Forum Discussion

Dev_56330
Jan 15, 2018

Remote User Management - LDAP Client Cert

Has anyone successfully deployed LDAP using client cert authentication to the BIG-IP TMUI? I see the guide though it is not very intuitive so I was curious if anyone would be willing to share their configuration? From what I hear, there have been bugs prior to 13.1 which have now been resolved to allow this capability. Thanks!

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-user-account-administration-13-1-0/5.html

12 Replies

  • Below is my current config though for some reason when modifying authentication methods for remote users, httpd stops with the error "err httpd[4467]: [error] Unable to configure verify locations for client authentication"

    root@(bigip1)(cfg-sync Standalone)(ModuleNotLicensed::Active)(/Common)(tmos) show running-config auth
    auth cert-ldap system-auth {
        bind-dn CN=Administrator,CN=Users,DC=test,DC=com
        bind-pw $M$O4$RMnF/vBcoSHr/NYmQqr7Yw==
        debug enabled
        login-attribute sAMAccountName
        login-filter [a-zA-Z0-9]\\\\w*(\\\?=@)
        login-name altSubjectName=Othername
        search-base-dn DC=test,DC=com
        servers { 10.1.20.10 }
        ssl-cname-field san-other
        ssl-cname-otheroid 1.3.6.1.4.1.311.20.2.3
        sso on
    }
    auth password-policy { }
    auth remote-role {
        role-info {
            BIGIPadmins {
                attribute CN=BIGIPadmins,OU=Groups,DC=test,DC=com
                console tmsh
                line-order 1
                role administrator
                user-partition All
            }
        }
    }
    auth remote-user { }
    auth source {
        type cert-ldap
    }
    auth user admin {
        description "Admin User"
        encrypted-password $6$CEtjm9Te$.VC8lUQnU1NcT0Udsgq6jtR.SSbASW2//e3tfxmRXzb4nv7E1E.Bb0KotT2C..rbRMpBgbdJNs1sBRFdiBHXm1
        partition Common
        partition-access {
            all-partitions {
                role admin
            }
        }
        shell none
    }
    
  • Below is my httpd config.

    root@(bigip1)(cfg-sync Standalone)(ModuleNotLicensed::Active)(/Common)(tmos) list sys httpd all-properties
    sys httpd {
        allow { All }
        auth-name BIG-IP
        auth-pam-dashboard-timeout off
        auth-pam-idle-timeout 12000
        auth-pam-validate-ip on
        description none
        fastcgi-timeout 300
        fips-cipher-version 0
        hostname-lookup off
        include none
        log-level debug
        max-clients 10
        redirect-http-to-https disabled
        request-body-max-timeout 0
        request-body-min-rate 500
        request-body-timeout 60
        request-header-max-timeout 40
        request-header-min-rate 500
        request-header-timeout 20
        ssl-ca-cert-file /Common/CurrentCACert
        ssl-certchainfile none
        ssl-certfile /etc/httpd/conf/ssl.crt/server.crt
        ssl-certkeyfile /etc/httpd/conf/ssl.key/server.key
        ssl-ciphersuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA
        ssl-include none
        ssl-ocsp-default-responder http://dc.test.com/ocsp
        ssl-ocsp-enable on
        ssl-ocsp-override-responder off
        ssl-ocsp-responder-timeout 300
        ssl-ocsp-response-max-age -1
        ssl-ocsp-response-time-skew 300
        ssl-port 443
        ssl-protocol all
        ssl-verify-client require
        ssl-verify-depth 10
    }
    
  • httpd error logs

    [root@bigip1:ModuleNotLicensed::Active:Standalone] httpd  tail -f httpd_errors
    Jan 15 15:18:09 bigip1 err httpd[25050]: [error] Unable to configure verify locations for client authentication
    Jan 15 15:21:45 bigip1 err httpd[26019]: [error] Unable to configure verify locations for client authentication
    Jan 15 15:27:40 bigip1 err httpd[27394]: [error] Unable to configure verify locations for client authentication
    Jan 15 15:27:45 bigip1 err httpd[27472]: [error] Unable to configure verify locations for client authentication
    Jan 15 15:33:17 bigip1 err httpd[28861]: [error] Unable to configure verify locations for client authentication
    Jan 15 16:37:18 bigip1 err httpd[10615]: [error] Unable to configure verify locations for client authentication
    Jan 15 16:39:27 bigip1 err httpd[11132]: [error] Unable to configure verify locations for client authentication
    Jan 15 16:41:48 bigip1 err httpd[11924]: [error] Unable to configure verify locations for client authentication
    Jan 15 16:47:06 bigip1 err httpd[13281]: [error] Unable to configure verify locations for client authentication
    Jan 15 16:47:12 bigip1 err httpd[13347]: [error] Unable to configure verify locations for client authentication
    
  • Ok, progress. After modifying most/if not all objects in httpd config, I configured the CA cert to none and httpd now starts again. Not quite sure what the issue could have been with the CA cert. However, I am now here. I am prompted for a client certificate and receive these errors.

    Jan 15 20:14:35 bigip1 err httpd[23742]: [error] [client 10.1.1.81] Re-negotiation handshake failed: Not accepted by client!?, referer: https://bigip1.test.com/banner.html
    Jan 15 20:14:49 bigip1 err httpd[23819]: [error] [client 10.1.1.81] Certificate Verification: Error (20): unable to get local issuer certificate
    Jan 15 20:14:49 bigip1 err httpd[23819]: [error] [client 10.1.1.81] Re-negotiation handshake failed: Not accepted by client!?, referer: https://bigip1.test.com/banner.html
    Jan 15 20:14:49 bigip1 err httpd[23742]: [error] [client 10.1.1.81] Re-negotiation handshake failed: Not accepted by client!?, referer: https://bigip1.test.com/banner.html
    
  • Unable to perform an SSLdump on the management interface and unable to decrypt traffic using the private key using Wireshark. Has anyone run into issues with compatibility between httpd cipher suites and Windows 2012?

  • hello DeV,

    The error you mention (Unable to configure verify locations for client authentication) most often has to do with the SSLCertificateChainFile or the SSLCACertificateFile being unable to be read and parsed... You have to be sure that this certificate is in PEM format! We often have issues with DER and Base64 in this use case...

    Regards,

    Kevin_K_51432

    Greetings,

    My configuration is far simpler than yours, I'll post it below. For me, the ssldump output wasn't very helpful. I used both the /var/log/httpd/httpd_errors and /var/log/secure logs to troubleshoot.
    BIG-IP config:
    
     list sys httpd
    sys httpd {
        ssl-ca-cert-file /Common/bigip_ca
        ssl-ocsp-default-responder http://172.24.171.29:2345
        ssl-ocsp-enable on
        ssl-ocsp-override-responder on
        ssl-verify-client require
    }
    
    
     list auth cert-ldap
    auth cert-ldap system-auth {
        bind-dn cn=admin,dc=ldap,dc=test,dc=net
        bind-pw $M$nq$CDOcADlm/Mkwy8MIU1/eLg==
        login-attribute uid
        login-filter "[a-z]{5}"
        login-name cn
        search-base-dn ou=People,dc=ldap,dc=test,dc=net
        servers { 172.24.171.2 }
        sso on
    }
    
    LDAP entry:
    
     kevin, People, ldap.test.net
    dn: uid=kevin,ou=People,dc=ldap,dc=test,dc=net
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    uid: kevin
    cn: kevin
    displayName: kevin
    
    
    SSL certificate:
    
    Subject: C=US, ST=Washington, L=Seattle, O=Example, OU=Example BIGIP Admins, CN=kevin
    

    Hope this is helpful!

    Kevin
      Dev_56330

      I have continued to look at the httpd logs though below is all I get.

      Jan 18 05:42:05 ip-10-10-10-10 err httpd[5837]: [error] [client 10.1.20.25] Re-negotiation handshake failed: Not accepted by client!?, referer: https://bigip1.ad.lab/xui/
      Jan 18 05:42:06 ip-10-10-10-10 err httpd[5837]: [error] [client 10.1.20.25] Re-negotiation handshake failed: Not accepted by client!?, referer: https://bigip1.ad.lab/tmui/Control/form?__handler=/tmui/system/user/authconfig&__source=finished&__linked=false&__fromError=false
      Jan 18 05:42:06 ip-10-10-10-10 err httpd[5837]: [error] [client 10.1.20.25] Re-negotiation handshake failed: Not accepted by client!?, referer: https://bigip1.ad.lab/tmui/Control/form?__handler=/tmui/system/user/authconfig&__source=finished&__linked=false&__fromError=false
      Jan 18 05:42:06 ip-10-10-10-10 err httpd[5837]: [error] [client 10.1.20.25] Re-negotiation handshake failed: Not accepted by client!?, referer: https://bigip1.ad.lab/tmui/Control/form?__handler=/tmui/system/user/authconfig&__source=finished&__linked=false&__fromError=false
      
      Kevin_K_51432

      Definitely SSL related. So, a few SSL related things I ran into:

      1) Ensure the OCSP service is up and reachable.
      2) Ensure you are using SHA256 for signing.
      3) Ensure the CA cert has the "extendedKeyUsage = OCSPSigning" extension.
      4) Ensure the CA cert is in the certificate database. httpd checks the CA cert first for some reason.
      

      Hope these points offer some help!

      Kevin
      Dev_56330

      Thank you Kevin. It is now working. The 4 issues that I think bit me are below.

      1. In my lab environment I did not add OCSP to the AIA extension of the CA. I reissued the cert once added and then ran certutil -URL path\dev.cer. Validated the certificate against my OCSP responder.
      2. Imported CA cert in PEM format. (Base64)
      3. Configured OCSP override on the BIG-IP client-cert ldap config.
      4. Enabled Nonce support on my OCSP responder.

      Unfortunately my frustration led me to modify all four without trying to determine which of them actually resolved it. Nonetheless, thank you for taking the time to respond to my question. Your input is greatly appreciated.

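Kevin's four checks and the four fixes above all come down to properties of the CA and client certificates that can be verified with openssl before the CA is loaded as ssl-ca-cert-file. The script below is an added example, not from this thread or from F5; it assumes the openssl CLI is available, and the function names are mine.

```shell
#!/bin/sh
# Pre-flight checks for the CA and client certificates used by BIG-IP httpd
# client-cert auth. Added example (not from this thread or from F5); assumes
# the openssl CLI. Each check prints a verdict and returns 0 (pass) / 1 (fail).

# 1. httpd wants the CA in PEM; a binary DER export is what produces
#    "Unable to configure verify locations for client authentication".
check_pem_format() {
    openssl x509 -in "$1" -inform PEM -noout >/dev/null 2>&1 && return 0
    if openssl x509 -in "$1" -inform DER -noout >/dev/null 2>&1; then
        echo "FAIL: $1 is DER; convert with: openssl x509 -inform DER -in $1 -out ca.pem"
    else
        echo "FAIL: $1 is neither PEM nor DER X.509"
    fi
    return 1
}

# 2. The certificate must be signed with SHA-256 (first "Signature Algorithm" line).
check_sig_alg() {
    alg=$(openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}')
    case "$alg" in
        sha256*|ecdsa-with-SHA256) echo "OK: signature algorithm $alg"; return 0 ;;
        *) echo "FAIL: signature algorithm $alg, expected SHA-256"; return 1 ;;
    esac
}

# 3. A CA that signs its own OCSP responses needs extendedKeyUsage = OCSPSigning.
check_ocsp_eku() {
    if openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | grep -q 'OCSP Signing'; then
        echo "OK: extendedKeyUsage includes OCSP Signing"; return 0
    fi
    echo "FAIL: extendedKeyUsage lacks OCSP Signing"; return 1
}

# 4. The client cert must carry an OCSP URI in its AIA extension, or httpd has
#    no responder to ask (the Windows-side equivalent is certutil -URL).
check_aia_ocsp() {
    url=$(openssl x509 -in "$1" -noout -ocsp_uri 2>/dev/null)
    [ -n "$url" ] && { echo "OK: AIA OCSP responder $url"; return 0; }
    echo "FAIL: no OCSP URI in Authority Information Access"; return 1
}

# 5. Live check (needs network): responder reachable and honouring the nonce.
#    Expect "<client.pem>: good" and "Response verify OK".
query_ocsp() {   # $1 = CA PEM, $2 = client cert PEM
    url=$(openssl x509 -in "$2" -noout -ocsp_uri) && [ -n "$url" ] || return 1
    openssl ocsp -issuer "$1" -cert "$2" -url "$url" -nonce -CAfile "$1"
}
```

Checks 1 to 4 need no network and catch the DER import and the missing OCSPSigning EKU discussed in the thread; run check 5 only against the real responder.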
  • For troubleshooting purposes I am attempting to perform certificate-based authentication within APM using the same certificates as I am in TMUI. I exported the BIG-IP certificate and key to create a client SSL profile. I imported the CA cert and added that to the trusted and advertised fields of the client SSL profile. SSL profile has ignore for client certificate and ODCA is configured to required. I am prompted for a certificate though based on the logs from my SSL profile no certificate has been passed.

    --------------------------------------------------------------------------------------
    Ltm::ClientSSL Profile: BIGIPClientSSL
    --------------------------------------------------------------------------------------
    Virtual Server Name                                               N/A
    
    Bytes                                                         Inbound  Outbound
      Encrypted                                                     48.1K    235.9K
      Decrypted                                                     24.6K    143.8K
    
    Connections                                                      Open   Maximum  Total
      Native                                                            0         6     55
      Compatibility                                                     0         0      0
      Total                                                             0         7     55
    
    Certificates/Handshakes
      Valid Certificates                                                0
      Invalid Certificates                                              0
      No Certificates                                                  55
      Mid-Connection Handshakes                                         0
      Secure Handshakes                                                55
      Current Active Handshakes                                         0
      Insecure Handshakes Accepted                                      0
      Insecure Handshakes Rejected                                      0
      Insecure Renegotiations Rejected                                  0
      Mismatched Server Name Rejected                                   0
      Extended Master Secret Handshakes                                55
    
    Protocol
      SSL Protocol Version 2                                            0
      SSL Protocol Version 3                                            0
      TLS Protocol Version 1.0                                          0
      TLS Protocol Version 1.1                                          0
      TLS Protocol Version 1.2                                         55
      DTLS Protocol Version 1                                           0
    
    Key Exchange Method
      Anonymous Diffie-Hellman                                          0
      Diffie-Hellman w/ RSA Certs                                       0
      Ephemeral Diffie-Hellman w/ DSS Certs                             0
      Ephemeral Diffie-Hellman w/ RSA Certs                             0
      Ephemeral ECDH w/ ECDSA Certs                                     0
      Ephemeral ECDH w/ RSA Certs                                      17
      Fixed ECDH w/ ECDSA Certs                                         0
      Fixed ECDH w/ RSA signed Certs                                    0
      RSA Certs                                                         0
    
    Ciphers
      Advanced Encryption Standard (AES)                               55
      Advanced Encryption Standard Galois Counter Mode (AES-GCM)        0
      Digital Encryption Standard (DES)                                 0
      Rivest Cipher 2 (RC2)                                             0
      Rivest Cipher 4 (RC4)                                             0
      IDEA (old SSLv2 cipher)                                           0
      Camellia                                                          0
      No Encryption                                                     0
    
    Message Digest Method
      Message Digest 5 (MD5)                                            0
      Secure Hash Algorithm (SHA)                                      55
      No Message Authentication                                         0
    
    SSL Hardware Acceleration
      Full                                                              0
      Partial                                                           0
      None (Software)                                                  55
    
    Session Cache
      Current Entries                                                   0
      Hits                                                             38
      Lookups                                                          66
      Overflows                                                         0
      Invalidations                                                    28
    
    Records
      In                                                              116