Forum Discussion
Client SSL Authentication - AWS API Gateway
- Feb 20, 2017
Turns out I mainly just fat fingered the actual SSL configuration, and AWS API Gateway doesn't provide a nice error when it simply can't validate the initial chain applied to a virtual server. Overall, this worked as expected. Import the client certificate created on AWS into the F5, use it to be the "Trusted Certificate authority" for Client authentication on the SSL profile, and voila. Future enhancements on AWS would make this simpler, but for now it does work.
Hi Ted,
Could you let me know detailed steps on accomplishing this as I am also trying to do mutual authentication with AWS API gateway.
Thanks, Tanuj.
Tanuj,
It's actually not too hard! What we did was the following:
1) We generated a Client Certificate (an option within API Gateway administration).
2) I imported this certificate into our F5.
3) Then I created an external endpoint on our F5.
4) I then created an SSL client-profile that had the certificate key chain defined that supported the endpoint created above (in our case it was a wildcard certificate). But also within that profile I defined a few settings in the "Client Authentication" block of the SSL profile as follows:
   a) Client Certificate: require
   b) Frequency: once
   c) Trusted Certificate Authorities:
5) Once that was done, I assigned this profile to the F5 endpoint. It now functions, but only if you use client authentication that matches the certificate we applied.
6) Finally, in API Gateway you go to one of your APIs, select Stage, then select the root, and in the Settings tab of the stage, you scroll down and can select the Client Certificate to use for that API.
So long as your API resources are configured to talk to your F5 endpoint created above, and your Client Certificate is set up on both the SSL profile + Stage, you should be good to go!
Good luck!
Ted
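The steps Ted lists above, expressed as the equivalent BIG-IP tmsh commands. This is an added example, not configuration from the original post or from F5; object names, the wildcard cert/key objects, the /var/tmp path, the virtual server address and the pool name are assumptions. The one thing that is not an assumption is the shape of the trust relationship: the certificate API Gateway generates is self-signed and AWS keeps its private key, so the F5 imports only the public certificate and uses that same certificate as the "Trusted Certificate Authority" for client authentication.

```tmsh
# Run on the BIG-IP, from the tmsh prompt (or prefix each line with "tmsh" from bash).
# All names and paths below are assumptions for this example.

# Step 2: import the client certificate downloaded from API Gateway
# (Client Certificates -> Generate, then copy the PEM to /var/tmp on the BIG-IP).
# Only the certificate is imported; AWS never hands out the private key.
install sys crypto cert apigw-client from-local-file /var/tmp/apigw-client.pem

# Step 4: client-SSL profile. The cert-key-chain is the F5 endpoint's own
# (wildcard) server certificate, which API Gateway must be able to validate
# through a public CA. The remaining three settings are the "Client
# Authentication" block from the post:
#   Client Certificate: require   -> peer-cert-mode require
#   Frequency: once               -> authenticate once
#   Trusted Certificate Authorities -> ca-file <imported API Gateway cert>
create ltm profile client-ssl apigw_mtls_clientssl \
    defaults-from clientssl \
    cert-key-chain add { wildcard { cert wildcard_example_com.crt key wildcard_example_com.key chain wildcard_example_com_chain.crt } } \
    peer-cert-mode require \
    authenticate once \
    ca-file apigw-client.crt

# Steps 3 and 5: the external endpoint with the profile attached on the
# client side. Only a peer presenting the API Gateway certificate completes
# the TLS handshake; everything else is rejected before any HTTP is seen.
create ltm virtual vs_apigw_backend \
    destination 203.0.113.10:443 \
    ip-protocol tcp \
    profiles add { tcp http apigw_mtls_clientssl { context clientside } } \
    pool pool_backend_api

save sys config
```

To confirm the "require" setting took effect, connect from any host without a client certificate (for example `openssl s_client -connect 203.0.113.10:443`); the handshake should fail rather than return an HTTP response. The positive test can only be run from API Gateway itself, by invoking the stage that has the client certificate selected (step 6) and watching the backend pool receive the request, because no one outside AWS holds the key that matches the certificate. Two caveats worth planning for: the certificate API Gateway generates has a fixed one-year validity, so a new one must be generated and re-imported (and the `ca-file` and stage setting updated) before it expires, and because the trusted CA is the leaf certificate itself, a replacement certificate is a new trust anchor, not a renewal under the old one.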