Forum Discussion
Muhammad_Irfan1
Cirrus
CirrusRequire User ID of client connected in logs.
I have SSL client authentication required and its working fine.
HOw can I get User ID of client certificate in logs?
11 Replies
Muhammad_Irfan1Please any body help. I am in need.- shaggy_121467
Cumulonimbus
check out - https://devcentral.f5.com/wiki/iRules.CLIENTSSL_CLIENTCERT.ashx
the second example in that wiki page (included below) should be a good starting point. i would log that value remotely using HSL instead of logging locally
when CLIENTSSL_CLIENTCERT { Debug flag set debug 1 Check if client presented a cert after it was requested/required if {[SSL::cert count] > 0}{ Client presented at least one cert. The actual client cert should always be first. if {$debug > 1}{ Loop through each cert and log the cert subject, issuer and serial number for {set i 0} {$i < [SSL::cert count]} {incr i}{ log local0. "[IP::client_addr]:[TCP::client_port]: cert $i; subject=[X509::subject [SSL::cert $i]];\ [X509::issuer [SSL::cert $i]]; cert_serial=[X509::serial_number [SSL::cert $i]];" } } } else { if {$debug > 1}{log local0. "[IP::client_addr]:[TCP::client_port]: No client cert found!"} } }- Muhammad_Irfan1Thank you sir for the reply.. I will try this tomorrow and will let you know.
- Muhammad_Irfan1Sir this iRule is not logging anything. Although Client authentication is required and i am presenting client authentication certificate. I recieved not log at all. Although iRule gave no syntax error.
- shaggy_121467like i said, use this for reference. i pulled the rule from examples on the CLIENTSSL_CLIENTCERT wiki page. i did not test, but it looks as if it should log if the client presents a certificate to the virtual server
shaggyNimbostratus
check out - https://devcentral.f5.com/wiki/iRules.CLIENTSSL_CLIENTCERT.ashx
the second example in that wiki page (included below) should be a good starting point. i would log that value remotely using HSL instead of logging locally
when CLIENTSSL_CLIENTCERT { Debug flag set debug 1 Check if client presented a cert after it was requested/required if {[SSL::cert count] > 0}{ Client presented at least one cert. The actual client cert should always be first. if {$debug > 1}{ Loop through each cert and log the cert subject, issuer and serial number for {set i 0} {$i < [SSL::cert count]} {incr i}{ log local0. "[IP::client_addr]:[TCP::client_port]: cert $i; subject=[X509::subject [SSL::cert $i]];\ [X509::issuer [SSL::cert $i]]; cert_serial=[X509::serial_number [SSL::cert $i]];" } } } else { if {$debug > 1}{log local0. "[IP::client_addr]:[TCP::client_port]: No client cert found!"} } }- Muhammad_Irfan1Thank you sir for the reply.. I will try this tomorrow and will let you know.
- Muhammad_Irfan1Sir this iRule is not logging anything. Although Client authentication is required and i am presenting client authentication certificate. I recieved not log at all. Although iRule gave no syntax error.
- shaggylike i said, use this for reference. i pulled the rule from examples on the CLIENTSSL_CLIENTCERT wiki page. i did not test, but it looks as if it should log if the client presents a certificate to the virtual server
