Cory_50405 (Noctilucent), Aug 13, 2012
SSL certificate authentication
We have a customer with a requirement to enable SSL certificate based authentication to their web server. They have only one certificate that they would like to be able to authenticate with. We also must terminate their SSL session, inspect (ASM), re-encrypt and pass along to the destination web server. Here's my proposed setup:
- create SSL client profile with the web server certificate for SSL termination, require client certificate authentication based on a trusted certificate authority that I create which will include the certificate which the client will present for authentication
- create SSL server profile with the web server certificate for SSL re-encryption, no authentication
Any authentication gurus out there know if this will work, or if it needs to/should be done a different way?
There's also another possible sticking point, which is passing the client certificate back to the destination web server. Is this a possibility?
- nitass (Employee):
  "- create SSL server profile with the web server certificate for SSL re-encryption, no authentication"
  If web server does not do client certificate authentication, default serverssl profile would work just fine.
- Cory_50405 (Noctilucent):
  The web server will be doing client certificate authentication as well. There is a subset of internal users who will be accessing the web server and not going through the LTM, so certificate based authentication has to be done at the web server level. It's a strange setup, I know...
- nitass (Employee):
  "The web server will be doing client certificate authentication as well."
  So, certificate and key you have to set in serverssl profile is client one (not web server certificate and key) since bigip will act as client to present client certificate to web server for authentication.
- hooleylist (Cirrostratus):
  If you need the web servers to receive the actual client certificate, you can look at the Proxy SSL feature added in 11.0.
- Cory_50405 (Noctilucent):
  I'll give this Proxy SSL feature a shot and see how it goes. Thank you both for the information.
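
The two setups discussed in this thread, sketched as tmsh commands. This is an added example, not configuration posted by any participant; every profile, certificate and key name is a placeholder, and it assumes the certificates and keys are already imported on the BIG-IP.

```tmsh
# Added example; all object names below are placeholders.

# --- Option 1: terminate, inspect, re-encrypt ---------------------------
# Client side: present the web server certificate to clients and require a
# client certificate that validates against the bundle named in ca-file.
create ltm profile client-ssl app_clientssl defaults-from clientssl cert webserver.crt key webserver.key ca-file client_auth_bundle.crt peer-cert-mode require

# Server side: the BIG-IP is the TLS client towards the web server, so the
# certificate and key here are a CLIENT identity the web server trusts,
# not the web server's own certificate and key.
create ltm profile server-ssl app_serverssl defaults-from serverssl cert bigip_client.crt key bigip_client.key

# With this option the web server authenticates the BIG-IP's identity on
# every connection. It never sees the certificate the end user presented.

# --- Option 2: Proxy SSL (11.0 and later) -------------------------------
# The handshake runs between the client and the web server, so the web
# server receives and checks the real client certificate. Both profiles
# carry the web server's certificate and key and have proxy-ssl enabled.
create ltm profile client-ssl app_proxyssl_client defaults-from clientssl cert webserver.crt key webserver.key proxy-ssl enabled
create ltm profile server-ssl app_proxyssl_server defaults-from serverssl cert webserver.crt key webserver.key proxy-ssl enabled
```

In option 1, any per-user decision has to be made on the BIG-IP, because the web server can only tell that the connection came from the BIG-IP's client identity.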