Forum Discussion
How do I configure SOAP web services and OCSP client cert validation
Hi
I configured OCSP validation in APM and it works when I use GET methods in the browser, but when I try to send a POST to the SOAP service the connection fails, and in the APM logs I didn't see any indication of the error. I think the problem is the redirection to /mypolicy, but how can I validate the OCSP without APM?
4 Replies
- iaine
Nacreous
Hi, if you are sending a POST then the client won't want to follow the redirects. To counter this you can configure the policy to go into Clientless Mode to proxy the request, complete the APM auth, and then forward on the POST request.
Details can be found here - https://support.f5.com/csp/article/K80934060#link_06
You can limit the use of Clientless mode so that only those clients who are sending a POST make use of this. Also, be aware of the size limitation of the POST request as detailed in the link above.
- David_caceres
Nimbostratus
Hi Iaine
I tried to configure clientless mode, but when I try to validate the certificate, in the APM logs I saw the log: OCSP Auth agent: Failure status 'Certificate not found for the session'
That means I didn't receive the certificate, but in SoapUI the client certificate authentication is configured.
I read in the link that the only configuration needed for this is a request or require check on ssl_profile.
But after verifying both, it didn't work.
Is there another way to insert the client certificate and send it to the auth policy to validate the certificate by OCSP?
- David_caceres
Nimbostratus
This is the log of my SoapUI
Mon Oct 14 12:54:39 PYST 2019:DEBUG:>> "GET /de/ws/consultas/consulta-ruc.wsdl?wsdl HTTP/1.1[\r][\n]"
Mon Oct 14 12:54:39 PYST 2019:DEBUG:>> "Host: sifen-tt.set.gov.py[\r][\n]"
Mon Oct 14 12:54:39 PYST 2019:DEBUG:>> "Connection: Keep-Alive[\r][\n]"
Mon Oct 14 12:54:39 PYST 2019:DEBUG:>> "User-Agent: Apache-HttpClient/4.1.1 (java 1.5)[\r][\n]"
Mon Oct 14 12:54:39 PYST 2019:DEBUG:>> "Cookie: LastMRH_Session=080ab7b7[\r][\n]"
Mon Oct 14 12:54:39 PYST 2019:DEBUG:>> "Cookie2: $Version=1[\r][\n]"
Mon Oct 14 12:54:39 PYST 2019:DEBUG:>> "[\r][\n]"
Mon Oct 14 12:54:39 PYST 2019:DEBUG:<< "HTTP/1.0 302 Found[\r][\n]" <------------/
Mon Oct 14 12:54:39 PYST 2019:DEBUG:<< "Server: BigIP[\r][\n]"
Mon Oct 14 12:54:39 PYST 2019:DEBUG:<< "Connection: Close[\r][\n]"
I found the 302 Found again after I used the clientless iRule added to the VS.
Can you tell me where I need to add the iRule?
- iaine
Nacreous
Hi
The code at a simple level is
when HTTP_REQUEST { HTTP::header insert "clientless-mode" 1 }
which will evaluate for all connecting clients. You would probably want to narrow the scope of this so that it only fires for requests from particular IPs or specific HTTP host headers for example.
Where are you requesting the Client Cert? You want to do this as part of the clientssl profile rather than in the APM policy. As you're proxying the request in clientless mode, you need all the info before the APM policy starts.
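One way to narrow the scope as suggested in the reply above, as an added example that is not part of the original thread or F5's own code: the iRule enables clientless mode only for POST requests to the SOAP path from allowed sources. The data group name `soap_clients_dg` is hypothetical, the `/de/ws/` prefix is taken from the SoapUI log earlier in the thread, and removing a client-supplied header first is an added assumption for a virtual server that serves only this SOAP API.

```tcl
when HTTP_REQUEST {
    # Assumption: discard any clientless-mode header sent by the client,
    # so only this iRule decides which requests skip the redirect flow.
    HTTP::header remove "clientless-mode"

    # Scope: POST requests to the SOAP services path (prefix taken from the
    # SoapUI log in this thread) from sources listed in an address data group.
    # soap_clients_dg is a hypothetical data group name.
    if { [HTTP::method] eq "POST"
         && [string tolower [HTTP::path]] starts_with "/de/ws/"
         && [class match [IP::client_addr] equals soap_clients_dg] } {
        HTTP::header insert "clientless-mode" 1
    }
}
```

Requests that do not match all three conditions keep the normal browser flow, including the 302 redirect into the access policy.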