ACE SSL Offload and Client Authentication
07-08-2012 11:43 PM
Hello,
We had a requirement from one of our customers that their client terminals (POS terminals) should be authenticated by the ACE, which is terminating the SSL connection. Backend connections to the server are clear text.
In a normal SSL flow the server sends its certificate to the client and the client verifies the identity of the server, but in our case we need the server/ACE to authenticate the client, or some form of mutual authentication should be there.
As per the documentation we have enabled the authgroup to enable the client authentication feature, but when we test the application it seems that only the front-end (client to ACE) connection gets established, not the back-end one.
We have verified that if client authentication is disabled the application works fine, but then the ACE sends its certificate and the client is not authenticated.
crypto authgroup POS
  cert certfinal.pem
ssl-proxy service ssl-proxy
  key POS
  cert certfinal.pem
  authgroup POS
  ssl advanced-options POS
'certfinal.pem' is generated from the combination of the root certificate, the intermediate certificate (from the ACE CSR) and the key (generated on the ACE) for the CSR.
On the client (POS terminal) they have uploaded the intermediate certificate (from the ACE CSR), because the client couldn't generate a CSR since it's a POS terminal.
Our scenario is as shown below, with client authentication:
(Server)---------------clear text----------------(ACE)-----------------SSL--------------------(POS Terminals/client)
Can you guide us on how to move ahead?
Regards,
Akhtar
Labels: Application Networking
07-10-2012 08:22 PM
Hi,
During SSL client authentication, your POS terminal should send its client certificate to the ACE; the ACE will compare this certificate with the one configured in the authgroup. In your case, I guess that at the ACE you are using the same set of certificates for both client and server authentication, and the client is not offering any client certificate.
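The check the reply describes, as an added Go example that is not ACE code or anything posted in this thread: a small CA stands in for the certificate loaded into the authgroup, and the three situations a terminal can be in (offers nothing, offers the ACE's own server certificate, offers a certificate issued to it for client authentication) are run through the same chain and key-usage validation an authgroup performs. All keys and certificates are constructed at run time, and the function names are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// mkCert builds a certificate signed by parent/parentKey (self-signed when parent is nil); a nil eku
// leaves the extended key usage open, as on a CA. All keys and certs are constructed for this example.
func mkCert(isCA bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), ExtKeyUsage: eku}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ClientAccepted is the check an authgroup applies to what the client presents in the handshake: a
// certificate must be offered, chain to a CA in the group, and be valid for client authentication.
func ClientAccepted(presented *x509.Certificate, authgroup ...*x509.Certificate) error {
	if presented == nil {
		return fmt.Errorf("client offered no certificate")
	}
	roots := x509.NewCertPool()
	for _, c := range authgroup {
		roots.AddCert(c)
	}
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	ca, caKey := mkCert(true, nil, nil, nil) // the CA certificate loaded into the authgroup
	pos, _ := mkCert(false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ca, caKey) // issued to the terminal
	ace, _ := mkCert(false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ca, caKey) // the ACE's own server cert
	fmt.Println("no certificate offered:    ", ClientAccepted(nil, ca)) // rejected
	fmt.Println("ACE server cert on the POS:", ClientAccepted(ace, ca)) // rejected: incompatible key usage
	fmt.Println("cert issued to the POS:    ", ClientAccepted(pos, ca)) // <nil>: accepted
}
```

Only the last case passes: a certificate copied from the ACE lacks both the client-authentication usage and, on the terminal, the matching private key, so the terminal has nothing it can present.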
