Forum Discussion
Tom_Lebel_53961
Nimbostratus
Jan 24, 2006
Passing SSL Client Cert data - more info needed
We need to know:
1. Is this the best way to get client cert data to the web server? (We used to use it from the cgi collection, is there a way to get it into that collection again?)
2. What kind...
William_Them_99
Nimbostratus
Feb 22, 2006
I wonder if anyone can help me with a similar issue.
We have iRules attached to authentication profiles, and then one main iRule for the virtual server. The iRule in the auth profile saves the client certificate to the session, and then the main iRule can examine it within the session.
We are also experiencing timeout issues with the data whereby the client certificate gets lost. Users will experience this in terms of being re-prompted for the client certificate in mid-session.
The other aspect of the problem is that when the user is re-prompted for the client certificate and selects one, the main iRule still cannot see it and sends the user to our custom page that indicates a missing client certificate. Our logging shows that when this happens, the user enters the HTTP_REQUEST, and the BIGIP sees no client cert and then executes the iRules attached to the auth profiles. After this, even though it does execute these iRules and resaves the cert to the session, the user still sees the No Cert Provided error page... perhaps because it was already in the HTTP_REQUEST?
We tried to follow the advice above about session/cache timeouts. The default Cache timeout in the client profile is 3600, so we made our session timeout be 3601 - but this seemed to cause the client cert to be lost immediately.
So I guess my question is two-fold: 1. How do I make the client cert last in the session indefinitely, and 2. If that is not possible, is there a way to fix it so after the re-prompt it will recognize the certificate within that transaction?
As is usual with me, this may be unclear or more appropriate for a support ticket. If either is the case, please let me know.
Thanks.
-Bill
