Forum Discussion

sgnormo's avatar
Icon for Cirrus rankCirrus
Nov 09, 2022

Oracle OID

Have a customer that is using Oracle OID.  In the current setup the F5 is configured for C3D, because the apache/proxy sends a certificate request.  I am told by the Oracle administrator the entire client certificate is being stored in the backend and Oracle is making the comparion of the certificate and Oracle will not work with F5 resigning the certificate

I am trying find out from the Oracle admin why can't Oracle match on the subject DN, why is it trying to perform a certificate validation since that was already handled by the F5.

General Flow: User -->F5-->apache/proxy-->Oracle


2 Replies

  • As F5 administrators, we can do a last due dilligence check on the configuration of C3D. I find this article easy to follow but ignore the SSLO portion.

    Any agreed custom values like OID should be recognised by backend?
    Also, in your SSL profiles; does the CA certificate used to re-sign the client certificate trusted by the backend local servers? 

  • Sorry for not responding sooner.

    The F5 is a WAF so is performing the break and inspect on user web traffic sending through the ASM module.  Since the customers backend requires a user certificate I explained to the user there are two options that can be utilized.

    Option 1 (preferred) the F5 prompts the user for their certificate, then the F5 performs a header insert to the backend systems (Apache) and then it is up to the customer to extract the certificate from the incoming packets.  The user certificate will be the original user certificate (not modified).  The backend servers must not send the "certificate request" or else the SSL negotiation will be terminated because the F5 will send a self signed cert.

    Option 2 (less preferred) is C3D.  The customer puts the F5 certificate that will be used for signing into their backend store as a trusted CA. When the user connects the F5 prompts the user for their certificate.  Then the F5 communicates to the backend server and the backend send the "certificate request".  F5 will resign the user certificate and send the certificate with the F5 being the certificate signer.  

    Customer said their Apache must prompt for the certificate, so have C3D setup on the F5 and the F5 is sending the resigned user certificate.  When the customer Apache server sends that resigned certificate to the Oracle backend the Oracle refuses the certificate because the customer is storing the original user certificate in the Oracle backend.

    I asked why does the Oracle backend need the full certificate, the Oracle can be configured to just use the CN from the certificate.  Customer answer is because that is how it works.

    So now the customer wants to utilize C3D and have the F5 perform a header insert of the user original certificate,  I am not sure if that can be done.  Even then just does not make any sense and makes things more complicated than required.