IK13_38276
Jun 18, 2010Nimbostratus
Handling Client Certificates
Hi guys,
Please excuse me if I'm posting to the wrong forum, and I'd appreciate if you point me in the right direction.
We want to employ client certificates in addition to our application user/password authentication for a two-factor authentication. The web site is configured for anonymous authentication and the user login is done solely by the application - application users not OS users. So the map between a client certificate and the application users is also maintained by the application.
We have scenarios with or without Big-IP LTM in the middle. Without, everything is fine. With...I'm having trouble understanding the available options that Big-IP LTM offers for working with client certificates. There's what I gather so far (please correct me or add something I missed):
1. Big-IP can be set as a forwarding router only and in this case it's pretty much the same (as far as the application server is concerned) as not being in the middle at all.
2. With SSL Termination there are two options:
2.1 Client->SSL->Big-IP->non-SSL->application server
2.2 Client->SSL->Big-IP->SSL->application server
Either way, since SSL is terminated at Big-IP, there's no way for the real client certificate to travel all the way to the application server, unless it is injected by an iRule as a custom HTTP header. Which means that the application has to be aware (by a config option for example) and act differently, based upon whether or not there's Big-IP in the middle.
Am I correct so far?
Another question - let's say we have 2.2 Client->SSL->Big-IP->SSL->Application Server
Does Big-IP provide an option to map the certificate coming from a client to another (client) certificate the Big-IP is to use (when acting as a client) to establish SSL connection to the application server?
This would allow the applicationnot not to care about the Big-IP and all it needs to happen is instead of mapping the real client certificates to the application users, to map the corresponding Big-IP certificates to the application users.
Thanks ahead.