Rule ID
SV-260050r981644_rule
Version
V2R4
CCIs
Without a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates). Caching CRL files on BIG-IP is not feasible because of the large size of DOD/DISA CRL files. Use the alternate mitigation: configure the system to deny access when revocation data is unavailable, which is done in the APM Visual Policy Editor (VPE).
If the BIG-IP appliance does not provide PKI-based user authentication intermediary services, this is not applicable.

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click "Edit" under "Per-Session Policy" for the Access Profile.
5. Verify an "OCSP Auth" object is configured in the Access Profile VPE AND that the fallback branch of this object leads to a "Deny" ending.

If the BIG-IP appliance is not configured to deny access when revocation data is unavailable, this is a finding.
Update the OCSP Auth. From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click "Edit" under "Per-Session Policy" for the Access Profile.
5. Add an "OCSP Auth" in the Access Profile. Note: To create an OCSP Responder, go to Access >> Authentication >> OCSP Responder.
6. Ensure the fallback branch goes to a "Deny" ending.
7. Click "Apply Access Policy".
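As an added example that is not part of the STIG text or of F5's own tooling, the Python below encodes the check above as a walk over a simplified, constructed model of APM per-session policy items: field names mirror what tmsh shows under "apm policy policy-item" (agents/type, rules/caption, next-item, item-type, ending), but the two sample policies are constructed, not exported from a BIG-IP. It also handles a fallback branch that passes through intermediate action items before reaching an ending.

```python
import copy

def fallback_target(item):
    """Return the next-item of the fallback rule (the rule with no expression)."""
    for rule in item.get("rules", []):
        if rule.get("caption") == "fallback" or "expression" not in rule:
            return rule.get("next-item")
    return None

def follow_to_ending(items, start, max_hops=32):
    """Walk next-item links from start until an ending item is reached.

    For any intermediate action item we conservatively follow its own
    fallback branch, i.e. the path taken when nothing else matches.
    Returns the ending type ("allow", "deny", "redirect") or None.
    """
    name = start
    for _ in range(max_hops):
        item = items.get(name)
        if item is None:
            return None  # dangling reference: no ending reachable
        if item.get("item-type") == "ending":
            return item.get("ending")
        name = fallback_target(item)
    return None  # loop or chain too long: treat as no ending

def check_ocsp_fallback(items):
    """Return (compliant, findings). Compliant when at least one OCSP Auth
    item exists and every OCSP Auth item's fallback branch ends in Deny."""
    findings = []
    ocsp_items = [n for n, it in items.items()
                  if any(a.get("type") == "ocsp-auth"
                         for a in it.get("agents", {}).values())]
    if not ocsp_items:
        findings.append("no OCSP Auth object in the per-session policy")
    for name in ocsp_items:
        ending = follow_to_ending(items, fallback_target(items[name]))
        if ending != "deny":
            findings.append(f"{name}: fallback reaches {ending!r}, expected 'deny'")
    return (not findings, findings)

# Constructed sample: OCSP Auth whose fallback goes to a Deny ending (compliant).
COMPLIANT = {
    "/Common/ap_act_ocsp_auth": {
        "agents": {"/Common/ap_act_ocsp_auth_ag": {"type": "ocsp-auth"}},
        "item-type": "action",
        "rules": [
            {"caption": "Successful",
             "expression": "expr {[mcget {session.ocsp.last.result}] == 1}",
             "next-item": "/Common/ap_end_allow"},
            {"caption": "fallback", "next-item": "/Common/ap_end_deny"},
        ],
    },
    "/Common/ap_end_allow": {"item-type": "ending", "ending": "allow"},
    "/Common/ap_end_deny": {"item-type": "ending", "ending": "deny"},
}
# Constructed sample: same policy with the fallback rewired to Allow (a finding).
NONCOMPLIANT = copy.deepcopy(COMPLIANT)
NONCOMPLIANT["/Common/ap_act_ocsp_auth"]["rules"][1]["next-item"] = "/Common/ap_end_allow"
```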