The F5 BIG-IP appliance APM Access Policies that grant access to web application resources must allow only client certificates that have the User Persona Name (UPN) value in the User Persona Client Certificates.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-260054	F5BI-AP-000235	SV-260054r947386_rule		Low

Description
To enhance the security, it is advisable to append additional checks and APM Deny/Fallback branches to APM Access Profiles in scenarios where a UPN cannot be extracted. To guarantee the exclusive use of User Persona DISA Certificates for accessing Web Applications, it is recommended to carry out additional APM Access Policy checks against the Client Certificate. DISA incorporates a User Principal Name (UPN) in their User Persona Client Certificates. However, this key/value pair is not present in the DISA server certificates. Based on DOD session authentication policy, the LTM+APM configuration will include Client Certificate Authentication, OCSP Revocation Check, a Variable Assignment to extract the UserPrincipalName, followed by an LDAP query. This query verifies the existence of a corresponding Active Directory User object for the provided UserPrincipalName. Subsequently, the identified sAMAccountName is set as an APM Session variable for use by the SSO Profile. Once an APM LTM+APM session is granted, the User-Agent is permitted to transmit data to the Server-Side of the proxy, which will invoke the SSO Profile if applicable. To ensure that only DISA Client Certificates from CACs can access the Web Application, an additional branch was added to the Variable Assignment. The scripts were adjusted to verify the existence of the UserPrincipalName. If it does not exist, the value of the UserPrincipalName APM session variable is set to "UPN Collection Error", which would be directed to an APM Policy Deny. NPE Certificates issued by DISA incorporate both the TLS WWW Client Authentication (OID.1.3.6.1.5.5.7.3.2) and TLS WWW Server Authentication (OID.1.3.6.1.5.5.7.3.1) key usage policies.

Description

To enhance the security, it is advisable to append additional checks and APM Deny/Fallback branches to APM Access Profiles in scenarios where a UPN cannot be extracted. To guarantee the exclusive use of User Persona DISA Certificates for accessing Web Applications, it is recommended to carry out additional APM Access Policy checks against the Client Certificate. DISA incorporates a User Principal Name (UPN) in their User Persona Client Certificates. However, this key/value pair is not present in the DISA server certificates. Based on DOD session authentication policy, the LTM+APM configuration will include Client Certificate Authentication, OCSP Revocation Check, a Variable Assignment to extract the UserPrincipalName, followed by an LDAP query. This query verifies the existence of a corresponding Active Directory User object for the provided UserPrincipalName. Subsequently, the identified sAMAccountName is set as an APM Session variable for use by the SSO Profile. Once an APM LTM+APM session is granted, the User-Agent is permitted to transmit data to the Server-Side of the proxy, which will invoke the SSO Profile if applicable. To ensure that only DISA Client Certificates from CACs can access the Web Application, an additional branch was added to the Variable Assignment. The scripts were adjusted to verify the existence of the UserPrincipalName. If it does not exist, the value of the UserPrincipalName APM session variable is set to "UPN Collection Error", which would be directed to an APM Policy Deny. NPE Certificates issued by DISA incorporate both the TLS WWW Client Authentication (OID.1.3.6.1.5.5.7.3.2) and TLS WWW Server Authentication (OID.1.3.6.1.5.5.7.3.1) key usage policies.

STIG	Date
F5 BIG-IP Access Policy Manager Security Technical Implementation Guide	2024-01-26

Details

Check Text ( C-63785r947383_chk )
If the BIG-IP appliance does not provide user authentication intermediary services, this is not applicable. If the site has documented that this setting has been tested operationally and is operationally harmful because of false positives, this is not a finding. 1. Review the applicable Access Control Profiles that give access to web application resources. 2. Verify that a Branch Rule exists to check for the UPN on the session certificate. 3. Verify there is a check for failed extractions that results in an APM Policy Deny. If any BIG-IP appliance APM Access Policies do not deny sessions using client certificates that do not have the DISA UPN, this is a finding.

Check Text ( C-63785r947383_chk )

If the BIG-IP appliance does not provide user authentication intermediary services, this is not applicable.

If the site has documented that this setting has been tested operationally and is operationally harmful because of false positives, this is not a finding.

1. Review the applicable Access Control Profiles that give access to web application resources.
2. Verify that a Branch Rule exists to check for the UPN on the session certificate.
3. Verify there is a check for failed extractions that results in an APM Policy Deny.

If any BIG-IP appliance APM Access Policies do not deny sessions using client certificates that do not have the DISA UPN, this is a finding.

Fix Text (F-63691r947384_fix)
Note: If NPE certificates are not in use, implementation is REQUIRED. Note: If NPE certificates are in use, implementation is OPTIONAL. Sites should test this configuration to prevent operational impacts since this process may potentially flag server and NPE certificates, resulting in denied sessions. Configure each APM Access Policy to verify use of user persona DISA client certificates for accessing web applications. From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click "Edit" on each profile listed to enter the VPE. 5. Click on the object where the Certificate UPN is extracted and assigned to a variable. 6. Append a known variable to the end of the variable assignment expression that will trigger if the UPN cannot be extracted from the client certificate, such as: else { return "UPN Collection Error" } 7. Click "Finished". 8. In the same Variable Assign object, click the "Branch Rules" tab. 9. On the branch that continues the policy evaluation (Does not lead to Deny ending) click the "change" link next to "Expression". 10. "Advanced" tab. 11. Enter an expression that verifies the UPN was extracted successfully, such as: expr {[mcget {session.logon.last.upn}] !="UPN Collection Error"} Note - the above assumes the UPN variable name is "session.logon.last.upn". Adjust this if another variable name is used to store the client UPN. 12. Click "Finished". 13. Click "Save". 14. Click "Apply Access Policy".

Fix Text (F-63691r947384_fix)

Note: If NPE certificates are not in use, implementation is REQUIRED.

Note: If NPE certificates are in use, implementation is OPTIONAL. Sites should test this configuration to prevent operational impacts since this process may potentially flag server and NPE certificates, resulting in denied sessions.

Configure each APM Access Policy to verify use of user persona DISA client certificates for accessing web applications.

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click "Edit" on each profile listed to enter the VPE.
5. Click on the object where the Certificate UPN is extracted and assigned to a variable.
6. Append a known variable to the end of the variable assignment expression that will trigger if the UPN cannot be extracted from the client certificate, such as:

else {
return "UPN Collection Error"
}

7. Click "Finished".
8. In the same Variable Assign object, click the "Branch Rules" tab.
9. On the branch that continues the policy evaluation (Does not lead to Deny ending) click the "change" link next to "Expression".
10. "Advanced" tab.
11. Enter an expression that verifies the UPN was extracted successfully, such as:

expr {[mcget {session.logon.last.upn}] !="UPN Collection Error"}
Note - the above assumes the UPN variable name is "session.logon.last.upn". Adjust this if another variable name is used to store the client UPN.

12. Click "Finished".
13. Click "Save".
14. Click "Apply Access Policy".