Manual Chapter : On-Demand Certificate Authentication

Applies To:

Show Versions Show Versions


  • 13.0.1, 13.0.0
Manual Chapter

Overview: Requesting and validating an SSL certificate on demand

Typically, when a client makes an HTTPS request, an SSL handshake request occurs at the start of an SSL session. You can configure a client SSL profile to skip the initial SSL handshake and add the On-Demand certificate authentication agent to the access policy to re-negotiate the SSL connection later. Access Policy Manager® can perform the certificate request and validation task that is normally performed by the target server, on demand.

Use the agent when you want to request and validate a certificate only after a user has already completed some other steps (logged on, gone through an authentication process, or anything else you require). Wherever you place the On-Demand authentication action in your access policy, it performs an SSL re-handshake.

You might want to use this agent, for example, if all employees must gain access to the network before only a few employees can gain access to servers with sensitive information.

Exchanging SSL certificates

Before you can use On-Demand certificate authentication successfully, you must exchange certificates between clients and the BIG-IP® system.

The client needs a valid certificate with which to respond to a certificate request. The BIG-IP system includes a self-signed certificate that you can export and install on the client. As an alternative to the self-signed certificate, you can import a certificate and corresponding key (issued by your organization CA) into the BIG-IP system and install that on the client.

The BIG-IP systems needs the client root certificate installed on it. Exporting and importing SSL certificates is done in the System File Management area of the product.

Task summary

Creating a custom Client SSL profile

  1. On the Main tab, click Local Traffic > Profiles > SSL > Client .
    The Client SSL profile list screen opens.
  2. Click Create.
    The New Client SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. Select clientssl in the Parent Profile list.
  5. Scroll down to the Client Authentication area.
  6. Select the Custom check box for Client Authentication.
    The settings become available.
  7. For the Client Certificate setting, select ignore.
    When ignore is selected, the BIG-IP® system skips the initial SSL handshake.
  8. For the Trusted Certificate Authorities setting, select a trusted certificate authority.
  9. Click Finished.

Adding On-Demand certificate authentication to an access policy

To successfully pass the On-Demand certificate authentication, the client browser must have a valid SSL certificate for the BIG-IP® system.
Note: The client browser might stop responding if the client fails to provide a certificate. We strongly recommend that you add a Decision Box action in which you ask the user whether a valid certificate is installed and provide an option to not proceed to the On-Demand Cert Auth action when a valid certificate is not installed.
Add an On-Demand Cert Auth agent to an access policy to request and validate an SSL certificate anywhere in the session.
  1. On the Main tab, click Access > Profiles / Policies .
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. Select the Authentication tab.
    The tab displays a list of authentication actions.
  5. Select On-Demand Cert Auth and click Add Item.
    A properties screen opens.
  6. From the Auth Mode list, select one of these:
    • Request This is the default mode.
    • Required For an iPod or an iPhone, you must select this mode. (You can select this mode for other clients as well.)
      Note: To pass a certificate check using Safari, you will be asked to select the certificate multiple times. This is expected behavior.
  7. Click Save.
    The properties screen closes and the policy displays.
  8. Click the Apply Access Policy link to apply and activate the changes to the policy.
The On-Demand Cert Auth action is included and applied to the access policy.
To apply this access policy to network traffic, add the access profile to a virtual server.
Note: To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

Verifying log settings for the access profile

Confirm that the correct log settings are selected for the access profile to ensure that events are logged as you intend.
Note: Log settings are configured in the Access > Overview > Event Log > Settings area of the product. They enable and disable logging for access system and URL request filtering events. Log settings also specify log publishers that send log messages to specified destinations.
  1. On the Main tab, click Access > Profiles / Policies .
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click the name of the access profile that you want to edit.
    The properties screen opens.
  3. On the menu bar, click Logs.
    The access profile log settings display.
  4. Move log settings between the Available and Selected lists.
    You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile provided that they enable logging for URl request logging only.
    Note: Logging is disabled when the Selected list is empty.
  5. Click Update.
An access profile is in effect when it is assigned to a virtual server.

Adding client-side SSL and access profiles to a virtual server

  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL profile you previously created and move the name to the Selected list.
  4. In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
  5. Click Update to save the changes.
The access policy and client-side SSL profiles are now associated with the virtual server.