Forum Discussion
Using an iRule for a proxy pac file
kristine_v In CLI TMSH you can try restarting the mcpd service on the device that is generating the log in question.
restart /sys service mcpd
- Cory_50405 Jun 18, 2014
Noctilucent
Is the certificate needed on the backend server for authentication? If so, then you could enable proxy SSL within the client and server SSL profiles assigned to your virtual server. This will enable the client certificate to be passed along to the web server. Since you mention this is two-way SSL, I suspect the server is still doing the authentication piece.
http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html
- Sebas_82058 Jun 18, 2014
Nimbostratus
No, the backend doesn't even need to know about this. We just need the load balancer to validate connections are coming only from the sources we trust.
It's similar to this, however, the CA piece is the one I am having problems with:
https://devcentral.f5.com/questions/2-way-ssl-implementation-25325
- Sebas_82058 Jun 19, 2014
Nimbostratus
I finally implemented this via an iRule that will do the work. Not the most beautiful solution, but it serves the purpose given the limitations on the client side.
- Muqeem_Baig Dec 10, 2014
Nimbostratus
Dear Sebas, can you please share the iRule...
- Neeraj_Jags_152 Nov 05, 2014
Cirrus
I need help
- Neeraj_Jags_152 Nov 05, 2014
Cirrus
I configured two-way auth on F5 LB LTM ver 11.x as below: client-side SSL is configured; server-side SSL is configured with key & cert, and the same key and cert exist on the pool member server.
Only server-side SSL auth is working, but client auth is not working. Take it this way: the client shared an OpenSSL self-signed certificate, let's say client_cert.cer. I have imported client_cert.cer into the F5. Then, when configuring the SSL Client Profile, I selected client_cert.cer in the drop-down box of Trusted Certificate Authorities. Is this configuration TRUE, or will I need a different CA certificate from the client?
- > I read, somewhere, that we can just set the mode to request and then add an iRule to validate the certificate. Is that possible?
Yes, I think so. For the Trusted Certificate Authorities setting, you can leave it as none.
Client Certificate CN Checking (the second example)
https://clouddocs.f5.com/api/irules/ClientCertificateCNChecking.html
> When I configuring the SSL Client Profile, I selected the client_cert.cer in drop down box of Trusted Certificate Authorities :-- .. is this configuration TRUE
I think it could work too, but I think the codeshare is more flexible.
Hope this helps.
- Neeraj_Jags_152 Nov 09, 2014
Cirrus
Hi Nitass, Thanks for the same.
Let me explain again. Generally a certificate is signed by a CA like Verisign, etc. In that case, do we need to install the CA (Verisign) certificate on the F5 LB, or do we only need the certificate which is signed by Verisign? Because the Client SSL profile requires a field like "Trusted Certificate Authorities", which means it should be the Verisign certificate?