Forum Discussion
Cory_50405
Noctilucent
Aug 13, 2012
SSL certificate authentication
We have a customer with a requirement to enable SSL certificate based authentication to their web server. They have only one certificate that they would like to be able to authenticate with. We also must terminate their SSL session, inspect (ASM), re-encrypt and pass along to the destination web server. Here's my proposed setup:
- create SSL client profile with the web server certificate for SSL termination, require client certificate authentication based on a trusted certificate authority that I create which will include the certificate which the client will present for authentication
- create SSL server profile with the web server certificate for SSL re-encryption, no authentication
Any authentication gurus out there know if this will work, or if it needs to/should be done a different way?
There's also another possible sticking point, which is passing the client certificate back to the destination web server. Is this a possibility?
5 Replies
- nitass
Employee
> - create SSL server profile with the web server certificate for SSL re-encryption, no authentication
If the web server does not do client certificate authentication, the default serverssl profile would work just fine.
> There's also another possible sticking point, which is passing the client certificate back to the destination web server. Is this a possibility?
Is this applicable?
Insert Client Certificate In Serverside HTTP Headers
https://devcentral.f5.com/wiki/iRules.InsertCertInServerHeaders.ashx
- Cory_50405
Noctilucent
The web server will be doing client certificate authentication as well. There is a subset of internal users who will be accessing the web server and not going through the LTM, so certificate based authentication has to be done at the web server level. It's a strange setup, I know...
That iRule should do the trick for the passing of the client certificate.
- nitass
Employee
> The web server will be doing client certificate authentication as well.
So, the certificate and key you have to set in the serverssl profile are the client's (not the web server's certificate and key), since BIG-IP will act as a client to present the client certificate to the web server for authentication.
- hoolio
Cirrostratus
If you need the web servers to receive the actual client certificate, you can look at the Proxy SSL feature added in 11.0.
Release Note: BIG-IP LTM and TMOS version 11.0.0
http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote_11_0_0_ltm.html
Proxy SSL Support
This release provides Proxy SSL support in Client SSL and Server SSL profiles, which enables direct client-server authentication. You can find information about Proxy SSL in the Big-IP Local Traffic Manager: Implementations guide on AskF5. http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-1-0/15.html
sol13385: Overview of Proxy SSL feature
https://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html
Aaron
- Cory_50405
Noctilucent
I'll give this Proxy SSL feature a shot and see how it goes. Thank you both for the information.
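Tying nitass's suggestion of inserting the client certificate into server-side headers to the original requirement that only one certificate be accepted, here is an added example that is not from this thread or from F5: the web-server-side check that consumes such a header. The header names, the BIG-IP address and the certificate bytes are constructed assumptions; the check trusts the header only on connections from BIG-IP (some internal users bypass the LTM) and pins the single permitted certificate by fingerprint rather than accepting everything the private CA signs.

```python
import base64
import hashlib
import hmac
import ipaddress

# Constructed sample data for this example. The "certificates" are dummy bytes
# standing in for DER-encoded X.509 certificates; the header names and the
# BIG-IP address are assumptions, not taken from the thread or the iRule.
ALLOWED_CERT_DER = b"constructed DER of the one client certificate the customer permits"
OTHER_CERT_DER = b"constructed DER of another certificate signed by the same private CA"
BIGIP_ADDRS = {ipaddress.ip_address("10.10.0.5")}

def fingerprint(der: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

# The requirement is a single permitted certificate, so pin its fingerprint
# instead of accepting anything the private CA has signed.
ALLOWED_FINGERPRINTS = {fingerprint(ALLOWED_CERT_DER)}

def forwarded_headers(der: bytes, status: str = "ok") -> dict:
    """Headers as the proxy would insert them: verify status plus base64 DER."""
    return {"X-Client-Cert-Status": status,
            "X-Client-Cert": base64.b64encode(der).decode("ascii")}

def authorize(headers: dict, peer_ip: str) -> tuple[bool, str]:
    """Accept a request only if BIG-IP forwarded the single permitted client cert."""
    # Some internal users reach the web server without going through the LTM,
    # so a cert header is trusted only when the connection came from BIG-IP;
    # direct clients must pass the web server's own TLS client-cert check.
    if ipaddress.ip_address(peer_ip) not in BIGIP_ADDRS:
        return False, "cert headers ignored: request did not arrive via BIG-IP"
    if headers.get("X-Client-Cert-Status") != "ok":
        return False, "BIG-IP did not report a verified client certificate"
    raw = headers.get("X-Client-Cert")
    if not raw:
        return False, "client certificate header missing"
    try:
        der = base64.b64decode(raw, validate=True)
    except ValueError:
        return False, "client certificate header is not valid base64"
    fp = fingerprint(der)
    # Constant-time comparison against every pinned fingerprint.
    if any(hmac.compare_digest(fp, pinned) for pinned in ALLOWED_FINGERPRINTS):
        return True, "client certificate is the permitted one"
    return False, "certificate chains to the CA but is not the permitted one"
```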