Forum Discussion
LTM 11.3 with APM: smart card authentication not working
If you are not receiving a prompt for certificates, then it might be a CA certificate issue on the BIG-IP. One of the questions in the iApp is "Which CA certificate bundle do you want to use for your trusted and advertised certificate authorities?". The certificate selected for this question needs to match the trusted CA that issued the certificates contained in your smartcard; only the client certificates issued by the selected CA will be prompted for a PIN.
To verify, make sure BIG-IP APM logging is set to debug (note this is pretty verbose, so if you are in production use caution) and run tail -f /var/log/apm during a connection attempt. Look for "Session variable 'session.ssl.cert.exist' set to '1'", which will confirm a cert was never received (as you would suspect, since a PIN prompt to open the smartcard was seen), and look for a note similar to: Following rule 'fallback' from item 'Start' to item 'On-Demand Cert Auth'
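A small triage helper for the log check described above. This is an added example, not code from the thread or from F5: it reads an excerpt of /var/log/apm (the sample lines below are constructed, and their prefix only approximates the real log format) and reports which of the two markers appeared. It assumes that 'session.ssl.cert.exist' is set to '1' when the client presented a certificate and '0' when it did not, and it can optionally restrict the search to lines containing a given session ID, since the APM log is shared across all sessions.

```shell
#!/bin/sh
# Added example (not from the thread, not F5 code): classify an APM debug-log
# excerpt by the markers discussed in the post.
#
# apm_cert_triage LOGFILE [SESSION_ID]
#   prints one of:
#     cert-received  session.ssl.cert.exist was set to '1' (assumed: cert presented)
#     no-cert        session.ssl.cert.exist was set to '0' (assumed: no cert presented)
#     fallback       no cert.exist marker, but the policy followed 'fallback' out of Start
#     unknown        neither marker found for that session
apm_cert_triage() {
    logfile="$1"
    session="${2:-}"
    # When a session ID is given, look only at that session's lines.
    if [ -n "$session" ]; then
        lines=$(grep -F -- "$session" "$logfile")
    else
        lines=$(cat "$logfile")
    fi
    if printf '%s\n' "$lines" | grep -q "Session variable 'session.ssl.cert.exist' set to '1'"; then
        echo cert-received
    elif printf '%s\n' "$lines" | grep -q "Session variable 'session.ssl.cert.exist' set to '0'"; then
        echo no-cert
    elif printf '%s\n' "$lines" | grep -q "Following rule 'fallback' from item 'Start'"; then
        echo fallback
    else
        echo unknown
    fi
}

# Constructed sample: two sessions, one that presented a cert and one that did not.
SAMPLE_LOG="${TMPDIR:-/tmp}/apm_sample_$$.log"
cat > "$SAMPLE_LOG" <<'EOF'
notice apd: sess-aaaa: Session variable 'session.ssl.cert.exist' set to '1'
notice apd: sess-aaaa: Following rule 'Successful' from item 'On-Demand Cert Auth' to ending 'Allow'
notice apd: sess-bbbb: Following rule 'fallback' from item 'Start' to item 'On-Demand Cert Auth'
notice apd: sess-bbbb: Session variable 'session.ssl.cert.exist' set to '0'
EOF

echo "sess-aaaa: $(apm_cert_triage "$SAMPLE_LOG" sess-aaaa)"   # cert-received
echo "sess-bbbb: $(apm_cert_triage "$SAMPLE_LOG" sess-bbbb)"   # no-cert
rm -f "$SAMPLE_LOG"
```

Run it against a copy of the log taken while a single test connection is made; filtering by session ID keeps unrelated sessions from producing a false "cert-received".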
- Hans_Doerr_1691 Sep 05, 2014
Nimbostratus
Thank you, Greg. I see in SOL11124 how to enable Debug level logging on the Access Policy log. I'll enable that and then run tail -f /var/log/apm during the connection attempt. Although, we didn't see the PIN prompt for the smart card certificate on the F5; we saw the PIN prompt when we went directly to the WI servers. What we saw on the F5 was the SSL certificate mismatch prompt when we went to the IP address as opposed to the FQDN of the Virtual Server. When we go to the Virtual Server with the FQDN, it goes straight to "page cannot be displayed" in the browser. Your directions will be helpful, however. Thank you & I'll respond with how it goes. Appreciate it.
- Greg_Crosby_319 Sep 05, 2014
Historic F5 Account
A good test to confirm the CA certificate as the issue is to disable "Trusted Certificate Authorities" and "Advertised Certificate Authorities" within the iApp-created client SSL profile. You will have to disable strictness on the iApp in order to modify the client SSL profile (select the iApp you created, click the "Properties" tab, set Application Service to "Advanced", and uncheck "Strict Updates"). If you receive a PIN prompt after modifying the client SSL profile, then the certificate being used to verify the trusted CA is not matching the certificate's CA within the smartcard being tested.
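Before disabling the trusted and advertised CA lists on the profile, the mismatch that both of Greg's posts point at can be checked directly: does the CA bundle selected in the iApp actually chain to the certificate on the smart card? The following is an added example, not code from the thread or from F5. It uses openssl to build a throwaway demo PKI (two unrelated CAs and one user certificate issued by the first, all generated locally and constructed for the example), then verifies the user certificate against each bundle the way the BIG-IP would during client-cert authentication. In practice you would point smartcard_ca_matches at the bundle file uploaded to the BIG-IP and at the certificate exported from the smart card.

```shell
#!/bin/sh
# Added example (not from the thread, not F5 code): does a CA bundle issue a
# given client certificate? Requires the openssl command-line tool.

# make_demo_pki DIR: create CA A, an unrelated CA B, and a user cert issued by CA A.
# Everything here is throwaway test material generated on the spot.
make_demo_pki() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Smartcard CA" \
        -keyout "$dir/ca-a.key" -out "$dir/ca-a.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$dir/ca-b.key" -out "$dir/ca-b.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo.user" \
        -keyout "$dir/user.key" -out "$dir/user.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -set_serial 1 -in "$dir/user.csr" \
        -CA "$dir/ca-a.pem" -CAkey "$dir/ca-a.key" -out "$dir/user.pem" >/dev/null 2>&1
}

# smartcard_ca_matches BUNDLE.pem CLIENT.pem: prints "match" if the client cert
# chains to a CA in the bundle, otherwise "mismatch".
smartcard_ca_matches() {
    bundle="$1"
    client="$2"
    if openssl verify -CAfile "$bundle" "$client" >/dev/null 2>&1; then
        echo match
    else
        echo mismatch
    fi
}

# issuer_of CLIENT.pem: prints the issuer DN, handy for comparing with the
# subjects in the bundle when the result is "mismatch".
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

if command -v openssl >/dev/null 2>&1; then
    D="${TMPDIR:-/tmp}/apm_pki_$$"
    make_demo_pki "$D"
    echo "user cert issuer: $(issuer_of "$D/user.pem")"
    echo "against CA A bundle: $(smartcard_ca_matches "$D/ca-a.pem" "$D/user.pem")"   # match
    echo "against CA B bundle: $(smartcard_ca_matches "$D/ca-b.pem" "$D/user.pem")"   # mismatch
    rm -rf "$D"
fi
```

A "mismatch" against the bundle you selected in the iApp, together with a "match" against the CA you expected, means the PIN prompt is suppressed because the BIG-IP never advertises that issuer to the browser; fixing the bundle is the remedy, rather than leaving the trusted and advertised CA lists disabled.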