APM Machine Tunnel - Machine Cert Auth Check Failing

Question

I have an APM policy configured, with the initial check being 'client type' for a machine tunnel or edge client. After that there is a Machine cert auth check for both edge client and machine tunnel connections, this is identical for both type of client. The machine cert check is successful when the client connects using the edge client, however it is failing when the machine tunnel connection tries to connect.

Is there any difference in what the machine cert check does for a machine tunnel and edge client?

The f5mcertcheck logs from the client shows exactly the same behaviour for the machine tunnel and edge client checks.

One thing I'm not sure about is whether I need to configure the client as per the documentation below, seems to suggest this is for on-demand cert auth?

Does the client need this configuration for machine cert check also?

https://techdocs.f5.com/en-us/edge-client-7-2-1/big-ip-access-policy-manager-edge-client-and-application-configuration-7-2-1/big-ip-edge-client-for-windows.html#configuring_client_certificates_for_machine_tunnel_authentication

Configuring client certificates for machine tunnel authentication

When you configure client certificates for the machine tunnel service, you specify the location where the certificates are stored. For on-demand certificate authentication, the F5 Machine Tunnel service can select client certificates present in the service account or from the local computer.

Service Account: To select a service account as the certificate store, the F5 Machine Tunnel service should be installed on the client system. This store is local to the f5MachineTunnelService on the device.

Local computer: Selecting a local machine store as the certificate store does not require the F5 Machine Tunnel service to be installed. You can specify the location of the client certificate on the local machine.

John

jjm1971 · Answer

Update......done further testing today and configured the client to use the local machine store which is where the client cert is and no difference.  The client logs show it is looking in the right place and can see the certificate, however the APM is reporting an errors and the check is failing with 'session.check_machinecert.last.result' set to '-2'

rickmyers · Answer

I am also having the same issue. &nbsp;Did you ever figure out what the issue is?

russell_moore · Answer

It really isn't clear in the documentation, but Machine Certificate Authentication (MCA) isn't compatible with Machine Tunnels. To authenticate client certificates with Machine Tunnels, you would use On-Demand Certificate Authentication (ODCA) instead of MCA.&nbsp;
ODCA requires that you conifgure a CA on the F5 that can validate the client certificate. This CA would be configured in a ClientSSL profile for the VIP and set as the CA and Advertised CA. The profile would b set to "ignore" client certificate validation. Within the APM policy you define "ODCA" for authentication of the Machine Tunnel client type.
Russell
&nbsp;

Forum Discussion

APM Machine Tunnel - Machine Cert Auth Check Failing

3 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

Related Content

F5 BIG-IP Access Policy Manager (APM) Machine Tunnels for Windows

Zero Trust building blocks - Machine Identity Management (MIM) and Workload Protection

Migration F5-DNS-VM from a Virtual Machine to other Virtual Machine

Ubuntu Virtual Machine for NGINX Microservices March 2022 Labs

Session persistence based on http header for machine to machine calls