Solved

Mutual authentication on an F5 Load Balancer

Posted on 2012-09-13
Last Modified: 2012-09-20
I have a requirement to implement mutual authentication between my platform and that of a third party.

In this instance I will be the server end and the third party will be the client. I have an F5 load balancer handling web traffic on my platform.

As his request comes to me I will need to validate his client certificate to confirm his identity. My question is, will the F5 process the client certificate details as the request passes through it, meaning that my back end doesn't receive the certificate details to validate them?

If it does, how do I configure the F5 to carry out the mutual authentication?

I am using a BIG-IP LTM1600 10.2.1 Build 297.0 Final
Question by:ccfcfc
2 Comments
 

Expert Comment

by:Rick Hobbs
ID: 38397140
Do you have the Advanced Client Authentication Module?

Accepted Solution

by:btan (earned 2000 total points)
ID: 38397461
You can configure a clientssl profile to request or require a client cert. Further, you will import the trusted CA and CRL. If there are intermediate CAs, you can check out the ca-bundle or chain option. See the "Client Authentication"

http://support.f5.com/kb/en-us/solutions/public/10000/100/sol10167.html

Client certificate authentication uses the following sequence of events:

1. The client requests an SSL connection.
2. The SSL server presents its SSL certificate, along with any configured chain certificate bundle, to the client.
3. The SSL client uses the CA certificates stored in its Trusted Device Certificate store, and the supplied certificate chain if necessary, to authenticate the server.
4. The SSL server requests a client certificate, advertising a list of preferred CAs if configured to do so.
5. The SSL client presents its SSL certificate.
6. The SSL server uses its configured trusted CA certificate bundle to authenticate the client.

Without ACA or APM, you pretty much only have CRLDP, SSL OCSP and SSL client cert LDAP, if I am not wrong. It can be rather basic, and I do suggest upgrading to the latest version 10.2.4 or even v11 and above.

If needed, there is an iRule for a cert check based on Subject name:
https://devcentral.f5.com/wiki/iRules.ClientCertificateCNChecking.ashx
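
An iRule for the Subject-name check the accepted answer mentions, added here as an example (it is not the DevCentral rule linked above and not code from the thread). The expected CN `partner-client.example.com` and the header name `X-Client-Cert-CN` are assumptions, as is a clientssl profile on the virtual server that already requires a client certificate and trusts the partner's issuing CA.

```tcl
# Added example. Assumed: clientssl profile set to require a client cert,
# trusted CA bundle limited to the partner's issuing CA.
# Hypothetical values: partner-client.example.com, X-Client-Cert-CN.
when CLIENTSSL_CLIENTCERT {
    set client_cn ""
    # Refuse the connection if no certificate arrived or chain validation failed.
    if { [SSL::cert count] == 0 || [SSL::verify_result] != 0 } {
        log local0.warning "mTLS reject [IP::client_addr]: [X509::verify_cert_error_string [SSL::verify_result]]"
        reject
        return
    }
    # Pull out the CN and compare it exactly. A substring test on the whole
    # subject would also accept CN=partner-client.example.com.other.test.
    set subject [X509::subject [SSL::cert 0]]
    if { ![regexp {(?:^|[,/] ?)CN=([^,/]+)} $subject -> client_cn]
         || $client_cn ne "partner-client.example.com" } {
        log local0.warning "mTLS reject [IP::client_addr]: unexpected subject $subject"
        set client_cn ""
        reject
    }
}

when HTTP_REQUEST {
    # TLS ends at the BIG-IP, so the pool member never sees the certificate.
    # Remove any caller-supplied copy of the header, then pass the verified CN.
    HTTP::header remove "X-Client-Cert-CN"
    if { [info exists client_cn] && $client_cn ne "" } {
        HTTP::header insert "X-Client-Cert-CN" $client_cn
    } else {
        # Fails closed when the certificate event did not run on this connection.
        reject
    }
}
```

The back end should accept `X-Client-Cert-CN` only on connections that come from the BIG-IP, since the header carries no proof of its own.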