Forum Discussion
Stevenson_88156
Mar 28, 2012 - Nimbostratus
Mutual SSL Certificate Authentication
Hi, I had been asked to set up mutual SSL certificate authentication to protect some of our web services hosted in F5. Reading some documentation, I had thought I was in the right direction; I first s...
Stevenson_88156
Mar 29, 2012 - Nimbostratus
I had also tested removing the auth portion of our virtual server and it didn't work.
We have the following licenses loaded on our F5 BIG-IP box (under the license tab of the web admin console).
Access Policy Manager Module, 500 CCU(Perpetual)
ADD ANTI-VIRUS CHECKS
ADD BASE ENDPOINT SECURITY CHECKS
ADD FIREWALL CHECKS
ADD NETWORK ACCESS
ADD SECURE VIRTUAL KEYBOARD
ADD WEB APP
ADD MACHINE CERTIFICATE CHECKS
ADD PROTECTED WORKSPACE
ADD 1,000 CONCURRENT USERS
ADD LTM 6900(Perpetual)
Local Traffic Manager Module
ADD IPV6 GATEWAY
ADD RATE SHAPING
ADD RAMCACHE
50 MBPS COMPRESSION
SSL 500 TPS Per Core
ADD SSL CMP
ADD ANTI-VIRUS CHECKS
ADD BASE ENDPOINT SECURITY CHECKS
ADD FIREWALL CHECKS
ADD NETWORK ACCESS
ADD SECURE VIRTUAL KEYBOARD
ADD WEB APP
ADD MACHINE CERTIFICATE CHECKS
ADD PROTECTED WORKSPACE
ADD DNS EXPRESS
Also below are the virtual server and profiles I have set up.
virtual testVS {
    snat automap
    pool TestPool
    destination 192.168.1.10:80
    ip protocol tcp
    auth test_ssl_cc_ldap
    profiles {
        http {}
        oneconnect {}
        tcp {}
        test_mutual_auth_clientssl_profile {
            clientside
        }
    }
}

profile clientssl test_mutual_auth_clientssl_profile {
    defaults from clientssl
    key "server_cert.key"
    cert "server_cert.crt"
    crl file none
    client cert ca "client_cert.crt"
    peer cert mode require
    authenticate once
    authenticate depth 9
}

profile auth test_ssl_cc_ldap {
    defaults from ssl_cc_ldap
    config test_ssl_client_cert_ldap_config
    type ssl cc ldap
    mode enable
    credential source http basic auth
    rule _sys_auth_ssl_cc_ldap
}

auth ssl cc ldap test_ssl_client_cert_ldap_config {
    search cert
    admin dn "CN=app_service,OU=ServiceAccounts,DC=DOMAIN,DC=COM"
    admin pw "password"
    user base "dc=domain,dc=com"
    user key "sAMAccountName"
    user class "user"
    group base "dc=domain,dc=com"
    group key "sAMAccountName"
    group member key "memberOf"
    servers "192.268.15.20:389"
    valid groups "CN=TestGroup,OU=Groups,DC=domain,DC=com"
}
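As an added illustration of what the auth ssl cc ldap config above asks the directory to do when the search mode is cert (this is example code written for this page, not part of the original post and not F5's implementation), the lookup is modelled below as an LDAP filter on the configured user class plus the exact DER bytes of the certificate the client presented, followed by a memberOf check against the valid groups. The directory entries, the user names and the certificate bytes are all constructed; ssl.PEM_cert_to_DER_cert only strips the PEM armour, so the placeholder bytes are not a real certificate, and the assumption that "search cert" means an exact match on userCertificate is stated as such.

```python
import base64
import ssl

# --- Constructed sample data (not real certificates or directory content) ---
# Arbitrary bytes stand in for the DER encoding of the client certificate that
# the clientssl profile (peer cert mode require) has already chain-verified.
CLIENT_CERT_DER = bytes(range(0x30, 0x60))
OTHER_CERT_DER = bytes(range(0x60, 0x90))


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour, the form the BIG-IP hands to the auth module."""
    b64 = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


CLIENT_CERT_PEM = der_to_pem(CLIENT_CERT_DER)
STRANGER_CERT_PEM = der_to_pem(OTHER_CERT_DER)

# Constructed AD-style entries using the attribute names from the config:
# user key sAMAccountName, user class "user", group member key memberOf, and
# userCertificate holding the certificate as raw DER (how AD stores it).
DIRECTORY = [
    {
        "dn": "CN=jdoe,OU=Users,DC=domain,DC=com",
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": "jdoe",
        "userCertificate": [CLIENT_CERT_DER],
        "memberOf": ["CN=TestGroup,OU=Groups,DC=domain,DC=com"],
    },
    {
        "dn": "CN=contractor,OU=Users,DC=domain,DC=com",
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": "contractor",
        "userCertificate": [OTHER_CERT_DER],
        "memberOf": ["CN=Contractors,OU=Groups,DC=domain,DC=com"],
    },
]

VALID_GROUPS = ["CN=TestGroup,OU=Groups,DC=domain,DC=com"]


def ldap_escape_binary(data: bytes) -> str:
    """RFC 4515 escaping: each byte becomes \\XX so DER can sit inside a filter."""
    return "".join("\\%02x" % b for b in data)


def cert_search_filter(pem: str, user_class: str = "user") -> str:
    """Filter for a 'search cert' style lookup (assumed semantics): the user
    class from the config AND the exact DER bytes of the presented cert."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return "(&(objectClass=%s)(userCertificate=%s))" % (
        user_class, ldap_escape_binary(der))


def find_user_by_cert(directory, pem, user_class="user"):
    """Directory side of that filter: exact DER match within the user class.
    Zero hits and ambiguous hits both fail closed."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    hits = [e for e in directory
            if user_class in e["objectClass"] and der in e.get("userCertificate", [])]
    return hits[0] if len(hits) == 1 else None


def _dn_norm(dn: str) -> str:
    # DNs compare case-insensitively; the config mixes DC=DOMAIN and dc=domain.
    return ",".join(part.strip().lower() for part in dn.split(","))


def authorize(directory, pem, valid_groups, user_class="user"):
    """Return (allowed, reason). Allowed only when exactly one user object holds
    the certificate and its memberOf lists one of the configured valid groups."""
    user = find_user_by_cert(directory, pem, user_class)
    if user is None:
        return False, "no single user object holds this certificate"
    wanted = {_dn_norm(g) for g in valid_groups}
    if not any(_dn_norm(g) in wanted for g in user.get("memberOf", [])):
        return False, "%s is not in a valid group" % user["sAMAccountName"]
    return True, user["sAMAccountName"]


if __name__ == "__main__":
    print(cert_search_filter(CLIENT_CERT_PEM))
    print(authorize(DIRECTORY, CLIENT_CERT_PEM, VALID_GROUPS))    # (True, 'jdoe')
    print(authorize(DIRECTORY, STRANGER_CERT_PEM, VALID_GROUPS))  # (False, ...)
```

The point this makes for a practitioner: with an exact-DER match, the userCertificate attribute on the directory object must be the very certificate the client presents, so a re-issued or renewed client certificate will pass the TLS handshake (it still chains to client_cert.crt) and then fail the directory lookup. Two things in the posted config are worth checking independently of that logic: the servers value 192.268.15.20 is not a valid IPv4 address (an octet cannot exceed 255), and a clientssl profile on a virtual listening on port 80 means only a TLS client connecting to that port will ever get as far as the certificate check.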