topic Re: ACE SSL offloading & Client certificate authentication in Application Networking

ACE SSL offloading & Client certificate authentication

sebastianvandijk — Wed, 09 May 2007 11:53:45 GMT

We have several webserver clusters secured with SSL and we use client certificate authentication.

Depending on the certificate, users have different rights.

At the moment we use microsoft NLB but we want to implement SSL offloading on the ACE. However, if we remove SSL from our webservers we can not use client certificate authentication anymore.

What solutions are possible to keep client certificate authentication ?

Is it possible to implement authentication on the ACE and send some header, which would include a user id to the webservers, or something like that ?

Regards,

Sebastian

Re: ACE SSL offloading & Client certificate authentication

sebastianvandijk — Mon, 18 Jun 2007 11:18:48 GMT

anybody ?

Re: ACE SSL offloading & Client certificate authentication

sebastianvandijk — Thu, 21 Jun 2007 09:41:01 GMT

i just found out cisco currently isnt support client authentication in SSL.

too bad, any view on when this functionality will be available ?

Re: ACE SSL offloading & Client certificate authentication

Gilles Dufour — Fri, 22 Jun 2007 11:21:52 GMT

this functionality will come with software version 2.0 which should come out in november.

Gilles.

Re: ACE SSL offloading & Client certificate authentication

sebastianvandijk — Tue, 27 Nov 2007 09:12:04 GMT

Hi Gilles,

Any update on when version 2 will be available ?

regards,

Sebastian

Re: ACE SSL offloading & Client certificate authentication

Gilles Dufour — Tue, 27 Nov 2007 12:41:50 GMT

actually my first message was incorrect.

The target is early 2008 for A2.0

Nov was for Ace appliance software on CCO. A1.7

Gilles.

Re: ACE SSL offloading & Client certificate authentication

sebastianvandijk — Tue, 27 Nov 2007 13:26:08 GMT

Hi Gilles,

that's a pitty, but we'll keep waiting.

Do you know where i can register for ACE software updates ?

Re: ACE SSL offloading & Client certificate authentication

sebastianvandijk — Tue, 18 Mar 2008 15:36:26 GMT

I just found out that version 2 is out, great !

However, although client certificate authentication is available, i can't find how to grab / pass the user id from the certificate to the webserver ?

Can this be done ? Or can't the certificate subject be used from within the ACE ?

regards,

Sebastian

Re: ACE SSL offloading & Client certificate authentication

Gilles Dufour — Tue, 18 Mar 2008 16:30:43 GMT

Unfortunately, extracting values from the cert and insert into the HTTP Header did not made it in ACE2.0.

Next big release 3.0 should have it.

Gilles.

Re: ACE SSL offloading & Client certificate authentication

sebastianvandijk — Tue, 12 Jan 2010 14:10:18 GMT

Hi Gilles,

I can't exactly determine if these features have been implemented yet ?

And if so, does an example configuration reside somewhere on the cisco site, or can you give a hint in the right direction ?

regards,

Sebastian

Re: ACE SSL offloading & Client certificate authentication

roubicekz — Sat, 13 Nov 2010 11:56:09 GMT

Looks like it has been implemented some time ago.

zdenek

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/ssl/guide/terminat.html#wp1169832

ACE SSL offloading & Client certificate authentication

Akhtar Samo — Tue, 03 Jul 2012 10:58:59 GMT

Hello Gilles,

We had a similar requirement from one of our customer that their client terminals (POS terminals) should be authenticated by the ACE which is terminating the SSL connection. Backend connections to the server is clear text.

Since in a normal SSL flow the server sends the certificate to the client and the client verifies the identity of the server but in our case we need server/ACE to authenticate the client or some form of mutual authentication should be there.

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/ssl/guide/terminat.html#wp1117637

As per the documentation we have enabled the authgroup to enable the client authentication feature, but when we are testing the application it seems that only the front end (client to ACE) connection gets established but not the back end.

We have verified that if client authentication is disabled the application works fine but the ACE sends it the certificate and the client is not authenticated.

crypto authgroup POS

cert certfinal.pem

ssl-proxy service ssl-proxy

key POS

cert certfinal.pem

authgroup POS

ssl advanced-options POS

Would appreciate if you can help us out in that.

Regards,

Akhtar

ACE SSL offloading & Client certificate authentication

cpomeroy — Tue, 03 Jul 2012 15:07:29 GMT

Akhtar,

When doing client authentication, the ACE will request a certificate from the client. This will be done in the SSL handshake. If the client does not send a certificate, the handshake will fail. If the Client does send a certficate, then the ACE will use the certificate in the auth group to autenticate the client certificate.

In your configuration, you are using cert certfinal.pem in the auth group. This appears to be the server certificate. If that is the case, then this will not work as it is highly unlikely that the certifcate

cert certfinal.pem was used to sign the client certifcates. The Authgroup should have the certificate that signed the client certs and not the server cert.

Typicall you would see a certificate chain that would look some thing like this

Root CA--signs the Intermediate CA---which signs the server or Client Certifcate.

Your authgroup should contain the the intermediate and root ca that signed the client certificate. Then those client certificates must be installed on the client.

ACE SSL offloading & Client certificate authentication

Akhtar Samo — Wed, 04 Jul 2012 06:50:03 GMT

As per the client the certfinal.pem is generated with the combination of root certificate, intermediate certificate (from ACE CSR) and key (generated on ACE) for CSR.

On client they have uploaded intermediate certificate (from ACE CSR) because the client couldn't generate the CSR since its a POS terminal.

Our scenario is like given below with client authentication

(Server)---------------clear text----------------(ACE)-----------------SSL--------------------(POS Terminals/client)

Can you guide us on how to move ahead ?

Regards,

Akhtar