Forum Discussion

Andrew_Chan_472's avatar
Andrew_Chan_472
Icon for Nimbostratus rankNimbostratus
Jun 14, 2012

APM support for web services

I have setup APM to perform certificate authentication and use LDAP query to check the user assigned with the certificate is a valid user. The client certificate authentication comes with LTM does not support client certificates coming from multiple CA's. That's reason why we went with APM which is more flexible in this regard. Everything is working fine with a browser and using SOAPUI 4.5 test tool.

 

 

We ran into a problem with a customer who is using Microsoft Visual Studio method to consume our web service and it is not a browser client and it does not support Javascript. Even I am not using any of the client checking, however the first thing APM check is the connecting client is supported or not and refused to connect the client returning a HTML page stating client is not supported. Most web service is not expecting to be able to understand Javascript and be able to handle redirect. I tested with wget and get the same HTML page.

 

 

I checked with support and they told me it can be done with iRules. However it is out of scope of technical support and unable to help. Is there anyway I can bypass the client checking and resume the APM certificate checking bypassing the logon page?

 

application delivery
dev
devops
iRules

1 Reply

Sort By
  • MiLK_MaN's avatar
    MiLK_MaN
    Icon for Nimbostratus rankNimbostratus
    Jun 14, 2012
    APM is obviously intended out of the box to support clients that support javascript, cookies etc.

     

     

    There are definitely ways to do what you want, but it's going to be more than just bypassing the client check... you are also going to have to manually perform the cookie insertion that the APM automatically does to identify a user flow. We do this now for some of the in built iRules used for Microsoft Exchange clients like ActiveSync & Outlook Anywhere.

     

     

    The basic principal in achieving this is to insert a HTTP header as such:

     

     

    HTTP::header insert "clientless-mode" 1

     

     

    This will force APM to bypass the logon page, and should continue with the SSL certificate check. You'll then need to form your own MRHSession cookie which is what the APM uses to track a valid user session.

     

     

    Take a look at the system iRule _sys_APM_ExchangeSupport_main, which has been designed to perform this task. This uses a md5 hash of some TCL variables to form the MRHSession cookie which should be sufficient to uniquely identify the user session.