Certificate Authentication on IPAD
Hi, We have an HTTPS website which we would like to securely expose using BIG-IP using certificate authentication. Both laptops with Windows and IPAD are allowed [no Android]. Each and every laptop in our company already has corporate-issued user certificates. Each and every company-provided IPAD is managed by Airwatch. We have allowed Airwatch to issue certificates on behalf of the company, and Airwatch is an intermediate CA for us [in short, both laptops and IPADs have our company-issued certificates].
We have configured LTM and APM rules to check for certificate.
Results: On a corporate laptop, it always works fine and we can see LTM+APM logs for successful cert authentication. On IPAD, it will never work and it states that I need a valid certificate.
Now you might suspect that something is wrong with the IPAD Airwatch-issued cert. But it is not. It is a valid certificate, because if I change the backend server port from HTTPS to HTTP [and still expose the outside virtual server on HTTPS], the certificate check works fine on IPAD. If I put it back on HTTPS for LTM to the backend web server, IPAD does not work.
[In short] Backend Web server on HTTPS:

LAPTOP -> Internet -> HTTPS [LTM + APM CERT CHECK] -> HTTPS -> Web server =====> Works fine
IPAD -> Internet -> HTTPS [LTM + APM CERT CHECK] -> HTTPS -> Web server =====> NOT WORKING

Backend Web server on HTTP:

LAPTOP -> Internet -> HTTPS [LTM + APM CERT CHECK] -> HTTP -> Web server =====> Works fine
IPAD -> Internet -> HTTPS [LTM + APM CERT CHECK] -> HTTP -> Web server =====> Works fine
I have opened a TAC case and still no answer from F5. Any idea will be much appreciated.
29 Replies
- Kevin_Stewart
Employee
It would almost seem like certificates are not as much an issue as server side SSL with an iPad.
What happens if you disable certificate checking in APM and do server side SSL with the iPad?
- John_Antony_162
Nimbostratus
Hi Kevin, Thanks a lot for the answer. If I disable cert check on APM, IPAD loads the HTTPS site properly.
- Kevin_Stewart
Employee
So just to be clear:
iPad client -> HTTPS VIP -> APM cert check -> HTTPS web server (fails)
iPad client -> HTTPS VIP -> APM no cert check -> HTTPS web server (works)
iPad client -> HTTPS VIP -> APM cert check -> HTTP web server (works)
Is that correct?
- John_Antony_162
Nimbostratus
Yes Kevin. You are correct.
- John_Antony_162
Nimbostratus
This is what puzzles me. I worked with TAC for almost 3 weeks and they took multiple captures and SSL dumps. But still no one was able to give me a solution. However, I can't think that we are the first ones doing this. I hope there are other companies that expose their HTTPS sites with cert check on IPAD. That's why I put my bet on DevCentral. I hope all experts can chime in and help me.
- Kevin_Stewart
Employee
Okay, so again just to level set:
iPad client -> HTTPS VIP -> APM cert check -> HTTPS web server (fails)
iPad client -> HTTPS VIP -> APM no cert check -> HTTPS web server (works)
The only thing you're doing here is adding or removing client cert checking, correct? Are you doing this in the VPE or client SSL profile? Are you using standard client and server SSL profiles? ProxySSL? SNI?
Can you also set APM to debug logging mode and provide the log entries for when it fails?
- John_Antony_162
Nimbostratus
> The only thing you're doing here is adding or removing client cert checking, correct?

Ans: Yes. You are correct.

> Are you doing this in the VPE or client SSL profile?

Ans: Cert check is on VPE and also on client SSL profile.

> Are you using standard client and server SSL profiles? ProxySSL? SNI?

Ans: We need to check the client-side cert. So we created a new SSL bundle that "requests" client authentication and looks for our CA as the cert issuer. For the backend web server, we use the default serverssl profile.

> Can you also set APM to debug logging mode and provide the log entries for when it fails?

Ans: Here is the output. I forgot to mention that we perform an LDAP query to check the username against an AD group membership. The logs below are from an unsuccessful attempt. However, APM was able to extract the username from my certificate as "johnpaul.Antony". So it sees the certificate and still does not allow me.

2014-06-27 12:38:23 Received User-Agent header: Mozilla%2f5.0%20(iPad%3b%20CPU%20OS%207_1_1%20like%20Mac%20OS%20X)%20AppleWebKit%2f537.51.2%20(KHTML%2c%20like%20Gecko)%20Version%2f7.0%20Mobile%2f11D201%20Safari%2f9537.53.
2014-06-27 12:38:23 Received client info - Type: Safari Version: 1 Platform: iOS CPU: unknown UI Mode: Mobile Smart Phone Javascript Support: 1 ActiveX Support: 0 Plugin Support: 0
2014-06-27 12:38:23 New session from client IP 208.185.x.x (ST=New Jersey/CC=US/C=NA) at VIP 10.16.20.50 Listener /Common/xxxxx_KABOIxxx (Reputation=Unknown)
2014-06-27 12:38:23 Username 'JohnPaul.Antony'
2014-06-27 12:38:23 Following rule 'User Group Membership' from item 'LDAP Query' to ending 'Allow'
2014-06-27 12:38:23 Access policy result: LTM+APM_Mode
- Kevin_Stewart
Employee
Try this: set the client SSL cert auth setting to Ignore, so that APM is the only thing prompted for client cert.
- John_Antony_162
Nimbostratus
Sure. I will test it now. However, how do we ensure that we are actually allowing the cert issued by our trusted CA? With a custom clientssl bundle, it gives you the option to look for a specific CA exactly. Will it do the same on APM?
- Kevin_Stewart
Employee
The APM On-Demand Cert Auth agent forces an SSL renegotiation on the existing SSL session created by the client SSL profile. It basically just flips the cert auth switch in the SSL profile, and all other settings (CA trust, certificates, etc.) are maintained in the SSL profile.
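A client SSL profile laid out the way Kevin suggests, as an added illustration (not configuration from this thread or from F5): cert auth is set to Ignore so the profile itself never prompts for a client cert, while the trusted CA and chain-depth settings stay in the profile for the APM On-Demand Cert Auth agent to use when it renegotiates. Profile and file names are placeholders; the agent itself is added in the VPE and is not shown here.

```tmsh
# Hypothetical names: corp_clientssl, corp_server.crt/.key, corp_chain.crt, corp_issuing_ca.crt
ltm profile client-ssl corp_clientssl {
    defaults-from clientssl
    cert-key-chain {
        default {
            cert corp_server.crt
            key corp_server.key
            chain corp_chain.crt
        }
    }
    # Profile does not request a client cert on its own; APM On-Demand Cert Auth triggers the renegotiation
    peer-cert-mode ignore
    # Trusted issuer(s) used to validate the presented client cert (still enforced during the APM-triggered renegotiation)
    ca-file corp_issuing_ca.crt
    authenticate once
    authenticate-depth 9
    # Renegotiation must stay enabled or the On-Demand Cert Auth agent cannot re-handshake the session
    renegotiation enabled
}
```

With this layout the issuer restriction lives in ca-file on the profile, which answers the question above about still pinning the check to the company CA.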