Application Delivery (ADX)

SSL Client Authentication

by Yasir_Liaqatullah on 07-07-2009 08:00 PM - edited on 10-31-2013 03:32 PM by bcm1

Synopsis

      We want to enable SSL client-certificate authentication on the ServerIron, so that it only accepts SSL connections from clients presenting a certificate signed by a CA we trust.

 

Discussion

The requirement is that when a client connects to the ServerIron's SSL virtual server, the ServerIron requests a client certificate and verifies it against a configured CA (root) certificate. Connections with no certificate, or with a certificate that does not verify, are rejected.

Required Certificates

      The following certificates are required to enable the client-authentication functionality (the SSL profile keyword that references each one is given in brackets):

 

1. Server Certificate: the usual server certificate in the SSL profile (certificate-file)
2. Server Certificate Key: the private key corresponding to the server certificate (keypair-file)
3. CA Certificate: the certificate of the CA that signed the client certificates; the ServerIron uses it to verify the certificate each client presents (ca-cert-file)

 

      In addition to the above, it is assumed that a client certificate signed by that CA has already been issued and installed, together with its private key, on the client.

 

Topology

     [Figure: Client_auth.jpg]

 

 

Configuration

    ssl profile verisign128
      keypair-file verisign128key
      certificate-file verisign128cert
      cipher-suite all-cipher-suites
      enable-certificate-chaining
      verify-client-cert per-connection require
      ca-cert-file level_0.pem
      session-cache off
    !
    server source-nat-ip 10.45.4.250 255.255.255.0 10.45.4.254 port-range 2
    server source-nat-ip 10.45.4.251 255.255.255.0 10.45.4.254 port-range 2 for-ssl
    !
    server real rs13 10.45.4.13
      source-nat
      port http
      port http url "HEAD /"
      port 8081
    !
    server real rs14 10.45.4.14
      source-nat
      port http
      port http url "HEAD /"
      port 8081
    !
    server virtual vip1 10.45.4.240
      port http
      bind http rs13 http rs14 http
      port ssl sticky
      port ssl ssl-terminate verisign128
      bind ssl rs13 8081 real-port http rs14 8081 real-port http
    !
    ip address 10.45.4.239 255.255.255.0

Verification

The command "show ssl authentication-stat", run on the SSL module (reached with "rconsole" as shown below), displays the client-authentication counters. In the output below, 23 certificates were verified: 20 succeeded and 3 failed, all three because the certificate was not yet valid at the time the ServerIron checked it (see Tips and Caveats).

 

    SSL# rconsole 1 1
    SSL1/1#sho ssl authentication-stat
    SSL certificate verification counters:
                      Success :         20                    Failure :          3
                 Unknown user :          0           Signature failed :          0
          Certificate expired :          0        Certificate revoked :          0
          Cert not yet valid  :          3      Cert signature failed :          0
    Issuer pubkey decode fail :          0           Self signed cert :          0
        Issuer cert not found :          0    Subject Issuer mismatch :          0
        Certificate untrusted :          0        Cert chain too long :          0
    CRL counters:
              CRL load failed :          0       CRL signature failed :          0
                CRL not found :          0          CRL not yet valid :          0
                  CRL expired :          0
    SSL1/1#

 

Debugging

Tips and Caveats

The most common problem encountered is that the system time has not been set. The default clock on the system is January 1, 2000, which is earlier than the start of the validity period of any client certificate issued since then, so every client certificate is rejected as not yet valid even though the chain to the CA is fine.

In such situations the "Cert not yet valid" counter in "show ssl authentication-stat" goes up with each rejected connection (3 in the output above).

The remedy is to set the time on the system using "clock set" (the format is hh:mm:ss mm-dd-yy) and to keep it correct afterwards, since the validity period is checked against the device clock on every verification.

 

  SSL#clock set 18:00:00 06-06-07
  Real Time Clock is programmed
  SSL#
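The checks described under Required Certificates and in the clock caveat above, as an added worked example that is not part of the original article or of the ServerIron software: a small Go program that builds a throwaway CA in memory (standing in for whatever PKI produced level_0.pem and the client certificate), issues a client certificate from it, and then verifies that certificate the way the ServerIron must: chain it to the CA file and check its validity period against the device clock. The certificate names, the 2000-01-01 "factory default" clock value and the mapping of Go's verification errors onto the counter names from "show ssl authentication-stat" are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// signer is a certificate with its private key: a throwaway CA or a self-signed
// leaf, generated in memory for this example (not real material).
type signer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCert issues a certificate for cn, self-signed when parent is nil and otherwise
// signed by parent's key. Validity runs from one hour ago to 24 hours ahead of the
// real clock so the example stays valid whenever it is run. Key generation failures
// are fatal for a demo, so they panic.
func newCert(cn string, isCA bool, parent *signer) (*signer, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(now.UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA { // a CA needs keyCertSign; an empty EKU list lets it sign for any usage
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	}
	parentCert, parentKey := tmpl, key
	if parent != nil {
		parentCert, parentKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &signer{cert, key}, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// verifyClientCert does what "verify-client-cert ... require" asks of the ServerIron:
// chain the presented certificate to the CA file (ca-cert-file) and check its validity
// period against the device clock. The result is phrased as the counter from
// "show ssl authentication-stat" the outcome corresponds to (our mapping, assumed).
func verifyClientCert(clientPEM, caPEM []byte, deviceClock time.Time) string {
	block, _ := pem.Decode(clientPEM)
	if block == nil {
		return "Failure: no certificate presented"
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "Failure: " + err.Error()
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return "Failure: ca-cert-file holds no usable certificate"
	}
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: deviceClock, // the device checks against its own clock
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	var invalid x509.CertificateInvalidError
	var unknown x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "Success"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		// Go reports both ends of the validity window as Expired; split them as the counters do.
		if deviceClock.Before(cert.NotBefore) {
			return "Cert not yet valid"
		}
		return "Certificate expired"
	case errors.As(err, &unknown):
		// No chain to the CA file: a self-signed certificate, or one from a CA we do not have.
		if cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
			return "Self signed cert"
		}
		return "Issuer cert not found"
	}
	return "Failure: " + err.Error()
}

// runScenarios builds one CA, issues a client certificate from it, and verifies
// certificates under the conditions the page discusses: a correct clock, the
// 2000-01-01 default clock, a clock past expiry, a certificate from another CA,
// and a self-signed one.
func runScenarios() map[string]string {
	ca, caPEM := newCert("Example Client CA", true, nil) // plays the role of level_0.pem
	_, clientPEM := newCert("client1", false, ca)
	otherCA, _ := newCert("Other CA", true, nil)
	_, strayPEM := newCert("client2", false, otherCA)
	_, selfPEM := newCert("client3", false, nil)
	factoryDefault := time.Date(2000, 1, 1, 0, 0, 0, 0, time.UTC)
	return map[string]string{
		"clock correct":       verifyClientCert(clientPEM, caPEM, time.Now()),
		"clock at 2000-01-01": verifyClientCert(clientPEM, caPEM, factoryDefault),
		"clock past NotAfter": verifyClientCert(clientPEM, caPEM, time.Now().Add(48*time.Hour)),
		"issued by other CA":  verifyClientCert(strayPEM, caPEM, time.Now()),
		"self-signed":         verifyClientCert(selfPEM, caPEM, time.Now()),
	}
}

func main() {
	for scenario, result := range runScenarios() {
		fmt.Printf("%-20s -> %s\n", scenario, result)
	}
}
```

The "clock at 2000-01-01" case is the failure from the caveat above: the certificate chains to the CA perfectly well, and it is only the device clock that makes it "not yet valid". The "issued by other CA" case shows why the CA listed under ca-cert-file has to be the one that actually signed the client certificates; a client certificate from any other CA, however legitimate, is rejected.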

 
