
linuxaddicted.de

Linux | Dev | Ops

BigIP Client Certificates

This howto will show you how to use client certificates to authenticate against applications hosted by a BigIP loadbalancer. You may find this howto (or parts of it) on ask.f5.com, as there was no documentation on this topic before; I forwarded it to F5 some time ago. This is the only way to use client certificates without purchasing addon modules from F5.

Purpose

If you host a website/application which should only be accessible by some users, you may have already thought about client certificates. Because the loadbalancer rejects the TLS handshake of anyone without a valid certificate, brute force attacks against the login panel never reach it. This increases the overall application security by adding another layer a user must pass.

The mapping between certificates and access rights is based on an LDAP directory.

Overview

The loadbalancer reads the CN from the client certificate and searches the LDAP group defined for the virtual server for a matching entry. The loadbalancer verifies the CA chain and CRLs before the lookup takes place.

LDAP Setup

Example LDAP tree
dc=company,dc=com
   /         \
  /           \
...      ou=datacenter
           /        \
          /          \
        ...       ou=webauth
                   /    \
                  /      \
            ou=users    ou=groups

User & Group LDIF

Here are two LDIF examples for users and groups:

User LDIF
dn: cn=Example User,ou=users,ou=webauth,ou=datacenter,dc=company,dc=com
cn: Example User
sn: Example User
objectClass: person
description: It's just an example user
Group LDIF
dn: cn=Example Group,ou=groups,ou=webauth,ou=datacenter,dc=company,dc=com
cn: Example Group
objectClass: posixGroup
description: Group is allowed to connect to BigIP's VHOST secure.company.com
memberUid: cn=Example User,ou=users,ou=webauth,ou=datacenter,dc=company,dc=com
memberUid: cn=Example User No2,ou=users,ou=webauth,ou=datacenter,dc=company,dc=com
gidNumber: 145

The “memberUid” has to match the certificate's CN exactly, because this is the key the BigIP is looking for.
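To make the lookup concrete, here is an added example (not code from the original post and not F5's implementation) that models, offline, the decision the BigIP takes with the configuration described in this howto: Search Type “User”, User Key “cn”, Group Member Key “memberUid”. The two-step reading (find the user entry whose cn equals the certificate CN under the user base DN, then check whether that user's DN is listed as a memberUid of the valid group) is this example's interpretation of those settings; the LDIF is the one from the post, embedded as constructed sample data, and the base DN constants mirror the configuration table below. The certificate CN is passed in as a string, standing in for the CN the loadbalancer reads from an already verified client certificate.

```python
"""Offline model of the BigIP "SSL Client Certificate LDAP" lookup.

Added example, not F5 code. Assumes: Search Type = User, User Key = cn,
Group Member Key = memberUid (the settings used in the howto).
"""
from typing import Dict, List, Optional

# Constructed sample directory: the two LDIF entries from the post.
LDIF = """\
dn: cn=Example User,ou=users,ou=webauth,ou=datacenter,dc=company,dc=com
cn: Example User
sn: Example User
objectClass: person
description: It's just an example user

dn: cn=Example Group,ou=groups,ou=webauth,ou=datacenter,dc=company,dc=com
cn: Example Group
objectClass: posixGroup
description: Group is allowed to connect to BigIP's VHOST secure.company.com
memberUid: cn=Example User,ou=users,ou=webauth,ou=datacenter,dc=company,dc=com
memberUid: cn=Example User No2,ou=users,ou=webauth,ou=datacenter,dc=company,dc=com
gidNumber: 145
"""

# Values from the "Authentication Configuration" table of the howto.
USER_BASE_DN = "ou=users,ou=webauth,ou=datacenter,dc=company,dc=com"
GROUP_BASE_DN = "ou=groups,ou=webauth,ou=datacenter,dc=company,dc=com"
VALID_GROUP = "Example Group"

Directory = Dict[str, Dict[str, List[str]]]


def parse_ldif(text: str) -> Directory:
    """Parse the simple LDIF subset above (no line folding, no base64 values)
    into a dn -> {attribute: [values]} mapping."""
    directory: Directory = {}
    for block in text.strip().split("\n\n"):
        entry: Dict[str, List[str]] = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        directory[entry["dn"][0]] = entry
    return directory


def find_entry_dn(directory: Directory, base_dn: str, key: str, value: str) -> Optional[str]:
    """Subtree search below base_dn for an entry whose `key` attribute equals
    `value`. cn uses LDAP's case-insensitive matching, so compare lower-cased
    (a simplification of real DN/attribute matching rules)."""
    for dn, entry in directory.items():
        under_base = dn.lower().endswith("," + base_dn.lower())
        if under_base and any(v.lower() == value.lower() for v in entry.get(key, [])):
            return dn
    return None


def is_authorized(directory: Directory, cert_cn: str, valid_group: str) -> bool:
    """Return True only if a user entry with cn == cert_cn exists under the user
    base AND the valid group lists that user's DN as a memberUid."""
    user_dn = find_entry_dn(directory, USER_BASE_DN, "cn", cert_cn)
    if user_dn is None:
        return False  # certificate CN is unknown to the directory
    group_dn = find_entry_dn(directory, GROUP_BASE_DN, "cn", valid_group)
    if group_dn is None:
        return False  # misconfigured "Valid Groups" value: deny by default
    members = directory[group_dn].get("memberUid", [])
    return any(m.lower() == user_dn.lower() for m in members)


def decide(cert_cn: str) -> bool:
    """Convenience wrapper: decision for one certificate CN against the sample data."""
    return is_authorized(parse_ldif(LDIF), cert_cn, VALID_GROUP)


if __name__ == "__main__":
    for cn in ("Example User", "Example User No2", "Stranger"):
        print(f"{cn!r}: {'allow' if decide(cn) else 'deny'}")
```

Note the second case: “Example User No2” appears as a memberUid in the group LDIF of the post but has no user entry under ou=users, so in this model the user search fails and the connection is denied; the memberUid value alone is not enough, the corresponding user entry must exist as well.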

BigIP Configuration

Authentication Configuration

As a first step we create a new “Authentication Configuration”. Just open the web frontend and navigate to:

Local Traffic → Profiles → Authentication → Configuration

You have to create a new config for every virtual host you want to secure. This is forced by the LDAP group used, because each config can only use one group. Here's an example configuration:

Authentication Configuration
Parameter        | Value
==========================================================================
Hosts            | 1.2.3.4
Search Type      | User
User Base DN     | ou=users,ou=webauth,ou=datacenter,dc=company,dc=com
User Key         | cn
Admin DN         | DN for binding
Admin Password   | Bind password
Group Base DN    | ou=groups,ou=webauth,ou=datacenter,dc=company,dc=com
Group Key        | cn
Group Member Key | memberUid
Valid Groups     | Corresponding LDAP group

Authentication Profile

The next step is to create a profile which uses the newly created configuration. You need a profile for every configuration. Navigate to

Local Traffic → Profiles → Authentication → Profiles

Authentication Profile
Parameter      | Value
==========================================================================
Type           | SSL Client Certificate LDAP
Parent Profile | ssl_cc_ldap
Mode           | Enabled
Configuration  | NAME OF CONF JUST CREATED

CA Upload

If your CA certificate(s) have not been installed it’s time to do so.

Local Traffic → SSL Certificates → Import

SSL Profiles

To use SSL at all (with or without client certificates) you need an SSL profile. Navigate to

Local Traffic → Profiles → SSL → Client

Create a new profile based on “clientssl” or one of your already defined profiles.

SSL Client
Parameter                          | Value
==========================================================================
Chain                              | CompanyBundle
Trusted Certificate Authorities    | CompanyBundle
Client Certificate                 | require
Frequency                          | always
Advertised Certificate Authorities | CompanyBundle

Virtual Host Configuration

You may create a new virtual host or modify an existing one. Navigate to

Local Traffic → Virtual Servers

Modify the following parameters (if you already used SSL in this vhost):

Virtual Servers
Parameter               | Value
==========================================================================
SSL Profile (Client)    | Profile created earlier
Authentication Profiles | Profile created earlier

That’s it!

Import your client certificates to your browser and enjoy your secure connection.

If you have any trouble don’t hesitate to contact me: daniel {A_T} linuxaddicted {D_O_T} de
