Aviv
Oct 25, 2015

On-Demand Cert Auth Fallback

Hi All!

I have an APM policy with smartcard authentication. If no smartcard/certificate is detected, I want to configure a fallback action that redirects to an explanation URL on some web site.

I have tried to create a redirect iRule and set it as an iRule event after the On-Demand Cert Auth object (of course linking it as a resource on the virtual server), but it did not work (no redirect when no smartcard is inserted). I have also tried to create a webtop link and set it as a resource after On-Demand Cert Auth, but that did not work either.

What is the right way to do it?

Thanks,

Aviv Hassidim

8 Replies

  • To force an actual HTTP redirect to another URL, the easiest option might be to create a redirect ending in the visual policy:

    1. In the visual policy, click the Edit Endings button.

    2. Click the Add Ending button.

    3. In the new ending properties, select Redirect and specify a URL. Save.

    4. After the fallback branch of your on-demand cert auth agent, select the Redirect ending.

  • In your On-Demand Cert Auth agent, do you have it set to Request or Require? Fallback will only work if you have it set to Request.

  • Thanks again Kevin!

    Is it secure to change the On-Demand Cert Auth to Request? What is the difference between Request and Require?

  • It's the difference between a fail open connection and fail closed connection. The Require option provides a fail closed connection. If for any reason the client cannot satisfy the certificate request, or the client's certificate cannot be validated or trusted, the connection is closed. The Request option, however, allows the connection to proceed. This option also allows you to apply additional logic after the SSL handshake, as in to perform an HTTP redirect on validation/trust failure.

    The "is it secure" question is relative to what you're doing in the fallback branch. The SSL handshake will complete regardless, so you must do something in that fallback branch that prohibits further access.

  • The error implies an issue with the SSL handshake, and not specifically the client cert.

    Do you also have the client SSL profile configured to request or require the client certificate?

    What does your client SSL profile's Cipher option look like?

    What type of client are you using?

    Do you see a prompt for client certificate?

  • No problem. So technically speaking, you don't need to set anything in the client SSL profile if you're using an APM On-Demand Cert Auth agent. The client SSL profile Certificate Authentication option should be set to Ignore.

  • So just to be clear, the On-Demand Cert Auth should be configured to "request" and the client SSL profile Certificate should be set to ignore?

    Correct.

    What is the difference between request and ignore, practically?

    Ignore doesn't ask for a client cert and Request asks for one but fails open if the certificate is missing or invalid.

    The point is that you shouldn't have TWO places where you're asking for a client certificate. The Client SSL profile will perform mutual authentication in the initial SSL handshake, while the APM On-Demand Cert Auth agent will perform an SSL renegotiation to "step-up" to mutual authentication. Some browsers can handle both, but it's never advisable to set it in both places.

  • JoeLupo73, first things first, I was saying that you should NOT set Request or Require in both the client SSL profile and the APM On-Demand Cert Auth agent. Only do it in one. If you select Request or Require in the client SSL profile, mutual authentication happens in the first SSL handshake with the client. The certificate data will still be accessible to the access session. If you set the client SSL profile to Ignore, and then set the APM On-Demand Cert Auth agent to Request or Require, mutual authentication will happen in a renegotiated SSL handshake after the initial handshake. This renegotiated handshake also has the benefit of being completely encrypted with the session keys from the first handshake, so an eavesdropper cannot see who is logging into your application.

    In both cases though, the Require option is a hard fail. If certificate validation fails, or the user simply doesn't present a certificate, the session is closed. The Request option is a soft fail. If certificate validation fails, or the user simply doesn't present a certificate, the session is maintained and you can then make additional decisions, like passing HTML content to the user.
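As an added illustration (not code from this thread, and not F5's own configuration syntax), here is a small Python model of the three settings discussed above, Ignore / Request / Require, applied to the fail open versus fail closed behaviour Kevin describes, together with an audit function that flags the two misconfigurations the replies warn about: asking for a client certificate in both the client SSL profile and the On-Demand Cert Auth agent, and leaving the Request fallback branch open. The `CertMode`, `Fallback`, `Client`, `handshake`, `evaluate_policy` and `audit` names, and the Allow/Deny/Redirect ending labels, are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum


class CertMode(Enum):
    """Client-certificate setting, as found on both the client SSL profile
    and the APM On-Demand Cert Auth agent (hypothetical model)."""
    IGNORE = "ignore"    # never ask the client for a certificate
    REQUEST = "request"  # ask; fail open if the cert is missing or invalid
    REQUIRE = "require"  # ask; fail closed if the cert is missing or invalid


class Fallback(Enum):
    """What the policy does on the agent's fallback branch (hypothetical labels)."""
    REDIRECT = "redirect"  # Redirect ending pointing at an explanation URL
    DENY = "deny"          # Deny ending
    ALLOW = "allow"        # Allow ending: grants access without a certificate


@dataclass(frozen=True)
class Client:
    presented: bool  # client offered a certificate during the handshake
    valid: bool      # certificate chains to a trusted CA and is not revoked


def handshake(mode: CertMode, client: Client) -> tuple[bool, bool]:
    """Return (connection_alive, certificate_authenticated) for one mode."""
    if mode is CertMode.IGNORE:
        return True, False                   # nothing requested, nothing proven
    authenticated = client.presented and client.valid
    if mode is CertMode.REQUIRE:
        return authenticated, authenticated  # fail closed: bad/missing cert ends session
    return True, authenticated               # REQUEST: fail open, session continues


def evaluate_policy(agent_mode: CertMode, client: Client, fallback: Fallback) -> str:
    """Outcome of the access policy: 'closed', 'allow', 'redirect' or 'deny'."""
    alive, authenticated = handshake(agent_mode, client)
    if not alive:
        return "closed"
    if authenticated:
        return "allow"
    # Unauthenticated but still connected: the fallback branch decides.
    return fallback.value


def audit(profile_mode: CertMode, agent_mode: CertMode, fallback: Fallback) -> list[str]:
    """Flag the misconfigurations discussed in the thread."""
    findings = []
    if profile_mode is not CertMode.IGNORE and agent_mode is not CertMode.IGNORE:
        findings.append("client certificate requested in both the client SSL profile "
                        "and the On-Demand Cert Auth agent; configure it in one place only")
    if agent_mode is CertMode.REQUEST and fallback is Fallback.ALLOW:
        findings.append("agent set to Request with an Allow fallback: users without a "
                        "valid certificate get access (fail open)")
    if agent_mode is CertMode.REQUIRE and fallback is Fallback.REDIRECT:
        findings.append("agent set to Require: the Redirect fallback is never reached, "
                        "because the session is closed before the fallback branch runs")
    return findings


if __name__ == "__main__":
    # Constructed sample clients: no smartcard, untrusted card, trusted card.
    no_card = Client(presented=False, valid=False)
    bad_card = Client(presented=True, valid=False)
    good_card = Client(presented=True, valid=True)
    for mode in (CertMode.REQUEST, CertMode.REQUIRE):
        for client in (no_card, bad_card, good_card):
            print(mode.value, client, "->", evaluate_policy(mode, client, Fallback.REDIRECT))
    for finding in audit(CertMode.REQUEST, CertMode.REQUEST, Fallback.REDIRECT):
        print("finding:", finding)
```

Running the model shows why the Redirect ending only fires under Request: with Require, a missing or untrusted certificate returns "closed" before any ending is reached, while with Request the same client lands on the fallback branch and gets "redirect". The audit reflects the thread's advice that the client SSL profile should stay on Ignore when the agent does the certificate check.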