- This article explains the use cases and functionality of TLS Mutual Authentication (Client Side) in the Silverline Service
- Guidance for the configuration steps required:
  - how to upload a new SSL certificate and key,
  - how to create a new SSL Front End Profile with the uploaded certificate/key pair,
  - how to enable the Front End Profile for mTLS,
  - how to assign the Authentication action within an App Proxy
- Supporting Articles in this series include:
- Initial SSL Workflow, see: INITIAL SSL Workflow
- How to manage existing SSL certificates or Profiles, see: How to Manage Existing SSL Certificates and SSL Profiles
Mutual TLS Authentication (Client Side) is now available by request, for use within the Silverline proxy infrastructure. It is presently in Beta release.
Learn more about the scope of support for Beta features: Silverline Beta / GA Feature Support Policy
What is TLS Mutual Authentication?
In traditional TLS and SSL connections, only the Server's Certificate is validated to confirm its identity and establish trust.
For additional insight into the value of Mutual TLS, please see the F5 Labs article.
With TLS Mutual Authentication (Client Side), a Certificate from the Client is required in order to validate the client’s identity to the Server before initiating a secure connection with the Server. The Certificate provided by the Client must be issued from a CA Trusted by the Server or, in this case, the Silverline Service acting on behalf of the Server.
TLS Mutual Authentication is also referred to as Mutual TLS for short, or mTLS.
- Silverline allows proxy customers the option of terminating their SSL encrypted traffic inside of the service.
- The SSL sessions are terminated within Silverline infrastructure using proxy certificates and keys (SSL Front-End Profile). Silverline then creates a separate SSL session and uses it to communicate back to your backend server (SSL Backend Profile).
- Only the SSL Front-End Profile, on the Client side, can be configured for TLS Mutual Authentication.
- Key Use Cases & Considerations:
  - Can be used to increase security for Machine to Machine communication
  - Helps ensure the identity of the connecting Client device, when User based credentials or authentication are not possible
  - Can provide additional protection for API communication from Business Partners or 3rd
  - Device identity and validation for IoT (Internet of Things) solutions
  - The Certificate provided by the Client must be issued from a CA trusted by Silverline, before a connection can be established.
Configuring TLS Mutual Authentication (Client Side) forms part of the standard SSL configuration for Silverline, which must be done in this order:
1. Upload SSL Certificate
2. Create Front End SSL Profile
3. Select Trusted CA for use with mTLS (in this article)
4. Create Back End SSL Profile (optional)
5. Add SSL Profiles to Proxy
6. Define mTLS requirement for each FQDN (in this article)
Steps 1, 2, 4 and 5 are all outlined in the INITIAL SSL Workflow guide.
Additional information for managing existing SSL certificates can be found HERE.
TLS Mutual Authentication: Additional Steps
Select a Trusted CA for use with mTLS
1. In the Silverline Portal, navigate to Config > Proxy & App Configuration > SSL Management.
2. On the Certificate and Keys tab (the default view), click the +Add button.
3. Provide the Name and the Certificate text (or upload the cert), check the Mutual TLS Client CA Certificate checkbox, add a Note (optional), and click Save.
4. Switch from the Certificate and Keys tab to the Front End SSL Profiles tab.
5. Find the Front-End Profile you wish to enable for TLS Mutual Authentication, by scrolling down the page or by using the Search option.
6. Select the Edit button for the Front-End SSL Profile.
7. Navigate to, and expand, the Advanced SSL Settings.
8. Find the box titled TLS Mutual Authentication.
9. From the Trusted CA dropdown box, select the Certificate for the CA to be used to validate the client Certificates (as created in step 3).
10. Click Save.
Define mTLS Requirement for each FQDN
Once you have enabled a Front-End SSL Profile for TLS Mutual Authentication and attached it to the App Proxy for your Application, you need to define how each FQDN within the App Proxy will implement TLS Mutual Authentication.
- In the Silverline Portal, navigate to Config > Proxy & App Configuration > Proxy & App Management.
- Locate the Application Proxy you wish to enable for TLS Mutual Authentication.
- Select the App Proxy and click Edit.
- On the Front and Back End configuration page, ensure the new Front-End SSL Profile is selected for each relevant Fully Qualified Domain Name (FQDN) for your Application.
- Navigate to the HTTPS (443/443) configuration page.
- On the Security Policies tab under Profile Settings, you can decide whether to match the Security configuration across all FQDNs or add specific profiles to each FQDN separately (use the Add option to do this).
- From the TLS Mutual Auth dropdown menu, select the enforcement level required for the FQDN (see the table below for a description of each enforcement level).
- Click Save and Deploy.
Enforcement level descriptions:
- TLS Mutual Auth is not used for the specific FQDN.
- Client certificates are ignored for the specific FQDN.
- The Silverline system will request a Client SSL Certificate and continue the SSL handshake regardless of whether the client certificate is signed by the trusted CA associated with the Front-End SSL Profile.
- The Silverline system will request a Client SSL Certificate and continue the SSL handshake only if the client certificate is signed by the trusted CA associated with the Front-End SSL Profile.
Note: mTLS on the backend side is not currently available.
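The following lab script is an added example, not Silverline code or F5 documentation. It builds a throwaway PKI with openssl and applies the check that the Trusted CA dropdown configures (a client certificate is valid only if it chains to the selected CA), then models the outcome under the last two enforcement levels in the table above. The CA names, file names and the level labels `regardless` / `only-if-signed` are constructed for the demonstration.

```shell
#!/bin/sh
# Added lab demonstration (not Silverline code): a throwaway PKI plus the
# trusted-CA check that Silverline applies to a presented client certificate.
# CA names, file names and the enforcement level labels are constructed here.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Two CAs: the one you would select in the Trusted CA dropdown, and an unrelated one.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Trusted Partner CA" \
  -keyout trusted-ca.key -out trusted-ca.pem >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
  -keyout other-ca.key -out other-ca.pem >/dev/null 2>&1

# Issue a client certificate from a CA ($1 = CA file stem, $2 = client file stem).
issue_client_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -out "$2.pem" >/dev/null 2>&1
}
issue_client_cert trusted-ca good-client    # issued by the trusted CA
issue_client_cert other-ca   rogue-client   # issued by a CA Silverline does not trust
# A self-signed client certificate: a common partner mistake that also fails the check.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=self-client" \
  -keyout self-client.key -out self-client.pem >/dev/null 2>&1

# The trusted-CA check: succeeds (exit 0) only if $1 chains to trusted-ca.pem.
client_cert_accepted() {
  openssl verify -CAfile trusted-ca.pem "$1" >/dev/null 2>&1
}

# Handshake outcome for the two "request" levels in the table above.
# $1 = "regardless" (continue even if untrusted) or "only-if-signed"
# (continue only if trusted); $2 = client certificate file. Labels are constructed.
handshake_outcome() {
  if client_cert_accepted "$2"; then
    echo accepted
  elif [ "$1" = regardless ]; then
    echo continued-unverified   # session proceeds; the origin must not infer identity
  else
    echo rejected
  fi
}

for c in good-client rogue-client self-client; do
  echo "$c: regardless=$(handshake_outcome regardless "$c.pem")" \
       "only-if-signed=$(handshake_outcome only-if-signed "$c.pem")"
done
```

The `continued-unverified` outcome is the point of the distinction: under the "continue regardless" level a client with an untrusted certificate still reaches the application, so identity decisions there cannot rely on a certificate merely having been presented.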
- WAF Onboarding Video 3: Configuring WAF Services - Adding SSL Certificates, Proxies, and WAF Policies
- INITIAL SSL Workflow: How to Upload SSL Certificates, Create SSL Profiles, and Add SSL Profiles to Proxy
- How to Manage Existing SSL Certificates and SSL Profiles
- How To: Add multiple FQDNs per Application Proxy / WAO