Mutual TLS (mTLS) configuration on a Virtual Service

 

Information

 

Summary:

This article will outline how to configure Mutual TLS (mTLS) on a LoadMaster Virtual Service.

Environment:

Product: LoadMaster

Version: Any

Platform: Any

Application: HTTPS Applications

Question/Problem Description:

How to configure Mutual TLS (mTLS) on a LoadMaster Virtual Service.

Cause: Mutual TLS, or mTLS for short, is a method for mutual authentication. mTLS ensures that the parties at each end of a network connection are who they claim to be by verifying that they both have the correct private key. The information within their respective TLS certificates provides additional verification.
Resolution:

Scenario 1: SSL Acceleration is enabled on the Virtual Service

When using SSL Acceleration on a Virtual Service, the LoadMaster can check whether the client presents a client certificate in the TLS handshake. Enable this on the Virtual Service under SSL Properties > Client Certificates > Client Certificates required.

If a valid Client Certificate is presented by the client, then the TLS handshake completes with a successful connection established between the client and the virtual service. In this scenario, Client Certificate checks or mTLS checks are not supported on the real server.

 

Scenario 2: The Virtual Service is an SSL Passthrough service

In this scenario, there is no SSL Acceleration enabled on the Virtual Service. It is configured as a Passthrough SSL Virtual Service. Client Certificate or mTLS checks must be enabled on the real server side, as the TLS handshake is conducted between the client and server in this configuration.
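For Scenario 2, the client certificate check has to be configured on the real server itself. The following is an added example, not part of the original Kemp article: it assumes the real server is nginx, and the server name, file paths and backend address are placeholders.

```nginx
# Added example: real server behind a LoadMaster SSL Passthrough Virtual Service.
# The TLS handshake runs between the client and this server, so this is the
# only place the client certificate can be checked.
server {
    listen 443 ssl;
    server_name app.example.internal;            # placeholder name

    # Server identity presented to the client (placeholder paths).
    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    # CA bundle that issues client certificates. Only certificates that
    # chain to a CA in this file are accepted.
    ssl_client_certificate /etc/nginx/tls/client-ca.pem;
    ssl_verify_depth 2;                          # allows one intermediate CA

    # Weak setting: "optional" requests a certificate but still serves clients
    # that send none. The result is only recorded in $ssl_client_verify, so
    # the application would have to enforce it.
    # ssl_verify_client optional;

    # Enforced setting: requests without a valid client certificate are rejected.
    ssl_verify_client on;

    location / {
        # Pass the verified identity to the application (placeholder backend).
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Because the Virtual Service does not decrypt traffic in this mode, certificate failures appear in the real server's logs rather than on the LoadMaster.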

Notes:

SSL Acceleration:

https://support.kemptechnologies.com/hc/en-us/articles/10109869351693-SSL-Accelerated-Services
