LyonsG_85618
Nov 16, 2012 · Cirrostratus
Passing decoded certificates in HTTP header
Hi folks.
I have been requested to set up BIG-IP to request certificate authentication and then insert the WHOLE UNENCODED certificate into the HTTP header and pass it to a different virtual server.
I have trawled the forum already but can't find the resolution anywhere.
The iRule I have set up at present is:

# First check to see whether cert is present then validate it
when CLIENTSSL_CLIENTCERT {
    set debug 0
    # Check if client provided a cert
    if { [SSL::cert 0] eq "" } {
        # Reset the connection if no cert present
        reject
        # Stop here so the CN check below does not run with $subject_dn unset
        return
    } else {
        # Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
        set ssl_cert [SSL::cert 0]
        set subject_dn [X509::subject [SSL::cert 0]]
    }
    # Check if the certificate contains valid CN
    if { ($subject_dn contains "CN=Company A") or ($subject_dn contains "CN=Company B") } {
        # Accept the client cert
        log "Client Certificate Accepted:$subject_dn [X509::whole $ssl_cert]"
    } else {
        log "No Matching Client Certificate Was Found Using: $subject_dn"
        reject
    }
}

# Then re-write and pass to a different VIP
when HTTP_REQUEST {
    set requestedhost [string tolower [HTTP::host]]
    set requestedURI [HTTP::uri]
    if { $requestedhost equals "string1.domainA.com" } {
        HTTP::header replace Host "string2.domainA.com"
        HTTP::header insert "X509Certificate" [X509::whole [b64decode [SSL::cert 0]]]
        virtual VS_SYST_SOA_EXTERNAL_LIVE_HTTPS
    }
}
Any help or suggestions would be gratefully received.
Thanks
Graham
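
One way to forward the client certificate in a header, as an added example that is not part of the original post. The header name comes from the post; the variable names `client_cert_pem` and `one_line` are illustrative, and stripping the PEM line breaks is an assumption about what the receiving application can parse.

```tcl
# Added example, not the poster's code.
when CLIENTSSL_CLIENTCERT {
    # Keep the PEM text of the leaf certificate for the HTTP events
    # that follow on this connection.
    if { [SSL::cert count] > 0 } {
        set client_cert_pem [X509::whole [SSL::cert 0]]
    }
}

when HTTP_REQUEST {
    # The header is an identity assertion made by the BIG-IP, so drop
    # any copy the client sent before deciding whether to add our own.
    HTTP::header remove "X509Certificate"

    if { [info exists client_cert_pem] } {
        # PEM text contains line breaks, which cannot appear inside a
        # single header value. Remove them so the certificate travels
        # as one line; the receiver restores the BEGIN/END framing.
        set one_line [string map [list "\r" "" "\n" ""] $client_cert_pem]
        HTTP::header insert "X509Certificate" $one_line
    }
}
```

The receiving virtual server should accept this header only on traffic that arrives from the BIG-IP, since any other path to it would let a client assert an arbitrary certificate.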