Manual Chapter : OCSP Authentication

Applies To:


BIG-IP APM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

About OCSP authentication

Access Policy Manager supports authenticating and authorizing clients against an Online Certificate Status Protocol (OCSP) responder. OCSP is a mechanism for retrieving the revocation status of an X.509 certificate: the certificate's identifying information is sent to a remote OCSP responder, which maintains up-to-date revocation information for the certificates its CA has issued. With OCSP, Access Policy Manager obtains the revocation status at the time of the certificate verification instead of relying on a previously downloaded CRL.

Important: Access Policy Manager must include an OCSP responder configuration for every OCSP responder that exists.

Task summary for OCSP authentication

This task list includes all steps required to set up this configuration. If you are adding OCSP authentication to an existing access policy, you do not need to create another access profile.

Task list

Configuring an AAA OCSP responder

Before you can specify a certificate authority file for an OCSP responder, the file must be imported into the system SSL certificate list.
You create an OCSP responder in Access Policy Manager when you want to use OCSP authentication for user access.
  1. On the Main tab, click Access Policy > AAA Servers > OCSP Responders. The OCSP Responder Servers list screen opens.
  2. Click Create. The New Server properties screen opens.
  3. In the Name field, type a unique name for the authentication server.
  4. In the URL field, type the URL used to contact the OCSP service on the responder. You can skip this step if you did not select the Ignore AIA check box and all user certificates carry a correct AIA (Authority Information Access) extension, because the OCSP URL is then taken from the certificate itself.
  5. Optional: From the Certificate Authority File list, select an SSL certificate.
  6. Click Finished. The new server displays on the list.
You can select this OCSP Responder from an OCSP Auth access policy item.

Creating an access profile

You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. Click Create. The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
    Note: An access profile name must be unique among all access profile names and all per-request policy names.
  4. From the Profile Type list, select one:
    • LTM-APM - Select for a web access management configuration.
    • SSL-VPN - Select to configure network access, portal access, or application access. (Most access policy items are available for this type.)
    • ALL - Select to support LTM-APM and SSL-VPN access types.
    • SSO - Select to configure matching virtual servers for Single Sign-On (SSO).
      Note: No access policy is associated with this type of access profile.
    • RDG-RAP - Select to validate connections to hosts behind APM when APM acts as a gateway for RDP clients.
    • SWG - Explicit - Select to configure access using Secure Web Gateway explicit forward proxy.
    • SWG - Transparent - Select to configure access using Secure Web Gateway transparent forward proxy.
    • System Authentication - Select to configure administrator access to the BIG-IP system (when using APM as a pluggable authentication module).
    • Identity Service - Used internally to provide identity service for a supported integration. Only APM creates this type of profile.
      Note: You can edit Identity Service profile properties.
    Note: Depending on licensing, you might not see all of these profile types.
    Additional settings display.
  5. In the Language Settings area, add and remove accepted languages, and set the default language. A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  6. Click Finished.
This creates an access profile with a default access policy.

Configuring OCSP authentication

Add an OCSP authentication item to an access policy when you want to authenticate using OCSP.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. In the Access Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new action item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. From the Authentication tab, select either Client Cert Inspection or On-Demand Cert Auth, and click Add item. Client Cert Inspection checks the result of the SSL handshake that occurred at the start of the SSL session. On-Demand Cert Auth performs an SSL re-handshake at that point in the policy, requesting a certificate from the client, and checks the result. The CRLDP and OCSP Auth actions require the certificate information that one of these two access policy items makes available.
  5. Click the (+) icon anywhere in the access policy to add a new action item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  6. Select OCSP Auth, and click Add item. A properties popup screen opens.
  7. From the OCSP Responder list, select an OCSP responder.
  8. Click Save. The properties screen closes and the visual policy editor displays.
  9. Click Apply Access Policy to save your configuration.
This creates an access policy that uses OCSP authentication.
To put an access policy into effect, add it to a virtual server.

Configuring a client SSL profile for OCSP

You need a clientssl profile to use OCSP authentication from an access policy.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Client. The Client profile list screen opens.
  2. Click Create. The New Client SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. Select clientssl in the Parent Profile list.
  5. Scroll down to the Client Authentication area.
  6. Select the Custom check box for Client Authentication. The settings become available.
  7. From the Client Certificate list, select the option that matches the item you added to the access policy.
    • Select request if the Client Cert Inspection agent is used in the access policy. With request, the handshake completes even when the client presents no certificate, so the access policy (not the SSL profile) must deny the session when Client Cert Inspection fails.
    • Select ignore if the On-Demand Cert Auth agent is used; that agent performs the re-handshake that requests the certificate.
  8. From the Trusted Certificate Authorities list, select the Certificate Authority that issues the user certificates.
  9. From the Advertised Certificate Authorities list, select the advertised Certificate Authority file for client certificate authentication.
  10. Click Finished.
To put a client SSL profile into effect, you must add it to a virtual server.

Adding client-side SSL and access profiles to a virtual server

You associate the client SSL and access profiles with the virtual server so that the BIG-IP system handles client-side SSL traffic as specified, and so that Access Policy Manager can apply the access profile to incoming traffic.

  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL profile you previously created, and using the Move button, move the name to the Selected list.
  4. In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
  5. Click Update to save the changes.
The access policy and client-side SSL profiles are now associated with the virtual server.

Policy example for OCSP authentication

This is an example of an access policy with all the associated elements needed to authenticate and authorize users with OCSP authentication. Notice that you must add either the Client Cert Inspection agent or the On-Demand Cert Auth agent before the OCSP Auth item in your access policy. One of those agents is required in order to receive the X.509 certificate from the user; it stores the user certificate and the issuer certificate in session variables, and the OCSP Auth agent reads those variables to check the revocation status of the user's certificate.

How OCSP works (figure)

OCSP session variables

When the OCSP Auth access policy item runs, it populates session variables, which are then available for use in access policy rules. This table lists the session variables for the OCSP access policy item and for the certificate item used in the access policy.

Session variables for OCSP

  • session.ssl.cert.whole - Provides the client certificate received from the user, in PEM format.
  • session.ssl.cert.certissuer - Provides the issuer certificate of the client certificate, in PEM format.
  • session.ocsp.last.result - Sets the result of the OCSP authentication. The available values are:
    • 0: Failed
    • 1: Passed
  • session.ocsp.last.status - Sets the status of the authentication to Failed.

OCSP authentication troubleshooting tips

You might run into problems with OCSP authentication in some instances. Follow these tips to try to resolve any issues you might encounter.

OCSP auth and query troubleshooting

Possible error messages, with explanations and corrective actions:
  • No AAA server associated with the agent - Make sure that a valid OCSP responder configuration is assigned to the OCSP Auth agent in the access policy.
  • User/Issuer certificate not found for the session - The user/issuer certificate session variables are missing. Make sure that either the Client Cert Inspection agent or the On-Demand Cert Auth agent runs before the OCSP Auth agent in the access policy (or use a Variable Assign agent to populate the variables).
  • Failure to connect to OCSP responder (BIO callback failure) - Make sure that the OCSP responder is up and running and reachable from the BIG-IP system.
  • Error parsing the OCSP response (invalid response) - No valid basic response was found in the OCSP response. Check the configuration on the remote OCSP responder.
  • Error signing OCSP request - Make sure that the signing certificate and key are valid.
  • No valid nonce found in the response - The nonce setting is enabled in the OCSP responder configuration, but the received OCSP response does not contain a valid nonce (typically a responder that does not echo nonces). Check the remote OCSP responder connection and settings.
  • Nonce verification failed - The nonce in the response does not match the nonce sent in the request, so the response was not generated for this request (for example, a cached or replayed response). Make sure that the connection from the BIG-IP system to the OCSP responder is secure.
  • Failure to verify response - The signature on the response could not be verified. Make sure that the OCSP responder has a valid CA and verify the other certificate settings.
  • Status times invalid - The response's thisUpdate time is in the future or its nextUpdate time has already passed. Make sure that the BIG-IP system and OCSP responder clocks are in sync.
  • OCSP response - Cert with serial number 'x' has been revoked - The status of the user certificate is revoked. This is the expected outcome for a revoked certificate, not a configuration problem.
  • Failed to add cert to OCSP request - A failure occurred while creating the OCSP request; either the supplied user/issuer certificates are not valid or the CertID digest configured in the OCSP responder setting is not valid.
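The following shell script is an added example and is not part of this manual or of the BIG-IP software. It uses the openssl command line to play both sides of the exchange described in this chapter (the request that OCSP Auth sends and the signed answer a responder returns) and then applies the checks behind several of the messages above: signature verification against the trusted CA, nonce matching, and the good/revoked status of each certificate. The test CA, the two user certificates, their serial numbers and the revocation index are all constructed by the script; the file-based responder mode of openssl ocsp stands in for the HTTP responder that the URL field or the AIA extension would normally point to.

```shell
#!/bin/sh
# Added example (not F5/BIG-IP code): the OCSP exchange and the checks behind the
# troubleshooting messages, played offline with the openssl command line.
# Everything under $WORK is constructed here: a test CA, one good and one revoked
# user certificate (serials 0x1001 and 0x1002), and the responder's index file.
set -eu
WORK=$(mktemp -d)

setup_pki() {
  openssl ecparam -name prime256v1 -out "$WORK/p256.pem"
  openssl req -x509 -newkey ec:"$WORK/p256.pem" -nodes -days 30 -subj /CN=TestCA \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  for n in good revoked; do
    openssl req -newkey ec:"$WORK/p256.pem" -nodes -subj "/CN=user-$n" \
      -keyout "$WORK/$n.key" -out "$WORK/$n.csr" 2>/dev/null
  done
  openssl x509 -req -days 30 -set_serial 0x1001 -in "$WORK/good.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -out "$WORK/good.pem" 2>/dev/null
  openssl x509 -req -days 30 -set_serial 0x1002 -in "$WORK/revoked.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -out "$WORK/revoked.pem" 2>/dev/null
  # Responder database in openssl index.txt format (tab separated):
  # status, expiry, revocation time, serial (hex), file name, subject.
  printf 'V\t400101000000Z\t\t1001\tunknown\t/CN=user-good\n' > "$WORK/index.txt"
  printf 'R\t400101000000Z\t240101000000Z\t1002\tunknown\t/CN=user-revoked\n' >> "$WORK/index.txt"
}

# APM's side: one request covering both certificates, carrying a fresh nonce.
make_request() {  # $1 = output file (DER)
  openssl ocsp -issuer "$WORK/ca.pem" -cert "$WORK/good.pem" -cert "$WORK/revoked.pem" \
    -nonce -reqout "$1" 2>/dev/null
}

# The responder's side: look each serial up in the index and sign the answer with the
# CA key (the issuing CA is itself a valid OCSP signer). A real responder is reached
# over HTTP via the URL field or the AIA extension; the file-based mode avoids that.
answer_request() {  # $1 = request DER, $2 = response DER
  openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.pem" \
    -rsigner "$WORK/ca.pem" -rkey "$WORK/ca.key" -reqin "$1" -respout "$2" >/dev/null 2>&1
}

# What OCSP Auth does with the answer: the signature must chain to a trusted CA and
# the nonce must equal the one in the request it is checked against.
verify_response() {  # $1 = request DER, $2 = response DER; exit status is the verdict
  openssl ocsp -reqin "$1" -respin "$2" -CAfile "$WORK/ca.pem" >/dev/null 2>&1
}

# Status of one certificate from an already verified response. -no_nonce is needed
# because openssl would otherwise build a new request (new nonce) and then reject
# the response for a nonce mismatch.
cert_status() {  # $1 = response DER, $2 = certificate PEM; prints good/revoked/unknown
  openssl ocsp -issuer "$WORK/ca.pem" -cert "$2" -no_nonce -respin "$1" \
    -CAfile "$WORK/ca.pem" 2>/dev/null | sed -n "s|^$2: ||p"
}

run_demo() {
  setup_pki
  make_request "$WORK/req.der"
  answer_request "$WORK/req.der" "$WORK/resp.der"
  if verify_response "$WORK/req.der" "$WORK/resp.der"; then v=accepted; else v=rejected; fi
  # "Nonce verification failed": the same response checked against a different request,
  # which is what a cached or replayed response looks like to the verifier.
  make_request "$WORK/other.der"
  if verify_response "$WORK/other.der" "$WORK/resp.der"; then r=accepted; else r=rejected; fi
  printf '%s %s %s %s\n' "$v" "$(cert_status "$WORK/resp.der" "$WORK/good.pem")" \
    "$(cert_status "$WORK/resp.der" "$WORK/revoked.pem")" "$r"
}

run_demo   # prints: accepted good revoked rejected
```

Run it with no arguments. The last field is the Nonce verification failed case: the response is refused even though its signature is valid, because it was not produced for the request it is checked against. The same harness reproduces the Status times invalid warning if the response is produced on a host whose clock is skewed, since openssl ocsp prints exactly that text when thisUpdate lies in the future or nextUpdate has passed.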