Forum Discussion

John_Klemm_4418
Feb 15, 2007

SSL and CAC Auth

Here is the deal: I pulled this iRule off a Dartmouth site. Dartmouth did a study where they were able to get CAC authentication to work using an iRule. Here is the rule.

when CLIENTSSL_CLIENTCERT {
    # SSL::verify_result is 0 when the client certificate chained and
    # verified; anything else is an OpenSSL error code, so drop the
    # connection rather than let the request through unauthenticated.
    if { [SSL::verify_result] } {
        log LOCAL0.warn "Client cert didn't verify, openssl code=[SSL::verify_result]"
        reject
    }
}

when HTTP_REQUEST {
    # Eliminate any inbound spoofed authentication headers
    if { [HTTP::header exists F5PKI_CN] } {
        log LOCAL0.warn "removed inbound F5PKI_CN header - possible attack"
        reject
    }

    if { [SSL::cert count] != 0 } {
        # User authenticated with PKI, so get PKI DN.
        # Keep the DN as a plain string: appending it to a Tcl list with
        # lappend wraps a DN containing spaces in braces, and the braces
        # then end up inside the header values.
        set subject [X509::subject [SSL::cert 0]]

        # Parse out the DN fields we need and set outbound header values.
        # The DN is expected in OpenSSL one-line form (/CN=.../OU=...).
        foreach entry [ split $subject / ] {
            foreach {name value} [ split $entry = ] {
                switch $name {
                    CN {
                        HTTP::header replace F5PKI_CN $value
                    }
                    OU {
                        HTTP::header replace F5PKI_OU $value
                    }
                    UID {
                        HTTP::header replace F5PKI_UID $value
                    }
                }
            }
        }
    }
}

We are currently using a 2400 with an 80 and a 443 VIP. The 80 VIP has this iRule attached. We have a pool of SharePoint servers that we are trying to get CAC authentication and single sign-on to. If anyone has any ideas as to why this hasn't worked or what we can do to make this work, please, I am all ears.
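The DN-to-header mapping and the inbound header-spoofing check from the iRule above, as an added Python example (not part of the original post or of the Dartmouth rule) so the logic can be exercised offline; it goes beyond the iRule by handling escaped separators and repeated attributes. The CAC-style subject in the usage is constructed, and the F5PKI_* header names are the ones the iRule uses.

```python
from typing import Dict, List

# Headers the iRule sets after parsing the client certificate's subject DN.
PKI_HEADERS = ("F5PKI_CN", "F5PKI_OU", "F5PKI_UID")


def split_dn(subject: str) -> List[str]:
    """Split a subject DN into 'name=value' parts.

    Accepts the OpenSSL one-line form ("/CN=a/OU=b") and the
    RFC 4514 form ("CN=a,OU=b"). A backslash escapes the separator
    inside a value, which a plain split on '/' or ',' would mangle.
    """
    sep = "/" if subject.startswith("/") else ","
    parts, cur, i = [], [], 0
    while i < len(subject):
        ch = subject[i]
        if ch == "\\" and i + 1 < len(subject):
            cur.append(subject[i + 1])  # keep the escaped character
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def dn_to_headers(subject: str) -> Dict[str, str]:
    """Mirror the iRule's switch: CN, OU and UID become F5PKI_* headers.

    Repeated attributes (a CAC subject carries several OU=) are joined
    instead of silently overwritten, which is what 'HTTP::header replace'
    inside the loop does in the iRule (only the last OU survives there).
    """
    out: Dict[str, List[str]] = {}
    for part in split_dn(subject):
        name, _, value = part.partition("=")
        name = name.strip().upper()
        if name in ("CN", "OU", "UID"):
            out.setdefault("F5PKI_" + name, []).append(value.strip())
    return {k: ",".join(v) for k, v in out.items()}


def inbound_is_spoofed(headers: Dict[str, str]) -> bool:
    """True when the client supplied any F5PKI_* header itself; the iRule
    rejects such requests so only the proxy can assert identity."""
    return any(h.upper() in PKI_HEADERS for h in headers)
```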
  • Should the rule go on the 443 VIP site? The client certificate (CAC) can only travel over SSL. Do you have an example (like a JSP) on one of your servers to display the certificate, to verify that it made it all the way to your application pool? I guess in your case you are just sending in the values of the certificate and not the certificate itself. Anyway, can you post some example code at the application level?