Forum Discussion

Shaun_Simmons1
Sep 01, 2015

APM Custom Expression - Search for string, if match, replace with

I wish I were better at this...

I currently have an APM setup for CAC authentication that pulls the user's UPN and matches it to AD -- via: (nothing special; via F5 "how to")

# Split the x509 extension text into lines and look for the othername:UPN entry
set e_fields [split [mcget {session.ssl.cert.x509extension}] "\n"]
foreach qq $e_fields {
    if {[string first "othername:UPN" $qq] >= 0} {
        # Return the value between the angle brackets, i.e. the UPN itself
        return [string range $qq [expr {[string first "<" $qq] + 1}] [expr {[string first ">" $qq] - 1}]]
    }
}
# No UPN found in the certificate extensions
return ""

--I need to use the idea of this but change a few things that will search a PKI certificate for two fields.

mcget {session.ssl.cert.x509extension}

UPN (wanted) = session.ssl.cert.serial, matching it to "00 d2 a5" AND session.ssl.cert.cn, matching it to "foo.bar.lala.mil". IF both match, replace foo.bar with @mil; IF both do not match THEN FAIL.

*I'm doing two matches to add a layer of security.

"SamAccountName" will be foo, to authenticate to MyServer.

What this does is allow two servers to communicate via SSL: one server will pass information TO another server.

Server --SSL---> MyServer; the F5 will have the "Server"'s Public Cert and Key.

I hope I explained it well enough...I'm horrible at explaining my thoughts :)

Thank you very much!
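An added worked example (not code from the thread, and not F5's own sample) of an APM Variable Assign custom expression that does what the post describes: it only produces an identity when both session.ssl.cert.serial and session.ssl.cert.cn match the expected values, and otherwise returns an empty string so a following branch of the access policy can fail the session. The expected serial "00 d2 a5" and CN "foo.bar.lala.mil" are the placeholder values from the post; the whitespace/case normalisation of the serial and the extraction of the first host label are assumptions about the certificate formatting, not documented F5 behaviour.

```tcl
# Added example: APM Variable Assign custom expression (Tcl).
# Derives "<host>@mil" from a server certificate only when BOTH the serial number
# and the subject CN equal the expected values; returns "" on any mismatch so an
# "Empty" check on the assigned variable can route the session to Deny.

# Placeholder values taken from the forum post (assumption: exact match wanted).
set expected_serial "00 d2 a5"
set expected_cn     "foo.bar.lala.mil"
set upn_suffix      "@mil"

# Normalise both serials the same way (lower-case, drop spaces and colons) so that
# "00:D2:A5" and "00 d2 a5" compare equal. Assumption about serial formatting.
set serial      [string map {" " "" ":" ""} [string tolower [mcget {session.ssl.cert.serial}]]]
set want_serial [string map {" " "" ":" ""} [string tolower $expected_serial]]

set cn      [string tolower [mcget {session.ssl.cert.cn}]]
set want_cn [string tolower $expected_cn]

# Both checks must pass; a mismatch on either one yields an empty result.
if { $serial ne $want_serial || $cn ne $want_cn } {
    return ""
}

# Keep only the first label of the FQDN ("foo" from "foo.bar.lala.mil") and
# append the AD suffix, giving "foo@mil".
set host [lindex [split $cn "."] 0]
if { $host eq "" } {
    return ""
}
return "${host}${upn_suffix}"
```

Assign the result to a session variable of your choosing (for example a hypothetical session.custom.upn) in the Variable Assign agent, then add an Empty agent on that variable with the fallback branch going to Deny. Two caveats a practitioner would want: a serial number is only unique within one issuing CA, so this check adds little unless APM has already validated the certificate chain against the intended CA, and the serial in the post is far shorter than a real one, so compare the full value rather than a prefix.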

 

4 Replies

  • Have you reached out to the Federal team? We may be able to help you out offline in more detail with your specific use case.

    Is there any reason you aren't using the SubjectAltName=OtherName Field for the UPN to pull EDIPI@MIL?

  • I need a variation of EDIPI@Mil. The certificates I am using are not CAC certs; the certs do not have an "othername" field or EDIPI@MIL. They are ordinary server CA certificates.

    The Subject Name of the certificate is: DNS Name: foo.bar.lala.mil

    Instead of UPN, I will match to the DistinguishedName of the AD User. The only AD suffix I have available and can have is @mil, hence the "replace" of the FQDN "bar.lala.mil" to @mil.

    I usually start with the FED team, but I thought a greater user base would answer my question quicker and also share information.

  • I spoke with your Account Team; they should be reaching out to you.

    But to be clear, you are putting Server Certificates on Smart Cards? Or are you just trying to accomplish TLS between servers? There are other aspects that you will need to take into consideration for this to work. Servers do not use Browser agents, so you need to enable clientless mode. You will also need to ensure that any additional headers added to the traffic do not break the transactions.

    Reading attributes is not an issue, and you may be able to solve your issue more easily by using an iRule event and FindStr.

  • I want to say LDAP over SSL.

    High Level explanation: A-Server(443) -> WIP -> 443:VIP:B-ServerIP:X-port -A_Server-service has to Authenticate through AD to a B_Server-service ( I have no idea what port / service )

    I am assuming the servers will use user/pass authentication written by the developers.

    I apologize that my question does not have enough context to paint a great picture.

    Thank you very much for reaching out to me. :)