Forum Discussion
Passing Client CAC / Smart Card Cert to Application Server
- Nov 29, 2023
Client certificates are subject to a TLS validation process that must occur uninterrupted between the endpoints, so you can't have an intermediate like BIG-IP participate in it, ordinarily.
If you want client certificate info passed to the app servers, you'll have to do one of these things:
- Perform SSL offload fully on BIG-IP and use its built-in validation. Use an iRule to pass the CN (or whatever info you want) to the app server in an HTTP header. The backend server performs no TLS at all.
- Remove SSL altogether on the BIG-IP by using a Fast-L4 virtual instead of a Standard virtual with a client SSL profile. This way the server handles all of its TLS, server and client certs. BIG-IP has no visibility into any HTTP in this situation.
- Use Proxy-SSL by setting it up manually: https://my.f5.com/manage/s/article/K13385
- Use SSL Orchestrator to set up Proxy-SSL for you: https://community.f5.com/t5/technical-articles/ssl-orchestrator-advanced-use-cases-client-certificate/ta-p/286005
In the most recent version, SSL Orchestrator "lite" mode is included that lets you configure it.
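For the first option above (full SSL offload on BIG-IP, identity forwarded in an HTTP header), here is an added example iRule. It is not code from this thread or from F5; it assumes the Client SSL profile on the virtual server has Client Certificate set to "require" with a trusted CA bundle, so that CLIENTSSL_CLIENTCERT only fires after BIG-IP has validated the chain, and the header names (X-Client-Cert-CN etc.) are placeholders the backend would have to agree on.

```tcl
# Added example, not from the thread. Assumes the Client SSL profile
# requires a client certificate and validates it against a trusted CA,
# so by the time CLIENTSSL_CLIENTCERT runs the chain has been checked.
# Header names below are assumptions; match them to what the app expects.

when CLIENTSSL_CLIENTCERT {
    # Fires once per handshake, after BIG-IP's own certificate validation.
    if { [SSL::cert count] > 0 } {
        set cert [SSL::cert 0]
        set subject [X509::subject $cert]
        # Extract the CN from the subject DN ("CN=...,OU=...,O=...").
        # findstr returns "" when no CN= is present. Caveat: a CN that itself
        # contains an escaped comma will be cut short by the "," terminator.
        set cn [findstr $subject "CN=" 3 ","]
        set cert_serial [X509::serial_number $cert]
        set cert_issuer [X509::issuer $cert]
    } else {
        set cn ""
    }
}

when HTTP_REQUEST {
    # Strip any identity headers the client sent itself. Without this a
    # client could inject its own X-Client-Cert-CN and the backend, which
    # trusts BIG-IP, would accept a forged identity.
    HTTP::header remove "X-Client-Cert-CN"
    HTTP::header remove "X-Client-Cert-Serial"
    HTTP::header remove "X-Client-Cert-Issuer"

    if { [info exists cn] && $cn ne "" } {
        # Only values BIG-IP extracted from the validated cert reach the app.
        HTTP::header insert "X-Client-Cert-CN" $cn
        HTTP::header insert "X-Client-Cert-Serial" $cert_serial
        HTTP::header insert "X-Client-Cert-Issuer" $cert_issuer
    } else {
        # No validated client cert on this connection (or CLIENTSSL_CLIENTCERT
        # never ran): fail closed instead of forwarding an anonymous request.
        HTTP::respond 403 content "Client certificate required"
    }
}
```

Two points matter on the backend side: the application must accept these headers only from the BIG-IP (server-side TLS to the pool members plus a network ACL, since the header is the whole authentication decision), and it should log the serial and issuer alongside the CN so a revoked or re-issued card can be traced back to a specific certificate rather than just a name.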
Thank you so much, Lucas_Thompson
We went with Option #3 (Use Proxy-SSL by setting it up manually: https://my.f5.com/manage/s/article/K13385) as this worked for us and is the simplest option as well. All the AAA happens on the server side / application.
Under "SSL cipher negotiation" in the above link, we used "Proxy SSL Passthrough feature allows the BIG-IP system to pass traffic through to the server". Our version is BIG-IP 14.1.5.6, which has this feature.
We enabled "Proxy SSL" and "Proxy SSL Passthrough" on both the Client and Server SSL Profiles (which is required, and we had to remove the profiles from the Virtual Server before making the change, as you will get an error if you try to make this change while they are in use; then add them back after the below changes).
Updated settings in two Locations, Client and Server SSL Profiles that are being used:
- Local Traffic >> Profiles >> SSL >> Client (Will repeat below steps, but picking 'Server' instead)
- Click on [Name of Profile]
- Change Configuration to "Advanced"
- Scroll down, Check the 'Enable' box next to: Proxy SSL & Proxy SSL Passthrough (If it is grayed out, will need to check the 'Custom' box to the right of the Feature)
- Kevin_Stewart, Jan 26, 2024 (Employee)
This is an older thread, but for anyone reading, it's worth noting here that ProxySSL is an older technology that relies on knowledge of server private keys and RSA TLS handshakes. As the majority of the Internet has now almost completely deprecated pure RSA handshakes for lack of perfect-forward-secrecy, it's very likely that Internet clients will stop working here. Or worst case, you'd have to disable modern TLS security to force clients to use RSA.
The more modern solution is to use Client Certificate Constrained Delegation (C3D): https://community.f5.com/t5/technical-articles/ssl-orchestrator-advanced-use-cases-client-certificate/ta-p/286005. This allows you to explicitly decrypt at the BIG-IP and forge a new ephemeral client certificate to the backend server, with the additional ability to inject "constraining" extension values into the minted client cert.