I want to implement SSL forward proxy client and server authentication, and I am not sure how certificates are implemented. How can it be done? I mean how do I have to implement client and server certificates in order to proxy/forward SSL traffic to a backend SSL server? I am using a BIG-IP LTM appliance.

I might be mistaken, but it sounds like you need reverse proxy services. Certificates are used by SSL profiles. Jason put together a good read on SSL profiles which you can find here: https://devcentral.f5.com/articles/ssl-profiles-part-1.UyL53YXD-18 What kind of authentication will you need? If you are using client certificate based, then you'll need to look into using proxy SSL: http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html

I am trying to implement the scenario explained in the article: http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-3-0/14.html Under BIP-IP LTM version 11.3.0, File Management : SSL Certificate List, I created a certificate named "test.domain.com" which generated a file. I sent the file to our CA management team and they returned 2 files to me (certtest.cer and certtest.p7b). Then I imported it to BIG-IP and bound it to a client SSL profile. Then I had our CA team generated certificate file containing the backend server's certificate and key which I imported to the BIG-IP and bound it to a server SSL profile. I followed the procedure mentioned in the article, but I get an error connecting to site. Using Google Chrome browser, I get more explanation about the error: Error type: Malformed certificate Objet: backendserver.domain.com Issuer: test.domain.com I am wandering how certificates should be implemented in such a scenario. Best regards, Alain

You should be able to use the backend server certificate and key for both your client and server SSL profiles. I would think this would be desired behavior if you want the LTM to behave as if it's the web server, from the end user's perspective. Try changing your SSL client profile to use the same certificate/key pair as the SSL server profile and see if this makes a difference.

I am not sure this make sense as I want to go to https://test.domain.com and there are 2 backend servers that are load balanced as backendserver1.domain.com and backendserver2.domain.com. Each of those servers has its own certificate. How can I assure client communications in this case?

My apologies, I was unaware you had multiple backend servers. Are you certain that the certificate you imported and applied to your client SSL profile is properly formatted? It sounds like the certificate may be the problem in this case.

Certificates implementation in "SSL forward proxy client and server authentication" scenario.

Kevin_Stewart
Employee
May 06, 2014
The problem is sort of a paradox. You need to known when to decrypt and when not to decrypt based on the request, but you can't know that without decrypting first. There are a few less-than-optimal options:

If you can base all decisions on IP addresses (OSI layer 4), then you could either enable/disable SSL based on client source or have two separate destination VIPs with different SSL characteristics.

The TLS protocol offers an attribute in unencrypted handshake data, the "servername" value, that can be used to make routing decisions. This gets tricky because 1) beyond the handshake you have to maintain some form of persistence, and 2) not every client will support TLS.

I would also add, as I mentioned before, that not offloading the SSL at the proxy will put you at some disadvantage. SSL throughput on a BIG-IP device will almost always be MUCH higher than that of a commodity server, offloading SSL gives you the ability to enforce stronger client authentication and cipher control than you can usually get from a typical web server, and without access to the unencrypted HTTP payload at the proxy, you lose HTTP-based iRules, layer 7 optimization, cookie persistence, etc. Perhaps a better approach is to think about the many ways the F5 device can be used to proxy authentication instead of pass it through.
Darek_H_152835
Nimbostratus
May 07, 2014
Kevin - i think we didn't understand correctly here. I can make decryption on the client side - this is not a problem. The main question here is the F5 can act as a client for the server it will connect and use client cert to authenticate ? So 2 servers will connect to the F5 VIP (HTTPS will be included, no client cert auth, SSL Offloading will occur). Then F5 will establish new HTTPS session (with client auth cert) to the server and send the requests there from the 2 servers. As i know how to offload the client site i don't see anything regarding client cert auth on the server side (profile). So the question here is - if it's possible to use client cert auth on the server side (one client cert will be provided for the F5) ? Many thanks for any info on that.
Kevin_Stewart
Employee
May 07, 2014
You can definitely put a client cert (and private key) in a server SSL profile, just not the client cert passed from a client to the VIP (if offloading SSL on the client side). To add a client cert and private key on the server side, import the cert and key and specify them in the Certificate and Key sections of the server SSL profile.
Luis_Abdiel_204
Nimbostratus
Jun 02, 2015
Hi.

How can use my "Oracle Http Server" certificates (auto login wallets) in ASM BigIP? How can import the auto login wallets to ASM BigIP?

Forum Discussion

Certificates implementation in "SSL forward proxy client and server authentication" scenario.

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Implementing SSL Orchestrator - Certificate Considerations

CORS implementation

Automating ACMEv2 Certificate Management on BIG-IP

SSL Profiles Part 3: Certificate Chain Implementation

How I did it - "Application authentication with Verizon ID and F5 Access Policy Manager"

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS