two-way ssl on apm for mobile client

Employee

Mar 12, 2013

Ofcourse i am curious how they managed Clients Private key, as the IP of the client will never remain the same.

SSL certificates and IP addresses don't have much to do with one another.

So given your terminology, "one-way" SSL is where the server presents its public key to the client, the client verifies it (for trust, expiration, etc.) and then they both set up a private connection. A "two-way" SSL is then when the client passes its own public to the server for the server to verify. In BIG-IP speak, that's called "client certificate authentication". Two-factor authentication is client side authentication terminology for how many identity-proofing factors a client possesses (what you have, what you know, what you are). Smartcards are good examples of two-factor authentication (what you have - the card, and what you know - the pin).

So to answer your original question, APM absolutely supports client certificate authentication. Look in the APM visual policy for an agent called "On-Demand Cert Auth". You'll need to also create a client SSL profile in LTM, and at a minimum, set the server certificate and key, and the Trusted Certificate Authorities selection under the Client Authentication section (could be somewhere else depending on your version). This selection is generally a "bundle" file - a text file containing the PEM-formatted certificates of all the issuer certificates (public keys) that will be needed to validate the trust of the client's certificate. It's the equivalent of your browser's trusted certificate store on the server side. When the client presents its certificate, this list of certificates will be used to validate a complete chain of trust from the client to the self-signed root. You may also optionally include an Advertised Certificate Authorities bundle, which provides a root hint when the client certificate is requested. If you have many certificate authorities to deal with it helps the client to filter out just the ones you'll accept. The APM VPE On-Demand agent will effectively cause a renegotiation and set the Client Certificate option to request or require.

Now, once the client has presented a certificate, and is validated, the certificate X509 data will be accessible in APM session variables under session.ssl.cert.* (ex. session.ssl.cert.subject). You can use these values to perform your LDAP queries for authentication.

Forum Discussion

two-way ssl on apm for mobile client

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Syslog Filter Configuration for Separating Audit and LTM logs.

Use F5 APM as Forward Proxy

Forward proxy with SSL passthrough - SWG license required?

sslprovide (--f5 ssl) does not generate CLIENT/SERVER_TRAFFIC_SECRET on server-side TLS traffic

F5 Software Downgrade from version 17.x.x to 15.x.x

Related Content

Protecting Your Native Mobile Apps with F5 XC Mobile App Shield

Making Mobile SDK Integration Ridiculously Easy with F5 XC Mobile SDK Integrator

Bot Defense for Mobile Apps in XC WAAP Part 1: The Bot Defense Mobile SDK

Mobile Security: Current Challenges & A Vision For The Future

Protect your Mobile Applications with F5 Distributed Cloud Bot Defense

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS