Forum Discussion

M_187467
Dec 18, 2015

On demand Cert authentication - how is the client cert validated?

Hello friends,

Can anyone explain how exactly the client cert validation is done when on-demand cert authentication is enabled?

How does a chain validate the client-provided certificate?

Thanks, Sam


4 Replies

    Lucas_Thompson_
    Historic F5 Account

    BIG-IP renegotiates the SSL connection during Access Policy processing to request the client certificate. The chain is validated up to the certificate(s) included in the CA section of the client-ssl profile applied to the APM-enabled virtual server. Typically, you'd set the Client-Certificate section to Ignore, but be sure to set the CA section with the CA chain and/or cert that is appropriate.


  • ODCA on its own doesn't do much more than validate the Certificate is from a trusted CA, exists, and is not expired.

    If you want proper validation, you need to add OCSP or CRL validation after the ODCA agent.


  • There are two things to keep in mind when talking about APM On-Demand Certificate authentication:

    1. ODCA performs an SSL renegotiation, that is, it issues a TLS HelloRequest message to the client. The new TLS handshake then includes a CertificateRequest message from the server to get the client's certificate. The "Request" and "Require" options in the ODCA agent indicate how APM validates the client's certificate. The Request selection causes a "fail open" condition if the client doesn't present a certificate or validation fails. The Require selection causes a "fail closed" condition if the certificate isn't presented and/or cannot be validated.

    2. Certificate evaluation (i.e. expiration, validation, trust, and optionally revocation) is still controlled by the client SSL profile. You should as a general rule configure the client SSL profile exactly as you would for direct LTM-only mutual PKI authentication, but set the Client Authentication option to "Ignore", as APM will set that in the renegotiation.
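The CA-section chain check and the Request/Require fail-open/fail-closed behaviour described in the replies above, as an added example that is not part of this thread or F5's own code; it uses the openssl CLI with certificates generated locally, where ca.crt stands in for the CA section of the client-ssl profile and `none` stands in for a client that presented no certificate during the renegotiation.

```shell
#!/bin/sh
# Constructed demo, not F5 code: the CA-section check and the ODCA
# Request/Require decision, using the openssl CLI. ca.crt plays the role of
# the CA bundle in the client-ssl profile; all certificates are generated here.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Trusted CA: what you would upload into the client-ssl profile's CA section
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -keyout ca.key -out ca.crt -subj "/CN=Demo Trusted CA" >/dev/null 2>&1
# Client certificate issued by that CA (the chain terminates at ca.crt)
openssl req -newkey rsa:2048 -nodes \
  -keyout client.key -out client.csr -subj "/CN=sam" >/dev/null 2>&1
openssl x509 -req -days 30 -in client.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out client.crt >/dev/null 2>&1
# Self-signed client certificate from a CA that is NOT in the CA section
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -keyout other.key -out other.crt -subj "/CN=Untrusted Client" >/dev/null 2>&1

# validate_chain <cert>: succeeds only if the cert chains to ca.crt and is
# within its validity period, i.e. the checks the client-ssl profile applies.
validate_chain() {
  openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}

# odca_decision <request|require> <cert-file|none>: prints allow or deny.
# "none" models a client that presented no certificate in the renegotiation.
odca_decision() {
  mode=$1
  cert=$2
  if [ "$cert" = none ] || ! validate_chain "$cert"; then
    # No certificate, or validation failed: Request fails open, Require fails closed
    if [ "$mode" = request ]; then echo allow; else echo deny; fi
  else
    echo allow
  fi
}

# Stand-alone run: print the decision matrix
for mode in request require; do
  for cert in client.crt other.crt none; do
    echo "$mode $cert -> $(odca_decision "$mode" "$cert")"
  done
done
```

Note that this mirrors only what the second reply calls the basic ODCA check (trusted issuer and validity dates); revocation via OCSP or CRL is a separate step and is not modelled here.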