Mutual Authentication over public internet
Based on the example configuration, I am assuming you are providing the service which the SaaS server is connecting to and you have wired up the virtual server with a publicly signed certificate.
To answer your question,
Mutual authentication is essentially based on trust. In this scenario:
- The certificate on the virtual server needs to be trusted by the SaaS server. As this is a publicly signed certificate, that should be pretty straightforward.
- The certificate that the SaaS server presents needs to be trusted by the virtual server. It is your choice which trusted CAs these certificates are issued from. For greater control, these should be issued by your internal PKI. You could also trust third-party CAs that issue certificates on your behalf.
Do take note that any CA you choose needs to have its CRL available and imported to the F5 if you have a requirement for revocation checking.
You can validate by checking the certificate that is presented by the client (SaaS) during the TLS handshake. The most unique attribute that you can check is the thumbprint of the certificate. The iRule below checks whether the thumbprint is listed within a data group, disconnecting if it's not in the list.
You need to make sure the client SSL profile you are using is set to require or request a client certificate.
when CLIENTSSL_CLIENTCERT {
    # SSL::cert 0 is the DER-encoded client (leaf) certificate. Hash it and
    # render the digest as lowercase hex with no separators, which is the
    # format the data group entries must use.
    binary scan [sha1 [SSL::cert 0]] H* _sha1_thumbprint
    # allowed_certsha1_dg: string data group holding the permitted thumbprints
    if { ! [class match $_sha1_thumbprint equals allowed_certsha1_dg] } {
        # Unknown certificate: invalidate the SSL session and drop the connection
        SSL::session invalidate
        reject
    }
}
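The iRule above compares the hex string produced by `binary scan ... H*`, i.e. the SHA-1 of the DER certificate as lowercase hex with no colons. `openssl x509 -fingerprint` prints the same digest as uppercase, colon-separated bytes, so entries pasted straight from that output will never match. The script below is an added example, not code from the original post or from F5: it generates a throwaway self-signed certificate (assumed only for demonstration, and assuming `openssl` is on the PATH), computes the thumbprint the way the iRule does, normalizes the `-fingerprint` form to the same string, and shows the allow-list comparison.

```shell
#!/bin/sh
# Added example: produce data-group-ready SHA-1 thumbprints for the iRule above.
# Assumes: openssl, awk, tr, cut on PATH. The certificate is a constructed,
# self-signed test cert, not a real SaaS client certificate.
set -e

# SHA-1 over the DER encoding, lowercase hex, no separators: exactly what
# "binary scan [sha1 [SSL::cert 0]] H* ..." yields on the BIG-IP.
thumbprint_from_der() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha1 | awk '{print $NF}'
}

# Same value derived from "openssl x509 -fingerprint", normalized by stripping
# the "SHA1 Fingerprint=" label and the colons and lowercasing the hex.
thumbprint_from_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 \
        | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Mirror the iRule's "class match ... equals" on a whitespace-separated allow
# list; prints "allowed" or "rejected" and returns 0 / 1 accordingly.
check_allowed() {
    tp="$1"; allow="$2"
    for entry in $allow; do
        if [ "$entry" = "$tp" ]; then echo "allowed"; return 0; fi
    done
    echo "rejected"; return 1
}

# Generate a constructed self-signed test certificate in a temp dir.
make_test_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=saas-client-test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    echo "$dir/cert.pem"
}

# Demo when run directly: print the value to paste into allowed_certsha1_dg.
if [ "${1:-}" = "demo" ]; then
    cert=$(make_test_cert)
    tp=$(thumbprint_from_der "$cert")
    echo "data group entry: $tp"
    check_allowed "$tp" "$tp" >/dev/null && echo "self-check: allowed"
fi
```

Run with `sh thumbprint.sh demo` to print the entry; on the BIG-IP it goes into a string data group (e.g. `tmsh create ltm data-group internal allowed_certsha1_dg type string records add { <thumbprint> }`, assumed syntax) so that `class match` finds it.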
