F5Networks / f5-appsvcs-extension

F5 BIG-IP Application Services 3 Extension
Apache License 2.0

C3D example is missing? #355

Closed chen23 closed 3 years ago

chen23 commented 3 years ago

In the docs it appears that the example for C3D is not correct (the description does not match the contents of the example):

https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/declarations/tls-encryption.html#using-client-certificate-constrained-delegation-c3d-features-in-a-declaration

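The following (taken from the Postman examples) seems to be a correct example. Note that it is a test declaration: `"authenticationMode": "request"` asks for a client certificate without requiring one, `"allowExpiredCRL": true` accepts an out-of-date revocation list, and `"c3dOCSPUnknownStatusAction": "ignore"` lets a connection proceed when OCSP cannot confirm the certificate's status. Review those three settings, the `"logLevel": "debug"` request option, and the inline `privateKey` fields (placeholders here) before adapting it for a production deployment.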

{
    "class": "AS3",
    "action": "deploy",
    "persist": true,
    "logLevel": "debug",
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.9.0",
        "id": "C3DFeatures",
        "label": "C3D Test",
        "remark": "test",
        "Sample_C3D": {
            "class": "Tenant",
            "appC3D": {
                "class": "Application",
                "template": "generic",
                "webtls": {
                    "class": "TLS_Server",
                    "certificates": [
                        {
                            "matchToSNI": "www.test.domain.com",
                            "certificate": "webcert1"
                        },
                        {
                            "certificate": "webcert2"
                        }
                    ],
                    "authenticationMode": "request",
                    "authenticationTrustCA": {
                        "bigip": "/Common/dev_chain.crt"
                    },
                    "crlFile": {
                        "bigip": "/Common/dev_crl.crl"
                    },
                    "allowExpiredCRL": true,
                    "c3dOCSPUnknownStatusAction": "ignore",
                    "c3dOCSP": {
                        "use": "ocsp"
                    },
                    "c3dEnabled": true
                },
                "webcert1": {
                    "class": "Certificate",
                    "remark": "test",
                    "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
                    "privateKey": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----"
                },
                "webcert2": {
                    "class": "Certificate",
                    "remark": "test",
                    "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
                    "privateKey": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----"
                },
                "ocsp": {
                    "class": "Certificate_Validator_OCSP",
                    "dnsResolver": {
                        "bigip": "/Common/10.10.10.10"
                    },
                    "responderUrl": "http://oscp.responder.test.com",
                    "timeout": 299
                },
                "clienttls": {
                    "class": "TLS_Client",
                    "clientCertificate": "defaultCert",
                    "crlFile": {
                        "bigip": "/Common/c3d_crl.crl"
                    },
                    "allowExpiredCRL": true,
                    "c3dEnabled": true,
                    "c3dCertificateAuthority": "c3dCA",
                    "c3dCertificateLifespan": 360,
                    "c3dCertificateExtensions": [
                        "subject-alternative-name"
                    ],
                    "trustCA": {
                        "bigip": "/Common/c3d_chain.crt"
                    }
                },
                "c3dCA": {
                    "class": "Certificate",
                    "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
                    "privateKey": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----"
                },
                "defaultCert": {
                    "class": "Certificate",
                    "certificate": {
                        "bigip": "/Common/default.crt"
                    },
                    "privateKey": {
                        "bigip": "/Common/default.key"
                    }
                }
            }
        }
    }
}
dstokesf5 commented 3 years ago

Thank you for reporting this. I have added AUTOTOOL-1954 to our internal product backlog to update the documentation.

dstokesf5 commented 3 years ago

The documentation has been updated. Closing this issue.