CSS Loadbalance connections that require a client certificate

Answered Question
Sep 17th, 2008

We have a requirement to deploy a web services application that uses client certificates to authenticate users when connecting to the web site. The CSS is configured to load balance the SSL connection and forward the connection using backend ssl to a web server running IIS.

How will the CSS handle the forwarding of client certificates to the IIS server? Are there any known problems with this type of setup?

Many thanks

Syed Iftekhar Ahmed Wed, 09/17/2008 - 16:16

CSS acts as SSL client for the SSL Server. If the SSL server requires the client certs then you need to import client certs & RSA key pair on CSS and configure the SSL service using

backend-server rsacert

backend-server rsakey

commands.

More details at

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/configuration/ssl/guide/initiate.html#wp1010802

Syed Iftekhar Ahmed

davidbuit Wed, 09/17/2008 - 16:52

Does that mean that the connection is only verified from the CSS to the SSL server and not from the client to the SSL server or do you need the client certificate on the end user client and the CSS? Or does it mean that anyone connecting to the CSS using SSL will be allowed to connect to the SSL web site as long as the CSS can authenticate with the SSL server?

I am just trying to understand how the end user can be authenticated using certificates if the CSS is acting as the client.

Many thanks

Syed Iftekhar Ahmed Wed, 09/17/2008 - 17:07

Since you are using end-to-end SSL, there are two SSL sessions.

The first session will be the client hitting the VIPs (listening on 443). Here you will be offloading SSL requests (using SSL server certificates & keys).

Once the request is decrypted, CSS will make the load-balancing decision and will select a real server from the available servers in the server farm.

If you want CSS to do the client authentication then you need to enable client authentication on CSS. Please look for the "client authentication" section in the link I provided.

Once the server is selected, the second session will be from CSS to the selected real server (listening on a secure port again). If this server requires a client certificate to establish a connection then you need to send the client certs in the requests to this real server.

HTH

Syed Iftekhar Ahmed

davidbuit Wed, 09/17/2008 - 18:07

That info is great thanks! I may only use client authentication up to the CSS and then just plain SSL on the backend. Do you know if it is possible to use self signed certs for the client authentication on the CSS or do they need to be valid certs checked against a CRL?

Correct Answer
Syed Iftekhar Ahmed Wed, 09/17/2008 - 22:43

You can locally create the root & client certs. You will need to import the root certificate file on to the CSS and associate it as your CA cert. The client cert will need to be installed on your workstation.

Syed
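The locally created root and client certificates described in the answer above, sketched with OpenSSL as an added example (not part of the original thread and not Cisco's own procedure). Subject names, lifetimes, file names and the PKCS#12 password are placeholders; importing `root.pem` on the CSS uses the CSS's own commands, which are not shown here.

```shell
#!/usr/bin/env bash
# Added example: lab-only PKI. All names, lifetimes and the password are placeholders.
set -e

make_lab_pki() {                      # $1 = output directory
    d=$1; mkdir -p "$d"
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = Example Lab Root CA
[v3_ca]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # Root CA: root.pem is the file to import on the CSS and associate as the CA cert.
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    # Client key and CSR (-subj overrides the CA name taken from the config).
    openssl req -new -config "$d/ca.cnf" -subj "/CN=example-user" -newkey rsa:2048 \
        -nodes -sha256 -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    # Sign the CSR with the root; restrict the cert to TLS client authentication.
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature' \
        'extendedKeyUsage=clientAuth' > "$d/client.ext"
    openssl x509 -req -in "$d/client.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -sha256 -days 90 -extfile "$d/client.ext" \
        -out "$d/client.pem" 2>/dev/null
    # PKCS#12 bundle (cert + key) for import into the workstation's certificate store.
    openssl pkcs12 -export -inkey "$d/client.key" -in "$d/client.pem" \
        -name example-user -passout pass:changeit -out "$d/client.p12"
}

chains_to_root() {                    # $1 = CA file, $2 = certificate to check
    openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

workdir=$(mktemp -d)
make_lab_pki "$workdir"
if chains_to_root "$workdir/root.pem" "$workdir/client.pem"; then
    echo "client.pem chains to the lab root in $workdir"
fi
```

The root's private key (`root.key`) stays off the CSS and the workstation: only `root.pem` goes to the CSS, and only `client.p12` goes to the workstation.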
