F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Michael_107360's avatar
Michael_107360
Icon for Cirrus rankCirrus
Dec 10, 2013

SSL Caller Authentication and Access Control

We have a web service that wishes to use client certificates for caller authentication and access control. The client certificate is sent as part of the SSL handshake (when the server is configured ...
BIG-IP Access Policy Manager (APM)
design
security
IheartF5_45022's avatar
IheartF5_45022
Icon for Nacreous rankNacreous
Dec 10, 2013

Yes it is possible. Apply a clientssl profile with Client Certificate set to "require", and Trusted Cert Authority set to your CA, the apply this iRule;-

when CLIENTSSL_HANDSHAKE {
     Check if the client supplied one or more client certs
    if {[SSL::cert count] > 0}{

     Check the first client cert subject
    set subject [X509::subject [SSL::cert 0]]
}
when HTTP_REQUEST {
     Remove the customer header if already present
    HTTP::header remove "X-subject"
    HTTP::header insert "X-subject" $subject
 }