For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Dirk_Laan_18877's avatar
Dirk_Laan_18877
Icon for Nimbostratus rankNimbostratus
Jul 18, 2006

problem migrate cert rule from version 4 to 9

Hello,     I'm trying to get the folling rule to work on my bigip with version 9.x     I have a rule that worked fine on the bigip that is running 4.x     but on the bigip with versi...
dev
devops
iControl
Joe_Pruitt's avatar
Joe_Pruitt
Jul 18, 2006
I'll comment here, but next time or for future iRules questions please post them to the iRules forum.

Without having your testing scenario it's very hard for me to comment on why things aren't working. My first suggestion would be to include some log statements to try to isolate the issues. Something like this

when HTTP_REQUEST {
  set hdr [HTTP::header "SSLClientCertStatus"]
  log local0. "SSLClientCertStatus header value: $hdr"
  if { [matchclass $hdr equals $::ccert_ok] } {
    log local0. "found header match in ccert_ok class"
    pool portal-apps
  } elseif { $hdr equals "NoClientCert" } {
    log local0. "No match found in ccert_ok class and header equals "NoClientCert"
    HTTP::redirect "https://test.test.nl/errors/nocert.htm"
  } else {
    log local0. "No match in ccert_ok and header doesn't equal NoClientCert"
    HTTP::redirect "https://test.test.nl/errors/cert_error.htm"
  }
}

Then after you run traffic through this rule, look in the /var/log/ltm file on the BIG-IP. It will contain the log statements. By looking at the value of hdr variable and which conditions were passed, you should be able to diagnose out the issues for yourself.

Where is the SSLClientCertStatus header coming from? Could that be empty? The logs will tell...

-Joe