Forum Discussion

maintenance_ssi's avatar
maintenance_ssi
Icon for Nimbostratus rankNimbostratus
Sep 18, 2018

F5, HTTPD and Mod_jk and Tomcat full HTTPS

Hi,   I have the following architecture :   Client => F5 => HTTPD => Mod_jk => Tomcat 8 IE : HTTPS -> HTTPS-> HTTPS -> AJP/13 -> AJP/13/SSL Connector   My application asks to the browser cli...
BIG-IP
Big-IP iRules
client ssl profile
devops
LTM
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Sep 18, 2018

I'm thinking java.security.cert.X509Certificate would only get populated if httpd was actually consuming the client certificate. There are probably a few options here:

 

  • Configure the new mode_jk/tomcat services to consume the certificate as an HTTP header. This was likely done by base64-encoding the client's certificate in PEM form and simply passing as a header.

     

  • Use APM to do the client side certificate auth, then do Kerberos on the server side.

     

  • Use the Client Certificate Constrained Delegation (C3D) function, available in 13.1, to forge a client certificate to the server. In this approach, the F5 consumes and validates the client certificate, and then a local CA cert/key re-issues a client certificate to the backend server, copying all of the necessary attributes from the original client cert. The server just needs to trust the local CA. This also allows you to explicitly decrypt and re-encrypt the traffic at the F5. Ref: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-13-1-0/4.html