Forum Discussion
Philip_Lee_6609
Nimbostratus
Sep 21, 2007
SSL client certificate authentication
We have a web application (BigIP LTM -> iplanet web servers -> websphere application server).
The web application requires client certificate authentication and HTTPS.
We want to t...
AaronJB
Sep 25, 2007
Ret. Employee
Do you need to pass /a/ client certificate to the back end server, or do you need to pass /the/ client certificate to the back end server to complete the handshake?
If you can use the same client cert for all connections then you can do that in the SSL profile - but obviously if you are making any authentication decision based on the certificate you will still need to insert the 'real' client certificate into the headers.
If you need to pass the actual client certificate over and use that in the LTM->node SSL handshake then I'm afraid I don't believe there is any way to do that - even with iRules.
While it is possible to change some parameters of the serverside SSL profile on-the-fly with iRules, I've yet to find a way to insert the clientside client certificate X509 data into the serverside SSL profile within an iRule.
I'd say the best solution is the one you currently have - inserting the client certificate into headers.
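The header-insertion approach recommended in the reply above, as an added example that is not part of the original thread or F5's own code. It assumes the client SSL profile requests a client certificate; the `X-Client-Cert*` header names are assumptions chosen for illustration.

```tcl
when HTTP_REQUEST {
    # Remove any copies of these headers supplied by the client, so the
    # back end only ever sees values set by the LTM (header names assumed).
    HTTP::header remove "X-Client-Cert"
    HTTP::header remove "X-Client-Cert-Subject"
    HTTP::header remove "X-Client-Cert-Verify"

    # A certificate is available only if the client presented one
    # during the clientside SSL handshake.
    if { [SSL::cert count] > 0 } {
        set cert [SSL::cert 0]

        # Base64 of the DER certificate keeps the header value on one line.
        HTTP::header insert "X-Client-Cert" [b64encode $cert]

        # Subject DN and the LTM's verification result, for back ends
        # that do not want to parse the full certificate themselves.
        HTTP::header insert "X-Client-Cert-Subject" [X509::subject $cert]
        HTTP::header insert "X-Client-Cert-Verify" \
            [X509::verify_cert_error_string [SSL::verify_result]]
    }
}
```

Because the back end no longer sees the client's TLS handshake, it should accept these headers only on connections that come from the LTM.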