SSLO Policy Condition - Server Certificate (Issuer DN)

Question

What I'm trying to achieve:Bypass a session if the Server Issuer DN = &lt;trusted-DN&gt;.What I have tried:Policy condition of Server Certificate (Issuer DN) and using data group substring match with DN in a string&nbsp;e.g. : C=xx, ST=xx &lt;omitted&gt; CN=&lt;trusted-DN&gt;, &lt;omitted&gt;The APM logs - its executing an expression (perflow.ssl.server_cert.issuer) contains "/Common/&lt;DATAGROUP&gt;" and the return value is 'Failed'I know the DN is correct (pasted from another of the APM logs), but the policy is not matching against the DG.On another note - I cant put a DN or CN / string into the policy condition as a 'static value' the entry needs to be in SNI format - which leads me to believe that this is not truly looking at the server certificate?What am I missing, is this even possible?Kevin_Stewart​ sorry to tag- but perhaps one for you?Many thanks

kuroki · Answer

Indeed - however 'data group' is an option in the GUI - but the resulting expression does not contain 'class match' - hence the need to modify via VPE..

kuroki · Answer

I think I have found the issue, it appears to be a bug in the SSLO policy UI.If I create a rule with a match condition 'Server Certificate (Issuer DN)' and select a data group the resulting expression in the VPE is:expr {[mcget {perflow.ssl.server_cert.issuer}] contains "/Common/TEST_DG"}This results in a lookup failure (i.e. no match).If I change the expression to:expr {[class match [mcget {perflow.ssl.server_cert.issuer}] contains "/Common/TEST_DG"}Then the expression matches and the rule executes the action.My DG is a string with the CN=&lt;cn-to-match&gt; in vlaue and data fields.. perhaps this is why? Documentation on VPE variables and DG construct is a bit thin&nbsp;

injeyan_kostas · Answer

Hi kuroki​class match is needed when you need to search against a Data GroupThe gui supports basic cases so indeed when you need more avdanced ones you should write custom expressions

kevin_stewart · Answer

Thank you for catching this. A bug has been filed.

kuroki · Answer

Hi Kevin. Thanks for raising a bug. Still waiting on my support acct. to be sorted.So my next problem is the change I make in the VPE is overwritten if a change is redeployed from the UI - I&nbsp;do not tick the 'overwrite' box when asked if I want to keep OOB changes or overwrite..Is there another way to ensure changes persist after a UI deploy? The UI seems to do an atomic replace, even a VLAN change overwrites my custom access rule!BIG-IP v17.5

Forum Discussion

Recent Discussions

Related Content

Automating Certificate Management on F5 BIG-IP

Certificate Automation for BIG-IP using CyberArk Certificate Manager, Self-Hosted

Device certificate Issuer and other information not updating on the browser's certificate details

Automating ACMEv2 Certificate Management on BIG-IP

Conditional XOR operations