Forum Discussion

dp_119903
Feb 10, 2015

RSA Self Service iRule no longer works

I upgraded from 11.2 to 11.6 and the RSA SecurID self-service page that was working is no longer working. I have an iRule that we are using:

 

Code
# Request side: rewrite the public Host header to the backend name and port.
when HTTP_REQUEST {
    if { [HTTP::header host] eq "PUBLIC.URL.COM" } {
        HTTP::header replace Host "ACTUAL_SERVER_FQDN:7004"
    }
}

# Response side: map the backend name in a redirect back to the public name.
when HTTP_RESPONSE {
    if { [HTTP::header Location] eq "ACTUAL_SERVER_FQDN:7004" } {
        HTTP::header replace Location [string map -nocase {ACTUAL_SERVER_FQDN:7004 PUBLIC.URL.COM} [HTTP::header value Location]]
    }
}

 

Everything was working great until we upgraded to 11.6. Now it looks like the HTTP response part of the iRule isn't working. Any updates to this iRule to get it working in 11.6?

 

Thanks!

 

  • Nope. I'm at a loss. It is consistent though b/c it's broken in both our dev/test as well as production environments. And it was working like a champ prior to the upgrade.
  • shaggy

    I've no explanation why it stopped working in 11.6 (11.2 to 11.6 isn't a small jump, so it's not a huge surprise). Have you tried logging the HTTP Location header in the HTTP_RESPONSE to make sure the Location value is ACTUAL_SERVER_FQDN:7004? That should help narrow down the issue to either the if-logic or the location-replacement logic.

     

    It looks like you stripped some code from the iRule - are you using any global variables or data-groups?

     

    Also, probably unrelated, it seems like a "contains" or "starts_with" would be more fitting than "eq" in the if-statement.

     

  • F5 support really rocked this.

     

    It turns out, after looking at the packet capture, that the server was receiving an "invalid parameter" in SSL negotiation.

     

    We were using the "default" serverssl profile, which also uses the default ciphers. After connecting to the server using openssl we could see that the cipher was using RC4-SHA. If you use the "tmm --serverciphers 'DEFAULT'" command on the F5 you can see what ciphers are in the "default". And with 11.6 they removed RC4-SHA. To fix it, temporarily, I just added :RC4-SHA to the cipher list so it now looks like:

     

    DEFAULT:RC4-SHA

     

    and it works. I think a more permanent fix is to update SSL on the server itself. But this fixed it.

     

    • shaggy
      Nice find - SSL cipher suites often change between F5 releases. I highly recommend not altering the F5 default profiles - create your own based on the F5 default and make your tweaks there. Changing defaults can cause migration/upgrade/support headaches.
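
The diagnosis reached in this thread can be scripted as a pre/post-upgrade check. This is an added example, not code from any participant: it compares two saved outputs of `tmm --serverciphers 'DEFAULT'` and tests whether the cipher a backend negotiated with openssl was dropped. The cipher tables and the s_client excerpt are constructed, abbreviated samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Sample data is constructed and abbreviated; on a real BIG-IP,
# save the output of `tmm --serverciphers 'DEFAULT'` before and after the
# upgrade and pass that text in instead.
BEFORE_SAMPLE='       ID  SUITE         BITS  PROT    METHOD  CIPHER  MAC  KEYX
 0:     5  RC4-SHA       128   TLS1    Native  RC4     SHA  RSA
 1:     5  RC4-SHA       128   TLS1.2  Native  RC4     SHA  RSA
 2:    47  AES128-SHA    128   TLS1    Native  AES     SHA  RSA
 3:    53  AES256-SHA    256   TLS1    Native  AES     SHA  RSA'
AFTER_SAMPLE='       ID  SUITE         BITS  PROT    METHOD  CIPHER  MAC  KEYX
 0:    47  AES128-SHA    128   TLS1    Native  AES     SHA  RSA
 1:    53  AES256-SHA    256   TLS1    Native  AES     SHA  RSA'
# Constructed excerpt in the style of `openssl s_client -connect host:port`.
S_CLIENT_SAMPLE='SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA'

# suites: read a tmm cipher table on stdin, print the unique suite names.
suites() {
  awk '$1 ~ /^[0-9]+:$/ { print $3 }' | sort -u
}

# removed_suites BEFORE AFTER: suites listed in BEFORE but missing from AFTER.
removed_suites() {
  after_list=$(printf '%s\n' "$2" | suites)
  printf '%s\n' "$1" | suites | while IFS= read -r s; do
    printf '%s\n' "$after_list" | grep -qxF -- "$s" || printf '%s\n' "$s"
  done
}

# negotiated_cipher: read s_client text on stdin, print the session cipher.
negotiated_cipher() {
  awk '/^ *Cipher *:/ { print $NF; exit }'
}

# backend_cipher_removed S_CLIENT BEFORE AFTER: exit 0 when the cipher the
# backend negotiated is one that the upgrade dropped from the list.
backend_cipher_removed() {
  c=$(printf '%s\n' "$1" | negotiated_cipher)
  removed_suites "$2" "$3" | grep -qxF -- "$c"
}

if backend_cipher_removed "$S_CLIENT_SAMPLE" "$BEFORE_SAMPLE" "$AFTER_SAMPLE"; then
  echo "backend cipher dropped from DEFAULT: $(printf '%s\n' "$S_CLIENT_SAMPLE" | negotiated_cipher)"
fi
```

A match is a lead rather than proof, since the backend may accept another suite that is still in the list; any exception belongs in a custom server SSL profile rather than the default one, as recommended above.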