Forum Discussion
Bhargav_9588
Nimbostratus
Apr 27, 2007
SSLClientCert issue
Hi,
I need to pass the client certificate to the backend server (SAP Portal) from F5 using HTTP headers. I have checked one of the topics and implemented the following in an iRule:
when CLIENTSSL_CLIENTCERT {
    # Cache the client certificate in the session table, keyed by SSL session ID
    set cur [SSL::sessionid]
    set ask [session lookup ssl $cur]
    if { $ask eq "" } {
        session add ssl [SSL::sessionid] [SSL::cert 0]
        set ssl_cert [SSL::cert 0]
    }
}
when HTTP_REQUEST {
    # Look up the cached certificate and pass it to the backend, base64-encoded
    set id [SSL::sessionid]
    set the_cert [session lookup ssl $id]
    if { $the_cert != "" } {
        HTTP::header replace SSLClientCert [b64encode $the_cert]
    }
}
The certificate is being passed in the HTTP header, but SAP Portal is not recognizing that certificate and is throwing the following exception while parsing that certificate:
Certificate generation failed. java.security.cert.CertificateException: iaik.asn1.CodingException: ASN.1 creation error:Length: Too large ASN.1 object: 66
The same configuration works when I use Apache as the web server and as the proxy for the backend server (SAP Portal). Now I need to use F5 instead of Apache. This is what I noticed in the headers for Apache and F5:
In Apache, I am seeing the certificate as the following in the header:
sslclientcert: -----BEGIN CERTIFICATE----- MIICITCCAYoCAxAAAjANBgkqhkiG9w0BAQQFADBgMQwwCgYDVQQKEwNBRVMxDDAK BgNVBAsTA0NJUzESMBAGA1UEBxMJQXJsaW5ndG9uMQswCQYDVQQIEwJWQTELMAkG A1UEBhMCVVMxFDASBgNVBAMTC0FFUyBSb290IENBMB4XDTA3MDIxMzE5MzQ0MloX DTA4MDIxMzE5MzQ0MlowUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlZBMQwwCgYD VQQKEwNBRVMxDDAKBgNVBAsTA0NJUzEYMBYGA1UEAxMPQmhhcmdhdiBTdW5rYXJh MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD9VuERo1Qkk0E/nYmHPylrW7y jP48Y7jGXmXGZW1znRnxScwtOEKot18oAIqMLXRbCuaJ7/yDD+5fk4bwkwx7qe0P 6JTfCW6LDbHeKTyx1SVYC2Q7lf+Bq0EgJmYpRe2qsrPv+xo07cjQDPj7ZT8eUu1e 8FBXYuu/Uq3er6molQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAAE52QGkM5MzxCEt 1NFuYzcEN5ieSzWCagj5Pg30mROePdg8EgJcaQ47nsLPwM1pl7Ge8ET7hFSnmAs3 pthUwQ7tOwAgP4rnNvyPzFjxlaNb4HAxguYYQhNFm9n6bGVUZ0Cst+Eu9+q11Zxg O4pEdqcLXPVlEfb7itekh+pnyVUI -----END CERTIFICATE-----
When I use F5, I am seeing the certificate as the following in the header:
MMKCBcKGMMKCBTDCoAMCAQICClHDg8Osw6DAgMCAwIDAgMCAFjANBgkqwoZIwobDtw0BAQUFwIAwXDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlZBMRIwEAYDVQQHEwlBcmxpbmd0b24xEjAQBgNVBAoTCUFFUyBDb3JwLjEYMBYGA1UEAxMPQUVTIFJvb3QgTEFCIENBMB4XDTA3MDQyNjE1MDc1N1oXDTA4MDQyNTE1MDc1N1owGjEYMBYGA1UEAxMPQmhhcmdhdiBTdW5rYXJhMMKBwp8wDQYJKsKGSMKGw7cNAQEBBcCAA8KBwo3AgDDCgcKJAsKBwoHAgMOOP8OJKFtywrACwq4CPDQkPsObTcO0w63CgDtcX8OTw6p8w6nClMObH8OlZX7Csg5jQsOEXXjDpMK
Please notice that there is no "BEGIN CERTIFICATE....&....END CERTIFICATE" for the F5 request. Please let me know if you have any idea of the encoding format in F5 to send the same as Apache.
Thanks in advance
--
Bhargav
- hoolio
Cirrostratus
I haven't looked at the X509:: commands much before, but this poster had a rule that was inserting the BEGIN and END CERTIFICATE lines into the header:
- Bhargav_9588
Nimbostratus
Thanks Aaron. I have checked the post that you have mentioned above. It worked. Thanks a lot.
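Added example (not part of the thread, and not F5 or SAP code): a Python check that base64-decodes the first 24 characters of the F5 header value quoted in the question and parses the outer DER header. The decoded bytes start 30 C2 82 rather than 30 82, so a parser reads 0xC2 as a long-form length with 66 length octets, which is consistent with the "66" in the exception; the function names are hypothetical, and reading the bytes as UTF-8-expanded DER is an observation from that sample, not something the posters state.

```python
import base64

# First 24 characters of the F5 header value quoted in the question.
F5_HEADER_PREFIX = "MMKCBcKGMMKCBTDCoAMCAQIC"

def der_header(data: bytes):
    """Return (tag, length) of the outer DER element; reject absurd length fields."""
    tag, first = data[0], data[1]
    if first < 0x80:                       # short form: length is the byte itself
        return tag, first
    n = first & 0x7F                       # long form: n length octets follow
    if n > 4 or len(data) < 2 + n:
        raise ValueError(f"length field claims {n} length octets")
    return tag, int.from_bytes(data[2:2 + n], "big")

def undo_utf8_expansion(data: bytes) -> bytes:
    """Map UTF-8 sequences for U+0000..U+00FF back to single bytes.
    C0 80 (an overlong NUL that strict decoders reject) is handled first."""
    return data.replace(b"\xc0\x80", b"\x00").decode("utf-8").encode("latin-1")

def to_pem(der: bytes) -> str:
    """Wrap DER bytes in the BEGIN/END CERTIFICATE armor seen in the Apache header."""
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *body, "-----END CERTIFICATE-----"])

def diagnose(header_b64: str):
    """Classify a base64 header value as plain DER or UTF-8-expanded DER."""
    raw = base64.b64decode(header_b64)
    try:
        return "der", der_header(raw), raw
    except ValueError as err:
        fixed = undo_utf8_expansion(raw)
        return f"utf8-expanded ({err})", der_header(fixed), fixed

if __name__ == "__main__":
    kind, (tag, length), der = diagnose(F5_HEADER_PREFIX)
    print(kind, hex(tag), length, der.hex())
```

Run against a complete header value, `to_pem` applied to the recovered bytes gives the armored form the Apache header carries (there with spaces in place of line breaks).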