Forum Discussion
Stanley_87566 (Nimbostratus), Sep 06, 2012
iRule for certificate injection into the HTTP header
I tried the iRule below according to the McAfee KB for their MDM solution, but it seems not to work. Is there any sample of the VS and pool config? How do I configure the F5 to "request a certificate"? Is it only a matter of assigning the SSL server profile?
https://kc.mcafee.com/corporate/ind...dadf007eb4
- This is an example which you might need to modify to work correctly in your environment.
- You must also configure the F5 appliance to request a certificate from the connecting devices.
- Lines beginning with a # contain comments that will help you to configure the iRule.
# Client has already established an SSL connection with the load balancer
# This event is triggered when an http request is detected
when HTTP_REQUEST {
    # check if the uri starts with /Trust
    if { [HTTP::uri] starts_with "/Trust" } {
        # if it does, check if the client offered a certificate by the cert count.
        if { [SSL::cert count] <= 0 } {
            # if there is no client certificate hold the HTTP request till the SSL re-negotiation is done.
            # HTTP::collect holds the request; it is released again in CLIENTSSL_CLIENTCERT below.
            HTTP::collect
            # Note the cert request: invalidate the session and renegotiate, asking the client for a certificate.
            SSL::session invalidate
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode request
            SSL::renegotiate
        } else {
            # else set variable c_cert with the client side certificate
            set c_cert [SSL::cert 0]
        }
    }
}
# This event is triggered when the load balancer sees a certificate message from the client
when CLIENTSSL_CLIENTCERT {
    # release any stored data just in case (the request collected in HTTP_REQUEST)
    HTTP::release
    # if there is still no cert after the SSL renegotiation kill the connection by sending a reset back to the client
    if { [SSL::cert count] < 1 } {
        reject
    } else {
        # otherwise set variable c_cert with the client side certificate. 0 is the first cert, 1 the second, etc.
        set c_cert [SSL::cert 0]
    }
}
# This event is triggered when sending data to the server
when HTTP_REQUEST_SEND {
    # evaluate the if statement under client-side context
    clientside {
        # if there is a client side cert base64 encode it (DER form) and inject it in the header
        if { [info exists c_cert] } {
            HTTP::header insert X-Client-Cert [b64encode $c_cert]
        }
    }
}
Kevin_Stewart (Employee): At a minimum you need a client SSL profile applied to the VIP with the following characteristics:
when HTTP_REQUEST { HTTP::header insert X-Client-Cert [b64encode [SSL::cert 0]] }
Stanley_87566 (Nimbostratus): Thx Kevin,
Kevin_Stewart (Employee): I should mention that the most significant difference between your iRule and mine, aside from size, is that your iRule triggers an SSL re-negotiation to get the client certificate if the user attempts to access /Trust. If that's what you need then your iRule should work just fine and you'd want to set the Client Authentication to "ignore" in the client SSL profile.
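Both iRules in this thread hand the client certificate to the pool member as a base64-encoded DER blob in X-Client-Cert, so the application behind the BIG-IP still has to turn that header back into a certificate and decide whether to trust it. The following is an added example, not code from the thread, from F5 or from the McAfee KB: a small Python consumer that validates the header the way a backend should. Because `HTTP::header insert` adds a header rather than replacing one, a request that arrives with more than one X-Client-Cert is treated as malformed, the base64 is decoded strictly, the outer DER SEQUENCE length is checked against the payload, and the certificate's SHA-256 fingerprint is matched against an allowlist before the request is accepted. The header name is the one from the thread; the allowlist, function names and the tiny DER blob used as sample input are all constructed for the example (the blob is a valid DER SEQUENCE, not a real certificate).

```python
import base64
import binascii
import hashlib
import ssl
from typing import Iterable, Sequence, Tuple

# Header name used by the iRules in the thread.
HEADER = "X-Client-Cert"

# Constructed sample input: a minimal DER SEQUENCE { INTEGER 42, NULL }.
# A real deployment would see the client's X.509 certificate here instead.
SAMPLE_DER = b"\x30\x05\x02\x01\x2a\x05\x00"


class ClientCertError(Exception):
    """Raised when X-Client-Cert is missing, duplicated, malformed or untrusted."""


def _der_total_length(der: bytes) -> int:
    """Return the full encoded length of the outermost DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ClientCertError("payload is not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:  # short-form length
        return 2 + first
    n = first & 0x7F  # long-form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ClientCertError("bad DER length encoding")
    return 2 + n + int.from_bytes(der[2 : 2 + n], "big")


def extract_client_cert(headers: Sequence[Tuple[str, str]]) -> bytes:
    """Pull exactly one X-Client-Cert header and return the DER bytes it carries."""
    values = [v for k, v in headers if k.lower() == HEADER.lower()]
    # The BIG-IP inserts one header; a second copy means the client supplied
    # its own, so refuse rather than guess which one to trust.
    if len(values) != 1:
        raise ClientCertError(f"expected exactly one {HEADER} header, got {len(values)}")
    try:
        der = base64.b64decode(values[0].strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ClientCertError("header value is not valid base64") from exc
    if _der_total_length(der) != len(der):
        raise ClientCertError("DER length does not match payload size")
    return der


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def to_pem(der: bytes) -> str:
    """Re-wrap the DER bytes as PEM for libraries that expect that form."""
    return ssl.DER_cert_to_PEM_cert(der)


def authorize(headers: Sequence[Tuple[str, str]], allowed: Iterable[str]) -> str:
    """Validate the injected certificate and return its fingerprint if allowlisted."""
    der = extract_client_cert(headers)
    fp = fingerprint(der)
    if fp not in set(allowed):
        raise ClientCertError("client certificate is not in the allowlist")
    return fp


if __name__ == "__main__":
    # Simulate what the pool member receives after the iRule ran (constructed).
    request_headers = [
        ("Host", "mdm.example.test"),
        (HEADER, base64.b64encode(SAMPLE_DER).decode()),
    ]
    allowlist = {fingerprint(SAMPLE_DER)}
    print("accepted fingerprint:", authorize(request_headers, allowlist))
    print(to_pem(SAMPLE_DER))
```

The allowlist lookup stands in for whatever trust decision the application really makes (CA chain validation, subject matching, revocation); the point of the example is that the header is only as trustworthy as the checks on the receiving side, and that a client-supplied duplicate of the header must not be able to shadow the one the BIG-IP inserted.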