APM OCSP Responder Issues
I have: in APM, configured the OCSP responder under Access > Auth > OCSP Responders (ocspfqdn.com/ocsp) and added it to the APM policy. I have a health monitor to the OCSP responder that is good (TCP). But it's not working. tcpdump shows:

09:12:43.591044 IP F5SELFIP.58606 > OCSPserver1.com: Flags [P.], seq 1:192, ack 1, win 229, length 191: HTTP: POST /ocsp HTTP/1.0 out slot1/tmm0 lis=
09:12:43.602954 IP OCSPserver1.com > F5SELFIP.58606: Flags [FP.], seq 1:462, ack 192, win 1027, length 461: HTTP: HTTP/1.1 404 Not Found in slot1/tmm0 lis=

I'm not quite sure what else I can do here. I will note that I implemented this: https://my.f5.com/manage/s/article/K12552109 and it didn't work, but all I did was put the OCSP IP behind a simple virtual server, and then add the iRule. I don't know if extra configurations were needed.

APM OCSP check via corporate proxy
Hi,

I am checking the revocation status of client certificates in APM using the OCSP Auth Agent. I have an AAA Server -> OCSP Responder configured with . I have a host entry and static route configured, and our corporate L4 firewall facing the internet is allowing this connection towards the OCSP IP address. This works fine until the IP of the OCSP server suddenly changes. Then the OCSP check does not work anymore and I need to update the host entry, routing entry and firewall rule with the new destination IP address.

This is an ugly solution, and I was thinking I could let APM contact the OCSP via the system proxy, just the same way as, for example, I am using the system proxy to update ASM signatures. In order to test it, I did the necessary config of the /sys db proxy.* values (as we are on 12.1.2). I am pretty sure the config is correct. I removed the host entry and routing entry. But I can see that APM still tries to avoid the proxy and sends the OCSP HTTP requests directly. And of course this is failing now, as there is no host and route entry in place.

Why is the system proxy not being used by APM to route the OCSP requests out to the internet? And how can I get this to work? The proxy is really my only option for a robust solution, because our corporate firewalls are L4 only and the OCSP IP address is changing quite frequently.

I saw this post from Kevin: https://devcentral.f5.com/articles/ocsp-through-an-outbound-explicit-proxy-29026, from which I understood that it indeed is not possible to use the system proxy for OCSP calls. But why is that? Isn't it strange to have a system proxy available but not be able to use it for such an obvious action? And where could I find the iRule Kevin was referring to at the beginning of the article ("simple VIP and iRule that "proxifies" an outbound OCSP HTTP request")? I couldn't find the previous article he was referring to.

Thanks,
Martin
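Added example, not code from either post, from K12552109 or from Kevin's DevCentral article, and not an iRule: it shows in plain Python the two things both threads circle around. First, what a "proxifying" hop in front of the responder has to do to the request APM emits (an origin-form `POST /ocsp HTTP/1.0`, as in the first capture) so that an explicit forward proxy will accept it: rewrite the request target to absolute form and carry a `Host` header naming the real responder. Second, a reply check that reports an HTTP-level failure such as the `404 Not Found` in the first capture as exactly that, instead of feeding the body to an OCSP parser. The responder URL `http://ocsp.example.com/ocsp`, the DER bytes in the sample request and all function names are constructed placeholders.

```python
"""Rewrite an origin-form OCSP HTTP request into the absolute-form target an
explicit forward proxy expects (RFC 7230 section 5.3.2), and classify the
HTTP reply before any OCSP parsing happens.  Stand-alone illustration; this
is not APM, iRule or F5 code and the sample bytes below are constructed."""
from urllib.parse import urlsplit


def proxify_request(raw: bytes, responder_url: str) -> bytes:
    """Return `raw` (an HTTP/1.0 or 1.1 request in origin form, possibly
    with no Host header) rewritten for an explicit proxy: the request target
    becomes scheme://authority/path and a Host header names the responder.
    Requests that are already in absolute form are returned unchanged."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP head (no blank line)")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].split(b" ", 2)

    if target.startswith((b"http://", b"https://")):
        return raw                      # already absolute-form, nothing to do
    if not target.startswith(b"/"):
        raise ValueError(f"unexpected request target {target!r}")

    parts = urlsplit(responder_url)
    if parts.scheme != "http":
        # An explicit proxy reaches an https responder via CONNECT, which is a
        # different exchange; OCSP responders are normally plain http.
        raise ValueError("only http:// responder URLs are handled here")
    authority = parts.netloc.encode("ascii")     # host[:port] of the responder
    abs_target = b"http://" + authority + target

    # Drop any pre-existing Host header and put ours first, so the proxy and the
    # responder agree on the origin regardless of what the client sent.
    headers = [h for h in lines[1:] if not h.lower().startswith(b"host:")]
    headers.insert(0, b"Host: " + authority)
    new_head = b"\r\n".join([b" ".join((method, abs_target, version))] + headers)
    return new_head + b"\r\n\r\n" + body


def classify_reply(raw: bytes) -> tuple:
    """Classify an HTTP reply before OCSP parsing.  Returns (verdict, status):
    ("malformed", None), ("http-error", code), ("wrong-content-type", 200)
    or ("ok", 200).  Only an "ok" reply has a body worth handing to an
    OCSP decoder; a 404 from the responder (or proxy) never carries one."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    fields = lines[0].split(b" ", 2)
    if len(fields) < 2 or not fields[0].startswith(b"HTTP/"):
        return ("malformed", None)
    try:
        status = int(fields[1])
    except ValueError:
        return ("malformed", None)

    ctype = b""
    for h in lines[1:]:
        name, _, value = h.partition(b":")
        if name.strip().lower() == b"content-type":
            ctype = value.strip().lower()

    if status != 200:
        return ("http-error", status)
    if ctype != b"application/ocsp-response":
        return ("wrong-content-type", status)
    return ("ok", status)


# Constructed sample traffic, shaped like the first capture above: APM's
# origin-form POST with a placeholder body (NOT a real DER OCSPRequest),
# and the responder's 404.
SAMPLE_REQUEST = (
    b"POST /ocsp HTTP/1.0\r\n"
    b"Content-Type: application/ocsp-request\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"\x30\x03\x30\x01\x00"
)
SAMPLE_404 = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
SAMPLE_OK = (b"HTTP/1.1 200 OK\r\nContent-Type: application/ocsp-response\r\n"
             b"Content-Length: 2\r\n\r\n\x30\x00")

if __name__ == "__main__":
    rewritten = proxify_request(SAMPLE_REQUEST, "http://ocsp.example.com/ocsp")
    print(rewritten.partition(b"\r\n\r\n")[0].decode())
    for reply in (SAMPLE_404, SAMPLE_OK):
        print(classify_reply(reply))
```

The rewrite only changes the request line and the `Host` header; the `Content-Type: application/ocsp-request` header and the DER body pass through untouched, which is what the responder on the far side of the proxy needs to see. The classifier is deliberately strict about `Content-Type`: a `200 OK` whose body is an HTML error page (a common result when a request lands on the wrong path of a web server) must not be treated as an OCSP answer.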