APM session username/password vars not copied in from iRule? Not showing in session report, and auth always fails
I am setting up a clientless mode policy for a web service, where the caller passes in a basic auth header, and I want to pass the provided username/password into the policy. The iRule I'm using to do this is as follows:
```tcl
when HTTP_REQUEST {
    # Tell APM this request should be handled in clientless mode
    HTTP::header insert "clientless-mode" 1
    # Challenge the caller if no Authorization header was supplied
    if { not ( [HTTP::header exists Authorization] ) } {
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"FISERV Credentials\""
        return
    }
    # Challenge again if either half of the Basic credentials is empty
    if { [HTTP::username] eq "" or [HTTP::password] eq "" } {
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"FISERV Credentials\""
        return
    }
    log local0. "In HTTP_REQUEST, FISERV Username [HTTP::username], pw [HTTP::password]"
}

when ACCESS_SESSION_STARTED {
    log local0. "In APM session, FISERV Username [HTTP::username], pw [HTTP::password]"
    # Copy the Basic credentials into the APM logon session variables
    ACCESS::session data set session.logon.last.username [HTTP::username]
    ACCESS::session data set session.logon.last.password [HTTP::password]
}
```
(Sorry, can't figure out how to do a clean code block).
The LTM log shows the correct HTTP vars, in both events in the iRule. In the policy, I have a logging agent that dumps session.logon.*, but last.username and last.password are never present (the only session.logon vars shown are captcha.tracking, page.errorcode, and page.challenge, all blank). And my local user DB auth agent always denies access, going down the "locked out" branch (even though the user is not locked out per the local user DB info elsewhere in the APM menus). I get the following errors associated with the auth attempt:
"unable to decrypt user password due to invalid ciphertext" "Login for user FISERV, instance /Common/ESB-Fiserv rejected - Account locked out."
Again, the account doesn't show as locked out, and attempts is 0.
This is on 11.5.1HF5.
Thoughts? Suggestions on how to debug? Should I put in a var assignment agent in the policy, and if so, how do I access the HTTP vars in that context?
thx!
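The checks the iRule's HTTP_REQUEST event performs (reject when the Authorization header is missing, then reject when either half of the Basic credentials is empty) are shown here in plain Python as an added editorial example, not code from the post or from F5. It decodes the header the way RFC 7617 defines it, splitting on the first colon only so a password that itself contains a colon survives, and treats malformed base64 or non-UTF-8 payloads as "no credentials" rather than raising. The realm string is taken from the iRule above; the function names, the header dictionary shape and the sample credentials are assumptions made for the example.

```python
import base64
import binascii

# Realm string copied from the iRule in the post
REALM = "FISERV Credentials"


def parse_basic_auth(header_value):
    """Return (username, password) from a Basic Authorization header value,
    or None when the header is absent, not Basic, or not decodable."""
    if header_value is None:
        return None
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1].strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # RFC 7617: the user-id may not contain ':', the password may,
    # so split exactly once on the first colon.
    if ":" not in text:
        return None
    user, pw = text.split(":", 1)
    return user, pw


def build_basic_auth(user, pw):
    """Encode credentials as a Basic Authorization header value (helper for
    constructing sample requests; assumed name)."""
    token = base64.b64encode(("%s:%s" % (user, pw)).encode("utf-8")).decode("ascii")
    return "Basic " + token


def check_request(headers):
    """Mirror the iRule's HTTP_REQUEST checks.

    Returns (status, response_headers, credentials): a 401 with a
    WWW-Authenticate challenge when the header is missing, malformed, or has
    an empty username or password; otherwise 200 and the (user, pw) tuple.
    """
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None or creds[0] == "" or creds[1] == "":
        return 401, challenge, None
    return 200, {}, creds


if __name__ == "__main__":
    # Constructed sample requests, not traffic from the post
    print(check_request({}))
    print(check_request({"Authorization": build_basic_auth("FISERV", "")}))
    print(check_request({"Authorization": build_basic_auth("FISERV", "s3cret")}))
```

Running the block prints the 401 challenge for the first two requests and a 200 with the decoded pair for the third; the same logic would be the place to log which branch was taken when chasing a "credentials never reach the session" problem like the one above.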