George_33482
Oct 07, 2017

ASM Web Services Security Implementation

Hello,

 

I am implementing a web service using a server certificate (public and private keys) and a client certificate (public). Running version 12.1.2 HF1.

If I use the server certificate only, within request->action->decrypt, it works. But if I use sign and decrypt with the client cert, I get the below error when calling a function, where the ASM blocks the request, since I am learning/blocking all settings in the "Learn and Block Settings":

...................
Verification Error: Verification error, signature value is wrong
Verification Error: Verification error, wrong element digest the underlying crypto library failed to perform signature verification.
..................

1- Can anyone please advise if someone has implemented such a configuration?

2- How can we troubleshoot this scenario/issue? We used to take tcpdump/ssldump at the LTM level to troubleshoot SSL (server or client certs) issues, but now it seems we need to take a capture at the ASM level! If I am correct, how can I troubleshoot such a scenario?

 

Regards, George

 

1 Reply

  • The ASM is essentially a process that talks to the LTM. As such, for most issues you can use tcpdump much as you would with the LTM. If the issue is with HTTP rather than with SSL, you may wish to use HTTPWatch, which, as a browser plugin rather than a proxy, will allow you to see exactly what your web browser is seeing.

     

    In rare instances you may need to see the communication between the LTM and the ASM processes, and in those instances you should already be engaged with support. They will tell you what needs to be done.

     

    From the sound of things it sounds like you are having a cipher problem, which is almost certainly not the ASM, but rather the LTM. Keep in mind that the ASM only operates at layer 7, relying on the underlying LTM infrastructure to handle the other layers of the OSI model. A tcpdump on the BigIP should give you visibility into this.