Forum Discussion
Machine Certificate Check - why does it fail?
Hi Martin Vlasko,
Any update regarding this issue? I have the same result using Machine Cert Auth: the evaluation of the APM profile fails and points directly to 'fallback'. I get this line in the report:
<< machinecert_auth_ag.result' set to '-2'>>
Do you have the list of machinecert_auth_ag.result values and their meanings? Regards,
- Martin_Vlasko, Jan 29, 2019, Altocumulus
Hi CentOne,
Yes, it works for me now; I had to do a workaround for the CRL check.
If you are also using a CRL for "Certificate Revocation List (CRL)" within the CA profile (Local Traffic > Profiles > SSL > Certificate Authority), then do the following:
- uncheck "Update CRL" (in Local Traffic > Profiles > SSL > Certificate Authority > your profile)
- set "Certificate Revocation List (CRL)" to "None" (also in your CA profile)
Then go to Access Policy > AAA Servers > CRLDP, and create a new profile here (choose timeout values that fit your environment):
- Server Connection: No Server
- Cache Timeout: 86400
- Use Issuer: unchecked
- Allow Null CRL: unchecked
- Verify Signature: Enabled
- Connection Timeout: 15 seconds
- Update Interval: 0 seconds
Then go to your APM policy and under the action "Machine Cert Checker" configure the following:
- Certificate Store Name: MY
- Certificate Store Location: LocalMachine
- CA Profile: your CA profile discussed above
- Save Certificate in a session variable: Enabled
- Allow User Account Control right elevation prompts: Yes
- Match subject CN with FQDN: Yes
- Match Issuer: the CN of your issuing CA
Right after this action insert a "Variable Assign" action into the policy and assign two variables:
- session.ssl.cert.whole = (Session Variable) session.check_machinecert.last.cert.cert
- session.ssl.cert.certissuer = (Session Variable) session.check_machinecert.last.cert.issuer.cert
Right after this action insert a "CRLDP Auth Agent" action into the policy:
- CRLDP Server: choose the one you created under Access Policy > AAA Servers > CRLDP
And that's it, it works for me.
FYI, I learned about the CRLDP workaround from Kevin's post here: https://devcentral.f5.com/questions/machine-certificate-revocation-checksanswer160001
Let me know if you are also successful with this configuration.
- SushilK17, May 11, 2022, Nimbostratus
Hi,
I tried the same config, however I am getting the below error and response in the APM session logs.
(null):Common:c8a55694: CRLDP Auth agent: CRL lookup failed for LDAP url 'http://abc.dns.com/CDP/filename.crl' reason 'Bad HTTP response status'
Could you suggest how to resolve this issue? It looks like F5 is not able to resolve the domain to the CRL server IP address.
Regards,
Sushil Kolekar
- CentOne_190154, Jan 31, 2019, Nimbostratus
Hi Martin Vlasko,
Many thanks for your reply. Could you please confirm the extension of the certificates used on the machine, and in the CA profile on the APM?
I have used the following. Regarding the issuer: CN=pki,DC=demo,DC=lab,DC=net <> pki.demo.lab.net. The certificate on the client side is a .pfx; the certificate on the APM side is a .crt.
The machine cert auth still fails.
- Martin_Vlasko, Jan 31, 2019, Altocumulus
Hi there,
I think the extension does not matter anymore once you import the certificate into the cert store.
On F5 I always work with PEM format.
But maybe one more hint: in the LTM client SSL profile for this VS, the whole "Client Authentication" section is NOT enabled, because it is handled by APM.
And perhaps try to make it work first without the CRL check, just to make sure the authentication works; then you can add the config for CRL checking, in case you need it.
- CentOne_190154, Feb 04, 2019, Nimbostratus
Hi Martin,
The basic configuration of Machine Cert auth is working now. I have used the PEM format as you recommended.
The machine certificate should match a SAN value on the APM auth agent, for example 'machineX.f5trn.local'. I have used the following syntax but it doesn't work for me: .DNS Name=.f5trn.local
Any advice?
Best regards,
- Martin_Vlasko, Feb 04, 2019, Altocumulus
Hi,
It probably depends on what exactly you have in the SAN field of your client certificate.
The F5 help suggests using the following regex:
.*DNS Name=([^,]+).*
With the regex you are trying to match and return the SAN value, which APM then checks against the machine's FQDN. Anything that is found within the round brackets will be returned and compared with the FQDN. So in your case I would try something like:
.*DNS Name=(.*\.f5trn\.local).*
or
.*DNS Name=([^,]+\.f5trn\.local).*
It depends on how many values you have in the SAN field, if there are commas, or if it's just a single value.
Perhaps try to dump the certificate into APM log file to see the raw data which should help you figure out the correct regex syntax for your case.
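As an added illustration (not code from the thread or from F5), the three patterns above applied to constructed SAN strings, with Python's re module standing in for APM's regex engine, which is an assumption; it shows which entry each pattern captures when the SAN holds one value versus several comma-separated ones, and why the `[^,]+` form cannot capture across entries.

```python
import re
from typing import Optional

# Constructed sample SAN strings in the "DNS Name=..., IP Address=..." form the
# thread discusses; the hostnames and address are made up for this example.
SAN_SINGLE = "DNS Name=machineX.f5trn.local"
SAN_MULTI = ("DNS Name=machineX.f5trn.local, IP Address=10.0.0.5, "
             "DNS Name=machineX.example.com")
SAN_NO_MATCH = "DNS Name=machineX.example.com, Other Name=svc.f5trn.local"

# The three patterns from the post.
PATTERNS = {
    "f5_help": r".*DNS Name=([^,]+).*",
    "dot_star": r".*DNS Name=(.*\.f5trn\.local).*",
    "no_comma": r".*DNS Name=([^,]+\.f5trn\.local).*",
}


def extract_san_value(san: str, pattern: str) -> Optional[str]:
    """Return what the round brackets capture, or None if the regex does not match.

    Note the leading greedy '.*': with several 'DNS Name=' entries the f5_help
    pattern latches onto the LAST one, so with SAN_MULTI it returns the
    example.com name rather than the f5trn.local one. The '.*' inside the
    brackets of dot_star can run across commas, so on SAN_NO_MATCH it captures
    two entries joined together; '[^,]+' stops at the comma and fails instead.
    """
    m = re.fullmatch(pattern, san)
    return m.group(1) if m else None


def machine_cert_matches_fqdn(san: str, pattern: str, fqdn: str) -> bool:
    """Model the APM check: captured value must equal the machine's FQDN.

    Assumption: the comparison is an exact, case-insensitive string match,
    so an over-captured or absent value fails closed.
    """
    value = extract_san_value(san, pattern)
    return value is not None and value.lower() == fqdn.lower()


if __name__ == "__main__":
    for name, pat in PATTERNS.items():
        for san in (SAN_SINGLE, SAN_MULTI, SAN_NO_MATCH):
            print(f"{name:9} {san!r:80} -> {extract_san_value(san, pat)!r}")
```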
- CentOne_190154, Feb 06, 2019, Nimbostratus
Hi Martin,
Thank you for your help. It works!
Regards,
- Martin_Vlasko, Feb 07, 2019, Altocumulus
Happy to hear it works and that I was able to help you :-)