Forum Discussion

Emad
Apr 06, 2018

Unique identification of client in SSL Mutual auth

Hi, I have been using SSL Mutual Authentication via LTM. In the previous implementation a single client certificate was used for multiple clients; now I need to identify each client uniquely by its client certificate via mutual auth, and have to make sure that a single client certificate cannot be reused by another client. What are the possibilities to achieve this via LTM or any other BIG-IP module, and how?


    Emad,

    Let's break this down into three parts:


    • Allowing individual access via client certificate - this is relatively easy and mechanically just an extension of what you're already doing with a single certificate. Each client certificate would minimally include some unique information about the holder (e.g. a common name, email address, ID number, etc.), and would be issued and digitally signed by some authority that your BIG-IP trusts.

    • Uniquely identifying users and making sure that a single client certificate cannot be reused by another client - this one depends on what you mean by "single client certificate". If you mean the previous single certificate, then it's easy enough to filter that certificate based on attributes of the cert. If you mean preventing one person from using someone else's cert, that's more to do with the environment than it is about the BIG-IP (or any server). Certificates can be stored in software or hardware. The former can be a bit more challenging to secure, while the latter (usually via smart cards) is easier to secure.


    • What to do with individual client identities - it sounds like you're already doing mutual auth with certificates, so I probably don't need to go into the details of that. If all you need to do is allow users access with a certificate, then LTM is all you need. With LTM and an iRule, you can extract user identity information from the cert and filter on this data. If you need to pass identity information to the server, LTM can pass an HTTP header, or you could use APM to do server-side Kerberos auth.
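An added example of the iRule approach described in the reply above (this is not code from the original thread or from F5): it captures the client certificate during the handshake, filters on the issuer/serial pair so a specific certificate such as the old shared one can be denied, and forwards the verified identity to the pool member in an HTTP header. It assumes the clientssl profile is set to request or require a client certificate and that a string data group named allowed_cert_ids (a hypothetical name) lists the permitted "issuer|serial" values.

```tcl
# Added example iRule (not from the original thread). Assumptions:
# the clientssl profile requests/requires a client cert against a
# trusted CA bundle, and a string data group "allowed_cert_ids"
# (hypothetical name) contains entries of the form "<issuer>|<serial>".

when CLIENTSSL_CLIENTCERT {
    # No certificate, or a chain that does not validate against the
    # CAs the BIG-IP trusts: drop the connection at the handshake.
    if { [SSL::cert count] < 1 || [SSL::verify_result] != 0 } {
        reject
        return
    }
    set cert [SSL::cert 0]

    # Issuer plus serial number identifies exactly one certificate,
    # so this key lets a particular cert be filtered even if it is
    # otherwise valid (e.g. the previously shared certificate).
    set cert_id "[X509::issuer $cert]|[X509::serial_number $cert]"

    # Pull the CN out of the subject DN to use as the user identity.
    set cn ""
    regexp {CN=([^,]+)} [X509::subject $cert] -> cn
}

when HTTP_REQUEST {
    # Reject requests whose certificate is not in the allow list.
    if { ![info exists cert_id] || ![class match $cert_id equals allowed_cert_ids] } {
        HTTP::respond 403 content "client certificate not authorized"
        return
    }

    # Strip any client-supplied copies so the header cannot be spoofed,
    # then pass the identity the BIG-IP verified to the server.
    HTTP::header remove X-Client-CN
    HTTP::header remove X-Client-Cert-Id
    HTTP::header insert X-Client-CN $cn
    HTTP::header insert X-Client-Cert-Id $cert_id
}
```

Rather than allow-listing, the same `class match` check can be inverted against a deny-list data group holding only the identifiers of certificates that must no longer be accepted.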