Applies To:
BIG-IP APM
- 12.1.6
On-Demand Certificate Authentication
Overview: Requesting and validating an SSL certificate on demand
Typically, when a client makes an HTTPS request, an SSL handshake occurs at the start of the SSL session. You can configure a client SSL profile to skip client certificate authentication during that initial handshake, and add the On-Demand certificate authentication agent to the access policy to renegotiate the SSL connection later. Access Policy Manager® can then perform, on demand, the certificate request and validation that the target server would normally perform.
Use the agent when you want to request and validate a certificate only after a user has already completed some other steps (logged on, gone through an authentication process, or anything else you require). Wherever you place the On-Demand authentication action in your access policy, it performs an SSL re-handshake.
You might want to use this agent, for example, when all employees need access to the network but only a few employees need access to servers that hold sensitive information: the certificate is requested and validated only at the point where the sensitive resource is reached.
Exchanging SSL certificates
Before you can use On-Demand certificate authentication successfully, you must exchange certificates between clients and the BIG-IP® system.
The client needs a valid certificate with which to respond to a certificate request. The BIG-IP system includes a self-signed certificate that you can export and install on the client. As an alternative to the self-signed certificate, you can import a certificate and its corresponding key (issued by your organization's CA) into the BIG-IP system and install that certificate on the client.
The BIG-IP system needs the client's root certificate installed on it, so that it can validate the certificate the client presents. Exporting and importing SSL certificates is done in the System File Management area of the product.
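The trust relationship described above, as an added example that is not part of the F5 documentation: a throwaway organization CA issues a client certificate, and the check that the BIG-IP system performs on demand (validating the presented client certificate against the root certificate installed on it) is reproduced with the openssl CLI. The script assumes openssl is on PATH; every subject name and file name is constructed for the example. A second, unrelated CA shows that a well-formed certificate from an issuer whose root is not installed is rejected.

```shell
#!/bin/sh
# Added example (not from the F5 documentation). Builds a throwaway
# organization CA and a client certificate with openssl, then performs the
# trust check the BIG-IP system does on demand: validate the presented
# client certificate against the root certificate installed on it.
# Assumes the openssl CLI is on PATH. All names and files are constructed.

set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Step 1: a throwaway "organization CA" (stands in for your real CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
  -subj "/CN=Example Org Root CA" \
  -keyout "$WORK/org-ca.key" -out "$WORK/org-ca.crt" >/dev/null 2>&1

# Step 2: a client key and CSR, signed by the organization CA. This is the
# certificate that would be installed on the client.
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=alice@example.test" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
openssl x509 -req -days 2 -in "$WORK/client.csr" \
  -CA "$WORK/org-ca.crt" -CAkey "$WORK/org-ca.key" -CAcreateserial \
  -out "$WORK/client.crt" >/dev/null 2>&1

# Step 3: an unrelated CA and client cert, to show that a certificate from
# an issuer whose root is not installed is rejected even though it is
# otherwise well-formed.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
  -subj "/CN=Some Other CA" \
  -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.crt" >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=bob@example.test" \
  -keyout "$WORK/other.key" -out "$WORK/other.csr" >/dev/null 2>&1
openssl x509 -req -days 2 -in "$WORK/other.csr" \
  -CA "$WORK/other-ca.crt" -CAkey "$WORK/other-ca.key" -CAcreateserial \
  -out "$WORK/other.crt" >/dev/null 2>&1

# validate_client_cert ROOT_CA_FILE CLIENT_CERT_FILE
# Returns 0 when the client certificate chains to the installed root CA,
# non-zero otherwise. This is the check behind "the BIG-IP system needs the
# client's root certificate installed on it".
validate_client_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Expected: the org-issued certificate passes, the other-CA one does not.
if validate_client_cert "$WORK/org-ca.crt" "$WORK/client.crt"; then
  echo "client.crt: accepted (issued by the installed root CA)"
fi
if ! validate_client_cert "$WORK/org-ca.crt" "$WORK/other.crt"; then
  echo "other.crt: rejected (issuer's root CA is not installed)"
fi
```

The same `openssl verify -CAfile` check is a useful pre-flight before importing a root into the BIG-IP system: if the certificate you plan to install on clients does not verify against the root you plan to install on the BIG-IP system, the on-demand re-handshake will fail for every user.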
Task summary
Creating a custom Client SSL profile
Adding On-Demand certificate authentication to an access policy
Verifying log settings for the access profile
Adding client-side SSL and access profiles to a virtual server
You associate the client SSL and access profiles with the virtual server so that the BIG-IP® system handles client-side SSL traffic as specified, and so that Access Policy Manager® can apply the access profile to incoming traffic.