Forum Discussion
d_y_gobel_11576
Nimbostratus
Mar 12, 2013
Two-way SSL on APM for mobile client
I have been told that I could configure two-way SSL authentication with APM. With this I want to build a network connection from a mobile device (iOS). I can't find anything that explains how to achieve this, m...
Kevin_Stewart
Employee
Mar 12, 2013
"Of course I am curious how they managed the client's private key, as the IP of the client will never remain the same."
SSL certificates and IP addresses don't have much to do with one another.
So, given your terminology, "one-way" SSL is where the server presents its public key to the client, the client verifies it (for trust, expiration, etc.) and then they both set up a private connection. "Two-way" SSL is then when the client passes its own public key to the server for the server to verify. In BIG-IP speak, that's called "client certificate authentication". Two-factor authentication is client-side authentication terminology for how many identity-proofing factors a client possesses (what you have, what you know, what you are). Smartcards are good examples of two-factor authentication (what you have - the card, and what you know - the PIN).
So, to answer your original question, APM absolutely supports client certificate authentication. Look in the APM visual policy for an agent called "On-Demand Cert Auth". You'll also need to create a client SSL profile in LTM and, at a minimum, set the server certificate and key, and the Trusted Certificate Authorities selection under the Client Authentication section (it could be somewhere else depending on your version). This selection is generally a "bundle" file - a text file containing the PEM-formatted certificates of all the issuer certificates (public keys) that will be needed to validate the trust of the client's certificate. It's the server-side equivalent of your browser's trusted certificate store. When the client presents its certificate, this list of certificates will be used to validate a complete chain of trust from the client to the self-signed root. You may also optionally include an Advertised Certificate Authorities bundle, which provides a root hint when the client certificate is requested. If you have many certificate authorities to deal with, it helps the client filter out just the ones you'll accept. The APM VPE On-Demand agent will effectively cause a renegotiation and set the Client Certificate option to "request" or "require".
Now, once the client has presented a certificate and it is validated, the certificate's X.509 data will be accessible in APM session variables under session.ssl.cert.* (e.g. session.ssl.cert.subject). You can use these values to perform your LDAP queries for authentication.
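The following is an added example, not code from this thread or from F5. It builds a small throwaway PKI with openssl (a self-signed root, an issuing CA, and a client certificate for the device), concatenates the issuers into the kind of PEM "bundle" file the answer describes, and checks the client certificate against that bundle the way the client SSL profile's Trusted Certificate Authorities list would: the chain has to run unbroken from the client certificate to the self-signed root, so a bundle that omits the intermediate fails. It also packages the client identity as a PKCS#12 file, which is the usual way to put a key and certificate onto an iOS device. All names, files and the tmsh object names in the comments are made up for the example.

```shell
#!/bin/sh
# Added example (not from the DevCentral thread or F5): a throwaway PKI,
# the Trusted CA bundle, and a chain check against it. All names are made up.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Self-signed root CA (extensions from a file so this works on old openssl too).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Example Corp/CN=Example Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 30 -out root.pem 2>/dev/null

# Issuing (intermediate) CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Example Corp/CN=Example Issuing CA" \
    -keyout issuing.key -out issuing.csr 2>/dev/null
openssl x509 -req -in issuing.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 30 -out issuing.pem 2>/dev/null

# Client certificate for the mobile device, signed by the issuing CA.
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > client.ext
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Example Corp/CN=Example Mobile User" \
    -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA issuing.pem -CAkey issuing.key -CAcreateserial \
    -extfile client.ext -days 30 -out client.pem 2>/dev/null

# The Trusted Certificate Authorities bundle: every issuer in the chain,
# PEM-encoded, in one text file. Imported to the BIG-IP it becomes the
# client SSL profile's ca-file.
cat root.pem issuing.pem > ca_bundle.pem

# What the device itself needs: its private key and certificate (plus the
# intermediate) as a PKCS#12 file, the usual way to install an identity on iOS.
openssl pkcs12 -export -inkey client.key -in client.pem -certfile issuing.pem \
    -passout pass:changeit -out client.p12

# Exit 0 only if a complete chain to a self-signed root in the bundle can be
# built for the presented certificate; this is the check the answer describes.
verify_against_bundle() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The CN that APM would expose via session.ssl.cert.subject after a
# successful handshake, i.e. the value you would feed into an LDAP lookup.
# (sed handles both "subject=CN = x" and "subject= /CN=x" output styles.)
client_subject_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Equivalent BIG-IP objects as tmsh commands (assumed object names; not run
# here). ca-file is the Trusted Certificate Authorities list, client-cert-ca
# the Advertised Certificate Authorities hint, and peer-cert-mode is what the
# On-Demand Cert Auth agent flips to request/require during renegotiation:
#   tmsh install sys crypto cert client_ca_bundle from-local-file /var/tmp/ca_bundle.pem
#   tmsh create ltm profile client-ssl apm_mobile_clientssl \
#       cert server.crt key server.key \
#       ca-file client_ca_bundle.crt client-cert-ca client_ca_bundle.crt \
#       peer-cert-mode request

# Full bundle: chain validates. Root alone: the intermediate is missing, so
# the chain from client to root cannot be completed and validation fails.
verify_against_bundle ca_bundle.pem client.pem && echo "chain OK: $(client_subject_cn client.pem)"
verify_against_bundle root.pem client.pem || echo "root alone fails: intermediate missing from bundle"
```

The second check is the one worth remembering when a working setup suddenly rejects devices: if the issuing CA is rotated or a new intermediate is introduced and the bundle on the BIG-IP is not updated, the chain no longer reaches the self-signed root and the client certificate is refused even though the device's certificate is perfectly valid.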