certificate
78 Topics

Trouble applying GoDaddy certificate to a virtual server
I have created a few virtual servers and applied certs. They work just fine because they are using our internal CA. I have one now that uses a GoDaddy cert. I was provided a GoDaddy pfx file. I imported the cert and key without issues. I created the SSL profiles. In the ClientSSL profile, I chose the newly imported GoDaddy cert for Certificate, Key and Chain. I added the profile to the virtual server. When I open the virtual server in any browser, I get "The site can't be reached". Using Firefox, I get the error "Error code: PR_CONNECT_RESET_ERROR". Because it's not an invalid cert error, I can't easily troubleshoot. Am I doing something that is glaringly wrong?

(Solved)

Support dynamic CRL check for clientSSL profile (BIG-IP 15.1)
Hi, did anyone test the (dynamic) CRL validator object for the client SSL profile (BIG-IP v15.1)? It should work in v15.1 (fixed bug 743758 - https://cdn.f5.com/product/bugtracker/ID743758.html). I'm getting the following errors for all client certificates:

err tmm1[21207]: 01a40008:3: Unable to build certificate trust chain for profile /clientssl_profile
tmm1[21207]: 01260009:4: clientIP:62042 -> VIP:443: Connection error: ssl_hs_do_crl_validation:6014: alert(46) unknown certificate error

With a CRL File it works OK, but the file does not automatically fetch, check, and cache CRL files…

Kr, EPX

SSL handshake failure during SSO
Both our production and non-production service desk applications use SSO. The user connects to the application VIP, which redirects users to the SSO VIP on 443. The F5 configuration for these two environments is identical: SSL bridging with the default Client SSL profile as parent. No customizations except for the certificate/key/bundle. However, in the non-prod environment the SSL handshake cannot complete. tcpdump shows a fatal error, certificate unknown, even though this is the same cert/key on the SSO server. When I browse directly to the SSO VIP, the application works as expected. Currently the work-around is to have the non-prod ITSD application server bypass the F5 and go directly to the SSO app server rather than the F5.

BIG-IQ & AS3 Template using Certificates uploaded to BIG-IQ
Good Day - Currently I am running BIG-IQ version 8.2.x, and we are deploying / migrating all legacy applications over to BIG-IQ AS3 templates. Currently we utilize a BYOC (Bring Your Own Certificate) model, where end users need to download certs and copy and paste them into the application via BIG-IQ. I do not have the API process set up just yet, but they are bound by the AS3 template created in BIG-IQ. We are now looking at integrating BIG-IQ with Venafi 22.4.1.2245. What I am trying to figure out is the following. My thought would be a Venafi automated process to import/upload into BIG-IQ, as in the link below, and then with the Venafi integration certificates could be set to auto-renew, and the app owner would just need to republish their application to update the certificate.

https://clouddocs.f5.com/products/big-iq/mgmt-api/v0.0/HowToSamples/bigiq_public_api_wf/t_import_cert_and_key.html

But now I am trying to work out how to link the AS3 templates for the applications to the certificate now imported into BIG-IQ. The values I have within the Certificate section of the AS3 template are the following:

- Base64 (we are not using this)
- Text (this is what we are using for the BYOC process, where users copy and paste the text version of the cert, but we are looking to improve on it with the process above)
- Resource URL (I tried using similar for my cert, like the links below from the above import article, but this is not working, for it is giving a pointer error) (Question: could this be a URL to Venafi where it could download the certificate automatically?)
  https://localhost/mgmt/cm/adc-core/working-config/sys/file/ssl-key/ed0168ee-696f-3036-8266-7b81c4840246
  https://localhost/mgmt/cm/adc-core/working-config/sys/file/ssl-cert/9c6dfe1c-7d89-3447-bf35-e58c88904a7c
- Copy from (I tried this with all different variants from the import document, but I just keep getting an F5pointer error). Does anybody know how to use this to pull the certificate in?
- BIG-IP component pathname (this will not work, as the cert would need to be pushed to the BIG-IP)

Anybody have any thoughts on this? My goal is to not have to do any certificate management aspect, just either profile the link to where the cert can be pulled from via BIG-IQ or Venafi when a user deploys the application. Ideally we would be using the process to import the cert and referencing this cert on BIG-IQ at deployment time. Any help would be greatly appreciated. Thx

Does the Serverssl profile require a certificate?
Hi, we want to use the F5 for SSL bridging (decrypt using the SSL client profile and re-encrypt using the serverssl profile). The problem is our server uses a self-signed root certificate, and the certificate name is the server IP (e.g. 10.10.10.1). How do we configure the SSL server profile? Should we just choose None in the certificate setting? Should we import the self-signed root certificate the server is using into BIG-IP? Where do we import it? Thank you, Kridsana

LTM two-way SSL authentication with a specific client cert, not CA cert
Hi experts, I am trying to set up SSL two-way authentication following this link: https://support.f5.com/csp/article/K12140946#test. It is successful when I choose a CA certificate in the "Trusted Certificate Authorities" field in the Client SSL profile. However, this would authenticate anyone with a client cert signed by the CA (e.g., DigiCert), correct? How do I make it accept only a specific client cert (e.g. xyz.example.com but not abc.example.com)? I have tried to specify the client cert in the field, and the GUI accepts the setting, but it doesn't work. Thanks!

Importing RSA Certificate & key
Hi, I'm browsing the SSL certificate list, and there are different types of Contents. I'm particularly interested in "RSA Certificate & key", since this is the method I'd like to use to import two of the newly received CA certificates. The problem is I have no idea how. I can easily import certificate and key as separate entries, but this seems to clutter the list. I'm also having difficulties finding proper instructions on the web. Please help or direct me to some that just assume I'm an F5 first-timer :) thanks

DISA OCSP responder sometimes producing errors
Hi, not sure if there are others that have this issue; it seems sporadic. I'm using BIG-IP v13.1.1. OCSP will sometimes fail and users will fail to log in, and it will fail for a random duration of time, which makes me think it may be an issue with DISA's OCSP servers. It doesn't happen daily. I have a pretty standard APM setup. No HA, nothing weird. My VPE:

Start -> On Demand Cert (request) -> OCSP (/Common/DISA_OCSP, cert type user) -> etc etc ->

For my OCSP config I have default settings, with the Certificate Authority file as the DOD CA bundle and Verify Other as the DOD Email CA bundle. Everything is checked besides Ignore AIA and Trust Other. The error in /var/log/apm is:

OCSP Auth agent: Failure status 'Error querying OCSP responsder host (ocsp.disa.mil) path (/)'

(the "responsder" spelling is a typo in the error message itself)

Looking at my email cert, it looks like I have two different AIAs. One is a crl.disa.mil URL pointing at my CA's DODEMAILCA cer file; the other is ocsp.disa.mil. Can anyone recommend a more stable way to configure this?

iRule to redirect user with incorrect certificate to specific URL
Hello, I'm writing an iRule which should redirect the user to a specific URI if the user doesn't have a cert or has an incorrect cert. Client SSL profile client authentication is set to "ignore". I want to redirect the user with an incorrect cert to "https://[HTTP::host]/index.php?id=14", which is the only URI that works without cert auth. HTTP respond or redirect in the event "when HTTP_REQUEST_SEND" does not work, but logging does ("No or invalid client Certificate!"). Browser response when I choose an incorrect cert:

"This site can’t provide a secure connection sent an invalid response. Try running Windows Network Diagnostics. ERR_SSL_PROTOCOL_ERROR"

Code:

    # Fires once the client certificate (if any) has been received during the renegotiation
    when CLIENTSSL_CLIENTCERT {
        HTTP::release
        if { [SSL::cert count] < 1 } {
            log local0. "No client Certificate!"
        }
    }

    when HTTP_REQUEST {
        # Every URI except the exempt page: hold the request and demand a client cert
        if { [HTTP::uri] ne "/index.php?id=14" } {
            if { [SSL::cert count] <= 0 } {
                HTTP::collect
                SSL::authenticate always
                SSL::authenticate depth 9
                SSL::cert mode require
                SSL::renegotiate
            }
        }
        # The exempt page is served without client cert auth
        if { [HTTP::uri] eq "/index.php?id=14" } {
            log local0. "uri eq id=14"
            pool XYZ-POOL
        }
    }

    when HTTP_REQUEST_SEND {
        clientside {
            if { [SSL::cert count] > 0 } {
                # Pass the client cert details to the backend as headers
                HTTP::header insert "X-SSL-Session-ID" [SSL::sessionid]
                HTTP::header insert "X-SSL-Client-Cert-Status" [X509::verify_cert_error_string [SSL::verify_result]]
                HTTP::header insert "X-SSL-Client-Cert-Subject" [X509::subject [SSL::cert 0]]
                HTTP::header insert "X-SSL-Client-Cert-Issuer" [X509::issuer [SSL::cert 0]]
                log local0. "http header insert completed"
            } else {
                # This branch logs, but neither the redirect nor the respond reaches the browser
                log local0. "No or invalid client Certificate!"
                HTTP::redirect "https://www.xyz.com/index.php?id=14"
                HTTP::respond 302 Location "https://[HTTP::host]/index.php?id=14"
            }
        }
    }

Best regards, Spela