Forum Discussion

Kirimaya
Mar 03, 2024

BIG-IP APM Machine Cert Auth problem

Dear F5 Expert,

I have implemented BIG-IP APM SSL VPN auth with AD and Machine Cert Auth. AD auth works fine. But for Machine Cert Auth, I found that the debug log shows the cert is found and the key verification succeeds. But I don't know why APM didn't forward the client to the authentication page.

 

Here's my configuration:

SSL self-signed with ZERO SSL

My SSL profile: root domain and chain to ZERO SSL

In the APM VPE I just verify the machine cert and allow 2 options, verify key and not verify; I just check the cert SN only.

Here's the CA profile; I just use the CA cert from ZERO SSL.

And lastly, here are the logon utility and access report:


Info           2024-03-03 16:23:18:016                       \CertCheckImpl.cpp, CCertCheckImpl::Verify, Store name:"MY", Store location:"LocalMachine", Subject match FQDN:"false", Allow elevation UI:"true", Serial number(HEX):"00898ad22f5f67b4c15e15187d63d0592a", Issuer:"", SubjectAltName:""
Info           2024-03-03 16:23:18:016                       \CertCheckImpl.cpp, CCertCheckImpl::Verify, certInfo:STORE_NAME:MY&STORE_LOCATION:LocalMachine&ALLOW_ELEVATION:1&MATCH_FQDN:0&SN:00898ad22f5f67b4c15e15187d63d0592a&ISSUER:&SAN:, RootCertInfo:IS_TRUSTED:0, Nonce: cWQ2NDNQZHpDbzdKNnRvbWN5SW8=
Info           2024-03-03 16:23:18:017                       \certinfo.cpp, CCertInfo::FindCertificateInStoreExt:, Total certs tested: 1
Info           2024-03-03 16:23:18:017                       \certinfo.cpp, CCertInfo::FindCertificateInStoreExt:, Found matched certificate
Info           2024-03-03 16:23:18:023                       \certinfo.cpp, CCertInfo::IsPrivateKeyPresent, GetPrivateKey succeeded: found private key.
Info           2024-03-03 16:23:18:023                       \CertCheckImpl.cpp, CCertCheckImpl::CheckPrivateKey, The machine certificate has private key on this machine
Info           2024-03-03 16:23:18:033                       \CertCheckImpl.cpp, CCertCheckImpl::Verify, Found key successfully using current user
Info           2024-03-03 16:23:18:033                       \CertCheckImpl.cpp, CCertCheckImpl::CheckPrivateKey, Signing message succeeded
Info           2024-03-03 16:23:18:066                       CUAgentHost::downloadNextAgent() - sending request to server "https://www.kotchagorn.com:10443/my.policy_host?dummy=45b47b8aeb5c96285f65f295ffa35237"
Info           2024-03-03 16:23:18:067                       CUAgentHost::downloadNextAgent() - POST data "version=2.0&client_data=c2Vzc2lvbj0xMzJhNWY3YzhlYzgxODg5MmNiNjJhZmQ4M2MzYjFjYyZkZXZpY2VfaW5mbz1QR0ZuWlc1MFgybHVabT

Info           2024-03-03 16:23:18:166                             <URL>/logon</URL>
Info           2024-03-03 16:23:18:170   EPCHECK             \f5/EPCheck/MultiInstancePolicy.h, f5::EPCheck::MultiInstancePolicy<class EventSink>::stop, waiting for worker thread to exit
Info           2024-03-03 16:23:19:534   EPCHECK             \f5/EPCheck/MultiInstancePolicy.h, f5::EPCheck::MultiInstancePolicy<class EventSink>::run, worker thread exit
Info           2024-03-03 16:23:19:536   EPCHECK             \f5/EPCheck/MultiInstancePolicy.h, f5::EPCheck::MultiInstancePolicy<class EventSink>::stop, worker thread exit
Info           2024-03-03 16:23:19:545                       CUAgentHost::~CUAgentHost() - enter
Info           2024-03-03 16:23:19:545                       CAtlBrCon()::~CAtlBrCon()
Info           2024-03-03 16:23:19:545                       CUAgentHost::~CUAgentHost() - exit
Info           2024-03-03 16:23:19:547   EPCHECK             wWinMain, Endpoint check server process finished (res), 0

 

  

2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert./Common/Kotchagorn_vpn_act_machinecert_auth_ag.certificate_revoked' set to '0'
2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert./Common/Kotchagorn_vpn_act_machinecert_auth_ag.certificate_verified' set to '0'
2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert./Common/Kotchagorn_vpn_act_machinecert_auth_ag.error_message' set to ' X509_verify_cert failed: error #: 20 at depth 0, error message:unable to get local issuer certificate '
2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert./Common/Kotchagorn_vpn_act_machinecert_auth_ag.result' set to '0'
2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert./Common/Kotchagorn_vpn_act_machinecert_auth_ag.signature_verified' set to '1'
2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert.last.certificate_revoked' set to '0'
2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert.last.certificate_verified' set to '0'
2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert.last.error_message' set to ' X509_verify_cert failed: error #: 20 at depth 0, error message:unable to get local issuer certificate '
2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert.last.result' set to '0'
2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert.last.signature_verified' set to '1'
2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.policy.inspectionhost.status' set to 'done'

 

 

 

Can anyone please guide me?

Best Regards,
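
Added example, not part of the original post and not F5 code: a small parser that reads the session.check_machinecert.last.* entries from the access report above and separates the key-possession check from the chain-trust check. It assumes a value of '1' means the check passed (or, for certificate_revoked, that the certificate is revoked); the function names and the hint wording are illustrative, and the numeric codes are OpenSSL's X509_V_ERR_* values.

```python
import re

# The five 'last' entries from the access report in the post, message text only.
PREFIX = ("/Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable "
          "'session.check_machinecert.last.")
REPORT = "\n".join([
    PREFIX + "certificate_revoked' set to '0'",
    PREFIX + "certificate_verified' set to '0'",
    PREFIX + "error_message' set to ' X509_verify_cert failed: error #: 20 at depth 0, "
             "error message:unable to get local issuer certificate '",
    PREFIX + "result' set to '0'",
    PREFIX + "signature_verified' set to '1'",
])

VAR_RE = re.compile(r"'session\.check_machinecert\.last\.(\w+)' set to '([^']*)'")
ERR_RE = re.compile(r"error #: (\d+) at depth (\d+)")

# OpenSSL verify codes that point at chain building, with what to check (hint text is ours).
CHAIN_HINTS = {
    2: "issuer of an intermediate is missing from the CA bundle",
    19: "chain ends in a self-signed root that is not in the CA bundle",
    20: "issuer of the certificate at this depth is not in the CA bundle",
    21: "only the leaf was supplied and its issuer is not in the CA bundle",
}

def parse_vars(report):
    """Return {name: value} for session.check_machinecert.last.* entries."""
    return {m.group(1): m.group(2).strip() for m in VAR_RE.finditer(report)}

def diagnose(report):
    """Split the overall result into its component checks (assumes '1' == true)."""
    v = parse_vars(report)
    out = {
        "passed": v.get("result") == "1",
        "key_possession": v.get("signature_verified") == "1",
        "chain_trusted": v.get("certificate_verified") == "1",
        "revoked": v.get("certificate_revoked") == "1",
        "code": None, "depth": None, "hint": None,
    }
    m = ERR_RE.search(v.get("error_message", ""))
    if m:
        out["code"], out["depth"] = int(m.group(1)), int(m.group(2))
        out["hint"] = CHAIN_HINTS.get(out["code"], "see OpenSSL verify(1) error codes")
    return out

if __name__ == "__main__":
    for key, value in diagnose(REPORT).items():
        print(f"{key}: {value}")
```

For the report above this shows key possession succeeding while chain trust fails with OpenSSL code 20 at depth 0, that is, at the machine certificate itself.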
