Forum Discussion

Stevenson_88156's avatar
Stevenson_88156
Icon for Nimbostratus rankNimbostratus
Mar 28, 2012

Mutual SSL Certificate Authentication

Hi, I had been asked to setup a mutual SSL certiicate authentication to protect some of our web services hosted in F5. Reading some documentation, I had thought I was in the right direction, I first setup a Client SSL with the Client Certificate set to "Request" as shown in this link.

 

 

http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_1/ltm_ssl_profiles.html1298333

 

 

I then preceeded to setup the authentication profile with SSL Client Certificate LDAP authentication.

 

 

http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_1/ltm_auth_profiles.html1186130

 

 

However, for some reason, everytime I tried to access the virtual server site and send the certificate, the authentication kept failing. Note that I am using a self signed certificate and imported the certificate into the F5 box as well and set the CA as the certificate itself.

 

 

Please help as I cannot find many resources or articles on this posted on Ask F5. Thanks.

3 Replies

  • Hi,

     

     

    Do you have the advanced client auth license? Can you print out and anonymize the virtual server, client ssl profile and auth profiles?

     

     

    If you remove the LDAP auth portion from the virtual server, does just the client cert to root cert verification succeed?

     

     

    Aaron
  • I had also tested removing the auth portion of our virtual server and it didn't work.

     

     

    We have the following licenses loaded on our F5 BIG-IP box (under the license tab of the web admin console).

     

    Access Policy Manager Module, 500 CCU(Perpetual)

     

    ADD ANTI-VIRUS CHECKS

     

    ADD BASE ENDPOINT SECURITY CHECKS

     

    ADD FIREWALL CHECKS

     

    ADD NETWORK ACCESS

     

    ADD SECURE VIRTUAL KEYBOARD

     

    ADD WEB APP

     

    ADD MACHINE CERTIFICATE CHECKS

     

    ADD PROTECTED WORKSPACE

     

    ADD 1,000 CONCURRENT USERS

     

    ADD LTM 6900(Perpetual)

     

    Local Traffic Manager Module

     

    ADD IPV6 GATEWAY

     

    ADD RATE SHAPING

     

    ADD RAMCACHE

     

    50 MBPS COMPRESSION

     

    SSL 500 TPS Per Core

     

    ADD SSL CMP

     

    ADD ANTI-VIRUS CHECKS

     

    ADD BASE ENDPOINT SECURITY CHECKS

     

    ADD FIREWALL CHECKS

     

    ADD NETWORK ACCESS

     

    ADD SECURE VIRTUAL KEYBOARD

     

    ADD WEB APP

     

    ADD MACHINE CERTIFICATE CHECKS

     

    ADD PROTECTED WORKSPACE

     

    ADD DNS EXPRESS

     

     

    Also below are is the virtual server and profiles I have setup.

     

     

    virtual testVS {

     

    snat automap

     

    pool TestPool

     

    destination 192.168.1.10:80

     

    ip protocol tcp

     

    auth test_ssl_cc_ldap

     

    profiles {

     

    http {}

     

    oneconnect {}

     

    tcp {}

     

    test_mutual_auth_clientssl_profile {

     

    clientside

     

    }

     

    }

     

    }

     

    profile clientssl test_mutual_auth_clientssl_profile {

     

    defaults from clientssl

     

    key "server_cert.key"

     

    cert "server_cert.crt"

     

    crl file none

     

    client cert ca "client_cert.crt"

     

    peer cert mode require

     

    authenticate once

     

    authenticate depth 9

     

    }

     

    profile auth test_ssl_cc_ldap {

     

    defaults from ssl_cc_ldap

     

    config test_ssl_client_cert_ldap_config

     

    type ssl cc ldap

     

    mode enable

     

    credential source http basic auth

     

    rule _sys_auth_ssl_cc_ldap

     

    }

     

    auth ssl cc ldap test_ssl_client_cert_ldap_config {

     

    search cert

     

    admin dn "CN=app_service,OU=ServiceAccounts,DC=DOMAIN,DC=COM"

     

    admin pw "password"

     

    user base "dc=domain,dc=com"

     

    user key "sAMAccountName"

     

    user class "user"

     

    group base "dc=domain,dc=com"

     

    group key "sAMAccountName"

     

    group member key "memberOf"

     

    servers "192.268.15.20:389"

     

    valid groups "CN=TestGroup,OU=Groups,DC=domain,DC=com"

     

    }
  • Hi Stevenson, You probably have resolved your issue by now or given up on it. Mutual authentication could be using just the Client SSL to validate the browser connection traffic for the session (once or always) or you cann do a further authentication using a remote server. This remote authentication is facilitated using PAM modules on the F5 BigIP. These could be tacas, radius or even an ldap server. In your setup above, you are doing client ssl authentication using remote ldap server. The test to fish out the problem would be:

     

    1) do you have ldap bind to your ldap server and can you do ldapsearch from bigIP CLI to the ldap server ? 2) The client certificate loaded onto the client browser, can you extract the sAMAccountName from it and matches what was held on the ldap server and in the correct object group?