
Forum Discussion

Michael_107360
Dec 10, 2013

SSL Caller Authentication and Access Control

We have a web service that wishes to use client certificates for caller authentication and access control. The client certificate is sent as part of the SSL handshake (when the server is configured to request it). I am wondering if it is possible to do the following at the F5, or if APM is needed:

1) Terminate the SSL connection at the F5
2) Require a client certificate be provided on that connection
3) Check that certificate against a Company-provided trust store (which will contain a certificate, issued by us, for each caller of the web service)
4) Extract the subject from the client certificate and add it to an HTTP header passed to the (downstream) apache server

 

1 Reply

  • Yes, it is possible. Apply a clientssl profile with Client Certificate set to "require" and Trusted Cert Authority set to your CA, then apply this iRule:

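    when CLIENTSSL_HANDSHAKE {
        # Check if the client supplied one or more client certs
        if {[SSL::cert count] > 0} {
            # Store the subject of the first client cert for this connection
            set subject [X509::subject [SSL::cert 0]]
        }
    }
    when HTTP_REQUEST {
        # Remove the custom header if already present, so a client-supplied value is never passed on
        HTTP::header remove "X-subject"
        # Only insert the header when a subject was captured during the handshake
        if {[info exists subject]} {
            HTTP::header insert "X-subject" $subject
        }
    }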
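
On the downstream side, the `X-subject` header is only meaningful if it arrived through the F5 and matches a known caller exactly. The following is an added example, not part of the original reply and not F5 or Apache code: a per-caller access check, assuming a Python service behind Apache; the proxy address, subject strings and permission names are constructed, and the subject format should be copied from what your F5 actually emits.

```python
import ipaddress

# Assumption: only the F5 self IP(s) may assert X-subject (constructed TEST-NET address).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]

# Assumption: one entry per issued caller certificate, keyed by the full subject
# string as received in X-subject. Values are the operations that caller may use.
CALLERS = {
    "CN=billing-svc,OU=Integrations,O=Example Corp,C=US": {"GET /invoices"},
    "CN=reporting-svc,OU=Integrations,O=Example Corp,C=US": {"GET /invoices",
                                                             "GET /reports"},
}


def authorize(peer_ip, headers, method, path):
    """Decide whether a request may proceed.

    headers is the list of (name, value) pairs exactly as received, so that
    duplicated headers stay visible. Returns (allowed, subject_or_reason).
    """
    # 1. The header is trusted only when the TCP peer is the F5 itself;
    #    anyone else reaching the backend directly could set it freely.
    ip = ipaddress.ip_address(peer_ip)
    if not any(ip in net for net in TRUSTED_PROXIES):
        return False, "untrusted peer"

    # 2. Exactly one X-subject must be present. The iRule strips client-supplied
    #    copies, so a missing or duplicated header means the request took another path.
    subjects = [v for (n, v) in headers if n.lower() == "x-subject"]
    if len(subjects) != 1:
        return False, "missing or duplicated X-subject"

    # 3. Match the whole subject string, never a substring or CN prefix, so a
    #    look-alike name such as "billing-svc-test" does not inherit access.
    allowed_ops = CALLERS.get(subjects[0])
    if allowed_ops is None:
        return False, "unknown subject"

    # 4. Per-caller access control on the requested operation.
    if f"{method} {path}" not in allowed_ops:
        return False, "operation not permitted for caller"
    return True, subjects[0]
```
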