Forum Discussion

Miguel_111028's avatar
Icon for Nimbostratus rankNimbostratus
Oct 23, 2008

Inserting SSL client certificate into the header of the HTTP session

Hello group,



I do not have much experience in creating iRules and I need to set an iRule to an https virtual server type with client certificate authentication. The iRule should do the following:



1 .- Insert the entire client certificate (in PEM format) as a Multiline HTTP header named X-Client-Cert into the incoming HTTP request and send this header to the backend server.



2 .- Insert the original ip address of the client into a HTTP header named X-Forwarder-For and send this header to the backend server. I need this because I must use auto map SNAT Pool feature in the implied virtual servers.



It is possible to do all this in only one iRule?




Thanks you.



Miguel Angel.


16 Replies

  • Jeff,



    You would also need to configure/modify the app to read the custom HTTP headers which LTM inserts.



  • Hello



    I'm new to iRules and HTTPS and this link has been very helpful so far.



    I too want to add the certificate's data to the HTTP header and send it to the backend server. But can anyone please tell me - when using "HTTP::header insert" calls, what will be the actual output header I would expect?



    For example, for the following inserts:


    HTTP::header insert SSLClientCertStatus $ssl_errstr2


    HTTP::header insert SSLClientCertSN [X509::serial_number $ssl_cert2]


    HTTP::header insert SSLClientCertb64 [b64encode $ssl_cert2]



    what is the HTTP header going to look like?



    And also - what other SSL attributes can I insert to the HTTP header? (and what are they going to look like in the actual HTTP header?).






  • zafer's avatar
    Icon for Nimbostratus rankNimbostratus
    Hi All


    i want authenticate Clients with their certificate and SSL offload on bigip


    i created two profile on bigip ; Client and Server SSL


    Client SSL profile; i setted certificate, keys, Chain, Trusted Certificate Auth And Client Authentication Section enabled require or request


    Server SSL profile; i setted certificate, keys, Chain, Trusted Certificate Auth And Server Authentication (ingore and require)



    but it does not work



    i found the irule for inserting client cert into the header but still i have problem


    do i need configure on IIS site?


    could you please help me about this issue





  • Hi zafer,



    Can you create a new post which details what your current VIP, client SSL and pool configurations are, what the client sees when trying to connect to the virtual server and ideally analysis of tcpdumps of a failure? If you need help capturing or analyzing the tcpdumps, you can check these solutions:



    SOL411: Overview of packet tracing with the tcpdump utility




    SOL1893: Packet trace analysis




    To list the VIP, client SSL profile and pool config, you can use 'b virtual VIP_NAME list', ' b profile clientssl CLIENTSSL_PROFILE_NAME list all' and 'b pool POOL_NAME list'.



    Can you also clarify whether the IIS server requires a client certificate?



  • Greetings everyone,



    Im trying to implement SSL with client certificate authetication. I have already generated key and secured a test certificate from verisign. Installed the test root certificate from verisign on my test browser, Installed and bundled test certificate, intermediate certificate and root certificate from verisign to bigip. Configured the nodes, pool to port 80 and virtual server to port 443, client profile and iRule set NAT and port translate enabled. Also part of the virtual server configuration is enabling the SSL Client profile set to use the chain and trusted CA, client authentication set to required always.



    When a browsing check from my client passing through bigip, at first without intermediate and server certificate, the browser would ask me to download and trust the Certificate presented by bigip, which I comply and so I am able to view the page. The problem is it seems that the client after the first session still doesn't have the matching certificate after installing the certifiacte from bigip. Checking the clients certificate store the chain is already there. So to further check the session, I used this iRule:





    log local0. "Trigger 1"


    set cur [SSL::sessionid]


    log local0. $cur


    set ask [session lookup ssl $cur]


    set ssl_cert [SSL::cert 0]


    set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]


    if { $ssl_cert eq "" } {


    set ssl_stuff [list "No Certificate" $ssl_errstr]


    } else {


    set ssl_stuff [list $ssl_cert $ssl_errstr]




    Log value of ssl_stuff


    log local0. $ssl_stuff


    session add ssl [SSL::sessionid] $ssl_stuff


    Create a log for debug


    log local0. "session add ssl [SSL::sessionid] $ssl_stuff"





    when HTTP_REQUEST {


    Add information to header request


    log local0. "Trigger 2"


    set ssl_stuff2 [session lookup ssl [SSL::sessionid]]


    set ssl_cert2 [lindex $ssl_stuff2 0]


    set ssl_errstr2 [lindex $ssl_stuff2 1]


    log local0. $ssl_errstr2


    if { $ssl_errstr2 eq "ok"} {


    HTTP::header insert $ssl_stuff2


    log local0. "[HTTP::header names]"







    The logs are:



    Oct 28 14:35:57 tmm tmm[1914]: Rule _header_insert : Trigger 1


    Oct 28 14:35:57 tmm tmm[1914]: Rule _header_insert : 0000000000000000000000000000000000000000000000000000000000000000


    Oct 28 14:35:57 tmm tmm[1914]: Rule _header_insert : {No Certificate} ok


    Oct 28 14:35:57 tmm tmm[1914]: Rule _header_insert : session add ssl 0000000000000000000000000000000000000000000000000000000000000000 {No Certificate} ok


    Oct 28 14:35:58 tmm tmm[1914]: Rule _header_insert : Trigger 2


    Oct 28 14:35:58 tmm tmm[1914]: Rule _header_insert : ok


    Oct 28 14:35:58 tmm tmm[1914]: Rule _header_insert : Accept Accept-Language Accept-Encoding User-Agent Host Connection Cache-Control No Certificate



    I wan't to use CLIENTSSL_CLIENTCERT event but it seems this event is not triggered at all when I'm using SSL profile client authentication Request. Later I we would like to create another SSL profile this time client authentication required. I'm using BIG-IP 9.4.8 Build 355.0 Final. We're planning to purchase another set of bigip machines this time 8900 for SSL accelerators but we're still undecided because of this problems.



    Hope somebody could help.