Manual Chapter : On-Demand Certificate Authentication

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 15.1.2, 15.1.1, 15.1.0
Manual Chapter

On-Demand Certificate Authentication

Overview: Requesting and validating an SSL certificate on demand

Typically, when a client makes an HTTPS request, an SSL handshake request occurs at the start of an SSL session. You can configure a client SSL profile to skip the initial SSL handshake and add the On-Demand certificate authentication agent to the access policy to re-negotiate the SSL connection later. Access Policy Manager can perform the certificate request and validation task that is normally performed by the target server, on demand.
Use the agent when you want to request and validate a certificate only after a user has already completed some other steps (logged on, gone through an authentication process, or anything else you require). Wherever you place the On-Demand authentication action in your access policy, it performs an SSL re-handshake.
You might want to use the On-Demand certificate authentication agent, for example, if all employees must gain access to the network before only a few employees can gain access to servers with sensitive information.
When configuring On-Demand certification authentication in a
per-request policy
, avoid having any other agent before the On-Demand Cert Auth agent if the client SSL profile on the virtual server has the
Client Certificate
field set to
ignore
. This configuration makes the per-request policy re-execute the subroutine when it reaches the On-Demand Cert Auth agent. This can cause the per-request policy to go to the unexpected branch on each agent located before On-Demand Cert Auth agent.

Certificate validation in BIG-IP

This session provides the list of checks performed by BIG-IP to validate the certificates.
  • Certificate depth should not be more than the configured value
    BIG-IP validates the certificate chain (root and intermediate certificate) based on the value specified in the
    Certificate Chain Traversal Depth
    field sent by the client or server. By default, the value is set to 9. If the certificate chain depth is more than the specified value, then certificate validation fails with the “certificate chain too long” error message
  • Certificate trusted chain
    BIG-IP validates the certificate chain of trust with the respective issuer for each certificate in the chain.
  • Certificate Revocation List (CRL)
    The CRL validates the certificates from the chain, statically or dynamically, based on the configurations.
  • Certificate extensions
    BIG-IP requires a CA certificate to have
    Basic Constrains
    and
    CA: True
    attributes.
  • Certificate duration validity
    The date and time mentioned in the
    Not Before
    and
    Not After
    fields for a valid certificate must be based on the current time.
  • Certificate’s common name
    BIG-IP verifies the common name of the certificate with the DNSName attributes subject alternative names (subjectAltName).
If any one of the above checks fails, then the certificate is marked as invalid.

Exchanging SSL certificates

Before you can use On-Demand certificate authentication successfully, you must exchange certificates between clients and the BIG-IP system.
The client needs a valid certificate with which to respond to a certificate request. The BIG-IP system includes a self-signed certificate that you can export and install on the client. As an alternative to the self-signed certificate, you can import a certificate and corresponding key (issued by your organization CA) into the BIG-IP system and install that on the client.
In the client SSL certificate, we do not recommend setting the
Client Certificate
field to
ignore
when using On-Demand certificate authentication
The BIG-IP systems needs the client root certificate installed on it. Exporting and importing SSL certificates is done in the System File Management area of the product.

Create a custom Client SSL profile

You create a custom Client SSL profile when you want the BIG-IP system to terminate client-side SSL traffic for the purpose of:
  • Authenticating and decrypting ingress client-side SSL traffic
  • Re-encrypting egress client-side traffic
By terminating client-side SSL traffic, the BIG-IP system offloads these authentication and decryption/encryption functions from the destination server.
  1. On the Main tab, click
    Local Traffic
    Profiles
    SSL
    Client
    .
    The Client SSL profile list screen opens.
  2. Click
    Create
    .
    The New Client SSL Profile screen opens.
  3. In the
    Name
    field, type a unique name for the profile.
  4. Select
    clientssl
    in the
    Parent Profile
    list.
  5. Select the
    Proxy SSL
    check box (the rest of the UI will collapse following this setting).
  6. Optionally, select the
    Proxy SSL Passthrough
    check box.
    This option is often not needed. Review the Knowledge Center article K13385: Overview of the Proxy SSL feature for guidelines on when to enable this setting and its implications.
  7. Configure the
    Certificate Key Chain
    .
    The
    Certificate
    and
    Key
    under ClientSSL profile are not used in
    Proxy SSL
    (since the client and the server will eventually verify each other). F5 recommends leaving the default F5 cert/key pair.
  8. Click
    Finished
    .

Create a custom Server SSL profile

Create a custom server SSL profile to support SSL forward proxy.
  1. On the Main tab, click
    Local Traffic
    Profiles
    SSL
    Server
    .
    The Server SSL profile list screen opens.
  2. Click
    Create
    .
    The New Server SSL Profile screen opens.
  3. In the
    Name
    field, type a unique name for the profile.
  4. For
    Parent Profile
    , retain the default selection,
    serverssl
    .
  5. Select the
    Proxy SSL
    check box (the rest of the UI will collapse following this setting).
  6. Optionally, select the
    Proxy SSL Passthrough
    check box.
    This option is often not needed. Review the Knowledge Center article K13385: Overview of the Proxy SSL feature for guidelines on when to enable this setting and its implications.
  7. Configure the
    Certificate
    and
    Key
    using the identical Certificate and Key details configured on the server.
    Import the details to the BIG-IP system prior to configuring
    Proxy SSL
    .
  8. Click
    Finished
    .

Adding On-Demand certificate authentication to an access policy

To successfully pass the On-Demand certificate authentication, the client browser must have a valid SSL certificate for the BIG-IP system.
The client browser might stop responding if the client fails to provide a certificate. We strongly recommend that you add a Decision Box action in which you ask the user whether a valid certificate is installed and provide an option to not proceed to the On-Demand Cert Auth action when a valid certificate is not installed.
Add an On-Demand Cert Auth agent to an access policy to request and validate an SSL certificate anywhere in the session.
  1. On the Main tab, click
    Access
    Profiles / Policies
    .
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the
    Edit
    link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the
    (+)
    icon anywhere in the access policy to add a new item.
    Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. Select the Authentication tab.
    The tab displays a list of authentication actions.
  5. Select
    On-Demand Cert Auth
    and click
    Add Item
    .
    A properties screen opens.
  6. From the
    Auth Mode
    list, select one of these:
    • Request
      This is the default mode.
    • Required
      For an iPod or an iPhone, you must select this mode. (You can select this mode for other clients as well.)
      To pass a certificate check using Safari, you will be asked to select the certificate multiple times. This is expected behavior.
  7. Click
    Save
    .
    The properties screen closes and the policy displays.
  8. Click the
    Apply Access Policy
    link to apply and activate the changes to the policy.
The On-Demand Cert Auth action is included and applied to the access policy.
To apply this access policy to network traffic, add the access profile to a virtual server.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

Verify log settings for the access profile

Confirm that the correct log settings are selected for the access profile to ensure that events are logged as you intend.
Log settings are configured in the
Access
Overview
Event Log
Settings
area of the product. They enable and disable logging for access system and URL request filtering events. Log settings also specify log publishers that send log messages to specified destinations.
  1. On the Main tab, click
    Access
    Profiles / Policies
    .
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click the name of the access profile that you want to edit.
    The properties screen opens.
  3. On the menu bar, click
    Logs
    .
    The access profile log settings display.
  4. Move log settings between the
    Available
    and
    Selected
    lists.
    You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile provided that they enable logging for URl request logging only.
    Logging is disabled when the
    Selected
    list is empty.
  5. Click
    Update
    .
An access profile is in effect when it is assigned to a virtual server.

Add client-side SSL and access profiles to a virtual server

You associate the client SSL and access profiles with the virtual server so that the BIG-IP system handles client-side SSL traffic as specified, and so that Access Policy Managercan apply the access profile to incoming traffic.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. For the
    SSL Profile (Client)
    setting, from the
    Available
    list, select the name of the Client SSL profile you previously created and move the name to the
    Selected
    list.
  4. In the Access Policy area, from the
    Access Profile
    list, select the access profile that you configured earlier.
  5. Click
    Update
    to save the changes.
The access policy and client-side SSL profiles are now associated with the virtual server.