Configuring an SSL Policy Action for Inserting Client Certificate Thumbprint in the HTTP Header on NetScaler 11.1

Article ID: CTX219901

Description

This article describes how to configure an SSL Policy Action for inserting client certificate thumbprint in the HTTP header on NetScaler 11.1.

Note: This feature was introduced in release 11.1 build 51.21.

Background

NetScaler appliances now support inserting the thumbprint (also called a fingerprint) of a certificate into the header of a request sent to a back-end server. If client authentication is enabled, the appliance computes the thumbprint of the certificate, and uses an SSL policy action to insert the thumbprint into the request. The server searches for the thumbprint, and grants secure access if there is a match.

You must configure an SSL action that enables client certificate fingerprint insertion, names the header into which the fingerprint is inserted, and specifies the digest (hash algorithm) used to compute the fingerprint value. The NetScaler appliance supports SHA1 and SHA2 (SHA224, SHA256, SHA384, SHA512) digests. The appliance derives the fingerprint value by computing the specified digest of the DER-encoding of the client certificate. Then, create an SSL policy specifying this action, and bind the policy to an SSL virtual server.
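
The back-end side of the check described above, as an added example (not Citrix code): it derives the fingerprint as the digest of the certificate's DER encoding and compares the received header value against enrolled fingerprints. It assumes the header carries the digest as hex text, which this article does not specify; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import ssl

# Digests listed for certFingerprintDigest, mapped to hashlib names.
DIGESTS = {"SHA1": "sha1", "SHA224": "sha224", "SHA256": "sha256",
           "SHA384": "sha384", "SHA512": "sha512"}


def fingerprint(der: bytes, digest: str = "SHA256") -> str:
    """Hex digest of the DER encoding of a certificate."""
    return hashlib.new(DIGESTS[digest], der).hexdigest()


def fingerprint_from_pem(pem: str, digest: str = "SHA256") -> str:
    """Enrolled certificates are often stored as PEM; hash the DER inside."""
    return fingerprint(ssl.PEM_cert_to_DER_cert(pem), digest)


def normalize(value: str) -> str:
    """Assumed header format: hex, any case, optional ':' or space separators."""
    return value.strip().replace(":", "").replace(" ", "").lower()


def is_authorized(header_values, allowed, digest="SHA256") -> bool:
    """header_values: every value received for the fingerprint header."""
    # Exactly one value is expected; a missing or repeated header is refused.
    if len(header_values) != 1:
        return False
    candidate = normalize(header_values[0])
    hex_len = hashlib.new(DIGESTS[digest]).digest_size * 2
    if len(candidate) != hex_len or set(candidate) - set("0123456789abcdef"):
        return False
    # Constant-time comparison against each enrolled fingerprint.
    hits = [hmac.compare_digest(candidate, normalize(fp)) for fp in allowed]
    return any(hits)


# Constructed sample: placeholder bytes standing in for a DER certificate.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
ALLOWED = {fingerprint_from_pem(SAMPLE_PEM)}

if __name__ == "__main__":
    presented = fingerprint(SAMPLE_DER).upper()
    print(presented, is_authorized([presented], ALLOWED))
```

The header is only meaningful on requests that reached the server through the appliance, so restrict direct network access to the back-end server accordingly.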

Arguments

  • clientCertFingerprint

    Insert the certificate's fingerprint into the HTTP header of the request being sent to the web server. The fingerprint is derived by computing the specified hash value (SHA256, for example) of the DER-encoding of the client certificate.

  • certFingerprintHeader

    Name of the header into which to insert the client certificate fingerprint. 

  • certFingerprintDigest

    Digest algorithm used to compute the fingerprint of the client certificate. Possible values: SHA1, SHA224, SHA256, SHA384, and SHA512.


Instructions

Configure an SSL action for Inserting Client Certificate Thumbprint

To configure an SSL action for inserting client certificate thumbprint by using the NetScaler GUI:

  1. Navigate to Traffic Management > SSL > Policies.

  2. In the details pane, select the SSL Actions tab, and click Add.

  3. In the Create SSL Action dialog box, set the following parameters:

    • Name (A required parameter)
    • Client Certificate Finger Print
    • FingerPrint Tag
    • FingerPrint Digest

  4. Click Create.

  5. Select the SSL Policies tab, and click Add.

  6. In the Create SSL Policy dialog box, set the following parameters:

    • Name (A required parameter)
    • Action
    • Expressions

  7. Click Create.

  8. Navigate to Traffic Management > Load Balancing > Virtual Servers.

  9. In the details pane, from the list of virtual servers, select the virtual server to which you want to bind the SSL policy, and then click Edit.

  10. In Advanced Settings, click SSL Policies.

  11. Click SSL Policy.

  12. In the Policy Binding dialog box, select the policy created earlier.

  13. Assign a Priority.

  14. Click Bind.

  15. Click Done.

Issue/Introduction

How to configure an SSL Policy Action for inserting client certificate thumbprint in the HTTP header on NetScaler 11.1. Arguments: clientCertFingerprint, certFingerprintHeader, certFingerprintDigest.