James_D__376338
Apr 11, 2019 (Nimbostratus)
Using iRule to prompt for Client SSL Cert
Currently we have it configured where the Client SSL profile requests a cert once, which prompts the user to authenticate with their PIV. This is causing issues with a few edge cases. What I would like to do is move the request into an iRule when the user hits a specific URI query such as below:

    when HTTP_REQUEST {
        if { [URI::query [HTTP::uri]] contains "authenticator=PIVAuthenticator" } {
            # request the client certificate here
        }
    }
Any ideas on how to proceed would be greatly appreciated.
- James_D__376338 (Nimbostratus)

    # Fires once the renegotiated handshake has delivered the client certificate.
    when CLIENTSSL_CLIENTCERT {
        # Resume the request that was held by HTTP::collect.
        HTTP::release
        if { [SSL::cert count] < 1 } {
            reject
        }
    }

    when HTTP_REQUEST {
        # Only the certificate-based authenticators trigger the prompt.
        if { ([URI::query [HTTP::uri]] contains "auth=x509") || ([URI::query [HTTP::uri]] contains "auth=auth2") } {
            if { [SSL::cert count] < 1 } {
                # Hold the request, require a client cert and renegotiate.
                HTTP::collect
                SSL::authenticate always
                SSL::authenticate depth 9
                SSL::cert mode require
                SSL::renegotiate
            }
        }
    }

    when HTTP_REQUEST_SEND {
        clientside {
            # Pass the certificate details to the server as request headers.
            if { [SSL::cert count] > 0 } {
                HTTP::header insert "SSLClientCertStatus" [X509::verify_cert_error_string [SSL::verify_result]]
                HTTP::header insert "SSLClientCertSerialNumber" [X509::serial_number [SSL::cert 0]]
                HTTP::header insert "SSLClientCertSubject" [X509::subject [SSL::cert 0]]
                HTTP::header insert "SSLClientCert" [X509::whole [SSL::cert 0]]
            }
        }
    }
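Added example, not part of the original posts: a hardened variant of the HTTP_REQUEST_SEND handler above, assuming the pool member treats the SSLClientCert* headers as proof of PIV authentication. It removes any copies of those headers that arrived in the client's request and forwards certificate details only when chain verification succeeded.

```tcl
# Added example (assumption: the back-end server trusts these four headers).
# Intended as a replacement for the HTTP_REQUEST_SEND handler in the reply above.
when HTTP_REQUEST_SEND {
    clientside {
        # Strip client-supplied copies first, so a request that never
        # presented a certificate cannot carry its own identity headers
        # through to the server.
        foreach name {
            SSLClientCertStatus
            SSLClientCertSerialNumber
            SSLClientCertSubject
            SSLClientCert
        } {
            HTTP::header remove $name
        }

        # SSL::verify_result returns the OpenSSL verification code;
        # 0 is X509_V_OK. Forward the identity only for a verified cert.
        if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
            set cert [SSL::cert 0]
            HTTP::header insert "SSLClientCertStatus" [X509::verify_cert_error_string [SSL::verify_result]]
            HTTP::header insert "SSLClientCertSerialNumber" [X509::serial_number $cert]
            HTTP::header insert "SSLClientCertSubject" [X509::subject $cert]
            HTTP::header insert "SSLClientCert" [X509::whole $cert]
        }
    }
}
```

With this variant, requests outside the auth=x509 / auth=auth2 paths reach the server with none of the four headers present, so the server can treat a missing SSLClientCertStatus header as "no certificate presented".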