Forum Discussion
Keith_Black
Nimbostratus
Mar 04, 2020
Extract the Principal Name (UPN) from the Subject Alternative Name (SAN) iRule
I need to extract the 'Other Name: Principal Name=' from the Subject Alternative Name field in the X509, regardless of the length of the principal name value. Here is what I have so far but unsure ...
SteveMC
Altostratus
Mar 06, 2020
I don't think "Principal Name=1" is going to get you anywhere, as it is "othername:UPN<whatever>" in the x509 extension itself.
To be honest, I have only ever done this with APM:
https://support.f5.com/csp/article/K17063
Or with an iRule event called by APM:
when ACCESS_POLICY_AGENT_EVENT {
    set upn [findstr [ACCESS::session data get session.ssl.cert.x509extension] "UPN" 4 > ]
    ...
}
* Edit *
Don't forget when you're testing stuff like this out, you can always just shove the whole thing into the log to figure out exactly what strings to search for.
https://clouddocs.f5.com/api/irules/X509__extensions.html
when CLIENTSSL_CLIENTCERT {
    set client_cert [SSL::cert 0]
    log local0. "Client cert extensions - [X509::extensions $client_cert]"
    # Split the X509::extensions output on each newline character and log the values
    foreach item [split [X509::extensions [SSL::cert 0]] \n] {
        log local0. "$item"
    }
}
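The extraction described in the reply above, as an added example that is not part of the original posts: a plain Tcl proc (the name `extract_upn` is hypothetical) that pulls the UPN out of the extension text whatever its length. It assumes the `othername:UPN<value>` form mentioned in the reply; the sample input is constructed.

```tcl
# Added example, not code from the thread. Written to run in plain tclsh and
# to avoid anything newer than Tcl 8.4.
# Assumption: the SAN text carries the UPN as "othername:UPN<value>".

proc extract_upn {ext_text} {
    set upns [list]
    # [^<>\s]+ consumes everything up to the closing ">", so the length of
    # the principal name does not matter.
    set hits [regexp -all -inline -nocase {othername:\s*UPN<([^<>\s]+)>} $ext_text]
    foreach {whole value} $hits {
        if {[lsearch -exact $upns $value] == -1} {
            lappend upns $value
        }
    }
    # Fail closed: no UPN, or more than one distinct UPN, yields "".
    if {[llength $upns] != 1} {
        return ""
    }
    set upn [lindex $upns 0]
    # Accept only a conservative user@domain shape before the value is
    # logged or handed to anything that makes an access decision.
    if {![regexp {^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$} $upn]} {
        return ""
    }
    return $upn
}

# Constructed sample input (not captured from a real certificate).
set sample [join {
    "X509v3 Key Usage: critical"
    "    Digital Signature"
    "X509v3 Subject Alternative Name:"
    "    othername:UPN<a.very.long.principal.name@corp.example.com>, email:jdoe@example.com"
} "\n"]

puts "UPN found:      '[extract_upn $sample]'"
puts "No SAN present: '[extract_upn {X509v3 Key Usage: critical}]'"
puts "Two UPNs:       '[extract_upn {othername:UPN<a@x.example>, othername:UPN<b@x.example>}]'"
```

In an iRule the input would be `[X509::extensions [SSL::cert 0]]` inside `CLIENTSSL_CLIENTCERT`, and an empty result should be treated as "no usable UPN" rather than passed on.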
