Forward client certificate info to applications

Question

We have a custom .NET application from a third party that uses client certificate information to authenticate users.&nbsp;
The application runs on a single web server at the moment and handles the SSL processing by itself. 
&nbsp;(basically a port forward in the firewall of port 443 to the server)

I would like to load balance the application om multiple servers and do SSL termination in the big-ip.
&nbsp;
I have used up all means to make the developer support reading cert info from anything other than the ”built in objects in .NET”.
&nbsp;
Is there any tools from F5 or third party products that would let me forward the client certificate information from the big-ip down to the web server and into the application?&nbsp;
Basically something that can get the forwarded cert info from the big-ip and place it into the internals of the server so that the application can read it.
&nbsp;
Perhaps it needs to be an ISAPI-filter / IIS module, or a service running on the servers?&nbsp;&nbsp;&nbsp;/Andreas&nbsp;&nbsp;&nbsp;

nitass · Answer

have you seen this one? 
&nbsp;  
&nbsp; Request Client Certificate And Pass To Application by alankila 
&nbsp; http://devcentral.f5.com/wiki/iRules.RequestClientCertificateAndPassToApplication.ashx 
&nbsp;  
&nbsp; can your developer read client certificate info from the header?

andos · Answer

Thanks for the reply. 
&nbsp;  
&nbsp; Yes, I've looked at passing the certificate info in headers. 
&nbsp; Unfortunately the company making the application won't support reading the certificate from anything other than what they call ".NET built in objects". 
&nbsp; To put the question another way; If the application can't read cert info from headers, is there any way to get the info into the application? Maybe with a third party module/component? 
&nbsp; May not be F5 products, but perhaps someone know of any other products for this? 
&nbsp;  
&nbsp; I have been searching around for a solutions for a couple of days now, but not had much luck. &nbsp;

hoolio · Answer

It's possible there is a serverside plugin you could use for this.  But I'm not aware of one.   
&nbsp;  
&nbsp; In v11, there is a new feature called Proxy SSL which you can use for this type of scenario where you need to pass the original client cert onto the pool.  Basically, you import the server cert/key(s) to LTM.  LTM will allow the client and selected pool member to negotiate an SSL handshake directly.  LTM watches to see what server cert the pool member uses.  It then intercepts subsequent communication and decrypts the SSL allowing you to inspect/modify with the unencrypted content.  This includes adding an HTTP profile to the virtual server.  I couldn't find much public documentation on this, but you could open a case with F5 Support to request more details and a documentation update. 
&nbsp;  
&nbsp; Aaron

andos · Answer

Thanks for the info! 
&nbsp;  
&nbsp; I'll look into Proxy SSL 
&nbsp;  
&nbsp; /Andreas

cyril_m · Answer

here is documentation on Proxy SSL feature: http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html&nbsp;

Forum Discussion

Forward client certificate info to applications

5 Replies

How I did it - "High-Performance S3 Load Balancing of Dell ObjectScale with F5 BIG-IP"

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

F5 doesn't signatures for cve

Corn Job script to automate backup and export F5OS

irule to block a non valid url

SSL Certificate

irule for redirect and header injection

Related Content

Introducing the F5 Application Study Tool (AST)

Automating Certificate Management on F5 BIG-IP

Application Study Tool: Make Grafana Listen on HTTPS

Automating ACMEv2 Certificate Management on BIG-IP

Modern Applications-Demystifying Ingress solutions flavors

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS