APM Machine Tunnel - Machine Cert Auth Check Failing
I have an APM policy configured, with the initial check being 'client type' for a machine tunnel or edge client. After that there is a Machine cert auth check for both edge client and machine tunnel connections, this is identical for both type of client. The machine cert check is successful when the client connects using the edge client, however it is failing when the machine tunnel connection tries to connect. Is there any difference in what the machine cert check does for a machine tunnel and edge client? The f5mcertcheck logs from the client shows exactly the same behaviour for the machine tunnel and edge client checks. One thing I'm not sure about is whether I need to configure the client as per the documentation below, seems to suggest this is for on-demand cert auth? Does the client need this configuration for machine cert check also? https://techdocs.f5.com/en-us/edge-client-7-2-1/big-ip-access-policy-manager-edge-client-and-application-configuration-7-2-1/big-ip-edge-client-for-windows.html#configuring_client_certificates_for_machine_tunnel_authentication Configuring client certificates for machine tunnel authentication When you configure client certificates for the machine tunnel service, you specify the location where the certificates are stored. For on-demand certificate authentication, the F5 Machine Tunnel service can select client certificates present in the service account or from the local computer. Service Account:To select a service account as the certificate store, the F5 Machine Tunnel service should be installed on the client system. This store is local to the f5MachineTunnelService on the device. Local computer:Selecting a local machine store as the certificate store does not require the F5 Machine Tunnel service to be installed. You can specify the location of the client certificate on the local machine. JohnAPM Machine Certificate Auth - MACs
I've got machine cert check configured on an APM policy which works fine for Windows machines. An issue has been seen where the cert auth on Macs can fail if there are some expired certificates on the machine. I can't find any documentation as to how and in what order the APM/Edge Client checks the certificates on the machines, ie does it check the first certificate in the store and report back the status of that, or does it check through all certs for a valid match? So if the first cert in the store had expired but also had a valid cert, does that cause the cert check to fail? If that is the case is there anything on the F5 config that can be done to check all certs in the store for a match? John