Forum Discussion

COMMS-CORE_1795
Dec 15, 2015

Manage SSL Certificate

Hi all,

Currently I have the following configuration in my F5-LTM:

VS_HTTPS POOL_HTTPS x.x.x.x:443 x.x.x.x_443

In my web browser I have installed 2 certificates.

When I access a URL, the browser lets me choose the certificates. When I accept the certificates (they are test certificates) I can validate with my servers and I can enter my application.

But my problem appears when I use an iRule X-FORWARD-FOR (with an HTTP profile in the VS configuration). At that point the configuration would be:

VS_HTTPS iRULE_X_FORWARD_FOR POOL_HTTPS x.x.x.x:443 x.x.x.x_443

When I add the iRule, my browser doesn't show me the certificates and I cannot access my application.

Please, can you help me?

BR

 

1 Reply

  • Hi BR,

    It sounds to me like you're using a layer 4 virtual in the first scenario, where the certificates are bound to the real servers and the mutual SSL handshake is performed between your client and the real servers. But in the second scenario you are switching to a layer 7 virtual and moving the initial SSL termination to your F5?

    If this is the case, then the SSL authentication would just fail, since the F5 simply can't pass the SSL handshake to the real server. Unfortunately there isn't an easy solution for this behavior. It would require revisiting the entire authentication mechanism to perform pre-authentication and some sort of credential delegation (e.g. X-Forwarded-User, Kerberos Delegation, etc.)...

    Cheers, Kai
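
An added example, not part of the reply above and not F5's own code: one way the pre-authentication with an X-Forwarded-User header mentioned in the reply could look as an iRule, with the BIG-IP validating the client certificate and handing its subject to the servers. It assumes the virtual server has an HTTP profile and a client SSL profile set to request a client certificate against a trusted CA, and that each connection performs a full handshake (a resumed session may not raise CLIENTSSL_CLIENTCERT); the variable name client_subject is illustrative.

```tcl
# Added example (assumptions: client SSL profile requests a client
# certificate and has a trusted CA configured; HTTP profile attached).

when CLIENTSSL_CLIENTCERT {
    # Fires once the client has presented its certificate in the handshake.
    set client_subject ""
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        # Verify result 0 means the chain validated against the trusted CA.
        set client_subject [X509::subject [SSL::cert 0]]
    }
}

when HTTP_REQUEST {
    # Remove any copies of these headers sent by the client, so the
    # servers only ever see values written by the BIG-IP.
    HTTP::header remove "X-Forwarded-User"
    HTTP::header remove "X-Forwarded-For"

    # No validated certificate on this connection: refuse the request
    # instead of forwarding it without an identity.
    if { ![info exists client_subject] || $client_subject eq "" } {
        HTTP::respond 403 content "Client certificate required"
        return
    }

    # Delegate the authenticated identity and the client address.
    HTTP::header insert "X-Forwarded-User" $client_subject
    HTTP::header insert "X-Forwarded-For" [IP::client_addr]
}
```

The servers have to accept X-Forwarded-User only on connections that come from the BIG-IP, because the header now stands in for the certificate as proof of identity.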