Applies To: 11.6.4, 11.6.3, 11.6.2, 11.6.1
Overview: Requesting and validating an SSL certificate on demand
Typically, when a client makes an HTTPS request, an SSL handshake request occurs at the start of an SSL session. You can configure a client SSL profile to skip the initial SSL handshake and add the On-Demand certificate authentication agent to the access policy to re-negotiate the SSL connection later. Access Policy Manager can perform the certificate request and validation task that is normally performed by the target server, on demand.
Use the agent when you want to request and validate a certificate only after a user has already completed some other steps (logged on, gone through an authentication process, or anything else you require). Wherever you place the On-Demand authentication action in your access policy, it performs an SSL re-handshake.
You might want to use this agent, for example, when all employees need access to the network but only a few of them should be able to reach servers that hold sensitive information.
Exchanging SSL Certificates
Before you can use On-Demand certificate authentication successfully, you must exchange certificates between clients and the BIG-IP system.
The client needs a valid certificate with which to respond to a certificate request. The BIG-IP system includes a self-signed certificate that you can export and install on the client. As an alternative to the self-signed certificate, you can import a certificate and corresponding key (issued by your organization CA) into the BIG-IP system and install that on the client.
The BIG-IP system needs the client root certificate installed on it.
Creating a custom Client SSL profile
- On the Main tab, open the client SSL profile list. The Client profile list screen opens.
- Click Create. The New Client SSL Profile screen opens.
- In the Name field, type a unique name for the profile.
- Select clientssl in the Parent Profile list.
- Scroll down to the Client Authentication area.
- Select the Custom check box for Client Authentication. The settings become available.
- For the Client Certificate setting, select ignore. When ignore is selected, the BIG-IP system skips the initial SSL handshake.
- For the Trusted Certificate Authorities setting, select a trusted certificate authority.
- Click Finished.
Adding On-Demand certificate authentication to an access policy
- On the Main tab, open the access profiles list. The Access Profiles List screen opens.
- In the Access Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
- Click the (+) icon anywhere in the access policy to add a new action item. A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
- Select the Authentication tab. The tab displays a list of authentication actions.
- Select On-Demand Cert Auth and click Add Item. A properties screen opens.
- From the Auth Mode list, select one of these:
  - Request: This is the default mode.
  - Required: For an iPod or an iPhone, you must select this mode. (You can select this mode for other clients as well.)
Note: To pass a certificate check using Safari, you will be asked to select the certificate multiple times. This is expected behavior.
- Click Save. The properties screen closes and the visual policy editor displays.
- Click the Apply Access Policy link to apply and activate the changes to the access policy.
Adding client-side SSL and access profiles to a virtual server
You associate the client SSL and access profiles with the virtual server so that the BIG-IP system handles client-side SSL traffic as specified, and so that Access Policy Manager can apply the access profile to incoming traffic.
- On the Main tab, open the virtual server list. The Virtual Server List screen opens.
- Click the name of the virtual server you want to modify.
- For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL profile you previously created, and using the Move button, move the name to the Selected list.
- In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
- Click Update to save the changes.
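The same configuration expressed as tmsh commands, as an added example that is not from this page or from F5's own documentation. It covers the three configuration procedures above in order: the certificate exchange (installing the client root certificate), the custom Client SSL profile, and attaching both profiles to the virtual server, followed by the tmsh equivalent of Apply Access Policy and two checks. The object names (`client_root_ca.crt`, `ondemand_clientssl`, `my_access_profile`, `vs_https`) and the local file path are constructed placeholders, and the commands are assumed to be typed in an interactive tmsh session on the BIG-IP system. The access policy itself, including the On-Demand Cert Auth action and its Auth Mode, is still built in the visual policy editor as described above; this example only wires the surrounding objects together.

```tmsh
# Constructed example: tmsh equivalent of the GUI steps on this page.
# Object names and the file path are placeholders; replace them with your own.

# 1. Certificate exchange: install the client root certificate so the BIG-IP
#    system can validate the client certificate presented when the On-Demand
#    Cert Auth action re-negotiates the connection.
install sys crypto cert client_root_ca.crt from-local-file /var/tmp/client_root_ca.crt

# 2. Custom Client SSL profile. "peer-cert-mode ignore" is the Client
#    Certificate: ignore setting, so no certificate is requested during the
#    initial SSL handshake. "ca-file" is the Trusted Certificate Authorities
#    setting that the on-demand re-handshake validates the client certificate
#    against.
create ltm profile client-ssl ondemand_clientssl defaults-from clientssl peer-cert-mode ignore ca-file client_root_ca.crt

# 3. Attach the Client SSL profile (client-side context) and the access profile
#    that contains the On-Demand Cert Auth action to the virtual server.
modify ltm virtual vs_https profiles add { ondemand_clientssl { context clientside } }
modify ltm virtual vs_https profiles add { my_access_profile { } }

# 4. Equivalent of clicking Apply Access Policy: activate the policy changes.
modify apm profile access my_access_profile generation-action increment

# 5. Checks. The first confirms the profile really defers the certificate
#    request (peer-cert-mode must be ignore) and trusts the intended CA; if it
#    shows request or require, the certificate is demanded at connection time
#    and the access policy is no longer what gates the certificate check.
#    The second confirms both profiles are actually on the virtual server.
list ltm profile client-ssl ondemand_clientssl peer-cert-mode ca-file
list ltm virtual vs_https profiles

save sys config
```

The order matters for the check in step 5: a Client SSL profile that still carries the parent's default Client Certificate setting, or a virtual server with the Client SSL profile but no access profile, each looks like a working HTTPS listener while providing none of the on-demand certificate validation this page describes, so both `list` commands are worth running after any change to these objects.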