Forum Discussion
zafer
Nimbostratus
Oct 14, 2009
Client Certificate authentication
Hello,
Our IIS uses certificate-based client authentication.
We want to do SSL offload on the BIG-IP and support client authentication with the BIG-IP.
I have two VIPs: 192.168.1.60:http and 192.168.1.https
Two pools: http_pool: 192.168.0.160:http and https_pool: 192.168.0.160:https
I have two SSL profiles, a Client SSL profile and a Server SSL profile.
I imported the customer domain certificate, key and CA certificate.
Here is the Client SSL profile:
cert file: customer cert
key file: customer key file
Chain: customer CA certificate
Trusted Certificate Authorities: customer CA certificate
Client authentication section: Request
On the SSL profile;
cert file: customer cert
key file: customer key file
Chain: customer CA certificate
Note: if I don't enable Trusted Certificate Authorities and Client authentication mode "require", I don't see any error, but the packet does not go to the backend server.
With this configuration I can see the packet go to IIS, but I see an HTTP 403.16 error.
Regarding the iRule; no hits:
when CLIENTSSL_CLIENTCERT {
    # Cache the client certificate against the SSL session ID so later
    # requests on the same session can reuse it (600 second lifetime).
    set cert [SSL::cert 0]
    session add ssl [SSL::sessionid] $cert 600
    # Release any HTTP request that was held while renegotiating.
    HTTP::release
}
when HTTP_REQUEST {
    # Never forward a client-supplied SSL_CLIENT_CERT header; only the LTM may set it.
    HTTP::header remove SSL_CLIENT_CERT
    set client_cert [session lookup ssl [SSL::sessionid]]
    if { $client_cert eq "" } {
        # No certificate cached yet: hold the request and ask the client for one.
        HTTP::collect
        SSL::renegotiate
    } else {
        # X509::whole returns PEM; strip the line breaks so the header value is a single line.
        set whole [string map {"\r" "" "\n" ""} [X509::whole $client_cert]]
        log local0. "Inserting client cert in SSL_CLIENT_CERT $whole"
        HTTP::header insert SSL_CLIENT_CERT $whole
    }
}
19 Replies
- Mandrake
Nimbostratus
Yes, that's right, so how can I achieve the solution without using the global variables? Please excuse me for my shallow knowledge of iRules :-) It's my first encounter with them.
Cheers!
Prashant
- hoolio
Cirrostratus
Hi Prashant,
Basically, to declare a local variable, do so without the :: prefix in the name and not in the RULE_INIT event. Here's a post with details on global versus local variable scope:
http://devcentral.f5.com/Forums/tabid/1082223/asg/50/showtab/groupforums/aff/5/aft/85746/afv/topic/Default.aspx85747
Aaron
- Mandrake
Nimbostratus
Thanks Aaron, I'll check it out.
Cheers!
- borgh_6040
Nimbostratus
Zafer,
Was the issue resolved? We are facing the exact same error on LTM 10.0.1. We have IIS real servers behind the F5, and as soon as we turn SSL offload on the F5 on (with client SSL profile and Server SSL profile), all URIs on the web application where IIS has "client cert based" authentication start throwing the 403.16 error.
With SSL passthrough (no client or Server SSL profile), SSL being handled by the IIS servers, it works perfectly.
If one of the experts could throw some light on this as well, much appreciated.
Thank you,
Arghya
- jose_patricio_4
Nimbostratus
zafer,
How do I resolve this?
- jose_patricio_4
Nimbostratus
I have the same problem.
- hoolio
Cirrostratus
Hi Jose,
If the same client cert/key is working on a browser direct to IIS, then it's most likely the LTM server SSL profile configuration that is the problem. Can you print out the actual serverssl profile using 'b profile serverssl PROFILE_NAME list all' or 'tmsh list ltm profile server-ssl PROFILE_NAME all-properties'?
You can change the names of certs, etc to keep it anonymous.
Also, which LTM version are you testing this on?
Aaron
- Nath
Cirrostratus
Hi Zafer, this is also my issue. Could you please elaborate on your config? In my config I only import the Cert, Key and CA. Do I need to import the domain cert and key and use them in the clientSSL profile?
- Nath
Cirrostratus
Hi all,
I am facing the same issue. May I know how you were able to solve this one?
Thanks.
-Nat