Forum Discussion

smilanko_261688
Jun 14, 2016

Prompt for certificates APM

My scenario:


I am attempting to prompt the user for the certificate he wishes to use to authenticate himself to my application. From the certificate, all that I care about is the username within it, e.g. CN=joeBob. My plan is then: 1) user inserts CAC 2) F5 prompts for a certificate 3) parse the certificate and grab the username 4) do some AD query with that username


I am stuck on the first part of the problem, step 2, where I cannot seem to prompt the user for a certificate. Here is how my APM policy looks:


On-Demand Cert Auth is set to 'Require'


My virtual server is set to use a tomcat client cert and the default SSL cert for the server. (I am doing this because the client cert being presented to the user is from the application server hosting my application; the user should still validate that they are connecting to the right place.) The default SSL cert is the one I am using to ensure traffic is encrypted between tomcat and F5.


Here is a picture of how my client profile looks:


The problem: with this combination, the user is never prompted to select the certificate that they wish to identify with. What am I doing wrong?
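As an added example, not from the original thread: once the F5 hands the application the client certificate's subject DN (step 3 of the plan above), the CN still has to be extracted correctly, and the value must be treated as untrusted input before it is dropped into the AD query of step 4. This Python code assumes the subject arrives as an RFC 4514 string such as `CN=joeBob,OU=Users,DC=example,DC=com` (APM exposes it in a session variable; the variable name is not shown on this page); the sample subjects are constructed.

```python
from typing import List, Optional, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN string into (attribute, value) pairs.

    Backslash escapes are honoured (single-character form only, e.g. "\\,"),
    so a comma inside a value does not split the RDN. Both "," and "+"
    (multi-valued RDN) are treated as separators.
    """
    pairs, key, buf, i = [], None, [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == "=" and key is None:           # first "=" ends the attribute type
            key, buf = "".join(buf).strip(), []
        elif c in ",+":                        # end of this attribute/value pair
            pairs.append((key or "", "".join(buf).strip()))
            key, buf = None, []
        else:
            buf.append(c)
        i += 1
    if key is not None:
        pairs.append((key, "".join(buf).strip()))
    return pairs


def cn_from_subject(subject: str) -> Optional[str]:
    """Return the first CN value, or None when the DN has no CN (fail closed)."""
    for attr, value in parse_dn(subject):
        if attr.upper() == "CN":
            return value
    return None


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515), so a
    crafted CN cannot change the meaning of the AD query (LDAP injection)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_ad_filter(subject: str) -> Optional[str]:
    """Build the AD lookup filter for step 4, or None if no CN was present."""
    cn = cn_from_subject(subject)
    if cn is None:
        return None
    return "(&(objectClass=user)(sAMAccountName=%s))" % ldap_filter_escape(cn)
```

A subject with no CN yields `None`, which the caller should treat as "do not look anything up" rather than falling back to a default account.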


3 Replies

  • Hi,


    You can set your client SSL profile to require and add a client inspection block in the VPE. It should work fine. On-Demand Cert Auth is a particular use case where you need certificate authentication after a login page and AD auth, for example.


  • wonsoo_41223
    Historic F5 Account

    I think it would be better to post this in the APM section instead of the iRules section.


    1. Move the CA certificate (tomcat-cert) from "CA Certificate" in the SSL Forward Proxy section to "Trusted Certificate Authorities" in the Client Authentication section.


    2. My understanding is that "On-Demand Cert Auth" can trigger a request for the client side to present a client certificate by initiating a new SSL session. It doesn't matter if "ignore" is set in the Client Certificate field. The best way to troubleshoot this case is to capture a tcpdump to check the SSL handshake. In some cases, the browser silently provides a client certificate without a prompt.


    * https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/16.html


    3. For UPN value extraction, check this URL:


    * https://support.f5.com/kb/en-us/solutions/public/17000/000/sol17063.html


    4. If the APM policy is changed, please update the policy by clicking "Apply Access Policy". Otherwise the old policy will still be running in the APM access profile.


  • tjp
    Nimbostratus

    Try changing the Client Certificate setting to "require" instead of "ignore".