F5 DevCentral
Dec 05, 2019, Cirrus
Solved
Client Cert validation
Trying to understand the logistics here in the KB article: https://clouddocs.f5.com/api/irules/ClientCertificateCNChecking.html

```tcl
# Excerpt from the KB article; $static::org (set in RULE_INIT) and the
# string data group my_cn_list are defined outside this excerpt.
when CLIENTSSL_CLIENTCERT {
    # Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
    set subject_dn [X509::subject [SSL::cert 0]]
    log "Client Certificate Received: $subject_dn"
    # Check if the client certificate contains the correct O and a CN from the list
    if { ([matchclass $subject_dn contains my_cn_list]) and ($subject_dn contains $static::org) } {
        # Accept the client cert
        log "Client Certificate Accepted: $subject_dn"
    } else {
        log "No Matching Client Certificate Was Found Using: $subject_dn"
        reject
    }
}
```
With this code, does the F5 just automatically accept the client cert and pass the user on to the HTTP_REQUEST portion of the iRule if it matches the data group list here, or does some action need to happen within the client cert section of the if statement to pass on the data?
```tcl
when CLIENTSSL_CLIENTCERT {
    set s_dn [X509::subject [SSL::cert 0]]
    set s_serial [X509::serial_number [SSL::cert 0]]
    log local0. "Client Certificate Received: $s_dn"
    if { $s_dn != "" } {
        # "contains" is a substring match against the data group entries;
        # use "equals" if the serial must match an entry exactly
        if { [matchclass $s_serial contains DatagroupS] } {
            # Accept the client cert: no explicit action is needed, the
            # handshake continues unless reject is called
            log local0. "Client Certificate Accepted: $s_serial"
        } else {
            reject
            log local0. "Failed Cert Auth - serial not in DatagroupS"
        }
    } else {
        reject
    }
}
```
Try this, it should work 🙂
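A fuller version of the same idea, added here as an example rather than code from the KB article or from either poster: it shows that nothing in CLIENTSSL_CLIENTCERT "accepts" the certificate, the connection simply proceeds to HTTP_REQUEST unless reject is called, and it matches the CN attribute exactly instead of substring-matching the whole DN. The data group name allowed_cn_dg, the header name X-Client-CN and the static::org value are assumptions; chain and signature validation is still done by the client SSL profile, this iRule only adds the DN check.

```tcl
when RULE_INIT {
    # Exact O= attribute the certificate must carry (assumed value)
    set static::org "O=Your Organisation"
}

when CLIENTSSL_CLIENTCERT {
    # A client that presents no certificate must not reach X509::subject
    if { [SSL::cert count] == 0 } {
        log local0. "No client certificate presented, rejecting"
        reject
        return
    }
    set subject_dn [X509::subject [SSL::cert 0]]
    # Extract only the CN attribute from /C=../O=../CN=<name>; matching the
    # whole DN with "contains" would let CN=Johnny satisfy an entry CN=John
    set cn [findstr $subject_dn "CN=" 3 "/"]
    # Attribute-bounded check so O=Your Organisation2 does not pass
    set org_ok [expr { [string first "/$static::org/" "$subject_dn/"] >= 0 }]
    if { $org_ok && [class match $cn equals allowed_cn_dg] } {
        # Connection-scoped variables survive into later events on this TCP
        # connection; no "accept" command exists or is needed
        set cert_ok 1
        set cert_cn $cn
        log local0. "Client certificate accepted: $subject_dn"
    } else {
        log local0. "Client certificate rejected: $subject_dn"
        reject
    }
}

when HTTP_REQUEST {
    # Only handshakes that were not rejected above get here; pass the
    # validated CN to the server rather than the raw DN (assumed header name)
    if { [info exists cert_ok] } {
        HTTP::header insert X-Client-CN $cert_cn
    }
}
```

With the client SSL profile set to request or require a client certificate, the rejected handshake never produces an HTTP_REQUEST event, so the header is only ever added for a certificate that passed both the profile's chain validation and this CN check.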