Forum Discussion
Philip_Lee_6609
Nimbostratus
Sep 21, 2007
SSL client certificate authentication
We have a web application (BigIP LTM -> iplanet web servers -> websphere application server).
The web application requires client certificate authentication and HTTPS.
We want to t...
Lars_Terje_Vaal
Nimbostratus
Sep 25, 2007
Hi. I have the same problem.
I am trying to do the following.
1. client -> bigip : request website
2. bigip -> client : request client cert
3. client -> bigip : send client cert
4. bigip verify client_cert
5. bigip -> backend : forward request to backend
6. backend -> bigip/client : require client certificate.
7. bigip/client -> backend : send client cert.
All this works fine until step 6. But the backend webserver also requires a client certificate. Now the problem starts. If I understand correctly, this client cert request will not be routed back to the calling client computer, but will be handled by BigIP. So somehow I need to manually do an SSL handshake with the backend server, where I forward the client certificate received by BigIP from the client.
One solution (which is working) is to pass the certificate into the HTTP header. But this is not an optimal solution, since it is a BizTalk solution at the backend which is receiving the call, and if the certificate is required by the IIS server, all information about the certificate will automatically be passed into the context of the BizTalk message. If the certificate is passed into the HTTP header, this must be done manually for each BizTalk solution.
Does anyone have any idea on how to write this handshake between bigip and backend server in an iRule?
regards
Lars Terje
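
The header-based approach mentioned in the post above, sketched as an iRule together with the anti-spoofing step it needs. This is an added example, not code from the thread: the header name `X-Client-Cert` is hypothetical, and it assumes the client SSL profile on the virtual server is set to require and verify the client certificate (steps 2-4).

```tcl
when HTTP_REQUEST {
    # Remove any copy of the header supplied by the client. Without this,
    # a caller could send its own X-Client-Cert value and the backend
    # would see it as if BIG-IP had verified it.
    # (X-Client-Cert is a hypothetical header name chosen for this example.)
    HTTP::header remove "X-Client-Cert"

    if { [SSL::cert count] > 0 } {
        # SSL::cert 0 is the client's leaf certificate from the handshake.
        # Base64-encode it so it fits on a single header line.
        HTTP::header insert "X-Client-Cert" [b64encode [SSL::cert 0]]
    } else {
        # Fail closed if no certificate is attached to this connection,
        # for example when the profile was changed to "request" or "ignore".
        HTTP::respond 403 content "Client certificate required"
    }
}
```

The backend should accept this header only on connections that come from the BIG-IP, because the header is only as trustworthy as the path it arrives on.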