Forum Discussion

ChrisThuys
Oct 27, 2020

irule to insert a client cert for authorisation to a website

I have configured a VS to act as a reverse proxy for an external vendor's website, i.e. the pool member is the external vendor's website.

We are also using client and server ssl profiles.

The vendor's site requires a client certificate to be presented. I would like to use an iRule to insert the client certificate so that the jbos apps that are making the requests do not need to.

 

Is this at all possible, and if so, how might I go about it? The research I have done so far seems to indicate that the client has to present the client certificate when establishing the SSL connection.

4 Replies

  • Is it one client certificate, or different ones for different people?

    If it is one, you can configure it on the client ssl profile.

    If it is multiple, you might want to look into C3D: https://support.f5.com/csp/article/K14065425

    • ChrisThuys

      The idea is that the end user does not present a client certificate to the backend webserver. This is done by the F5. Yes, the client side is using SSL; it just does not use a client certificate. The server side is also using SSL, but the backend server requires a client certificate to be presented.

  • From what I see of your requirement, you don't want to have mutual authentication for your clients. But the external vendor website, which is your pool member, requires a cert to be produced to access it.

    You can simply configure a cert in your custom serverssl profile and pass it. By default the cert is none.

    In case the vendor would accept only cert CN's, have that installed on LTM and map it to the serverssl profile. This way your clients can connect to the VS without any cert, and on the backend LTM will be providing the cert while connecting to the external website.

    • ChrisThuys

      Finally getting back to this. This is what I have done already, however. The backend webserver returns "400 Bad Request

      No required SSL certificate was sent"


      It appears from the decrypted packet capture that the backend server never requests a certificate; it just expects the certificate to be sent.

      Is there some way to insert the client certificate pre-emptively?
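
A TLS client sends its certificate only in answer to the server's CertificateRequest message, so the check that matters for the symptom in the last post is whether, and when, the backend sends one. The following is an added example, not part of the original thread: it classifies an `openssl s_client -msg` trace, and the function names and the sample trace are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify whether a TLS server asked for a client certificate,
# using the handshake trace printed by `openssl s_client -msg`.

# Reads a -msg trace on stdin. Received messages start with "<<<", sent ones
# with ">>>". Prints one of:
#   requested-in-handshake | requested-after-handshake | not-requested
classify_cert_request() {
    awk '
        /^<<< / && /CertificateRequest/ { if (fin) late = 1; else early = 1 }
        # The first client Finished ends the initial handshake; a request seen
        # after it came via renegotiation or post-handshake authentication.
        /^>>> / && /Finished/ { fin = 1 }
        END {
            if (early)     print "requested-in-handshake"
            else if (late) print "requested-after-handshake"
            else           print "not-requested"
        }'
}

# Live probe. "$1" is the backend as host:port, supplied by the caller.
probe_backend() {
    openssl s_client -connect "$1" -servername "${1%:*}" -msg \
        </dev/null 2>/dev/null | classify_cert_request
}

# Constructed trace (not captured from a real server). "$1" selects where the
# CertificateRequest appears: early, late, or anything else for none.
sample_trace() {
    echo '>>> TLS 1.2, Handshake [length 0130], ClientHello'
    echo '<<< TLS 1.2, Handshake [length 0059], ServerHello'
    echo '<<< TLS 1.2, Handshake [length 0b2c], Certificate'
    [ "$1" = early ] && echo '<<< TLS 1.2, Handshake [length 0026], CertificateRequest'
    echo '<<< TLS 1.2, Handshake [length 0000], ServerHelloDone'
    echo '>>> TLS 1.2, Handshake [length 0010], Finished'
    echo '<<< TLS 1.2, Handshake [length 0010], Finished'
    [ "$1" = late ] && echo '<<< TLS 1.2, Handshake [length 0026], CertificateRequest'
    return 0
}
```

Because `probe_backend` sends no HTTP request, a server that asks for the certificate only after it has seen the request will show as `not-requested`; capture a trace of a real request and pipe it to `classify_cert_request` to check that case.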