Access Policy Manager supports authenticating and authorizing the client against Online Certificate Status Protocol (OCSP). OCSP is a mechanism used to retrieve the revocation status of an X.509 certificate by sending the certificate information to a remote OCSP responder. This responder maintains up-to-date information about the certificate's revocation status. OCSP ensures that Access Policy Manager always obtains real-time revocation status during the certificate verification process.
This task list includes all steps required to set up this configuration. If you are adding OCSP authentication to an existing access policy, you do not need to create another access profile.
You associate the client SSL and access profiles with the virtual server so that the BIG-IP system handles client-side SSL traffic as specified, and so that Access Policy Managercan apply the access profile to incoming traffic.
This is an example of an access policy with all the associated elements needed to authenticate and authorize users with OCSP authentication. Notice that you must add either the Client Cert Inspection agent or the On-Demand Cert Auth agent before the OCSP Auth object in your access policy. One of those agents is required in order to receive the X.509 certificate from the user. This is also important since both agents store the user information as well as the issuer certificates in the session variables. This allows the OCSP Auth agent to check the revocation status of the user's certificate.
When the OCSP Auth access policy item runs, it populates session variables, which are then available for use in access policy rules. This table lists the session variables for the OCSP access policy item and for the certificate item used in the access policy.
|session.ssl.cert.whole||Provides the client certificate received from the user in PAM format.|
|session.ssl.cert.certissuer||Provides the issuer certificate of the client certificate in PAM format.|
|session.ocsp.last.result||Sets the result of the OCSP authentication. The available values are:
|session.ocsp.last.status||Sets the status of the authentication to Failed.|
You might run into problems with OCSP authentication in some instances. Follow these tips to try to resolve any issues you might encounter.
|Possible error messages||Possible explanations and corrective actions|
|No AAA server associated with the agent||Make sure that a valid OCSP responder configuration is assigned to the OCSP agent in the access policy.|
|User/Issuer certificate not found for the session||The user/issuer certificate session variables are missing. Make sure that either the Client Cert Inspection agent or On-Demand Cert Auth agent is configured in the access policy (or use a variable assignment agent to create them).|
|Failure to connect to OCSP responder (BIO callback failure)||Make sure that the OCSP responder is up and running and reachable from the BIG-IP system.|
|Error parsing the OCSP response (invalid response)||Indicates that no valid basic response was found in the OCSP response. Check the configuration on the remote OCSP responder.|
|Error signing OCSP request||Make sure that the signing certificate and key are valid.|
|No valid nonce found in the response||This happens when the nonce setting is enabled on the OCSP responder configuration and the received OCSP response does not contain a valid nonce. Check the remote OCSP responder connection and setting.|
|Nonce verification failed||This happens when the nonce received in the response does not match with the nonce sent in the request. Make sure that the connection from BIG-IP system to OCSP responder is secure.|
|Failure to verify response||Make sure that the OCSP responder has a valid CA and verify other certificate settings.|
|Status times invalid||Make sure that the BIG-IP system and OCSP responder clocks are in sync.|
|OCSP response - Cert with serial number 'x' has been revoked||Indicates that the status of the user certificate is revoked.|
|Failed to add cert to OCSP request||Indicates a failure in creating the OCSP request; either the supplied user/issuer certificates are not valid or the CertID digest configured in the OCSP responder setting is not valid.|