Forum Discussion
AlexS_yb
Cirrocumulus
Cirrocumulususing step up auth to client cert want to insert cert into header
So i have a VS where you have to log in. one url /withcert needs to be protected with the user providing a client cert. This is working, i have a per request policy, that matches the url and then us...
spalande
Nacreous
NacreousHave you checked what all session variables are populated from the client cert on APM. You can use any of them to add in the header. to begin with -
when ACCESS_ACL_ALLOWED {
set certsubject [ACCESS::session data get session.ssl.cert.subject]
HTTP::header insert "certsubjectdn" $certsubject
}
AlexS_ybCirrocumulus
CirrocumulusYes, well. its step up auth. so its not done on the access policy. but on a pre request policy. and also has to be done as a subroutine, so my reading tells me that per request subroutines don't have access to the session variables as writeable. only readable.
quick check via the gui interface and it show that the cert info is in the per request sub session variables. how can I insert headers from a subroutine in a pre request policy .. i thinking the only way is to use a irule event ...
but this seems rather hard.
Note - i am note sure when access_acl_allowed is fired, but I have checked the session variables - no sign of the cert in the main session variables :(
- spalande
Can you see if HTTP_REQUEST is able to catch and parse cert details? This iRule is just to log the details first.
when HTTP_REQUEST { if {[SSL::cert count] > 0}{ set certsubjectdn [X509::subject [SSL::cert 0]] set certissuerdn [X509::issuer [SSL::cert 0]] log local0.info "certsubjectdn: $certsubjectdn" log local0.info "certissuerdn: $certissuerdn" } else { return } } - AlexS_yb
yes I have tried and it didn't work
my presumption is [SSL::cert] looks at the current session data and the cert is not stored there. because it was initiated from a sub session
- spalande
okay. Then only option I think of is configuring standard access policy where you can enable it in iRule only for uri /withcert or in VPE itself to check the uri. This should generate session variables from the cert you are looking for to send across the backend server
when HTTP_REQUEST { if { [string tolower [HTTP::uri]] starts_with /withcert] } { ACCESS::enable } else { ACCESS::disable } } when ACCESS_ACL_ALLOWED { set certsubject [ACCESS::session data get session.ssl.cert.subject] HTTP::header insert "certsubjectdn" $certsubject }Or log a support case on why per request policy is not working for session variables.
- AlexS_yb
Hmm, not exactly what i want.
as for the support case - pretty sure the manual F5 stat subsession (pre request subroutines - need for stepup) can't access sessions variables and have their own subsession variables. they might be read only. definitely not allowed to write.
So the step places all the cert info into the subsession variables. which I want to grab and place in the session variables..
trying to do it with irule event, but can't get it to fire :(
- spalande
Any technical reason you don't want per session access policy with rule based on landing uri or iRule? just FYI - there is a way to achieve this with standalone ltm based iRule as well and no need of per session or per request access policy (i.e. apm module)
- AlexS_yb
Hi
No, i am a newbie and this is the current solution i have come up with if you can show me a better way - potentially easier happy to listen
So I will try and outline the problem i am trying to solve
I want users to be able to go to
https://www.example.com - with no APM no login .. as anon. let them use it
but when they hit
https://www.example.com/secret
I want APM to kick in - they must have a valid sso session - maybe group based (I have this working )
but when they hit
https://www.example.com/secret/ultraSecret
I want a OTP or some other MFA to kick in.
I have tried to stay away from using irule for all of that and used the VPE.
I have a sso multidomain setup its at auth.example.com
so that people can go to
https://www.example.com/
then to
https://clients.example.com/
with out having to re login again and to any other site I might manage under example.com
So my presumption is
Access policy - per session only kicks in at the first place a session is started. So
if user goes to
https://www.example.com/secret
APM bumps it to
https://auth.example.com/
and this is where Access policy per session starts - it uses the VPE for auth.example.com not www.example.com
and its only evaluated at session creation.
So thats why i created a per request access policy - also part of the zero trust setup.
So I can use this for
https://www.example.com/secret
bump up to needing to be authorized
and I can do the dump up for
https://www.example.com/secret/ultraSecret
I can force needing a cert - works well.
The issues is getting information from the subsession and back into the session variables.
I'm thinking maybe .. doing more googling that the localdb might be the place to also keep variables / info ...
if you have a different way to produce the above I would be happy to try it
thanks
- spalande
In this sceneria, you can still have per session access policy configured for www.example.com VIP. landing uri can be used to seperate VPE flow. domain cookie (example.com) can be used for SSO across multiple sites withing the same domain. per session policy should populate the certificate variables you need.
Will keep the forum open for anyone else have idea to share for per request access policy.
- AlexS_yb
Hi
Not so sure about that. but happy to proven wrong.
of if follow the flow i had above the person enters on a different uri that doesn't need cert or step up
the AP landing uri is the one set at the creating of the AP, not on subsequence request ?
also the AP associated with this is not for www.example.com but on auth.example.com.
so I would need to build a branch for every vs i had - that would be comber some