Forum Discussion

David_Haggett_2
Mar 06, 2017

Extract CN Field from SSL Client Certificate

Hi

Have inherited an APM configuration from a software developer, and been asked by the customer to apply the same technology on an external facing reverse proxy (currently running TMOS/APM 11.5.4).

We use the following APM macro to extract the user name from a client SSL certificate.

set f1 [mcget {session.ssl.cert.subject} ] 
set f2 [split $f1 "=" ] 
set f3 [lindex $f2 1]
set f4 [split $f3 ","] 
set f5 [lindex $f4 0]

It works as long as CN is the first field in the data returned by session.ssl.cert.subject, but unfortunately, the externally signed certificate presented by the web browser has the data in a different order:

OU=MULTI-ALLOWED
OU=XXXXXXX
CN=USERNAME

The resulting LDAP search macro tries to look up a user called "MULTI-ALLOWED" and fails. We don't have control over the format of the client certificate, which we believe will be issued by the customer. How would I ensure that we extract the CN field regardless of its position in the certificate subject field? Would simply changing the search term in the first split command resolve the issue?

set f2 [split $f1 "CN=" ]

My knowledge of Tcl, UNIX/Linux string manipulation and regular expressions is very limited. I found a reference to session.ssl.cert.cn in the documentation for 10.1.x but it isn't mentioned for later versions. Is it still supported?

  • Hi,

    you can use a regex:

    regexp {CN=([^,]+)} [mcget {session.ssl.cert.subject} ] CNFull CNValue;
    return $CNValue
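
As an added example that is not part of the original thread, here is the regexp approach from the answer made position-independent and fail-closed, in a form you can run with tclsh on constructed subjects before putting the inline version into the APM macro. It assumes the comma-separated "ATTR=value,ATTR=value" layout that the posted macro already relies on.

```tcl
# Added example, not code from the original thread or from F5. It extracts the
# CN attribute from a comma-separated subject DN wherever it sits, and returns
# an empty string when no CN is present so the caller can deny instead of
# running the LDAP search against whatever attribute came first.
# Assumes the "ATTR=value,ATTR=value" layout used by the posted macro.

proc extract_cn {subject} {
    # CN must begin the string or follow a comma, so an attribute whose value
    # merely contains "CN=" is not matched; -nocase tolerates "cn=".
    if {[regexp -nocase {(?:^|,)\s*CN=([^,]*)} $subject -> cn]} {
        set cn [string trim $cn]
        if {$cn ne ""} {
            return $cn
        }
    }
    return ""
}

# In an APM Variable Assign custom expression the same logic, inline, is:
#   if {[regexp -nocase {(?:^|,)\s*CN=([^,]*)} [mcget {session.ssl.cert.subject}] -> cn]} {
#       return [string trim $cn]
#   }
#   return ""

# Constructed sample subjects covering the cases discussed in the thread.
set samples {
    "CN=USERNAME,OU=XXXXXXX,OU=MULTI-ALLOWED"
    "OU=MULTI-ALLOWED,OU=XXXXXXX,CN=USERNAME"
    "OU=MULTI-ALLOWED, cn=username"
    "OU=MULTI-ALLOWED,OU=XXXXXXX"
}

foreach subject $samples {
    set cn [extract_cn $subject]
    if {$cn eq ""} {
        puts "$subject -> no CN, deny access"
    } else {
        puts "$subject -> $cn"
    }
}
```

Tcl's split treats its second argument as a set of single characters, so `split $f1 "CN="` would break the string at every C, N and = rather than at the string "CN=", which is why the regexp approach is the right tool here.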