I have an APM policy configured, with the initial check being 'client type' for a machine tunnel or edge client. After that there is a machine cert auth check for both edge client and machine tunnel connections; this is identical for both types of client. The machine cert check is successful when the client connects using the edge client, however it is failing when the machine tunnel connection tries to connect.
Is there any difference in what the machine cert check does for a machine tunnel and edge client?
The f5mcertcheck logs from the client show exactly the same behaviour for the machine tunnel and edge client checks.
One thing I'm not sure about is whether I need to configure the client as per the documentation below, which seems to suggest this is for on-demand cert auth?
Does the client need this configuration for machine cert check also?
Configuring client certificates for machine tunnel authentication
When you configure client certificates for the machine tunnel service, you specify the location where the certificates are stored. For on-demand certificate authentication, the F5 Machine Tunnel service can select client certificates present in the service account or from the local computer.
Service Account: To select a service account as the certificate store, the F5 Machine Tunnel service should be installed on the client system. This store is local to the f5MachineTunnelService on the device.
Local computer: Selecting a local machine store as the certificate store does not require the F5 Machine Tunnel service to be installed. You can specify the location of the client certificate on the local machine.
Update: did further testing today and configured the client to use the local machine store, which is where the client cert is, and there is no difference. The client logs show it is looking in the right place and can see the certificate, however the APM is reporting errors and the check is failing with 'session.check_machinecert.last.result' set to '-2'.
It really isn't clear in the documentation, but Machine Certificate Authentication (MCA) isn't compatible with Machine Tunnels. To authenticate client certificates with Machine Tunnels, you would use On-Demand Certificate Authentication (ODCA) instead of MCA.
ODCA requires that you configure a CA on the F5 that can validate the client certificate. This CA would be configured in a ClientSSL profile for the VIP and set as the CA and Advertised CA. The profile would be set to "ignore" client certificate validation. Within the APM policy you define "ODCA" for authentication of the Machine Tunnel client type.
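The ClientSSL profile described in that answer, written out as a tmsh fragment. This is an added example, not part of the answer or of F5's documentation; the object names clientssl_odca, client-ca.crt, server.crt, server.key and vs_machine_tunnel are placeholders, and the ODCA agent itself is still added to the policy in the visual policy editor, which tmsh does not show here.

```tmsh
# Added example: ClientSSL profile for On-Demand Certificate Authentication.
# ca-file        = "Trusted Certificate Authorities" (validates the client cert)
# client-cert-ca = "Advertised Certificate Authorities" (sent in the CertificateRequest)
# peer-cert-mode ignore = no client cert is demanded during the initial handshake;
#                         the APM ODCA agent renegotiates and requests it later.
# Placeholders: client-ca.crt, server.crt, server.key, vs_machine_tunnel.
create ltm profile client-ssl clientssl_odca {
    defaults-from clientssl
    cert-key-chain { default { cert server.crt key server.key } }
    ca-file client-ca.crt
    client-cert-ca client-ca.crt
    peer-cert-mode ignore
}

# Attach the profile on the client side of the machine tunnel VIP and persist it.
modify ltm virtual vs_machine_tunnel profiles add { clientssl_odca { context clientside } }
save sys config
```

After the ODCA agent runs, the certificate result and subject land in session.ssl.cert.* variables rather than session.check_machinecert.*, so branch the policy on those.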