Securing Applications using mTLS Supported by F5 Distributed Cloud
Introduction
Mutual Transport Layer Security (mTLS) establishes an encrypted TLS connection between two parties in which both sides authenticate each other with X.509 digital certificates. It helps prevent attacks in which a malicious third party impersonates a genuine application, and it is useful wherever a server must confirm the authenticity and validity of a specific user or device. As SSL became obsolete, companies such as Skype and Cloudflare adopted mTLS to secure their business servers. Encryption on its own, whether TLS or another tool, does not protect against man-in-the-middle attacks unless it is combined with secure authentication. With mTLS, a server is given an identity that can be cryptographically verified, which makes access to your resources more flexible.
mTLS with XFCC Header
Beyond terminating mTLS, F5 Distributed Cloud WAF can forward the client certificate attributes (subject, issuer, root CA, etc.) to the origin server in the x-forwarded-client-cert (XFCC) header. This gives the origin an additional layer of security: when it receives requests from many different clients, it can use the forwarded attributes to authenticate each client itself. The XFCC header carries the following attributes and is supported for both load balancer types, HTTPS with Automatic Certificate and HTTPS with Custom Certificate.
- Cert
- Chain
- Subject
- URI
- DNS
How to Configure mTLS
In this demo we use httpbin as the origin server, fronted by an F5 XC load balancer. The following sections deploy the httpbin application, create custom certificates, and walk step by step through configuring mTLS with the different LB (Load Balancer) types in F5 XC.
Deploying HttpBin Application
Here is the link to deploy the application using docker commands.
Signing server/leaf cert with locally created Root CA
Commands to generate CA Key and Cert:
openssl genrsa -out root-key.pem 4096
openssl req -new -x509 -days 3650 -key root-key.pem -out root-crt.pem
Commands to generate Server Certificate:
openssl genrsa -out cert-key2.pem 4096
openssl req -new -sha256 -subj "/CN=test-domain1.local" -key cert-key2.pem -out cert2.csr
echo "subjectAltName=DNS:test-domain1.local" >> extfile.cnf
openssl x509 -req -sha256 -days 501 -in cert2.csr -CA root-crt.pem -CAkey root-key.pem -out cert2.pem -extfile extfile.cnf -CAcreateserial
Note:
Add the TLS certificate to the XC console, create an LB (HTTP/TCP) and attach the origin pools and TLS certificates to it.
In Ubuntu:
Copy the CA certificate created above (root-crt.pem) to /usr/local/share/ca-certificates/ca-crt.pem, and add an entry to /etc/hosts mapping the VIP (found under your configured LB -> DNS info -> IP Addr) to the domain, in this case test-domain1.local.
mTLS with HTTPS Custom Certificate
Log in to the F5 Distributed Cloud Console and navigate to the “Web APP & API Protection” module.
Go to Load Balancers and click ‘Add HTTP Load Balancer’.
Enter the LB name (test-mtls-cust-cert) and domain name (mtlscusttest.f5-hyd-demo.com), set the LB Type to HTTPS with Custom Certificate, select the TLS configuration Single Certificate and configure the certificate details.
Click ‘Add Item’ under TLS Certificates and upload the cert and key files by clicking on import from files.
Click Apply, enable mutual TLS, import the root certificate, and add the XFCC header value.
Configure the origin pool by clicking on ‘Add Item’ under Origins. Select the created origin pool for httpbin.
Click on ‘Apply’ and then save the LB configuration with ‘Save and Exit’.
Now we have created the load balancer with mTLS parameters. Let us verify the same with the origin server.
mTLS with HTTPS with Automatic Certificate
Log in to the F5 Distributed Cloud Console and navigate to the “Web APP & API Protection” module.
Go to Load Balancers and click ‘Add HTTP Load Balancer’.
Enter the LB name (mtls-auto-cert) and domain name (mtlstest.f5-hyd-demo.com), set the LB Type to HTTPS with Automatic Certificate, enable mutual TLS and add the root certificate. Also enable the x-forwarded-client-cert header and add the parameters.
Configure the origin pool by clicking on ‘Add Item’ under Origins. Select the created origin pool for httpbin.
Click on ‘Apply’ and then save the LB configuration with ‘Save and Exit’.
Now, we have created the HTTPS Auto Cert Load Balancer with mTLS parameters. Let us verify the same with the origin server.
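The check that both load balancer variants above leave to "verify with the origin server" can be scripted on the origin side. The following Python is an added example, not part of the original article or of F5's or httpbin's code. It parses the x-forwarded-client-cert header in the Envoy-style key=value;key=value format F5 XC forwards (attributes such as Subject, URI and DNS, where quoted values may themselves contain commas), takes the last element as the certificate presented to the nearest proxy, and only trusts the header on requests whose peer address is the load balancer, because a request that reaches the origin directly could carry any header value. The trusted network 10.0.0.0/24, the allow-listed DNS SAN and the sample header are constructed for the example.

```python
"""Origin-side enforcement of the x-forwarded-client-cert (XFCC) header.

Added example (not from the article, F5 or httpbin). The format assumed is
the Envoy-style XFCC header: elements separated by ',', key=value pairs
inside an element separated by ';', values that may contain ',' or ';'
double-quoted, and Cert/Chain values carried as URL-encoded PEM.
"""
import ipaddress
from urllib.parse import unquote

# Constructed for this example: peer addresses from which the origin accepts
# the header (the load balancer's addresses) and the client DNS SANs allowed in.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
ALLOWED_DNS = {"client1.test-domain1.local"}

# Constructed sample header, as a load balancer would forward it for one client.
XFCC_SAMPLE = (
    'Hash=0011223344556677;'
    'Subject="CN=client1.test-domain1.local,O=Example Corp";'
    'URI=spiffe://example.local/client1;'
    'DNS=client1.test-domain1.local;DNS=alt.test-domain1.local'
)


def _split_outside_quotes(text, sep):
    """Split text on sep, ignoring separators that sit inside double quotes."""
    parts, current, in_quotes = [], [], False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
            current.append(ch)
        elif ch == sep and not in_quotes:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p for p in parts if p.strip()]


def parse_xfcc(header):
    """Parse an XFCC header into a list of dicts, one per certificate element.

    Every key maps to a list because DNS (and URI) may repeat inside an element.
    """
    elements = []
    for element in _split_outside_quotes(header, ","):
        attrs = {}
        for pair in _split_outside_quotes(element, ";"):
            key, eq, value = pair.partition("=")
            if not eq:
                continue  # malformed pair: skip it rather than fail the request
            key, value = key.strip(), value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            if key in ("Cert", "Chain"):
                value = unquote(value)  # PEM is URL-encoded inside the header
            attrs.setdefault(key, []).append(value)
        elements.append(attrs)
    return elements


def authorize_request(headers, remote_addr):
    """Return (allowed, reason) for a request that arrived at the origin.

    headers: mapping with lower-case header names; remote_addr: peer IP string.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in TRUSTED_PROXIES):
        # A caller that bypassed the load balancer could set any XFCC value,
        # so the header only means something when the peer is the LB itself.
        return False, "request did not arrive through the trusted load balancer"
    elements = parse_xfcc(headers.get("x-forwarded-client-cert", ""))
    if not elements:
        return False, "no client certificate attributes forwarded"
    client = elements[-1]  # last element: the client presented to the nearest proxy
    if set(client.get("DNS", [])) & ALLOWED_DNS:
        return True, "ok"
    subject = client.get("Subject", ["<no subject>"])[0]
    return False, "client certificate not on the allow list: " + subject


if __name__ == "__main__":
    print(parse_xfcc(XFCC_SAMPLE))
    print(authorize_request({"x-forwarded-client-cert": XFCC_SAMPLE}, "10.0.0.7"))
    print(authorize_request({"x-forwarded-client-cert": XFCC_SAMPLE}, "203.0.113.9"))
```

Restricting the header to requests from the load balancer is the part that matters most in practice: with httpbin's /headers endpoint you can see the forwarded attributes, but the origin must not act on them unless it knows the request came through the LB (address allow list as here, or a private origin pool / TLS to the origin).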
Conclusion
As the demonstration shows, F5 Distributed Cloud WAF adds a further layer of security for origin servers by authenticating clients with mTLS and forwarding the client certificate attributes to the origin in the XFCC header.