Forum Discussion

Marvin's avatar
Marvin
Icon for Cirrocumulus rankCirrocumulus
Jun 11, 2024

Retrieve UPN from client certificate SAN RFC 822 Name:

Dear all,   I would like to retrieve the UPN from the SAN of the client certificate which has the field RFC 822 Name:user@domain.com. The APM collect the information inside the session.ssl.cert.x5...
application delivery
Lucas_Thompson's avatar
Lucas_Thompson
Icon for Employee rankEmployee
Jun 12, 2024

Can you share your example certificate's exact "session.ssl.cert.x509extension" value formatted this way? It shouldn't be too tough to adapt that VPE rule to handle either othername:upn or rfc822 style format.

  • Marvin's avatar
    Marvin
    Icon for Cirrocumulus rankCirrocumulus
    Jun 13, 2024

    Hi Lucas, thanks for responding the variable contains the following (i masked sensitive data to test domains only) X509v3 extensions: X509v3 Subject Key Identifier: 76:09:B8:BA:1A:E9:09:86:78:22:9C:53:1B:D4:AF:E9:81:55:57:01 X509v3 Authority Key Identifier: keyid:DD:0C:FD:A1:21:AF:E3:AC:F3:6E:93:04:AB:D5:07:8B:B9:24:08:08 X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.27171.175.10.1.30 CPS: http://info.pki.test.eu/cps Policy: 0.4.0.2042.1.2 X509v3 Extended Key Usage: TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin X509v3 Key Usage: critical Digital Signature, Non Repudiation X509v3 Subject Alternative Name: email:john.bar@ext.Test.eu X509v3 CRL Distribution Points: Full Name: URI:http://info.pki.test.eu/crl/Test-EU-Users-CA.crl Full Name: URI:ldap://ldap.test.com.eu/CN=Test%20EU%20Users%20CA,O=Test,C=BE?certificateRevocationList?base?objectClass=pkiCA Authority Information Access: CA Issuers - URI:http://info.pki.test.com/cacerts/Test-EU-Users-CA.p7b CA Issuers - URI:ldap://test.domain.comCN=CU%20Users%20CA,O=Tlium,C=BE?cACertificate?base?objectClass=pkiCA OCSP - URI:http://otest.pki.test.com

    • Marvin's avatar
      Marvin
      Icon for Cirrocumulus rankCirrocumulus
      Jun 13, 2024

      so we should find Subject Alternative Name: email:john.bar@ext.Test.eu with mcget command inside the VPE policy, I woild rather prefer this instead of using Irules

      • Lucas_Thompson's avatar
        Lucas_Thompson
        Icon for Employee rankEmployee
        Jun 26, 2024

        When you review the session variables for this session, what exactly do the variables look like? I'd assume looking at the output that APM would already parse these values into session variables. To check that, log in with your user and look at their "Variables" using this part of the GUI:

         

  • Marvin's avatar
    Marvin
    Icon for Cirrocumulus rankCirrocumulus
    Jun 19, 2024

    Hi Lucas would you already have some kind of feedback on this?