Forum Discussion
Options for Mutually Authenticated Connections using Certificates
Hello,
I'm attempting to change an existing VS configuration to accommodate some updated security requirements that have been passed down to our team.
The existing configuration is as follows:
Virtual Service that is listening on HTTPS port, and is doing the SSL offloading for this service on the client side. The server side is unencrypted HTTP. There is also an iRule that has been applied that rewrites the URIs (5 static translations, e.g. /api/v2/xyz to /ABC/xyz, /api/v2/def to /ABC/def).
The new requirement is that the Client will be providing a client certificate that they want to validate. It must be that specific certificate as the communication is supposed to be just between a single client server owned by our partner and our server.
I looked into doing Client Certificate Authentication but from what I can tell that will simply verify whether or not the certificate is valid, not that specific certificate's details.
I also don't want to do it using an iRule because there's a chance that in the future there will be other clients using this connection and the scalability of the iRule option seems low.
The client certificate validation can be done using Tomcat on the server on our side so I think that the best option for this application would be to push the SSL termination down to the server so that they can do the Client certificate authentication with Tomcat. I am wondering though whether or not this will work with the existing URI rewriting?
Not sure if that explanation made sense, we have had a bit of a moving target on this project so the configuration has changed several times.
Thanks.
5 Replies
- Shaun_Simmons1
Altostratus
If Tomcat can validate the user's certificate, could you make the VIP Layer 4 443 passthrough? The user will be passed Tomcat's SSL certificate to access the site.
I have seen this in the past with an IBM Tivoli; one configured access by the user's cert hash ("Public" certificate or "public key").
- CWaldon
Nimbostratus
Thanks, I will try that out!
Will the iRule for the URI rewriting still work if it's configured to do passthrough?
- Shaun_Simmons1
Altostratus
No. The traffic has to be decrypted by the F5 to interject the iRule.
- Shaun_Simmons1
Altostratus
Hmmmmm....I used to have an iRule that I used to authenticate users based on criteria pulled from a user's Public Certificate, using a data-group... I needed it for a special project. I worked with my F5 Federal guy, stating what I needed in layman's terms and he transposed it into a magical iRule! I'm still thinking through your problem...my brain isn't quite awake this morning haha!
- Kevin_Stewart
Employee
There's no clean non-iRule way to do this quite yet, but as Shaun stated you can use a data group to minimize customization of that iRule. If you take a look at this page you can see a lot of options for extracting information from the certificate: https://devcentral.f5.com/wiki/iRules.X509.ashx
So you could take a variation of one of the code examples and add the data group.
```tcl
when CLIENTSSL_HANDSHAKE {
    # Check if the client supplied one or more client certs
    if { [SSL::cert count] > 0 } {
        if { not ( [class match [X509::subject [SSL::cert 0]] equals my-cert-subject-dg] ) } {
            # incoming cert subject didn't match a data group entry
            reject
        }
    } else {
        # No certificate presented
        reject
    }
}
```
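The same data-group approach, extended so one iRule both pins the client certificate and keeps the five static URI rewrites from the original post (this is an added example, not code from the thread or from F5). It assumes two string data groups you create yourself, `partner_cert_subjects` (allowed certificate subjects as keys) and `api_uri_map` (keys such as /api/v2/xyz with values such as /ABC/xyz), and a clientssl profile with Client Certificate set to require so that `SSL::cert` is populated.

```tcl
# Added example, not from the thread. Assumed data groups:
#   partner_cert_subjects : string DG, one key per allowed certificate subject
#   api_uri_map           : string DG, key = /api/v2/<x>, value = /ABC/<x>
when CLIENTSSL_HANDSHAKE {
    # Pin to a specific certificate: chain validity alone is not enough,
    # the subject must also be on the allowlist.
    if { [SSL::cert count] > 0 } {
        set subject [X509::subject [SSL::cert 0]]
        if { not [class match $subject equals partner_cert_subjects] } {
            log local0. "Rejected client cert from [IP::client_addr], subject: $subject"
            reject
        }
    } else {
        log local0. "No client certificate presented from [IP::client_addr]"
        reject
    }
}

when HTTP_REQUEST {
    # Only reached after the handshake check passed (traffic is decrypted here).
    # Replace the matched prefix with its mapped value, keeping the rest of the URI.
    if { [class match [HTTP::path] starts_with api_uri_map] } {
        set prefix [class match -name [HTTP::path] starts_with api_uri_map]
        set target [class match -value [HTTP::path] starts_with api_uri_map]
        HTTP::uri "${target}[string range [HTTP::uri] [string length $prefix] end]"
    }
}
```

Adding a new partner means adding a data-group entry rather than editing the iRule, which addresses the scalability concern in the original question.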