Forum Discussion
MikeRobinson_64
Nimbostratus
Jul 14, 2009
CAC authentication and http headers
Hello everyone,
I am trying to get a CAC authentication iRule working properly and have run into a glitch. The initial pass through the rule identifies the folder and requires a CAC fo...
MikeRobinson_64
Nimbostratus
Jul 24, 2009
Ok, so the fix for this was twofold...
One: Add an LB_SELECTED function to pass the headers to the server (see below)
when LB_SELECTED {
    # $needcert, $id and $somecert are set earlier in the rule (not shown here).
    if { $needcert == 1 } {
        # Look up the stored certificate verification result for this SSL session.
        set ssl_array1 [session lookup ssl $id]
        set ssl_data0 [lindex $ssl_array1 0]
        set ssl_data1 [lindex $ssl_array1 1]
        # Only pass certificate details to the server when verification was ok.
        if { $ssl_data0 contains "ok" } {
            HTTP::header replace "SSLCLientCertStatus" $ssl_data1
            HTTP::header replace "SSLClientCertVersion" [X509::version $somecert]
            HTTP::header replace "SSLClientCertSerialNumber" [X509::serial_number $somecert]
            HTTP::header replace "SSLClientCertIssuer" [X509::issuer $somecert]
            HTTP::header replace "SSLClientCertNotValidBefore" [X509::not_valid_before $somecert]
            HTTP::header replace "SSLClientCertNotValidAfter" [X509::not_valid_after $somecert]
            HTTP::header replace "SSLClientCertSubject" [X509::subject $somecert]
        }
    }
}
You could even send the failures through as headers this way too if you want to customize a response page back on the server.
Two: Add in an HTTP_RESPONSE section to handle the failure responses back to the client.
It works as intended now!
Mike
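A companion handler for the rule above, as an added example that is not part of Mike's post or F5's code: it strips any SSLClientCert* headers the client sent before the LB_SELECTED block sets its own. `HTTP::header replace` only rewrites the last occurrence of a header, and the block above sets nothing when the check fails, so without this a client-supplied copy could reach the server. It assumes the backend trusts headers with this prefix and that no other rule sets them earlier.

```tcl
# Added example (not from the original post). HTTP_REQUEST fires before
# LB_SELECTED, so this runs ahead of the header-setting block above.
when HTTP_REQUEST {
    # Collect inbound header names that collide with the certificate
    # headers set in LB_SELECTED. HTTP header names are case-insensitive,
    # so compare on the lowercased name.
    set spoofed {}
    foreach name [HTTP::header names] {
        if { [string tolower $name] starts_with "sslclientcert" } {
            lappend spoofed $name
        }
    }

    # Remove every occurrence of each colliding header.
    foreach name $spoofed {
        HTTP::header remove $name
    }

    # Log the event so it shows up in /var/log/ltm for review.
    if { [llength $spoofed] > 0 } {
        log local0. "Stripped [llength $spoofed] client-supplied cert header(s) from [IP::client_addr]"
    }
}
```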
