Manual Chapter : Client Certificate Inspection

Applies To:


BIG-IP APM

  • 14.0.0

Client Certificate Inspection

About client certificate inspection

The Client Cert Inspection access policy item checks the result of the SSL handshake that occurs at the start of a session. It does not, however, negotiate an SSL session. It relies on settings in a client SSL profile that is added to the virtual server. The Client Cert Inspection item can provide the result of the SSL handshake, including certificate revocation status when the client SSL profile specifies a certificate revocation list (CRL).

Task summary for client certificate inspection

To complete this configuration, you need an access profile and a virtual server configured. Checking the validity of a client certificate is very likely to be one of many items you add to an access policy.

Creating a client SSL profile for certificate inspection

Before you start this task, import the CA certificate for VMware View Horizon server to the BIG-IP system certificate store.
You create a custom client SSL profile to request an SSL certificate from the client at the start of the session. This enables a Client Cert Inspection item in an access policy to check whether a valid certificate was presented.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Client.
    The Client SSL profile list screen opens.
  2. Click Create.
    The New Client SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list, select clientssl.
    The default settings for the profile specify a 10-second SSL handshake timeout. Some users with smart cards cannot authenticate within that time. You can increase the timeout if this is the case at your site.
  5. From the Configuration list, select Advanced.
  6. If you have VMware View clients on Mac OS X, disable TLS 1.2 in the Options List area:
    1. In the Available Options list, select No TLS 1.2.
    2. Click Enable.
  7. If you change the values for the Cache Size or the Cache Timeout setting, do not specify a value of zero (0) for either setting.
    When these values are 0, the client must supply a PIN on each browser page refresh.
  8. Scroll down to Handshake Timeout and select the Custom check box.
    Additional settings become available.
  9. To limit the timeout to a number of seconds, select Specify from the list, and type the required number in the seconds field.
    In the list, the value Indefinite specifies that the system continues trying to establish a connection for an unlimited time. If you select Indefinite, the seconds field is no longer available.
  10. Scroll down to the Client Authentication area.
  11. Next to Client Authentication, select the Custom check box.
    The settings become available.
  12. From the Client Certificate list, select request.
    Do not select require.
  13. From the Trusted Certificate Authorities and Advertised Certificate Authorities lists, select the certificates you imported previously.
  14. Click Finished.

Configuring an access policy to confirm client certificate validity

Add a client certificate inspection item to an access policy when you want to check whether the client presented a valid certificate at the start of the session.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new item.
    Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. In the search field, type client, then select Client Cert Inspection from the results list, and click Add item.
    A popup Properties screen displays.
  5. Click Save.
    The properties screen closes and the policy displays.
  6. Complete the policy:
    1. Add any additional policy items you require.
    2. Change the ending from Deny to Allow on any access policy branch on which you want to grant access.
  7. Click Apply Access Policy to save your configuration.
To apply this access policy to network traffic, add the access profile to a virtual server.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

Verifying log settings for the access profile

Confirm that the correct log settings are selected for the access profile to ensure that events are logged as you intend.
Log settings are configured in the Access > Overview > Event Log > Settings area of the product. They enable and disable logging for access system and URL request filtering events. Log settings also specify log publishers that send log messages to specified destinations.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click the name of the access profile that you want to edit.
    The properties screen opens.
  3. On the menu bar, click Logs.
    The access profile log settings display.
  4. Move log settings between the Available and Selected lists.
    You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile provided that they enable logging for URL request logging only.
    Logging is disabled when the Selected list is empty.
  5. Click Update.
An access profile is in effect when it is assigned to a virtual server.