Forum Discussion

Stevenson_88156
Mar 28, 2012

Mutual SSL Certificate Authentication

Hi, I had been asked to set up mutual SSL certificate authentication to protect some of our web services hosted on F5. Reading some documentation, I had thought I was in the right direction. I first set up a Client SSL profile with the Client Certificate setting set to "Request", as shown at this link:

http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_1/ltm_ssl_profiles.html1298333

I then proceeded to set up the authentication profile with SSL Client Certificate LDAP authentication:

http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_1/ltm_auth_profiles.html1186130

However, for some reason, every time I tried to access the virtual server site and send the certificate, the authentication kept failing. Note that I am using a self-signed certificate; I imported the certificate into the F5 box as well and set the CA as the certificate itself.

Please help, as I cannot find many resources or articles on this posted on Ask F5. Thanks.
  • Hi,

    Do you have the advanced client auth license? Can you print out and anonymize the virtual server, client SSL profile and auth profiles?

    If you remove the LDAP auth portion from the virtual server, does just the client cert to root cert verification succeed?

    Aaron
  • I had also tested removing the auth portion of our virtual server and it didn't work.

    We have the following licenses loaded on our F5 BIG-IP box (under the license tab of the web admin console):

    Access Policy Manager Module, 500 CCU(Perpetual)
    ADD ANTI-VIRUS CHECKS
    ADD BASE ENDPOINT SECURITY CHECKS
    ADD FIREWALL CHECKS
    ADD NETWORK ACCESS
    ADD SECURE VIRTUAL KEYBOARD
    ADD WEB APP
    ADD MACHINE CERTIFICATE CHECKS
    ADD PROTECTED WORKSPACE
    ADD 1,000 CONCURRENT USERS
    ADD LTM 6900(Perpetual)
    Local Traffic Manager Module
    ADD IPV6 GATEWAY
    ADD RATE SHAPING
    ADD RAMCACHE
    50 MBPS COMPRESSION
    SSL 500 TPS Per Core
    ADD SSL CMP
    ADD ANTI-VIRUS CHECKS
    ADD BASE ENDPOINT SECURITY CHECKS
    ADD FIREWALL CHECKS
    ADD NETWORK ACCESS
    ADD SECURE VIRTUAL KEYBOARD
    ADD WEB APP
    ADD MACHINE CERTIFICATE CHECKS
    ADD PROTECTED WORKSPACE
    ADD DNS EXPRESS

    Also below are the virtual server and profiles I have set up.

    virtual testVS {
        snat automap
        pool TestPool
        destination 192.168.1.10:80
        ip protocol tcp
        auth test_ssl_cc_ldap
        profiles {
            http {}
            oneconnect {}
            tcp {}
            test_mutual_auth_clientssl_profile {
                clientside
            }
        }
    }

    profile clientssl test_mutual_auth_clientssl_profile {
        defaults from clientssl
        key "server_cert.key"
        cert "server_cert.crt"
        crl file none
        client cert ca "client_cert.crt"
        peer cert mode require
        authenticate once
        authenticate depth 9
    }

    profile auth test_ssl_cc_ldap {
        defaults from ssl_cc_ldap
        config test_ssl_client_cert_ldap_config
        type ssl cc ldap
        mode enable
        credential source http basic auth
        rule _sys_auth_ssl_cc_ldap
    }

    auth ssl cc ldap test_ssl_client_cert_ldap_config {
        search cert
        admin dn "CN=app_service,OU=ServiceAccounts,DC=DOMAIN,DC=COM"
        admin pw "password"
        user base "dc=domain,dc=com"
        user key "sAMAccountName"
        user class "user"
        group base "dc=domain,dc=com"
        group key "sAMAccountName"
        group member key "memberOf"
        servers "192.268.15.20:389"
        valid groups "CN=TestGroup,OU=Groups,DC=domain,DC=com"
    }
  • Hi Stevenson, You probably have resolved your issue by now or given up on it. Mutual authentication could be using just the Client SSL profile to validate the browser connection traffic for the session (once or always), or you can do a further authentication using a remote server. This remote authentication is facilitated using PAM modules on the F5 BIG-IP. These could be TACACS, RADIUS or even an LDAP server. In your setup above, you are doing client SSL authentication using a remote LDAP server. The tests to fish out the problem would be:

    1) Do you have an LDAP bind to your LDAP server, and can you do an ldapsearch from the BIG-IP CLI to the LDAP server?

    2) The client certificate loaded onto the client browser: can you extract the sAMAccountName from it, and does it match what is held on the LDAP server and in the correct object group?
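The second check above, modelled offline as an added example that is not part of the thread or F5's own code: constructed directory entries stand in for the LDAP server, the settings mirror the thread's "auth ssl cc ldap" stanza (user base, user key, user class, memberOf, valid groups), and the assumption is that the CN of the client certificate subject is the value compared against the configured user key.

```python
# Added example, not F5 code: an offline model of the lookup the "auth ssl cc ldap" stanza performs.
# Assumption: the CN of the client certificate subject is the value matched against "user key".
import re

def parse_dn(dn):
    """RFC 4514 DN -> list of (attr, value); attr lower-cased, escaped commas honoured."""
    rdns = re.split(r"(?<!\\),", dn)
    return [(a.strip().lower(), v.strip().replace("\\,", ",")) for a, _, v in (r.partition("=") for r in rdns)]

def norm(dn):
    """Comparison form for DNs: attribute names and values lower-cased (AD DNs are case-insensitive)."""
    return [(a, v.lower()) for a, v in parse_dn(dn)]

def dn_under(entry_dn, base_dn):
    """True if entry_dn is at or below base_dn, i.e. base_dn is a suffix of its RDN list."""
    e, b = norm(entry_dn), norm(base_dn)
    return len(e) >= len(b) and e[len(e) - len(b):] == b

CONFIG = {  # the thread's auth ssl cc ldap settings
    "user_base": "dc=domain,dc=com", "user_key": "sAMAccountName", "user_class": "user",
    "group_member_key": "memberOf", "valid_groups": ["CN=TestGroup,OU=Groups,DC=domain,DC=com"],
}

DIRECTORY = {  # constructed sample entries standing in for the LDAP server: DN -> attributes
    "CN=jdoe,OU=Users,DC=domain,DC=com": {"objectclass": ["top", "person", "user"],
        "samaccountname": ["jdoe"], "memberof": ["cn=testgroup,ou=groups,dc=domain,dc=com"]},
    "CN=svcbuild,OU=ServiceAccounts,DC=domain,DC=com": {"objectclass": ["top", "person", "user"],
        "samaccountname": ["svcbuild"], "memberof": ["CN=Builders,OU=Groups,DC=domain,DC=com"]},
    "CN=printer1,OU=Devices,DC=other,DC=com": {"objectclass": ["top", "person", "user"],
        "samaccountname": ["printer1"], "memberof": ["CN=TestGroup,OU=Groups,DC=domain,DC=com"]},
}

def authorize(cert_subject, directory=DIRECTORY, cfg=CONFIG):
    """Return (allowed, reason) for the subject DN of a presented client certificate."""
    cn = next((v for a, v in parse_dn(cert_subject) if a == "cn"), None)
    if cn is None: return False, "certificate subject has no CN"
    key_attr = cfg["user_key"].lower()
    for dn, entry in directory.items():
        if not dn_under(dn, cfg["user_base"]):          # entries outside user base are never considered
            continue
        if cfg["user_class"].lower() not in [c.lower() for c in entry.get("objectclass", [])]:
            continue
        if cn.lower() not in [v.lower() for v in entry.get(key_attr, [])]:
            continue
        groups = entry.get(cfg["group_member_key"].lower(), [])
        if any(norm(g) == norm(vg) for g in groups for vg in cfg["valid_groups"]):
            return True, "user found and member of a valid group"
        return False, "user found but not in any valid group"
    return False, "no %s=%s of class %s under %s" % (cfg["user_key"], cn, cfg["user_class"], cfg["user_base"])
```

The jdoe entry's memberOf is deliberately lower-cased to show that the valid-groups comparison has to treat DNs case-insensitively, and the printer1 entry shows that an account outside the configured user base is never found even when its group is right.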