Erki_Märks_2779
Aug 01, 2008 Nimbostratus
SSLRequire
Is there an option like SSLRequire in Apache for BIG-IP?
I would like to know if the following is possible in BIG-IP
SSLRequire %{SSL_CLIENT_I_DN_O} eq "test"
For each command you can see some examples about how it works
You could add a check of the issuer using X509::issuer (Click here).
Aaron
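One way to write the issuer check suggested above as an iRule (an added example, not code posted in this thread). It assumes the clientssl profile requests a client certificate and that X509::issuer returns a comma-separated DN; the sample DN in the comment is constructed.

```tcl
# Rough equivalent of: SSLRequire %{SSL_CLIENT_I_DN_O} eq "test"
# Assumption: X509::issuer returns a DN such as "CN=Test CA,O=test,C=EE"
# (constructed sample value; check the format your version returns).
when CLIENTSSL_CLIENTCERT {
    # No certificate presented: refuse the connection.
    if { [SSL::cert count] == 0 } {
        reject
        return
    }

    # The issuer DN is only meaningful if the chain verified against the
    # CA configured in the clientssl profile, so check the result first.
    if { [SSL::verify_result] != 0 } {
        log local0. "Client cert failed verification: [X509::verify_cert_error_string [SSL::verify_result]]"
        reject
        return
    }

    set issuer [X509::issuer [SSL::cert 0]]

    # Extract the O= attribute rather than substring-matching the whole DN,
    # so "O=test" does not also match "O=test2" or "OU=test".
    set issuer_o ""
    foreach rdn [split $issuer ","] {
        set rdn [string trim $rdn]
        if { [string match "O=*" $rdn] } {
            set issuer_o [string range $rdn 2 end]
            break
        }
    }

    if { $issuer_o ne "test" } {
        log local0. "Client cert rejected, issuer: $issuer"
        reject
    }
}
```

This rejects certificates after the client has already picked one; it does not change which certificates the browser offers in its selection list.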
means that only the cert with SSL_CLIENT_I_DN_O eq "test" is displayed in the cert list, when client certificate is asked. So you won't have to scroll the window and search the cert from a long list.
I haven't tested these options much. If they don't work, you could try opening a case with support or replying here.
Aaron
You can contact F5 Support via the following phone numbers (Click here), email (emailclerk@f5.com) or via the https://websupport.f5.com page. If/when you do find a solution, could you post back here for everyone's benefit?
Thanks,
Aaron
So how to turn on the Advertised Certificate Authorities option here?
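# $uri must already be set earlier in the iRule (not shown in this post)
if { $uri starts_with "/idauth" } {
    # Hold the HTTP request while the SSL renegotiation takes place
    HTTP::collect
    # Ask for and require a client certificate, verifying up to 3 levels of the chain
    SSL::authenticate always
    SSL::authenticate depth 3
    SSL::cert mode require
    # Start a new handshake so the settings above take effect
    SSL::renegotiate
}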
profile clientssl idauth_optional {
    defaults from clientssl
    key "web.key"
    cert "web.crt"
    ca file "id_ee.crt"
    client cert ca "id_ee.crt"
    peer cert mode ignore
}
Does anyone else have ideas on how to configure this option via the GUI or in an iRule? If not, I'd suggest going back to F5 Support and asking them for a supported method for configuring this.
Aaron