03-03-2014 04:04 AM
Hi guys.
I have a doubt regarding the client cert insertion in the https header.
The exact problem is that in the old SSL module we had an option like this:
policy http-header cert_pass
client-cert pem
As you can see, we configure the option to pass the complete certificate in pem format in one header.
I'm unable to find this option in ACE 5.1(3) version.
Any idea?
Thanks!
03-03-2014 07:33 AM
Hi David,
What is the requirement here? Client authentication is supported on ACE, and when ACE is acting as a client in the SSL handshake you can upload the client certificate on ACE for it to present to the server when demanded by the server during the SSL handshake. Please go to the below link and have a look at "Enabling client authentication".
Regards,
Kanwal
03-03-2014 08:07 AM
Hi Kanwal.
The ACE is not acting as a client. The ACE is doing SSL offload here.
We have a service configured that requires client authentication, so I configured an AUTHGROUP with some ROOT certs to auth the client certificate.
In the old SSL module I have configured the client authentication and:
policy http-header cert_pass
client-cert pem
that sends the client certificate to the server in the HTTP header. As you can see, the whole cert is passed in PEM format, and I can't see the same command on ACE.
03-03-2014 08:18 AM
Hi David,
You can upload the certificate in PEM format. When you configure authgroup, you do that. Please visit section:
"Configuring a Group of Certificates for Authentication" in the same above link. You will see how to configure authgroup and associate certificate with it and then associating this authgroup to SSL proxy.
Regards,
Kanwal
03-03-2014 08:36 AM
I think I'm not explaining very well.
The Authgroup is clear. Only create it and associate the certs. This is client cert auth.
The last part is the problematic part: include the client cert in the HTTP header.....
In old SSL module I could include whole cert. Can I in ACE?
03-03-2014 08:41 AM
Look:
ssl-proxy(config-ctx-http-header-policy)# {prefix prefix_string | client-cert [pem]| client-ip-port | custom custom_string} | session | alias user-defined-name standard-name]
This is the problematic feature I don't see in ACE.
03-03-2014 08:42 AM
Hi David,
Maybe I didn't understand. Is this what you are looking for? You can find it in the same link.
Configuring HTTP Header Insertion of SSL Client Certificate Information
When you configure the ACE for client authentication, you can instruct the ACE to provide the server with information about the client certificate that the ACE receives from the client. This SSL session information enables the server to properly manage the client request and can include certificate information such as the certificate serial number or the public key algorithm used to create the public key in the certificate. To forward the SSL session information to the server, the ACE inserts HTTP headers containing the client certificate fields that you specify into the HTTP requests that it receives over the client connection. The ACE then forwards the HTTP requests to the server.
Note To prevent HTTP header spoofing, the ACE deletes any incoming HTTP headers that match one of the headers that it is going to insert into the HTTP request.
When you instruct the ACE to insert SSL client certificate information, by default, the ACE inserts the HTTP header information into every HTTP request that it receives over the client connection because persistence rebalance is enabled by default. If you do not want the ACE to insert the information into every HTTP request that it receives over the connection, disable persistence rebalance in an HTTP parameter map. You can also instruct the ACE to insert the information into every HTTP request that it receives over the connection by creating an HTTP parameter map with the header modify per-request command enabled. You then reference the parameter map in the policy map that the ACE applies to the traffic. For information about creating an HTTP parameter map, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.
Note You must have the ACE configured for client authentication to insert an HTTP header with SSL client certificate field information (see the "Enabling Client Authentication" section). If you configure header insertion but do not configure the ACE for client authentication, no header information is inserted and the counters that track the header insertion operation do not increment (see Chapter 6, "Displaying SSL Information and Statistics").
Regards,
Kanwal
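The quoted documentation makes two points worth seeing in working form: the offloader passes client certificate data to the server as HTTP headers, and it deletes any incoming header with the same name so a client cannot spoof one. The block below is an added example written for this thread; it is not Cisco ACE code and does not reproduce ACE syntax. It models the offloader's replace-then-insert step and the matching backend-side rule (trust those headers only when the request arrived from the offloader), and it also shows the flattening David's old `client-cert pem` option implied, since a multi-line PEM block has to become a single header value. The header names, the offloader address 10.0.0.5 and the sample PEM blob are all constructed assumptions.

```python
"""Model of offloader-inserted client certificate headers (added example,
not Cisco ACE code). Header names, addresses and the PEM blob are constructed."""
import base64
import textwrap
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]

# Headers the offloader owns. Hypothetical names; real ACE field names differ.
INSERTED_HEADERS = ("X-Client-Cert-Serial", "X-Client-Cert-Subject", "X-Client-Cert-PEM")

# Address from which the backend accepts those headers (constructed sample value).
TRUSTED_OFFLOADER_ADDRS = frozenset({"10.0.0.5"})


def pem_to_header_value(pem: str) -> str:
    """Collapse a PEM block to one line so it fits a single header value:
    drop the BEGIN/END armour lines and join the base64 body."""
    body = [ln.strip() for ln in pem.strip().splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return "".join(body)


def header_value_to_der(value: str) -> bytes:
    """Backend side: recover the DER bytes from the flattened header value."""
    return base64.b64decode(value, validate=True)


def offloader_insert(request_headers: List[Header], cert_fields: Dict[str, str]) -> List[Header]:
    """Offloader behaviour: drop every incoming header whose name matches one we
    insert (case-insensitive, so a lowercased forgery is caught too), then append
    the values taken from the certificate the offloader actually verified."""
    drop = {name.lower() for name in INSERTED_HEADERS}
    kept = [(n, v) for n, v in request_headers if n.lower() not in drop]
    for name in INSERTED_HEADERS:
        if name in cert_fields:
            kept.append((name, cert_fields[name]))
    return kept


def backend_client_identity(peer_addr: str, headers: List[Header]) -> Optional[Dict[str, str]]:
    """Backend behaviour: return the certificate fields only if the request came
    from the trusted offloader and each field appears exactly once; otherwise
    None, i.e. treat the request as carrying no client identity."""
    if peer_addr not in TRUSTED_OFFLOADER_ADDRS:
        return None
    found: Dict[str, str] = {}
    for n, v in headers:
        for want in INSERTED_HEADERS:
            if n.lower() == want.lower():
                if want in found:          # duplicate header: ambiguous, refuse
                    return None
                found[want] = v
    return found if "X-Client-Cert-Serial" in found else None


# Constructed sample: a base64 blob in PEM armour, NOT a real certificate.
SAMPLE_DER = b"constructed sample, not a real certificate" * 3
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_DER).decode(), 64))
              + "\n-----END CERTIFICATE-----\n")


def demo() -> Dict[str, str]:
    """Client sends a forged serial header; the offloader replaces it with the
    verified value and the backend accepts the result from the offloader only."""
    forged_request = [("Host", "app.example.test"), ("x-client-cert-serial", "FORGED")]
    verified_fields = {
        "X-Client-Cert-Serial": "0A1B2C",
        "X-Client-Cert-Subject": "CN=alice",
        "X-Client-Cert-PEM": pem_to_header_value(SAMPLE_PEM),
    }
    to_server = offloader_insert(forged_request, verified_fields)
    assert backend_client_identity("192.0.2.9", forged_request) is None  # direct, untrusted peer
    identity = backend_client_identity("10.0.0.5", to_server)
    assert identity is not None and header_value_to_der(identity["X-Client-Cert-PEM"]) == SAMPLE_DER
    return identity


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value[:40]}")
```

The backend check is the half the documentation's note cannot do for you: the offloader strips spoofed copies on the client-facing side, but a request that reaches the server without passing through the offloader still arrives with whatever headers its sender chose, so the server has to tie its trust in those headers to the offloader's address (or a dedicated listener the offloader alone can reach).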