Forum Discussion

Born_7758
Jun 22, 2011

Client Certificate Authentication

Hello Everyone,

I was given a .arm file to install on the F5. What would be the best way to do client certificate authentication using the file I was given?

  • Per this page I think an arm file is:

    http://publib.boulder.ibm.com/infocenter/tivihelp/v5r1/index.jsp?topic=%2Fcom.ibm.itim.infocenter.doc%2Fcpt%2Fcpt_ic_security_ssl_oview_ftypes.html

    A file with an extension of .arm contains a base-64 encoded ASCII representation of a certificate, including its public key, but not its private key. An .arm format is generated and used by the IBM® Key Management utility. Specify this format to extract a self-signed certificate from the machine on which the self-signed certificate was generated to the machine that will use the self-signed certificate as the CA certificate.

    I think arm is a synonym for PEM files. So you should be able to upload it via the GUI under Local Traffic >> SSL certificates.

    Is it supposed to be the issuer root cert? Or something else? If it is the issuer root cert, you can specify it in the client SSL profile's trusted CA bundle and advertised CA bundle.

    Aaron
  • Hi Aaron,

    Is there a possibility where we can specify which certificate they should send to the F5 to authenticate themselves?

    Or

    Can we do it only with an issuer root cert?

    I am looking for a setup where the clients will come with a specific certificate and the F5 will authenticate only if it sees that coming in from the client.

    Please let me know what we can do here. Thanks in advance.
  • Hi Sojan,

    In SSL, the server (LTM in this case) can specify the CA issuer cert(s) that it will accept but not tell the client to provide a specific certificate. For LTM, you can select one or more CA certs to send to the client in the SSL handshake using the client SSL profile's trusted CA bundle setting. Within an iRule, you can check for the attributes and either reject the handshake, send an HTTP response, etc. if the client cert isn't considered valid.

    sol10167: Overview of the Client SSL profile

    https://support.f5.com/kb/en-us/solutions/public/10000/100/sol10167.html

    Aaron
  • Thank you Aaron,

    There is a slight change in the requirement, so we have to set up a thumbprint match and I saw this iRule on DevCentral. But I am confused how my data group should be configured to work with this iRule?

    I am looking for String, Value and how that should be set up.

    when CLIENTSSL_HANDSHAKE {
        # Only inspect a certificate if the client actually presented one;
        # X509::subject on an empty value would otherwise raise a Tcl error
        if { [SSL::cert count] > 0 } {
            set subject_dn [X509::subject [SSL::cert 0]]
            set cert_hash [X509::hash [SSL::cert 0]]
            # skip count 0 keeps the "CN=" prefix in the extracted value, so the
            # data group string has to be e.g. "CN=alice" rather than "alice"
            set cSSLSubject [findstr $subject_dn "CN=" 0 ","]

            log local0. "Subject = $subject_dn, Hash = $cert_hash and $cSSLSubject"

            # Check if the client certificate contains the correct CN and Thumbprint from the list
            set Expected_hash [class lookup $cSSLSubject mythumbprints]

            # string comparison (ne) so hex-looking hashes are never compared numerically
            if { $Expected_hash ne $cert_hash } {
                log local0. "Thumbprint presented doesn't match mythumbprints. Expected Hash = $Expected_hash, Hash received = $cert_hash"
                reject
            }
        } else {
            log local0. "No client certificate presented"
            reject
        }
    }
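To see what the data group records have to look like, here is an added offline model of the iRule's decision (written for this thread, not code from F5 or DevCentral): findstr and class lookup are emulated from their documented semantics, the mythumbprints records are constructed, and the thumbprint strings are placeholders for whatever X509::hash logs on the box.

```python
# Added offline model of the thumbprint-allowlist iRule from this thread
# (emulation, not F5 code). findstr and class lookup are reproduced from
# their documented iRule semantics; the data group below is constructed.

def findstr(text, search, skip=0, terminator=None):
    """iRule findstr: substring starting `skip` chars after the first match
    of `search`, up to (not including) `terminator`; runs to the end of the
    string when the terminator is absent; "" when `search` is not found."""
    start = text.find(search)
    if start == -1:
        return ""
    start += skip
    if terminator is not None:
        end = text.find(terminator, start)
        if end != -1:
            return text[start:end]
    return text[start:]


def class_lookup(key, datagroup):
    """iRule `class lookup`: the record's value, or "" when the key is absent."""
    return datagroup.get(key, "")


# Constructed data group "mythumbprints": because the iRule calls findstr with
# skip count 0, the String (key) keeps the "CN=" prefix; the Value is the
# thumbprint exactly as X509::hash reports it in the iRule's log line.
MYTHUMBPRINTS = {
    "CN=alice": "A1B2C3D4E5F60718293A4B5C6D7E8F9001122334",  # constructed
    "CN=bob":   "00112233445566778899AABBCCDDEEFF00112233",  # constructed
}


def check_client_cert(subject_dn, cert_hash, datagroup=MYTHUMBPRINTS):
    """Mirror the iRule's decision for one handshake: (accepted, reason).
    Also rejects explicitly when the CN has no record at all."""
    if not subject_dn or not cert_hash:
        return False, "no client certificate presented"
    csubject = findstr(subject_dn, "CN=", 0, ",")
    expected = class_lookup(csubject, datagroup)
    if not expected:                       # CN not in the allowlist
        return False, f"{csubject!r} has no entry in mythumbprints"
    if expected != cert_hash:              # same test as the iRule's if
        return False, f"thumbprint mismatch for {csubject!r}"
    return True, f"thumbprint matched for {csubject!r}"
```

A data group keyed without the "CN=" prefix makes the lookup return "" for every client, so every handshake is rejected; the String column must match what findstr extracts.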