Forum Discussion

Pete_L_112517
Oct 31, 2013

Basic Machine Cert inspection in APM Policy

Hi Guys

Just a newbie question here I guess. I need to set up a basic Machine Cert Auth action in my access policy. I've read the documentation but it just describes it, not naming conventions etc.

I've checked my PC and I get a valid machine certificate and it's stored in Certificates (Local Computer)\Personal\Certificates. It's a valid machine cert issued to the machine with the correct FQDN and issued by my Subordinate CA.

In the Machine Cert Auth action, I'm not sure what to name the Certificate Store. I've tried personal and personal\certificates but I'm not sure if it's actually finding the certificate.

Certificate Store Location is LocalMachine.
CA Profile is /Common/certificateauthority (all default settings - can't seem to select a valid CA cert inside this profile, it just keeps resetting to none).
OCSP Responder is None.
Certificate Match Rule is SubjectCN Match FQDN.

It doesn't need to be fancy just yet. All I want it to do is check that it has a valid machine cert issued from our internal CA and that it hasn't expired. Then it passes on to the next auth method.

No idea where to start really; the only error I can see in the reports is machinecert_auth_ag.result -2

I can't even tell if the policy is finding the certificate.

HELP!? :)


6 Replies

  • If your machine certs are in the default location, the Certificate Store should just be the string "My". Don't ask me why...

    All of the other settings can be left at default to start with.


  • Deleted the Machine Cert Auth Action, and re-added it to the policy and get the exact same result.

    The certificate store is back as "MY" but still no reference in the logs that it has found a certificate.

    I've just re-added the Anti-Virus inspection, and it's passing that so I know for sure that it is able to inspect the client in some way.


  • I would make the following adjustments to the Machine Cert Auth agent:

    Certificate Store Name - MY
    Certificate Store Location - LocalMachine
    CA Profile - it should be an SSL certificate authority profile that contains a CA cert (or bundle of CA certs) that can validate the machine cert. This profile is created in the GUI under Local Traffic - Profiles - SSL - Certificate Authority
    OCSP Responder - none
    Certificate Match Rule - any (for now)
    Save Certificate in a Session Variable - enabled
    Allow UAC right elevation prompts - yes


  • Thanks Kevin, that's where I thought the problem has been - no trusted CA to actually verify the cert it sees.

    The issue I am having with the process now is when I create a CA profile, in the drop down of Trusted Certificate Authorities, I can see the list of all my device certs and chain certs but when I select one and go to save the profile, the selection in that dropdown just reverts back to "none" every time.

    I am running an older version of software (11.1 HF4) so I might have to get an outage to update the software to see if this is a bug in this version.


  • When you say "list of all my device certs and chain certs", are you actually referring to CA certs? This selection should only contain CA certs, and should contain all CA certificates in the path to establish a full chain of trust. If you have more than one CA in that path, then you need to create a text file bundle of all of these certs (in base64 PEM format).
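
The checks the replies above describe (a PEM bundle of every CA in the path loaded into the CA profile, a cert that has not expired, and a Subject CN equal to the machine FQDN) reproduced offline with openssl, as an added example that is not code from the thread or from F5. It assumes openssl is on PATH; the CA names, the client FQDN and the 30-day validity are constructed test values.

```shell
#!/bin/sh
# Added example, not from the thread or from F5: reproduce offline what the APM
# Machine Cert Auth agent has to establish. Assumes openssl is on PATH; the CA
# names and the client FQDN are constructed test values.
set -e
WORK=$(mktemp -d)
cd "$WORK"
FQDN="pc01.corp.example"   # assumed FQDN of the client PC

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext

# Internal Root CA (self-signed) and the Subordinate CA that issues machine certs
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
  -out root.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Sub CA" \
  -keyout sub.key -out sub.csr 2>/dev/null
openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out sub.pem 2>/dev/null

# Machine certificate issued by the Sub CA to the client's FQDN
openssl req -newkey rsa:2048 -nodes -subj "/CN=$FQDN" \
  -keyout machine.key -out machine.csr 2>/dev/null
openssl x509 -req -in machine.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
  -days 30 -out machine.pem 2>/dev/null

# What the CA profile must hold: every CA in the path, concatenated as base64 PEM
cat sub.pem root.pem > ca-bundle.pem

# check_machine_cert CERT BUNDLE FQDN: returns 0 if the agent's checks would pass
check_machine_cert() {
  cert=$1; bundle=$2; fqdn=$3
  # chain of trust up to a CA in the bundle (also fails on an expired cert)
  openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1 || return 1
  # explicit "has not expired" check
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || return 1
  # "SubjectCN Match FQDN" rule
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
       | sed -n 's/^subject= *CN=\(.*\)$/\1/p')
  [ "$cn" = "$fqdn" ]
}

# Full bundle passes; a bundle holding only the root (Sub CA missing) does not
check_machine_cert machine.pem ca-bundle.pem "$FQDN" && echo "full bundle: PASS"
check_machine_cert machine.pem root.pem "$FQDN" || echo "root only: FAIL (chain incomplete)"
```

The root-only case is the situation the thread ends up in: a CA profile that does not contain the Subordinate CA cannot validate a machine cert the Sub CA issued.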

  • Yep, I know what you mean (I think) but apologies, I think my terminology is wrong.

    I have a list of certs, and some are external CAs which aren't the ones we want to use. I had to "chain" some external certs for a different purpose. In this instance I only need to verify against an internal CA, which I have the certificate for on the appliance.

    The issue is that when I select any certificate in this list, the selection won't stick.

    Here is a screenshot of what I'm trying to change (had to black out some info that made me identifiable as I can't upload for some reason)

    Screenshot