The F5 BIG-IP appliance must be configured to deny access when revocation data is unavailable using OCSP.

An XCCDF Rule

Description

<VulnDiscussion>Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates). Caching of CRL files on BIG-IP is not feasible or possible due to the large sizes of DOD/DISA CRL files. Use the alternate mitigation, configuring the system to deny access when revocation data is unavailable, which is done in the APM VPE.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-260050r947408_rule
Severity: Medium
References: CCI-001991
Updated: 9 months ago

Update the OCSP Auth.

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.4. Click "Edit" under "Per-Session Policy" for the Access Profile.
5. Add an "OCSP Auth" in the Access Profile.
Note: To create an OCSP Responder, go to Access >> Authentication >> OCSP Responder.
6. Ensure the fallback branch goes to a "Deny" ending.
7. Click "Apply Access Policy".

The F5 BIG-IP appliance must be configured to deny access when revocation data is unavailable using OCSP.

Description

Remediation - Manual Procedure