For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

gym1's avatar
gym1
Icon for Nimbostratus rankNimbostratus
Apr 29, 2024

(How) can I get two client certificates in one APM session?

I have a customer with iPads that need to authenticate to APM with a user certificate. This has been working fine, but there is also now need to read a field from a per-device certificate on each iPa...
BIG-IP Access Policy Manager (APM)
cert auth
clientssl
gym1's avatar
gym1
Icon for Nimbostratus rankNimbostratus
Apr 30, 2024

Thanks for the suggestion. I guess I should have mentioned that I had considered the device certificate policy item as a possibility, but it is only supported on Windows and Mac, whereas the clients here are iPads. It requires knowledge of the certificate store name, which is hidden from me, and as that reference says, need the Edge client. I'm trying to avoid the use of Edge, because these devices are already using a VPN client from another vendor. We know from experience that the two conflict.

So I have an unusual set of conditions.

I'm now considering use of an external logon page hosted on another virtual on the F5 (as an iRule I hope), That would have a client SSL profile that captures the other client certificate, then parses it for the field I need, and somehow returns that to the original policy. Then somehow I hope to parse that response and use that field value.

I say "somehow" because frankly the external logon page feature does not seem well documented. It's not at all clear what the policy expects to receive back from the external logon page, nor how the response can be used.