Manual Chapter : About On-Demand Cert Auth

Applies To:


BIG-IP APM

  • 15.0.1, 15.0.0

About On-Demand Cert Auth

Typically, when a client makes an HTTPS request, an SSL handshake occurs at the start of the SSL session. If the client SSL profile skips the initial SSL handshake, an On-Demand Cert Auth action can renegotiate the SSL connection from an access policy by sending a certificate request to the user. This prompts a certificate screen to open. After the user provides a valid certificate, the On-Demand Cert Auth action checks the result of certificate authentication: the agent verifies the value of the session variable session.ssl.cert.valid to determine whether authentication succeeded.
When configuring on-demand certificate authentication in a per-request policy, avoid placing any other agent before the On-Demand Cert Auth agent if the client SSL profile on the virtual server has the Client Certificate field set to ignore. With that configuration, the per-request policy re-executes the subroutine when it reaches the On-Demand Cert Auth agent, which can send each agent located before the On-Demand Cert Auth agent down an unexpected branch.
The On-Demand Cert Auth action provides one configuration option, Auth Mode, with two supported modes:

Request
With this mode, the system requests a valid certificate from the client, but the connection does not terminate if the client does not provide a valid certificate. Instead, the action takes the fallback branch in the access policy. This is the default option.

Require
With this mode, the system requires that the client provide a valid certificate. If the client does not provide a valid certificate, the connection terminates and the client browser stops responding.
For an iPod or an iPhone, the Require setting must be used for On-Demand certificate authentication. To pass a certificate check using Safari, the user is asked to select the certificate multiple times; this is expected behavior.
On-demand certificate authentication does not work when added to a subroutine for a per-request policy that is part of a forward proxy configuration.