ACE SSL Offload and Client Authentication

Akhtar Samo
Level 1

Hello,

We had a requirement from one of our customers that their client terminals (POS terminals) should be authenticated by the ACE, which is terminating the SSL connection. Backend connections to the server are clear text.

In a normal SSL flow the server sends its certificate to the client and the client verifies the identity of the server, but in our case we need the server/ACE to authenticate the client, or some form of mutual authentication should be there.

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/ssl/guide/terminat.html#wp1117637

As per the documentation we have configured the authgroup to enable the client authentication feature, but when we test the application it seems that only the front-end (client to ACE) connection gets established, not the back-end one.

We have verified that if client authentication is disabled the application works fine, but then the ACE only sends its certificate and the client is not authenticated.

crypto authgroup POS
  cert certfinal.pem

ssl-proxy service ssl-proxy
   key POS
   cert certfinal.pem
   authgroup POS
   ssl advanced-options POS

'certfinal.pem' is generated by combining the root certificate, the intermediate certificate (from the ACE CSR) and the key (generated on the ACE for the CSR).

On the client (POS terminal) they have uploaded the intermediate certificate (from the ACE CSR), because the client couldn't generate a CSR since it's a POS terminal.

Our scenario with client authentication is as given below:

(Server)---------------clear text----------------(ACE)-----------------SSL--------------------(POS Terminals/client)

Can you guide us on how to move ahead?

Regards,

Akhtar


gaursin2
Level 1

Hi,

During SSL client authentication, your POS terminals should send their client certificate to the ACE; the ACE will compare this certificate with the one configured in the authgroup. In your case, I guess at the ACE you are using the same set of certificates for both client and server authentication, and the client is not offering any client certificate.
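To see the mismatch the reply describes without touching the ACE, here is an added example (not from this thread and not Cisco code) that builds a throwaway CA and a client certificate with openssl and runs the same chain check an authgroup performs. The CA name, terminal name and "ace-vip.example.test" are constructed for the test.

```shell
#!/bin/sh
# Added example: emulate the ACE authgroup check with openssl.
# The authgroup cert plays the role of a trust anchor; a POS terminal is
# accepted only if the certificate it presents chains to that anchor.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed test PKI: a root CA standing in for the authgroup certificate.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=POS Root CA" -days 1 >/dev/null 2>&1

# A client certificate issued by that CA: what each POS terminal should hold.
# The key pair and CSR can be generated off the terminal when it cannot do so.
openssl req -newkey rsa:2048 -nodes -keyout pos1.key -out pos1.csr \
  -subj "/CN=pos-terminal-1" >/dev/null 2>&1
openssl x509 -req -in pos1.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out pos1.pem -days 1 >/dev/null 2>&1

# The ACE's own server certificate, self-signed here to stand in for the
# certificate from the ACE CSR that was loaded onto the terminal.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ace.key -out ace.pem \
  -subj "/CN=ace-vip.example.test" -days 1 >/dev/null 2>&1

# authgroup_accepts <trust anchor PEM> <presented client cert PEM>
# Prints 0 when the presented certificate chains to the anchor, 1 otherwise.
authgroup_accepts() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo 0
  else
    echo 1
  fi
}

# Terminal with a CA-issued client cert: accepted.
echo "pos1 vs authgroup CA: $(authgroup_accepts "$WORK/ca.pem" "$WORK/pos1.pem")"
# Terminal presenting the ACE's own server cert: rejected, it is not issued
# by the authgroup CA, which matches the failure seen in the thread.
echo "ace cert vs authgroup CA: $(authgroup_accepts "$WORK/ca.pem" "$WORK/ace.pem")"
```

The second check reproduces the posted setup: a certificate produced for the ACE's own CSR does not chain to the authgroup CA, so the terminal must present a client certificate issued by that CA instead.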
