Passing Client CAC / Smart Card Cert to Application Server
- Nov 29, 2023
Thank you so much, Lucas_Thompson
We went with Option #3 (Use Proxy-SSL by setting it up manually: https://my.f5.com/manage/s/article/K13385), as this worked for us and is the simplest option as well. All the AAA happens on the server side / application.
Under "SSL cipher negotiation" in the above link, we used "Proxy SSL Passthrough feature allows the BIG-IP system to pass traffic through to the server". Our version is: BIG-IP 14.1.5.6 which has this feature.
We enabled "Proxy SSL" and "Proxy SSL Passthrough" on both the Client and Server SSL Profiles (which is required, and we had to remove the profiles from the Virtual Server before making the change, as you will get an error if you try to make this change while they are in use, then add them back after the changes below).
Updated settings in two locations, the Client and Server SSL Profiles that are being used:
- Local Traffic >> Profiles >> SSL >> Client (Will repeat below steps, but picking 'Server' instead)
- Click on [Name of Profile]
- Change Configuration to "Advanced"
- Scroll down, Check the 'Enable' box next to: Proxy SSL & Proxy SSL Passthrough (If it is grayed out, will need to check the 'Custom' box to the right of the Feature)