For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Greg_Crosby_319's avatar
Greg_Crosby_319
Historic F5 Account
Sep 05, 2014

If you are not receiving a prompt for certificates then it might be a ca certificate issue on the BIG-IP. One of the questions in the iApp is "Which CA certificate bundle do you want to use for your trusted and advertised certificate authorities?". The certificate selected for this question needs to match the trusted CA that issued the certificates contained in your smartcard, only the client certificates issued by the selected CA will be prompted for a pin.

 

To verify, make sure BIG-IP apm logging is set to debug (note this is pretty verbose, so if you are in production use caution) and run tail -f /var/log/apm during a connection attempt. Look for "Session variable 'session.ssl.cert.exist' set to '1'" which will confirm a cert was never received (as you would suspect since a pin prompt to open smartcard was seen) and a look for a note similar to: Following rule 'fallback' from item 'Start' to item 'On-Demand Cert Auth'

 

Hans_Doerr_1691's avatar
Hans_Doerr_1691
Icon for Nimbostratus rankNimbostratus
Sep 05, 2014
Thank you, Greg. I see in SOL11124 how to enable Debug level logging on the Access Policy log. I'll enable that and then run tail -f /var/log/apm during the connection attempt. Although, we didn't see the PIN prompt for the smart card certificate on the F5; we saw the PIN prompt when we went directly to the WI servers. What we saw on the F5 was the SSL certificate mismatch prompt when we went to the IP address as opposed to the FQDN of the Virtual Server. When we go to the Virtual Server with the FQDN, it goes straight to "page cannot be displayed" in the browser. Your directions will be helpful, however. Thank you & I'll respond with how it goes. Appreciate it-
Related Content