iRule to insert a client cert for authorisation to a website

ChrisThuys
Nimbostratus

I have configured a VS to act as a reverse proxy for an external vendor's website, i.e. the pool member is the external vendor's website.

We are also using client and server ssl profiles.

The vendor's site requires a client certificate to be presented. I would like to use an iRule to insert the client certificate so that the JBoss apps that are making the requests do not need to.

Is this at all possible, and if so, how might I go about it? The research I have done so far seems to indicate that the client has to present the client certificate when establishing the SSL connection.

4 REPLIES

boneyard
MVP

Is it one client certificate, or different ones for different people?

If it is one, you can configure it on the client ssl profile.

If it is multiple, you might want to look into C3D: https://support.f5.com/csp/article/K14065425

The idea is that the end user does not present a client certificate to the backend webserver. This is done by the F5. Yes, the client side is using SSL; it just does not use a client certificate. The server side is also using SSL, but the backend server requires a client certificate to be presented.

From what I see of your requirement, you don't want to have mutual authentication for your clients. But the external vendor website, which is your pool member, requires a cert to be produced to access it.

You can simply configure a cert in your custom serverssl profile and pass it. By default the cert is none.

In case the vendor would accept only cert CN's, have that installed on LTM and map it to the serverssl profile. This way your clients can connect to the VS without any cert and on the backend LTM will be providing the cert while connecting to the external website.
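
The server SSL profile approach described in the reply above, written out as tmsh commands. This is an added example, not configuration posted in the thread: the object names `vendor_client.crt`, `vendor_client.key`, `vendor_serverssl` and `vs_vendor_proxy` and the `/var/tmp` paths are hypothetical, and it assumes the virtual server currently carries the default `serverssl` profile.

```tmsh
# Run from the tmsh prompt. All object names and file paths are hypothetical.

# 1. Import the client certificate and private key issued for the vendor site.
install sys crypto cert vendor_client.crt from-local-file /var/tmp/vendor_client.crt
install sys crypto key vendor_client.key from-local-file /var/tmp/vendor_client.key

# 2. Custom server SSL profile. The parent "serverssl" profile has
#    cert none / key none, so BIG-IP has nothing to present when the
#    pool member asks for a client certificate.
create ltm profile server-ssl vendor_serverssl { defaults-from serverssl cert vendor_client.crt key vendor_client.key }

# 3. Swap the profile on the virtual server inside a transaction so the
#    virtual server is never left without a server-side SSL profile.
#    The client SSL profile is untouched: clients still connect without
#    presenting a certificate.
create cli transaction
modify ltm virtual vs_vendor_proxy profiles delete { serverssl }
modify ltm virtual vs_vendor_proxy profiles add { vendor_serverssl { context serverside } }
submit cli transaction

# 4. Confirm the certificate and key are bound, then persist the change.
list ltm profile server-ssl vendor_serverssl cert key
list ltm virtual vs_vendor_proxy profiles
save sys config
```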

Finally getting back to this. This is what I have done already, however. The backend webserver returns "400 Bad Request

No required SSL certificate was sent"

It appears from the decrypted packet capture that the backend server never requests a certificate; it just expects the certificate to be sent.

Is there some way to insert the client certificate pre-emptively?