For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Dan_Markhasin_1's avatar
Dan_Markhasin_1
Icon for Nimbostratus rankNimbostratus
Feb 24, 2016

APM Client Certificate Validation when using policy evaluate

I am in the process of creating an iRule that uses ACCESS::policy evaluate to run the incoming HTTP request through an APM policy, but am having issues with getting the Client Certificate Validation ...
application delivery
BIG-IP Access Policy Manager (APM)
MichaelatF5's avatar
MichaelatF5
Icon for Employee rankEmployee
Feb 24, 2016

Dan,

 

First question, is there a reason you are using an iRule? Is the APM policy configured in the Virtual Server configuration?

 

ACCESS::policy evaluate is for evaluating a policy against an EXISTING APM session. So if there is no existing session, evaluate will return null for everything. If you are creating a session in an irule, and the policy requires client interaction there is a good chance that policy evaluation is failing.

 

Do you have Client Certificate Authentication enabled in the ClientSSL profile, or within APM? If you are evaluating the Client Cert at LTM with ClientSSL, you should use Client Certificate Inspection. If you are NOT performing Client Certificate Auth with the ClientSSL profile, I recommend using the On Demand Client Certificate Authentication agent.