Forum Discussion
Client certificate (stored in F5) presented to server by iRule
Hi Guys,
Could anyone please assist me with a client certificate presented to the server by F5 (iRule)?
This scenario differs from the others as we are using BIG-IP to dynamically present a client certificate. As per the requirement, the client machine will not install a client cert and shouldn't be aware of any client cert (sounds weird BUT correct: [SSL::cert count] <= 0).
F5 will carry the client cert and, based on IP, present it to the server during the SSL communication.
Please advise the iRule syntax that can pull a client cert (stored in F5) and present it to the backend. Thanks
1 Reply
Hi Dinesh,
the iRule you're looking for is rather simple.
Basically you have to configure two different Server-SSL-Profiles for your backend application: one Server-SSL-Profile that negotiates a normal SSL session and a second Server-SSL-Profile (with added Certificate, Key and Chain settings) that negotiates a mutual SSL session using the fixed client certificate. Then use an iRule to switch between the Server-SSL-Profiles based on the client IP...

    when SERVER_CONNECTED {
        if { [IP::addr [IP::client_addr] equals 10.0.0.0/8] } then {
            SSL::profile serverside PROFILE_WITH_CLIENT_CERTIFICATE
        } else {
            SSL::profile serverside PROFILE_WITHOUT_CLIENT_CERTIFICATE
        }
    }

Note: You may also use Datagroups to match your trusted client IPs.
Note: Keep in mind to adjust the OneConnect mask (if OneConnect is used), so that trusted and untrusted clients won't share the same backend connection pool.
Note: For further reading on the Server-SSL-Profile Certificate, Key and Chain settings see: https://support.f5.com/kb/en-us/solutions/public/14000/800/sol14806.html
Cheers, Kai
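The data-group variant mentioned in the reply above, written out as an added example (not code from the original post or from F5). It assumes an address data group named trusted_client_ips and two Server-SSL profiles named serverssl_mtls_fixed_cert (Certificate, Key and Chain set) and serverssl_no_cert; all three names are hypothetical, and the tmsh line in the comments is the assumed way to create the data group. It keeps the same SSL::profile call form as the reply; check it against the SSL::profile reference for your TMOS version before deploying. The design choice is that the profile without the stored client certificate is the default, so a client that does not match the data group can never pick up the BIG-IP-held identity by accident, and every decision is logged for audit.

```tcl
# Added example, not from the original post. Assumed objects:
#   ltm data-group internal trusted_client_ips (type ip), e.g. created with
#     tmsh create ltm data-group internal trusted_client_ips type ip records add { 10.0.0.0/8 { } }
#   ltm profile server-ssl serverssl_mtls_fixed_cert  (cert/key/chain configured)
#   ltm profile server-ssl serverssl_no_cert          (no client certificate)
when SERVER_CONNECTED {
    # Default to the profile WITHOUT the stored client certificate, so an
    # unmatched client is never granted the backend identity.
    set profile "serverssl_no_cert"

    # class match performs a longest-prefix lookup in the address data group,
    # so the trusted set can hold individual hosts as well as subnets.
    if { [class match [IP::client_addr] equals trusted_client_ips] } {
        set profile "serverssl_mtls_fixed_cert"
    }

    # Same call form as in the reply above; applies to this server-side connection.
    SSL::profile serverside $profile

    # Audit trail: which client address caused which profile to be presented.
    log local0. "client [IP::client_addr] -> server-ssl profile $profile"
}
```

Because the choice is keyed purely on the source address, the trusted data group should only contain addresses that cannot be spoofed or shared through NAT with untrusted hosts, and, as the reply notes, the OneConnect mask must keep trusted and untrusted clients from reusing the same backend connection.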