CRLDP using http URL base??
Hi guys,
I'm looking for a bit of guidance on how to set up a CRLDP AAA server to use HTTP, as I just can't seem to get it right. We are running 11.4.1 HF3 and I have the following options configured for the CRLDP server:
* Server Connection: I've specified "Pool" as "Direct" doesn't seem to save the IP address I specify.
* Service Port: 80
* HTTP BaseDN: http://server.mydomain.com/CRL/company_issuing_ca_certification_authorities_group_dc_com_crlfile.crl
* Cache Timeout: 86400
* Use Issuer: Unticked
* Allow Null CRL: Unticked
* Verify Signature: Enabled
* Connection Timeout: 15 seconds
* Update Interval: 0 seconds
The error I'm getting in the APM log files is as follows:
May 10 17:17:02 F5APMDEVICE debug apd[19971]: 01490000:7: modules/Authentication/Crldp/CrldpAuthModule.cpp func: "setCrldpResponseStatus()" line: 795 Msg: Crldp Response Status: Bad HTTP response status
May 10 17:17:02 F5APMDEVICE warning apd[19971]: 0149015e:4: abcf0b23: CRLDP Auth agent: CRL lookup failed for LDAP url 'http://server.mydomain.com/CRL/company_issuing_ca_certification_authorities_group_dc_com_crlfile.crl' reason 'Bad HTTP response status'
May 10 17:17:02 F5APMDEVICE warning apd[19971]: 01490148:4: abcf0b23: CRLDP Auth agent: Failure status 'Bad HTTP response status'
May 10 17:17:02 F5APMDEVICE debug apd[19971]: 01490012:7: abcf0b23: CRLDP agent: LEAVE Function executeInstance
The LDAP error seems to suggest it isn't actually attempting to connect to the distribution point via HTTP. Where am I going wrong here?
Thanks
Peter
- vandenhoutenp_9, May 10, 2014 (Nimbostratus)
Please ignore. I didn't read the solution article correctly.
- GahanP_31299, May 31, 2014 (Nimbostratus)
Hey Peter, did you actually get CRLDP AAA working on HTTP in APM v11.4.1 HF3? When I try to define the CRLDP server (as Direct + HTTP, for example) it simply ignores the Server details and changes the type to "no server". I have a client cert inspection stage in the policy which is working fine, but the following CRLDP Auth seems to do nothing. On the wire there are no HTTP requests being sent to the CRL host, and I can still log in with a revoked certificate. I searched for this ID325296 in the release notes, but cannot find anything concrete to say HTTP is now supported for CRLDP AAA on APM. Thanks
- GahanP_31299, Jun 03, 2014 (Nimbostratus)
Ok, so it does work, and the behaviour of it resorting to "no server" seems to be OK. If you tweak the cache & update timeouts whilst looking on the wire, you do indeed see the HTTP fetch of the CRL from the CRLDP server. Happy Days :-)
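The "can a revoked certificate still log in" check from this thread can be reproduced off-box. The following is an added example, not code from the thread or from F5: a stdlib-only Python parser for the DER CRL that the CRLDP agent fetches from the HTTP BaseDN URL (fetch it yourself with curl and pass the bytes in), reporting whether a given serial is revoked and whether the CRL is already past nextUpdate. It does not verify the CRL signature (that is what APM's Verify Signature option does), and the embedded CRL is a constructed sample with a dummy signature.

```python
from datetime import datetime, timezone

def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV at pos (short or long-form length)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long form: low bits = number of length octets
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    """Yield the (tag, value) children of a constructed DER value."""
    pos = 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        yield tag, val

def der_time(tag, val):  # UTCTime (0x17, YY...) or GeneralizedTime (0x18, YYYY...) -> aware UTC datetime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)

def parse_crl(der):
    """Return (thisUpdate, nextUpdate, {revoked serials}) from a DER CertificateList (RFC 5280)."""
    fields = list(der_children(next(der_children(der_read(der)[1]))[1]))  # tbsCertList children
    if fields[0][0] == 0x02:                              # optional version INTEGER (v2 CRLs)
        fields = fields[1:]
    this_update, rest = der_time(*fields[2]), fields[3:]  # fields[0:2] are signature AlgId, issuer
    next_update = der_time(*rest.pop(0)) if rest and rest[0][0] in (0x17, 0x18) else None
    revoked = set()
    for tag, val in rest:
        if tag == 0x30:                                   # revokedCertificates SEQUENCE OF entry
            for _, entry in der_children(val):
                revoked.add(int.from_bytes(next(der_children(entry))[1], "big", signed=True))
    return this_update, next_update, revoked

def check_serial(der, serial, now=None):
    """'revoked', 'good', or 'stale' (past nextUpdate, so the CRL must not be relied on)."""
    _, next_update, revoked = parse_crl(der)
    if next_update and (now or datetime.now(timezone.utc)) > next_update:
        return "stale"
    return "revoked" if serial in revoked else "good"

def tlv(tag, body):  # tiny DER encoder, used only to build the constructed sample below
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body
_utc = lambda s: tlv(0x17, s.encode())
_sha256_rsa = tlv(0x30, bytes.fromhex("06092a864886f70d01010b") + tlv(0x05, b""))
_issuer = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0c, b"Test CA"))))
_revoked = tlv(0x30, tlv(0x30, tlv(0x02, b"\x10\x01") + _utc("140501120000Z")))
_tbs = tlv(0x30, tlv(0x02, b"\x01") + _sha256_rsa + _issuer + _utc("140510000000Z") + _utc("140511000000Z") + _revoked)
SAMPLE_CRL = tlv(0x30, _tbs + _sha256_rsa + tlv(0x03, b"\x00\x00"))  # constructed sample from "Test CA", revokes 0x1001; dummy signature
```

Feeding a freshly fetched CRL to check_serial with the serial of a test certificate you have revoked gives you an independent answer to compare against the APM session result; a "stale" result on the CRL the box caches is a sign the update interval is longer than the CA's nextUpdate window.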