Forum Discussion
D_Miller_25373
Nimbostratus
Nov 10, 2011
Government PIV Card Integration
As I understand the PIV card, it basically holds a PKI Client Certificate.
We need to alert the client browser to, if it has a PIV card client certificate available, send the certificate.
We need to (either on the LTM or within the web application) process the certificate:
- make sure it is current
- make sure it is not revoked
- make sure it is valid (i.e. signed by the appropriate CA).
Then insert either the certificate signature and/or other data elements within the certificate into the HTML header so that the web application can use it to locate the user within the application identity database.
Anyone work with PIV cards? Does this approach sound valid? Any existing iRules available to accomplish all of this?
2 Replies
- jwham20
Nimbostratus
D,
Hmmm, this is an interesting topic, love working with different auth mechanisms. So I think you've got it on the nose as to what's on the PIV, more details (than we could ever want to know) at:
http://csrc.nist.gov/publications/nistpubs/800-73-3/sp800-73-3_PART1_piv-card-applic-namespace-date-model-rep.pdf
section 3
section 3.1.3 - States that the card holds the Cert and the private key for that certificate (with a pin required)
So, with that said, it boils down to basic client authentication of a certificate, then we add the complication of having to add other data elements into headers.
Client auth:
Overview of client auth prof:
http://support.f5.com/kb/en-us/solutions/public/10000/100/sol10167.html?sr=17972137
Configuring an OCSP or CRLDP certificate checker:
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_1/ltm_auth_profiles.html?sr=179721371192202
In a nutshell, you configure a client auth profile that has client authentication turned on.
Now, as for adding the data headers... that's an interesting one... How is the data you want to add presented in the packet? Is it a referenceable field in the SSL handshake, or does it just come across as bytes in the payload?
If it's referenceable, there is a chance that we could pull it with an easy iRule and insert a header into the stream (once inserted, it should persist, right?).
If it's not, then we might have to do a binary scan for the location and use that to pull the information for the headers.
Hope this made some sense and isn't completely confusing,
Josh,
- jwham20
Nimbostratus
D,
Aha! Knew there had to be more options:
Using the X509 command in the iRule, we can interrogate the client cert and push forward the data in a header:
http://devcentral.f5.com/wiki/iRules.X509.ashx
And it looks like someone has also built an extensive iRule doing a binary scan:
http://devcentral.f5.com/wiki/iRules.Extended_X509_Certificate_Parsing.ashx
Hope this helps a bit!
Josh
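Putting the two replies together, here is an added example iRule (written for this thread, not code from the original posts, from F5, or from the linked wiki pages) that covers the original poster's checklist and the X509 approach Josh suggests. It assumes the virtual server has a client SSL profile with client authentication turned on, the PIV issuing CA bundle as the trusted CA, and an OCSP or CRLDP checker attached, so the LTM performs the signature, expiry and revocation checks before `CLIENTSSL_CLIENTCERT` fires; the rule then only confirms the result and copies certificate fields into request headers. The `X-PIV-*` header names are assumptions chosen for this example.

```tcl
# Added example (not from the thread or F5). Assumes a client SSL profile with
# client auth enabled, a trusted PIV CA bundle, and an OCSP/CRLDP checker on the
# profile. Header names below are assumptions for illustration.

when CLIENTSSL_CLIENTCERT {
    # No certificate, or one that failed the profile's checks (signature, dates,
    # revocation): drop the connection. A verify result of 0 is X509_V_OK.
    if { [SSL::cert count] < 1 || [SSL::verify_result] != 0 } {
        log local0. "PIV auth failed from [IP::client_addr]: [X509::verify_cert_error_string [SSL::verify_result]]"
        reject
        return
    }
    set cert [SSL::cert 0]
    # Variables are connection-scoped, so these are still available when
    # HTTP_REQUEST fires on the same TCP connection.
    set piv_subject [X509::subject $cert]
    set piv_issuer  [X509::issuer $cert]
    set piv_serial  [X509::serial_number $cert]
    set piv_expiry  [X509::not_valid_after $cert]
}

when HTTP_REQUEST {
    # The application will trust these headers, so strip any copies the client
    # sent before inserting our own; otherwise a supplied header could be
    # mistaken for a verified identity.
    foreach h {X-PIV-Subject X-PIV-Issuer X-PIV-Serial X-PIV-NotAfter} {
        HTTP::header remove $h
    }
    if { [info exists piv_subject] } {
        HTTP::header insert X-PIV-Subject  $piv_subject
        HTTP::header insert X-PIV-Issuer   $piv_issuer
        HTTP::header insert X-PIV-Serial   $piv_serial
        HTTP::header insert X-PIV-NotAfter $piv_expiry
    } else {
        # No verified certificate on this connection: refuse the request rather
        # than pass it to the application without an identity.
        HTTP::respond 403 content "Client certificate required"
    }
}
```

The application then keys its identity lookup on the issuer plus serial number (or the subject DN) rather than on anything the user typed. The header-removal step matters whichever fields you choose: the value is only meaningful because the LTM inserted it after verification, so the LTM must be the only party that can set it on the way in.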