
How to Configure Mutual TLS (mTLS) Authentication (Client Side)

Description

  • This article explains the use cases and functionality of TLS Mutual Authentication (Client Side) in the Silverline Service
  • Guidance for the configuration steps required:
    • how to upload a new SSL certificate and key,
    • then how to create a new SSL Front End Profile with the uploaded certificate/key pair,
    • how to enable the Front End Profile for mTLS,
    • how to assign the Authentication action within an App Proxy
  • Supporting Articles in this series include:

Availability

Mutual TLS Authentication (Client Side) is now available by request, for use within the Silverline proxy infrastructure.  It is presently in Beta release.  

Learn more about the scope of support for Beta features in the Silverline Beta / GA Feature Support Policy.

 

What is TLS Mutual Authentication?

In traditional TLS and SSL connections, only the Server's Certificate is validated to confirm its identity and establish trust.

For additional insight into the value of Mutual TLS, please see the F5 Labs article.

With TLS Mutual Authentication (Client Side), a Certificate from the Client is required in order to validate the client’s identity to the Server before initiating a secure connection with the Server. The Certificate provided by the Client must be issued from a CA Trusted by the Server or, in this case, the Silverline Service acting on behalf of the Server.

TLS Mutual Authentication is also referred to as Mutual TLS for short, or mTLS.

  • Functionality:
    • Silverline allows proxy customers the option of terminating their SSL encrypted traffic inside of the service.
    • The SSL sessions are terminated within Silverline infrastructure using proxy certificates and keys (SSL Front-End Profile). Silverline then creates a separate SSL session and uses it to communicate back to your backend server (SSL Backend Profile).
    • Only the SSL Front-End Profile, on the Client side, can be configured for TLS Mutual Authentication.
  • Key Use Cases & Considerations:
    • Can be used to increase security for Machine to Machine communication
    • Helps ensure the identity of the connecting Client device, when User based credentials or authentication are not possible
    • Can provide additional protection for API communication from Business Partners or 3rd parties
    • Device identity and validation for IoT (Internet of Things) solutions
    • The Certificate provided by the Client must be issued from a CA trusted by Silverline before a connection can be established.

 

Environment

  • Silverline WAF
  • Proxy / Proxies
  • SSL Certificates
  • SSL Profiles

 

Procedure

Configuring TLS Mutual Authentication (Client Side) forms part of the standard SSL configuration for Silverline which must be done in this order:

  1. Upload SSL Certificate
  2. Create Front End SSL Profile
  3. Select Trusted CA for use with mTLS (in this article)
  4. Create Back End SSL Profile (optional)
  5. Add SSL Profiles to Proxy
  6. Define mTLS requirement for each FQDN (in this article)

Steps 1, 2, 4 and 5 are all outlined in the INITIAL SSL Workflow guide.

Additional information for managing existing SSL certificates can be found HERE

TLS Mutual Authentication Additional Steps

 

Select a Trusted CA for use with mTLS

Requirements

  • Certificate Authority (CA)
    • Upload the certificate that will be used as the CA
  • Front-End SSL Profile
    • Created from a Certificate and Key pair that you have already uploaded to Silverline
  • Intermediate Chain for CA
    • A Certificate Authority (CA) chain for the Intermediate CA or Root CA issuing the Client's Certificate must be uploaded to Silverline to establish the chain of trust.
    • This can be done as part of the upload of the original Certificate and key pair used for the Front-end profile, or as a separate Cert & Key pair.

Procedure

  1. In the Silverline Portal, navigate to Config > Proxy & App Configuration > SSL Management.
  2. On the Certificate and Keys tab (default view), press the +Add button.
  3. Provide the Name and the Certificate text (or upload the cert), check the Mutual TLS Client CA Certificate checkbox, add a Note (optional), and click Save.
  4. From the Certificate and Keys tab, select the Front End SSL Profiles tab.
  5. Find the Front-end Profile you wish to enable for TLS Mutual Authentication, by navigating down the page or by using the Search option.
  6. Select the Edit button for the Front-End SSL Profile.
  7. Navigate to, and expand, the Advanced SSL Settings.
  8. Find the box titled TLS Mutual Authentication.
  9. From the Trusted CA dropdown box, select the Certificate for the CA to be used to validate the client Certificates (as created in step 3).
  10. Click Save.

 

Define mTLS Requirement for each FQDN

Once you have enabled a Front-end SSL profile for TLS Mutual Authentication and attached it to the App Proxy for your Application, you need to define how each FQDN within the App Proxy will implement TLS Mutual Authentication.

  1. In the Silverline Portal, navigate to Config > Proxy & App Configuration > Proxy & App Management.
  2. Locate the Application Proxy you wish to enable for TLS Mutual Authentication.
  3. Select the App Proxy and click Edit.
  4. On the Front and Back End configuration page, ensure the new Front-End SSL profile is selected for each relevant Fully Qualified Domain Name (FQDN) for your Application.
  5. Navigate to the HTTPS (443/443) configuration page.
  6. On the Security Policies tab under Profile Settings, you can decide whether to match the Security configuration across all FQDNs or add specific profiles to each FQDN separately (use the Add option to do this).
  7. From the TLS Mutual Auth dropdown menu, select the enforcement level required for the FQDN:
      • None
      • Ignore
      • Request
      • Require
  8. Please see the table below for a description of each enforcement level.
  9. Click Save and Deploy.

Enforcement Options

  • None: TLS Mutual Auth is not used for the specific FQDN.
  • Ignore: Client certificates are ignored for the specific FQDN.
  • Request (Loose): The Silverline system will request a Client SSL Certificate and continue the SSL handshake regardless of whether the client certificate is signed by the trusted CA associated with the Front-end SSL profile.
  • Require (Strict): The Silverline system will request a Client SSL Certificate and continue the SSL handshake only if the client certificate is signed by the trusted CA associated with the Front-end SSL profile.
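After Save and Deploy, the enforcement level an FQDN actually applies can be confirmed from a client by observing the handshake. The script below is an added example, not Silverline code: it drives openssl s_client with a certificate signed by the Trusted CA and one signed by some other CA, and maps the outcomes onto the table above (None/Ignore never send a CertificateRequest, Request sends one but continues regardless, Require aborts unless the trusted CA signed the certificate). The openssl output patterns are heuristics, and all file paths are hypothetical.

```python
"""Infer the mTLS enforcement level an FQDN applies, from two openssl s_client probes."""
import re
import subprocess

# Heuristic patterns for openssl s_client output (assumed, not from Silverline docs):
# the CA-names block appears only when the proxy sent a CertificateRequest, and a
# fatal alert or ":error:" line means the handshake did not complete cleanly.
CA_NAMES_RE = re.compile(r"^Acceptable client certificate CA names", re.M)
FAIL_RE = re.compile(
    r"alert (handshake failure|certificate required|unknown ca|bad certificate)|:error:", re.I)


def s_client(fqdn, cert=None, key=None):
    """One TLS handshake to fqdn:443 (SNI set); returns openssl's combined output."""
    cmd = ["openssl", "s_client", "-connect", f"{fqdn}:443", "-servername", fqdn]
    if cert:
        cmd += ["-cert", cert, "-key", key]
    proc = subprocess.run(cmd, input=b"", stdout=subprocess.PIPE,
                          stderr=subprocess.STDOUT, timeout=20)
    return proc.stdout.decode(errors="replace")


def parse_probe(output):
    """Reduce one probe to two facts: was a client cert requested, did the handshake complete."""
    return {"cert_requested": bool(CA_NAMES_RE.search(output)),
            "completed": FAIL_RE.search(output) is None}


def infer_enforcement(trusted, untrusted):
    """trusted/untrusted are parse_probe() results for a cert signed by the Trusted CA
    and for a cert signed by some other CA; returns the enforcement level observed."""
    if not trusted["cert_requested"]:
        return "None or Ignore"          # no CertificateRequest: client certs play no role
    if not trusted["completed"]:
        return "Misconfigured: trusted cert rejected (check Trusted CA / chain upload)"
    if untrusted["completed"]:
        return "Request"                 # asked, but handshake continued with an untrusted cert
    return "Require"                     # asked, and untrusted cert was refused


def check_fqdn(fqdn, trusted_cert, trusted_key, untrusted_cert, untrusted_key):
    """Run both probes against a live FQDN and classify it."""
    return infer_enforcement(parse_probe(s_client(fqdn, trusted_cert, trusted_key)),
                             parse_probe(s_client(fqdn, untrusted_cert, untrusted_key)))


if __name__ == "__main__":
    import sys  # usage: script.py FQDN trusted.crt trusted.key other.crt other.key
    print(check_fqdn(*sys.argv[1:6]))
```

Run it once per FQDN after deployment; a Require FQDN that reports "Request" means the Trusted CA setting on the Front-End SSL profile is not being enforced for that name.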

 

 

Note: mTLS on the backend side is not currently available.

 
