Hello,

We had a requirement from one of our customer that their client terminals (POS terminals) should be authenticated by the ACE which is terminating the SSL connection. Backend connections to the server is clear text.

Since in a normal SSL flow the server sends the certificate to the client and the client verifies the identity of the server but in our case we need server/ACE to authenticate the client or some form of mutual authentication should be there.

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/ssl/guide/terminat.html#wp1117637

As per the documentation we have enabled the authgroup to enable the client authentication feature, but when we are testing the application it seems that only the front end (client to ACE) connection gets established but not the back end.

We have verified that if client authentication is disabled the application works fine but the ACE sends it the certificate and the client is not authenticated.

crypto authgroup POS

cert certfinal.pem

ssl-proxy service ssl-proxy

   key POS

   cert certfinal.pem

   authgroup POS

   ssl advanced-options POS

'certfinal.pem' is generated with the combination of root certificate,  intermediate certificate (from ACE CSR) and key (generated on ACE) for CSR.

On client(POS terminal) they have uploaded intermediate certificate (from ACE CSR) because the client couldn't generate the CSR since its a POS terminal.

Our scenario is like given below with client authentication

(Server)---------------clear text----------------(ACE)-----------------SSL--------------------(POS Terminals/client)

Can you guide us on how to move ahead.

Regards,

Akhtar