How to configure the LoadMaster to send a client certificate to the server
Information
Summary: How to configure the LoadMaster to present a client certificate to the server.
Environment: Product: LoadMaster. Version: Any. Platform: Any. Application: HTTPS-based applications.
Question/Problem Description: How to configure the LoadMaster to send a client certificate to the server if this is required for an HTTPS application.
Resolution:
NOTE: The LoadMaster can only be configured to send a single client certificate to servers in a Virtual Service. If the server requires the LoadMaster to handle multiple client certificates, configure the Virtual Service as an HTTPS passthrough instead, which means disabling SSL Acceleration altogether.

By default, the LoadMaster does not present any client certificate to a back-end server when establishing the connection (LoadMaster to server). However, if the server requires the LoadMaster to present a client certificate, this behavior can be changed by using Reencryption Usage (LoadMaster WUI > Certificates & Security > SSL Certificates).

To configure a certificate to be sent to a server as a client certificate in a specific VS, do the following:
1. Locate the SSL certificate in the SSL certificates tab.
2. Click on Reencryption Usage.
3. Select the Virtual Service (which needs to be configured to Reencrypt the traffic) and use the > button to move the IP address to the Assigned VSs box.
4. Save changes.

Once these changes are made, navigate to the VIP > SSL properties and the client certificate will be populated next to Reencryption Client Certificate.
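One way to confirm from the server side what the LoadMaster presents on the re-encrypted connection, as an added example that is not part of the original article or the vendor's tooling: a throwaway Python listener that demands a client certificate the way the real server would and logs either the certificate it received or why the handshake failed. The file arguments, port 8443 and all function names are assumptions made for this sketch.

```python
"""Test listener for a spare Real Server (added example, not vendor code).
Usage (assumed paths): python3 listener.py server.crt server.key client-ca.pem"""
import socket
import ssl
import sys


def name_of(rdns, field="commonName"):
    # getpeercert() gives names as a tuple of RDNs, each a tuple of (key, value)
    return next((v for rdn in rdns for k, v in rdn if k == field), None)


def summarize_peer(cert):
    """Turn an ssl getpeercert() dict into one log line."""
    return "subject={} issuer={} serial={} notAfter={}".format(
        name_of(cert.get("subject", ())), name_of(cert.get("issuer", ())),
        cert.get("serialNumber"), cert.get("notAfter"))


def explain_failure(exc):
    """Map a server-side handshake error to the likely configuration gap."""
    text = "{} {}".format(getattr(exc, "reason", ""), exc)
    if "PEER_DID_NOT_RETURN_A_CERTIFICATE" in text:
        return "no client certificate presented"
    if "CERTIFICATE_VERIFY_FAILED" in text:
        return "client certificate not trusted by this CA bundle"
    return "other TLS failure: {}".format(exc)


def serve(cert, key, client_ca, port=8443):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    ctx.load_verify_locations(client_ca)   # CA that issued the client certificate
    ctx.verify_mode = ssl.CERT_REQUIRED    # same demand the real server makes
    with socket.create_server(("", port)) as listener:
        while True:
            conn, addr = listener.accept()
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    print(addr[0], summarize_peer(tls.getpeercert()))
            except (ssl.SSLError, OSError) as exc:
                print(addr[0], explain_failure(exc))
                conn.close()


if __name__ == "__main__":
    serve(*sys.argv[1:4])
```

A "no client certificate presented" line for the LoadMaster's address means no certificate is assigned to that Virtual Service under Reencryption Usage; health-check connections from the LoadMaster are logged the same way.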
Jason Phillips
I've updated the config to reflect the following image below. For the field Strict Transport Security Header, I originally had "Add - with include subdomain" and updated to what you have provided, as reflected in the image.

The vss shows as up and healthy so I would expect to be able to connect at this point, but am still unable to do so. We will continue to t-shoot.
I've uploaded the latest config for the ticket.