Client authentication – HP Traffic Director sa7220 User Manual


CHAPTER 2

SSL Fundamentals (SA8200/SA8220 only)

Fulfillment of each virtual service is load balanced across a number
of real servers depending on the load balancing algorithm chosen.
Servers capable of fulfilling requests for a service are identified and
managed with the following commands:

config policygroup <name> service <name> server delete <name> port <port>

config policygroup <name> service <name> server create <name> port <port>

Client Authentication

By default, the SA8200/SA8220 does not authenticate client
identities; however, you can configure services to request client
certificates for the purpose of verifying identities. When you enable
this feature, the SA8200/SA8220 verifies that client certificates are
signed by a known CA.

Issued client certificates are expected to be in use for their entire
validity period. The CA periodically issues a signed data structure,
called a Certificate Revocation List (CRL), containing the serial
numbers of all expired certificates. You can configure the
SA8200/SA8220 to obtain and use a CRL over the LDAP, HTTP or FTP
protocol. The SA8200/SA8220 first verifies a client certificate
against the installed CA certificate, and then looks up its serial
number in the installed CRL. If the serial number exists in the CRL,
the client connection is terminated. Before the connection is
closed, the SA8200/SA8220 returns a message to the client indicating
that the client's certificate was revoked.
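The two-step check described above (CA signature first, then a serial-number lookup in the installed CRL), as an added Python example using the `cryptography` library; this is not the appliance's own code, and the CA, client certificates and CRL are constructed in-process so it runs offline. The helper names (`make_ca`, `issue_client`, `make_crl`, `check_client`) are assumptions for this example.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)   # constructed test PKI, valid for one day

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _cert(subject, issuer, pubkey, serial):
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pubkey).serial_number(serial)
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=1)))

def make_ca(cn="Constructed Test CA"):
    # Self-signed CA standing in for the CA certificate installed on the appliance.
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (_cert(_name(cn), _name(cn), key.public_key(), 1)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_client(ca_key, ca_cert, cn, serial):
    # Client certificate issued by the CA; its serial number is what a CRL lists.
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return _cert(_name(cn), ca_cert.subject, key.public_key(), serial).sign(ca_key, hashes.SHA256())

def make_crl(ca_key, ca_cert, revoked_serials):
    # CRL signed by the CA, listing the given serial numbers as revoked.
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + datetime.timedelta(days=1)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())

def check_client(client_cert, ca_cert, crl):
    # Step 1: the client certificate must be signed by the installed CA certificate.
    try:
        ca_cert.public_key().verify(client_cert.signature, client_cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), client_cert.signature_hash_algorithm)
    except InvalidSignature:
        return False, "certificate not signed by the installed CA"
    if not crl.is_signature_valid(ca_cert.public_key()):  # only trust a CRL the CA itself signed
        return False, "installed CRL is not signed by the CA"
    # Step 2: look the serial number up in the CRL; a hit means the connection is closed.
    if crl.get_revoked_certificate_by_serial_number(client_cert.serial_number) is not None:
        return False, "client certificate was revoked"  # message returned before closing
    return True, "ok"
```

Fetching the CRL over LDAP, HTTP or FTP and refreshing it before `next_update` is left to the caller; a stale CRL silently keeps accepting certificates revoked since it was issued.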
