Forum Discussion

Shaun_Simmons1
Feb 03, 2015

APM - CAC Authentication: Present specific Certificate to User

We recently upgraded from 11.2 to 11.5 HF7: CAC authentication is functional via APM. Users are currently being presented 3 certificates and I'd like the users to be presented with 1 certificate.


What I'd like to do: *I'm not too savvy with VPE and APM, or with how our old iRules translate to APM. :)


Currently my access policy reads:


session.logon.last.upn =
    # split the OpenSSL-style extension dump stored in the session into lines
    set e_fields [split [mcget {session.ssl.cert.x509extension}] "\n"]
    foreach qq $e_fields {
        # keep only the Subject Alternative Name line that carries the otherName UPN entry
        if {[string first "othername:UPN" $qq] >= 0} {
            # return the text between the first "<" and the first ">" on that line
            return [string range $qq [expr { [string first "<" $qq] + 1 }] [expr { [string first ">" $qq] - 1 }]]
        }
    }
    # no UPN entry in the certificate: assign an empty string
    return ""


I'd like to have *Cert 0, which is the "Email" cert, presented.


  • From what I have researched and theorized, do I need to change the "othername:UPN" or add a branch rule?

Our old iRule / Pertinent information that allowed this to work:


when CLIENTSSL_CLIENTCERT {          ;# enclosing event not shown in the original snippet; SSL::cert is available here
    set this_cert [SSL::cert 0]      ;# first certificate the client presented (the leaf)
    set clientip [IP::client_addr]   ;# source address of the connecting client
}


*Of the above, how do I do the equivalent in APM?


-
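The Variable Assign expression quoted in the post, ported to Python as an added example (not code from this thread or from F5) so its parsing rules can be exercised offline. The two extension dumps are constructed samples of what session.ssl.cert.x509extension holds, with made-up values; the branch rule on session.logon.last.upn is an assumed one, not a rule shown in the thread.

```python
# Added example: the Variable Assign expression from the post, ported to Python so its
# parsing rules can be exercised offline. Not code from the thread or from F5.

# Constructed sample of what APM stores in session.ssl.cert.x509extension (the
# OpenSSL-style text dump of the client certificate's extensions). Values are made up.
SAMPLE_EXTENSIONS = """X509v3 Key Usage: critical
    Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
    TLS Web Client Authentication, E-mail Protection, Microsoft Smartcard Login
X509v3 Subject Alternative Name:
    othername:UPN<1234567890@mil>, email:jane.doe@example.mil
"""

# Constructed sample of the same certificate as an OpenSSL build that cannot decode the
# otherName would dump it: the UPN is not visible, so the extraction must yield "".
SAMPLE_UNSUPPORTED = """X509v3 Subject Alternative Name:
    othername:<unsupported>, email:jane.doe@example.mil
"""


def extract_upn(x509extension):
    """Mirror of the Tcl expression: take the first line containing 'othername:UPN' and
    return the text between the first '<' and the first '>' on it; '' when no such line
    (or no well-formed <...>) exists."""
    for line in x509extension.split("\n"):
        if "othername:UPN" in line:
            lt, gt = line.find("<"), line.find(">")
            if lt < 0 or gt < lt:
                return ""
            return line[lt + 1:gt]
    return ""


def parse_san(x509extension):
    """Return {kind: [values]} for every entry on the Subject Alternative Name line,
    e.g. {'othername': ['UPN<...>'], 'email': ['...']}. Entries are comma separated in
    the dump; a value that itself contains a comma (DirName) would need a real parser."""
    lines = x509extension.split("\n")
    entries = {}
    for idx, line in enumerate(lines):
        if "Subject Alternative Name" not in line:
            continue
        # OpenSSL prints the values either after the colon or on the following line.
        tail = line.split(":", 1)[1].strip()
        if not tail and idx + 1 < len(lines):
            tail = lines[idx + 1].strip()
        for entry in tail.split(","):
            entry = entry.strip()
            if ":" not in entry:
                continue
            kind, value = entry.split(":", 1)
            entries.setdefault(kind.strip(), []).append(value.strip())
        break
    return entries


def branch_rule(session):
    """Equivalent of a VPE branch rule expr { [mcget {session.logon.last.upn}] != "" }
    (assumed rule, not one shown in the thread)."""
    return session.get("session.logon.last.upn", "") != ""


def run_policy(x509extension):
    """Variable Assign followed by the branch rule, in the order the policy would run."""
    session = {"session.ssl.cert.x509extension": x509extension}
    session["session.logon.last.upn"] = extract_upn(session["session.ssl.cert.x509extension"])
    return session, ("upn_found" if branch_rule(session) else "fallback")


if __name__ == "__main__":
    for sample in (SAMPLE_EXTENSIONS, SAMPLE_UNSUPPORTED):
        session, branch = run_policy(sample)
        print(repr(session["session.logon.last.upn"]), branch, parse_san(sample))
```

The second sample is the case worth a branch rule: when the platform's OpenSSL cannot decode the otherName, the expression assigns an empty string and the policy must take a fallback branch instead of proceeding with a blank logon name.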


1 Reply

  • It is not clear from your question whether you refer to the client certificate or the certificate presented by the virtual server on the LTM/APM.


    If it is the client certificate, then the user has to select which one she wants to present. If there are multiple but only 1 meets the criterion based on the "Advertised CAs" on the connection, then the user will not be presented with an option to choose the client certificate.


    If you are indeed referring to the server certificate presented by the virtual server, then one suggestion is to have a generic clientssl profile on the virtual server which is not doing any client certificate authentication. Later on in the APM policy add a policy element to do an "OnDemand Certificate Authentication" with the clientssl profile set to the appropriate profile which advertises the CA which you want.


    Best.
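As an added example (not from the thread or from F5's documentation), the client SSL profile settings behind the reply's suggestion, written as tmsh commands: a profile that prompts on the initial handshake with a broad advertised-CA list next to one that leaves the certificate request to the On-Demand Certificate Authentication step and advertises only the CA of the certificate you want offered. Profile, certificate, key and CA-bundle names are placeholders, and it assumes the renegotiation performed by the On-Demand step uses the trusted and advertised CA lists of the client SSL profile on the virtual server.

```tmsh
# Added example (not from the thread): client SSL profile settings for the approach the
# reply describes, as tmsh commands. Profile, cert/key and CA bundle names are placeholders.

# Before: the profile on the virtual server asks for a client certificate in the initial
# handshake and advertises a bundle containing every DoD CA, so the browser offers all
# three CAC certificates and the user has to pick one before the access policy even runs.
create ltm profile client-ssl cac_clientssl_before {
    defaults-from clientssl
    cert www.example.mil.crt
    key www.example.mil.key
    peer-cert-mode request
    ca-file DoD_all_CAs.crt
    client-cert-ca DoD_all_CAs.crt
}

# After: nothing is requested on the initial handshake (peer-cert-mode ignore), so the
# access policy decides when to ask via the On-Demand Certificate Authentication agent.
# The trusted (ca-file) and advertised (client-cert-ca) lists are narrowed to the CA that
# issued the certificate type you want, so a browser that filters by advertised CA has
# only that certificate to offer and does not prompt.
create ltm profile client-ssl cac_clientssl_after {
    defaults-from clientssl
    cert www.example.mil.crt
    key www.example.mil.key
    peer-cert-mode ignore
    ca-file DoD_EMAIL_CA_only.crt
    client-cert-ca DoD_EMAIL_CA_only.crt
}
```

Narrowing the advertised CA list only separates certificates issued by different CAs; if two of the card's certificates chain to the same advertised CA, the client's own filtering (key usage, extended key usage) decides which of them it offers, and this setting alone cannot force a single choice.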