Symptoms
After the client certificate has been provided, the browser waits several minutes for a response and then displays the error 'Page cannot be displayed'. At the same time, the following informational message is logged in /var/log/apm:
info tmm[12245]: 01870000:6: /Common/app1.example.com:Common:dd1d4e4f: Executed agent (/Common/app1.example.com_On-Demand-CRLDP_ondemand_cert_auth_act_ondemand_cert_auth_ag) with return status (Need more data)
Impact
On-Demand Certificate Authentication fails, even if a trusted client certificate is provided.
Conditions
The BIG-IP system is configured as an Identity Aware Application Proxy in front of multiple applications, some of which require On-Demand Client Certificate Authentication, with a different Client SSL profile used for each application.
The following is a sample scenario:
-- There are three web applications (app1.example.com, app2.example.com, app3.example.com) behind the BIG-IP system, which is configured as an Identity Aware Application Proxy (that is, using a Per-Request Access policy).
-- app1.example.com and app2.example.com are configured to require On-Demand Client Certificate Authentication as the primary authentication method.
-- Each application has its own Client SSL profile with its own Client Authentication options.
-- The Client SSL profile for app1.example.com has the 'Default for SNI' option enabled.
In this case, all authentication requests to app2.example.com fail, even if a trusted certificate is provided.
Workaround
Use a single Client SSL profile with a single certificate whose Subject Alternative Name extension lists the fully qualified domain names of all applications protected by the Identity Aware Application Proxy. Because the profile is shared, its Client Authentication options (such as the Trusted Certificate Authorities setting) then apply to every application served through it, so they must be acceptable for all of those applications.
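Before relying on the workaround, it is worth confirming that the consolidated certificate really names every protected application; a single name missing from the Subject Alternative Name extension reintroduces a failure for that host. The following is an added example, not code from this article or from F5, that checks a certificate's SAN entries against the list of application FQDNs. The certificate dicts are constructed samples in the shape that Python's ssl.SSLSocket.getpeercert() returns; the peer_cert() helper (an assumption of this example, not an F5 tool) shows how to pull the live certificate from the virtual server, sending each FQDN as the SNI name so that the certificate examined is the one the BIG-IP selects for that name.

```python
"""Verify that one certificate's Subject Alternative Name covers every
application FQDN that a single Client SSL profile must serve.

Added example; the certificate dicts below are constructed samples in the
format returned by ssl.SSLSocket.getpeercert(), not real certificates.
"""
import socket
import ssl
from typing import Iterable


def san_dns_names(cert: dict) -> list[str]:
    """Return the dNSName entries of a getpeercert()-style certificate dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored, and a
    single '*' may stand only for the whole left-most label (it never spans a
    dot and is not accepted for very short names such as '*.com')."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def uncovered_fqdns(cert: dict, fqdns: Iterable[str]) -> list[str]:
    """Return the application names that no SAN entry of the certificate matches.
    An empty list means the certificate is usable for the single-profile workaround."""
    names = san_dns_names(cert)
    return [fqdn for fqdn in fqdns if not any(hostname_matches(n, fqdn) for n in names)]


def peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the certificate the virtual server presents when `host` is sent as
    the SNI name (hypothetical helper; requires network access, not used offline)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples. The first mirrors a certificate issued for only two of
# the three applications; the second is the workaround certificate.
PROTECTED_APPS = ["app1.example.com", "app2.example.com", "app3.example.com"]

CERT_TWO_APPS = {
    "subject": ((("commonName", "app1.example.com"),),),
    "subjectAltName": (("DNS", "app1.example.com"), ("DNS", "app2.example.com")),
}

CERT_ALL_APPS = {
    "subject": ((("commonName", "app1.example.com"),),),
    "subjectAltName": (
        ("DNS", "app1.example.com"),
        ("DNS", "app2.example.com"),
        ("DNS", "app3.example.com"),
    ),
}

if __name__ == "__main__":
    for label, cert in (("two-app cert", CERT_TWO_APPS), ("all-app cert", CERT_ALL_APPS)):
        missing = uncovered_fqdns(cert, PROTECTED_APPS)
        print(f"{label}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

Against the two-application sample the check reports app3.example.com as uncovered; against the workaround certificate it reports nothing. To run it against a deployed BIG-IP, replace the sample dict with `peer_cert(fqdn)` for each name in PROTECTED_APPS, which also verifies that every SNI name is answered by the same consolidated profile.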