HTTPS sideband connection with certificate authentication
Hello Is it possible to make a https sideband connection with certificate authentication from a custom iRule. The connection I need is the same as the one created with this curl command: curl --cacert /root/CA.pem -d " date " --cert /root/cert.pem:admincert https://server.domain.int:550/OTP/rest/service/generate
SSL Client Auth fails after first wrong Issuer - doesnt test following Issuers
Hi, i have a problem with client certificate authentication. I think i found the problem, but still miss the answer. The situation is, there is a semi-public Trustcenter and i need to allow only clients with a valid client certificate. So i bundled all the Root and Intermediate Certificates into a chain file. But tests showed only ssl handshake failures : Dec 9 10:25:23 f5-111 info tmm1[15991]: 01260013:6: SSL Handshake failed for TCP 10.40.1.83:40652 -> 10.30.1.213:443 Dec 9 10:25:24 f5-111 debug tmm1[15991]: 01260006:7: Peer cert verify error: ok (depth 1; cert /C=DE/O=ITSG TrustCenter fuer Arbeitgeber) Dec 9 10:25:24 f5-111 debug tmm1[15991]: 01260006:7: Peer cert verify error: ok (depth 1; cert /C=DE/O=ITSG TrustCenter fuer Arbeitgeber) Dec 9 10:25:24 f5-111 debug tmm1[15991]: 01260006:7: Peer cert verify error: certificate signature failure (depth 0; cert /C=DE/O=ITSG TrustCenter fuer Arbeitgeber/OU=Deutsche Rentenversicherung Bund/OU=BN66667777/CN=Tino Pfeil) Dec 9 10:25:24 f5-111 debug tmm1[15991]: 01260009:7: Connection error: ssl_shim_vfycerterr:4249: certificate signature failure (42) Dec 9 10:25:24 f5-111 info tmm1[15991]: 01260013:6: SSL Handshake failed for TCP 10.40.1.83:34058 -> 10.30.1.213:443 I tried it with openssl verify and got this error: error 7 at 0 depth lookup:certificate signature failure 46953852812416:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:102: 46953852812416:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:944: 46953852812416:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:233: The problem is, i think, that there are 3 root certificates and multiple intermediate certs with the same name and hash but different serials. If i change order, so that the real issuer of the client is the first certificate, openssl verify gives "ok". When i put another intermediate with the same hash before the real issuer in the file, i get this error. So it seems verify process fails because openssl checks the digital signature of the first matching issuer (by issuer_hash), and if it fails the process stops without checking if there might be another issuer with a valid digital signature.. So how can i let the F5 check if any of the included intermediate certs is a valid one, and don't let the process fail after the first wrong. I found a KB which could be the right one for my problem, but i need a downtime to update, currently installed 11.6.0 HF8.
APM Clientless certificate authentication
Problem this snippet solves: This code allow to configure certificate authentication with APM clientless-mode support. The APM behavior when configuring following condition is to disable clientless-mode : APM clientless-mode in irule On-Demand Cert Auth in VPE This code enable clientless mode if required based. PS : this code use a list instead of a simple variable to be included in APM Sharepoint authentication code without changes. How to use this snippet: Edit the first HTTP_REQUEST event and add condition for enabling certificate authentication. Code : when HTTP_REQUEST { set AUTHENTICATION_MODE {certificate} #set AUTHENTICATION_MODE {none} } priority 900 when CLIENTSSL_CLIENTCERT { if {[SSL::cert count] < 1}{ reject } else { HTTP::release } } when HTTP_REQUEST { if { ( [set apm_sessionid [HTTP::cookie value "MRHSession"]] ne "" ) and ( [ACCESS::session exists -state_allow $apm_sessionid] ) } then { # Allow the successfully pre authenticated request to pass return } # Check authentication mode selected in previous HTTP_REQUEST event if {[lindex $AUTHENTICATION_MODE 0] equals "certificate"} { if { [SSL::cert count] <= 0 } { # if there is no client certificate hold the HTTP request till the SSL re-negotiation is done. HTTP::header insert "clientless-mode" 1 HTTP::collect SSL::session invalidate SSL::authenticate always SSL::authenticate depth 9 SSL::cert mode require SSL::renegotiate } elseif {[info exists sessionid]} { # the previous HTTP request in the same TCP connection is already authenticated and session cookie is missing, Insert MRHSession HTTP::cookie insert name MRHSession value $apm_sessionid } else { # SSL client is already authenticated, but Access session not evaluated. enable clientless mode HTTP::header insert "clientless-mode" 1 } } } when ACCESS_SESSION_STARTED { # catch session ID for next requests in the same TCP connection set apm_sessionid [ACCESS::session sid] # extract CN from subject and set in session.logon.last.username variable if {[lindex $AUTHENTICATION_MODE 0] equals "certificate"} { # Allow comma and = to be included in subject. remove space at the end or beginning of strings. set subject [ split [string map {"\\," "," " , " "|" ", " "|" " ," "|" "," "|" "\\=" "=" " = " "|" "= " "|" " =" "|" "=" "|"} [X509::subject [SSL::cert 0]]] "|"]; array set subject_list $subject if {[info exists subject_list(CN)]} { ACCESS::session data set session.logon.last.cn $subject_list(CN) ACCESS::session data set session.logon.last.username $subject_list(CN) ACCESS::session data set session.logon.last.logonname $subject_list(CN) } ACCESS::session data set session.logon.last.upn [findstr [ACCESS::session data get session.ssl.cert.x509extension] "othername:UPN<" 14 ">"] } }
Client Certificate Inspection on SSL VPN
I have a request to set up an SSL VPN on the F5 which requires that only devices with machine certificates are allowed to connect. I have set up the VPN and it works fine without certificate inspection, however I cannot get it to work with certificate inspection. I believe this is partially because I have set up an SSL certificate to allow the end user device to connect to the F5 using a DigiCert certificate so that tehy don't get a certificate error. This means that I then cannot associate another profile to the Virtual Server to check the internal CA against the machine certificate. The VPE does not seem to allow you to define what certificate authority to trust etc it just needs to be in the Virtual Server SSL client profile from all of my reading. Please help!2 Way SSL and SIDEBANDS usage in iRules
I have a use case where we want to do client certificate authentication on the a Big-IP that is running as a stand alone ASM. Once we validate the certificate we want to have the Big-IP reach out and talk to a web authentication server and grab a token to insert in the HTTP packet to be able to send down to the application. I am trying to figure out the best method to manage all this. My first thought would be to use an iRule and SIDEBANDS to talk to the web server to get the token. I do not have any experience using this though and have pretty much stuck to fairly simple iRules up to this point. I would appreciate any thoughts on this or other ideas on how to accomplish this. We are already using proxy SSL for some other application but with restriction to RSA key exchanges only and some other issues it causes us down in the web server tiers it is not an option we want to pursue going forward.
client certificate authentication - continued
I've been working on an APM policy to use client cert auth (no login page/no password) for Exchange ActiveSync. I think my session is successful but this isn't right and I'm not sure that Exchange is actually accepting this. Here's a snip of a session. The domain name is set, the entries metatdata len 351 and "Could not find SSO domain, check variable assign agent setting" will continue to repeat throughout the session. VPE
Update only one specific SSL certificate in a bundle
Hello everyone For a client I configured a VS to do SSL Client Certificate verification with APM. They have around 80 partners that access that VS and each has its own certificate identified by a number. Also each client certificate has been issued by its own CA also identified by that same number All certificates are part of a bundle and that bundle is specified as the ca-file in the SSL profile ltm profile client-ssl /Common/services.ssl_client_prof_2 { app-service none ca-file /Common/certsbundle.crt cert /Common/services.crt cert-key-chain { services_Intermediate_CA_bundle { cert /Common/services.crt chain /Common/Intermediate_CA_bundle.crt key /Common/services_key.key } } chain /Common/Intermediate_CA_bundle.crt defaults-from /Common/services_ssl_client_prof inherit-certkeychain false key /Common/services_key.key passphrase none } That bundle is in PEM format and each partner section is identified by their number example: inline ca-certificate 6003-0780 "end-6003-0780" -----BEGIN CERTIFICATE---- "Encrypted Certificate" -----END CERTIFICATE----- end-6003-0780 They often have to update one of the certificates in the bundle. What is the easiest and reliable way to do this. Is there a command that could replace the section of the file and importing the certificates following the change (keeping the same name as specified in the profile) Maybe not the best way to do this, I am thinking of proposing them to only use one CA to issue all the certificates. Would there be any security issues that would arise by doing that Thank you
Can I have social Open ID login along with the enterprise user login on the same page using F5 APM framework?
Folks, My team is using F5 APM framework for authentication mechanism in our system. I wanted to check the feasibility of a given solution as the screenshot listed below: We wanted to check if we can have social open id along with username textbox. Our developers suggest that this is not possible in F5 APM framework and they are suggesting to have radio buttons having the social sites and username. The user shall to select an option from radio button with either username or social id and then proceed next. Request you to let me know if the above screen design is possible. Kind Regards & Thanks.
