APM Clientless certificate authentication

Problem this snippet solves: This code allow to configure certificate authentication with APM clientless-mode support. The APM behavior when configuring following condition is to disable clientles...
Published Nov 23, 2017
Version 1.0
application delivery
BIG-IP Access Policy Manager (APM)
certificate authentication
iRules
security
antec42's avatar
antec42
Icon for Altostratus rankAltostratus
Feb 11, 2021

Picking up an old thread here maybe, but I have a use case for this but I also need to split the VIP into a layered VS.

 

I do the SSL stuff in the terminating LTM Vs and the APM part in the second Vs (to which I pass the traffic with the "virtual <apm_vs>" line in the LTM Vs. The reason for this is that I need to alter some responses that I do not see from APM if they are on the same Vs.

 

Anyway, when I'm doing this the SSL gets terminated on the LTM vs and I can not do the certificate checks in APM as I normally could. I'm trying a solution where I pass the client certificate on to APM by inserting it as a header into the HTTP traffic on the LTM vs, so that I could pick it up on the APM vs. It works to some extent (I can pass CN, Subject string etc properly) but when I try to pass the whole "[X509::whole [SSL::cert 0]]" and insert it with ACCESS::session data set session.ssl.cert.whole it fails. The set command seems to truncate the certificate or can not handle certain characters in the PEM cert. Does anyone has a clue to what I can do?