For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

wonsoo_41223's avatar
wonsoo_41223
Historic F5 Account
Jun 15, 2016

I think it should be better to post on APM instead of iRule part.

 

1. The CA certificate (tomcat-cert) move from CA certificate in SSL forward proxy to "Trusted Certificate Authorities" in Client Authentication part.

 

2. My understanding is that "On-Demand Cert Auth" can trigger to request client side to present client certificate with initiating a new SSL session. It doesn't matter to set "ignore" in Client Certificate field. The best way to troubleshooting for this case is to capture tcpdump for checking SSL handshake. Some of case, browser silently provide client certificate without prompt.

 

* https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/16.html

 

3. For UPN value extraction, check this url :

 

* https://support.f5.com/kb/en-us/solutions/public/17000/000/sol17063.html

 

4. If APM policy is changed, please update policy with clicking "Apply Access Policy". Otherwise old policy will be running in the APM access profile.