Layer7 Access Management

Expand all | Collapse all

Protect Web Services Auth using certificate authentication

Jump to Best Answer
  • 1.  Protect Web Services Auth using certificate authentication

    Posted 03-12-2017 10:39 PM

    Hi All,

    I have couple of queries on protecting web services authentication  https://<hostname>:<port>/authazws/auth?wsdl using certificate based authentication scheme. 

     

    I have had few ideas from the old post but still have some queries and started this new thread. 

    Protecting SPS WebServices  Ujwol

     

    I am in a understanding that the SSL needs to be enabled in SPS Apache level to achieve the cert based auth. 

    I would like to get your thoughts to correct to understand better. 

     

    Below is how my setup is:

     

    • Couple of servers serving federation traffic
    • Enabled WebServiceAuth in the same same instance i.e. enabled the WebService in Server.conf and kept a viruathost config for webservice auth.
    • Different agent for FED traffic and Web Service Auth traffic
    • SSL is decrypted in Load balancer itself and end to end ssl is not enabled (Load balancer has the cert uploaded and decrypt the ssl) 

     

    In this scenario, how do we configure cert based auth to protect WebService based authentication traffic? 

    May be a basic question but I need your help to understand better. 

     

    Do you have any article which explain the basic about the certificate based auth scheme setup? I never tried it before so looking to get some hands on.... Any help? 



  • 2.  Re: Protect Web Services Auth using certificate authentication
    Best Answer

    Posted 03-12-2017 11:51 PM

    Hi Raam,

     

    So, you are saying SSL is terminated at LB and is not passed on to the Apache web server.

    In this case, I don't think you can use X.509 client certificate authentication scheme. As, your LB will not pass the certificate to the Apache.

     

    You should probably check your LB documentation if there is a provision to achieve this.

     

    Regards,

    Ujwol



  • 3.  Re: Protect Web Services Auth using certificate authentication

    Posted 03-13-2017 09:33 AM

    Yes.. I think we cannot achieve the cert based authentication here... Meanwhile, is there any article you can refer I shall go-through for generic cert based auth scheme setup? 



  • 4.  Re: Protect Web Services Auth using certificate authentication



  • 5.  Re: Protect Web Services Auth using certificate authentication

    Posted 03-17-2017 06:27 AM

    Ujwol.. I am checking LB documentation and it looks like LB can send the it as a header . 
    It means the LB will validate the certificate and decrypt the traffic. Optionally, you can have the LB add a number of request headers to the request detailing  elements of the validated client SSL certificate. The web tier could one or more of these to implement additional check... Int his case what are the steps required at SPS end to protect the authazws using certificate. 

     

    Here, the federation traffic is remains same and the assumption is ssl related header will be passed only to the web services requests. Can this be handled in SPS and configure cert based protection? 



  • 6.  Re: Protect Web Services Auth using certificate authentication

    Posted 03-20-2017 11:27 PM

    My thoughts on this is you can achieve TWO WAY SSL handshake (i.e. X509 Client Cert Authentication) over a HTTPS channel only.

     

    The discussion here is a design based one.

     

    In this case SSL (HTTPS) terminate at LB, which is a ONE WAY SSL Handshake. If we need to enable Client Cert Authentication i.e. TWO WAY SSL handshake then we'll need to implement this logic at LB, this would keep the TWO WAY SSL handshake simple and functional at a single Layer (i.e. LB). Once LB verifies the authenticity of the client using TWO WAY handshake, LB can then send the request downstream to CA AG on non https ports (in this case CA AG would have AuthAzWS as unprotected). In this approach, the onus of protecting the unprotected / non SSL AuthAzWS is taken over by the LB completely. You'll need to PoC this and make sure everything looks good.

     

    There is another good alternative. Multiple instance of CA AG can be installed on the same server. So we could leave the FED CA AG untouch as it, along with existing LB configurations. Build a new instance of CA AG on the same server for AuthAz. Here you can use SSL Termination on the new instance of CA AG. Which mean CA AG will also do the TWO WAY SSL handshake and protect the AuthAzWS using X509 Client Cert. This is an OOB Supported configuration, so you need not do a PoC.

     

    Regards

    Hubert



  • 7.  Re: Protect Web Services Auth using certificate authentication

    Posted 03-21-2017 12:30 AM

    I don't think the first approach will work. As to my knowledge I don't think LB can utilise client certificate authentication/protection logic on it's own. All it may be able to do is receive the client certificate, validate it and forward the certificate data to downstream (CA AG) as HTTP headers.

     

    Second approach of separating this out into two CA AG environment is more straight foward.



  • 8.  Re: Protect Web Services Auth using certificate authentication

    Posted 03-21-2017 09:23 AM

    Some LB's do support Client Authentication. CA's favorite LB does support it

     

    https://devcentral.f5.com/articles/ssl-profiles-part-8-client-authentication 

     

    Additionally it seems we could also separate TWO WAY SSL Handshake based off traffic.

     

    https://devcentral.f5.com/questions/create-custom-client-certificate-authentication-with-irule

     

    But again this approach has some level of unknown and that is a risk which needs to mitigated by running a thorough PoC.

     

    I'd still go for approach-2 i.e. using multiple instance of CA AG as that is OOB and CA tested.



  • 9.  Re: Protect Web Services Auth using certificate authentication

    Posted 03-22-2017 03:33 AM

    Thanks Hubert.. I will check this and comeback if any queries. 



  • 10.  Re: Protect Web Services Auth using certificate authentication

    Posted 03-22-2017 03:33 AM

    Thanks Ujwol