Forum Discussion

Feb 14, 2020

Big-IP - Client Certificate

Hello,


We're currently setting up an API on a Microsoft Service Fabric cluster (see below). Clients will be sending requests to the API with their own client certificate (which is subject to change from time to time) and we need to pass the cert down to the cluster as part of the HTTP request. Does anyone know how we might do this? If we take the Big-IP out of the loop and hit the cluster directly it works.

https://test-api.abc.com > Big-IP VS(443) > Big-IP Pool > SF Cluster:8400


Thank you for your help!

5 Replies

  • Hi,

    can you post the current VIP configuration?

    Do you need to balance traffic based on parameters of the HTTP protocol (hostname, url, etc)?


  • Hello,

    The traffic flows like below. Right now it just has a default http profile and a *.abc.com cert profile attached. Clients will be connecting with their own cert and I need to pass that cert down to the cluster.

    https://test-api.abc.com > Big-IP VS(443) > Big-IP Pool > SF Cluster:8400

    Thank you,

  • The simplest solution would be to remove the http profile and the client certificate, perform a simple TCP load balance and change the type of VIP to Performance (Layer 4).

    Then install the certificate (wildcard) on the individual pool members.

    In the current configuration you have 2 separate SSL connections. I can't imagine how you could impersonate the client; among other things you don't have the private key related to the client certificate.

    Angelo

  • The Service Fabric nodes are just a round-robin pool listening on port 8400. The Big-IP VS has an SSL profile with *.abc.com attached. Our clients are calling the endpoint https://test-api.abc.com in their code, and the Big-IP VS SSL profile handles the SSL offload for https://test-api.abc.com. In the client's request they'll pass their own unique cert, which then must be passed down to the SF cluster our API is listening on. Our API has a library of unique client certs that it will be listening for to validate the request. When we test with the Big-IP with Postman and inspect the traffic we can see the client cert is not being passed. When we take the Big-IP out of the loop we can see it being passed.

    https://test-api.abc.com > Big-IP VS(443) > Big-IP Pool > SF Cluster:8400

  • To request the certificate from the client it should be sufficient to configure the Client Authentication section of the Client SSL profile: https://support.f5.com/csp/article/K14783#4

    You need to bundle the CAs that issue client certificates.

    You must set the "Client Certificate" field to require or request, and the "Trusted Certificate Authorities" and "Advertised Certificate Authorities" fields to the CA bundle.

    But I have no idea how you can pass it on to the pool members.
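As an added example (not from the thread or from F5's documentation), here is the tmsh equivalent of the Client Authentication settings described in the last reply, applied to the wildcard Client SSL profile already attached to the virtual server. The profile name and CA-bundle file name are placeholders, and the attribute names are assumed from the tmsh client-ssl schema (peer-cert-mode = "Client Certificate", ca-file = "Trusted Certificate Authorities", client-cert-ca = "Advertised Certificate Authorities"); this only makes the BIG-IP request and validate the client certificate, it does not deliver it to the pool members.

```tmsh
# Constructed example: placeholder names, not values from the thread.
#   wildcard_abc_clientssl  - the existing *.abc.com Client SSL profile
#   client_ca_bundle.crt    - bundle of the CAs that issue the client certs
#                             (imported first, e.g. via System > Certificate Management)

# "Client Certificate" = require (use "request" to accept connections
# without a cert, and decide what to do about that elsewhere).
# "Trusted Certificate Authorities" = ca-file
# "Advertised Certificate Authorities" = client-cert-ca
modify ltm profile client-ssl wildcard_abc_clientssl \
    peer-cert-mode require \
    ca-file client_ca_bundle.crt \
    client-cert-ca client_ca_bundle.crt \
    authenticate once

# Confirm what the profile now enforces on the client-side TLS handshake.
list ltm profile client-ssl wildcard_abc_clientssl peer-cert-mode ca-file client-cert-ca

# Persist the change.
save sys config
```

Because the BIG-IP terminates the client-side TLS session, the certificate is validated at the BIG-IP only; the second TLS connection to SF Cluster:8400 is a new handshake without the client's private key, which is why the cluster never sees the cert.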