Forum Discussion
Vladimir_Budilo
Nimbostratus
Feb 09, 2010
F5 Webservice Mutual Authentication Functionality
I have created an application that utilizes the F5's webservice to query and manipulate the GTM setup (enabling/disabling a pool-member, etc).
During a security review at my company, a question was raised: Can F5 provide mutual authentication (so that F5 knows that the client is valid)? But this is only required for the webservice, and not the GUI. Is this possible? If so, how?
Thanks!
Vladimir
5 Replies
- hoolio
Cirrostratus
Hi Vladimir,
One option that may/may not work:
An LTM VIP can request or require a client cert for the clientside connection. LTM can also provide a client cert for the serverside connection. You can search on AskF5.com for clientssl profile or serverssl profile for details. There are a few solutions on this as well as manual chapters in the LTM config guide. You could use an iRule to select 127.0.0.1:80 as the node (when CLIENT_ACCEPTED { node 127.0.0.1 80}).
The iRule should work around a limitation of not being allowed to define a pool member on the loopback interface:
BIGpipe pool member creation error:
01020061:3: IP Address 127.0.0.1 is invalid, loopback not allowed.
Aaron
- hoolio
Cirrostratus
I wonder what security you gain by restricting iControl calls with a client cert if the admin GUI doesn't require a client cert. If an attacker was able to get to a host which can run the iControl app, couldn't they also just log into the GUI from that same host?
I think the VIP and iRule approach would only work if you have a GTM/LTM combo unit as you can't define standard LTM VIPs/iRules for load balancing on a GTM-only unit.
The iControl API is handled on the same httpd instance as the admin GUI. If you have GTM-only units, I wonder if you could modify the httpd.conf to listen on a separate port and use a separate virtual host which requires a client cert.
This is the default vhost for iControl from a 9.4.8 unit:

from: /etc/httpd/conf/httpd.conf
Section 3: Virtual Hosts
VirtualHost:
LoadModule jk2_module modules/mod_jk2.so
LoadModule fastcgi_module /usr/lib/httpd/modules/mod_fastcgi.so
AddHandler fastcgi-script .fcgi
FastCgiIpcDir /var/run/fcgi
FastCgiServer /usr/local/www/iControl/iControlPortal.cgi -processes 1 -socket iControlPortal -idle-timeout 300
SetHandler fastcgi-script
FastCgiServer /usr/local/www/emupdate/getfile
SetHandler fastcgi-script
FastCgiServer /usr/local/www/emupdate/subscription
SetHandler fastcgi-script

from: /etc/httpd/conf.d/ssl.conf
Client Authentication (Type): Client certificate verification type and depth. Types are none, optional, require and optional_no_ca. Depth is a number which specifies how deeply to verify the certificate issuer chain before deciding the certificate is not valid.
SSLVerifyClient require
SSLVerifyDepth 10
In 9.4.2+ you'd want to make the changes to the httpd.conf through the bigip_sys.conf following the steps outlined in this article on customizing the syslog config.
LTM 9.4.2+: Custom Syslog Configuration
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=155
Aaron
- Vladimir_Budilo
Nimbostratus
Aaron, thanks for the reply!
Here is the situation... in production, we require RSA authentication for most of the GUI users. What I did was to create a user that requires local authentication (since RSA can't be integrated into my application -- the one that makes the calls to the F5 webservice). Now, since the app isn't using RSA, I'm thinking of ways of adding additional authentication to satisfy the security team.
Is there a way to add the mutual authentication on a particular user, rather than the whole F5 interface?
Again, my application uses BOB01 (for example) as the userid to connect to F5's Webservice. All I'm doing now, within my code, is pass in the authentication parameters and I get authenticated. All of the other users in Production have RSA authentication.
Thanks again,
Vladimir
- hoolio
Cirrostratus
Hrm... that makes more sense. I didn't actually realize you could have a locally authenticated user account while using remote auth for others. The latest version I checked with was 10.0.1 and it still didn't seem possible.
You might try posting in the iControl forum or open a case with F5 Support. I'm not sure whether there is something clever you could do that would only affect the iControl requests.
Aaron
- Hamish
Cirrocumulus
Hmm... Last time I tried to get some users locally authenticated and some remotely, I discovered that the PAM files you have to update to do it get re-created whenever you do a sync... which then overwrites your changes.
What method did you use to set one user (Besides root and admin) to local auth?
H
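As an added example (not from any poster in this thread and not an F5-supplied configuration) of Aaron's second suggestion above: a separate httpd vhost on its own port that requires a client certificate for iControl while leaving the admin GUI vhost on 443 unchanged. Apache 2.2-era syntax is assumed, as are the port, ServerName and certificate paths; the thread notes that on 9.4.2+ such httpd changes should be applied through bigip_sys.conf rather than by editing httpd.conf directly.

```apache
# Illustrative only: second HTTPS listener for iControl with mandatory
# client-certificate authentication. The GUI vhost keeps SSLVerifyClient none.
# Port, ServerName, CA file and certificate paths below are assumptions.
Listen 8443

<VirtualHost _default_:8443>
    # assumption
    ServerName bigip.example.internal

    SSLEngine on
    # assumed paths for the unit's own server certificate and key
    SSLCertificateFile    /config/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /config/httpd/conf/ssl.key/server.key

    # Mutual authentication: the client must present a certificate chaining to
    # this CA, otherwise the TLS handshake fails before any HTTP is processed.
    SSLCACertificateFile /config/ssl/ssl.crt/icontrol-clients-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Expose nothing but the iControl portal on this listener.
    <Location />
        Order deny,allow
        Deny from all
    </Location>

    <Location /iControl/>
        Order allow,deny
        Allow from all
        # same FastCGI handler the global FastCgiServer line already registers
        SetHandler fastcgi-script
        # Optional second gate: accept only the application's own certificate
        # (CN "BOB01", as in the thread), not every certificate the CA issued.
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq "BOB01"
    </Location>
</VirtualHost>
```

A quick check from the application host: an `openssl s_client -connect <bigip>:8443` session without -cert/-key should fail the handshake, while one presenting the application's certificate should complete it.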