Forum Discussion
Tom_Lebel_53961
Nimbostratus
Dec 27, 2005
Need to pass the entire CGI collection
First off, be gentle, I'm a newbie.
We are installing BigIPs and moving many of our pre-existing web apps behind them. Many of our apps use variables from the CGI collection, such as auth_use...
Matthew_Newby_1
Nimbostratus
Dec 29, 2005
Joe (and anyone else who may care to reply),
The issue we're facing (Tom and I, along with other web developers here) is that we need to get at data that's normally in the cgi.cert_subject variable when the SSL connection is terminated at the web server. We are using client-side personal certificates to uniquely identify each individual accessing our web servers (DoD-issued Common Access Cards or CACs). The user's public certs are installed in the user's Windows profile, and our IIS web servers are currently set to accept client certificates in the SSL configuration of the Internet Server Manager tool. With this configuration, our web applications can access the cgi.cert_subject variable, pull portions of the CN= substring and look up the PKI serialized ID in our application user tables as part of user authentication. We also double-check against the cgi.auth_user to make sure the user credentials match up with the PKI credentials.
When I terminate the SSL connection at the BigIP and set the BigIP to "request" client certs, and set up the IIS server to NOT require SSL connections, I still get the cgi.auth_user, but the cgi.cert_subject is blank. We're looking for some way to: ideally, pick up the cert_subject at the BigIP and jam it back into the same cgi field when the request gets tossed over to the internal interface (no web application rewrites required), or less than ideally, pick up the cert_subject at the BigIP and put it somewhere else in the headers passed along with the request on the internal interface (some web application rewrites required).
Thanks!
-matt
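An added example, not part of the original post and not F5 or application code: a backend-side check for the second option described above, where the BigIP forwards the certificate subject in a request header and the application repeats the CN lookup and auth_user double-check. The header name, proxy address, CN layout (dot-separated, ending in a numeric ID) and user table are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumptions (not from the original post): header name, proxy address,
# CN layout and user table are hypothetical, constructed for illustration.
SUBJECT_HEADER = "X-Client-Cert-Subject"
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}  # BigIP internal address (constructed)
USER_TABLE = {"1234567890": "DOMAIN\\jdoe"}           # PKI ID -> expected auth_user (constructed)

# Split on commas that are not escaped with a backslash.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def common_name(subject):
    """Return the CN value from a subject string such as 'CN=...,OU=...,C=US'."""
    for rdn in _RDN_SPLIT.split(subject):
        key, sep, value = rdn.strip().partition("=")
        if sep and key.strip().upper() == "CN":
            return value.strip().replace("\\,", ",")
    return None


def pki_id(cn):
    """Assumed CN layout: dot-separated name parts ending in a numeric ID."""
    tail = cn.rsplit(".", 1)[-1]
    return tail if tail.isdigit() else None


def authenticate(peer_ip, headers, auth_user):
    """headers is a list of (name, value) pairs. Returns the matched user or None."""
    # Only the proxy that terminated SSL may assert a certificate subject.
    if ipaddress.ip_address(peer_ip) not in TRUSTED_PROXIES:
        return None
    values = [v for k, v in headers if k.lower() == SUBJECT_HEADER.lower()]
    # A missing or duplicated header is treated as a failure.
    if len(values) != 1:
        return None
    cn = common_name(values[0])
    ident = pki_id(cn) if cn else None
    expected = USER_TABLE.get(ident) if ident else None
    # Same double-check the post describes: PKI identity must match auth_user.
    if expected is None or expected.lower() != auth_user.lower():
        return None
    return expected
```

The check only holds if the proxy removes any copy of this header arriving from the client side before inserting its own, and if the web servers accept requests on the internal interface from the proxy alone.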