Kannan_Thalaia1
Jul 12, 2021

C3D, Client Certificate passing issue

For a new application requirement, we need to pass the client certificate to the backend server. We enabled the C3D option on the client and server SSL profiles.

 

I created the CA certificate and key (https://support.f5.com/csp/article/K14499) and attached them to the Server SSL profile.

 

Below are the client and Server SSL profiles (https://support.f5.com/csp/article/K14065425). Refer to the settings below.

 

Prerequisites:

• You must have a CA-Bundle used to validate incoming client certificates. --> Used Company's Certificate Bundle

• You must have a Certificate and Key for Reverse Proxy --> Current application certificate 

• You must have a CA Certificate and Key that has the ability to create new certificates --> Created CA certificate and key from F5 (https://support.f5.com/csp/article/K14499)

 

But when the client tries to access the application, we get an SSL handshake error.

 

Does any configuration need to be corrected on the F5?

 

Appreciate your help on this.

 

2021-07-12 01:34:31,510 +0000#INFO#com.sap.scc.rt#com.sap.scc.servlets.AccessControlServlet$3#  #SccEndpointValidator has thrown exception for HTTPS://141.122.200.74:64801: Received fatal alert: handshake_failure javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

 

2021-07-12 01:34:31,510 +0000#INFO#com.sap.scc.ui#com.sap.scc.servlets.AccessControlServlet$3#     #Error when checking local connectivity to gatewaypp:64801 --> javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

 

 

5 Replies

  • Hi Kannan,

     

    Your config looks right. From my memory there are two things that could possibly be wrong.

    First: The CA key/certificate you are using for C3D is not capable of creating new certificates (must be type: Issuing CA Certificate).

    Second: the application / web server does not trust certificates issued by this Issuing CA. Did you import this certificate on the application / web server as a trusted CA?

     

    You can do a tcpdump between the F5 and the application / web server and you will see the TLS handshake. From the handshake / tcpdump you can export the certificates that the F5 sends to the backend and check if they are issued properly.

     

    KR

    Daniel
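
Added example, not part of the replies: a shell sketch of the two checks suggested above, using `openssl` on constructed certificates. The helper names, file names and extension section names are assumptions; in practice the inputs would be the CA certificate attached to the Server SSL profile and the certificate exported from the capture.

```shell
# Added example; every certificate here is constructed test data.

# Return 0 if the certificate in $1 can issue certificates: basicConstraints
# CA:TRUE and, when a Key Usage extension is present, Certificate Sign.
can_issue_certs() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
        printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
    fi
}

# Return 0 if the certificate in $2 validates against trust anchor $1, the
# check a backend performs on the certificate presented to it.
backend_would_trust() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed sample: signer $1.crt using extension section $2, plus a leaf
# certificate $1-leaf.crt issued by that signer.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/x.cnf" \
        -extensions "$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/x.cnf" \
        -subj "/CN=constructed-client" -keyout "$1-leaf.key" -out "$1-leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1-leaf.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 1 -extfile "$WORK/x.cnf" -extensions not_ca \
        -out "$1-leaf.crt" 2>/dev/null
}

WORK=$(mktemp -d)
cat > "$WORK/x.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed-signer
[issuing]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[not_ca]
basicConstraints = CA:FALSE
EOF
for s in issuing not_ca; do
    make_sample "$WORK/$s" "$s"
    can_issue_certs "$WORK/$s.crt" && echo "$s: can issue" || echo "$s: cannot issue"
    backend_would_trust "$WORK/$s.crt" "$WORK/$s-leaf.crt" && echo "$s: leaf trusted" || echo "$s: leaf rejected"
done
```

A leaf signed by a certificate without CA:TRUE fails validation even when that signer is in the backend's trust store, which is why the first check matters before the second.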

  • Hello Daniel,

     

    Thanks for your update.

     

    First: The CA key/certificate you are using for C3D is not capable to create new certificates (must be type: Issuing CA Certificate).

    --> I am not sure how to create an Issuing CA certificate. I created the CA certificate and key (https://support.f5.com/csp/article/K14499) and attached them to the Server SSL profile.

     

    When I tried to capture the logs, the F5 is not sending any certificate to the backend. Refer to the attachment.

     

    Second: the application / web server does not trust certificates issued by this Issuing CA. 

    Did you import this certificate on the application / web server as a trusted CA?

    --> I provided the CA certificate (which was created above) to the application owner to put in the trusted CA list.

    But, I feel, first we need to fix the above issue (F5 is not sending the client certificate to the backend).

     

     

    • Daniel_Wolf (MVP)

      In the Prerequisites section of K14065425 it is stated that:

      • You must have a CA-Bundle used to validate incoming client certificates.
      • You must have a Certificate and Key for Reverse Proxy.
      • You must have a CA Certificate and Key that has the ability to create new certificates.

       

      This CA Certificate and Key must be used in the Server SSL profile in the CA Certificate and CA Key fields. And the backend server must trust certificates issued by this CA.

  • Hello Daniel,

    I am still not clear whether the CA certificate which I created through the LTM (https://support.f5.com/csp/article/K14499) will work or not.

     

    I provided the CA certificate which was created through LTM to the application owner to upload into their trusted store.

     

    Now I am waiting for their test result.

     

    I will keep you updated on this.

     

    Regards,

    Kannan.

    • Daniel_Wolf (MVP)

      Hello Kannan,

       

      The way you describe it, it sounds OK. The certificate created in "Creating a trusted CA key and certificate", "Step 3: Generate a CA certificate by using the following command syntax" is the one that should be trusted by the application server.

       

      KR

      Daniel