Forum Discussion

CWaldon_204196
Rank: Nimbostratus
Oct 05, 2016

Options for Mutually Authenticated Connections using Certificates

Hello,

 

I'm attempting to change an existing VS configuration to accommodate some updated security requirements that have been passed down to our team.

 

The existing configuration is as follows:

 

Virtual Service that is listening on the HTTPS port and is doing the SSL offloading for this service on the client side. The server side is unencrypted HTTP. There is also an iRule applied that rewrites the URIs (5 static translations, e.g. /api/v2/xyz to /ABC/xyz, /api/v2/def to /ABC/def).

 

The new requirement is that the client will be providing a client certificate that they want validated. It must be that specific certificate, as the communication is supposed to be just between a single client server owned by our partner and our server.

 

I looked into doing Client Certificate Authentication, but from what I can tell that will simply verify whether or not the certificate is valid, not that specific certificate's details.

 

I also don't want to do it using an iRule, because there's a chance that in the future there will be other clients using this connection, and the scalability of the iRule option seems low.

 

The client certificate validation can be done using Tomcat on the server on our side so I think that the best option for this application would be to push the SSL termination down to the server so that they can do the Client certificate authentication with Tomcat. I am wondering though whether or not this will work with the existing URI rewriting?

 

Not sure if that explanation made sense, we have had a bit of a moving target on this project so the configuration has changed several times.

 

Thanks.

 

5 Replies

  • If Tomcat can validate the user's certificate, could you make the VIP a Layer 4 443 passthrough? The user will be passed Tomcat's SSL certificate to access the site.

     

    I have seen this in the past with IBM Tivoli; one configured access by the user's cert hash ("public" certificate or "public key").

     

  • Thanks, I will try that out!

     

    Will the iRule for the URI rewriting still work if it's configured to do passthrough?

     

  • Hmmmmm... I used to have an iRule that I used to authenticate users based on criteria pulled from a user's public certificate, using a data group... I needed it for a special project. I worked with my F5 Federal guy, stating what I needed in layman's terms, and he transposed it into a magical iRule! I'm still thinking through your problem... my brain isn't quite awake this morning, haha!

     

  • There's no clean non-iRule way to do this quite yet, but as Shaun stated, you can use a data group to minimize customization of that iRule. If you take a look at this page you can see a lot of options for extracting information from the certificate: https://devcentral.f5.com/wiki/iRules.X509.ashx

     

    So you could take a variation of one of the code examples and add the data group.

     

    when CLIENTSSL_HANDSHAKE {
        # Check if the client supplied one or more client certs
        if { [SSL::cert count] > 0 } {
            # Compare the subject of the first client cert against the data group
            if { not ( [class match [X509::subject [SSL::cert 0]] equals my-cert-subject-dg] ) } {
                # Incoming cert subject didn't match a data group entry
                reject
            }
        } else {
            # No certificate presented
            reject
        }
    }
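As an added, runnable illustration (not code from the thread or from F5), the shell script below uses openssl to show the gap between the subject-match iRule above and the original requirement that it be "that specific certificate". It generates two self-signed certificates with an identical subject, builds one allow-list from the pinned certificate's subject and one from its SHA-256 fingerprint, and checks both certificates against both lists. The partner names, file paths and allow-list files are made up for the example; the list files stand in for a BIG-IP data group or a Tomcat truststore entry.

```shell
#!/bin/sh
# Added example (not from the thread): two partner certificates that share one
# subject, checked against a subject allow-list and a SHA-256 fingerprint
# allow-list. Partner names and paths are made up.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Generate a self-signed certificate with the given subject. A fresh key pair
# is created each time, so two runs with the same subject give different DER.
make_cert() {   # $1 = output prefix, $2 = subject in OpenSSL /C=.../CN=... form
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1.pem" -subj "$2" >/dev/null 2>&1
}

# Subject in RFC 2253 form, e.g. CN=api.partner.example,O=Example Partner,C=US
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# SHA-256 fingerprint of the DER-encoded certificate, colon-separated hex
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Exact whole-line lookup in a one-value-per-line allow-list (the file stands
# in for a data group). Returns 0 on a hit, 1 otherwise.
in_list() {   # $1 = value, $2 = list file
    grep -qxF -- "$1" "$2"
}

check_by_subject()     { in_list "$(cert_subject "$1")"     "$2"; }
check_by_fingerprint() { in_list "$(cert_fingerprint "$1")" "$2"; }

# Run a check and print the decision the proxy would make
verdict() { if "$@"; then echo "ALLOW"; else echo "REJECT"; fi; }

PARTNER_SUBJ="/C=US/O=Example Partner/CN=api.partner.example"
make_cert "$WORK/pinned"   "$PARTNER_SUBJ"   # the certificate the partner gave us
make_cert "$WORK/reissued" "$PARTNER_SUBJ"   # same subject, different key and DER

# Both allow-lists are populated from the pinned certificate only
cert_subject     "$WORK/pinned.pem" > "$WORK/subjects.dg"
cert_fingerprint "$WORK/pinned.pem" > "$WORK/fingerprints.dg"

# Expected: ALLOW, ALLOW, ALLOW, REJECT
echo "subject match,     pinned:   $(verdict check_by_subject     "$WORK/pinned.pem"   "$WORK/subjects.dg")"
echo "subject match,     reissued: $(verdict check_by_subject     "$WORK/reissued.pem" "$WORK/subjects.dg")"
echo "fingerprint match, pinned:   $(verdict check_by_fingerprint "$WORK/pinned.pem"   "$WORK/fingerprints.dg")"
echo "fingerprint match, reissued: $(verdict check_by_fingerprint "$WORK/reissued.pem" "$WORK/fingerprints.dg")"
```

The subject list accepts the re-issued certificate, the fingerprint list does not. The same distinction applies to the data-group iRule above: matching X509::subject admits any certificate the configured CA has issued with the partner's subject (a renewal, or a second certificate with that subject), whereas loading the data group with the certificate's fingerprint, or with its issuer plus serial number, pins the one certificate, at the cost of updating the data group when the partner renews; the wiki page linked above lists the commands that expose those fields. Where the check runs also settles the passthrough question earlier in the thread: the URI-rewriting iRule needs the BIG-IP to terminate TLS, because with a Layer 4 passthrough the HTTP payload is opaque to it and an HTTP_REQUEST rewrite cannot see the URIs.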