We have a web application (BigIP LTM -> iplanet web servers -> websphere application server). The web application requires client certificate authentication and HTTPS. We want to terminate the SSL in the BigIP and would like to do the client certificate authentication in the web server. Is this possible? So far, i can't get it to work. The other option is to turn on client certificate authentication in the BigIP and pass the client certificate to the web server. Of course, the client certificate authentication is turned on in the web server. I have tried to turn off client certificate authentication in the web server and turn on client certificate authentication in the bigip ltm and use irule to pass the client certificate in base64 format but that doesn't work.. any other options??

There are several examples in this forum of doing that using the session table to store client cert variables & re-inserting them as headers -- is that what you're having trouble with, or have you taken a different approach? /deb

Hi. Í have the same problem I am trying to do the following. 1. client -> bigip : request website 2. bigip -> client : request client cert 3. client -> bigip : send client cert 4. bigip verify client_cert 5. bigip -> backend : forward request to backend 6. backend -> bigip/client : require client certificate. 7. bigip/client -> backend : send client cert. All this works fine until step 6. But the backend webserver also require client certificate. Now the problem starts. If I understand correctly, this client cert request will not be routet back to the calling client computer, but be handled by BigIP. So somehow I need to manualy do a ssl handshake with backend server, where I forward the client certificate received by BigIP from client. One solution (which is working) is to pass the certificate into the HTTP header. But this is not an optimal solution, since it is a BizTalk solution at backend which is receiving the call, and if the certificate is required by the IIS server, all information about the certificate will automaticly be passed into the context of the BizTalk message. If the certificate is passed into the HTTP header, this must be done manualy for each BizTalk solution. Anyone have any idea on how to write this handshake between bigip and backend server in a iRule? regards Lars Terje

Do you need to pass /a/ client certificate to the back end server, or do you need to pass /the/ client certificate to the back end server to complete the handshake? If you can use the same client cert for all connections then you can do that in the SSL profile - but obviously if you are making any authentication decision based on the certificate you will still need to insert the 'real' client certificate into the headers. If you need to pass the actual client certificate over and use that in the LTM->node SSL handshake them I'm afraid I don't believe there is any way to do that - even with iRules. While it is possible to change some parameters of the serverside SSL profile on-the-fly with iRules, I've yet to find a way to insert the clientside client certificate X509 data into the serverside SSL profile within an iRule. I'd say the best solution is the one you currently have - inserting the client certificate into headers.

Hm. Yea. I need to pass the actual client certificate over, and not a common one. :-( Putting it into the header is not a good solution for me. I have an _ugly_ workaround I need to think through... Regards Lars Terje

The BIG-IP can not possibly utilize the real client's certificate for the server-side connection because it does not have the key associated with that certificate as the client does not share that information. If you need the server to see the real client's certificate then you will not be able to terminate SSL on the BIG-IP. You can just pass it through untouched so the client and server can talk directly to each other.... the BIG-IP can still do load balancing, but no layer 7 functionality.

SSL cilent certificate authentication

Deb_Allen_18
Historic F5 Account
Sep 21, 2007
There are several examples in this forum of doing that using the session table to store client cert variables & re-inserting them as headers -- is that what you're having trouble with, or have you taken a different approach?

/deb
Lars_Terje_Vaal
Nimbostratus
Sep 25, 2007
Hi. Í have the same problem

I am trying to do the following.

1. client -> bigip : request website

2. bigip -> client : request client cert

3. client -> bigip : send client cert

4. bigip verify client_cert

5. bigip -> backend : forward request to backend

6. backend -> bigip/client : require client certificate.

7. bigip/client -> backend : send client cert.

All this works fine until step 6. But the backend webserver also require client certificate. Now the problem starts. If I understand correctly, this client cert request will not be routet back to the calling client computer, but be handled by BigIP. So somehow I need to manualy do a ssl handshake with backend server, where I forward the client certificate received by BigIP from client.

One solution (which is working) is to pass the certificate into the HTTP header. But this is not an optimal solution, since it is a BizTalk solution at backend which is receiving the call, and if the certificate is required by the IIS server, all information about the certificate will automaticly be passed into the context of the BizTalk message. If the certificate is passed into the HTTP header, this must be done manualy for each BizTalk solution.

Anyone have any idea on how to write this handshake between bigip and backend server in a iRule?

regards

Lars Terje
AaronJB
SIRT
Sep 25, 2007
Do you need to pass /a/ client certificate to the back end server, or do you need to pass /the/ client certificate to the back end server to complete the handshake?

If you can use the same client cert for all connections then you can do that in the SSL profile - but obviously if you are making any authentication decision based on the certificate you will still need to insert the 'real' client certificate into the headers.

If you need to pass the actual client certificate over and use that in the LTM->node SSL handshake them I'm afraid I don't believe there is any way to do that - even with iRules.

While it is possible to change some parameters of the serverside SSL profile on-the-fly with iRules, I've yet to find a way to insert the clientside client certificate X509 data into the serverside SSL profile within an iRule.

I'd say the best solution is the one you currently have - inserting the client certificate into headers.
Lars_Terje_Vaal
Nimbostratus
Sep 25, 2007
Hm.

Yea. I need to pass the actual client certificate over, and not a common one. :-(

Putting it into the header is not a good solution for me.

I have an _ugly_ workaround I need to think through...

Regards

Lars Terje
Kirk_Bauer_1018
Nimbostratus
Sep 25, 2007
The BIG-IP can not possibly utilize the real client's certificate for the server-side connection because it does not have the key associated with that certificate as the client does not share that information. If you need the server to see the real client's certificate then you will not be able to terminate SSL on the BIG-IP. You can just pass it through untouched so the client and server can talk directly to each other.... the BIG-IP can still do load balancing, but no layer 7 functionality.
Lars_Terje_Vaal
Nimbostratus
Sep 25, 2007
Yea. Didn't think of the private key... :-)

I have tried a passthrough without SSL termination earlier, and that's is working fine.

Thanks guys for good answers.

I'm going back to the drawing board...

Regards

Lars Terje
Garrett_Skjelst
Nimbostratus
Apr 20, 2009
I'm interested in seeing the configuration that you're using to accomplish steps 1-5 if you are alright with making something like that available.

I'm trying to make a similar solution and getting a little stuck on it.

Thanks in advance

-G
zafer
Nimbostratus
Oct 12, 2009
How can i do with SSL termination

i found some irule for incerting to header but it didnt solve my problem

regards

zafer
zafer
Nimbostratus
Oct 12, 2009
How can i do with SSL termination

i found some irule for incerting to header but it didnt solve my problem

regards

zafer
zafer
Nimbostratus
Oct 12, 2009
How can i do with SSL termination

i found some irule for incerting to header but it didnt solve my problem

regards

zafer