Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP APM
Known Affected Versions:
15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4
Fixed In:
15.1.0
Opened: May 14, 2019 Severity: 3-Major
After the client certificate has been provided, the browser waits for a response for a few minutes and then displays the error 'Page cannot be displayed'. At the same time, the following informational message appears in the /var/log/apm events log file: info tmm[12245]: 01870000:6: /Common/app1.example.com:Common:dd1d4e4f: Executed agent (/Common/app1.example.com_On-Demand-CRLDP_ondemand_cert_auth_act_ondemand_cert_auth_ag) with return status (Need more data)
On-Demand Certificate Authentication fails, even if a trusted client certificate is provided.
The BIG-IP system is configured as an Identity Aware Application Proxy for access to multiple applications, which may require On-Demand Client Certificate Authentication using different Client SSL profiles. The following is a sample scenario:
-- There are three web applications (app1.example.com, app2.example.com, app3.example.com) located behind the BIG-IP system configured as an Identity Aware Application Proxy (that is, using a Per-Request Access policy).
-- app1.example.com and app2.example.com are configured to require On-Demand Client Certificate Authentication as the primary authentication method.
-- Each application uses a separate Client SSL profile with its own Client Authentication options.
-- The Client SSL profile for the app1.example.com application has the 'Default for SNI' option enabled.
In this case, all authentication requests to app2.example.com fail, even if a trusted certificate is provided.
Use a single Client SSL profile with a single certificate whose Subject Alternative Name extension lists the fully qualified domain names of all applications protected by Identity Aware Application Proxy.
None
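As an added check for the workaround above (example script, not part of this article or of F5's tooling), the following verifies that one certificate's subjectAltName covers every application FQDN that will be served through the single shared Client SSL profile. It assumes openssl is installed; the self-signed certificate and the app hostnames are constructed for the demo, and in practice CERT would be the certificate installed in the shared profile.

```shell
#!/bin/sh
# Verify that a single certificate's SAN lists every application FQDN
# behind the Identity Aware Application Proxy (the single-profile workaround).
set -e

# Constructed sample: a throwaway self-signed cert whose SAN lists the three
# application hostnames from the scenario. $1 = output certificate path.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -days 1 -subj "/CN=app1.example.com" \
    -addext "subjectAltName=DNS:app1.example.com,DNS:app2.example.com,DNS:app3.example.com" \
    >/dev/null 2>&1
}

# Print the DNS names from the certificate's subjectAltName, one per line.
# $1 = certificate path (PEM).
san_dns_names() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# Return 0 if every FQDN given after the cert path is present in its SAN;
# otherwise print each missing name and return 1.
# $1 = certificate path, $2.. = application FQDNs protected by the proxy.
check_san_covers() {
  cert="$1"; shift
  names=$(san_dns_names "$cert")
  missing=0
  for fqdn in "$@"; do
    if ! printf '%s\n' "$names" | grep -qx "$fqdn"; then
      echo "MISSING from SAN: $fqdn"
      missing=1
    fi
  done
  return $missing
}
```

Run check_san_covers against the real certificate and the full list of application FQDNs before consolidating the profiles; any name it reports as missing would fail SNI/host matching once the per-application profiles are removed.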