Forum Discussion

John_Antony_162
Nimbostratus
Apr 28, 2015

iRule to check certificate subject and add a few HTTP header values

Hi experts,

Our requirements: [We have LTM & APM on the same unit]

a) The application needs to be exposed to vendors based on certificate authentication.

b) The certificate subject value should be validated to match a predefined value before the vendor is allowed through.

c) If a vendor uses API calls that do not handle multiple 302 redirects while going through LTM+APM, insert the header "clientless-mode" 1 (HTTP::header insert "clientless-mode" 1), which solves the problem.

iRule that I composed based on various forums:

when ACCESS_POLICY_COMPLETED {
    if { [SSL::cert count] > 0 } {
        set cert [SSL::cert 0]
        set subject [string tolower [X509::subject $cert]]
        set clientIP [IP::client_addr]
        if { $subject contains "cn=vendor-a.xx.com" } {
            HTTP::header insert X-UPN vendor-a.xx.com
        } elseif { $subject contains "cn=salesforce.xx.com" } {
            HTTP::header insert X-UPN salesforce.xx.comm
            HTTP::header insert "clientless-mode" 1
        } else {
            log local0. $clientIP
            log local0. "cert CN not valid"
            reject
        }
    }
}

Problem:

API calls from Salesforce can't handle multiple 302s from LTM+APM [if I am not wrong, it struggles after three 302s]. Since I use ACCESS_POLICY_COMPLETED, there will be a 302 which can't be avoided.

Questions:

Can I move this logic somewhere other than ACCESS_POLICY_COMPLETED?

Is there a better way to handle these requirements?

5 Replies

  • John_Alam_45640
    Historic F5 Account

    HTTP commands, and probably also SSL commands, are not available in the ACCESS_POLICY_COMPLETED event.

    You may want to stuff the values you need into the session table while still in the HTTP_REQUEST event; then you can access them in ACCESS_POLICY_COMPLETED using the [ACCESS::data get] command.

    when HTTP_REQUEST {
        if { [SSL::cert count] > 0 } {
            set cert [SSL::cert 0]
            set subject [string tolower [X509::subject $cert]]
            ACCESS::session data set session.x509.cert_subject $subject
        }
    }
    when ACCESS_POLICY_COMPLETED {
        set cert_subject [ACCESS::session data get session.x509.cert_subject]
    }

    I have not checked lately but this data may already be in the APM session table.

    HTH

  • John_Alam_45640
    Historic F5 Account

    The certificate info is collected and stored in the session variable tables:

    Client certificate authentication
        session.ssl.cert.x509extension  string   X509 extensions
        session.ssl.cert.valid          string   Certificate result: OK or error string
        session.ssl.cert.exist          integer  0 or 1 (0 - certificate does not exist, 1 - certificate exists)
        session.ssl.cert.version        string   Certificate version
        session.ssl.cert.subject        string   Certificate subject field
        session.ssl.cert.serial         string   Certificate serial number
        session.ssl.cert.end            string   Validity end date
        session.ssl.cert.start          string   Validity start date
        session.ssl.cert.issuer         string   Certificate issuer
        session.ssl.cert.whole          string   The whole certificate

  • Thx John for these details. My requirement is to set the HTTP::header insert X-UPN salesforce.xx.comm and HTTP::header insert "clientless-mode" 1 values before we even hit APM. Can I use the above iRule within HTTP_REQUEST? This way we can avoid the 302 redirection which causes issues with our Salesforce API calls.

    If I just use the below

    when HTTP_REQUEST {
        HTTP::header insert "clientless-mode" 1
    }

    the Salesforce API calls work fine. If I use them under ACCESS_POLICY_COMPLETED [which waits for APM to complete and also causes a 302, i.e. /my.policy], the Salesforce API calls fail.
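    One way to do the whole check in HTTP_REQUEST, which is what the original question and this follow-up ask about. This is an added example, not code from the thread or from F5; it assumes the client SSL profile on the virtual server already requests the client certificate during the TLS handshake (so SSL::cert is populated before APM runs), that a CA bundle is configured on that profile so SSL::verify_result is meaningful, and that the X-UPN and clientless-mode header names from the post are what the backend expects.

```tcl
when HTTP_REQUEST {
    # Strip any client-supplied copies so only values set here reach APM/backend.
    HTTP::header remove "X-UPN"
    HTTP::header remove "clientless-mode"

    if { [SSL::cert count] == 0 } {
        log local0. "no client certificate presented by [IP::client_addr]"
        reject
        return
    }

    # Presence alone is not authentication: the certificate must also have
    # verified against the client SSL profile's CA bundle (assumed configured).
    set vres [SSL::verify_result]
    if { $vres != 0 } {
        log local0. "client cert from [IP::client_addr] failed verification: [X509::verify_cert_error_string $vres]"
        reject
        return
    }

    set subject [string tolower [X509::subject [SSL::cert 0]]]

    # Extract the CN attribute exactly instead of using 'contains', so a subject
    # such as cn=salesforce.xx.com.attacker.example does not also match.
    if { ![regexp {(?:^|,)\s*cn=([^,]+)} $subject -> cn] } {
        log local0. "client cert from [IP::client_addr] has no CN: $subject"
        reject
        return
    }
    set cn [string trim $cn]

    switch -- $cn {
        "vendor-a.xx.com" {
            HTTP::header insert "X-UPN" $cn
        }
        "salesforce.xx.com" {
            HTTP::header insert "X-UPN" $cn
            # Only this API client gets the header that keeps APM from
            # redirecting it through /my.policy (the multiple-302 problem).
            HTTP::header insert "clientless-mode" 1
        }
        default {
            log local0. "cert CN not valid for [IP::client_addr]: $cn"
            reject
        }
    }
}
```

    If the certificate is instead collected by APM's on-demand cert auth (a renegotiation inside the access policy), SSL::cert is still empty at HTTP_REQUEST time and this rule rejects every request, which matches the later reply's experience that clientless mode and on-demand cert auth do not combine well.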

  • AN
    Nimbostratus

    Hi,

    I am running into the issue with the APM module. Have a tech case open and no luck. Found that they have stopped providing support for the auth profile in LTM, and F5 prefers to use APM. I have an iRule assigned to the vserver for clientless mode 1: when HTTP_REQUEST { HTTP::header insert "clientless-mode" 1 }. With a browser it works fine but not with an HTTP client. Hope to get some help and instructions on how I can get clientless working with APM or using an iRule.

    It's frustrating to hear from Tech that browser-based client cert is working through APM, which they say shows the configuration is right, and that the iRule for clientless and APM on-demand cert don't work well together.

    Clientless mode and OnDemand Cert Auth do not work together well; it's hit or miss, but in most cases it doesn't work.

    Our APM operations guide mentions that these two will not normally function together.

    https://support.f5.com/content/kb/en-us/products/big-ip_apm/manuals/product/f5-apm-operations-guide/_jcr_content/pdfAttach/download/file.res/f5-apm-operations-guide.pdf

    In ACE we never had any issue with those clientless connections; not sure why it would be an issue on F5.

    Please let me know if there is an iRule to do cert authentication for those clientless connections.

    Thanks.