Certificate authentication, Iphone VPN on demand, BigIP F5, godaddy

So we have this cool VPN device from F5 that gives us basically single click entry into our Qlikview. Unfortunately, a certificate expired and then everything broke. This was set up by an F5 consultant and wasn't documented. (Note to self: have your consultants document what they do.)

So now the crap hit the fan, after spending all day on the phone with F5 support finally they were able to get us up and running again! Thanks F5 guys for working it out!

So, step one: we needed an SSL certificate (my boss didn't like the last place). We decided to go with a simple GoDaddy 5 year SSL cert for $60 versus a Verisign, which I think cost like $1000 (crazy).

Now actually getting to where you can submit your certificate is a little bit cryptic. After you buy it, you go to Manage Certificates and you're like, so now what? So you click Credits, then click the refresh arrow, and then your credit will show up.

So now you can redeem your credit. On the BigIP side of things you need to create your certificate signing request (CSR).

So go to Local Traffic, SSL Certificates, Create. Give it a name, choose Certificate Authority, fill in the common name (I'm pretty sure this has to match the DNS entry), make it 2048 bits and fill in the rest of the stuff.

Godaddy has a page describing this as well

http://support.godaddy.com/help/article/5597/generating-a-certificate-signing-request-csr-f5-bigip-loadbalancer?pc_split_value=1

Hit Finished, copy the CSR text (the base64 blob) into your clipboard and then paste it into the GoDaddy CSR submission window.

Ok, GoDaddy will chug on it for a while and then you need to prove that you own the domain. The easiest way was to click on the 'what's the hold up' link on the GoDaddy side and then create the simple little HTML file proving you own the site. After you have proved you own it, you can download the certificate and the GoDaddy bundle.

So now you need to import the certificate and the key. So back to the Local Traffic, SSL Certificates screen, press Import, give it a name (I chose one that matched the domain). There, now you have a server SSL certificate.

http://support.godaddy.com/help/article/5511/installing-an-ssl-certificate-in-f5-bigip-loadbalancer?pc_split_value=1

You have to set your SSL client profile to use this certificate and key.

Ok, now are you ready for even more fun????

So we also need to verify that our iPhone clients have a client certificate (in order to do iPhone VPN on demand you need to use certificate based VPN; we also do NT authentication as well).

So in order to do this you need to create a certificate authority, create and sign client certificates, configure the F5 to use them, and then export them in an iPhone friendly format.

Here we go. Get yourself a copy of openssl.cnf (in my case F5 support had one) and then use WinSCP to copy it over to /tmp/cert/openssl.cnf (the same path the CA command below points at).

This post has pretty much the same steps, but uses different directories:

http://www.gomiworld.net/securing-the-web-with-ssl-client-certificates

Now SSH into your F5 box. I suppose you could do this anywhere openssl was installed.

And then run the following procedure:

Creating a CA certificate

Create a directory to contain your CA certificate by typing the following command syntax:

mkdir /tmp/cert

Create a private directory in your CA directory by typing the following command syntax:

mkdir /tmp/cert/private

Create a client certificate directory in your CA directory by typing the following command syntax:

mkdir /tmp/cert/client

Create a serial number file for your CA by typing the following command syntax:

echo "0001" > /tmp/cert/ca.srl

Create a CA certificate and key by typing the following command syntax:

openssl req -new -x509 -days 365 -keyout /tmp/cert/private/nffckey.pem -out /tmp/cert/private/nffccert.pem -config /tmp/cert/openssl.cnf

Creating and signing a client certificate

Create a client certificate request by typing the following command syntax (note the 512-bit RSA key here is far below today's minimum; the server certificate above used 2048 bits and the client key should too):

openssl req -new -newkey rsa:512 -nodes -out /tmp/cert/client/client.req -keyout /tmp/cert/client/client.key

Sign the client certificate by typing the following command syntax:

openssl x509 -CA /tmp/cert/private/nffccert.pem -CAkey /tmp/cert/private/nffckey.pem -CAserial /tmp/cert/ca.srl -req -in /tmp/cert/client/client.req -out /tmp/cert/client/client.pem -days 365

Results

You created the CA located at:

/tmp/cert/private/nffccert.pem

/tmp/cert/private/nffckey.pem

You created a client cert located at:

/tmp/cert/client/client.pem

Export to PKCS#12

openssl pkcs12 -export -clcerts -in /tmp/cert/client/client.pem -inkey /tmp/cert/client/client.key -out /tmp/cert/client/client.p12
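The same CA, client cert and PKCS#12 steps wrapped into shell functions, as an added example (not the post's or F5's script), with one extra step the procedure above skips: verifying that the signed client cert actually chains to the CA before it gets exported and mailed out. It assumes openssl is on PATH, uses -subj instead of the consultant-supplied openssl.cnf so it runs without that file, uses 2048-bit keys instead of the post's 512-bit one, and the directory and CN values are made up.

```shell
#!/bin/sh
# Added example: CA -> client cert -> PKCS#12 flow from the procedure above,
# in a scratch directory, plus a verification step before export.
# Assumptions: openssl on PATH; -subj replaces the post's openssl.cnf; 2048-bit
# RSA instead of 512; CERT_DIR and the CN values are made up for the example.
set -eu

CERT_DIR="${CERT_DIR:-$(mktemp -d)}"
CA_CERT="$CERT_DIR/private/nffccert.pem"
CA_KEY="$CERT_DIR/private/nffckey.pem"

# Same layout as the post: private/ for the CA, client/ for issued certs, ca.srl seed.
build_ca() {
  mkdir -p "$CERT_DIR/private" "$CERT_DIR/client"
  echo "0001" > "$CERT_DIR/ca.srl"
  openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 \
    -keyout "$CA_KEY" -out "$CA_CERT" -subj "/CN=Example VPN CA" 2>/dev/null
}

# $1 = user name, used as the client cert CN so the F5 logs show who connected.
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -out "$CERT_DIR/client/$1.req" -keyout "$CERT_DIR/client/$1.key" 2>/dev/null
  openssl x509 -req -CA "$CA_CERT" -CAkey "$CA_KEY" -CAserial "$CERT_DIR/ca.srl" \
    -in "$CERT_DIR/client/$1.req" -out "$CERT_DIR/client/$1.pem" -days 365 2>/dev/null
}

# Returns 0 only if client/$1.pem validates against our CA. This is the same
# check the Client Cert Inspection step on the F5 performs, so do it before
# mailing anyone a .p12.
verify_client() {
  openssl verify -CAfile "$CA_CERT" "$CERT_DIR/client/$1.pem" >/dev/null 2>&1
}

# $2 = export password; iOS asks for it when the .p12 is installed.
export_p12() {
  openssl pkcs12 -export -clcerts -in "$CERT_DIR/client/$1.pem" \
    -inkey "$CERT_DIR/client/$1.key" -out "$CERT_DIR/client/$1.p12" -passout "pass:$2"
}
```

Typical use is build_ca; issue_client alice; verify_client alice && export_p12 alice 'secret'. If an older device refuses the resulting .p12, OpenSSL 3 changed the default PKCS#12 encryption; adding -legacy to the pkcs12 command produces the older format.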

----

So now you need to import your CA cert and key into the F5; go to the same SSL certificate place. I named them the same and then the system combined them into a Certificate & Key.

So now under Local Traffic ›› Profiles : SSL : Client, I click my VPN profile and change the Trusted Certificate Authorities to my newly created one, and also change the Advertised Certificate Authorities to the new one.

Then I email out the P12 to the iPhone clients, change the profile over to use the new certificate, and we are back in business!

joy

Setting up F5 BigIP with VPN on demand, SSO (Single sign on) for Qlikview

So, initially we were using PPTP to VPN with our iDevices:

https://michaelellerbeck.com/2009/07/08/setting-up-a-vpn-for-an-iphone-using-server-2003-pptp-and-then-connecting-to-qlikview-server/

This worked OK, but it was kind of flaky, and the biggest inconvenience was having to manually turn on the VPN. (Too tricky for VPs, of course.)

So our CIO happened on the magic term of VPN on demand. From there the ball got rolling. Basically, when you go to a pre-defined domain it's smart enough to fire off the VPN client for you!

I wasn’t involved completely in the install so there are some gaping holes in my knowledge, but I will try to lay out the setup as best as I can.

The F5 BIG-IP box is a hot rod! We are using only about 1% of its capabilities. It has a very nice visual design tool for configuring your Access Policies.

[Screenshot: the full access policy in the visual policy editor]

Basically, it starts with a 'Start', then runs a Client Cert Inspection. I believe this is where it inspects the client to see that it has the SSL certificate that we set up (we obtained a trusted cert from somewhere). The next step is to check the UI mode of the client. Then it checks what OS you are running. Then there is a Logon Page; if I remember correctly, this is where the F5 Edge Client grabs the NT username and password.

After that it hits the AD Auth module. This module is configured to use a server named 'ActiveDirector', set up under Access Policy, AAA Servers with an Active Directory type, with the domain controller and other creds specified.

After it's authenticated it then caches the credentials for single sign on!! The module is called SSO Credential Mapping, and I left the settings at default. This mapping uses the SSO setting set at the Access Profile, Properties selection. (This is really cool BTW; otherwise the CEO, VPs etc. have to type in their password every time they connect to the Qlikview server.) This is configured under Access Policy, SSO Configurations. I named it SSO_IPHONE_POLICY, I used NTLMV1 (a weak legacy protocol; NTLMv2 is the better choice where the environment allows it), I enabled Username Conversion and typed in the NTLM domain, and left the rest of the settings at default.

Next in the mapping is an AD Query. It once again uses the 'ActiveDirector' AD server, User Principal Name is enabled, and under Branch Rules is a 'MemberOf' with an expression of CN=VPN_Users,OU=Custom Groups,OU=My Groups,DC=mydomain,DC=local. This checks that users attempting to connect are members of the VPN_Users AD group. Then finally, if all the criteria match, it passes to a Resource Assign and then to an Allow.

There are of course a couple of other settings.

Originally when we set it up the VPN worked great, actually too great: it would never disconnect. After contacting support, this is how to fix it:

We have determined why the session is not disconnecting after the Inactivity timeout expires. The edge client sends out 40 bytes of data every 30 seconds or so. For the Network Access object, the 'Session Update Threshold' is set to 0 by default. So the 40 bytes we send triggers and keeps the tunnel open and prevents the Inactivity Timeout from starting. With a value of 60 bytes, the tunnel on the iPhone closes after the timeout expires as expected.

Go into your GUI, Access Policy ›› Network Access : Network Access List and select the active one for your set up. Change the General Settings view to "Advanced". You can update the "Session Update Threshold" to 50 or 60. Update and apply the policy and you should be good to go. If you need assistance with changing that value, let me know.

As mentioned above, you need to set the SSO Configuration on the 'Properties' tab of your Access Profile. Then you need to configure your network access to support SSO through a layered virtual server. This allows your users full network access to multiple web services without requiring them to enter their credentials multiple times.

Manual Chapter: Introducing Single Sign-On

http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm_config_10_2_0/apm_config_sso.html?sr=18213209

Open the document above and search for 'Using Single Sign-On for web application access over network access tunnel'.

I was confused by the terminology of layered virtual server, but the way I understand it is that under Local Traffic, Virtual Servers you create a 'virtual server' (this is more like a virtual IP??).

I used a Host type and did all ports. I used Standard, TCP, and HTTP.

Under VLAN and Tunnel Traffic: Client_Access_cp (the correct connectivity profile)

SNAT is set to Auto Map, then make sure Address Translation and Port Translation are not enabled.

Then under the Virtual Address List, for the IP of the above 'virtual server', uncheck ARP:

When cleared (disabled), specifies that the system does not accept ARP requests.

So, how does it work? Download the F5 Edge Client. The guy who set us up initially used the iPhone Configuration Utility to create us a vpn.mobileconfig file. This is an easy way to email the certificate to the user and have them be able to add it.

Now we need to create our own config, so open up the Edge Client, press Add Configuration, give it a name, type in the server address, switch Use Certificates ON, then choose the certificate that came in the email. Type your username and password, select Connect On Demand, then add your domain to the domain list, and connect as needed.

Try a quick test connect; it should say Contacting, Authenticating, Negotiating, and then Connected. You will notice the little VPN symbol at the top of your screen (it wanders from the left to the right, who knows why?).

So then, if you open up Safari and surf to your Qlikview server using the domain that was indicated in the connect as needed list, it should fire off the VPN, go to the Qlikview server, and pass your credentials…. Magic!

Qlikview, F5, VPN on Demand, iPhone, iPad and tigers.. oh my

So one of our recent initiatives has been mobile BI.

Now that we actually got it working I wanted to document it a little, since there are some tricky things about it.

At a high level this is what happens.

Install the F5 Edge Client, configure VPN on demand with a certificate, NT username and password. Set up the domain list for connect if needed to, let's say, mydomain.local.

So open up Safari, type in myqlikview.mydomain.local

This will bring you to the Qlikview portal; choose your Qlikview, and after it opens up press the button to add it to your home screen.

So, I will break out the config for the F5 into this post:

http://t.co/0HpFZejp

And then some Qlikview designs and notes here: