Forum Discussion
Client certificate pass through
I was told that this iRule should do the trick by one of my colleagues:
when CLIENTSSL_CLIENTCERT {
    log local0. "Debug: cert_counter : [SSL::cert count]"
    log local0. "Debug: client ip : [IP::client_addr]"
    log local0. "Debug: verify : [SSL::verify_result]"
    # store the client certificate information in-memory, keyed by SSL session id (1200 s lifetime)
    if { [SSL::cert count] > 0 } {
        table set -subtable Cert_Data [SSL::sessionid] [list \
            [SSL::verify_result] \
            [X509::whole [SSL::cert 0]] \
            [X509::subject [SSL::cert 0]] \
            [X509::serial_number [SSL::cert 0]] \
        ] 1200
    }
}

when HTTP_REQUEST {
    # define values (not referenced further down)
    set no_cert "no_cert"
    set no_user "no_user"
    # remove SSL_CLIENT_CERT header
    HTTP::header remove SSL_CLIENT_CERT
    # remove SSL_CLIENT_USER header
    HTTP::header remove SSL_CLIENT_USER

    if { [SSL::sessionid] ne "" } {
        set id [SSL::sessionid]
        # read the client certificate information in-memory
        set the_cert [table lookup -subtable Cert_Data $id]
        # element 0 is the stored SSL::verify_result
        if { [lindex $the_cert 0] == 0 || [lindex $the_cert 0] == 21 || [lindex $the_cert 0] == 19 } {
            # convert from PEM to DER
            # (b64encode wraps the PEM text from X509::whole into a single line that fits in a header)
            set the_cert_mod [b64encode [lindex $the_cert 1]]
            log local0. "Debug: sslsession $id"
            log local0. "Debug: the cert 0 : [lindex $the_cert 0]"
            log local0. "Debug: the cert 2 : [lindex $the_cert 2]"
            log local0. "Debug: the cert 1 : $the_cert_mod"
            # get the CN or user from the subject
            set the_user [findstr [lindex $the_cert 2] "CN=" 3 ","]
            # copy the whole certificate in DER format to the header
            HTTP::header insert SSL_CLIENT_CERT $the_cert_mod
            # copy the username to the header
            HTTP::header insert SSL_CLIENT_USER $the_user
            log local0. "Debug: SSL_CLIENT_CERT : [HTTP::header value SSL_CLIENT_CERT]"
            log local0. "Debug: SSL_CLIENT_USER : [HTTP::header value SSL_CLIENT_USER]"
        }
    }
}
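As an added example that is not part of the post above, the following Python models what the iRule does with the stored certificate data so the forwarding rules can be exercised offline: the strip of client-supplied SSL_CLIENT_* headers, the verify_result gate, the findstr CN extraction, the b64encode step, and the backend-side decode. The OpenSSL meaning of codes 19 and 21 and the sample subject strings and PEM are assumptions; the PEM body is a constructed placeholder, not a real certificate.

```python
import base64
import ssl

# verify_result values the iRule forwards. 0 is "ok"; 19 and 21 are (assumption:
# OpenSSL X509_V_ERR numbering) self-signed-cert-in-chain and unable-to-verify-leaf,
# so a forwarded header does not by itself prove the chain reached a trusted CA.
ACCEPTED_VERIFY_RESULTS = {0, 19, 21}

# constructed placeholder, not a real certificate
SAMPLE_DER = b"constructed-not-a-real-certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")


def findstr(string, search, skip=0, terminator=None):
    """Python equivalent of the iRule findstr command as used for the CN:
    substring starting `skip` chars after `search`, ending before `terminator`
    (or at end of string); empty string when `search` is absent."""
    start = string.find(search)
    if start < 0:
        return ""
    start += skip
    if terminator is None:
        return string[start:]
    end = string.find(terminator, start)
    return string[start:] if end < 0 else string[start:end]


def build_headers(entry, incoming_headers):
    """Emulate the HTTP_REQUEST event. `entry` is the stored list
    (verify_result, pem, subject, serial) or None when the table has no row.
    Client-supplied SSL_CLIENT_* headers are always dropped first, so a caller
    cannot smuggle its own user name past the BIG-IP."""
    headers = {k: v for k, v in incoming_headers.items()
               if k not in ("SSL_CLIENT_CERT", "SSL_CLIENT_USER")}
    if entry is None:
        return headers
    verify_result, pem, subject, _serial = entry
    if verify_result not in ACCEPTED_VERIFY_RESULTS:
        return headers
    # same as "b64encode [X509::whole ...]": base64 of the PEM text, one line
    headers["SSL_CLIENT_CERT"] = base64.b64encode(pem.encode()).decode()
    headers["SSL_CLIENT_USER"] = findstr(subject, "CN=", 3, ",")
    return headers


def decode_cert_header(value):
    """Backend side: undo the b64encode and recover DER bytes. Raises ValueError
    when the header is not base64 or the decoded text is not a PEM certificate."""
    pem = base64.b64decode(value, validate=True).decode("ascii")
    return ssl.PEM_cert_to_DER_cert(pem)
```

Because the gate lets codes 19 and 21 through, a backend that reads SSL_CLIENT_USER should treat it as identified by the BIG-IP, not as proof that the certificate chained to a trusted CA, unless the verify result is also forwarded and checked.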