Forum Discussion

Born_7758's avatar
Born_7758
Icon for Nimbostratus rankNimbostratus
Jun 22, 2011

Client Certificate Authentication

Hello Everyone,

 

 

I was given a .arm file to install on the F5 . What would be the best way to do client certificate authentication using the file I was given?

 

 

 

 

 

application delivery
dev
devops
iRules

4 Replies

Sort By
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jun 23, 2011
    Per this page I think an arm file is:

     

     

     

    http://publib.boulder.ibm.com/infocenter/tivihelp/v5r1/index.jsp?topic=%2Fcom.ibm.itim.infocenter.doc%2Fcpt%2Fcpt_ic_security_ssl_oview_ftypes.html

     

     

    A file with an extension of .arm contains a base-64 encoded ASCII representation of a certificate, including its public key, but not its private key. An .arm format is generated and used by the IBM® Key Management utility. Specify this format to extract a self-signed certificate from the machine on which the self-signed certificate was generated to the machine that will use the self-signed certificate as the CA certificate.

     

     

     

    I think arm is a synonym for PEM files. So you should be able to upload it via the GUI under Local Traffic >> SSL certificates.

     

     

    Is is supposed to be the issuer root cert? Or something else? If it is the issuer root cert, you can specify it in the client SSL profile's trusted CA bundle and advertised CA bundle.

     

     

    Aaron
  • sojan_86359's avatar
    sojan_86359
    Icon for Nimbostratus rankNimbostratus
    Jun 22, 2012
    Hi Aron,

     

     

    Is there a possibility where we can specify which certificate they should send to F5 to suthenticate themselse ?

     

    Or

     

    Can we do only with an issuer root cert ?

     

     

    I am looking for a setup where the clients will come with a specific certificate and F5 will authenticate only he see that coming in from the client

     

     

    Please let me what we can do here.. thanks in advance
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jun 22, 2012
    Hi Sojan,

     

     

    In SSL, the server (LTM in this case) can specify the CA issuer cert(s) that it will accept but not tell the client to provide a specific certificate. For LTM, you can select one or more CA certs to send to the client in the SSL handshake using the client SSL profile's trusted CA bundle setting. Within an iRule, you can check for the attributes and either reject the handshake, send an HTTP response, etc if the client cert isn't considered valid.

     

     

    sol10167: Overview of the Client SSL profile

     

    https://support.f5.com/kb/en-us/solutions/public/10000/100/sol10167.html

     

     

    Aaron
  • sojan_86359's avatar
    sojan_86359
    Icon for Nimbostratus rankNimbostratus
    Jun 25, 2012
    Thank you aron ,

     

     

    There is a slight change in the requirement , so we have to setup thumbprint match and I saw this irule in devcentral. But I am confused how should my Data group should be configured to work with this Irule ?

     

     

    I am looking for String , Value and how should that be setup

     

     

    1: when CLIENTSSL_HANDSHAKE {

     

    2: set subject_dn [X509::subject [SSL::cert 0]]

     

    3: set cert_hash [X509::hash [SSL::cert 0]]

     

    4: set cSSLSubject [findstr $subject_dn "CN=" 0 ","]

     

    5:

     

    6: log local0. "Subject = $subject_dn, Hash = $cert_hash and $cSSLSubject"

     

    7:

     

    8: Check if the client certificate contains the correct CN and Thumbprint from the list

     

    9: set Expected_hash [class lookup $cSSLSubject mythumbprints]

     

    10:

     

    11: if { $Expected_hash != $cert_hash } {

     

    12: log local0. "Thumbprint presented doesn't match mythumbprints. Expected Hash = $Expected_hash, Hash received = $cert_hash" 13: reject

     

    14: }

     

    15: }