Retrieve UPN from client certificate SAN RFC 822 Name:

Question

Dear all,&nbsp;I would like to retrieve the UPN from the SAN of the client certificate which has the field RFC 822 Name:user@domain.com.The APM collect the information inside the session.ssl.cert.x509extension variable as email:user@domain.com&nbsp;In this link it is explained however here they use SAN field type of&nbsp;otherName:UPNhttps://my.f5.com/manage/s/article/K17063How should we modify the mcget command to get this value in session.logon.last.upn?

marvin · Answer

Hi Lucas, thanks for responding the variable contains the following (i masked sensitive data to test domains only) X509v3 extensions: X509v3 Subject Key Identifier: 76:09:B8:BA:1A:E9:09:86:78:22:9C:53:1B:D4:AF:E9:81:55:57:01 X509v3 Authority Key Identifier: keyid:DD:0C:FD:A1:21:AF:E3:AC:F3:6E:93:04:AB:D5:07:8B:B9:24:08:08 X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.27171.175.10.1.30 CPS: http://info.pki.test.eu/cps Policy: 0.4.0.2042.1.2 X509v3 Extended Key Usage: TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin X509v3 Key Usage: critical Digital Signature, Non Repudiation X509v3 Subject Alternative Name: email:john.bar@ext.Test.eu X509v3 CRL Distribution Points: Full Name: URI:http://info.pki.test.eu/crl/Test-EU-Users-CA.crl Full Name: URI:ldap://ldap.test.com.eu/CN=Test%20EU%20Users%20CA,O=Test,C=BE?certificateRevocationList?base?objectClass=pkiCA Authority Information Access: CA Issuers - URI:http://info.pki.test.com/cacerts/Test-EU-Users-CA.p7b CA Issuers - URI:ldap://test.domain.comCN=CU%20Users%20CA,O=Tlium,C=BE?cACertificate?base?objectClass=pkiCA OCSP - URI:http://otest.pki.test.com

marvin · Answer

so we should find Subject Alternative Name: email:john.bar@ext.Test.eu with mcget command inside the VPE policy, I woild rather prefer this instead of using Irules

marvin · Answer

Hi Lucas would you already have some kind of feedback on this?

lucas_thompson · Answer

Can you share your example certificate's exact "session.ssl.cert.x509extension" value formatted this way? It shouldn't be too tough to adapt that VPE rule to handle either othername:upn or rfc822 style format.

lucas_thompson · Answer

When you review the session variables for this session, what exactly do the variables look like? I'd assume looking at the output that APM would already parse these values into session variables. To check that, log in with your user and look at their "Variables" using this part of the GUI:

&nbsp;

Forum Discussion

Retrieve UPN from client certificate SAN RFC 822 Name:

Recent Discussions

Can you set Kerberos AAA server via session variable?

HTML Code injection Not detected by ASM

What will be happen to live and existing connections when failover HA BIG IP active-standby

SSL Offload and remove FQDN

High CPU utilization (100%).

Related Content

BIG-IQ Client Certificate (PKI) Authentication

Slack Mutual TLS Recipe: Adding X-Client-Certificate-SAN header from client certificate

Re: Management Certificate

Automating NGINX Certificate Rotation on AWS

ASM vs to APM vs and client certificates

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS