Forum Discussion
APM Session Variable Not Being Cached
Understood. The Client Certificate Inspection agent in the visual policy relies on settings in the Client SSL profile. Specifically, you need to:

- Set Client Certificate (under Client Authentication) to Request or Require. This can also be done with the On-Demand Cert Auth agent, but it's somewhat redundant to use this and the Client Certificate Inspection agent.
- Set the Trusted Certificate Authorities option to either a single CA or a bundle of CAs. When the client presents its certificate to the server (BIG-IP), the server must be able to validate that certificate based on validity, expiration, and trust. The CA or CA bundle in this option is used to build the trust chain from the client's certificate through an explicitly trusted chain of CAs.
- Optionally you can set the Advertised Certificate Authorities option. When the server sends its CertificateRequest message to the client, it can optionally send a list of supported CAs, called a "root hint", that most browsers will check before prompting the client to send a certificate. In this way you can potentially limit the choices that a user can make by filtering the list of possible client certificates to just the ones issued by the CAs in the root hint.
What I would do at this point is simply remove the access policy and ensure that basic mutual PKI authentication happens - that you get a certificate prompt, that you send a certificate, that the server (BIG-IP) validates that certificate, and that you get to the web server behind the BIG-IP. Once that works, you can re-apply the access policy. The session.ssl.cert.* session variables will be populated as soon as the client sends its certificate and the client SSL profile accepts it. You could therefore add a message box at the beginning of the visual policy to look at session.ssl.cert.subject.
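The three Client SSL profile settings above expressed as tmsh commands, as an added example that is not part of the original post; the profile name `mtls_clientssl` and the certificate object names `corp-ca-bundle.crt` and `corp-issuing-ca.crt` are assumed placeholders for objects already imported under /Common.

```tmsh
# Added example, not from the original post. Assumed names: client-ssl profile
# "mtls_clientssl", CA bundle "corp-ca-bundle.crt", issuing CA "corp-issuing-ca.crt".

# 1. Client Certificate -> Require ("request" lets the handshake succeed without a
#    certificate so the access policy can decide later; "require" fails the handshake)
modify ltm profile client-ssl mtls_clientssl peer-cert-mode require

# 2. Trusted Certificate Authorities -> the bundle used to build and validate
#    the trust chain from the client certificate up to a trusted root
modify ltm profile client-ssl mtls_clientssl ca-file corp-ca-bundle.crt

# 3. Advertised Certificate Authorities (optional) -> the "root hint" list sent in
#    the CertificateRequest message; narrows which client certs the browser offers
modify ltm profile client-ssl mtls_clientssl client-cert-ca corp-issuing-ca.crt

# Confirm that all three settings took effect before re-applying the access policy
list ltm profile client-ssl mtls_clientssl peer-cert-mode ca-file client-cert-ca

save sys config
```

To check the handshake from a workstation, `openssl s_client -connect <vip>:443 -cert client.crt -key client.key -CAfile corp-ca-bundle.crt` prints the advertised root hint under "Acceptable client certificate CA names" and the outcome under "Verify return code"; on the BIG-IP, `sessiondump --allkeys | grep session.ssl.cert` then shows whether the session variables were populated.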