4.19. Implementing C3D Integration

4.19.1. What it is

The Client Certificate Constrained Delegation (C3D) feature enables the BIG-IP system to perform client authentication tasks when end-to-end encryption in a reverse proxy environment is required. Specifically, when a backend application requires client certificate (i.e., mutual TLS or “mTLS”) authentication, it is otherwise impossible to decrypt this traffic between the client and server, as an intermediary decrypting device would need to possess the client’s private key in order to satisfy key signing functions required in the mTLS operations. When the C3D feature is enabled for a virtual server, the BIG-IP system dynamically generates a client certificate on behalf of the client when receiving a certificate request message from the backend server. The C3D feature is designed to address the following security requirements:

  • Client certificate authentication

  • End-to-end encryption in a reverse proxy environment

  • Perfect Forward Secrecy (PFS)

  • Ability to validate the client certificate using the Online Certificate Status Protocol (OCSP)

Integration of Client Certificate Constrained Delegation (C3D) with SSL Orchestrator enables decryption and inspection of the content to detect malware. Previously, to integrate C3D with an inbound SSL Orchestrator topology, you had to manually create an iRule and add it to the Interception Rule configuration of the topology. Also, it was supported only for the Inbound Gateway mode. Now, for a deployed Inbound topology, the C3D SSL profiles are listed in the Protocol Settings section of the Interception Rules tab. You can replace the client and server SSL profiles created by SSL Orchestrator, with C3D SSL profiles in the Interception Rules tab to support C3D. The C3D support is now extended to both Gateway and Application modes.


4.19.2. How to build it

The first important steps in the integration process is to create the C3D-enabled client and server SSL profiles. This process is described in the following articles:

The latter reference is intended for C3D integrations prior to the BIG-IP 17.1.0 release, but includes expansive details on defining the C3D configuration, and additional iRule options to inject attributes into the locally-minted client certificates. In this case, all content is still relevant except for the iRule used to select SSL profiles.

Once the C3D-enabled client and server SSL profiles are created, perform the following operations to integrate with an inbound (application or gateway) topology.

  • Deploy an Inbound SSL Orchestrator topology.

  • On the Interception Rules page of the topology workflow, in the Protocol Settings section, remove the default SSL client and server profiles (created by SSL Orchestrator), and then add the C3D client and server SSL profiles from the list.

  • Click Deploy.