Merge pull request #11 from f5devcentral/matt-update

lab3 updated

docs/class1/module3/lab1.rst

@@ -1,65 +1,18 @@
-Lab 3.1 - Creating a Certificate
-################################
+Lab 3.1 - Check CA Certificate
+##############################
 
-Create a certificate in Next Central Manager
-********************************************
+In your lab environment, a Certificate Authority is already up and running. The CA certificate has been added into BIG-IP Next CM.
 
-1. Access **BIG-IP Next Central Manager** if you're not already logged in.
+* In Applications menu, and Certificates & Keys sub-menu, check the certificate list
+* You can see the CA certificate called CA-DEMO
 
-.. image:: images/lab3-cmlogin.png
-    :width: 600 px
+.. image:: images/lab3-list-cert.png
+    :width: 1200 px
 
-2. Click on the Workspace button and select **Application**. 
-
-.. image:: images/lab3-app1.png
-    :width: 600 px
-
-3. Click on **Certificate & Keys**
-
-.. image:: images/lab3-certkeysbtn.png
-    :width: 600 px
-
-4. Click on **Add** button to add a certifcate. 
-
-.. image:: images/lab3-certadd.png
-    :width: 600 px
-
-5. In the **Add Certificate & Keys** fly out menu 
-
-- Select the **Import a Certificate**. 
-- Under **Name**, select **New**, and type: **ADDC_CA**
-- In the **Tag** drop down box, select **Access**
-- In the **Type** drop down box, select **Certificate**
-- In the **Source** section, select **Import**
-- In the **Certificate Section**, click on the **Import** button, and import the **f5access-ADDC-CA.crt** certificate
+* Click on ``CA-DEMO``
 
-.. note:: The certificates are in the Access Lab folder in Documents as well as pinned to the Windows Explorer Quick Access
-
-The result should look like the image below.
-
-.. image:: images/lab3-cacert.png
-    :width: 600 px
-
-1. Click **Save**
-
-You have successfully uploaded a certificate. 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+  * You can notice the object is a ``Certificate Bundle``, and not a certificate
+  * You can see details of the CA
 
+.. note:: This CA will be used to validate the client certificate presented by the browser. This CE has been imported and trusted into the client browser.
 

docs/class1/module3/lab2.rst

@@ -19,14 +19,14 @@ Creating an security policy with client cert authentication
 .. image:: images/lab3-accessbtn.png
     :width: 600 px
 
-4. Click **Start Creating** button to create a new Access policy 
+4. Click **Start Creating** button to create a new Access policy, or click on **Create** if you have already several policy created.
 
 .. image:: images/lab3-createapbtn.png
     :width: 600 px
 
-5. This will open Access Visual Policy Design screen. Click on the pencil next to create new policy.
+5. This will open Access Visual Policy Design screen. Choose a **Per-Session Policy** and **Start from Scratch**, click Next
 
-.. image:: images/lab3-createpolicypencil.png
+.. image:: images/lab3-persession.png
     :width: 600 px
 
 6. In the **Create Policy** screen, this is where you set the different properties of the policy, such as, logging, language, Single Sign On, etc… Let’s start configuring the policy Start Selecting policy name and adjust policy parameters.
@@ -64,7 +64,9 @@ In the **General Properties** screen set the following parameters, for the rest
 .. image:: images/lab3-resources.png
     :width: 600 px
 
-12. **Policy Endings** you can define additional policy ending logic as needed for your use case here. For this lab we will accept the default. Click **Finish**.
+12. **Connectivity** you can set the SSL VPN (Network Access) connectivity settings. Keep as default and click **Continue**
+
+13. **Policy Endings** you can define additional policy ending logic as needed for your use case here. For this lab we will accept the default. Click **Finish**.
 
 .. image:: images/lab3-policyendings.png
     :width: 600 px
@@ -74,7 +76,7 @@ After clicking on **Finish** it should bring you back to the Create Policy scree
 .. image:: images/lab3-createpolicy2.png
     :width: 600 px
 
-13. Under **Flows**, drag and drop **Empty** flow to the VPD. You will need click on the little dots to the right of the flow type to grab the flow and drop into the VPD. 
+14. Under **Flows**, drag and drop **Empty** flow to the VPD. You will need click on the little dots to the right of the flow type to grab the flow and drop into the VPD. 
 
 .. image:: images/lab3-emptyflow.png
     :width: 600 px
@@ -88,72 +90,52 @@ The result should look like the following screen shot.
 .. image:: images/lab3-emptyok.png
     :width: 600 px
 
-14. Click inside the Flow type box. This show 3 buttons; **Delete**, **Edit**, and **Collapse** buttons. Click on the **Collapse** button to start adding Rules to the Flow.
+15. Click inside the Flow type box. This show 3 buttons; **Delete**, **Edit**, and **Collapse** buttons. Click on the **Collapse** button to start adding Rules to the Flow and Editing settings.
 
 .. image:: images/lab3-allthebtns.png
     :width: 600 px
 
-15. On the left hand side menu, select the **R** (Rules) button, and scroll down on the **Rules** till you find **On-Demand Certificate Authentication**.
+16. Click on the **pen** to edit the Empty box. Change the name to **client-cert-auth** and add a new ending branch called **Allow**
+
+.. image:: images/lab3-empty-branch.png
+    :width: 600 px
+
+17. On the left hand side menu, select the **R** (Rules) button, and scroll down on the **Rules** till you find **On-Demand Certificate Authentication**.
 
 .. image:: images/lab3-rules1.png
     :width: 600 px
 
-16. Click and drag **On-Demand Certificate Authenticate** to the VPD.
+17. Click and drag **On-Demand Certificate Authenticate** to the VPD.
 
 .. image:: images/lab3-rules2.png
     :width: 600 px
 
-17. Edit the **On-Demand Certificate** rule by clicking on the edit button.
+18. Edit the **On-Demand Certificate** rule by clicking on the edit button.
 
 .. image:: images/lab3-rules3.png
     :width: 600 px
 
-18. In the **Rule Configurations**, **Rule Properties**, change **Authentication Mode** to **Require**. Click **Continue**.
+19. In the **Rule Configurations**, **Rule Properties**, change **Authentication Mode** to **Require**. Click **Continue** and **Finish**
 
 .. image:: images/lab3-rules4.png
     :width: 600 px
 
-19. In the **Rule Configurations**, **Branches** screen we will add another branch for a successful authentication. 
+20. Change the **Deny** ending of the successful branch by the **Allow** ending
 
-Click on **Create** button to add a new Branch 
-
-.. image:: images/lab3-branches.png
+.. image:: images/lab3-change-ending-allow.png
     :width: 600 px
 
-20. In the **Create Branch** screen, adjust the parameters to the following, and click **Save** when done. 
-
-- **Name:** Successful
-- **Context:** Client Certificate
-- **Condition:** Validity
-- **Client Certificate:** Valid
-
-.. image:: images/lab3-branches2.png
-    :width: 600 px
 
-You should now have two branches in Successful and Fallback, see image below. Click **Finish**.
-
-.. image:: images/lab3-branchcomp.png
-    :width: 600 px
-
-21. Click on the **Collapse** button to close the **Rules and Flow** box so you’re back to the main VPD. See image below for reference.
+21.  Click on the **Collapse** button to close the **Rules and Flow** box so you’re back to the main VPD. See image below for reference.
 
 .. image:: images/lab3-branchclose.png
     :width: 600 px
 
-22. Click on **Edit** button on the **Empty Flow** box. This will open up the **Empty Flow** property screen. 
-
-.. image:: images/lab3-term1.png
-    :width: 600 px
-
-23. We want to add another terminal or Flow Ending for an Allow policy if the certificate matches. 
-
-- Click on **Create** to add another Flow Ending
-- In the **Name** box type **Allow** 
-- Select the color **#199D4D** (Green) for the Allow ending
+22. On the **Allow** branch, change the ending to **Allow**.
 
-.. image:: images/lab3-flowending.png
+.. image:: images/lab3-final-allow.png
     :width: 600 px
 
-24. Save the policy and close the VPD by clicking on **Cancel**.
+23.  Save the policy and close the VPD by clicking on **Exit**.
 
 You have completed creating a security policy. Next we will deploy an Application and assigned the access policy. 

docs/class1/module3/lab3.rst

@@ -54,33 +54,28 @@ Creating an application and assign an Access policy to the application
 .. image:: images/lab3-pp.png
     :width: 600 px
 
-10. Next to **Please choose an trust CA certificate**, select the CA certificate we uploaded earlier in the lab.
+10. Click on the **Add** button to create a new client ssl profile, and add the following information
 
-.. image:: images/lab3-cacert2.png
-    :width: 600 px
-
-11. Click on the **Add** button under the **No Client-Side TLS** to add a certificate.
+- **Name:** client-cert-auth
+- **RSA Certificate:** self_demo.f5.com
+- Click **Continue**
 
-.. image:: images/lab3-tls.png
+.. image:: images/lab3-client-cert-config.png
     :width: 600 px
 
-12. In the Add **Client-Side TLS** screen, input the following information
+11.  In Authentication menu, **Enable Authentication** with the following information
 
-- **Name:** cert_auth
-- **RSA Certificate:** self_demo.f5.com
+- **Client certificate authentication mode** : Request
+- **Trusted Certificate Authorities** : xca-demo
 - Click **Save**
 
-.. image:: images/lab3-addtls.png
+.. image:: images/lab3-profile-auth.png
     :width: 600 px
 
-Before continuing, please verify the proper certificates has been applied, see image below for reference.
-
-.. image:: images/lab3-certcheck.png
-    :width: 600 px
 
-13. This will take you back to the **Protocols and Profiles** screen. Keep the rest of the settings as default. Click **Save**. 
+12.   This will take you back to the **Protocols and Profiles** screen. Enable the **HTTP Profile**. Click **Save**. 
 
-.. image:: images/lab3-addtls2.png
+.. image:: images/lab3-http-profile.png
     :width: 600 px
 
 14.  This will take you back to the **Virtual Server** screen. Now we will attach the Access Policy we created previously to this application. Click on the **Edit** button under Security Policies.

docs/class1/module3/lab4.rst

@@ -4,15 +4,9 @@ Lab 3.4 - Test Application
 Test Connectivity to Application
 ********************************
 
-1. Open a new Chrome browser or tab and type: https://10.1.10.112  
-
-.. image:: images/lab3-security.png
-    :width: 600 px
-
-You may get a security warning **Your Connection is Not Private**, this is because we're using a self-signed certificate. It is safe to proceed. 
-
-2. You will get a pop up to Select a certificate pop in the browser, verify it’s the ADDC CA certificate you have uploaded earlier, click **Ok**. 
+1. Open a new Firefox browser or tab and type: https://client-cert.example.com
 
+2. You will get a pop up to Select a user certificate pop in the browser, select the user-cert certificate , click **Ok**. 
 
 3. You should see the F5 Demo App after a successful login. 
 

docs/class1/module3/module3.rst

@@ -7,7 +7,6 @@ In this lab we will explore how to setup certificate based authentication.
 
 **Learning Objectives:**
 
-- Import CA Certificate to Central Manager
 - Create Policy via Visual Policy Designer (VPD).  
 - Assign Flows and rules to the policy.  
 - Create Application and associate it with policy