tiwang_122270
Jan 09, 2014

problem with machine certificate check...

Hi out there. I am going to build a virtual server for m2m (machine-to-machine) communication, where PCs will upload data to a web service. I now have the inside server part running with a Kerberos SSO policy, where I will now replace my HTTP 401 agent with a machine certificate agent. I expect that I can swap this module in, but I cannot really find any documentation on this. Can someone here show me either a sample or a guide? I tried to insert it in my APM policy but I could not get the correct certificate in the machine store. Is it possible to use the "on demand certificate check" agent instead? This works simply and problem-free, but as far as I can see I can only define the current user's personal certificate there - is this correct? best regards /ti

 

  • tiwang

    Hi again. When I try to log on with my client, the machine cert agent returns -2 - does this mean that it doesn't recognize my machine cert, or what?

     

    Jan 10 10:12:13 bigip1 notice apd[5827]: 01490113:5: b26548ab: session.user.agent is Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    Jan 10 10:12:13 bigip1 notice apd[5827]: 01490113:5: b26548ab: session.user.clientip is 195.81.253.32
    Jan 10 10:12:13 bigip1 notice apd[5827]: 01490113:5: b26548ab: session.user.display_sessionid is b26548ab
    Jan 10 10:12:13 bigip1 notice apd[5827]: 01490113:5: b26548ab: session.user.sessionid is b26548ab
    Jan 10 10:12:13 bigip1 notice apd[5827]: 01490113:5: b26548ab: session.user.starttime is 1389345127
    Jan 10 10:12:13 bigip1 notice apd[5827]: 01490113:5: b26548ab: session.windows_check_machinecert.last.result is -2

     

  • tiwang

    OK - got a step further - my "return status -2" comes from problems with trusting the CA - or more precisely - how the CA certificate was exported - need to dig more into this

     

  • tiwang

    Hi again. I am now able to use the machine certificate agent to verify a client certificate - but I expected that if the certificate had been copied so that the private keys were lost, I would detect this and break out in the branch "Found" - not "Successful" - but the agent returns "Successful" even though there are no private keys - any suggestions?

     

    best regards /ti

     

  • tiwang

    Hi out there - really no-one who has seen problems with the machine certificate agent?

     

    best regards /ti

     

  • Hi again. Well - depends on how you look at it. First - not running production on it yet!! Second - the machine cert agent in the F5 isn't in fact that useful for my purpose, but using the SSL Server profile together with some certificate checking in clientless mode instead is a better solution for my purpose - the purpose of my project was to do password-less authentication on clients coming in from batch jobs - e.g. not a user with a browser but small jobs based on some .NET Framework - and as far as I can see from our developers it is not a trivial job to let them interact with that JavaScript which is injected by the APM module. What is your problem? best regards /ti