Machine Certificate Check - why does it fail?

Hi,

 

I did not mention it, but all that I have done already. The checker is installed together with the EC and the whole thing has been installed with admin rights.

 

In APM policy machine certificate check action I do have the 'Match subject CN with FQDN' set to YES and even the 'Match Issuer' set to the correct string.

 

I mean, I am pretty sure I managed to configure everything based on the available documentation. My question here was more the direction... if it does not work for whatever reason, what is the way to find out why is it not working?

 

I cannot imagine there is no way to somewhere see the real actual reason of the error, it must be written somewhere.. I just don't know where, couldn't find it yet.

 

Looks like I will have to open a ticket with F5 support.

 

Hi,

 

You can check the log file on the client itself. It will help you to understand the problem.

 

You can also download F5 CTU (Client Troubleshooting Utility) and run it on the client.

 

https://support.f5.com/csp/article/K12444

 

Hi there,

 

Log file from the client I checked already, it's in my original post above. Not really helpful the messages in it.

 

But I can give a try to the CTU, I thought it would produce just the same type of logs as I already have, but I will give it a try and let's see.

 

thx for the tip.

 

Hi,

 

I did not mention it, but all that I have done already. The checker is installed together with the EC and the whole thing has been installed with admin rights.

 

In APM policy machine certificate check action I do have the 'Match subject CN with FQDN' set to YES and even the 'Match Issuer' set to the correct string.

 

I mean, I am pretty sure I managed to configure everything based on the available documentation. My question here was more the direction... if it does not work for whatever reason, what is the way to find out why is it not working?

 

I cannot imagine there is no way to somewhere see the real actual reason of the error, it must be written somewhere.. I just don't know where, couldn't find it yet.

 

Looks like I will have to open a ticket with F5 support.

 

Hi,

 

You can check the log file on the client itself. It will help you to understand the problem.

 

You can also download F5 CTU (Client Troubleshooting Utility) and run it on the client.

 

https://support.f5.com/csp/article/K12444

 

Hi there,

 

Log file from the client I checked already, it's in my original post above. Not really helpful the messages in it.

 

But I can give a try to the CTU, I thought it would produce just the same type of logs as I already have, but I will give it a try and let's see.

 

thx for the tip.

 

Hi CentOne,

 

Yes it works for me now, I had to do a workaround for CRL check.

 

If you are also using a CRL for "Certificate Revocation List (CRL)" within CA profile (Local Traffic > Profiles > SSL > Certificate Authority), then do following:

 

• uncheck "Update CRL" (in Local Traffic > Profiles > SSL > Certificate Authority > your profile)
• set "Certificate Revocation List (CRL)" to "None" (also in your CA profile)

Then go to Access Policy > AAA Servers > CRLDP, and create new profile here (choose timeout values that fit your environment):

 

• Server Connection: No Server
• Cache Timeout: 86400
• Use Issuer: unchecked
• Allow Null CRL: unchecked
• Verify Signature: Enabled
• Connection Timeout: 15 seconds
• Update Interval: 0 seconds

Then go to your APM's policy and under the action "Machine Cert Checker" configure following:

 

• Certificate Store Name: MY
• Certificate Store Location: LocalMachine
• CA Profile: your CA profile discussed above
• Save Certificate in a session variable: Enabled
• Allow User Account Control right elevation prompts: Yes
• Match subject CN with FQDN: Yes
• Match Issuer: the CN of your issuing CA

Right after this action insert "Variable Assign" action to policy and assign two variables:

 

• session.ssl.cert.whole = (Session Variable) session.check_machinecert.last.cert.cert
• session.ssl.cert.certissuer = (Session Variable) session.check_machinecert.last.cert.issuer.cert

Right after this action insert "CRLDP Auth Agent" action to policy:

 

• CRLDP Server: choose the one you created under Access Policy > AAA Servers > CRLDP

And that's it, works for me.

 

FYI, about the CRLDP workaround I learned from Kevin's post here: https://devcentral.f5.com/questions/machine-certificate-revocation-checksanswer160001

 

Let me know if you are also successful with this configuration.

 

Hi Martin Vlasko,

 

Many thanks for your return. Could you please confirm me the extension of the certificates used on the Machine ? on the CA Profile on the APM ?

 

I have used : Regarding the issuer: CN=pki,DC=demo,DC=lab,DC=net <> pki.demo.lab.net certificate client side with .pxf certificate APM side with .crt

 

the cert machine auth still failed

 

Hi there,

 

I think the extension does not matter anymore, once you import the certificate in to the cert store.

 

On F5 I always work with PEM format.

 

But maybe one more hint, in LTM SSL client side profile for this VS, the whole section "Client Authentication" is NOT enabled, because it is handled by APM.

 

And perhaps try to make it work first without the CRL check, just to make sure the authentication works.. then you can add the config for CRL checking - in case you need it.