Verify Certificate is installed
Hello everyone! I'm currently trying to set up a Machine Cert Auth in my APM VPE with the sole purpose of verifying that the computer has installed a company computer certificate. I'm struggling to get it to work and I'm unsure which components I actually need to get it to work. I have reviewed all manual chapters I can find and browsed through DC but still not managed to get it to work. I have the following simple policy: With the following Machine Cert Auth Config: Here I have tried numerous of different combinations. The one I'm presently using is this: CN=ad-ADDS01-CA-2, DC=ad, DC=jonsson, DC=biz I have installed the following computer cert on the computer trying to connect: I have configured a Certificate Authority Profile with the following settings: That is the root CA which has signed the Computer certificate. Here is the entire chain: The certificate is installed in the Local Machine part and I have all of the components installed for the APM to check my certs. Yet I’m still seeing this in the log: Apr 12 11:57:21 bigipcore02 err apmd[7363]: 0149015f:3: MachineCert Agent: Init failed in '/Common/cert_auth_test_act_machinecert_auth_ag' reason 'Loading CA file failed' And this when debug is turned on: Apr 12 12:32:42 bigipcore02 debug apmd[7363]: 01490266:7: (null):Common:00000000: ./AccessPolicyProcessor/SessionState.h: 'clearTempSessionAgentState()': 118: Agent did not initiated the scheduled agent It feels that I've done everything correct according to the examples and manuals I have found. What am I missing? =/
DISA OCSP responder sometimes producing errors
Hi, not sure if there are others that have this issue, it seems sporadic. I’m using BigIP v13.1.1 OCSP will sometimes fail and users will fail to login, and it will fail for a random duration of time which makes me think it may be an issue with DISA's OCSP servers. It doesn't happen daily. I have a pretty standard APM setup. No HA, nothing weird. My VPE: Start -> On Demand Cert (request) -> OCSP (/Common/DISA_OCSP, cert type user) -> etc etc -> For my OCSP config I have default settings with the Certificate Authority file as the DOD CA bundle and Verify other is the DOD Email CA bundle. Everything is checked besides Ignore AIA and Trust Other. The error in /var/log/apm is: OCSP Auth agent: Failure status ‘Error querying OCSP responsder *(<-this is a typo in the error)* host (ocsp.disa.mil) path (/)’ Looking at my email cert, it looks like I have two different AIAs. One is a crl.disa.mil url pointing at my CA's DODEMAILCA cer file, the other is ocsp.disa.mil. Can anyone recommend a more stable way to configure this?
iPad cert based auth not working
Has anyone here recently experienced an issue with cert based auth with iPads? I have configured LTM v13.1.1 with CBA via the client SSL profile, it’s working fine with iPhones, Edge & Chrome browsers with Win10 clients etc, only iPads have an issue. Issue appears to be related to iPads running v12.x onwards. Certs are being deployed via MDM, an iPad with v11.x was working ok until upgraded to v12.4.1 Also tested on beta IOS v13 today with same outcome. Clicking on link with auth using x509 cert results in page cannot be displayed SSL error. No client cert auth prompt is displayed. Anyone else?
Uploading Apache certificate chain
Trying to implement smart card auth for the big-ip configuration utility, but unable to upload the cert chain via the ui or cli. Receive the following error: Values (/parition/name) specified for Certificate Bundle Entity (/partition......) foreign key index (certificate_file_object_FK) do not point to an item that exists in the database. I've seen references to this error and a bug in 11.5, however this is 12.1.2 and also having the problem with 13.0 I've uploaded the bundle elsewhere and it's fine. Does anybody know if the bug is still outstanding or any work arounds? Appreciated.
