Create Domino LTPA token on F5 problem
Jeff_Green_4244
Nov 07, 2011
Hi,
I'm trying to use the code at
http://per.lausten.dk/blog/2009/06/how-to-create-a-ltpa-session-cookie-for-lotus-domino-using-f5.html
to create a Domino LTPA token but...
Jeff_Green_4244
Nov 15, 2011
F5 have supplied a workaround that seems to be doing everything correctly. We're going to test more thoroughly before declaring victory. The relevant line in the code is:
```tcl
# Create binary formatted token.
set ltpa_token_raw_bin [binary format a* $ltpa_token_raw]
```
Here's the entire code that seems to be working:
```tcl
when RULE_INIT {
    set ::DEBUG 0
    set ::cookie_name "LtpaToken"
    set ::ltpa_version "\x00\x01\x02\x03"
    set ::ltpa_secret "b64encodedsecretkey"
    set ::ltpa_timeout "1800"
}
when HTTP_REQUEST {
    # Do your usual F5 HTTP authentication here

    # Initial values
    set now [clock seconds]
    set creation_time_temp [expr { $now }]
    set creation_time [format %X $creation_time_temp]
    set expr_time_temp [expr { $creation_time_temp + $::ltpa_timeout}]
    set expr_time [format %X $expr_time_temp]
    set username [HTTP::header "username"]
    set ltpa_secret_decode [b64decode $::ltpa_secret]

    # First part of token
    set cookie_data_raw {}
    append cookie_data_raw $::ltpa_version
    append cookie_data_raw $creation_time
    append cookie_data_raw $expr_time
    append cookie_data_raw $username
    append cookie_data_raw $ltpa_secret_decode

    # SHA1 of first part of token
    set sha_cookie_raw [sha1 $cookie_data_raw]

    # Final not yet encoded token
    set ltpa_token_raw {}
    append ltpa_token_raw $::ltpa_version
    append ltpa_token_raw $creation_time
    append ltpa_token_raw $expr_time
    append ltpa_token_raw $username
    append ltpa_token_raw $sha_cookie_raw

    # Create binary formatted token.
    set ltpa_token_raw_bin [binary format a* $ltpa_token_raw]

    # Final Base64 encoded token
    set ltpa_token_final [b64encode $ltpa_token_raw_bin]

    # Insert the cookie
    HTTP::cookie insert name $::cookie_name value $ltpa_token_final

    # Loop through the list of Cookie headers to remove
    # superfluous trailing semi-colons (known F5 issue)
    # if they exist.
    # Save the Cookie headers to a TCL list
    set cookie_headers [HTTP::header values "Cookie"]
    foreach cookie_header $cookie_headers {
        # Check if the last character is a semi-colon
        if {[string range $cookie_header end end] eq ";"} {
            HTTP::cookie remove LtpaToken
            # Insert the header without the semi-colon
            HTTP::header insert Cookie [string range $cookie_header 0 end-1]
        } else {
            # Insert the original header
            HTTP::header insert Cookie $cookie_header
        }
    }

    # Remove Authorization HTTP header to avoid using basic authentication
    if { [HTTP::header exists "Authorization"] } {
        HTTP::header remove "Authorization"
    }

    if {$::DEBUG} {
        binary scan $ltpa_token_raw H* ltpa_token_raw_hex
        log local0.debug "LTP_TOKEN raw Hex: $ltpa_token_raw_hex"
        # Dump the binary-formatted token, matching the log label below
        binary scan $ltpa_token_raw_bin H* ltpa_token_raw_hex_bin
        log local0.debug "LTP_TOKEN raw_bin Hex: $ltpa_token_raw_hex_bin"
        set ltpa_final_decoded [b64decode $ltpa_token_final]
        binary scan $ltpa_final_decoded H* ltpa_final_decoded_hex
        log local0.debug "LTP_TOKEN decoded Hex: $ltpa_final_decoded_hex"
    }
}
```
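An offline check for the cookie value this iRule emits, added here as an example and not part of the original post or F5's workaround: it rebuilds the layout the iRule assembles (4-byte header, hex creation and expiry times, username, SHA-1 over those fields plus the decoded secret) and verifies a token against it. The function names, demo secret, timestamp and username are constructed for illustration, and ASCII user names are assumed.

```python
import base64
import hashlib
import hmac

LTPA_HEADER = b"\x00\x01\x02\x03"  # same version bytes as the iRule
SHA1_LEN = 20
# Constructed demo secret, base64-encoded like ltpa_secret in the iRule.
DEMO_SECRET = base64.b64encode(b"constructed-demo-secret").decode()


def build_token(username, secret_b64, now, timeout=1800):
    """Assemble a token the way the iRule does, for use as a test vector."""
    body = (LTPA_HEADER + b"%08X" % now + b"%08X" % (now + timeout)
            + username.encode("ascii"))  # assumption: ASCII user names
    digest = hashlib.sha1(body + base64.b64decode(secret_b64)).digest()
    return base64.b64encode(body + digest).decode()


def verify_token(token_b64, secret_b64, now):
    """Return the parsed fields, or raise ValueError if the token is invalid."""
    raw = base64.b64decode(token_b64, validate=True)
    if len(raw) <= 4 + 8 + 8 + SHA1_LEN or raw[:4] != LTPA_HEADER:
        raise ValueError("bad length or version header")
    body, digest = raw[:-SHA1_LEN], raw[-SHA1_LEN:]
    expected = hashlib.sha1(body + base64.b64decode(secret_b64)).digest()
    if not hmac.compare_digest(digest, expected):  # constant-time compare
        raise ValueError("digest mismatch: wrong secret or altered fields")
    created, expires = int(body[4:12], 16), int(body[12:20], 16)
    if not created <= now < expires:
        raise ValueError("token is outside its validity window")
    return {"username": body[20:].decode("ascii"),
            "created": created, "expires": expires}


if __name__ == "__main__":
    issued = 1321315200  # constructed timestamp
    token = build_token("CN=Demo User/O=Example", DEMO_SECRET, issued)
    print(token)
    print(verify_token(token, DEMO_SECRET, issued + 60))
```

Pasting a cookie value captured from the iRule's debug log into `verify_token` with the same base64 secret shows whether the fields and digest line up before the token is tested against Domino.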
