Forum Discussion
Philip_Lee_6609
Nimbostratus
Sep 21, 2007
SSL client certificate authentication
We have a web application (BigIP LTM -> iplanet web servers -> websphere application server).
The web application requires client certificate authentication and HTTPS.
We want to terminate the SSL in the BigIP and would like to do the client certificate authentication in the web server. Is this possible? So far, I can't get it to work.
The other option is to turn on client certificate authentication in the BigIP and pass the client certificate to the web server. Of course, the client certificate authentication is turned on in the web server.
I have tried to turn off client certificate authentication in the web server and turn on client certificate authentication in the BigIP LTM and use an iRule to pass the client certificate in base64 format, but that doesn't work.
Any other options?
14 Replies
- Deb_Allen_18
Historic F5 Account
There are several examples in this forum of doing that using the session table to store client cert variables & re-inserting them as headers -- is that what you're having trouble with, or have you taken a different approach?
/deb
- Lars_Terje_Vaal
Nimbostratus
Hi. I have the same problem.
I am trying to do the following.
1. client -> bigip : request website
2. bigip -> client : request client cert
3. client -> bigip : send client cert
4. bigip verify client_cert
5. bigip -> backend : forward request to backend
6. backend -> bigip/client : require client certificate.
7. bigip/client -> backend : send client cert.
All this works fine until step 6. But the backend webserver also requires a client certificate. Now the problem starts. If I understand correctly, this client cert request will not be routed back to the calling client computer, but be handled by BigIP. So somehow I need to manually do an SSL handshake with the backend server, where I forward the client certificate received by BigIP from the client.
One solution (which is working) is to pass the certificate into the HTTP header. But this is not an optimal solution, since it is a BizTalk solution at the backend which is receiving the call, and if the certificate is required by the IIS server, all information about the certificate will automatically be passed into the context of the BizTalk message. If the certificate is passed into the HTTP header, this must be done manually for each BizTalk solution.
Anyone have any idea on how to write this handshake between bigip and the backend server in an iRule?
regards
Lars Terje
- AaronJB
Ret. Employee
Do you need to pass /a/ client certificate to the back end server, or do you need to pass /the/ client certificate to the back end server to complete the handshake?
If you can use the same client cert for all connections then you can do that in the SSL profile - but obviously if you are making any authentication decision based on the certificate you will still need to insert the 'real' client certificate into the headers.
If you need to pass the actual client certificate over and use that in the LTM->node SSL handshake then I'm afraid I don't believe there is any way to do that - even with iRules.
While it is possible to change some parameters of the serverside SSL profile on-the-fly with iRules, I've yet to find a way to insert the clientside client certificate X509 data into the serverside SSL profile within an iRule.
I'd say the best solution is the one you currently have - inserting the client certificate into headers.
- Lars_Terje_Vaal
Nimbostratus
Hm.
Yea. I need to pass the actual client certificate over, and not a common one. :-(
Putting it into the header is not a good solution for me.
I have an _ugly_ workaround I need to think through...
Regards
Lars Terje
- Kirk_Bauer_1018
Altostratus
The BIG-IP cannot possibly utilize the real client's certificate for the server-side connection because it does not have the key associated with that certificate, as the client does not share that information. If you need the server to see the real client's certificate then you will not be able to terminate SSL on the BIG-IP. You can just pass it through untouched so the client and server can talk directly to each other.... the BIG-IP can still do load balancing, but no layer 7 functionality.
- Lars_Terje_Vaal
Nimbostratus
Yea. Didn't think of the private key... :-)
I have tried a passthrough without SSL termination earlier, and that is working fine.
Thanks guys for good answers.
I'm going back to the drawing board...
Regards
Lars Terje
- Garrett_Skjelst
Nimbostratus
I'm interested in seeing the configuration that you're using to accomplish steps 1-5 if you are alright with making something like that available.
I'm trying to make a similar solution and getting a little stuck on it.
Thanks in advance
-G
- zafer
Nimbostratus
How can I do it with SSL termination?
I found some iRule for inserting it into the header, but it didn't solve my problem.
regards
zafer
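The header-insertion approach that Deb and Aaron describe above, written out as an added example iRule that is not from the original thread and not F5's own code. It captures the subject DN, serial number and base64-encoded DER of the client certificate presented in the clientside handshake, parks them in the session table keyed by SSL session ID (the pattern Deb refers to), and inserts them as request headers toward the backend. The `X-Client-Cert-*` header names are my own choice; the example assumes a client SSL profile that requests a client certificate and validates it against a trusted CA, so that `CLIENTSSL_CLIENTCERT` only fires for certificates BIG-IP has accepted.

```tcl
# Added example iRule (not from the thread, not F5's own code). Assumes a
# client SSL profile configured to request/require a client certificate
# against a trusted CA. Header names X-Client-Cert-* are a constructed choice;
# they are ordinary HTTP headers, so the backend must accept them only on
# connections that actually come from BIG-IP.

when CLIENTSSL_CLIENTCERT {
    # One entry per certificate in the presented chain; index 0 is the
    # end-entity (client) certificate.
    if { [SSL::cert count] > 0 } {
        set cert [SSL::cert 0]
        # Store subject DN, serial number and base64 DER for 180 seconds,
        # keyed by the SSL session ID so later requests on this session
        # (including resumed sessions) can find the certificate details.
        session add ssl [SSL::sessionid] \
            [list [X509::subject $cert] [X509::serial_number $cert] [b64encode $cert]] 180
    }
}

when HTTP_REQUEST {
    # Strip any copies of these headers the client sent itself, so a backend
    # that trusts them cannot be handed a client-chosen identity.
    HTTP::header remove "X-Client-Cert-Subject"
    HTTP::header remove "X-Client-Cert-Serial"
    HTTP::header remove "X-Client-Cert-B64"

    set info [session lookup ssl [SSL::sessionid]]
    if { $info ne "" } {
        HTTP::header insert "X-Client-Cert-Subject" [lindex $info 0]
        HTTP::header insert "X-Client-Cert-Serial"  [lindex $info 1]
        HTTP::header insert "X-Client-Cert-B64"     [lindex $info 2]
    } else {
        # No validated certificate is bound to this SSL session (the profile
        # was set to "request" and the client sent none, or the table entry
        # expired): refuse here rather than forward an unauthenticated request
        # to a backend that expects an authenticated one.
        HTTP::respond 403 content "client certificate required"
    }
}
```

This only addresses the header path. As Kirk notes above, BIG-IP holds no private key for the client's certificate, so it cannot re-present that certificate in the serverside handshake; if the backend insists on *some* client certificate, the serverside SSL profile can present BIG-IP's own certificate (Aaron's "same client cert for all connections" case) while the real client identity travels in the headers, and the backend is configured to trust those headers only from BIG-IP's addresses.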