using step up auth to client cert want to insert cert into header

Question

So i have a VS where you have to log in. one url /withcert needs to be protected with the user providing a client cert.

This is working, i have a per request policy, that matches the url and then uses subroutine to force a renegotiation with a client cert.

Now how do I get the client cert info into my headers.

when i look at active sessions, my main session doesn't have is a sub session so

subsession.ssl.cert.whole

seems to have the whole cert in there. how do I pass that back or how do I add that to headers ?

and that part of the variable name is at the end - looking via the web interface its very long ...

any help thanks

spalande · Answer

Have you checked what all session variables are populated from the  client cert on APM. You can use any of them to add in the header. to begin with - when ACCESS_ACL_ALLOWED {
    set certsubject [ACCESS::session data get session.ssl.cert.subject]
	HTTP::header insert "certsubjectdn" $certsubject
	}

alexs_yb · Answer

Yes, well. its step up auth. so its not done on the access policy. but on a pre request policy. and also has to be done as a subroutine, so my reading tells me that per request subroutines don't have access to the session variables as writeable. only readable.

quick check via the gui interface and it show that the cert info is in the per request sub session variables. how can I insert headers from a subroutine in a pre request policy .. i thinking the only way is to use a irule event ...

but this seems rather hard.

Note - i am note sure when access_acl_allowed is fired, but I have checked the session variables - no sign of the cert in the main session variables :(

spalande · Answer

Can you see if HTTP_REQUEST is able to catch and parse cert details? This iRule is just to log the details first. when HTTP_REQUEST {
  if {[SSL::cert count] &gt; 0}{
   set certsubjectdn [X509::subject [SSL::cert 0]]
   set certissuerdn  [X509::issuer [SSL::cert 0]]
   log local0.info "certsubjectdn: $certsubjectdn"
   log local0.info "certissuerdn: $certissuerdn"
  } else {
    return
 }
}

alexs_yb · Answer

yes I have tried and it didn't work &nbsp;my presumption is [SSL::cert] looks at the current session data and the cert is not stored there. because it was initiated from a sub session&nbsp;

spalande · Answer

okay. Then only option I think of is configuring standard access policy where you can enable it in iRule only for uri /withcert or in VPE itself to check the uri. This should generate session variables from the cert you are looking for to send across the backend serverwhen HTTP_REQUEST { 
 if { [string tolower [HTTP::uri]] starts_with /withcert] } {
       ACCESS::enable
	} else {
	   ACCESS::disable
      }
    }
when ACCESS_ACL_ALLOWED {
    set certsubject [ACCESS::session data get session.ssl.cert.subject]
	HTTP::header insert "certsubjectdn" $certsubject
	}Or log a support case on why per request policy is not working for session variables.

Forum Discussion

using step up auth to client cert want to insert cert into header

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Integrate BIG-IP with AWS CloudWAN Service Insertion

Akamai True-Client-IP Header Persistence

Enhance your Application Security using Client-side signals

HTTP prefetch insertion

Rewrite Host Header to Server Name

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS