
Kirimaya
Mar 03, 2024

BIG-IP APM Machine Cert Auth problem

Dear F5 Expert

 

I have now implemented BIG-IP APM SSL VPN auth with AD and Machine Cert Auth. AD auth works fine. But for Machine Cert Auth, the debug log shows the cert was found and the key verified successfully, and I don't know why APM didn't forward the client to the authentication page.

 

Here's my configuration:

SSL Self sign with ZERO SSL

my SSL profile root domain and chain to ZERO SSL

In the APM VPE I just verify the machine cert and allow 2 options, verify key and not verify; I just check the cert SN only.

Here's the CA profile; I just use the CA cert from ZERO SSL.

 

And the last one: here's the log on utility and access report.


Info           2024-03-03 16:23:18:016                       \CertCheckImpl.cpp, CCertCheckImpl::Verify, Store name:"MY", Store location:"LocalMachine", Subject match FQDN:"false", Allow elevation UI:"true", Serial number(HEX):"00898ad22f5f67b4c15e15187d63d0592a", Issuer:"", SubjectAltName:""
Info           2024-03-03 16:23:18:016                       \CertCheckImpl.cpp, CCertCheckImpl::Verify, certInfo:STORE_NAME:MY&STORE_LOCATION:LocalMachine&ALLOW_ELEVATION:1&MATCH_FQDN:0&SN:00898ad22f5f67b4c15e15187d63d0592a&ISSUER:&SAN:, RootCertInfo:IS_TRUSTED:0, Nonce: cWQ2NDNQZHpDbzdKNnRvbWN5SW8=
Info           2024-03-03 16:23:18:017                       \certinfo.cpp, CCertInfo::FindCertificateInStoreExt:, Total certs tested: 1
Info           2024-03-03 16:23:18:017                       \certinfo.cpp, CCertInfo::FindCertificateInStoreExt:, Found matched certificate
Info           2024-03-03 16:23:18:023                       \certinfo.cpp, CCertInfo::IsPrivateKeyPresent, GetPrivateKey succeeded: found private key.
Info           2024-03-03 16:23:18:023                       \CertCheckImpl.cpp, CCertCheckImpl::CheckPrivateKey, The machine certificate has private key on this machine
Info           2024-03-03 16:23:18:033                       \CertCheckImpl.cpp, CCertCheckImpl::Verify, Found key successfully using current user
Info           2024-03-03 16:23:18:033                       \CertCheckImpl.cpp, CCertCheckImpl::CheckPrivateKey, Signing message succeeded
Info           2024-03-03 16:23:18:066                       CUAgentHost::downloadNextAgent() - sending request to server "https://www.kotchagorn.com:10443/my.policy_host?dummy=45b47b8aeb5c96285f65f295ffa35237"
Info           2024-03-03 16:23:18:067                       CUAgentHost::downloadNextAgent() - POST data "version=2.0&client_data=c2Vzc2lvbj0xMzJhNWY3YzhlYzgxODg5MmNiNjJhZmQ4M2MzYjFjYyZkZXZpY2VfaW5mbz1QR0ZuWlc1MFgybHVabT

Info           2024-03-03 16:23:18:166                             <URL>/logon</URL>
Info           2024-03-03 16:23:18:170   EPCHECK             \f5/EPCheck/MultiInstancePolicy.h, f5::EPCheck::MultiInstancePolicy<class EventSink>::stop, waiting for worker thread to exit
Info           2024-03-03 16:23:19:534   EPCHECK             \f5/EPCheck/MultiInstancePolicy.h, f5::EPCheck::MultiInstancePolicy<class EventSink>::run, worker thread exit
Info           2024-03-03 16:23:19:536   EPCHECK             \f5/EPCheck/MultiInstancePolicy.h, f5::EPCheck::MultiInstancePolicy<class EventSink>::stop, worker thread exit
Info           2024-03-03 16:23:19:545                       CUAgentHost::~CUAgentHost() - enter
Info           2024-03-03 16:23:19:545                       CAtlBrCon()::~CAtlBrCon()
Info           2024-03-03 16:23:19:545                       CUAgentHost::~CUAgentHost() - exit
Info           2024-03-03 16:23:19:547   EPCHECK             wWinMain, Endpoint check server process finished (res), 0

 

  

2024-03-03 23:23:18

/Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert./Common/Kotchagorn_vpn_act_machinecert_auth_ag.certificate_revoked' set to '0'

2024-03-03 23:23:18

/Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert./Common/Kotchagorn_vpn_act_machinecert_auth_ag.certificate_verified' set to '0'

2024-03-03 23:23:18

/Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert./Common/Kotchagorn_vpn_act_machinecert_auth_ag.error_message' set to ' X509_verify_cert failed: error #: 20 at depth 0, error message:unable to get local issuer certificate '

2024-03-03 23:23:18

/Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert./Common/Kotchagorn_vpn_act_machinecert_auth_ag.result' set to '0'

2024-03-03 23:23:18

/Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert./Common/Kotchagorn_vpn_act_machinecert_auth_ag.signature_verified' set to '1'

2024-03-03 23:23:18

/Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert.last.certificate_revoked' set to '0'

2024-03-03 23:23:18

/Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert.last.certificate_verified' set to '0'

2024-03-03 23:23:18

/Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert.last.error_message' set to ' X509_verify_cert failed: error #: 20 at depth 0, error message:unable to get local issuer certificate '

2024-03-03 23:23:18

/Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert.last.result' set to '0'

2024-03-03 23:23:18

/Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert.last.signature_verified' set to '1'

 

2024-03-03 23:23:18

/Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.policy.inspectionhost.status' set to 'done'

 

 

 

Could anyone please guide me?

 

 

Best Regards,
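
Added example (not part of the original post and not F5 code): a small Python parser for the `session.check_machinecert.last.*` lines of the access report above that reports which sub-check failed. The sample lines are copied from the post; the function names and the mapping from variable names to sub-checks are assumptions made for illustration.

```python
import re

# Sample input: four access-report lines taken from the post above.
PREFIX = ("/Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable "
          "'session.check_machinecert.last.")
SAMPLE = "\n".join([
    PREFIX + "certificate_verified' set to '0'",
    PREFIX + "error_message' set to ' X509_verify_cert failed: error #: 20 "
             "at depth 0, error message:unable to get local issuer certificate '",
    PREFIX + "result' set to '0'",
    PREFIX + "signature_verified' set to '1'",
])

VAR_RE = re.compile(
    r"^(?P<profile>[^:]+):(?P<partition>[^:]+):(?P<sid>[0-9a-f]+): Session variable "
    r"'session\.check_machinecert\.last\.(?P<name>\w+)' set to '(?P<value>.*)'$")
ERR_RE = re.compile(
    r"error #: (?P<code>\d+) at depth (?P<depth>\d+), error message:(?P<msg>.*)")

def collect(log_text):
    """Group session.check_machinecert.last.* variables by session id."""
    sessions = {}
    for line in log_text.splitlines():
        m = VAR_RE.match(line.strip())
        if m:
            sessions.setdefault(m["sid"], {})[m["name"]] = m["value"].strip()
    return sessions

def diagnose(v):
    """Name the sub-check that failed for one session's variables (assumed mapping)."""
    if v.get("result") == "1":
        return {"failed": None}
    if v.get("signature_verified") != "1":
        return {"failed": "signature"}
    if v.get("certificate_revoked") == "1":
        return {"failed": "revocation"}
    if v.get("certificate_verified") != "1":
        out = {"failed": "chain"}
        m = ERR_RE.search(v.get("error_message", ""))
        if m:  # surface the OpenSSL verify error code, depth and text
            out.update(code=int(m["code"]), depth=int(m["depth"]), msg=m["msg"].strip())
        return out
    return {"failed": "unknown"}

if __name__ == "__main__":
    for sid, variables in collect(SAMPLE).items():
        print(sid, diagnose(variables))
```

In OpenSSL, verify error 20 at depth 0 means the issuer of the leaf (here, machine) certificate was not found among the trusted CA certificates supplied to the verifier.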
