Forum Discussion

Stephan_V
Sep 12, 2016

Reuse IE SSL connection for Java?

I have an application that uses a couple of Java applets. The site is protected by client SSL certificates, and is served over https. The Java applet codebase URLs are set to connect and download via http/80. This is done to avoid the browser JRE plugin popping up asking the end user to separately authenticate using one of their client certificates (customer requirement).


The regular Internet Explorer session is https and client certificate based. The only http/80 portion is the connection (through the same F5) to get to the applets.


Is there a way to configure the F5 to know that a call for the applets is coming from an already authenticated ssl session? I'd like to move away from this mixed-mode and move to an all-https setup.


3 Replies

  • Short question. Is this an APM based deployment or are you using native LTM functionality to perform the certificate auth?


    Cheers, Kai


  • Hi Stephan,

    you could use an iRule to require SSL certificate auth for everything except the /java-applets/* download location. Access to /java-applets/* will then become anonymously accessible...

    when CLIENTSSL_CLIENTCERT {
        if { [SSL::cert count] > 0 } {
            # Client certificate is available. Releasing the HTTP request...
            HTTP::release
        }
    }
    when HTTP_REQUEST {
        if { [HTTP::path] starts_with "/java-applets/" } then {
            # Applet download location: allow the request without a client certificate
        } else {
            if { [SSL::cert count] == 0 } {
                # Client certificate not found. Trigger SSL renegotiation and hold the HTTP request until a cert is presented...
                HTTP::collect
                SSL::cert mode require
                SSL::renegotiate
            } else {
                # Client certificate already presented: allow the request
            }
        }
    }
    

    Another approach would be to set a persistent cookie after certificate authentication is verified and then grant access to /java-applets/* based on the presence of a valid cookie value...

    Note: I can't tell you if your Java application is able to access the persistent HTTP cookies of your browser session. But you may give it a try...

    when RULE_INIT {
        set static::applet_cookie_aes_key "AES 128 3d2751ac173029ff4c70c7e7054225ae"
        set static::applet_cookie_timeout 120   ;# Seconds
    }
    when CLIENTSSL_CLIENTCERT {
        if { [SSL::cert count] > 0 } {
            # Client certificate is available. Releasing the HTTP request...
            HTTP::release
        }
    }
    when HTTP_REQUEST {
        if { [HTTP::path] starts_with "/java-applets/" } then {
            set insert_session_cookie 0
            if { [set auth_cookie [HTTP::cookie value "Auth_Cookie"]] ne "" } then {
                # Session cookie is present. Check if the cookie can be decrypted, decrypts to an integer
                # (a malformed or tampered value must not raise a TCL error in the expr below)
                # and if the contained clock value is still valid.
                if { not ( [catch { set auth_cookie [AES::decrypt $static::applet_cookie_aes_key [b64decode $auth_cookie]] } ] ) and
                         [string is integer -strict $auth_cookie] and
                         ( [clock seconds] < [expr { $auth_cookie + $static::applet_cookie_timeout } ] ) } then {
                    # Clock value is verified. Allow the request...
                    return
                }
            }
            HTTP::respond 403 content "Access Denied! Visit https://[HTTP::host]/ first to get access..." noserver "Content-Type" "text/html"
        } else {
            set insert_session_cookie 1
            if { [SSL::cert count] == 0 } {
                # Client certificate not found. Trigger SSL renegotiation and hold the HTTP request until a cert is presented...
                HTTP::collect
                SSL::cert mode require
                SSL::renegotiate
            }
        }
    }
    when HTTP_RESPONSE {
        if { ( $insert_session_cookie ) and
             ( [HTTP::header "Content-Type" ] contains "text/html" ) } then {
            # Inject a persistent HTTP cookie containing an encrypted clock value for Java Applet access.
            HTTP::header insert "Set-Cookie" "Auth_Cookie=[b64encode [AES::encrypt $static::applet_cookie_aes_key [clock seconds]]];Secure;Path=/"
            HTTP::cookie expires "Auth_Cookie" $static::applet_cookie_timeout relative
        }
    }
    

    Note: In both cases you need to reconfigure the Client_SSL_Profile with

    Renegotiation=Enabled
    and
    Client Certificate=Ignore
    to be able to selectively force the cert authentication.

    Cheers, Kai
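The cookie approach in the reply above, modelled in Python as an added example that is not part of the original post and not iRule code: it keeps the same issue/verify flow (cookie minted after certificate auth, checked on the applet path against a timeout) but uses an HMAC-signed timestamp instead of a bare AES-encrypted clock value, so a tampered or malformed cookie fails the integrity check before its timestamp is ever trusted. COOKIE_KEY, COOKIE_TIMEOUT and the function names are assumptions; the key is a constructed sample.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample secret for this example (assumption, not from the post);
# on the BIG-IP it would live in a static:: variable like the AES key above.
COOKIE_KEY = b"example-secret-rotate-me"
COOKIE_TIMEOUT = 120  # seconds, same window as static::applet_cookie_timeout


def _tag(ts_bytes):
    """HMAC-SHA256 over the ASCII timestamp; binds the value to our key."""
    return hmac.new(COOKIE_KEY, ts_bytes, hashlib.sha256).digest()


def issue_cookie(now=None):
    """Value for Set-Cookie: Auth_Cookie=... once certificate auth succeeded.
    Layout: base64( "<unix seconds>" . HMAC )."""
    ts = str(int(time.time() if now is None else now)).encode()
    return base64.b64encode(ts + b"." + _tag(ts)).decode()


def verify_cookie(value, now=None):
    """True only for a well-formed, untampered, unexpired cookie.
    Every failure path returns False instead of raising, so a bad cookie
    ends in the 403 branch rather than a runtime error."""
    now = int(time.time() if now is None else now)
    try:
        raw = base64.b64decode(value, validate=True)
    except (ValueError, TypeError):
        return False
    # The timestamp is digits only, so the first "." always ends it.
    ts_bytes, sep, tag = raw.partition(b".")
    if not sep or not ts_bytes.isdigit():
        return False
    # Integrity first, in constant time; only then trust the timestamp.
    if not hmac.compare_digest(tag, _tag(ts_bytes)):
        return False
    issued = int(ts_bytes)
    # Same rule as the iRule (now < issued + timeout); future-dated values
    # are rejected too, since a legitimate issuer never produces them.
    return issued <= now < issued + COOKIE_TIMEOUT
```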