12-Oct-2022 01:25
Hello again,
Since our customer is trying to migrate from LTM auth profiles to APM, he's missing one feature in APM which was available in LTM auth profiles.
The customer is checking in the LDAP if a certificate is available, here's the relevant config setting:
Does someone know how to implement the same in APM?
Thanks,
Peter
12-Oct-2022 01:44 - edited 12-Oct-2022 01:46
I have not used LTM auth profiles, but if this is to extract the UPN from an SSL cert and then send it to the AD, maybe check the links below:
13-Oct-2022 14:41 - edited 13-Oct-2022 14:51
Yeah, as @Nikoolayy1 suggests, it's not missing, just differently implemented in the visual policy editor in APM. Kevin also has an iRule solution, which he prefers over doing it solely in the VPE.
https://community.f5.com/t5/technical-forum/apm-clientcert-to-kerberos-transition-parsing/m-p/249706
23-Oct-2022 01:41
If you managed to get the needed answers, please flag the question as answered.
28-Oct-2022 12:11
Any progress on the issue? 🙂
09-Nov-2022 00:40
Sorry, I was quite busy...
No unfortunately it is not solved.
Advanced Auth had the feature as displayed in the screenshot:
Search Type: Certificate: Specifies that the system searches for a certificate stored in the user's profile in the remote LDAP database.
So, ACA was checking in the LDAP DB if there's a cert stored in the user's profile.
How can this be done with APM? I couldn't find any solution for it, since it is more of an active LDAP query that has to be done, not a check of session variables.
Thanks,
Peter
16-Nov-2022 01:07
Hello again,
The customer just told me that with ACA they could validate the provided cert against the user's cert stored in LDAP.
So, what is missing in the access profile is the ability to check the cert provided by the client against the cert stored for the user in LDAP.
The customer was using a cert validation with ACA to check if the provided cert matches the user certs stored in LDAP, even when the user has two valid certs and one of them will soon be invalid because of its expiry date.
21-Nov-2022 13:45
Have you used the APM VPE? I think you can do a simple LDAP search to get the contents of this, but you will need your full DN to set it.
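As an added illustration of the check this reply describes (an LDAP search for the user's entry, then a comparison of the presented certificate against what is stored there), here is example code that is not from this thread or from F5. It assumes the directory keeps DER-encoded certificates in the standard `userCertificate;binary` attribute, that the user is looked up by `userPrincipalName`, and it uses constructed byte strings in place of real DER certificates; the LDAP bind and search themselves are left to whatever LDAP client is in use, and only the filter construction and the matching logic are shown.

```python
import hashlib
from typing import Dict, Iterable, List, Optional

# RFC 4515 escaping for values placed into an LDAP search filter.
# The username typically comes from the client certificate, so it must not be
# able to change the shape of the filter.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_cert_search(base_dn: str, upn: str) -> Dict[str, object]:
    """Describe the LDAP search that fetches a user's stored certificates.

    Assumption: certificates are stored DER-encoded in userCertificate;binary
    and the user is identified by userPrincipalName. The returned dict is what
    you would hand to your LDAP client's search call.
    """
    flt = f"(&(objectClass=user)(userPrincipalName={escape_ldap_filter_value(upn)}))"
    return {
        "base": base_dn,
        "scope": "subtree",
        "filter": flt,
        "attributes": ["userCertificate;binary"],
    }


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def find_matching_stored_cert(
    presented_der: bytes, stored_ders: Iterable[bytes]
) -> Optional[str]:
    """Return the fingerprint of the stored certificate equal to the presented one.

    The comparison is on the full DER encoding via its fingerprint, so a match
    means the client holds exactly one of the certificates enrolled in the
    user's entry. Additional stored certificates (for example one that is about
    to expire) do not disturb the result; they simply do not match.
    """
    presented_fp = cert_fingerprint(presented_der)
    for stored in stored_ders:
        if cert_fingerprint(stored) == presented_fp:
            return presented_fp
    return None


# Constructed sample data (not real certificates): byte strings standing in
# for DER blobs. In a deployment, `presented` comes from the TLS handshake and
# `stored` from the values of userCertificate;binary in the search result.
SAMPLE_PRESENTED: bytes = b"constructed-der-cert-A"
SAMPLE_STORED: List[bytes] = [
    b"constructed-der-cert-expiring-soon",
    b"constructed-der-cert-A",
]


def demo() -> Optional[str]:
    """Run the two steps against the constructed sample data."""
    search = build_user_cert_search("DC=example,DC=com", "peter@example.com")
    print("LDAP search:", search)
    match = find_matching_stored_cert(SAMPLE_PRESENTED, SAMPLE_STORED)
    print("match:", match)
    return match


if __name__ == "__main__":
    demo()
```

Because the match is on the exact DER bytes, a renewed certificate with a new serial number will not match until the directory entry is updated, which is the same behaviour a stored-certificate check in the directory has always implied.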
21-Dec-2022 00:31
Hi @AubreyKingF5,
It was not possible to use the same features as in ACA.
The problem is that we only have the action "Client Certificate is valid" but no "Client Certificate is available" as in ACA.
APM:
ACA:
Even with the flexibility of APM we couldn't get to the point of having the same functionality as ACA.
The only possible way would be to use iRuleLX (NPM), but this would be quite complicated, and it is questionable whether it would also work with the high traffic volume they have at the customer.
27-Dec-2022 11:14
Sorry for the delay... I am installing APM now to see if I can show you. It's been a bit since I did this, so there may be some 'new version' rust.
01-Mar-2023 00:58 - edited 01-Mar-2023 00:59
Update on this issue:
The customer is facing another problem trying to migrate from ACA to APM.
They have an API behind a VS and APM with cert auth. The problem is now that when a machine client uses this API, it will check the client certificate (APM On-Demand Cert Auth block). This leads to an initial redirect to /my.policy, which confuses the client making the POST request; the client does not follow the redirect.
With ACA this was possible since we didn't have the redirect first when checking the cert auth.
We will now open a case for this at F5 support since migration from ACA to APM is not possible like this.
Maybe you have some news with your tests on the APM @AubreyKingF5 ?