Manual Chapter :
On-Demand Certificate Authentication
Applies To:
Show VersionsBIG-IP APM
- 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0
On-Demand Certificate Authentication
Overview: Requesting and validating an SSL certificate on demand
Typically, when a client makes an HTTPS request, an SSL handshake request occurs at the start
of an SSL session. You can configure a client SSL profile to skip the initial SSL handshake
and add the On-Demand certificate authentication agent to the access policy to re-negotiate
the SSL connection later. Access Policy Manager can perform the
certificate request and validation task that is normally performed by the target server, on
demand.
Use the agent when you want to request and validate a certificate only after a user has
already completed some other steps (logged on, gone through an authentication process, or
anything else you require). Wherever you place the On-Demand authentication action in your
access policy, it performs an SSL re-handshake.
You might want to use the On-Demand certificate authentication agent, for
example, if all employees must gain access to the network before only a few employees can gain
access to servers with sensitive information.
When configuring On-Demand certification authentication in a
per-request policy
,
avoid having any other agent before the On-Demand Cert Auth agent if the client SSL profile on
the virtual server has the Client
Certificate
field set to ignore
. This configuration makes the per-request policy re-execute the
subroutine when it reaches the On-Demand Cert Auth agent. This can cause the per-request
policy to go to the unexpected branch on each agent located before On-Demand Cert Auth agent. Exchanging SSL certificates
Before you can use On-Demand certificate authentication successfully, you must exchange
certificates between clients and the BIG-IP system.
The client needs a valid certificate with which to respond to a certificate request. The
BIG-IP system includes a self-signed certificate that you can export and install on the
client. As an alternative to the self-signed certificate, you can import a certificate and
corresponding key (issued by your organization CA) into the BIG-IP system and install that
on the client.
In the client SSL certificate, we do not recommend setting the
Client Certificate
field to ignore
when using On-Demand certificate
authenticationThe BIG-IP systems needs the client root certificate installed on it. Exporting and
importing SSL certificates is done in the System File Management area of the product.
Create a custom Client SSL profile
You create a custom Client SSL profile when you want the BIG-IP system to terminate client-side SSL traffic for the purpose of:
- Authenticating and decrypting ingress client-side SSL traffic
- Re-encrypting egress client-side traffic
- On the Main tab, click.The Client SSL profile list screen opens.
- ClickCreate.The New Client SSL Profile screen opens.
- In theNamefield, type a unique name for the profile.
- Selectclientsslin theParent Profilelist.
- From theConfigurationlist, selectAdvanced.
- Select theCustomcheck box.The settings become available for change.
- Next to Client Authentication, select theCustomcheck box.The settings become available.
- From theConfigurationlist, selectAdvanced.
- Modify the settings, as required.
- ClickFinished.
Create a custom Server SSL profile
Create a custom server SSL profile to support SSL forward proxy.
- On the Main tab, click.The Server SSL profile list screen opens.
- ClickCreate.The New Server SSL Profile screen opens.
- In theNamefield, type a unique name for the profile.
- ForParent Profile, retain the default selection,serverssl.
- From theConfigurationlist, selectAdvanced.
- Select theCustomcheck box.The settings become available for change.
- From theSSL Forward Proxylist, selectEnabled.You can update this setting later, but only while the profile is not assigned to a virtual server.
- From theSSL Forward Proxy Bypasslist, selectEnabled(or retain the default valueDisabled).The values of theSSL Forward Proxy Bypasssettings in the server SSL and the client SSL profiles specified in a virtual server must match. You can update this setting later but only while the profile is not assigned to a virtual server.
- Scroll down to theSecure Renegotiationlist and selectRequest.
- ClickFinished.
Adding On-Demand
certificate authentication to an access policy
To successfully pass the On-Demand certificate authentication, the client browser must
have a valid SSL certificate for the BIG-IP system.
The client
browser might stop responding if the client fails to provide a certificate. We
strongly recommend that you add a Decision Box action in which you ask the user
whether a valid certificate is installed and provide an option to not proceed to the
On-Demand Cert Auth action when a valid certificate is not installed.
Add an On-Demand Cert Auth agent to an access
policy to request and validate an SSL certificate anywhere in the session.
- On the Main tab, click.The Access Profiles (Per-Session Policies) screen opens.
- In the Per-Session Policy column, click theEditlink for the access profile you want to configure.The visual policy editor opens the access policy in a separate screen.
- Click the(+)icon anywhere in the access policy to add a new item.Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
- Select the Authentication tab.The tab displays a list of authentication actions.
- SelectOn-Demand Cert Authand clickAdd Item.A properties screen opens.
- From theAuth Modelist, select one of these:
- RequestThis is the default mode.
- RequiredFor an iPod or an iPhone, you must select this mode. (You can select this mode for other clients as well.)To pass a certificate check using Safari, you will be asked to select the certificate multiple times. This is expected behavior.
- ClickSave.The properties screen closes and the policy displays.
- Click theApply Access Policylink to apply and activate the changes to the policy.
The On-Demand Cert Auth action is included and applied to the access policy.
To
apply this access policy to network traffic, add the access profile to a virtual
server.
To ensure
that logging is configured to meet your requirements, verify the log settings for
the access profile.
Verify log settings for the access profile
Confirm that the correct log settings are selected
for the access profile to ensure that events are logged as you intend.
Log settings are configured in the
area of the product. They enable and disable logging for access
system and URL request filtering events. Log settings also specify log publishers
that send log messages to specified destinations. - On the Main tab, click.The Access Profiles (Per-Session Policies) screen opens.
- Click the name of the access profile that you want to edit.The properties screen opens.
- On the menu bar, clickLogs.The access profile log settings display.
- Move log settings between theAvailableandSelectedlists.You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile provided that they enable logging for URl request logging only.Logging is disabled when theSelectedlist is empty.
- ClickUpdate.
An access profile is in effect when it is assigned to a virtual server.
Add client-side SSL and access profiles to a virtual server
You associate the client SSL and access profiles with the virtual
server so that the BIG-IP system handles client-side SSL
traffic as specified, and so that Access Policy Managercan
apply the access profile to incoming traffic.
- On the Main tab, click.The Virtual Server List screen opens.
- Click the name of the virtual server you want to modify.
- For theSSL Profile (Client)setting, from theAvailablelist, select the name of the Client SSL profile you previously created and move the name to theSelectedlist.
- In the Access Policy area, from theAccess Profilelist, select the access profile that you configured earlier.
- ClickUpdateto save the changes.
The access policy and client-side SSL profiles are now associated with the virtual
server.