Forum Discussion

sandy16
Sep 06, 2012

Authentication name in server ssl profile

Hi, I am kind of stuck while trying to configure a server SSL profile.

Under the "Server Authentication" section, I selected "Require" for Server Certificate. As I want the SSL communication to be secure, I need to include the CN for the server under the "Authenticate Name" section. The problem is that I have 2 servers that are load-balanced. If I include both their CNs separated by a comma, the VIP fails on me.

I also tried a wildcard like "*.domain.com"; although it took the change, the VIP failed on me again.

I cannot do 2 separate server SSL profiles for the VIP so that I can refer to each server's CN under Authenticate Name in its own SSL profile.

How can I solve this issue? Please advise ...

 

3 Replies

  • Hi

    Have you considered applying a server-side cert on the VIP instead of trying to configure Server Auth? If you are only trying to keep data encrypted, this will do that for you.

    Can you try it with no entry? "A blank Authenticate Name field means that everyone is authenticated, even though you have specified Require as the Server Certificate setting."
  • as ferg is already asking, what are you trying to accomplish, just encryption or also authentication of the server via a specific certificate?
  • I see this is a few years old, but I am going down a similar path. I need to determine trust for the server, but the server may change, so the server name will change.

    It appears I could use an iRule and change the SSL::profile to match appropriately. But in my case the settings are all the same for the profile. The difference is that I want to plug in the correct server name (what I'm expecting the certificate to return as).

    I want to validate the server so I can establish trust: require a certificate; if expired, drop; if untrusted, drop. And then, yes, we could allow any name, but trust should definitely check that the name is what is expected (any browser will do that!).

    Cases where I see this happening are farms of servers that do not share a common certificate. In most cases here the application servers all have their own internal PKI-issued certificates. We trust the PKI and expect these to match. If they don't, somebody moved something or ...

    I would really like to avoid having to define a server SSL profile for each of these servers, but use a single one and define the authenticate name. Perhaps this can be returned in an iRule for me to match. I will dig into that.

    Thanks all...
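The SSL::profile approach mentioned in the last reply, written out as an added example (not code from anyone in this thread or from F5). It assumes one virtual server with a server SSL profile already attached, two pre-created server SSL profiles whose only difference is the Authenticate Name value, and placeholder member addresses and profile names; none of those names come from the thread.

```tcl
# Added example, not from the thread. Assumed objects (placeholders):
#   serverssl_app1 : Server Certificate = Require, Authenticate Name = app1.internal.example
#   serverssl_app2 : Server Certificate = Require, Authenticate Name = app2.internal.example
#   pool members   : 10.0.0.11 (app1) and 10.0.0.12 (app2)
# One of the two profiles must already be attached to the virtual server;
# the iRule only swaps between profiles that exist, it cannot edit
# Authenticate Name on the fly.
when SERVER_CONNECTED {
    # Choose the profile whose Authenticate Name matches the certificate
    # we expect from the member the load balancer just picked.
    switch [LB::server addr] {
        "10.0.0.11" { SSL::profile serverssl_app1 }
        "10.0.0.12" { SSL::profile serverssl_app2 }
        default {
            # A member with no mapped profile would otherwise be checked
            # against the wrong name (or, with a blank Authenticate Name,
            # against no name at all), so fail closed and log it.
            log local0.warn "No server SSL profile mapped for member [LB::server addr]; rejecting"
            reject
        }
    }
}
```

Each pool member still gets exactly one expected name, which is what the first post was trying to achieve with a comma-separated list; the per-profile mapping just moves that choice into the iRule. The default branch is the part worth keeping: a member that is added later without a mapping is rejected instead of quietly passing with whatever name the current profile expects.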