Client Certificate authentication

Hello

 

 

our IIS used Client authentication certificate based.

 

We want to SSL offload on bigip and support client authentication with bigip

 

 

i have two vip 192.168.1.60:http and 192.168.1.https

 

two pool http_pool: 192.168.0.160:http and https_pool : 192.168.0.160:https

 

 

i have two SSL profile, Client and Server SSL profile

 

 

imported customer domain certificate, key and CA certificate

 

 

here is the Client SSL profile

 

 

cert file: customer cert

 

key file :customer key file

 

Chain : customer Ca certificate

 

Trusted Certificate Authorities : customer Ca certificate

 

 

Client authentication Section : Request

 

 

on the SSL profile ;

 

 

cert file: customer cert

 

key file :customer key file

 

Chain : customer Ca certificate

 

 

Notes: if i dont enable Trusted Certificate Authorities and Client authentication mode require i dont see any error packet does not goes to backend server

 

 

with this configuration i can see packet goes to IIS but i see HTTP 403.16 error

 

 

 

regarding irule ; not hits

 

 

 

when CLIENTSSL_CLIENTCERT {

 

set cert [SSL::cert 0]

 

session add ssl [SSL::sessionid] $cert 600

 

}

 

 

when HTTP_REQUEST {

 

set client_cert [session lookup ssl [SSL::sessionid]]

 

if { $client_cert eq ""} {

 

SSL::renegotiate

 

} else {

 

set whole [X509::whole $client_cert]

 

log local0. "Inserting client cert in SSL_CLIENT_CERT $whole"

 

HTTP::header insert SSL_CLIENT_CERT $whole

 

}

 

}