For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

eric_haupt1's avatar
eric_haupt1
Icon for Nimbostratus rankNimbostratus
Sep 06, 2017

Client Certificate - Regex to parse numbers from cert subject

I've been using an irule from Devcentral for quite some time to parse the othername:UPN x509 field from our client certificates for APM use. However, our clients are provided two certs and one of th...
application delivery
BIG-IP Access Policy Manager (APM)
iRules
Simon_Blakely's avatar
Simon_Blakely
Icon for Employee rankEmployee
Sep 07, 2017

And as a further addendum, regexp does not return a string, it takes a variable name to set to the match:

when ACCESS_POLICY_AGENT_EVENT {
     switch [ACCESS::policy agent_id] {
          "CACPROCESSING" {
                if { [ACCESS::session data get session.ssl.cert.x509extension] contains "othername:UPN<" } {
                     set tempupn [findstr [ACCESS::session data get session.ssl.cert.x509extension] "othername:UPN<" 14 ">"]
                     ACCESS::session data set session.custom.certupn $tempupn }
                else { if { [regexp {([0-9]{16}|[0-9]{10})} [ACCESS::session data get session.ssl.cert.subject] temppiv ] == 1 } {
                          set tempupn "$temppiv@company"
                          ACCESS::session data set session.custom.certupn $tempupn }
                     }
            }
        }
}

Add some logging and do some testing. I hope this helps.