Forum Discussion
Dirk_Laan_18877
Nimbostratus
Jul 18, 2006
problem migrate cert rule from version 4 to 9
Hello,
I'm trying to get the following rule to work on my BIG-IP with version 9.x.
I have a rule that worked fine on the BIG-IP that is running 4.x,
but on the BIG-IP with version 9.x it still gives me the error that I did not have a client cert.
the rule from version 4.x:
if (http_header("SSLClientCertStatus") == one of ccert_ok) {
    use pool Portal-apps
}
else if (http_header("SSLClientCertStatus") == "NoClientCert") {
    redirect to "https://test.test.nl/errors/cert_error.htm"
}
else {
    redirect to "https://test.test.nl/errors/nocert.htm"
}
the rule from version 9.x:
I've created the class.
when HTTP_REQUEST {
    set hdr [HTTP::header "SSLClientCertStatus"]
    if { [matchclass $hdr equals $::ccert_ok] } {
        pool portal-apps
    } elseif { $hdr equals "NoClientCert" } {
        HTTP::redirect "https://test.test.nl/errors/nocert.htm"
    } else {
        HTTP::redirect "https://test.test.nl/errors/cert_error.htm"
    }
}
Any help would be great.
7 Replies
- iControl is our remote management API. If you would post this to our iRules forum, we'll see if we can help you out.
-Joe
- Dirk_Laan_18877
Nimbostratus
Hello Joe,
Can you help us out with the rule?
We tried your rule but it did not work.
Please help us out.
Dirk & Hille
- I'll comment here, but next time or for future iRules questions please post them to the iRules forum.
Without having your testing scenario it's very hard for me to comment on why things aren't working. My first suggestion would be to include some log statements to try to isolate the issues. Something like this:
when HTTP_REQUEST {
    set hdr [HTTP::header "SSLClientCertStatus"]
    log local0. "SSLClientCertStatus header value: $hdr"
    if { [matchclass $hdr equals $::ccert_ok] } {
        log local0. "found header match in ccert_ok class"
        pool portal-apps
    } elseif { $hdr equals "NoClientCert" } {
        log local0. "No match found in ccert_ok class and header equals \"NoClientCert\""
        HTTP::redirect "https://test.test.nl/errors/nocert.htm"
    } else {
        log local0. "No match in ccert_ok and header doesn't equal NoClientCert"
        HTTP::redirect "https://test.test.nl/errors/cert_error.htm"
    }
}
Then after you run traffic through this rule, look in the /var/log/ltm file on the BIG-IP. It will contain the log statements. By looking at the value of the hdr variable and which conditions were passed, you should be able to diagnose the issues for yourself.
Where is the SSLClientCertStatus header coming from? Could that be empty? The logs will tell...
-Joe
- Dirk_Laan_18877
Nimbostratus
The results of the log:
Jul 18 23:04:17 tmm tmm[743]: Rule dirk : SSLClientCertStatus header value:
Jul 18 23:04:17 tmm tmm[743]: Rule dirk : No match in ccert_ok and header doesn't equal NoClientCert
So I still have no idea what the problem is.
I've made a data group named: ccert_ok
The strings in this data group are:
OK
Error 12
Dirk
- Looks like your client request has no header value of SSLClientCertStatus. No way of getting the iRule to work if the browser isn't sending that header. I didn't see any reference in your v4 rule of inserting the header. Where is this header coming from?
-Joe
- Dirk_Laan_18877
Nimbostratus
The rule on version 4 worked:
if (http_header("SSLClientCertStatus") == one of ccert_ok) {
so the header is filled in version 4.
The header is coming from the client, because he has the client certificate.
Dirk
- Hille_de_Graaf_
Nimbostratus
Hi Joe,
We tested with the "log local0." lines. And we found out that there is no SSLClientCert value in the HTTP-request header.
So how can we fill the variable with the SSLClientCert value?
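The logs earlier in the thread show the header is simply absent from the request, and anything a browser did send in an HTTP header would be client-controlled in any case, so the status is better derived from the client-certificate handshake that the BIG-IP itself performs. The following iRule is an added example, not code from the thread or from F5; it assumes the client SSL profile is set to request a client certificate (so CLIENTSSL_CLIENTCERT fires), that the ccert_ok data group holds the status strings in the "OK" / "Error <code>" form shown above, and it keeps the poster's v9 pool and redirect targets.

```tcl
# Added example: derive SSLClientCertStatus from the handshake instead of
# trusting a header in the client request. Assumes the client SSL profile
# requests a client certificate and the ccert_ok data group contains values
# such as "OK" and "Error 12" (format taken from the thread).
when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] == 0 } {
        # Handshake reached the certificate step but none was presented
        set cert_status "NoClientCert"
    } elseif { [SSL::verify_result] == 0 } {
        # 0 means the chain verified against the profile's trusted CAs
        set cert_status "OK"
    } else {
        # Any other value is an X509 verification error code, e.g. "Error 12"
        set cert_status "Error [SSL::verify_result]"
    }
}

when HTTP_REQUEST {
    # The event above may not have run if no certificate was ever requested
    if { ![info exists cert_status] } {
        set cert_status "NoClientCert"
    }
    # Overwrite whatever the client sent so the back end only sees our value
    HTTP::header remove "SSLClientCertStatus"
    HTTP::header insert "SSLClientCertStatus" $cert_status
    log local0. "SSLClientCertStatus derived from handshake: $cert_status"

    if { [matchclass $cert_status equals $::ccert_ok] } {
        pool portal-apps
    } elseif { $cert_status equals "NoClientCert" } {
        HTTP::redirect "https://test.test.nl/errors/nocert.htm"
    } else {
        HTTP::redirect "https://test.test.nl/errors/cert_error.htm"
    }
}
```

The cert_status variable is connection-scoped, so on a keep-alive connection every request inherits the result of the one handshake that opened it.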