Forum Discussion

scorpa_121336 (Nimbostratus)
Aug 13, 2013

APM CRL checking

Hello.

I'm working with APM and using On-Demand client certificate auth with policy type "request", because I want to have a fallback rule in case of certificate validation failure.

So, according to http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm_config_10_2_0/apm_config_clientcert_auth.html - "You should not configure CRL updates if you are using the Access Policy Manager to generate and issue On-Demand Certificates to users (using either a self-signed client root CA certificate, or a client root CA certificate from a trusted CA). In this case the Access Policy Manager manages CRLs internally."

But it seems it's not working. I have a certificate with a public CRL in it, like http://CA/revoke.crl, and I can resolve this address through the BIG-IP, but if I revoke some cert it's still valid for authentication, so I assume that the CRL isn't checked. So how do I set up CRL checking for APM if I only have the URL where the CRL file is located and cannot provide an LDAP CRLDP or OCSP?

 

  • As the reference guide states, there are 3 options for revocation checking:

    1. OCSP - this option takes the client certificate (issuer and serial number) and makes an OCSP request to a remote responder. It requires an OCSP AAA configuration and associated OCSP Auth agent in the policy VPE.

    2. CRLDP - this option reads the CRLDP extension in the client certificate and attempts to retrieve the remote CRL. This also requires an AAA configuration and associated CRLDP auth in the policy VPE. Currently, the CRLDP auth agent only works with LDAP-accessible CRLDPs. There's an RFE to add HTTP support.

    3. Local CRL - this is a PEM-formatted CRL embedded in the client SSL profile. The caution you're reading is intended for auto-generation of certificates, something that is rarely used. There are two significant caveats to using local CRLs:

       a. They are size constrained - depending on your software and hardware versions, as little as 4 MB.

       b. They do not auto-update. CRLs usually have a pretty short shelf life, so you have to devise a way to get them updated. Here's a forum post that has some script examples for auto-updating CRLs. The formatting is messed up on the second script. I can edit it if you want to go this route.

    https://devcentral.f5.com/questions/automaticlly-update-crl

     

  • Thank you!

    I think I must use this script :(

    But one question: I have two nodes in failover; how will they synchronize the CRL between each other, and will they sync this script?

     

  • We have an active/passive cluster and run an automated script to update our CRL.

    The short answer is that we found we needed to run the same script on both the active and the passive node separately.

    A couple of points to note about this process:

    1.) It is best to run the script on the passive node a few minutes after the active node rather than at the same time. We ran into issues with syncing when we had the script running at the same time on each node if the passive ran a split second before the passive or vice versa.

    2.) You will find that your nodes will show "Changes Pending" every time the script runs. I haven't found a way around that yet. As in, I would like to be able to tell APM to ignore CRL file updates in the triggers to signify what a change is.

     

  • I have the same experience with an update-CRL script on a BIG-IP cluster. I fixed it by doing a sync to group if the CRL is updated, so the message disappears, and not importing if the device is in standby. Not perfect, but it works. When I asked for something better I was told here to use CRLDP or OCSP. Personally I still feel F5 could make CRL files a little more usable by allowing auto-updating built in.

  • That is no problem. And once I figure out how to post it, I will do so. This forum errors out with an "undefined" every time I try and post the code.

  • Sorry, I couldn't figure out how to submit the code without the "undefined" errors. So here is a screen grab of it (alas, you will have to type it out). It could probably use a little more error checking etc., but it works. Note: just replace the bits in the "<>" with whatever meets your environment:

     

  • Thank you. It's working.

    And one more question: will it work if I use it under the client SSL profile but with type "ignore user certificate", because in the access policy I'm using On-Demand auth? Or if not, how do I use a CRL with On-Demand auth?

     

  • Nice work, Nash.

    To answer your last question, scorpa, the APM On-Demand Cert Auth agent will read the CRL from the client SSL profile, so you can definitely set the client SSL profile to "ignore".
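Added example, not code from the thread, from F5, or from Nash's screen grab: a portable sh script for the cluster-safe local-CRL refresh the replies above converge on (run per node, skip the import on the standby unit, import only when the CRL actually changed, then sync to the device group so "Changes Pending" clears), with a CA signature check on the downloaded CRL before it is installed. The values in <>, the file paths and the CRL object name are assumptions for your environment.

```shell
#!/bin/sh
# Added example, not from the thread or from F5. Refreshes the local CRL
# behind a client SSL profile on one cluster member. Values in <> and the
# paths below are assumptions for your environment.
CRL_URL="http://<CA>/revoke.crl"                  # HTTP location of the CRL
CA_CERT="/config/ssl/ssl.crt/<issuing-ca>.crt"    # CA that signs the CRL
CRL_OBJ="<crl-object>"                            # existing 'sys file ssl-crl'
DEVICE_GROUP="<device-group>"                     # sync-failover device group
DL="/var/tmp/revoke.dl"                           # raw download
NEW_PEM="/var/tmp/revoke.pem"                     # verified PEM copy
CUR_PEM="/config/ssl/ssl.crl/<crl-object>"        # PEM currently installed

# Is this unit active?  $1 is the output of 'tmsh show sys failover',
# e.g. "Failover active for /Common/traffic-group-1".
unit_is_active() {
    printf '%s\n' "$1" | grep -q '^Failover active'
}

# Has the CRL changed?  A missing current file counts as changed, so the
# first run still imports.
crl_changed() {
    [ -f "$1" ] || return 0
    ! cmp -s "$1" "$2"
}

# Download, normalise DER or PEM to PEM, and check the CA signature so a
# tampered or wrong-issuer CRL is never installed.
fetch_and_verify() {
    curl -fsS "$CRL_URL" -o "$DL" || return 1
    openssl crl -inform DER -in "$DL" -out "$NEW_PEM" 2>/dev/null \
        || openssl crl -inform PEM -in "$DL" -out "$NEW_PEM" || return 1
    openssl crl -in "$NEW_PEM" -CAfile "$CA_CERT" -noout 2>&1 | grep -q 'verify OK'
}

refresh_crl() {
    unit_is_active "$(tmsh show sys failover)" || { echo "standby unit, skipping"; return 0; }
    fetch_and_verify || { echo "CRL download or verification failed"; return 1; }
    crl_changed "$CUR_PEM" "$NEW_PEM" || { echo "CRL unchanged"; return 0; }
    tmsh modify sys file ssl-crl "$CRL_OBJ" source-path "file://$NEW_PEM" || return 1
    tmsh save sys config || return 1
    # Push the new CRL to the peer so "Changes Pending" clears.
    tmsh run cm config-sync to-group "$DEVICE_GROUP"
}

# Run the refresh only where tmsh exists (i.e. on the BIG-IP itself).
command -v tmsh >/dev/null 2>&1 && refresh_crl
```

Schedule it from cron on both units, a few minutes apart as suggested above; the standby check keeps the later run from re-importing what the sync already delivered.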