Forum Discussion
client certificate ( store in F5 ) presented to server by irule
Hi Dinesh,
the iRule you're looking for is rather simple.
Basically you have to configure two different Server-SSL-Profiles for your backend application. One Server-SSL-Profile that negotiates a normal SSL-Session and a second Server-SSL-Profile (with added Certificate, Key and Chain Settings) that negotiates a mutual SSL-Session using the fixed client certificate. And then use an iRule to switch between the Server-SSL-Profiles based on the client IP...
when SERVER_CONNECTED {
    # Trusted clients (here: the 10.0.0.0/8 range) get the Server-SSL-Profile
    # that carries the stored client certificate, so the backend sees mutual TLS
    if { [IP::addr [IP::client_addr] equals 10.0.0.0/8] } then {
        SSL::profile serverside PROFILE_WITH_CLIENT_CERTIFICATE
    } else {
        # Everyone else gets a plain server-side SSL session without a client certificate
        SSL::profile serverside PROFILE_WITHOUT_CLIENT_CERTIFICATE
    }
}
Note: You may also use Datagroups to match your trusted Client IPs.
Note: Keep in mind to adjust the OneConnect mask (if OneConnect is used), so that trusted and untrusted clients don't share the same backend connection pool.
Note: For further reading on the Server-SSL-Profile Certificate, Key and Chain settings see: https://support.f5.com/kb/en-us/solutions/public/14000/800/sol14806.html
Cheers, Kai
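An added example (not part of Kai's post) of the same profile switch, but with the trusted-client check done against an address-type data group, as the first note suggests, and with each decision logged so the choice can be audited; the data group name "trusted_clients_dg" and the two profile names are assumptions.

```tcl
# Added example, not from the original post. Assumed objects:
#   data group "trusted_clients_dg" (type: address) listing trusted client subnets
#   Server-SSL-Profile "serverssl_with_client_cert" (cert, key and chain configured)
#   Server-SSL-Profile "serverssl_without_client_cert" (plain server-side TLS)
when SERVER_CONNECTED {
    set client [IP::client_addr]
    # class match against an address data group does subnet matching, so the
    # trusted ranges can be maintained in the data group instead of in the iRule
    if { [class match $client equals trusted_clients_dg] } {
        # Trusted source: present the stored client certificate to the backend
        SSL::profile serverside serverssl_with_client_cert
        log local0.info "client $client -> backend [IP::server_addr]: mutual TLS profile selected"
    } else {
        # Untrusted source: standard server-side TLS, no client certificate offered
        SSL::profile serverside serverssl_without_client_cert
        log local0.info "client $client -> backend [IP::server_addr]: standard TLS profile selected"
    }
}
```

The log lines give a per-connection record of which backend profile was chosen, which is what you would review if an untrusted client ever appears to reach the backend with the certificate-bearing profile.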