How to configure Netscaler LB to perform Client Certificate authentication against the Backend server (SSL Offload)
Article ID: CTX204637
Description
This article shows how to configure the Netscaler to authenticate with a client certificate to a backend server that is configured as a service on the Netscaler LB (any SSL-based service type, excluding SSL_Bridge).
Instructions
Netscaler configuration:
The following steps detail how to configure a Netscaler service to send a client certificate to the backend server.
1. Add a client certificate on the Netscaler. This is the certificate the Netscaler sends to the backend when the backend server requests a certificate. The screenshot below shows an example of an imported certificate.
2. Create a service and apply this certificate to it. Navigate to Traffic Management > Load Balancing > Services, click Add, and create an SSL-based service. An example SSL-based service is shown below:
3. Map the client certificate to this service. Under the service, go to Advanced Settings > Certificates. You will see the option below:
Click “No Client Certificate”, select Client Certificate, and choose the client certificate imported in step 1 from the list. An example of the chosen certificate is shown below. Click Bind, then Done.
4. Finally, bind this service to the LB virtual server.
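The four GUI steps above map to five NetScaler configuration objects. The following script, added here as an example and not part of the Citrix article or of NetScaler's own tooling, creates them through the NITRO REST API. The NSIP, credentials, VIP, object names and the certificate/key paths under /nsconfig/ssl are assumptions; the backend IP is the one from the article's trace. The comment above each object gives the equivalent NetScaler CLI command.

```python
"""Create the article's four configuration steps through the NetScaler NITRO REST API.

Added example, not Citrix's code or tooling. Assumptions: the NSIP, credentials
and VIP below; that client.crt/client.key were already uploaded to /nsconfig/ssl;
and the object names. The backend IP is the one in the article's trace.
"""
import json
import urllib.request

NSIP = "192.0.2.10"            # assumption: management address of the NetScaler
NS_USER = "nsroot"             # assumption
NS_PASS = "changeme"           # assumption: use a real credential store in practice
BACKEND_IP = "10.104.23.143"   # backend server from the article's trace
VIP = "192.0.2.100"            # assumption: address of the LB virtual server


def build_steps(certkey="clientcert", svc="backend_ssl_svc", vs="lb_vs_ssl",
                cert="/nsconfig/ssl/client.crt", key="/nsconfig/ssl/client.key"):
    """Return (NITRO resource, payload) pairs in the order the article's steps are applied.

    The comment above each pair is the equivalent NetScaler CLI command."""
    return [
        # Step 1: add ssl certKey clientcert -cert client.crt -key client.key
        ("sslcertkey", {"certkey": certkey, "cert": cert, "key": key}),
        # Step 2: add service backend_ssl_svc 10.104.23.143 SSL 443
        ("service", {"name": svc, "ip": BACKEND_IP, "servicetype": "SSL", "port": 443}),
        # Step 3: bind ssl service backend_ssl_svc -certkeyName clientcert
        # ca=False binds it as the certificate the ADC presents to the backend,
        # not as a CA certificate used to verify the backend.
        ("sslservice_sslcertkey_binding",
         {"servicename": svc, "certkeyname": certkey, "ca": False}),
        # Step 4: add lb vserver lb_vs_ssl SSL 192.0.2.100 443
        ("lbvserver", {"name": vs, "servicetype": "SSL", "ipv46": VIP, "port": 443}),
        #         bind lb vserver lb_vs_ssl backend_ssl_svc
        ("lbvserver_service_binding", {"name": vs, "servicename": svc}),
    ]


def nitro_request(resource, payload):
    """Build (but do not send) the NITRO POST for one configuration object."""
    return urllib.request.Request(
        f"https://{NSIP}/nitro/v1/config/{resource}",
        data=json.dumps({resource: payload}).encode(),
        method="POST",
        headers={"Content-Type": "application/json",
                 "X-NITRO-USER": NS_USER, "X-NITRO-PASS": NS_PASS},
    )


def push_config(steps=None):
    """Apply the steps in order; an HTTP error raises, so a half-applied config is obvious."""
    results = []
    for resource, payload in steps or build_steps():
        with urllib.request.urlopen(nitro_request(resource, payload), timeout=10) as resp:
            results.append((resource, resp.status))
    return results


if __name__ == "__main__":
    # Dry run: show what would be sent. Call push_config() to apply it.
    for resource, payload in build_steps():
        print(resource, json.dumps(payload))
```

Running the script only prints the objects; `push_config()` sends them. The server certificate the LB virtual server presents to real users is outside the article's steps and is not configured here, and the configuration is not saved to disk by this script.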
Below is a snippet of a trace taken on the Netscaler while a real user accesses the service through the LB vserver. It shows the communication from the SNIP (IP 10.104.22.49) to the backend server (IP 10.104.23.143):
1. After the Client Hello packet, the server responds with a Server Hello and requests a certificate from the client.
2. Next, the client (the Netscaler SNIP) sends its certificate and the remaining SSL handshake messages.
3. The server replies with “Change Cipher Spec, Encrypted Handshake Messages” and no Alert message, i.e. the handshake completes correctly.
4. Application data between the client and server now flows encrypted.
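To check a capture for the four points above without reading it packet by packet, the following script, an added example rather than anything from the article, walks a TLS 1.2 record stream and reports whether the backend requested a client certificate, whether the SNIP side actually presented one, and whether the backend raised an Alert instead of Change Cipher Spec. The two exchanges it parses are constructed inline (FAKE_CERT is a placeholder, not real DER); the failure case, in which no certificate is bound to the service and the backend answers the empty Certificate message with an alert, is included so that symptom is recognisable in a real trace.

```python
"""Classify a TLS 1.2 handshake between a NetScaler SNIP and a backend service.

Added example, not from the Citrix article. Input is a list of (side, bytes)
chunks in wire order; the sample exchanges at the bottom are constructed, not
taken from the article's trace, and FAKE_CERT is a placeholder, not real DER.
"""
import struct

HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
             15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished"}
CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
ALERTS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca"}


def parse_stream(side, data):
    """Return (side, event, detail) tuples for every TLS record sent by one side.

    Once this side has sent ChangeCipherSpec its later handshake records are
    encrypted, so they are reported as opaque 'EncryptedHandshake' events."""
    events, i, encrypted = [], 0, False
    while i + 5 <= len(data):
        ctype, length = data[i], struct.unpack("!H", data[i + 3:i + 5])[0]
        body = data[i + 5:i + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record")
        i += 5 + length
        if ctype == 20:
            encrypted = True
            events.append((side, "ChangeCipherSpec", None))
        elif ctype == 22 and not encrypted:
            j = 0
            while j + 4 <= len(body):
                mtype, mlen = body[j], int.from_bytes(body[j + 1:j + 4], "big")
                mbody = body[j + 4:j + 4 + mlen]
                j += 4 + mlen
                # For Certificate, keep the certificate_list length: 0 means "no cert sent".
                detail = int.from_bytes(mbody[:3], "big") if mtype == 11 else None
                events.append((side, HANDSHAKE.get(mtype, f"handshake#{mtype}"), detail))
        elif ctype == 22:
            events.append((side, "EncryptedHandshake", None))
        elif ctype == 21 and len(body) >= 2:
            events.append((side, "Alert", ALERTS.get(body[1], f"alert#{body[1]}")))
        else:
            events.append((side, CONTENT.get(ctype, f"content#{ctype}"), None))
    return events


def assess(flow):
    """Reduce an exchange to the four checks the article makes on its trace."""
    events = [e for side, data in flow for e in parse_stream(side, data)]
    requested = any(s == "server" and t == "CertificateRequest" for s, t, _ in events)
    sent = any(s == "client" and t == "Certificate" and d for s, t, d in events)
    alert = next((d for _, t, d in events if t == "Alert"), None)
    app_data = any(t == "ApplicationData" for _, t, _ in events)
    if not requested:
        verdict = "backend did not request a client certificate"
    elif not sent:
        verdict = "backend requested a client certificate but the SNIP sent none: check the certificate bound to the service"
    elif alert:
        verdict = f"backend rejected the client certificate ({alert}): check the backend's CA trust"
    elif app_data:
        verdict = "mutual TLS to the backend succeeded; application data is flowing"
    else:
        verdict = "handshake incomplete in this capture"
    return {"server_requested_cert": requested, "client_sent_cert": sent,
            "alert": alert, "app_data": app_data, "verdict": verdict}


# --- helpers that build the constructed records ------------------------------
def record(ctype, body):
    return bytes([ctype]) + b"\x03\x03" + struct.pack("!H", len(body)) + body

def hs(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def cert_msg(certs):
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    return hs(11, len(entries).to_bytes(3, "big") + entries)

FAKE_CERT = b"\x30\x03\x02\x01\x01"   # placeholder bytes, not a real certificate
SERVER_FLIGHT = record(22, hs(2, bytes(38)) + cert_msg([FAKE_CERT])
                       + hs(13, b"\x01\x01\x00\x02\x04\x01\x00\x00") + hs(14, b""))

# Case 1: what the article's trace shows (a certificate is bound to the service).
GOOD_FLOW = [
    ("client", record(22, hs(1, bytes(38)))),
    ("server", SERVER_FLIGHT),
    ("client", record(22, cert_msg([FAKE_CERT]) + hs(16, b"\x00\x02\xab\xcd")
                      + hs(15, b"\x04\x01\x00\x02\x12\x34"))
               + record(20, b"\x01") + record(22, bytes(40))),
    ("server", record(20, b"\x01") + record(22, bytes(40)) + record(23, b"\xde\xad")),
    ("client", record(23, b"\xbe\xef")),
]

# Case 2: no certificate bound, so the SNIP sends an empty Certificate and the
# backend answers with a fatal handshake_failure alert instead of ChangeCipherSpec.
BAD_FLOW = [
    ("client", record(22, hs(1, bytes(38)))),
    ("server", SERVER_FLIGHT),
    ("client", record(22, cert_msg([]) + hs(16, b"\x00\x02\xab\xcd"))
               + record(20, b"\x01") + record(22, bytes(40))),
    ("server", record(21, b"\x02\x28")),
]

if __name__ == "__main__":
    for name, flow in (("bound certificate", GOOD_FLOW), ("no certificate", BAD_FLOW)):
        print(f"{name}: {assess(flow)['verdict']}")
```

To use it on a real capture, feed `assess()` the reassembled TCP payload of each direction between the SNIP and the backend, split into chunks in the order they were sent; the verdict distinguishes "no certificate bound on the service" (empty Certificate from the client side) from "backend does not trust the certificate" (an alert such as unknown_ca after a non-empty one).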