ASM vs to APM vs and client certificates

AlexS_yb · ‎16-Jul-2023

Hi

I had a VS which imposed a client certificate requirement to access it

Now I have to set this up as

ASM -> APM because I want ASM to interact first

My issue now is how do i get the client certificate information back to the APM vs when the tls session is terminated on the ASM VS

I was hoping to send the cert via a header to the back end - but I can't seem to write to ssl::cert

Daniel_Wolf · ‎16-Jul-2023

Hi @AlexS_yb,

I think you are looking for C3D (Client Certificate Constrained Delegation), this feature allows the BIG-IP to forge a client certificate for use in server-side client certificate authentication. The forged certificate is generated using information from a client certificate provided in the client-side ssl handshake.
See: K14065425: Configuring Client Certificate Constrained Delegation (C3D)

This way the APM should see the forged client cert with the required attributes for user authentication.

KR
Daniel

View solution in original post

Daniel_Wolf · ‎16-Jul-2023

Hi @AlexS_yb,

I think you are looking for C3D (Client Certificate Constrained Delegation), this feature allows the BIG-IP to forge a client certificate for use in server-side client certificate authentication. The forged certificate is generated using information from a client certificate provided in the client-side ssl handshake.
See: K14065425: Configuring Client Certificate Constrained Delegation (C3D)

This way the APM should see the forged client cert with the required attributes for user authentication.

KR
Daniel

AlexS_yb · ‎20-Jul-2023

Thanks for that , but not for me I don't think

DevCentral

ASM vs to APM vs and client certificates

MFA required on DevCentral