Forum Discussion

WCP_183386
Jan 20, 2015

F5 to Jboss

I'd like to use F5 to loadbalance over some Jboss servers (no httpds), also terminating mutually-authenticated SSL at the F5.


How do I get the client's certificate subject name into Jboss to check authorization? Does this require custom irule or something?


5 Replies

  • If you're terminating the SSL at the F5, the F5 will be providing the authorization, not your JBoss server. What I'm guessing you want to do, however, is to configure your client SSL profile to require a client certificate, and configure the "Trusted Certificate Authorities" and "Certificate Revocation List (CRL)" sections in the Client Authentication area of the profile.


  • I figured F5 would provide the validation of the certificate against the trust store, but not subject name checking. Can F5 check that the certificate actually names a subject that we specify as a valid user? e.g. CN=somename.we.allow ??


    • Brad_Parker
      That's what the Trusted Certificate Authority and the CRL are for. It assumes any certificate issued by the authority and not in the CRL is a valid certificate. Checking each subject is redundant to validating that the certificate is issued by the root, and it is not necessarily really security, since the subject can easily be spoofed by a different issuer. This is why many use a specific intermediate issuer for client certs for a specific site.
    • WCP_183386
      Well, the fact that a certificate is valid against the truststore (i.e. issued by a trusted authority) isn't enough. It has to be valid/trusted AND reference a subject entity that we have agreed to allow into the system (DN references this entity by name somehow). So, I'm wondering if F5 can do both of these things. Obviously it can check validity, but can it then also check subject. Spurious subjects wouldn't be a problem as they couldn't be asserted on a trusted certificate (i.e. one where we trust the issuer to only provide legit identities).
  • Yes, the F5 can do both. Brad explained the checking of the client cert against the CA; the other part you would do with an iRule. If you search for "checking certificate subject" or something like that you will find many posts about it.


    Something like this: https://devcentral.f5.com/wiki/iRules.ClientCertificateCNChecking.ashx


    If you want the decision logic in your JBoss environment, you could also just add the subject in a header and send it with the request to the JBoss server.


    Still, think about what Brad is saying: is there really a chance someone with a valid cert will misuse this service? If not, why the extra check?
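As an added illustration of the two approaches discussed above (an iRule that checks the client certificate's CN against an allow list, and an iRule that forwards the subject DN to JBoss in a header), here is an example iRule in Tcl. It is not code from the thread, the linked wiki page, or F5; it assumes a string data group named `allowed_client_cns` holding the permitted CNs, a header name `X-Client-Cert-Subject` chosen here, and a client SSL profile that already requires a client certificate with the trusted CAs and CRL configured.

```tcl
# Added example iRule (Tcl); not from the original thread or from F5.
# Assumptions: a string data group "allowed_client_cns" listing permitted CNs,
# and the header name "X-Client-Cert-Subject" (both names are made up here).

when CLIENTSSL_CLIENTCERT {
    # SSL::verify_result is 0 only when the chain validated against the
    # profile's trusted CAs and CRL. The profile already enforces this when
    # set to "require"; checking again here makes the iRule fail closed.
    if { [SSL::verify_result] != 0 } {
        log local0. "client cert rejected: [X509::verify_cert_error_string [SSL::verify_result]]"
        reject
        return
    }

    # Subject DN of the leaf certificate, e.g. "CN=somename.we.allow,OU=Users,O=Example"
    set subject [X509::subject [SSL::cert 0]]

    # Pull out the CN. This split is deliberately simple: it does not handle
    # escaped commas inside an RDN value, which is rare in client certs.
    set cn ""
    foreach rdn [split $subject ","] {
        set rdn [string trim $rdn]
        if { [string match -nocase "CN=*" $rdn] } {
            set cn [string range $rdn 3 end]
            break
        }
    }

    # Subject-level authorization on the F5: the CN must be in the allow list.
    if { $cn eq "" || ![class match $cn equals allowed_client_cns] } {
        log local0. "client cert subject not allowed: $subject"
        reject
        return
    }

    # Keep the subject for the HTTP_REQUEST event on this connection.
    set client_subject $subject
}

when HTTP_REQUEST {
    # Never trust a copy of this header supplied by the client; strip it first,
    # then insert the value taken from the verified certificate.
    HTTP::header remove "X-Client-Cert-Subject"
    if { [info exists client_subject] } {
        HTTP::header insert "X-Client-Cert-Subject" $client_subject
    }
}
```

If JBoss makes the authorization decision from the header, JBoss must only be reachable from the F5 (network ACLs or a firewall), because anyone who can connect to JBoss directly can set that header to any subject they like. Keeping the CN check on the F5 avoids that dependency; use the header only when the application needs the identity, not as its sole proof of it.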