This article describes how to make GSLB connection proxy work when mandatory client certificate authentication is needed.
Scenario
- Two GSLB sites (Site-1 and Site-2).
- GSLB persistence method is set to Connection Proxy.
- Site-1 and Site-2 each have an SSL VServer with client certificate authentication set to Mandatory (the same CA is bound on both) and Auth+SSO to the back end enabled.
The Problem
1. The client requests resolution for the FQDN and receives the IP of the Site-1 SSL VServer.
2. The client browser establishes an SSL connection with the Site-1 SSL VServer, presents its client certificate, enters credentials and SSOs to the back end. The client receives the site and authentication cookies.
3. The connection remains idle for some time and/or the DNS cache entry times out.
4. The client requests resolution for the FQDN again and this time receives the IP of the Site-2 SSL VIP.
5. The browser page is refreshed; the client successfully performs the SSL handshake with the Site-2 SSL VServer, presents its client certificate, and passes the HTTP GET/POST request along with the cookies it received previously from Site-1.
<< Connection Proxy kicks in >>
6. Site-2 (SNIP) attempts an SSL connection with the Site-1 SSL VServer. The Site-1 SSL VServer requests a client certificate, but the Site-2 SNIP has none to present, so the SSL handshake fails and the Site-1 SSL VServer resets the connection. The Site-2 SSL VServer in turn resets the connection with the client.
<< Failure at this point >>
Instructions
To make it work, bind a valid client certificate to the remote GSLB service on both sites. The certificate must be issued by the CA that is bound to the SSL VServers for client certificate authentication, otherwise the proxied handshake still fails. At this time a client certificate can be bound to a GSLB service via the CLI only.
Example below:
- service_cert is a client certificate.
- gsvc2 is the remote GSLB service on Site-1 (for the Site-2 SSL VServer).
- gsvc1 is the remote GSLB service on Site-2 (for the Site-1 SSL VServer).
Site-1:
    add ssl certKey service_cert -cert "/nsconfig/ssl/complete/client/client_rsa_1024.pem" -key "/nsconfig/ssl/complete/client/client_rsa_1024.ky"
    bind ssl service gsvc2 -certkeyName service_cert
Site-2:
    add ssl certKey service_cert -cert "/nsconfig/ssl/complete/client/client_rsa_1024.pem" -key "/nsconfig/ssl/complete/client/client_rsa_1024.ky"
    bind ssl service gsvc1 -certkeyName service_cert
Flow after making the above changes:
1. The client requests resolution for the FQDN and receives the IP of the Site-1 SSL VServer.
2. The client browser establishes an SSL connection with the Site-1 SSL VServer, presents its client certificate, enters credentials and SSOs to the back end. The client receives the site and authentication cookies.
3. The connection remains idle for some time and/or the DNS cache entry times out.
4. The client requests resolution for the FQDN again and this time receives the IP of the Site-2 SSL VIP.
5. The browser page is refreshed; the client successfully performs the SSL handshake with the Site-2 SSL VServer, presents its client certificate, and passes the HTTP GET/POST request along with the cookies it received previously from Site-1.
<< Connection Proxy kicks in >>
6. Site-2 (SNIP) attempts an SSL connection with the Site-1 SSL VServer. The Site-1 SSL VServer requests a client certificate, Site-2 (SNIP) presents service_cert, and the SSL handshake succeeds.
7. Site-2 (SNIP) forwards the HTTP GET/POST request received from the client, along with the cookies, to the Site-1 SSL VServer, and the response is passed back to the client. The client continues with the same session seamlessly, while the Site-2 SNIP keeps proxying the connection on behalf of the client towards the Site-1 SSL VServer in the background. Note that on this proxied leg Site-1 sees service_cert rather than the end user's own certificate; the user's session is carried by the forwarded cookies.
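Before running the add ssl certKey / bind ssl service commands above, it is worth confirming offline that the certificate and key pair you intend to use as service_cert was actually issued by the CA bound to the remote SSL VServer and that the key matches the certificate, since a mismatch reproduces the same handshake failure. The script below is an added example, not part of the Citrix article: it builds a throwaway CA and client certificate (constructed test material, file names are assumptions) and runs the checks with openssl, which is available in the NetScaler shell.

```shell
#!/bin/sh
# Added example: sanity-check a client cert/key pair for use as service_cert.
# All files live in a temp directory and are constructed here; nothing is
# taken from a real appliance.
set -e
WORK=$(mktemp -d)

# Constructed fixtures: a throwaway CA (standing in for the CA bound on the
# SSL VServer), a client cert it signs, and an unrelated CA for the negative case.
make_fixtures() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example-GSLB-CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 1 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=service_cert" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/client.pem" -days 1 >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Unrelated-CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" -days 1 >/dev/null 2>&1
}

# check_client_cert CERT KEY CAFILE
# returns 0 if CERT chains to CAFILE, KEY belongs to CERT, and CERT is not expired;
# 1, 2 or 3 respectively for the failing check.
check_client_cert() {
  cert=$1; key=$2; ca=$3
  # 1. The cert must validate against the CA bound on the remote SSL VServer.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  # 2. The private key must belong to the cert: compare the public keys.
  c=$(openssl x509 -in "$cert" -pubkey -noout | openssl sha256)
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ] || return 2
  # 3. The cert must still be valid now.
  openssl x509 -in "$cert" -checkend 0 -noout >/dev/null 2>&1 || return 3
  return 0
}

make_fixtures
if check_client_cert "$WORK/client.pem" "$WORK/client.key" "$WORK/ca.pem"; then
  echo "service_cert candidate is usable against the bound CA"
else
  echo "service_cert candidate FAILED check $?"
fi
```

Point the three arguments at the real .pem, .ky and bound CA files on the appliance to run the same checks there.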