Forum Discussion
CRLDP using http URL base??
I've just been trying SSL client cert authentication with CRLDP to automatically check CRL status.
The CRL file is only provided via an HTTP URL base, as below.
http://xxx.yyy.com/xxx.xxx.xxx/xxx.crl
I'm confused by the "Address" and "base DN" settings in the CRLDP server settings, because our CA doesn't support LDAP.
Do you know how to set an HTTP URL in the CRLDP server settings using HTTP (not LDAP)?
Thanks
- ccb (Employee)
Hi Tomo,
- Madiw_114772 (Nimbostratus)
Hi,
What does ID325296 mean? I'm facing the same issue. Thanks
- Kevin_Stewart (Employee)
It means that the CRLDP function does not currently support HTTP-based CRL fetching, only LDAP. The number indicates the support ID assigned to track the request.
- vandenhoutenp_9 (Nimbostratus)
Hi guys,
I'm looking for a bit of guidance on how to set up a CRLDP AAA server to use HTTP, as I just can't seem to get it right. We are running 11.4.1 HF3 and I have the following options configured for the CRLDP server:
Server Connection: I've specified "Pool", as "Direct" doesn't seem to save the IP address I specify.
Service Port: 80
HTTP BaseDN: http://server.mydomain.com/CRL/company_issuing_ca_certification_authorities_group_dc_com_crlfile.crl
Cache Timeout: 86400
Use Issuer: Unticked
Allow Null CRL: Unticked
Verify Signature: Enabled
Connection Timeout: 15 seconds
Update Interval: 0 seconds
The error I'm getting in the APM log files is as follows:
May 10 17:17:02 F5APMDEVICE debug apd[19971]: 01490000:7: modules/Authentication/Crldp/CrldpAuthModule.cpp func: "setCrldpResponseStatus()" line: 795 Msg: Crldp Response Status: Bad HTTP response status
May 10 17:17:02 F5APMDEVICE warning apd[19971]: 0149015e:4: abcf0b23: CRLDP Auth agent: CRL lookup failed for LDAP url 'http://server.mydomain.com/CRL/company_issuing_ca_certification_authorities_group_dc_com_crlfile.crl' reason 'Bad HTTP response status'
May 10 17:17:02 F5APMDEVICE warning apd[19971]: 01490148:4: abcf0b23: CRLDP Auth agent: Failure status 'Bad HTTP response status'
May 10 17:17:02 F5APMDEVICE debug apd[19971]: 01490012:7: abcf0b23: CRLDP agent: LEAVE Function executeInstance
The LDAP error seems to suggest it isn't actually attempting to connect to the distribution point via HTTP. Where am I going wrong here?
Thanks
Peter
- vandenhoutenp_9 (Nimbostratus)
Please ignore. I didn't read the solution article correctly.
- GahanP_31299 (Nimbostratus)
Hey Peter, did you actually get CRLDP AAA working on HTTP in APM v11.4.1 HF3? When I try to define the CRLDP server (as Direct + HTTP, for example) it simply ignores the Server details and changes the type to "no server". I have a client cert inspection stage in the policy which is working fine, but the following CRLDP Auth seems to do nothing. On the wire there are no HTTP requests being sent to the CRL host, and I can still log in with a revoked certificate. I searched for this ID325296 in the release notes, but cannot find anything concrete to say HTTP is now supported for CRLDP AAA on APM. Thanks
- GahanP_31299 (Nimbostratus)
Ok, so it does work, and the behaviour of it resorting to "no server" seems to be OK. If you tweak the cache & update timeouts whilst looking on the wire, you do indeed see the HTTP fetch of the CRL from the CRLDP server. Happy Days :-)
- John_Huttley (Employee)
Hi, FYI this feature is in 11.5.x and later. In the CRLDP Auth object, set the server to "No Server", which ignores LDAP DPs and will only use HTTP DPs.
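The check this thread is trying to configure, fetching a CRL from an HTTP distribution point, verifying the CA's signature on it and testing a client certificate's serial against it, as an added Go example that is not from this thread or from F5 (APM's own implementation is not shown here). Everything in it is constructed for the example: the lab CA, the two client certificates, the CRL revoking serial 1002, the local httptest server standing in for server.mydomain.com, and the /company.crl and /wrong-name.crl paths. It treats any non-200 answer from the distribution point as a hard failure, which is what the "Bad HTTP response status" lines in the log above express: a wrong path or unreachable CDP must fail the lookup rather than let the session through as if nothing were revoked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// CRLFetchError is this example's version of the log's "Bad HTTP response status": a non-200 answer fails the lookup.
type CRLFetchError struct{ Status string }

func (e *CRLFetchError) Error() string { return "bad HTTP response status: " + e.Status }

// fetchCRL downloads a DER CRL over HTTP and checks that the named CA signed it (the "Verify Signature" option).
func fetchCRL(url string, issuer *x509.Certificate) (*x509.RevocationList, error) {
	resp, err := http.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, &CRLFetchError{Status: resp.Status}
	}
	der, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return nil, err
	}
	return crl, nil
}

// isRevoked reports whether the client cert's serial is on the CRL (RevokedCertificates is filled on every Go release).
func isRevoked(crl *x509.RevocationList, cert *x509.Certificate) bool {
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true
		}
	}
	return false
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// RunLab builds a throwaway CA, a good and a revoked client cert and a signed CRL, serves the CRL from a local
// HTTP server (all constructed here) and reports: revoked cert caught, good cert passed, 404 treated as failure.
func RunLab() (revokedRejected, goodAccepted, notFoundRejected bool) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Lab Issuing CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	// Re-parsing the DER fills SubjectKeyId, which CreateRevocationList requires on the issuer.
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	issue := func(serial int64, cn string) *x509.Certificate {
		k := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: now.Add(-time.Hour),
			NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, caCert, &k.PublicKey, caKey))))
	}
	good, bad := issue(1001, "alice"), issue(1002, "mallory")
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{ // revokes only serial 1002
		Number: big.NewInt(7), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: bad.SerialNumber, RevocationTime: now}},
	}, caCert, caKey))
	// Constructed distribution point: only /company.crl exists; any other path answers 404.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/company.crl" {
			http.NotFound(w, r)
			return
		}
		w.Write(crlDER)
	}))
	defer srv.Close()
	crl := must(fetchCRL(srv.URL+"/company.crl", caCert))
	_, err := fetchCRL(srv.URL+"/wrong-name.crl", caCert) // a mistyped CRL path, the kind of failure in the log
	_, notFoundRejected = err.(*CRLFetchError)
	return isRevoked(crl, bad), !isRevoked(crl, good), notFoundRejected
}

func main() { fmt.Println(RunLab()) }
```

Running it prints `true true true`: the revoked serial is caught, the unrevoked one passes, and the 404 surfaces as a fetch error instead of an empty (and therefore permissive) revocation list. A production check additionally compares the CRL's nextUpdate with the clock before trusting a cached copy, which is the decision the Cache Timeout and Update Interval settings in Peter's post are about.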