The F5 BIG-IP appliance must be configured to deny access when revocation data is unavailable using OCSP.

An XCCDF Rule

Description

Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates). Caching of CRL files on BIG-IP is not feasible or possible due to the large sizes of DOD/DISA CRL files. Use the alternate mitigation, configuring the system to deny access when revocation data is unavailable, which is done in the APM VPE.

ID: SV-260050r947408_rule
Version: F5BI-AP-000231
Severity: Medium
References: CCI-001991
Updated: 6 days ago

Remediation Templates

Update the OCSP Auth.

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.4. Click "Edit" under "Per-Session Policy" for the Access Profile.
5. Add an "OCSP Auth" in the Access Profile.
Note: To create an OCSP Responder, go to Access >> Authentication >> OCSP Responder.
6. Ensure the fallback branch goes to a "Deny" ending.
7. Click "Apply Access Policy".

The F5 BIG-IP appliance must be configured to deny access when revocation data is unavailable using OCSP.

Description

Remediation Templates

A Manual Procedure