Forum Discussion

Jerry_Tower_106, Feb 25, 2005

syntax error - PKI client cert count rule
Hoping someone can take a look at this rule copied from 9.0.1 GUI & tell me what's wrong with it. GUI doesn't report an error, but config won't load with this rule on 9.0.1 or 9.0.4. At the command line, bigpipe load command results in a syntax error being reported for the line "lappend subject...."
Thx
when HTTP_REQUEST {
    # Eliminate any inbound spoofed authentication headers
    while { [HTTP::header exists F5PKI_CN] } {
        HTTP::header remove F5PKI_CN
        log LOCAL0.warn "removed inbound F5PKI_CN header - possible hack attack"
    }
    if { [SSL::cert count] } {
        # client certs
        # User authenticated with PKI, so get PKI DN
        set subject {}
        lappend subject [X509::subject [SSL::cert 0]]
        # Parse out the DN fields we need and set outbound header values
        foreach entry [ split $subject / ] {
            foreach {name value} [ split $entry = ] {
                switch $name {
                    CN {
                        HTTP::header replace F5PKI_CN $value
                    }
                    OU {
                        HTTP::header replace F5PKI_OU $value
                    }
                    UID {
                        HTTP::header replace F5PKI_UID $value
                    }
                    O {
                        HTTP::header replace F5PKI_ORG $value
                    }
                }
            }
        }
        log LOCAL0.warn "F5PKI_CN=[ HTTP::header value F5PKI_CN ]"
        log LOCAL0.warn "F5PKI_ORG=[ HTTP::header value F5PKI_ORG ]"
        log LOCAL0.warn "F5PKI_OU=[ HTTP::header value F5PKI_OU ]"
        log LOCAL0.warn "F5PKI_UID=[ HTTP::header value F5PKI_UID ]"
    }
}
- Jerry_Tower_106: Got an answer. Previous line, set subject {}, needs to be set subject { }. (need a space between the braces)
- drteeth_127330: Thanks, jtower. I believe that is correct. This will be fixed in a subsequent release.