Forum Discussion
JCMATTOS_41723
Nimbostratus
Jul 22, 2010
Client Certificate Authentication w/ specific url's?
We have an LTM 8400 9.4.7 and have a new requirement to use client certificate authentication for a certain url web service. We have a very specific need to protect the following web service https://w...
JCMATTOS_41723
Nimbostratus
Aug 13, 2010
Thx Hoolio! We are not planning on upgrading to 10.1/10.2 until next year sometime. After reviewing some of your recommended options, it seems that we would rather avoid any vulnerabilities if possible and go with trying the subdomain approach first. The OCSP article looked interesting but required a 9.4.8 HF3 upgrade, which we are not ready to do just yet. We certainly don't mind being a case study, in hopes we can collectively find a good solution in the end.

Do you have an example of the subdomain method you mentioned earlier? This sounds like it might work well. The part I'm a little confused about is: if we create a new subdomain VS for all Client Certificate Authentication, do we only redirect the specific URIs from the main VS to this one? In other words, suppose our client hits https://www.abc123...rvice.asmx on the main VS, gets redirected to https://www.abc321...rvice.asmx on the new subdomain VS using CCA (2-way SSL), and it works as expected. However, if the same client hits https://www.abc123.com/ClaimService on the main VS, would he get redirected as well? And at that point can he just use normal SSL certificate authentication to connect to this service?
"Another option for implementing selective client cert requesting would be to use a new subdomain which requests a client cert for all URIs. (So are you saying create a new subdomain VS for all CCA URIs?)
You could then use an iRule on the main VS which redirects requests for the URIs you want a client cert for to the new subdomain. (Place an iRule redirect on the main VS to redirect the specific URIs to the new subdomain VS.)
A separate iRule on the new subdomain VS would request a client cert for all URIs. (Place another iRule on the new subdomain VS to allow CCA on this VS.)
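
A sketch of the subdomain approach discussed above, added here as an illustration and not taken from any post in this thread. The hostname `cca.example.com` and the path `/example/protectedservice.asmx` are placeholders, and it is assumed that the subdomain VS uses a client SSL profile with the client certificate option set to require and a trusted CA configured.

```tcl
# ---------------------------------------------------------------
# iRule 1: attach to the MAIN virtual server (normal one-way SSL)
# ---------------------------------------------------------------
when HTTP_REQUEST {
    # Compare on a lower-cased path. .asmx endpoints are typically served
    # case-insensitively, so an exact-case match could be sidestepped by
    # requesting the same path in different case.
    switch -glob [string tolower [HTTP::path]] {
        "/example/protectedservice.asmx*" {
            # Placeholder path. Requests for it are never proxied from the
            # main VS; the client is sent to the subdomain VS with the
            # original path and query string preserved.
            HTTP::redirect "https://cca.example.com[HTTP::uri]"
        }
        default {
            # Any other URI (for example /ClaimService) is not redirected
            # and continues to use ordinary server-side SSL on this VS.
        }
    }
}

# ---------------------------------------------------------------
# iRule 2: attach to the SUBDOMAIN virtual server (two-way SSL)
# Assumption: the client SSL profile on this VS requires a client
# certificate, so every URI served here sits behind the handshake.
# ---------------------------------------------------------------
when CLIENTSSL_CLIENTCERT {
    # Record who presented a certificate and how verification went,
    # which gives an audit trail for access to the protected service.
    if { [SSL::cert count] > 0 } {
        set subject [X509::subject [SSL::cert 0]]
        set result  [X509::verify_cert_error_string [SSL::verify_result]]
        log local0. "CCA VS: client [IP::client_addr] subject=$subject verify=$result"
    } else {
        log local0. "CCA VS: client [IP::client_addr] sent no certificate"
    }
}
```

Only the URIs listed in the `switch` are redirected, so the protected service is reachable solely through the VS that demands a client certificate. Web service clients do not always follow a redirect on a POST, so it can be simpler to give them the subdomain URL directly and keep the redirect as a fallback.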
