Forum Discussion
Passing Client certificate to pool members for authentication
Client Certificate Constrained Delegation (C3D) is a mechanism to "forge" a new client cert on the server side. So BIG-IP would request and validate the real client cert on the client side, extract the attributes of that client cert and insert those into a new client cert dynamically created on the server side, and pass that to the backend servers. The forging mechanism requires a local "signing" CA certificate and private key on the BIG-IP, and the backend servers would need to trust this local CA. The point of this function is to provide explicit decryption at the BIG-IP when the backend servers require a client certificate. Under normal circumstances a middle box could not decrypt mutual TLS traffic, because it wouldn't have access to the client's private key. C3D gets around this limitation by forging a new client cert (with a local private key) to the server. It's aptly named "constrained delegation", because like Kerberos, you can insert additional information into the forged cert. So you could technically insert constraining identity and privilege information in the cert that the server could use to evaluate authorization.
The following is about integrating C3D with SSL Orchestrator, but goes into good detail on setting up C3D: https://community.f5.com/t5/technical-articles/ssl-orchestrator-advanced-use-cases-client-certificate/ta-p/286005
But I'd like to go back to your original question. You said you wanted to pass the certificate to the servers via HTTP header, and you included an iRule that is technically correct. If you are requiring a client cert via the BIG-IP client SSL profile, then that value should be available in [SSL::cert 0]. Try inserting a log statement to see what you get:
when HTTP_REQUEST {
    # Log the client cert (DER, base64-encoded) and its subject to confirm [SSL::cert 0] is populated
    log local0. [b64encode [SSL::cert 0]]
    log local0. [X509::subject [SSL::cert 0]]
    # Forward the same base64 DER value to the pool member in a request header
    HTTP::header insert X-Client-Cert [b64encode [SSL::cert 0]]
}
If you see a set of values in the LTM log, then you should also see an HTTP header with this value at the server.
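The receiving side of that header, as an added example that is not part of the original post and not F5 code: a Go handler helper that decodes the base64 DER value the iRule inserts, parses it with the standard library, and only trusts it when the request really came from the TLS-terminating BIG-IP. The proxy address (10.0.0.5), the host name app.internal and the sample certificate are constructed assumptions. Because HTTP::header insert appends rather than replaces, a client could send its own X-Client-Cert header ahead of the proxy's, so the helper refuses requests that carry more than one copy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"time"
)

// Hypothetical self-IP of the BIG-IP that terminates TLS and inserts the header.
// Only requests arriving from this address may carry a trusted X-Client-Cert.
var trustedProxies = map[string]bool{"10.0.0.5": true}

var (
	ErrUntrustedSource = errors.New("X-Client-Cert accepted only from the TLS-terminating proxy")
	ErrMissingHeader   = errors.New("no X-Client-Cert header")
	ErrDuplicateHeader = errors.New("multiple X-Client-Cert headers; refusing ambiguous identity")
	ErrNotClientCert   = errors.New("certificate lacks the clientAuth extended key usage")
)

// ClientCertFromHeader recovers the client certificate that the iRule's
// "HTTP::header insert X-Client-Cert [b64encode [SSL::cert 0]]" forwarded.
// SSL::cert yields DER, so the header value is base64 of DER.
func ClientCertFromHeader(r *http.Request) (*x509.Certificate, error) {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return nil, err
	}
	if !trustedProxies[host] {
		return nil, ErrUntrustedSource
	}
	// HTTP::header insert appends; a client-supplied copy would arrive as well.
	vals := r.Header.Values("X-Client-Cert")
	switch len(vals) {
	case 0:
		return nil, ErrMissingHeader
	case 1:
	default:
		return nil, ErrDuplicateHeader
	}
	der, err := base64.StdEncoding.DecodeString(vals[0])
	if err != nil {
		return nil, fmt.Errorf("X-Client-Cert is not base64: %w", err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, fmt.Errorf("X-Client-Cert is not a DER certificate: %w", err)
	}
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageClientAuth {
			return cert, nil
		}
	}
	return nil, ErrNotClientCert
}

// sampleClientCertDER builds a constructed, self-signed client certificate so
// the example runs offline; it stands in for the cert that BIG-IP validated.
func sampleClientCertDER() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "alice.example", Organization: []string{"Example Org"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// headerRequest builds a request the way the pool member would see it from the BIG-IP.
func headerRequest(from string, der []byte) *http.Request {
	req, _ := http.NewRequest(http.MethodGet, "http://app.internal/", nil)
	req.RemoteAddr = from
	req.Header.Add("X-Client-Cert", base64.StdEncoding.EncodeToString(der))
	return req
}

func main() {
	der, err := sampleClientCertDER()
	if err != nil {
		panic(err)
	}
	if cert, err := ClientCertFromHeader(headerRequest("10.0.0.5:51234", der)); err == nil {
		fmt.Println("from proxy:", cert.Subject)
	} else {
		fmt.Println("from proxy:", err)
	}
	_, err = ClientCertFromHeader(headerRequest("203.0.113.9:40000", der))
	fmt.Println("from elsewhere:", err)
}
```

The source-address check is the important part: a header is only as trustworthy as the hop that set it, so the pool member must never accept X-Client-Cert on a path that bypasses the BIG-IP, and the backend should strip or reject any copy that does not come from the proxy.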