Forum Discussion

Philip_Lee_6609
Sep 21, 2007

SSL client certificate authentication

We have a web application (BigIP LTM -> iPlanet web servers -> WebSphere application server).

The web application requires client certificate authentication and HTTPS.

We want to terminate the SSL in the BigIP and would like to do the client certificate authentication in the web server. Is this possible? So far, I can't get it to work.

The other option is to turn on client certificate authentication in the BigIP and pass the client certificate to the web server. Of course, the client certificate authentication is turned on in the web server.

I have tried to turn off client certificate authentication in the web server, turn on client certificate authentication in the BigIP LTM and use an iRule to pass the client certificate in base64 format, but that doesn't work.

Any other options?

14 Replies

  • zafer
    How can I do this with SSL termination?

    I found some iRules for inserting it into a header, but they didn't solve my problem.

    Regards,

    zafer
  • Hi Zafer,

    Can you elaborate on what you're trying to accomplish, what you've tried and what is not working?

    You can use the client SSL profile's option for client cert to change how LTM handles client certs for a VIP. To require a client cert for all requests, set the client cert mode to require. Clients who make requests without a valid client cert will receive a TCP reset. If you want to handle this more gracefully, you can set the mode to request and then use SSL::verify_result to check the validity of the cert. You could then send an HTTP response to clients who do not present a valid cert.

    Aaron
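Aaron's suggestion above (client cert mode set to request, then SSL::verify_result checked in an iRule) and the header-passing idea in the original post fit together in one iRule. The following is an added example written for this thread; it is not code posted by any participant nor an iRule shipped by F5. The header name X-Client-Cert, the session-table timeout and the 403 response body are assumptions, and the iPlanet/WebSphere side is assumed to be configured to accept that header only from LTM.

```tcl
# Added example, not from the thread or from F5. Assumes the client SSL
# profile has client cert mode "request" (not "require") and a CA bundle
# configured, so the handshake completes even without a certificate and
# the iRule decides what happens next.

when CLIENTSSL_CLIENTCERT {
    # SSL::verify_result is 0 only when the presented chain validated
    # against the CAs on the client SSL profile. Anything else (no cert,
    # expired, untrusted issuer) is treated as "no valid cert".
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        # Keep the DER-encoded leaf certificate in the session table,
        # keyed by SSL session ID, so HTTP_REQUEST can find it. This event
        # does not fire on resumed TLS sessions, so the table is what
        # carries the result across requests. 3600 s timeout is assumed.
        session add ssl [SSL::sessionid] [SSL::cert 0] 3600
    } else {
        session add ssl [SSL::sessionid] "" 3600
    }
}

when HTTP_REQUEST {
    set cert [session lookup ssl [SSL::sessionid]]

    # Drop any client-supplied copy of the header first; the back end must
    # only ever see the value LTM itself inserts.
    HTTP::header remove "X-Client-Cert"

    if { $cert eq "" } {
        # Graceful HTTP error instead of the TCP reset "require" mode gives.
        HTTP::respond 403 content "A valid client certificate is required." \
            "Content-Type" "text/plain"
        return
    }

    # Base64 of the DER certificate is what header-based cert consumers
    # generally expect; header name is an assumption for this example.
    HTTP::header insert "X-Client-Cert" [b64encode $cert]
}
```

Once TLS terminates on LTM, the web server never sees the client's certificate at the TLS layer, so a header like this is the only channel by which it reaches the server; that is why the iRule strips the header from incoming requests before inserting its own, and why the back end should accept it only on connections that originate from LTM.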
  • zafer
    Sorry for the multiple messages, it's a browser bug.

    Aaron, I sent a new post.

    Regards,

    zafer