Manual Chapter: About On-Demand Cert Auth
Applies To: BIG-IP APM 15.0.1, 15.0.0
About On-Demand Cert Auth
Typically, when a client makes an HTTPS request, the SSL handshake at the start of the SSL session is where the server would request a client certificate. If the client SSL profile does not request a certificate during that initial handshake, an On-Demand Cert Auth action can renegotiate the SSL connection from within an access policy by sending a certificate request to the client. The browser then opens its certificate-selection dialog. After the user supplies a certificate, the On-Demand Cert Auth action checks the result of certificate validation: the agent reads the session variable session.ssl.cert.valid to determine whether authentication succeeded.
When you configure on-demand certificate authentication in a per-request policy and the client SSL profile on the virtual server has the Client Certificate field set to ignore, avoid placing any other agent before the On-Demand Cert Auth agent. With that configuration, the renegotiation makes the per-request policy re-execute the subroutine when it reaches the On-Demand Cert Auth agent, so every agent located before it runs a second time and may take an unexpected branch.
The On-Demand Cert Auth action provides one configuration option, Auth Mode, with two supported modes:
- Request: The system requests a valid certificate from the client, but the connection does not terminate if the client does not provide one. Instead, the action takes the fallback branch in the access policy. This is the default option.
- Require: The system requires that the client provide a valid certificate. If the client does not provide one, the connection terminates and the client browser stops responding.
For an iPod or an iPhone, the Require setting must be used for On-Demand certificate authentication. To pass a certificate check using Safari, the user is asked to select the certificate multiple times. This is expected behavior.
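The following tmsh session is an added example and is not part of the F5 manual. It shows the client SSL profile setting that the caveat above depends on (the Client Certificate field, exposed in tmsh as peer-cert-mode), together with the check an administrator should run before deciding where to place agents in a per-request policy. The profile name odca_clientssl and the CA file name corp_ca.crt are assumptions; the Auth Mode of the On-Demand Cert Auth agent itself is set in the access policy editor, not on this profile.

```tmsh
# Client SSL profile that skips the client-certificate request in the initial
# handshake (Client Certificate = ignore). With this setting the certificate
# is only requested later, when the On-Demand Cert Auth agent renegotiates.
# Names (odca_clientssl, corp_ca.crt) are assumptions for this example.
create ltm profile client-ssl odca_clientssl {
    defaults-from clientssl
    peer-cert-mode ignore
    ca-file corp_ca.crt
}

# Before building a per-request policy, confirm which mode the profile on the
# virtual server actually uses. If this prints "peer-cert-mode ignore", keep
# the On-Demand Cert Auth agent first in the subroutine, because agents placed
# before it are re-executed after the renegotiation.
list ltm profile client-ssl odca_clientssl peer-cert-mode

# Alternative: have the initial handshake request the certificate up front.
# Then no renegotiation is needed and the ordering caveat does not apply,
# but every connection to the virtual server is prompted for a certificate.
modify ltm profile client-ssl odca_clientssl peer-cert-mode request

save sys config
```

Choosing between the two profile settings is the real design decision here: peer-cert-mode ignore lets the policy decide per session or per request whether to prompt for a certificate, at the cost of the re-execution behaviour described above; peer-cert-mode request or require moves the prompt to the TLS handshake for all traffic on the virtual server.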
On-demand certificate authentication does not work when added to a subroutine
for a per-request policy that is part of a forward proxy configuration.