Unique identification of client in SSL Mutual auth
Emad,
Let's break this down into three parts:
- Allowing individual access via client certificate - this is relatively easy and mechanically just an extension of what you're already doing with a single certificate. Each client certificate would minimally include some unique information about the holder (ex. a common name, email address, ID number, etc.), and would be issued and digitally signed by some authority that your BIG-IP trusts.
- Uniquely identifying users and making sure that a single client certificate cannot be reused by another client - this one depends on what you mean by "single client certificate". If you mean the previous single certificate, then it's easy enough to filter that certificate based on attributes of the cert. If you mean preventing one person from using someone else's cert, that's more to do with the environment than it is about the BIG-IP (or any server). Certificates can be stored in software or hardware. The former can be a bit more challenging to secure, while the latter (usually via smart cards) is easier to secure.
- What to do with individual client identities - it sounds like you're already doing mutual auth with certificates, so I probably don't need to go into the details of that. If all you need to do is allow users access with a certificate, then LTM is all you need. With LTM and an iRule, you can extract user identity information from the cert and filter on this data. If you need to pass identity information to the server, LTM can pass an HTTP header, or you could use APM to do server side Kerberos auth.
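An added iRule sketch (not from the answer above or from F5) of the third part: extract the CN from the verified client certificate, filter it against a per-user allow list, and pass it to the server in a header. It assumes the virtual server has a clientssl profile that requests a client cert, a data group named `allowed_client_cns` (assumed name) listing permitted CNs, and a backend that reads the assumed header `X-Client-CN`.

```tcl
# Assumptions (not from the original post): data group "allowed_client_cns"
# holds the permitted CNs; the backend trusts the "X-Client-CN" header only
# because the BIG-IP sets it after stripping any client-supplied copy.

when CLIENTSSL_CLIENTCERT {
    # Only trust the cert if the clientssl profile's chain verification passed.
    if { [SSL::cert count] == 0 || [SSL::verify_result] != 0 } {
        set client_cn ""
        reject
        return
    }
    set subject [X509::subject [SSL::cert 0]]
    # Pull the CN out of the subject DN, e.g. "CN=alice,OU=Ops,O=Example".
    if { ![regexp -nocase {(?:^|,)\s*CN=([^,]+)} $subject -> client_cn] } {
        set client_cn ""
        reject
        return
    }
    set client_serial [X509::serial_number [SSL::cert 0]]
}

when HTTP_REQUEST {
    # Never let the client supply its own identity headers.
    HTTP::header remove "X-Client-CN"
    HTTP::header remove "X-Client-Cert-Serial"
    # No cert was presented (or it failed above): refuse the request.
    if { ![info exists client_cn] || $client_cn eq "" } {
        HTTP::respond 403 content "client certificate required"
        return
    }
    # Per-user filtering: only CNs listed in the data group get through.
    if { ![class match $client_cn equals allowed_client_cns] } {
        log local0. "denied client cert CN=$client_cn serial=$client_serial"
        HTTP::respond 403 content "forbidden"
        return
    }
    # Identity is established by the BIG-IP, not the client, so the
    # server can rely on these headers.
    HTTP::header insert "X-Client-CN" $client_cn
    HTTP::header insert "X-Client-Cert-Serial" $client_serial
}
```

Logging the serial alongside the CN makes it possible to tell a reissued certificate from the original if one is ever suspected of being copied.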