Lab 1: Implement C3D with APM Enhancements

Expected time to complete: 1 hour

Task 1 - Setup Lab Environment

To access your dedicated student lab environment, you will need a web browser and Remote Desktop Protocol (RDP) client software. The web browser will be used to access the Unified Demo Framework (UDF) Training Portal. The RDP client will be used to connect to the jumphost, where you will be able to access the BIG-IP management interfaces (HTTPS, SSH).

  1. Click DEPLOYMENT located on the top left corner to display the environment

  2. Click ACCESS next to jumpbox.f5lab.local

    image090

  3. Select your RDP resolution.

  4. The RDP client on your local host establishes an RDP connection to the Jump Host.

  5. Login with the following credentials:
    • User: f5lab\user1
    • Password: user1
  6. After a successful logon, the Chrome browser launches automatically and opens the site https://portal.f5lab.local. This usually takes about 30 seconds after logon.

    image091

  7. Click the Classes tab at the top of the page.

  8. Scroll down the page until you see 302 Ephemeral Authentication on the left

    image087

  9. Hover over the tile Implement C3D with APM Enhancements. A start and stop icon should appear within the tile. Click the Play Button to start the automation that builds the environment.

    image088

  10. The screen should refresh and display the progress of the automation within 30 seconds. Scroll to the bottom of the automation workflow to ensure all requests succeeded. If you experience errors, try running the automation a second time or open an issue on the Access Labs Repo.

    image089

Task 2 - Create an Active Directory AAA Object

The first step in deploying CertSSO is creating the objects required for the user to authenticate to APM. In this lab, the user authenticates via Active Directory plus a simulated MFA via RADIUS. The user's authentication method to APM is independent of how the BIG-IP authenticates the user to the backend server for Single Sign-On. This allows an organization to choose a front-end authentication scheme that matches its needs, such as SAML, OAuth, or another method.

  1. Navigate to Access >> Authentication >> Active Directory, then click the + (plus symbol) to create a new AAA object

    image001

  2. Enter the following information for the AD Authentication Object

    • Name: ad_servers
    • Domain Name: f5lab.local
    • Domain Controller Pool Name: ad_pool
    • Domain Controller IP address: 10.1.20.7
    • Domain Controller Hostname: dc1.f5lab.local
    • Admin name: admin
    • Admin Password: admin

    image002

  3. Click Finished

Task 3 - Create a RADIUS AAA Object

  1. Navigate to Access >> Authentication >> RADIUS, then click the + (plus symbol) to create a new AAA object

    image003

  2. Enter the following information for the RADIUS Authentication Object

    • Name: radius_servers
    • Server Pool Name: radius_pool
    • Server Addresses: 10.1.20.8
    • Secret password: secret

    image004

  3. Click Finished

Task 4 - Create the cert_sso Access Profile

In this section, you will create the APM Access Profile.

  1. Navigate to Access >> Profiles/Policies >> Access Profiles (Per-Session Policies), then click the + (plus symbol) to create a new Access Profile

    image005

  2. Enter the Name cert_sso

  3. Select the profile Type All from the dropdown

    image006

  4. Scroll to the bottom of the profile settings to set the default language to English

  5. Click Finished

    image007

Task 5 - Create the Access Policy

In this section, you edit the policy using the Visual Policy Editor so that users log in via AD+MFA and are then transitioned to CertSSO.

  1. On the cert_sso profile line click edit under Per-Session Policy

    image008

  2. Click the + (plus symbol) on the fallback branch between the Start and Deny boxes

    image009

  3. Click the Logon Tab

  4. Select Logon Page

  5. Click Add Item

    image011

  6. Add an additional field to the logon page by selecting password from the Type dropdown (line 3)

  7. Enter OTP for Post Variable Name

  8. Enter OTP for Session Variable Name

  9. Enter OTP for Logon Page Input Field #3

  10. Click Save

    image012

  11. Click the + (plus symbol) on the fallback branch between the Logon Page and Deny boxes

    image013

  12. Click the Authentication tab

  13. Select RADIUS Auth

  14. Click Add Item

    image014

  15. Select radius_servers from the AAA Server dropdown box

  16. Change the password source to %{session.logon.last.OTP}

  17. Click Save

    image015

  18. Click the + (plus symbol) on the Successful branch between the RADIUS Auth and Deny boxes

    image016

  19. In the Authentication tab, select AD Auth

  20. Click Add Item

    image017

  21. Select ad_servers from the Server dropdown box

  22. Click Save

    image018

  23. Click the + (plus symbol) on the Successful branch between the AD Auth and Deny boxes

  24. Click Add Item

    image010

  25. In the Assignment tab, select Variable Assign

  26. Click Add Item

    image019

  27. Click Add new entry

    image036

  28. Click change

    image037

  29. Enter session.ssl.cert.whole in the custom variable field

    image038

  30. Locate the F5CertSSO.f5lab.local.txt file in the C:\access-labs\class3\module2\student_files directory.

    image039

  31. Open the file with notepad++ and copy the contents of the file

    image040

  32. Return to the Visual Policy Editor and paste the certificate into the custom expression field

  33. Click Finished

    image041

  34. Click Save

    image042

  35. Click the Deny ending icon located on the fallback branch of the Variable Assign agent

    image020

  36. Click Allow

  37. Click Save

    image021

  38. Click Apply Access Policy located in the top left corner to commit the policy changes

Task 6 - Create a Client SSL Profile

  1. Navigate to Local Traffic >> Profiles >> SSL >> Client, then click the + (plus symbol) to create a new SSL Profile

    image023

  2. Enter the name client_certsso

  3. Check the custom box to the right of Certificate Key Chain

  4. Click add

    image024

  5. Select acme.com-wildcard from the certificate dropdown box

  6. Select acme.com-wildcard from the key dropdown box

  7. Click Add

    image025

  8. Check the custom box to the right of Client Certificate Constrained Delegation

  9. Select Enabled from the Client Certificate Constrained Delegation dropdown box

  10. Click Finished

    image026

  11. Click Finished

Task 7 - Create a Server SSL Profile

  1. Navigate to Local Traffic >> Profiles >> SSL >> Server, then click the + (plus symbol) to create a new SSL Profile

    image027

  2. Enter server_certsso for profile name

  3. Change the Configuration from Basic to Advanced via the dropdown box.

  4. Check the two custom boxes next to Certificate and Key

  5. Select F5CertSSO.f5lab.local from the certificate dropdown box

  6. Select F5CertSSO.f5lab.local from the key dropdown box

  7. Check the custom box for Servername.

  8. Enter the name mtls.acme.com

    image028

  9. Check the custom box next to Client Certificate Constrained Delegation

  10. Select Enabled from the Client Certificate Constrained Delegation dropdown box

  11. Select F5SubCA.f5lab.local from the CA Certificate dropdown box

  12. Select F5SubCA.f5lab.local from the CA Key dropdown box

  13. Click Finished

    image029

Task 8 - Create the Pool

In this section, you create a pool containing the IP address of the CentOS server that hosts the website requiring mTLS.

  1. Navigate to Local Traffic >> Pools >> Pool List, then click the + (plus symbol) to create a new Pool

    image030

  2. Enter mtls_pool for the Pool Name

  3. Select https from the list of available monitors

  4. Enter 10.1.20.9 for the member address

  5. Enter 443 for the member port

  6. Click add

  7. Click Finished

    image031

Task 9 - Create a Virtual Server

  1. Navigate to Local Traffic >> Virtual Servers >> Virtual Server List, then click the + (plus symbol) to create a new Virtual Server

    image032

  2. Enter mtls_vs for the Name

  3. Enter 10.1.10.105 for the Destination Address/Mask

  4. Enter 443 for the Service Port

  5. Select http for HTTP Profile (Client)

  6. Select client_certsso from the SSL Profile (Client) List

    image033

  7. Select server_certsso from the SSL Profile (Server) List

  8. Select Auto Map from the Source Address Translation dropdown box

  9. Select cert_sso from the Access Profile dropdown box

    image034

  10. Select the iRule Cert_SSO

  11. Select mtls_pool for the Default Pool

  12. Click Finished

Note

The following iRule must be used when inserting custom extensions using C3D.

   when SERVERSSL_CLIENTHELLO_SEND {
      # Read the logon name and the AD domain the user authenticated against
      set username [ACCESS::session data get "session.logon.last.username"]
      set domain [ACCESS::session data get "session.ad.last.actualdomain"]
      # Add the custom extension (OID 1.1.1.1) to the certificate C3D mints for the server side
      SSL::c3d extension 1.1.1.1 "Minted Extension=$username@$domain"
   }

image035

Task 10 - Test CertSSO

In this section, you will test access to an NGINX website requiring mTLS.

  1. From the jumpbox’s web browser, access https://mtls.acme.com

  2. Use the following credentials:
    • Username: user1
    • Password: user1
    • OTP: 123456

    image044

  3. You will be logged into the site as User1.

    Note

    The contents of the certificate used for logging into the website came from the CertSSO certificate copied into the Per-Session Policy. The attached iRule inserted the custom extension 1.1.1.1 with the value of the user's logon name. Notice that the Subject Name is CertSSO, the Subject Alternative Name is empty, and the custom extension is user1@f5lab.local.

    • Cert Subject: f5certsso
    • Subject Alt: <empty>
    • Custom Ext: user1@f5lab.local

    image045

  4. Open a new incognito browser window so you can test access to https://mtls.acme.com with different user credentials.

    image048

  5. Use the following credentials:
    • Username: user2
    • Password: user2
    • OTP: 123456

    image050

  6. You will be logged into the site as user2@f5lab.local

    Note

    Notice that user2's Cert Subject is the same as for User1, but the custom extension value is different (now user2@f5lab.local).

    • Cert Subject: f5certsso
    • Subject Alt: <empty>
    • Custom Ext: user2@f5lab.local

    image051
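The checks in the two notes above (subject, SAN and the custom extension 1.1.1.1) can be reproduced outside BIG-IP. The script below is an added example, not part of the lab and not BIG-IP or F5 code: it uses openssl to stand in for C3D minting with F5SubCA (a self-signed stand-in CA created here), encodes the extension value as a UTF8String (an assumption; the lab does not state C3D's encoding), and shows the check the mTLS backend should apply: the certificate must chain to F5SubCA and carry the expected extension value, and a certificate minted by any other CA must be rejected.

```shell
#!/bin/sh
# Added example (not lab or BIG-IP code): emulate C3D minting with openssl and
# verify the result the way the mTLS backend should.
# Assumptions: "subca" stands in for F5SubCA.f5lab.local; extension 1.1.1.1 is
# encoded as a UTF8String (the lab does not state how C3D encodes it).
set -e
work=$(mktemp -d)
cd "$work"

# Stand-in for F5SubCA.f5lab.local, the CA configured in the server SSL profile.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=F5SubCA.f5lab.local" -keyout subca.key -out subca.crt 2>/dev/null

# A second CA that is NOT configured in the server SSL profile (negative test).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=Other CA" -keyout other.key -out other.crt 2>/dev/null

# mint_cert CN EXT_VALUE [CA]: mint a short-lived client cert the way C3D does per
# connection: subject CN, custom extension 1.1.1.1 = user@domain, signed by CA.
# Output file: CN-CA.crt
mint_cert() {
  cn="$1"; ext="$2"; ca="${3:-subca}"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$cn.key" -out "$cn.csr" 2>/dev/null
  printf '1.1.1.1=ASN1:UTF8String:%s\nextendedKeyUsage=clientAuth\n' "$ext" > "$cn.ext"
  openssl x509 -req -in "$cn.csr" -CA "$ca.crt" -CAkey "$ca.key" -CAcreateserial \
    -days 1 -sha256 -extfile "$cn.ext" -out "$cn-$ca.crt" 2>/dev/null
}

# verify_cert FILE EXPECTED_EXT: the backend's check. Succeeds only if the cert
# chains to F5SubCA AND the 1.1.1.1 extension carries the expected user; a cert
# from another CA, or one whose extension value differs, is rejected.
verify_cert() {
  openssl verify -CAfile subca.crt "$1" >/dev/null 2>&1 || return 1
  # openssl prints an unknown extension's value as printable text on the line
  # following its OID, so the user@domain string is directly greppable.
  openssl x509 -in "$1" -noout -text | grep -A1 '1\.1\.1\.1:' | grep -Fq "$2"
}

# Demonstration: user1 minted by F5SubCA passes; the same user minted by the
# other CA fails, as does a mismatched extension value.
mint_cert user1 user1@f5lab.local
mint_cert user2 user2@f5lab.local other
verify_cert user1-subca.crt user1@f5lab.local && echo "user1: accepted"
verify_cert user2-other.crt user2@f5lab.local || echo "user2 (other CA): rejected"
```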

Task 11 - Create an HTTP Connector Transport

  1. Navigate to Access >> Authentication >> HTTP Connector >> HTTP Connector Transport and click the + (plus symbol)

    image054

  2. Enter Name demo-http-connector

  3. Select internal-dns-resolver from the DNS Resolver dropdown

  4. Select apiadmin-serverssl from the Server SSL Profile

  5. Click Save

    image055

Task 12 - Create a HTTP Connector Request

  1. Navigate to Access >> Authentication >> HTTP Connector >> HTTP Connector Request and click the + (plus symbol)

    image056

  2. Enter name get-cert

  3. Select demo-http-connector from the dropdown

  4. Enter URL https://adapi.f5lab.local:8443/user/cert?username=%{perflow.username}

  5. Enter GET for the Method

  6. Select Parse for the Response Action

  7. Click Save

    image057

Task 13 - Create a Per-Request Policy

  1. Navigate to Access >> Profiles/Policies >> Per-Request Policies and click the + (plus symbol)

    image058

  2. Enter the name certsso_prp

  3. Select the Language English

  4. Click Finished

    image059

  5. Click edit under Per-Request Policy

    image060

  6. Click Add New Subroutine

    image061

  7. Enter the name Request Cert

  8. Click Save

    image062

  9. Expand the subroutine by clicking the + (plus symbol)

    image063

  10. Click the + (plus symbol) on the fallback branch.

    image064

  11. Click the General Purpose tab

  12. Select HTTP Connector

  13. Click Add Item

    image065

  14. Select get-cert from the dropdown

    image066

  15. Click Edit Terminals

    image067

  16. Click Add Terminal

    image068

  17. Change the name for the default branch to Fail

  18. Change the default branch text to Red

  19. Enter the name Success for the new branch

  20. Change the color of the new branch to Green

    image069

  21. Click the Fail terminal at the end of the Successful branch

    image070

  22. Select the Success terminal

  23. Click Save

    image071

  24. Click the + (plus symbol) on the successful branch

    image072

  25. Click the Assignment tab

  26. Select Variable Assign

  27. Click Add Item

    image073

  28. Click Add new entry

  29. Click change

    image074

  30. Enter session.ssl.cert.whole for the Custom Variable

  31. Select Session Variable from the dropdown

  32. Enter subsession.http_connector.body.certificate for the Session Variable

  33. Click Finished

    image075

  34. Click Save

    image076

  35. Click the + (plus symbol) located between Start and Allow in the policy

    image077

  36. Click the Subroutines tab

  37. Select the Request Cert subroutine

  38. Click Add Item

    image078

  39. Click the + (plus symbol) on the success branch of Request Cert

    image079

  40. Click the General Purpose tab

  41. Select iRule Event

  42. Click Add Item

Note

This iRule event triggers the code from the previously attached iRule. This iRule must be used when inserting a certificate using C3D in a per-request policy.

   when ACCESS_PER_REQUEST_AGENT_EVENT {
      # The per-request policy stored the PEM certificate returned by the HTTP Connector here
      set cert [ACCESS::session data get {session.ssl.cert.whole}]
      log local0. "My cert: $cert"
      # Hand the certificate to C3D as DER so it is used for the server-side mTLS handshake
      SSL::c3d cert [X509::pem2der $cert]
   }

    image080

  43. Enter lab for the ID

  44. Click Save

    image081

Task 14 - Attach the PRP to the mTLS Virtual Server

  1. Navigate to Local Traffic >> Virtual Servers. Click Virtual Server List

    image082

  2. Click mtls_vs

    image083

  3. Navigate to the Access Policy section and select certsso_prp from the Per-Request Policy dropdown

  4. Click Update

    image084

Task 15 - Access mtls.acme.com with Dynamic Certificate

  1. From the web browser on the jumphost, access https://mtls.acme.com

  2. Use the following credentials:
    • Username: user1
    • Password: user1
    • OTP: 123456

    image044

  3. You will be logged into the site as user1@f5lab.local

    Note

    The contents of the certificate used for logging into the website came from the certificate retrieved from Active Directory via the HTTP Connector. The iRule continues to insert the custom extension 1.1.1.1 with the value containing the user's logon name. Notice that the Subject Name is user1, the Subject Alternative Name is user1@f5lab.local, and the custom extension is user1@f5lab.local.

    • Cert Subject: user1
    • Subject Alt: user1@f5lab.local
    • Custom Ext: user1@f5lab.local

    image085

  4. Open a new incognito browser window so you can test access to mtls.acme.com with different user credentials.

    image048

  5. Use the following credentials:

    • Username: user1
    • Password: user1
    • OTP: 123456

    image050

  6. You will be logged into the site as user2@f5lab.local

    Note

    Notice that user2's Cert Subject is now user2 and the Subject Alternative Name is user2@f5lab.local. The iRule continues to insert the custom extension.

    • Subject: user2
    • Subject Alt: user2@f5lab.local
    • Custom Ext: user2@f5lab.local

    image086

This concludes our lab on APM C3D Enhancements.

image000