Forum Discussion
APM portal mode and On Demand Certificate Authentication
I am doing certificate authentication before assigning portal resources. It doesn't pass On-Demand certificate authentication, so I don't get to OCSP or LDAP; the SSL session breaks. LTM says something like:
Apr 29 09:43:46 bigipteste info tmm1[8674]: 01260013:6: SSL Handshake failed for TCP from 10.10.10.100:49322 to 10.10.10.10:443
Apr 29 09:43:58 bigipteste debug tmm[8674]: 01260006:7: Peer cert verify error: unable to get local issuer certificate (depth 0; cert /DC=ro/DC=test/CN=Users/CN=test 01)
Apr 29 09:43:58 bigipteste debug tmm[8674]: 01260009:7: Connection error: ssl_shim_vfycerterr:2912: unable to get local issuer certificate (42)
Apr 29 09:43:58 bigipteste info tmm[8674]: 01260013:6: SSL Handshake failed for TCP from 10.10.10.100:49323 to 10.10.10.10:443
while APM says:
Apr 29 09:43:46 bigipteste info apd[5814]: 01490006:6: 0d2c7fe9: Following rule 'fallback' from item 'Logon Page' to item 'On-Demand Cert Auth'
Apr 29 09:43:46 bigipteste info apd[5814]: 01490004:6: 0d2c7fe9: Executed agent '/Common/Portal_act_ondemand_cert_auth_ag', return value 3
Apr 29 09:43:46 bigipteste debug apd[5814]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "_executeOneAgent()" line: 108 Msg: user input is required
Apr 29 09:43:46 bigipteste info apd[5814]: 01490007:6: 0d2c7fe9: Session variable 'session.ssl.cert.valid' set to '1'
Apr 29 09:43:46 bigipteste debug apd[5814]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "setSessionInactive()" line: 887 Msg: 0d2c7fe9: done with request processing
Apr 29 09:43:46 bigipteste debug apd[5814]: 01490000:7: AccessPolicyD.cpp func: "sendAccessPolicyResponse()" line: 1532 Msg: send 'redirect to EUIE' code, redirect URL="/agent_aaa_clientcert_form.cca"
I've tried the same debugging with a policy for an LTM VS, and I can see the entire SSL certificate parameters and the on-demand authentication is successful. I'm using the same client SSL profiles for both access policies; the chain trust certificate is installed and set in the client authentication section. The only difference between them is the type of access policy.
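An added triage helper, not from the original post or from F5: it splits the run-together BIG-IP log output quoted above back into entries and flags the depth-0 "unable to get local issuer certificate" verify error, which in OpenSSL terms means the CA that issued the client certificate is not in the profile's trusted CA bundle. The sample blob is constructed from the lines in the post; the regex field names are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, modelled on the post's fused LTM and APM log output.
SAMPLE = (
    "Apr 29 09:43:46 bigipteste info tmm1[8674]: 01260013:6: SSL Handshake failed for TCP from 10.10.10.100:49322 to 10.10.10.10:443"
    "Apr 29 09:43:58 bigipteste debug tmm[8674]: 01260006:7: Peer cert verify error: unable to get local issuer certificate (depth 0; cert /DC=ro/DC=test/CN=Users/CN=test 01)"
    "Apr 29 09:43:58 bigipteste debug tmm[8674]: 01260009:7: Connection error: ssl_shim_vfycerterr:2912: unable to get local issuer certificate (42)"
    "Apr 29 09:43:46 bigipteste info apd[5814]: 01490004:6: 0d2c7fe9: Executed agent '/Common/Portal_act_ondemand_cert_auth_ag', return value 3"
)

# One syslog entry: timestamp host level process[pid]: code:severity: message
ENTRY = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<level>\w+) "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<code>[0-9a-fA-F]{8}):(?P<sev>\d): (?P<msg>.*)"
)
# Entries lose their newlines when copied out of the GUI; split where the next timestamp starts.
BOUNDARY = re.compile(
    r"(?=[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ (?:info|debug|notice|warning|err|crit) \w+\[\d+\]:)"
)
VERIFY_ERR = re.compile(r"Peer cert verify error: (?P<reason>.+?) \(depth (?P<depth>\d+); cert (?P<subject>.+)\)$")

@dataclass
class Entry:
    ts: str
    host: str
    level: str
    proc: str
    code: str
    msg: str

def split_entries(blob: str) -> List[Entry]:
    out = []
    for chunk in BOUNDARY.split(blob):
        m = ENTRY.match(chunk.strip())
        if m:
            out.append(Entry(m["ts"], m["host"], m["level"], m["proc"], m["code"], m["msg"]))
    return out

def triage(blob: str) -> dict:
    """Count handshake failures and pull the verify error, subject DN and chain depth."""
    result = {"entries": 0, "handshake_failures": 0, "verify_errors": []}
    for e in split_entries(blob):
        result["entries"] += 1
        if e.code == "01260013":          # "SSL Handshake failed" message code
            result["handshake_failures"] += 1
        v = VERIFY_ERR.search(e.msg)
        if v:
            result["verify_errors"].append({"reason": v["reason"], "depth": int(v["depth"]), "subject": v["subject"]})
    # depth 0 = the client certificate itself; its issuer is missing from the trusted CA bundle.
    result["chain_misconfig"] = any(x["depth"] == 0 and "local issuer" in x["reason"] for x in result["verify_errors"])
    return result
```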