Enable Client Certificate on Specific Load Balancer Behind a Content Switch

Enable Client Certificate on Specific Load Balancer Behind a Content Switch

book

Article ID: CTX221720

calendar_today

Updated On:

Description

This article describes how to enable Client Certificate on specific load balancer behind a Content Switch.

Background

User is looking to consolidate all of their web apps and resources behind single Public IP Content Switch.

Some of their Web Apps have Client Certificate authentication, but not all. When enabling Client Authentication on an load balancing vServer, behind a Content Switch, this requirement is ignored by the Content Switch. If you enabled it on the Content Switch, it requires a certificate for all target LBs, not just the specific ones.

To achieve this, we need to configure an SSL Profile and Action, along with some SSL Profiles.

Instructions

First, configure an SSL Policy and Action to only apply when connecting to a specific target LB.

Under Traffic Management -> SSL -> Policies and Actions, click Add

Name the Action and Select ENABLED for Client Authentication, this will grey out all the other options; click Create:

User-added image

After this, Select SSL Policies and click Add.
Select your Action and enter in a Policy statement to match the Content Switch policies for your Target LB, then click Create:

User-added image

Once this is done, bind the SSL policy to your Content Switch.
You will also need to bind the CA Certificate to the Content Switch, so it will trust the Client Certs that are presented to it.

Now, the second part requires you to enable SSL Renegotiation on the Content Switch and Target LB, that will have the Client Cert enabled.
This will ensure that when users connect to the Target LB, the Content Switch can renegotiate the SSL handshake with the Client Cert.
This is disabled on the NetScaler by default, for security reasons, but we can enable it on vServers with the use of an SSL Profile.

You will need to create 1 for the Content Switch and 1 for the LB that will have the Client Cert enabled.
This is due to the requirement that Client Authentication needs to be disabled on the CS, but enabled on the LBs

Sample set of SSL Profiles:
add ssl profile cs_ssl_prof -sessReuse DISABLED -tls1 DISABLED -denySSLReneg NONSECURE
add ssl profile cert_ssl_prof -sessReuse DISABLED -clientAuth ENABLED -clientCert Mandatory -tls1 DISABLED -denySSLReneg NONSECURE

Select NONSECURE for the Deny SSL Renegotiation, to ensure that there are no issues with clients trying to attack the system.
You can further improve this system by binding secure Cipher Groups to the SSL profiles and disabling unsecure Protocols, such as SSLv3 and TLSv1.0.

After completing this setup, your Content Switch should have the following:
  • The CA Certificate bound to it.
  • An SSL Profile enabling SSL renegotiation and disabling Client Certificate.
  • An SSL Policy and Action enabling Client Certificate, only when users connect to the specific Target LBs.
Your Target LBs should have the following:
  • The CA Certificate bound to it.
  • An SSL Profile enabling SSL Renegotiation and setting Client Certificate to MANDATORY.
  • Optional: a AAA vServer bound to it to extract the details from the Certificate for further authentication/SSO.

Environment

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.

Issue/Introduction

This article describes how to enable Client Certificate on specific load balancer behind a Content Switch.

Additional Information

https://support.citrix.com/article/CTX116431
https://docs.citrix.com/en-us/netscaler/11/traffic-management/ssl/config-client-auth.html
https://docs.citrix.com/en-us/netscaler/11/traffic-management/ssl/config-ssl-actions-policies.html

Powered by Wolken Software