Forum Discussion
becky_76258
Nimbostratus
Client Certs and SSL offload on LTM
Mar 31, 2010
Hi,
My client is currently running their website on a single server. The https home page uses a domain SSL cert installed on the server. Website users then also download a client certificate to gain access to certain areas of the site. They use Microsoft Client Services to issue the certificate and configure IIS to require the cert to gain access.
As the client is moving to a dual server set up they want to introduce load balancing and want to terminate ssl on the LTM but to continue to use client certs to restrict access in IIS. Does anyone know if this is possible and what configuration we would need to implement on the F5?
4 Replies
- hoolio
Cirrostratus
Hi Becky,
You can have LTM request a client cert for all requests to a VIP, or selectively based on the requested URI. LTM can establish an SSL connection with the pool members. However, LTM cannot use the client's cert to establish a connection with the server as LTM doesn't have the client's SSL key. What many people do is insert details about the client cert or the entire cert in an HTTP header. The server would need to then parse the cert details and validate that instead of the actual SSL cert.
To require a client cert for all requests to a VIP, you can use a client SSL profile and set the client cert mode to require. You'll need to import the issuing CA's cert and configure it as the trusted and advertised CA cert.
To request a client cert for some requests, you can use a client SSL profile and set the client cert mode to ignore. You can then dynamically request a client cert based on the requested URI. There are three related examples in the Codeshare. None exactly request a client cert based on URI, add the cert or cert details to the session table and then look up the cert on resumed SSL sessions, so you would need to adapt these to your requirements.
Uses the session table to store the cert details, but doesn't selectively request a client cert based on URI
http://devcentral.f5.com/wiki/default.aspx/iRules/InsertCertInServerHeaders.html
Requests a client cert based on the requested URI, but doesn't use the session table to store the cert or cert details
http://devcentral.f5.com/wiki/default.aspx/iRules/RequestClientCertificateAndPassToApplication.html
Requests a client cert based on the requested URI and uses the session table, but has a lot of extra code which is used to check the client cert against an OCSP server.
http://devcentral.f5.com/wiki/default.aspx/iRules/client_cert_request_by_uri_with_ocsp_checking.html
Aaron
- becky_76258
Nimbostratus
Hi Aaron,
Thanks for the response. I am quite new to iRules and having trouble picking out the bits I need to do the job. It seems the app developers are happy to offload all of the SSL functionality onto the load balancer, so I won't necessarily need to pass the client certificate information to the web server. So what I would like to achieve is:
Use a class map to specify URIs which require a client cert.
Check if client cert is present and that it is valid.
If there is no valid client cert, send back an HTTP 403.7 error to advise the user that a certificate is required.
If a client cert exists and is valid, allow access to the application.
I am sure this is quite simple to achieve; any help would be greatly appreciated.
Many thanks,
Becky
- becky_76258
Nimbostratus
Hi Aaron,
We are running BIG-IP Version 9.4.6
Thanks again,
Becky
- hoolio
Cirrostratus
Great. If you can upgrade to 9.4.8 and install HF3, I can provide you with a modified version of the OCSP codeshare example I linked to above. It'll take me a few days to do this though.
Aaron
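The pattern Aaron describes (client SSL profile in ignore mode, a cert requested on demand by URI, the verdict cached in the session table) applied to Becky's four requirements, as an added iRule example that is not from this thread, the Codeshare, or F5. It assumes BIG-IP 9.4.x class syntax, a hypothetical string class named secure_uris holding the protected URI prefixes, the issuing CA configured as the trusted CA on the profile, and that HTTP::respond is accepted in CLIENTSSL_HANDSHAKE once the request has been collected (verify this on the target version).

```tcl
# Added example: request a client cert only for URIs in a class, cache the
# verdict per SSL session, answer 403 (IIS-style 403.7 body) otherwise.
# Assumes 9.4.x syntax ($::class with matchclass), a client SSL profile with
# Client Certificate mode "ignore" plus the issuing CA as trusted CA, and a
# hypothetical string class secure_uris (e.g. /members/ and /admin/).
when CLIENT_ACCEPTED {
    set need_cert 0
    set cert_ok 0
}
when HTTP_REQUEST {
    if { not [matchclass [string tolower [HTTP::uri]] starts_with $::secure_uris] } {
        # Public URI: no client certificate needed
        return
    }
    # A valid cert already seen on this SSL session is still good
    if { [session lookup ssl [SSL::sessionid]] equals "valid" } {
        return
    }
    if { $need_cert == 0 } {
        # First protected request on this connection: hold the request,
        # switch the profile to request a cert and renegotiate
        set need_cert 1
        HTTP::collect
        SSL::cert mode request
        SSL::renegotiate
        return
    }
    # Renegotiation already ran on this connection without a valid cert
    HTTP::respond 403 content "403.7 Forbidden: SSL client certificate required" "Content-Type" "text/plain"
}
when CLIENTSSL_CLIENTCERT {
    # verify_result is 0 only when the cert chains to the configured CA
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        set cert_ok 1
        session add ssl [SSL::sessionid] "valid" 3600
    }
}
when CLIENTSSL_HANDSHAKE {
    if { $need_cert == 1 } {
        if { $cert_ok == 1 } {
            # Release the held request to the pool member
            HTTP::release
        } else {
            # Assumption: HTTP::respond is usable here because the request
            # was collected in HTTP_REQUEST
            HTTP::respond 403 content "403.7 Forbidden: SSL client certificate required" "Content-Type" "text/plain"
        }
    }
}
```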