Forum Discussion
APM OCSP Responder to check client (stunnel) certificate
Hello, I am trying to set up LTM and APM to reverse proxy a stunnel client's access to my backend. I have got the virtual server up to do SSL and APM to check the client certificate against my OCSP responder correctly.
However I can't get rid of the BIG-IP wanting to set cookies (F5_ST, LastMRH_Session and MRHSession) and redirecting. My client can't handle cookies.
Am I trying to accomplish something that can't be done? :)
Oh yeah, BIG-IP VE 11.4.0
2 Replies
- Kevin_Stewart
Employee
Technically speaking, APM AAA is designed for HTTP. The session is maintained by a cookie and the redirect is used to start (and end) the policy evaluation. You can get rid of the redirect with clientless-mode, but you still need the session cookie for subsequent requests. There are, interestingly enough, a few alternatives. First take a look at the following:
The idea is that you have an LTM VIP, your stunnel virtual. When a client makes a new connection to the VIP and passes the client certificate, you initiate a sideband connection to an APM VIP (in clientless-mode), passing the client certificate in an HTTP header (encoded for transport). The APM VIP consumes the certificate, does the OCSP, and then responds with a "good" or "bad" to the calling sideband. The LTM VIP then simply continues the Stunnel connection or drops it. If there was something in the Stunnel traffic that you could use for persistence, then you'd be able to control how often this process fires. The above example is wildly more complicated than what you'd need, in my opinion, but a good place to start.
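An added sketch of the LTM-side iRule for the sideband approach described in this reply (example code written for this page, not from the thread or from F5). It assumes an APM virtual named /Common/apm_ocsp_vs that accepts GET /cert-check in clientless-mode, reads the certificate from the X-Client-Cert header and answers with an X-Cert-Status header of "good" or "bad"; those names are assumptions, as is the check running on every new TLS connection since stunnel traffic gives nothing to persist on.

```tcl
# Added example, not from the original thread or F5 documentation.
# LTM-side iRule for the stunnel virtual: when the client presents its
# certificate, hand the DER cert to an APM virtual over a sideband connection
# and keep or drop the stunnel connection based on the answer. The stunnel
# client never sees an HTTP redirect or an APM cookie; only the sideband
# request (LTM -> APM, clientless-mode) carries HTTP.
# Assumptions (not on the page): APM virtual /Common/apm_ocsp_vs, path
# /cert-check, request header X-Client-Cert, response header X-Cert-Status.
when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] == 0 } {
        log local0. "stunnel client [IP::client_addr] sent no certificate"
        reject
        return
    }
    # base64-encode the DER certificate so it fits in a single header value
    set cert_b64 [b64encode [SSL::cert 0]]

    # sideband connection to the APM virtual (2 s connect timeout)
    set conn [connect -timeout 2000 -idle 5 -status conn_status /Common/apm_ocsp_vs]
    if { $conn eq "" } {
        log local0. "sideband to APM failed ($conn_status), dropping [IP::client_addr]"
        reject
        return
    }
    set req "GET /cert-check HTTP/1.0\r\nHost: apm-check\r\nX-Client-Cert: $cert_b64\r\nConnection: close\r\n\r\n"
    send -timeout 2000 -status send_status $conn $req
    set resp [recv -timeout 2000 -status recv_status $conn]
    close $conn

    # fail closed: anything other than an explicit "good" (timeout, error,
    # "bad") drops the stunnel connection
    if { [string match -nocase "*X-Cert-Status: good*" $resp] } {
        log local0. "OCSP good for [IP::client_addr]"
    } else {
        log local0. "OCSP not good for [IP::client_addr], dropping"
        reject
    }
}
```

The APM side still needs an access policy that pulls the certificate out of the header and runs the OCSP agent against it, which is the part the linked example covers in more detail.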
- Kevin_Stewart
Employee
Almost forgot. In 11.4 you can also now use the ACCESS::policy evaluate command to evaluate a policy, inline and in clientless-mode, in non-HTTP protocol environments:
https://devcentral.f5.com/wiki/iRules.ACCESS__policy.ashx
Probably a bit simpler than the sideband call stuff. ;)