client certificate authentication
4 Topics

SSL client profile - certificate authentication - multiple CRL files

Hi guys, currently I'm running tests with certificate-based user authentication, using LTM/APM. In general everything is working fine, except for the fact that there is no option to check several CRL files in one SSL client profile. As there are multiple CAs that have issued client certificates, I need to check several CRL files. The documentation is not very specific about this piece of information. There are only statements that it is not allowed to have multiple CRLs in a single master file. I have tried to use CRLDP, but this only works in conjunction with LDAP. I can only provide the CRLs via file upload to BIG-IP or via HTTP downloads from an internal server. The only idea I have so far, which is still not tested, is to use several SSL client profiles, one for each Trusted CA, assign the correct CRL file, stored locally on the BIG-IP, and then assign the SSL client profiles dynamically, based on the requested hostname in the SNI extension. To be honest, I cannot believe that there is no easier way to achieve this. Any ideas on that? Thanks in advance. Greets, svs

Trouble with Smart Card Login to the F5 Web Management UI

I've read https://devcentral.f5.com/questions/smart-card-login-to-f5-web-management and https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-user-account-administration-12-0-0/6.html but I'm having trouble getting smart cards to work to log in to the web management console of the F5 itself. We are an Active Directory shop (2012), and if we need to tweak our Smart Card certs for this, we can. I can get the management site to verify the client cert, but no authentication happens--you just land at the login page (where you can enter name/password, and it successfully authenticates, but that defeats the purpose). I've uploaded our internal root CA certificate to the Apache Certificates store, and configured httpd as follows (note: the GUI for the cert-LDAP piece ALWAYS turns on OCSP checking, regardless of the setting--this is really annoying):

    sys httpd {
        auth-pam-idle-timeout 1800
        log-level debug
        ssl-ca-cert-file /Common/InternaCA-cert
        ssl-ciphersuite DEFAULT:!3DES:!LOW:!MD5:!EXPORT
        ssl-verify-client require
        ssl-verify-depth 20
    }

And then I have tried several variations on the following (the subject of our Smart Card certs is the DistinguishedName, and we have the userPrincipalName in the subject alternate name--these accounts don't have email addresses). The accounts/domains are sanitized in the code below:

    auth cert-ldap system-auth {
        bind-dn "CN=LDAP Runner,OU=Other,OU=Users-Internal,DC=contoso,DC=com"
        bind-pw BINDPASSWORD
        check-roles-group enabled
        debug enabled
        login-attribute sAMAccountName
        login-name userPrincipalName
        search-base-dn OU=Users-Internal,DC=Contoso,DC=com
        servers { dc8.contoso.com }
        ssl-cname-field san-other
        ssl-cname-otheroid 1.3.6.1.4.1.311.20.2.3
        sso on
    }

I've tried combinations of the CN and OID for the UPN. Watching the tcpdump traffic, I can see that there's no LDAP traffic at all (unless you enter the user name and password in the forms).

The httpd logs aren't showing anything that seems useful, though lots and lots of:

    Sep 23 18:04:30 F502EU err httpd[21790]: [error] [client 127.0.0.1] AUTHCACHE PAM: user 'admin' - not authenticated: Authentication failure

Which corresponds to lots and lots of:

    Sep 23 19:10:19 F502EU err httpd[22289]: [error] [client 127.0.0.1] AUTHCACHE PAM: user 'admin' - not authenticated: Authentication failure
    Sep 23 19:10:19 F502EU info httpd(pam_audit)[22289]: User=admin tty=(unknown) host=127.0.0.1 failed to login after 1 attempts (start="Fri Sep 23 19:10:17 2016" end="Fri Sep 23 19:10:19 2016").

What am I missing?

Can the LTM SSL client certificate LDAP authentication module be configured to do protocol transition and Kerberos constrained delegation?

Can the LTM SSL client certificate LDAP authentication module be configured to do protocol transition and Kerberos constrained delegation if the LDAP server is an Active Directory Domain Controller? If not, can an iRule be used to do protocol transition and Kerberos constrained delegation after the LTM SSL client certificate LDAP authentication module has successfully authenticated and authorized the user? If not, can the tmsh command create kerberos-delegation be used in a way such that protocol transition and Kerberos constrained delegation is done after the LTM SSL client certificate LDAP authentication module has successfully authenticated and authorized the user? If not, is using APM the only way to do protocol transition and Kerberos constrained delegation of a user authenticating using client certificate authentication with Active Directory?

Is ca-bundle.crt updated when I update BIG-IP?

I compared ca-bundle.crt on BIG-IP between 11.5.x and 12.1.x, because of a problem with client certificate auth I faced. The difference I found is the following:

    BIG-IP 12.1.x (VE):        7108135 2017-04-29 20:18 /config/ssl/ssl.crt/ca-bundle.crt
    BIG-IP 11.5.x (appliance): 3635692 Jan 16 2016      /config/ssl/ssl.crt/ca-bundle.crt

When I update 11.5.x to 12.1.x, will the ca-bundle.crt be replaced with the newer one? Or should I copy the ca-bundle.crt from 12.1.x to 11.5.x? I need the correct GlobalSign Root CA, but the ca-bundle.crt on 11.5.x has duplicated CAs inside (they have the same subject key). Also the number of GlobalSign CAs on 12.1.x is 9. That is more than the 3 on 11.5.x. Thanks for reading.
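The first topic above (several issuing CAs, each with its own CRL file) and the second (cert-LDAP keyed on the userPrincipalName carried in the SAN otherName with OID 1.3.6.1.4.1.311.20.2.3) both come down to what a verifier has to do with a client certificate before any LDAP lookup happens. The script below is an added example, not code from the posts or from F5, and it does not show how BIG-IP itself processes CRLs. It builds a constructed PKI in memory with the `cryptography` package (two trusted CAs, one untrusted CA, names and the contoso.com UPN are made up) and then demonstrates two things: a revocation check that only consults the CRL signed by the certificate's own issuer, failing closed when that CRL is missing or stale, and extraction of the UPN from the otherName entry, which is the value a cert-LDAP lookup would match against the directory.

```python
# Added example (not F5/BIG-IP code): constructed two-CA PKI used to show
# (1) checking a client cert only against the CRL issued by its own CA, so
#     each trusted CA carries its own CRL, and
# (2) reading the userPrincipalName from the SAN otherName with the Microsoft
#     UPN OID 1.3.6.1.4.1.311.20.2.3.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")
NOW = datetime.datetime.now(datetime.timezone.utc)
DAY = datetime.timedelta(days=1)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _builder(subject, issuer, pubkey):
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY).not_valid_after(NOW + DAY))

def make_ca(cn):
    """Constructed self-signed CA (key, certificate)."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (_builder(_name(cn), _name(cn), key.public_key())
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def der_utf8string(s):
    """Minimal DER UTF8String (tag 0x0C, short-form length, < 128 bytes)."""
    b = s.encode("utf-8")
    assert len(b) < 128
    return bytes([0x0C, len(b)]) + b

def issue_client(ca_key, ca_cert, cn, upn=None):
    """Constructed end-entity cert; optionally carries a UPN otherName SAN."""
    key = ec.generate_private_key(ec.SECP256R1())
    b = _builder(_name(cn), ca_cert.subject, key.public_key())
    if upn:
        san = x509.SubjectAlternativeName([x509.OtherName(UPN_OID, der_utf8string(upn))])
        b = b.add_extension(san, critical=False)
    return b.sign(ca_key, hashes.SHA256())

def make_crl(ca_key, ca_cert, revoked_serials):
    """CRL signed by ca_key listing the given serial numbers."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW - DAY).next_update(NOW + DAY))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(serial).revocation_date(NOW - DAY).build())
    return b.sign(ca_key, hashes.SHA256())

def check_client_cert(cert, trusted_cas, crls):
    """Return 'ok', 'revoked', or the reason the check failed closed."""
    issuer = next((ca for ca in trusted_cas if ca.subject == cert.issuer), None)
    if issuer is None:
        return "untrusted-issuer"
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
    except Exception:
        return "bad-cert-signature"
    # Only a CRL signed by the issuing CA is authoritative for this cert; a CRL
    # from a different trusted CA says nothing about it.
    crl = next((c for c in crls if c.issuer == issuer.subject
                and c.is_signature_valid(issuer.public_key())), None)
    if crl is None:
        return "no-valid-crl"
    next_update = (getattr(crl, "next_update_utc", None)
                   or crl.next_update.replace(tzinfo=datetime.timezone.utc))
    if next_update < datetime.datetime.now(datetime.timezone.utc):
        return "stale-crl"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "ok"

def upn_from_cert(cert):
    """userPrincipalName from the SAN otherName, or None if absent."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return None
    for other in san.get_values_for_type(x509.OtherName):
        if other.type_id == UPN_OID and other.value[0] == 0x0C:
            return other.value[2:2 + other.value[1]].decode("utf-8")
    return None

def demo():
    """Constructed scenario: CA A and CA B trusted, CA X not; bob revoked."""
    ca_a_key, ca_a = make_ca("Constructed CA A")
    ca_b_key, ca_b = make_ca("Constructed CA B")
    ca_x_key, ca_x = make_ca("Constructed CA X")
    alice = issue_client(ca_a_key, ca_a, "alice", upn="alice@contoso.com")
    bob = issue_client(ca_b_key, ca_b, "bob")
    carol = issue_client(ca_x_key, ca_x, "carol")
    crls = [make_crl(ca_a_key, ca_a, []), make_crl(ca_b_key, ca_b, [bob.serial_number])]
    trusted = [ca_a, ca_b]
    return {
        "alice": check_client_cert(alice, trusted, crls),
        "bob": check_client_cert(bob, trusted, crls),
        "alice-without-ca-a-crl": check_client_cert(alice, trusted, crls[1:]),
        "carol": check_client_cert(carol, trusted, crls),
        "alice-upn": upn_from_cert(alice),
        "bob-upn": upn_from_cert(bob),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point of `check_client_cert` is the issuer match: a CRL is only meaningful for certificates from the CA that signed it, so a verifier that trusts N CAs needs N current, signature-valid CRLs, and the absence of the right one should be treated as a failure rather than as "not revoked". `upn_from_cert` shows why `ssl-cname-field san-other` with the UPN OID is the correct field for smart card certificates whose subject is a DN without an e-mail address: the UPN lives in the otherName, not in the CN.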