ACE CLIENT CERTIFICATE INSERTION IN HEADER

Hi guys.

I have a doubt regarding the client cert insertion in the https header.

The exact problem is that in the old SSL module we had an option like this:

policy http-header cert_pass

     client-cert pem

As you can see, we configure the option to pass the complete certificate in pem format in one header.

I'm unable to find this option in ACE 5.1(3).

Any idea?

Thanks!

6 Replies

Kanwaljeet Singh
Cisco Employee

Hi David,

What is the requirement here? Client authentication is supported on ACE, and when ACE is acting as a client in the SSL HANDSHAKE you can upload the client certificate on ACE for it to present to the server when demanded by the server during the SSL handshake. Please go to the link below and have a look at "Enabling client authentication".

http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/sslgd/terminat.html#wp1117637

Regards,

Kanwal

Hi Kanwal.

The ACE is not acting as a client. The ACE is doing SSL offload here.

We have a service configured that requires client authentication, so I configured an AUTHGROUP with some ROOT certs to authenticate the client certificate.

In the old SSL module I have configured the client authentication and:

policy http-header cert_pass

     client-cert pem

that sends the client certificate to the server in the HTTP header. As you can see, the whole cert is passed in PEM format, and I can't see the same command on ACE.

Hi David,

You can upload the certificate in PEM format. When you configure authgroup, you do that. Please visit section:

"Configuring a Group of Certificates for Authentication" in the same above link. You will see how to configure authgroup and associate certificate with it and then associating this authgroup to SSL proxy.

Regards,

Kanwal

I think I'm not explaining very well.

The Authgroup is clear. Only create it and associate the certs. This is client cert auth.

The last part is the problematic part: include the client cert in the HTTP header...

In old SSL module I could include whole cert. Can I in ACE?

Look:

Configuring HTTP Header Insertion

ssl-proxy(config-ctx-http-header-policy)# {prefix prefix_string | client-cert [pem]| client-ip-port | custom custom_string} | session | alias user-defined-name standard-name]

This is the problematic feature I don't see in ACE.

Hi David,

Maybe I didn't understand. Is this what you are looking for? You can find it in the same link.

Configuring HTTP Header Insertion of SSL Client Certificate Information

When you configure the ACE for client authentication, you can instruct the ACE to provide the server with information about the client certificate that the ACE receives from the client. This SSL session information enables the server to properly manage the client request and can include certificate information such as the certificate serial number or the public key algorithm used to create the public key in the certificate. To forward the SSL session information to the server, the ACE inserts HTTP headers containing the client certificate fields that you specify into the HTTP requests that it receives over the client connection. The ACE then forwards the HTTP requests to the server.

Note: To prevent HTTP header spoofing, the ACE deletes any incoming HTTP headers that match one of the headers that it is going to insert into the HTTP request.

When you instruct the ACE to insert SSL client certificate information, by default, the ACE inserts the HTTP header information into every HTTP request that it receives over the client connection because persistence rebalance is enabled by default. If you do not want the ACE to insert the information into every HTTP request that it receives over the connection, disable persistence rebalance in an HTTP parameter map. You can also instruct the ACE to insert the information into every HTTP request that it receives over the connection by creating an HTTP parameter map with the header modify per-request command enabled. You then reference the parameter map in the policy map that the ACE applies to the traffic. For information about creating an HTTP parameter map, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.

Note: You must have the ACE configured for client authentication to insert an HTTP header with SSL client certificate field information (see the "Enabling Client Authentication" section). If you configure header insertion but do not configure the ACE for client authentication, no header information is inserted and the counters that track the header insertion operation do not increment (see Chapter 6, "Displaying SSL Information and Statistics").

Regards,

Kanwal
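Two things in the quoted documentation are worth seeing in code: the anti-spoofing rule (an offload proxy must drop any client-supplied header whose name it is about to insert, otherwise a client can forge certificate attributes the backend trusts) and the original question of carrying a whole PEM certificate in a single header, which is really a line-folding problem because HTTP header values cannot contain CR or LF. The Python below is an added illustration written for this thread, not ACE or CSM code; the header names (`X-SSL-Client-Cert` and friends) and the folding convention (send the base64 body without its line breaks, re-wrap at 64 columns on the backend) are assumptions for the example, and the certificate body is a constructed placeholder, not a real certificate.

```python
"""Header-insertion hygiene for an SSL-offload proxy (added example, not ACE code)."""
import re
import textwrap
from typing import Dict, Iterable, List, Tuple

Header = Tuple[str, str]

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Header names this example proxy inserts. Anything arriving from the client under
# one of these names is dropped first (assumed names, chosen for the example).
INSERTED_HEADERS = ("X-SSL-Client-Cert", "X-SSL-Client-Serial", "X-SSL-Client-Subject")

# Constructed placeholder: valid base64 alphabet, not a real certificate.
SAMPLE_B64 = "QUJD" * 40  # 160 chars -> PEM lines of 64, 64, 32
SAMPLE_PEM = f"{PEM_BEGIN}\n" + "\n".join(textwrap.wrap(SAMPLE_B64, 64)) + f"\n{PEM_END}\n"


def pem_to_header_value(pem: str) -> str:
    """Fold a PEM CERTIFICATE block into one header-safe line.

    Only the base64 body is sent; the BEGIN/END markers and line breaks are
    dropped. The body is checked against the base64 alphabet so that nothing
    able to smuggle CR/LF or separators into the header value gets through.
    """
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError("not a PEM CERTIFICATE block")
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("PEM body is not base64")
    return body


def header_value_to_pem(value: str) -> str:
    """Backend side: re-wrap the base64 body at 64 columns and restore the markers."""
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        raise ValueError("header value is not a base64 certificate body")
    return f"{PEM_BEGIN}\n" + "\n".join(textwrap.wrap(value, 64)) + f"\n{PEM_END}\n"


def insert_client_cert_headers(
    request_headers: Iterable[Header], client_pem: str, fields: Dict[str, str]
) -> List[Header]:
    """Strip reserved header names from the client request, then append trusted values.

    Matching is case-insensitive and removes every duplicate, because HTTP header
    names are case-insensitive and a forger may send the same name several times.
    `fields` holds values the proxy derived from the certificate it actually
    validated in the TLS handshake (serial, subject, ...), keyed by header name.
    """
    unknown = set(fields) - set(INSERTED_HEADERS)
    if unknown:
        raise ValueError(f"fields not in the insertion set: {sorted(unknown)}")
    blocked = {name.lower() for name in INSERTED_HEADERS}
    kept = [(n, v) for n, v in request_headers if n.lower() not in blocked]
    kept.append(("X-SSL-Client-Cert", pem_to_header_value(client_pem)))
    kept.extend(fields.items())
    return kept


def demo() -> List[Header]:
    """Constructed request in which the client tries to forge its own serial number."""
    incoming = [
        ("Host", "app.example.internal"),
        ("x-ssl-client-serial", "0001"),   # forged, lowercase variant
        ("X-SSL-Client-Serial", "0001"),   # forged duplicate, different case
        ("Accept", "text/html"),
    ]
    trusted = {"X-SSL-Client-Serial": "5E2B", "X-SSL-Client-Subject": "CN=david,O=Example"}
    return insert_client_cert_headers(incoming, SAMPLE_PEM, trusted)


if __name__ == "__main__":
    for name, value in demo():
        print(f"{name}: {value}")
```

The backend should treat these headers as trustworthy only on the listener that is reachable exclusively through the offloading proxy; on any path where clients can reach the server directly, the same stripping has to happen there too.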
