Forum Discussion

chris100_263517
May 12, 2016

APM CRLDP

Hello,

I'm configuring APM CRLDP for HTTP CRL retrieval and have a few questions about it. When you select Pool or Direct, the Base DN field must be populated. Does this mean that the HTTP method is not applicable when you enter a destination IP? i.e. you cannot manually define CRL destinations and must use the ones contained in the client cert. If this is correct, how does the APM handle multiple CRL destination URLs in the certs, timeouts and such?

Thank you

 

  • Hello,

    When you specify a destination, it's for LDAP only. In the latest versions you have a third option. When checked, APM will look in the CRLDP field of your certificate.

    • Yann_Desmarest_
      Of course, if the CRLDP field in your cert is invalid or non-existent, you have a problem. To work around this, you can define a CRL in the clientssl profile and update it using cron and tmsh.
    • chris100_263517
      If I understand, for HTTP CRL you must use the cert's CRL field when using CRLDP.
    • Yann_Desmarest_
      You should use a CRLDP AAA object and select the option No Server. This way, the BIG-IP APM will use the CRLDP field in the client certificate. You have to add a CRLDP block in your VPE.