Forum Discussion
Remote User Management - LDAP Client Cert
Has anyone successfully deployed LDAP using client cert authentication to the BIG-IP TMUI? I see the guide though it is not very intuitive so I was curious if anyone would be willing to share their configuration? From what I hear, there have been bugs prior to 13.1 which have now been resolved to allow this capability. Thanks!
- Dev_56330 (Cirrus)
Below is my current config though for some reason when modifying authentication methods for remote users, httpd stops with the error "err httpd[4467]: [error] Unable to configure verify locations for client authentication"
root@(bigip1)(cfg-sync Standalone)(ModuleNotLicensed::Active)(/Common)(tmos) show running-config auth
auth cert-ldap system-auth {
    bind-dn CN=Administrator,CN=Users,DC=test,DC=com
    bind-pw $M$O4$RMnF/vBcoSHr/NYmQqr7Yw==
    debug enabled
    login-attribute sAMAccountName
    login-filter [a-zA-Z0-9]\\\\w*(\\\?=@)
    login-name altSubjectName=Othername
    search-base-dn DC=test,DC=com
    servers { 10.1.20.10 }
    ssl-cname-field san-other
    ssl-cname-otheroid 1.3.6.1.4.1.311.20.2.3
    sso on
}
auth password-policy { }
auth remote-role {
    role-info {
        BIGIPadmins {
            attribute CN=BIGIPadmins,OU=Groups,DC=test,DC=com
            console tmsh
            line-order 1
            role administrator
            user-partition All
        }
    }
}
auth remote-user { }
auth source {
    type cert-ldap
}
auth user admin {
    description "Admin User"
    encrypted-password $6$CEtjm9Te$.VC8lUQnU1NcT0Udsgq6jtR.SSbASW2//e3tfxmRXzb4nv7E1E.Bb0KotT2C..rbRMpBgbdJNs1sBRFdiBHXm1
    partition Common
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell none
}
- Dev_56330 (Cirrus)
Below is my httpd config.
root@(bigip1)(cfg-sync Standalone)(ModuleNotLicensed::Active)(/Common)(tmos) list sys httpd all-properties
sys httpd {
    allow { All }
    auth-name BIG-IP
    auth-pam-dashboard-timeout off
    auth-pam-idle-timeout 12000
    auth-pam-validate-ip on
    description none
    fastcgi-timeout 300
    fips-cipher-version 0
    hostname-lookup off
    include none
    log-level debug
    max-clients 10
    redirect-http-to-https disabled
    request-body-max-timeout 0
    request-body-min-rate 500
    request-body-timeout 60
    request-header-max-timeout 40
    request-header-min-rate 500
    request-header-timeout 20
    ssl-ca-cert-file /Common/CurrentCACert
    ssl-certchainfile none
    ssl-certfile /etc/httpd/conf/ssl.crt/server.crt
    ssl-certkeyfile /etc/httpd/conf/ssl.key/server.key
    ssl-ciphersuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA
    ssl-include none
    ssl-ocsp-default-responder http://dc.test.com/ocsp
    ssl-ocsp-enable on
    ssl-ocsp-override-responder off
    ssl-ocsp-responder-timeout 300
    ssl-ocsp-response-max-age -1
    ssl-ocsp-response-time-skew 300
    ssl-port 443
    ssl-protocol all
    ssl-verify-client require
    ssl-verify-depth 10
}
- Dev_56330 (Cirrus)
httpd error logs
[root@bigip1:ModuleNotLicensed::Active:Standalone] httpd tail -f httpd_errors
Jan 15 15:18:09 bigip1 err httpd[25050]: [error] Unable to configure verify locations for client authentication
Jan 15 15:21:45 bigip1 err httpd[26019]: [error] Unable to configure verify locations for client authentication
Jan 15 15:27:40 bigip1 err httpd[27394]: [error] Unable to configure verify locations for client authentication
Jan 15 15:27:45 bigip1 err httpd[27472]: [error] Unable to configure verify locations for client authentication
Jan 15 15:33:17 bigip1 err httpd[28861]: [error] Unable to configure verify locations for client authentication
Jan 15 16:37:18 bigip1 err httpd[10615]: [error] Unable to configure verify locations for client authentication
Jan 15 16:39:27 bigip1 err httpd[11132]: [error] Unable to configure verify locations for client authentication
Jan 15 16:41:48 bigip1 err httpd[11924]: [error] Unable to configure verify locations for client authentication
Jan 15 16:47:06 bigip1 err httpd[13281]: [error] Unable to configure verify locations for client authentication
Jan 15 16:47:12 bigip1 err httpd[13347]: [error] Unable to configure verify locations for client authentication
- Dev_56330 (Cirrus)
Ok, progress. After modifying most/if not all objects in httpd config, I configured the CA cert to none and httpd now starts again. Not quite sure what the issue could have been with the CA cert. However, I am now here. I am prompted for a client certificate and receive these errors.
Jan 15 20:14:35 bigip1 err httpd[23742]: [error] [client 10.1.1.81] Re-negotiation handshake failed: Not accepted by client!?, referer: https://bigip1.test.com/banner.html
Jan 15 20:14:49 bigip1 err httpd[23819]: [error] [client 10.1.1.81] Certificate Verification: Error (20): unable to get local issuer certificate
Jan 15 20:14:49 bigip1 err httpd[23819]: [error] [client 10.1.1.81] Re-negotiation handshake failed: Not accepted by client!?, referer: https://bigip1.test.com/banner.html
Jan 15 20:14:49 bigip1 err httpd[23742]: [error] [client 10.1.1.81] Re-negotiation handshake failed: Not accepted by client!?, referer: https://bigip1.test.com/banner.html
- Dev_56330 (Cirrus)
Unable to perform an SSLdump on the management interface and unable to decrypt traffic using the private key using Wireshark. Has anyone run into issues with compatibility between httpd cipher suites and Windows 2012?
- youssef1 (Cumulonimbus)
Hello Dev,
The error you mention (Unable to configure verify locations for client authentication) most often has to do with the SSLCertificateChainFile or the SSLCACertificateFile being unable to be read and parsed... You have to be sure that this certificate is in PEM format! We often have issues with DER and Base64 in this use case...
Regards,
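The PEM-versus-DER point above, and the "Imported CA cert in PEM format (Base64)" fix later in the thread, come down to what bytes httpd finds in the file. The following is an added example (my code, not from the thread or from F5): it classifies a certificate file by its leading bytes, validates the DER length envelope so a truncated export is caught, and rewrites either form as a clean LF-terminated, 64-column PEM that OpenSSL-based parsers accept. The sample DER is a constructed SEQUENCE envelope around filler bytes, not a real certificate, and the file paths are placeholders.

```python
import base64
import re
from pathlib import Path

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def detect_cert_format(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown' for raw certificate bytes.

    PEM carries the Base64 armour lines. DER starts with the ASN.1
    SEQUENCE tag 0x30; for a certificate the length is long-form, so the
    second byte has its high bit set and says how many length bytes
    follow. Checking that the declared length matches the file size also
    catches a truncated export, which OpenSSL rejects just like the
    wrong encoding.
    """
    if PEM_BEGIN in data:
        return "pem"
    if len(data) >= 4 and data[0] == 0x30 and data[1] & 0x80:
        n = data[1] & 0x7F
        declared = int.from_bytes(data[2:2 + n], "big")
        if 2 + n + declared == len(data):
            return "der"
    return "unknown"


def der_to_pem(der: bytes) -> bytes:
    """Base64-armour DER bytes, wrapped at the 64 columns OpenSSL expects."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"\n".join([PEM_BEGIN, *lines, PEM_END]) + b"\n"


def pem_to_der(pem: bytes) -> list:
    """Decode every certificate in a PEM bundle. CRLF line endings and odd
    wrapping are tolerated because b64decode drops characters outside the
    Base64 alphabet before decoding."""
    return [base64.b64decode(m.group(1)) for m in PEM_BLOCK.finditer(pem)]


def normalize_to_pem(data: bytes) -> bytes:
    """Produce a clean, LF-terminated, 64-column PEM from PEM or DER input."""
    fmt = detect_cert_format(data)
    if fmt == "der":
        return der_to_pem(data)
    if fmt == "pem":
        ders = pem_to_der(data)
        if not ders:
            raise ValueError("PEM armour present but no certificate body found")
        return b"".join(der_to_pem(d) for d in ders)
    raise ValueError("input is neither a PEM nor a complete DER certificate")


def convert_file(src: str, dst: str) -> str:
    """Read src, write a normalised PEM to dst, return the detected input format.
    Paths are whatever you exported from the CA; nothing here is BIG-IP specific."""
    data = Path(src).read_bytes()
    Path(dst).write_bytes(normalize_to_pem(data))
    return detect_cert_format(data)


def constructed_der_sample(payload_len: int = 300) -> bytes:
    """Constructed stand-in for a DER certificate: a correct outer SEQUENCE
    envelope around filler bytes. Only the envelope is meaningful; this is
    not a parseable X.509 certificate."""
    payload = (bytes(range(256)) * 2)[:payload_len]
    return b"\x30\x82" + payload_len.to_bytes(2, "big") + payload


if __name__ == "__main__":
    der = constructed_der_sample()
    print(detect_cert_format(der), detect_cert_format(normalize_to_pem(der)))
```

Run it against the exported CA file before importing it as ssl-ca-cert-file; a result of "unknown" from detect_cert_format on a file you believed was DER usually means the export was cut short or is not a certificate at all.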
- Kevin_K_51432 (Historic F5 Account)
Greetings,
My configuration is far simpler than yours, I'll post it below. For me, the ssldump output wasn't very helpful. I used both the /var/log/httpd/httpd_errors and /var/log/secure logs to troubleshoot.

BIG-IP config:

list sys httpd
sys httpd {
    ssl-ca-cert-file /Common/bigip_ca
    ssl-ocsp-default-responder http://172.24.171.29:2345
    ssl-ocsp-enable on
    ssl-ocsp-override-responder on
    ssl-verify-client require
}

list auth cert-ldap
auth cert-ldap system-auth {
    bind-dn cn=admin,dc=ldap,dc=test,dc=net
    bind-pw $M$nq$CDOcADlm/Mkwy8MIU1/eLg==
    login-attribute uid
    login-filter "[a-z]{5}"
    login-name cn
    search-base-dn ou=People,dc=ldap,dc=test,dc=net
    servers { 172.24.171.2 }
    sso on
}

LDAP entry: kevin, People, ldap.test.net
dn: uid=kevin,ou=People,dc=ldap,dc=test,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: kevin
cn: kevin
displayName: kevin

SSL certificate:
Subject: C=US, ST=Washington, L=Seattle, O=Example, OU=Example BIGIP Admins, CN=kevin
Hope this is helpful!
Kevin
- Dev_56330 (Cirrus)
I have continued to look at the httpd logs though below is all I get.
Jan 18 05:42:05 ip-10-10-10-10 err httpd[5837]: [error] [client 10.1.20.25] Re-negotiation handshake failed: Not accepted by client!?, referer: https://bigip1.ad.lab/xui/
Jan 18 05:42:06 ip-10-10-10-10 err httpd[5837]: [error] [client 10.1.20.25] Re-negotiation handshake failed: Not accepted by client!?, referer: https://bigip1.ad.lab/tmui/Control/form?__handler=/tmui/system/user/authconfig&__source=finished&__linked=false&__fromError=false
Jan 18 05:42:06 ip-10-10-10-10 err httpd[5837]: [error] [client 10.1.20.25] Re-negotiation handshake failed: Not accepted by client!?, referer: https://bigip1.ad.lab/tmui/Control/form?__handler=/tmui/system/user/authconfig&__source=finished&__linked=false&__fromError=false
Jan 18 05:42:06 ip-10-10-10-10 err httpd[5837]: [error] [client 10.1.20.25] Re-negotiation handshake failed: Not accepted by client!?, referer: https://bigip1.ad.lab/tmui/Control/form?__handler=/tmui/system/user/authconfig&__source=finished&__linked=false&__fromError=false
- Kevin_K_51432 (Historic F5 Account)
Definitely SSL related. So, a few SSL related things I ran into:
1) Ensure the OCSP service is up and reachable.
2) Ensure you are using SHA256 for signing.
3) Ensure the CA cert has the "extendedKeyUsage = OCSPSigning" extension.
4) Ensure the CA cert is in the certificate database. httpd checks the CA cert first for some reason.
Hope these points offer some help!
Kevin
- Dev_56330 (Cirrus)
Thank you Kevin. It is now working. The 4 issues that I think bit me are below.
- In my lab environment I did not add OCSP to the AIA extension of the CA. I reissued the cert once added and then ran certutil -URL path\dev.cer. Validated the certificate against my OCSP responder.
- Imported CA cert in PEM format. (Base64)
- Configured OCSP override on the BIG-IP client-cert ldap config.
- Enabled Nonce support on my OCSP responder.
Unfortunately my frustration led me to modify all four without trying to determine which of them actually resolved it. Nonetheless, thank you for taking the time to respond to my question. Your input is greatly appreciated.
- malexander (Nimbostratus)
Long ago post, but I wanted to comment that after a very frustrating week of working with this I found the openssl ocsp man page: response verification requires that the issuer of the response is also the issuer of the certificate. So if you overload a hierarchy with just the one OCSP responder it could never pass. From their page you can run openssl to create a new PEM that has trusted extensions for the issuer of the OCSP responder.
openssl x509 -in ocspCA.pem -addtrust OCSPSigning -out trustedCA.pem
And F5 / LTM will not do the LDAP authentication with ssl-ocsp-enable set to "off". It will just skip the LDAP lookup.
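Kevin's four-point checklist and the responder-issuer rule malexander quotes from the openssl ocsp man page can be checked before touching the BIG-IP. The following is an added example (my code, not from the thread, F5 or OpenSSL): it parses the text dump that `openssl x509 -noout -text` produces for the client certificate and for the certificate the OCSP responder signs with, then reports whether the signatures are SHA256, whether the client cert carries an OCSP URI in its AIA extension, and whether the responder is either the issuing CA itself or a delegated signer issued by that CA with the OCSP Signing EKU (the acceptance rule in RFC 6960). When it is neither, the finding names the `-addtrust OCSPSigning` workaround from the post above. The three embedded dumps are constructed on the pattern of the thread's names (dc.test.com, test-DC-CA); they are trimmed excerpts, not real certificates, and `x509_text` assumes an openssl binary on PATH.

```python
import re
import subprocess

# Constructed `openssl x509 -noout -text` excerpts, trimmed to the fields
# the checks read. DNs and URLs follow the thread's naming; none of these
# are real certificates.
LEAF_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4c:00:00:00:02
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = com, DC = test, CN = test-DC-CA
        Subject: DC = com, DC = test, CN = Users, CN = dev
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            Authority Information Access:
                CA Issuers - URI:http://dc.test.com/CertEnroll/test-DC-CA.crt
                OCSP - URI:http://dc.test.com/ocsp
    Signature Algorithm: sha256WithRSAEncryption
"""

# Delegated responder certificate issued by the same CA as the leaf.
DELEGATED_SIGNER_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4097 (0x1001)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = com, DC = test, CN = test-DC-CA
        Subject: DC = com, DC = test, CN = dc.test.com
        X509v3 extensions:
            X509v3 Extended Key Usage:
                OCSP Signing
    Signature Algorithm: sha256WithRSAEncryption
"""

# One responder serving a whole hierarchy, issued by a different CA and
# still SHA-1 signed: the situation malexander describes.
FOREIGN_SIGNER_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC = com, DC = test, CN = test-ROOT-CA
        Subject: DC = com, DC = test, CN = ocsp.test.com
        X509v3 extensions:
            X509v3 Extended Key Usage:
                OCSP Signing
    Signature Algorithm: sha1WithRSAEncryption
"""


def x509_text(path: str) -> str:
    """Run openssl (assumed to be on PATH) and return its -text dump of a PEM file."""
    return subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-text"],
        check=True, capture_output=True, text=True,
    ).stdout


def parse_x509_text(text: str) -> dict:
    """Pull the few fields the checks need out of an openssl -text dump."""
    sig = re.search(r"^\s*Signature Algorithm:\s*(\S+)", text, re.M)
    issuer = re.search(r"^\s*Issuer:\s*(.+)$", text, re.M)
    subject = re.search(r"^\s*Subject:\s*(.+)$", text, re.M)
    # The EKU names sit on the line after the extension header.
    eku = re.search(r"X509v3 Extended Key Usage:.*\n\s*(.+)$", text, re.M)
    return {
        "signature_algorithm": sig.group(1) if sig else "",
        "issuer": issuer.group(1).strip() if issuer else "",
        "subject": subject.group(1).strip() if subject else "",
        "eku": [e.strip() for e in eku.group(1).split(",")] if eku else [],
        "ocsp_urls": re.findall(r"OCSP - URI:(\S+)", text),
    }


def check_ocsp_setup(leaf: dict, signer: dict) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    for name, cert in (("leaf", leaf), ("OCSP signer", signer)):
        if not cert["signature_algorithm"].lower().startswith("sha256"):
            findings.append(f"{name} is signed with "
                            f"{cert['signature_algorithm'] or 'unknown'}; reissue with SHA256")
    if not leaf["ocsp_urls"]:
        findings.append("leaf has no OCSP URI in its AIA extension, so the responder cannot be located")
    direct = signer["subject"] == leaf["issuer"]
    delegated = signer["issuer"] == leaf["issuer"] and "OCSP Signing" in signer["eku"]
    if not (direct or delegated):
        if signer["issuer"] == leaf["issuer"]:
            findings.append("OCSP signer lacks extendedKeyUsage OCSPSigning")
        else:
            findings.append(
                "OCSP signer is neither the leaf's issuing CA nor a delegated responder "
                "issued by it; trust it explicitly with: "
                "openssl x509 -in ocspCA.pem -addtrust OCSPSigning -out trustedCA.pem")
    return findings


if __name__ == "__main__":
    leaf = parse_x509_text(LEAF_TEXT)
    for label, txt in (("delegated", DELEGATED_SIGNER_TEXT), ("foreign", FOREIGN_SIGNER_TEXT)):
        print(label, check_ocsp_setup(leaf, parse_x509_text(txt)) or "OK")
```

For real files, feed `parse_x509_text(x509_text("client.pem"))` and `parse_x509_text(x509_text("ocsp-signer.pem"))` to check_ocsp_setup; reachability of the responder (Kevin's point 1) is still a separate `openssl ocsp` or curl test, since nothing in a certificate dump proves the service is up.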
- Dev_56330 (Cirrus)
For troubleshooting purposes I am attempting to perform certificate based authentication within APM using the same certificates as I am in TMUI. I exported the BIG-IP certificate and key to create a client SSL profile. I imported the CA cert and added that to the trusted and advertised fields of the client SSL profile. The SSL profile has ignore for client certificate and ODCA is configured to required. I am prompted for a certificate, though based on the logs from my SSL profile no certificate has been passed.
--------------------------------------------------------------------------------------
Ltm::ClientSSL Profile: BIGIPClientSSL
--------------------------------------------------------------------------------------
Virtual Server Name                                        N/A

Bytes                                        Inbound   Outbound
  Encrypted                                    48.1K     235.9K
  Decrypted                                    24.6K     143.8K

Connections                                     Open    Maximum     Total
  Native                                           0          6        55
  Compatibility                                    0          0         0
  Total                                            0          7        55

Certificates/Handshakes
  Valid Certificates                                 0
  Invalid Certificates                               0
  No Certificates                                   55
  Mid-Connection Handshakes                          0
  Secure Handshakes                                 55
  Current Active Handshakes                          0
  Insecure Handshakes Accepted                       0
  Insecure Handshakes Rejected                       0
  Insecure Renegotiations Rejected                   0
  Mismatched Server Name Rejected                    0
  Extended Master Secret Handshakes                 55

Protocol
  SSL Protocol Version 2                             0
  SSL Protocol Version 3                             0
  TLS Protocol Version 1.0                           0
  TLS Protocol Version 1.1                           0
  TLS Protocol Version 1.2                          55
  DTLS Protocol Version 1                            0

Key Exchange Method
  Anonymous Diffie-Hellman                           0
  Diffie-Hellman w/ RSA Certs                        0
  Ephemeral Diffie-Hellman w/ DSS Certs              0
  Ephemeral Diffie-Hellman w/ RSA Certs              0
  Ephemeral ECDH w/ ECDSA Certs                      0
  Ephemeral ECDH w/ RSA Certs                       17
  Fixed ECDH w/ ECDSA Certs                          0
  Fixed ECDH w/ RSA signed Certs                     0
  RSA Certs                                          0

Ciphers
  Advanced Encryption Standard (AES)                55
  Advanced Encryption Standard Galois Counter Mode (AES-GCM)  0
  Digital Encryption Standard (DES)                  0
  Rivest Cipher 2 (RC2)                              0
  Rivest Cipher 4 (RC4)                              0
  IDEA (old SSLv2 cipher)                            0
  Camellia                                           0
  No Encryption                                      0

Message Digest Method
  Message Digest 5 (MD5)                             0
  Secure Hash Algorithm (SHA)                       55
  No Message Authentication                          0

SSL Hardware Acceleration
  Full                                               0
  Partial                                            0
  None (Software)                                   55

Session Cache
  Current Entries                                    0
  Hits                                              38
  Lookups                                           66
  Overflows                                          0
  Invalidations                                     28

Records In                                         116