Forum Discussion

tomo_95427's avatar
tomo_95427
Icon for Nimbostratus rankNimbostratus
Dec 28, 2010

CRLDP using http URL base??

Hi,

 

 

I've just trying to SSL client cert authentication with CRLDP to automatically check CRL status..

 

Crl file is only provided HTTP URL base below.

 

 

http://xxx.yyy.com/xxx.xxx.xxx/xxx.crl

 

 

I'm confusing "Address" and "base DN" setting in crldp server setting.. Because our CA doesn't support LDAP.

 

Do you know how to set HTTP URL in crldp server setting by using HTTP(not LDAP ..)??

 

 

Thanks

 

 

8 Replies

  • Hi Tomo,

     

     

    At this time the enhancement for CRLDP to work with HTTP URLs is being tracked in ID325296.

     

     

     

  • It means that the CRLDP function does not currently support HTTP-based CRL fetching, only LDAP. The number indicates the support ID assigned to track the request.
  • Hi guys,

     

    I'm looking for a bit of guidance on how to setup a CRLDP AAA server to use HTTP as I just can't seem to get it right. We are running 11.4.1 HF3 and I have the following options configured for the CRLDP server:

     

    Server Connection: I've specified "Pool" as "Direct" doesn't seem to save the IP address I specify. Service Port: 80 HTTP BaseDN: http://server.mydomain.com/CRL/company_issuing_ca_certification_authorities_group_dc_com_crlfile.crl Cache Timeout: 86400 Use Issuer: Unticked Allow Null CRL: Unticked Verify Signature: Enabled Connection Timeout: 15 seconds Update Interval: 0 seconds

     

    The error I'm getting in the APM log files is as follows:

     

    May 10 17:17:02 F5APMDEVICE debug apd[19971]: 01490000:7: modules/Authentication/Crldp/CrldpAuthModule.cpp func: "setCrldpResponseStatus()" line: 795 Msg: Crldp Response Status: Bad HTTP response status May 10 17:17:02 F5APMDEVICE warning apd[19971]: 0149015e:4: abcf0b23: CRLDP Auth agent: CRL lookup failed for LDAP url 'http://server.mydomain.com/CRL/company_issuing_ca_certification_authorities_group_dc_com_crlfile.crl' reason 'Bad HTTP response status' May 10 17:17:02 F5APMDEVICE warning apd[19971]: 01490148:4: abcf0b23: CRLDP Auth agent: Failure status 'Bad HTTP response status' May 10 17:17:02 F5APMDEVICE debug apd[19971]: 01490012:7: abcf0b23: CRLDP agent: LEAVE Function executeInstance

     

    The LDAP error seems to suggest it isn't actually attempting to connect to the distribution point via HTTP. Where am I going wrong here?

     

    Thanks

     

    Peter

     

    • GahanP_31299's avatar
      GahanP_31299
      Icon for Nimbostratus rankNimbostratus
      Hey Peter did you actually get CRLDP AAA working on HTTP in APM v11.4.1 HF3? When I try to define the CRLDP server (as Direct + HTTP for example) it simply ignores the Server details and changes the type to "no server". I have a client cert inspection stage in policy which is working fine, but the following CRLDP Auth seems to do nothing. On the wire there are no HTTP requests being sent to the CRL host and I can still log in with a revoked certificate. I searched for this ID325296 in the release notes, but cannot find anything concrete to say HTTP is now supported for CRLDP AAA on APM thanks
    • GahanP_31299's avatar
      GahanP_31299
      Icon for Nimbostratus rankNimbostratus
      Ok, so it does work and the behaviour of it resorting to "no server" seems to be OK. If you tweak the cache & update timeouts whilst looking on the wire, you do indeed see the HTTP fetch of the CRL from the CDRLP server. Happy Days :-)
  • Hi, FYI this feature is in 11.5.X and later. In the CRLDP Auth object set to "No Server", which ignores LDAP DP's and will only use HTTP DP's.