Manual Chapter: On-Demand Certificate Authentication
Applies To: BIG-IP APM 15.1.2, 15.1.1, 15.1.0
On-Demand Certificate Authentication
Overview: Requesting and validating an SSL certificate on demand
Typically, when a client makes an HTTPS request, an SSL handshake request occurs at the start of an SSL session. You can configure a client SSL profile to skip the initial SSL handshake and add the On-Demand certificate authentication agent to the access policy to re-negotiate the SSL connection later. Access Policy Manager can perform the certificate request and validation task that is normally performed by the target server, on demand.
Use the agent when you want to request and validate a certificate only after a user has already completed some other steps (logged on, gone through an authentication process, or anything else you require). Wherever you place the On-Demand authentication action in your access policy, it performs an SSL re-handshake.
You might want to use the On-Demand certificate authentication agent, for example, when all employees must first gain access to the network, but only a few of them may then access servers that hold sensitive information.
When configuring On-Demand certificate authentication in a per-request policy, avoid placing any other agent before the On-Demand Cert Auth agent if the client SSL profile on the virtual server has the Client Certificate field set to ignore. With that configuration, the per-request policy re-executes the subroutine when it reaches the On-Demand Cert Auth agent, which can cause the policy to take the unexpected branch at each agent located before the On-Demand Cert Auth agent.
Certificate validation in BIG-IP
This section lists the checks that BIG-IP performs to validate certificates.
- Certificate depth must not exceed the configured value: BIG-IP validates the certificate chain (root and intermediate certificates) against the value specified in the Certificate Chain Traversal Depth field for the certificate chain sent by the client or server. By default, the value is 9. If the chain depth exceeds the specified value, certificate validation fails with the "certificate chain too long" error message.
- Certificate trusted chain: BIG-IP validates the chain of trust by checking each certificate in the chain against its respective issuer.
- Certificate Revocation List (CRL): The CRL is used to check the certificates in the chain for revocation, either statically or dynamically, depending on the configuration.
- Certificate extensions: BIG-IP requires every CA certificate to carry the Basic Constraints extension with the CA: True attribute.
- Certificate validity period: The current time must fall within the Not Before and Not After fields of each certificate for it to be valid.
- Certificate common name: BIG-IP verifies the common name of the certificate against the DNSName entries of the subject alternative name (subjectAltName) extension.
If any one of the above checks fails, then the certificate is marked as invalid.
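The checks above, worked through as an added example in Go using the standard crypto/x509 package (this is not F5 code and does not mirror how BIG-IP is implemented): `issue` builds a constructed test PKI, and `ValidateClientCert` verifies a client certificate against it. Assumptions: chain depth counts the CA certificates above the leaf, the expected name is matched against the DNS SANs the way a hostname would be, and CRL checking is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue builds a constructed test certificate signed by parent (self-signed when parent is nil).
// markCA adds the Basic Constraints CA:True extension that BIG-IP requires on every CA in the chain.
func issue(cn string, dns []string, markCA bool, notAfter time.Time, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		BasicConstraintsValid: markCA, IsCA: markCA,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil { signer, signerKey = parent, parentKey }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil { panic(err) } // helper failure, not a validation result
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// pool wraps zero or more certificates as a trust store for x509.VerifyOptions.
func pool(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs { p.AddCert(c) }
	return p
}

// ValidateClientCert runs the trusted-chain, CA-extension, validity-period and SAN-name checks
// through crypto/x509, then enforces the chain-depth limit (BIG-IP default 9). Assumption: depth
// counts the CA certificates above the leaf. CRL checking is out of scope for this example.
func ValidateClientCert(leaf *x509.Certificate, intermediates, roots *x509.CertPool, expectedName string, maxDepth int) error {
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: intermediates, DNSName: expectedName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil { return err } // untrusted issuer, missing CA:True, expired, or name mismatch
	if len(chains[0])-1 > maxDepth { return errors.New("certificate chain too long") }
	return nil
}
```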
Exchanging SSL certificates
Before you can use On-Demand certificate authentication successfully, you must exchange certificates between clients and the BIG-IP system.
The client needs a valid certificate with which to respond to a certificate request. The BIG-IP system includes a self-signed certificate that you can export and install on the client. As an alternative to the self-signed certificate, you can import a certificate and corresponding key (issued by your organization's CA) into the BIG-IP system and install that on the client.
In the client SSL profile, we do not recommend setting the Client Certificate field to ignore when using On-Demand certificate authentication. The BIG-IP system needs the client root certificate installed on it. Exporting and importing SSL certificates is done in the System File Management area of the product.
Create a custom Client SSL profile
You create a custom Client SSL profile when you want the BIG-IP system to terminate client-side SSL traffic for the purpose of:
- Authenticating and decrypting ingress client-side SSL traffic
- Re-encrypting egress client-side traffic
- On the Main tab, click. The Client SSL profile list screen opens.
- Click Create. The New Client SSL Profile screen opens.
- In the Name field, type a unique name for the profile.
- Select clientssl in the Parent Profile list.
- Select the Proxy SSL check box (the rest of the UI collapses after this setting).
- Optionally, select the Proxy SSL Passthrough check box. This option is often not needed. Review the Knowledge Center article K13385: Overview of the Proxy SSL feature for guidelines on when to enable this setting and its implications.
- Configure the Certificate Key Chain. The Certificate and Key under the Client SSL profile are not used in Proxy SSL (since the client and the server will eventually verify each other). F5 recommends leaving the default F5 cert/key pair.
- Click Finished.
Create a custom Server SSL profile
Create a custom server SSL profile to support SSL forward proxy.
- On the Main tab, click. The Server SSL profile list screen opens.
- Click Create. The New Server SSL Profile screen opens.
- In the Name field, type a unique name for the profile.
- For Parent Profile, retain the default selection, serverssl.
- Select the Proxy SSL check box (the rest of the UI collapses after this setting).
- Optionally, select the Proxy SSL Passthrough check box. This option is often not needed. Review the Knowledge Center article K13385: Overview of the Proxy SSL feature for guidelines on when to enable this setting and its implications.
- Configure the Certificate and Key using the identical Certificate and Key details configured on the server. Import the details to the BIG-IP system prior to configuring Proxy SSL.
- Click Finished.
Adding On-Demand certificate authentication to an access policy
To successfully pass the On-Demand certificate authentication, the client browser must have a valid SSL certificate for the BIG-IP system.
The client browser might stop responding if the client fails to provide a certificate. We strongly recommend that you add a Decision Box action in which you ask the user whether a valid certificate is installed and provide an option to not proceed to the On-Demand Cert Auth action when a valid certificate is not installed.
Add an On-Demand Cert Auth agent to an access policy to request and validate an SSL certificate anywhere in the session.
- On the Main tab, click. The Access Profiles (Per-Session Policies) screen opens.
- In the Per-Session Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
- Click the (+) icon anywhere in the access policy to add a new item. Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type. A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
- Select the Authentication tab. The tab displays a list of authentication actions.
- Select On-Demand Cert Auth and click Add Item. A properties screen opens.
- From the Auth Mode list, select one of these:
  - Request: This is the default mode.
  - Required: For an iPod or an iPhone, you must select this mode. (You can select this mode for other clients as well.) To pass a certificate check using Safari, you will be asked to select the certificate multiple times. This is expected behavior.
- Click Save. The properties screen closes and the policy displays.
- Click the Apply Access Policy link to apply and activate the changes to the policy.
The On-Demand Cert Auth action is included and applied to the access policy.
To apply this access policy to network traffic, add the access profile to a virtual server.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.
Verify log settings for the access profile
Confirm that the correct log settings are selected for the access profile to ensure that events are logged as you intend.
Log settings are configured in the area of the product. They enable and disable logging for access system and URL request filtering events. Log settings also specify log publishers that send log messages to specified destinations.
- On the Main tab, click. The Access Profiles (Per-Session Policies) screen opens.
- Click the name of the access profile that you want to edit. The properties screen opens.
- On the menu bar, click Logs. The access profile log settings display.
- Move log settings between the Available and Selected lists. You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile provided that they enable logging for URL request logging only. Logging is disabled when the Selected list is empty.
- Click Update.
An access profile is in effect when it is assigned to a virtual server.
Add client-side SSL and access profiles to a virtual server
You associate the client SSL and access profiles with the virtual server so that the BIG-IP system handles client-side SSL traffic as specified, and so that Access Policy Manager can apply the access profile to incoming traffic.
- On the Main tab, click. The Virtual Server List screen opens.
- Click the name of the virtual server you want to modify.
- For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL profile you previously created and move the name to the Selected list.
- In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
- Click Update to save the changes.
The access policy and client-side SSL profiles are now associated with the virtual server.