I wonder what security you gain by restricting iControl calls with a client cert if the admin GUI doesn't require a client cert. If an attacker were able to get to a host which can run the iControl app, couldn't they also just log into the GUI from that same host?
I think the VIP and iRule approach would only work if you have a GTM/LTM combo unit as you can't define standard LTM VIPs/iRules for load balancing on a GTM-only unit.
The iControl API is handled on the same httpd instance as the admin GUI. If you have GTM-only units, I wonder if you could modify the httpd.conf to listen on a separate port and use a separate virtual host which requires a client cert.
This is the default vhost for iControl from a 9.4.8 unit:
from: /etc/httpd/conf/httpd.conf
### Section 3: Virtual Hosts
VirtualHost:
LoadModule jk2_module modules/mod_jk2.so
LoadModule fastcgi_module /usr/lib/httpd/modules/mod_fastcgi.so
AddHandler fastcgi-script .fcgi
FastCgiIpcDir /var/run/fcgi
FastCgiServer /usr/local/www/iControl/iControlPortal.cgi -processes 1 -socket iControlPortal -idle-timeout 300
SetHandler fastcgi-script
FastCgiServer /usr/local/www/emupdate/getfile
SetHandler fastcgi-script
FastCgiServer /usr/local/www/emupdate/subscription
SetHandler fastcgi-script
from: /etc/httpd/conf.d/ssl.conf
#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
SSLVerifyClient require
SSLVerifyDepth 10
In 9.4.2+ you'd want to make the changes to the httpd.conf through the bigip_sys.conf following the steps outlined in this article on customizing the syslog config.
LTM 9.4.2+: Custom Syslog Configuration
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=155
Aaron
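The separate-vhost idea from the post above, spelled out as an added illustration that is not F5's shipped httpd.conf and not taken from the thread: a second SSL virtual host on its own port that exposes only the iControl FastCGI endpoint and demands a client certificate, while the admin GUI vhost on 443 keeps its default SSLVerifyClient none. The port number (8443), the certificate and CA file paths, and the DNs in the SSLRequire line are assumptions; substitute whatever the unit actually uses.

```apache
# Added example, not F5's stock configuration. Port, certificate paths,
# CA file and the DN values below are assumptions for illustration.

Listen 8443

<VirtualHost _default_:8443>
    ServerName bigip.example.com

    SSLEngine on
    # Same server cert/key the 443 vhost uses (assumed paths).
    SSLCertificateFile    /config/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /config/httpd/conf/ssl.key/server.key

    # CA that issued the iControl client certificates (assumed path).
    # Only certs chaining to this CA will pass the verify step.
    SSLCACertificateFile  /config/httpd/conf/ssl.crt/icontrol-client-ca.crt

    # Require a client certificate for everything on this port.
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Deny everything on this vhost by default so the admin GUI,
    # emupdate handlers, etc. are not reachable through it.
    <Location />
        Order deny,allow
        Deny from all
    </Location>

    # Re-open only the iControl portal. The FastCgiServer line for
    # iControlPortal.cgi stays in the global section of httpd.conf;
    # this block only routes requests on 8443 to that handler.
    <Location /iControl/iControlPortal.cgi>
        Order allow,deny
        Allow from all
        SetHandler fastcgi-script
        SSLRequireSSL
        # Pin to the issuing CA and organisation (assumed DN values),
        # so a cert from some other trusted CA is still rejected.
        SSLRequire %{SSL_CLIENT_I_DN_CN} eq "iControl Client CA" and \
                   %{SSL_CLIENT_S_DN_O}  eq "Example Corp"
    </Location>
</VirtualHost>
```

Two checks before relying on it: `openssl s_client -connect bigip:8443` with no `-cert`/`-key` should fail the handshake, while the same command with the client cert and key should reach the portal, and `openssl s_client -connect bigip:443` should still complete without a client cert, confirming the GUI vhost is untouched. As the post notes, on 9.4.2+ httpd.conf is regenerated, so this fragment belongs in bigip_sys.conf rather than edited directly; the new port also has to be permitted by the self-IP port lockdown or management firewall rules before anything outside the box can reach it.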