i'm trying to apply client authentication using certificate where the certificate is required otherwise you can't view the link . the public certificate is installed from client side and the private one configured in WAF . I'm using below irule to achieve that :
when HTTP_REQUEST {
if {[HTTP::uri] starts_with "/mylink/" } {
if {[SSL::cert count] <= 0 } {
HTTP::collect
SSL::authenticate always
SSL::authenticate depth 9
SSL::cert mode require
SSL::renegotiate
}
}
}
but I got SSL handshake error as warning in WAF , so is there any error in above rule? or it required another setup in SSL profile ? note that i have different Urls which require different certificate but all of them under /mylink/ , for certificates i have one profile contain all the required certificates.
when your irules work (LTM initiate SSL HelloRequest require client initiate new SSL connection to LTM), client attempt SSL::renegotiate(client bring its clientcert) to LTM, you should HTTP::release clientside HTTP traffic :
In clientssl profile, renegotiation should be enabled. Also, in client authentication part under Trusted Certificate Authorities select intermediate/issuer certificate of client certificate.
You can also modify the iRule if requirement is to parse client cert subjectDN and allow access to it or add it as header to send it to pool member for authorization.
yes, the idea is i have api link which required client authentication. in soap ui i have attached the certificate and request the api but there is no response and i got the above error.
