David_G__33241
Aug 11, 2017

Selective Client SSL Profile

I am performing certificate-based authentication for Android devices. The Client SSL profile is set to Ignore the Client Certificate and I have defined both the Trusted and Advertised CAs. The Access Policy performs an On Demand Authentication set to Request and everything is working perfectly.

In order to roll out a new internal CA, I would like to be able to use a different Trusted and Advertised CA in the Client SSL profile, but only when specifically requested. My thought was to create a new Client SSL profile using the new internal CA and then to switch profiles on the fly using SSL::profile. I would like to do this based on a specific URI - something to the effect of:

when CLIENT_ACCEPTED {
    if { ([HTTP::uri] contains "/new-ca") } { SSL::profile /Common/new-ca_client-ssl-profile }
}

The problem with this is that HTTP::uri is not valid during a CLIENT_ACCEPTED event. I tried an iRule event in the Access Policy prior to the On Demand Auth; however, SSL::profile is not allowed at that time.

Is there another way to accomplish this? I would really like to change profiles based on URI if possible. Client IP is not really an option.

Thanks

APM 12.1.2
