Forum Discussion

Ted_Waller_01_1's avatar
Ted_Waller_01_1
Icon for Altocumulus rankAltocumulus
Feb 13, 2017
Solved

Client SSL Authentication - AWS API Gateway

I'm looking at utilizing AWS API Gateway for some of our services. The implementation so far takes an API defined on the AWS Gateway, and then proxy that traffic to an F5 external endpoint, which routes it accordingly to the correct services within our environment. AWS API Gateway provides a Client Certificate feature (http://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html) which we'd like to use, but the feature-set is not very rich at this point. As I understand it, F5 does offer this type of service, but from what I've gleaned with my testing...it requires a real certificate (and more importantly an actual signing CA), which AWS does not provide in this context. Does anyone know of a way to bypass the normal certificate checks? The idea would be to require a client-certificate and then validate via a subject and serial number match, and if they don't reject.

 

I did try importing the self-signed certificate and use that as the "CA" in this case, but it didn't pass validation.

 

Thanks.

 

cloud
iRules
LTM
  • Ted_Waller_01_1's avatar
    Ted_Waller_01_1
    Feb 20, 2017

    Turns out I mainly just fat fingered the actual SSL configuration, and AWS API Gateway doesn't provide a nice error when it simply can't validate the initial chain applied to a virtual server. Overall, this worked as expected. Import the client certificate created on AWS into the F5, use it to be the "Trusted Certificate authority" for Client authentication on the SSL profile, and voila. Future enhancements on AWS would make this simpler, but for now it does work.

     

5 Replies

Sort By
  • Ted_Waller_01_1's avatar
    Ted_Waller_01_1
    Icon for Altocumulus rankAltocumulus
    Feb 20, 2017

    Turns out I mainly just fat fingered the actual SSL configuration, and AWS API Gateway doesn't provide a nice error when it simply can't validate the initial chain applied to a virtual server. Overall, this worked as expected. Import the client certificate created on AWS into the F5, use it to be the "Trusted Certificate authority" for Client authentication on the SSL profile, and voila. Future enhancements on AWS would make this simpler, but for now it does work.

     

  • LB_Admin_133366's avatar
    LB_Admin_133366
    Icon for Nimbostratus rankNimbostratus
    Aug 11, 2017

    Hi Ted,

     

    Could you let me know detailed steps on accomplishing this as I am also trying to do mutual authentication with AWS API gateway.

     

    Thanks, Tanuj.

     

    • Ted_Waller_01_1's avatar
      Ted_Waller_01_1
      Icon for Altocumulus rankAltocumulus
      Aug 11, 2017

      Tanuj,

       

      It's actually not too hard! What we did was the following:

       

      1) We generated a Client Certificate (an option within API Gateway administration). 2) I imported this certificate into our F5. 3) Then I created an external endpoint on our F5. 4) I then created an SSL client-profile that had the certificate key chain defined that supported the endpoint created above (in our case it was a wildcard certificate). But also within that profile I defined a few settings in the "Client Authentication" block of the SSL profile as follows:

       

      a) Client Certificate: require b) Frequency: once c) Trusted Certificate Authorities:

       

      5) Once that was done, I assigned this profile to the F5 endpoint. It now functions, but only if you use client authentication that matches the certificate we applied.

       

      6) Finally, in API Gateway you go to one of your APIs, select Stage, then select the root, and in the Settings tab of the stage, you scroll down and can select the Client Certificate to use for that API.

       

      So long as your API resources are configured to talk to your F5 endpoint created above, and your Client Certificate is set up on both the SSL profile + Stage, you should be good to go!

       

      Good luck!

       

      Ted

       

    • LB_Admin_133366's avatar
      LB_Admin_133366
      Icon for Nimbostratus rankNimbostratus
      Aug 11, 2017

      Thank you for your prompt response Ted. Will follow the steps and keep you posted.

       

  • KashifS_243275's avatar
    KashifS_243275
    Icon for Nimbostratus rankNimbostratus
    Sep 13, 2018

    Hello Ted, A couple of quick questions, Do you mean a VS by "external endpoint"? Also from the steps it looks like you may have used two separate certs for this VS, one to create a SSL profile for the VS for decryption and the second one generated at the AWS API gateway to force client authentication? am i wrong? I am trying to set something similar up and wasn't quite sure on a couple of things.