Forum Discussion

Amit_4274
Mar 13, 2014

iRule not matching

Error message when the iRule is loaded:

    Mar 6 14:49:35 slot1/AC2004-TILTM1-EPS err tmm4[12487]: Rule /Common/SSLMA-v1.2-allowall : Virtual server /olb2-ifapp/c2-ziolb2-ser-t1-uat-v6-443-vsrv: Data Group /olb2-ifapp/c2-ziolb2-ser-t1-uat-v6-443-vsrv-ma doesn't exist. Check if the Data Group has been created and whether its name is entirely in lower case.

The virtual server (c2-ziolb2-ser-t1-uat-v6-443-vsrv) and the data group (c2-ziolb2-ser-t1-uat-v6-443-vsrv-ma) both exist in the "olb2-ifapp" partition.

8 Replies

  • The iRule:

        when CLIENTSSL_CLIENTCERT {
            # Set debug variable to 0 for max performance during normal operations.
            # Only negative events will be logged.
            # Set debug variable to 1 for more logging, i.e. during troubleshooting.
            # Negative and positive events will be logged.
            set debug 0
            set client_IP [IP::remote_addr]
            set vs_name [string tolower [virtual name]]
            set dg_name [string tolower [virtual name]-ma]
            if {![class exists $dg_name]}{
                log local0.error "Virtual server $vs_name: Data Group $dg_name doesn't exist. Check if the Data Group has been created and whether its name is entirely in lower case."
                reject
                return
            }
            # Check if client provided a cert
            if {[SSL::cert 0] eq ""}{
                # Reset the connection if no client certificate has been presented
                log local0.error "Virtual server $vs_name: Client with IP address $client_IP has not presented client certificate. Connection is rejected."
                reject
                return
            } else {
                # If client cert is presented, check validity and access rights
                if {[SSL::cert count] > 0}{
                    set subject_dn [X509::subject [SSL::cert 0]]
                    if {$debug} {log local0.error "Client Certificate Received: $subject_dn"}
                    # Check if the certificate is valid
                    if { [SSL::verify_result] == 0 }{
                        # Certificate has been verified as valid, now check the CN against the allowed CN list.
                        # cSSLSubject variable contains only the CN value from the certificate subject
                        set cSSLSubject [string tolower [findstr $subject_dn "CN=" 3 ","]]
                        if {$debug} {log local0.error "SSL Subject CN is: $cSSLSubject"}
                        # Check if the client certificate subject is in the allowed certificate subject access list
                        if {$debug} {log local0.error "$dg_name values: [class get $dg_name]"}
                        if { [class match $cSSLSubject equals $dg_name] } {
                            # Compare the CN portion of the subject in the presented certificate with the value listed in the access list.
                            # Accept the client cert if its CN is listed in the certificate subject access list.
                            # For performance reasons do not turn on logging of success events unless troubleshooting
                            if {$debug} {log local0.error "Virtual server $vs_name: Client Certificate with subject $subject_dn has been received from client with an IP address $client_IP. $cSSLSubject has been found in the Data Group $dg_name, connection has been accepted."}
                        } else {
                            # Reject the client cert if it's not in the certificate subject access list
                            log local0.error "Virtual server $vs_name: Client Certificate with subject $subject_dn has been received from client with an IP address $client_IP. $cSSLSubject has not been found in the Data Group $dg_name, connection would have been rejected."
                            reject
                            return
                        }
                    } else {
                        # Certificate verification failed. Use the SSL status code in the HTTP response
                        # (defined here: http://www.openssl.org/docs/apps/verify.html#DIAGNOSTICS)
                        set cert_verify_error [X509::verify_cert_error_string [SSL::verify_result]]
                        log local0.error "Virtual server $vs_name: Failed to Verify Client Certificate $subject_dn presented by client with IP $client_IP. SSL verify result: $cert_verify_error. Connection has been rejected."
                        reject
                        return
                    }
                } else {
                    # Reset the connection if no client certificates
                    log local0.error "Virtual server $vs_name: No client certificate has been presented by client with IP address $client_IP. Connection is rejected."
                    reject
                    return
                }
            }
        }
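The access decision the iRule above encodes, written out as a Python model so it can be run offline. This is an added example, not code from the thread, from Patrik or from F5: the BIG-IP commands `[virtual name]`, `class exists`, `class match`, `findstr` and `URI::basename` are replaced by plain Python stand-ins, and `DATA_GROUPS` is a constructed table keyed by the full `/partition/name` path, mirroring how the data group in the thread is named after its virtual server plus `-ma`. It also shows the two failure modes the rule's own error message hints at: a data group in a different partition, and a data group whose name contains upper-case letters, which the lower-cased lookup cannot find.

```python
"""Python model of the CLIENTSSL_CLIENTCERT access decision (added example).

Stand-ins for the iRule environment (all constructed, not BIG-IP APIs):
  DATA_GROUPS     -> the data groups the BIG-IP would hold, keyed by full path
  findstr()       -> the iRule findstr command (search, skip, terminator)
  basename()      -> URI::basename, as used later in the thread
  decide()        -> the rule's branches, returning (accepted, reason)
"""
from typing import Optional, Tuple

# Constructed sample data groups. Values are the allowed certificate CNs,
# stored in lower case because the rule lower-cases the CN before matching.
DATA_GROUPS = {
    # Matches the thread's virtual server, in the olb2-ifapp partition.
    "/olb2-ifapp/c2-ziolb2-ser-t1-uat-v6-443-vsrv-ma": {"app-client-01", "batch.example"},
    # Deliberately mixed-case name: the rule will never find this one.
    "/olb2-ifapp/Other-VS-ma": {"app-client-01"},
}


def findstr(s: str, search: str, skip: int, terminator: str) -> str:
    """Stand-in for iRule findstr: text after `search`, skipping `skip`
    characters, up to (not including) `terminator` or end of string."""
    i = s.find(search)
    if i < 0:
        return ""
    start = i + skip
    end = s.find(terminator, start)
    return s[start:] if end < 0 else s[start:end]


def basename(path: str) -> str:
    """Stand-in for URI::basename: the last path component only."""
    return path.rsplit("/", 1)[-1]


def data_group_name(virtual_name: str) -> str:
    """The name the rule derives: lower-cased [virtual name] plus '-ma'.
    [virtual name] returns /partition/vsname, so the partition is kept."""
    return (virtual_name + "-ma").lower()


def decide(virtual_name: str, subject_dn: Optional[str], verify_result: int) -> Tuple[bool, str]:
    """Mirror the rule's branches. subject_dn is None when no client cert
    was presented; verify_result is the OpenSSL verify code (0 = OK)."""
    dg = data_group_name(virtual_name)
    if dg not in DATA_GROUPS:                      # class exists $dg_name
        return False, f"Data Group {dg} doesn't exist"
    if subject_dn is None:                         # [SSL::cert 0] eq ""
        return False, "no client certificate presented"
    if verify_result != 0:                         # SSL::verify_result
        return False, f"certificate verification failed (code {verify_result})"
    cn = findstr(subject_dn, "CN=", 3, ",").lower()
    if cn in DATA_GROUPS[dg]:                      # class match ... equals
        return True, f"{cn} found in {dg}"
    return False, f"{cn} not found in {dg}"


if __name__ == "__main__":
    vs = "/olb2-ifapp/c2-ziolb2-ser-t1-uat-v6-443-vsrv"
    for dn, code in [("CN=App-Client-01,OU=uat,O=example", 0),
                     ("OU=uat,CN=stranger", 0),
                     ("CN=app-client-01", 18),
                     (None, 0)]:
        print(dn, code, "->", decide(vs, dn, code))
    print("/olb2-ifapp/Other-VS", "->", decide("/olb2-ifapp/Other-VS", "CN=app-client-01", 0))
```

The `basename` helper is only there to show what Patrik's later suggestion changes: it strips the partition, so the derived name would no longer carry `/olb2-ifapp/` at all. In this model the lookup is an exact string comparison, which is why the mixed-case `Other-VS-ma` entry is unreachable once the rule lower-cases the derived name.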
  • I have verified the partition name twice and it is lower case. This iRule is used for many virtual servers, so I am using "virtual name".

    Is the hyphen causing the issue?

  • If you add a trailing hyphen it could be a problem. Have you tried logging vs_name and dg_name like this to verify?

    log local0. "\"$dg_name\""
    log local0. "\"$vs_name\""
    

    /Patrik

  • Finally identified the issue, but I don't know the syntax to include the partition details.

    set dg_name [string tolower [virtual name]-ma]

    This should include the partition name based on the virtual IP selected.

    Example: c2-ziolb2-ser-t1-uat-v6-443-vsrv (virtual IP name); partition under which the above VIP is created: olb2-ifapp

    Will [URI::basename [virtual name]-ma] provide the partition details in v11.3?

  • Hi!

    You're right.

    set dg_name [string tolower [virtual name]-ma]

    would result in

    /partition/virtualservername-ma

    [URI::basename [virtual name]-ma] would result in

    virtualservername-ma

    Please note that this has only been tested in 11.4.1.

    /Patrik

  • Patrik, I am still getting the error message:

    /Common/SSLMA-v1.2-allowall : Virtual server /olb2-ifapp/c2-ziolb2-ser-t1-uat-v6-443-vsrv: Data Group /olb2-ifapp/c2-ziolb2-ser-t1-uat-v6-443-vsrv-ma doesn't exist. Check if the Data Group has been created and whether its name is entirely in lower case.

    I am using v11.3.0.

  • Tested it now on 11.3.0.

    If I use the variable to test the class, it does not exist, but if I copy the content of the variable, the class exists.

    Looks like you can't use variables to check if the class exists. Perhaps some iRule guru has an answer, but I don't.

    Sorry! :(

    /Patrik