Client Cert Request by URI with OCSP Checking

Problem this snippet solves:

This iRule requests a client cert for specific URIs and then validates the client cert against the client SSL profile's trusted CA cert bundle. If that succeeds, then the client cert is validated against an OCSP server (or pool of servers). Invalid certs are redirected to a URL with the Openssl verify code appended.

Note: See below for a sample bigip.conf showing the profile and virtual server definitions.

Warning: This is an anonymized version of an OCSP iRule that was tested in a customer implementation. I have not done any testing of the iRule since anonymizing it. So test, test, test!

Code :

# hooleya_auth_ssl_cc_ocsp_rule
# https://devcentral.f5.com/s/Wiki/default.aspx/iRules/client_cert_request_by_uri_with_ocsp_checking
#
# Requires 9.4.8 and hotfix 3 for:
#   CR125264 - HTTP::respond should be allowed in CLIENTSSL_HANDSHAKE
#   CR126501 - OCSP AUTH iRules need to detect server down vs. bad cert
#   CR111646: Connections are no longer rejected when clients fail to send a 
#             certificate to a virtual server with a clientssl profile configured to "request" one.
# v0.9.9 - 2010-02-22

# Description:
#
# This iRule requests a client cert for specific URIs and then validates the client cert against the client SSL profile's 
# trusted CA cert bundle.  If that succeeds, then the client cert is validated against an OCSP server (or pool of servers).
# Invalid certs are redirected to a URL with the Openssl verify code appended.
#
# Configuration requirements:
#
# 0. This iRule will only work for 9.4.8 with hotfix 3.  It cannot work for any lower LTM version.
#       It could be updated for 10.0.x.  In 10.1, you don't need to use the session table to store the cert details,
#       so this iRule is probably not worth updating for 10.1.
# 1. Configure the URIs to request a client cert for in a datagroup named ocsp_pages_to_require_cert_class.
# 2. You might also need to customize the cert parsing based on your requirements for which headers to insert.
# 3. Add this iRule to an OCSP auth profile.
# 4. Ideally, configure an OCSP server pool and VIP to use in the OCSP responder field
#       and consider uncommenting the code in this iRule to check the state of the OCSP server pool
#       before attempting the OCSP validation of a client cert.
# 5. Test, test test! This is an anonymized version of an OCSP iRule that was tested in a customer implementation.
#       I have not done any testing of the iRule since anonymizing it.

when RULE_INIT {

   # URL to redirect clients to for failed authentication
   # The error code is appended to the URL in the iRule
   set ::auth_failure_url "https://example.com/error.asp?errCode="

   # Session timeout. Length of time (in seconds) to store the client cert in the session table.
   set ::ocsp_session_timeout 1800

   # Log debug messages? (0=none, 1=minimal, 2=verbose, 3=everything)
   set ::ocsp_debug 3

   # Enable audit logging? (0=none, 1=unvalidated requests only, 2=all requests)
   set ::ocsp_audit_log_level 2

   # Pages to require a client cert for (replace with datagroup post-testing)
   #   This is now configured in the ocsp_pages_to_require_cert_class datagroup

   # Prefix to use when inserting the certificate details in the HTTP headers
   set ::header_prefix "CRT_"

   # SSL::sessionid returns 64 0's if the session ID doesn't exist, so set a variable to check for this
   set ::ocsp_null_sessionid [string repeat 0 64]
}
when CLIENT_ACCEPTED {

   # Initialise the TMM session id and variables tracking the auth status on each new connection
   set tmm_auth_ssl_ocsp_sid 0
   set invalidate_session 0
   set need_cert 0
   set inserted_headers 0

   # Save the client IP:port and VIP name to shorten the log lines
   set log_prefix "client IP:port=[IP::client_addr]:[TCP::client_port]; VIP=[virtual name]"
   if {$::ocsp_debug > 0}{log local0. "$log_prefix: New TCP connection to [IP::local_addr]:[TCP::local_port]"}
}
when CLIENTSSL_CLIENTCERT {

   # This event is triggered when LTM requests/requires a cert, even if the client doesn't present a cert.
   if {$::ocsp_debug > 0}{log local0. "$log_prefix: Cert count: [SSL::cert count], SSL sessionid: [SSL::sessionid]"}

   # Exit this event if we didn't request a cert
   if {$need_cert == 0}{
      if {$::ocsp_debug > 2}{log local0. "$log_prefix: Exiting event as \$need_cert is 0"}
      return
   }
   # Check if client presented a cert after it was requested
   if {[SSL::cert count] == 0}{

      # No client cert received.  Use -1 to track this (0 will be used to indicate no error by SSL::verify_result)
      set ssl_status_code "-1"

      # $ssl_status_desc is only used in this rule for debug logging.
      set ssl_status_desc "Required client certificate not present for resource."

      if {$::ocsp_debug > 0}{log local0. "$log_prefix: No cert for protected resource. Invalidating session."}
      set invalidate_session 1

      # Audit logging
      if {$::ocsp_audit_log_level > 0}{catch {log -noname local0. "cc_audit: $log_prefix; status_text=No cert for secured URI; URI=$requested_uri;"}}

   } else {

      # Client presented at least one cert.  The actual client cert should always be first.
      if {$::ocsp_debug > 1}{

         # Loop through each cert and log the cert subject
         for {set i 0} {$i < [SSL::cert count]} {incr i}{

            log local0. "$log_prefix: cert $i, subject: [X509::subject [SSL::cert $i]],\
               issuer: [X509::issuer [SSL::cert $i]], cert_serial=[X509::serial_number [SSL::cert $i]]"
         }
      }
      if {$::ocsp_debug > 2}{log local0. "$log_prefix: Received cert with SSL session ID: [SSL::sessionid]. Base64 encoded cert: [b64encode [SSL::cert 0]]"}

      # Save the SSL status code (defined here: http://www.openssl.org/docs/apps/verify.html#DIAGNOSTICS)
      set ssl_status_code [SSL::verify_result]
      set ssl_status_desc [X509::verify_cert_error_string [SSL::verify_result]]

      # Check if there was no error in validating the client cert against LTM's server cert
      if { $ssl_status_code == 0 }{
         if {$::ocsp_debug > 0}{log local0. "$log_prefix: Certificate validation against root cert OK. status: $ssl_status_desc. Checking against OCSP."}

         ######################################################################################################
 ##### TODO:
         ##### If the OCSP responder is an LTM VIP (used for load balancing multiple OCSP servers)
 ##### you could add a check here of the OCSP server pool before attempting the OCSP validation.
 ##### Just change my_ocsp_http_pool to the actual OCSP server pool name.


         ## Check if the OCSP server pool does not have any
 #if {[active_members my_ocsp_http_pool] == 0}{

         #   # OCSP servers are not available!!
         #   log local0.emerg "$log_prefix: OCSP auth pool is down! Resuming SSL handshake and blocking HTTP request."

         #   # Audit logging
         #   if {$::ocsp_audit_log_level > 0}{
         #      catch {log -noname local0. "cc_audit: $log_prefix; status_text=OCSP server pool is unavailable. Blocking request."}
         #   }

         #   # We could send an HTTP response from this event, but it doesn't actually get sent until
         #   # the CLIENTSSL_HANDSHAKE event anyhow.  So track that this is an invalid request and set the app auth status code
         #   # to indicate OCSP validation of the cert failed.
         #   set invalidate_session 1
         #   SSL::handshake resume
 #   return
 #}
 ##### TODO END:
         ######################################################################################################

 # Check if there isn't already a TMM authentication OCSP session ID
         if {$tmm_auth_ssl_ocsp_sid == 0} {

            # [AUTH::start pam default_ssl_ocsp] returns an authentication session ID
            set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]

            if {$::ocsp_debug > 2}{log local0. "$log_prefix: \$tmm_auth_ssl_ocsp_sid was 0, \$tmm_auth_ssl_ocsp_sid: $tmm_auth_ssl_ocsp_sid"}

            if {[info exists tmm_auth_subscription]} {
               if {$::ocsp_debug > 1}{log local0. "$log_prefix: Subscribing to \$tmm_auth_ssl_ocsp_sid: $tmm_auth_ssl_ocsp_sid"}
               AUTH::subscribe $tmm_auth_ssl_ocsp_sid
            }
         }
         AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
         AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
         AUTH::authenticate $tmm_auth_ssl_ocsp_sid

         # Hold the SSL handshake until the auth result is returned from OCSP
 # The AUTH::authenticate command triggers an OCSP lookup and then the AUTH_RESULT event.
 # In AUTH_RESULT, SSL::handshake resume triggers CLIENTSSL_HANDSHAKE.
         if {$::ocsp_debug > 0}{log local0. "$log_prefix: Holding SSL handshake for OCSP check"}
         SSL::handshake hold

      } else {

         # Client cert validation against the CA's root server cert failed.

         if {$::ocsp_debug > 0}{log local0. "$log_prefix: Certificate validation not ok. Status: $ssl_status_code, $ssl_status_desc"}

         # Audit logging
         if {$::ocsp_audit_log_level > 0}{catch {log -noname local0. "cc_audit: $log_prefix; \
            status_text=Invalid cert for secured URI; openssl_code=$ssl_status_code; openssl_desc=$ssl_status_desc;\
            cert_subject=[X509::subject [SSL::cert 0]]; cert_issuer=[X509::issuer [SSL::cert 0]];\
            cert_serial=[X509::serial_number [SSL::cert 0]]; URI=$requested_uri"}}

         # Delete the SSL session from the session table
         if {$::ocsp_debug > 1}{log local0. "$log_prefix: Invalidating SSL session [SSL::sessionid]"}
         session delete ssl [SSL::sessionid]
         SSL::session invalidate
         set invalidate_session 1

         # Release the request flow as we want to send an HTTP response to clients who don't send a valid cert
         if {$::ocsp_debug > 0}{log local0. "$log_prefix: Invalid cert. Releasing HTTP."}
      }
   }
}
when AUTH_RESULT {

   # AUTH::status values:
   # https://devcentral.f5.com/s/wiki/default.aspx/iRules/AUTH__status.html
   #  0 = success
   #  1 = failure
   # -1 = error
   #  2 = not-authed

   if {$::ocsp_debug > 0}{log local0. "$log_prefix: \[AUTH::status\]: [AUTH::status]; (0=success, 1=failure, -1=error, 2=not-authed)"}

   # Check if there is an existing TMM SSL OCSP session ID
   if {[info exists tmm_auth_ssl_ocsp_sid] and ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {

      # Save the auth status
      set tmm_auth_status [AUTH::status]

      # TESTING ONLY: If you want to take any response from the OCSP server as valid, 
      # uncomment this line and set tmm_auth_status to 0.
      #set tmm_auth_status 0

      # Check if auth was successful
      if {$tmm_auth_status == 0 } {

 # OCSP auth was successful, so resume the SSL handshake.  This will trigger the CLIENTSSL_HANDSHAKE event next.
         if {$::ocsp_debug > 0}{log local0. "$log_prefix: Valid cert per OCSP. Resuming SSL handshake"}
         SSL::handshake resume

      } else {

         # OCSP auth failed

         # Audit logging
         if {$::ocsp_audit_log_level > 0}{
            catch {log -noname local0. "cc_audit: status=403.13. $log_prefix; status_text=Invalid cert per OCSP for secured URI; URI=$requested_uri"}
         }

         # We could send an HTTP response from this event, but it doesn't actually get sent until
         # the CLIENTSSL_HANDSHAKE event anyhow.  So track that this is an invalid request and set the app auth status code
         # to indicate OCSP validation of the cert failed.
         set invalidate_session 1

         if {$::ocsp_debug > 0}{log local0. "$log_prefix: Invalid cert per OCSP. \[AUTH::response_data\]: [AUTH::response_data]. Resuming SSL handshake."}
         SSL::handshake resume
      }
   }
}
when CLIENTSSL_HANDSHAKE {

   # This event is triggered when the SSL handshake with the client completes

   # Log SSL cipher details
   if {$::ocsp_debug > 2}{log local0. "$log_prefix: Cipher name, version, bits: [SSL::cipher name], [SSL::cipher version], [SSL::cipher bits]"}

   # Exit this event if cert isn't required
   if {$need_cert == 0}{
      if {$::ocsp_debug > 2}{log local0. "$log_prefix: \$need_cert is 0, exiting event."}
      return
   }

   # Check if OCSP auth was already successful
   if {[info exists tmm_auth_status] and $tmm_auth_status == 0}{

      if {$::ocsp_debug > 1}{log local0. "$log_prefix: Auth succeeded, parsing cert fields and adding session table entry."}

      # The parsing of the cert can be customized based on the application's requirements
      # For this particular implementation, the customer wanted the following fields inserted into the request HTTP headers:
      #
      #        Issuer
      #        Serial number
      #        Valid from date
      #        Valid to date
      #        Subject

      # Add the client cert fields as a list to the session table
      if {$::ocsp_debug > 0}{log local0. "$log_prefix: Saving client cert details in session using SSL sessionid [SSL::sessionid]."}

      session add ssl [SSL::sessionid] [list \
         ${::header_prefix}Issuer [X509::issuer [SSL::cert 0]] \
         ${::header_prefix}SerialNumber [X509::serial_number [SSL::cert 0]] \
         ${::header_prefix}ValidFrom [X509::not_valid_before [SSL::cert 0]] \
         ${::header_prefix}ValidUntil [X509::not_valid_after [SSL::cert 0]] \
         ${::header_prefix}Subject [X509::subject [SSL::cert 0]]
      ] $::ocsp_session_timeout

      # Audit logging
      if {$::ocsp_audit_log_level > 1}{
         catch {log -noname local0. "cc_audit: status=okay; $log_prefix; status_text=Valid cert per OCSP for secured URI (new SSL session);\
            cert_subject=[X509::subject [SSL::cert 0]]; cert_issuer=[X509::issuer [SSL::cert 0]]; cert_serial=[X509::serial_number [SSL::cert 0]]; \
    URI=$requested_uri"}
      }

      if {$::ocsp_debug > 1}{log local0. "$log_prefix: Auth was successful, releasing HTTP"}
      HTTP::release

   } elseif {$invalidate_session}{

      if {$::ocsp_debug > 0}{log local0. "$log_prefix: No/invalid cert received, sending block response."}

      # Send response to client for invalid request
      HTTP::respond 302 Location "${::auth_failure_url}${ssl_status_code}" Connection Close Cache-Control No-Cache Pragma No-Cache
      HTTP::release
      session delete ssl [SSL::sessionid]
      SSL::session invalidate
      TCP::close
   } else {
      if {$::ocsp_debug > 2}{log local0. "$log_prefix: default case."}
   }
}
when HTTP_REQUEST {

   if {$::ocsp_debug > 1}{log local0. "$log_prefix: URI: [HTTP::uri], SSL session ID: [SSL::sessionid],\
      session lookup llength: [llength [session lookup ssl [SSL::sessionid]]],\
      string len: [string length [session lookup ssl [SSL::sessionid]]]\
      User-Agent: [HTTP::header User-Agent]"}

   # Double check that the session is valid
   if {[info exists invalidate_session] and $invalidate_session == 1}{

      if {$::ocsp_debug > 0}{log local0. "$log_prefix: Invalidating SSL session ID: [SSL::sessionid]"}
      session delete ssl [SSL::sessionid]
      SSL::session invalidate
   }
   # Check if request is to a page which requires a client SSL certificate
   if {[matchclass [string tolower [HTTP::path]] starts_with $::ocsp_pages_to_require_cert_class]}{

      # Save the requested URI for logging in subsequent events
      set requested_uri [HTTP::uri]

      # Track that this is a request for a restricted URI
      set need_cert 1
      if {$::ocsp_debug > 0}{log local0. "$log_prefix: Request to restricted path: [HTTP::path]. \$need_cert: $need_cert"}

      # Check if there is an existing SSL session ID and if the cert is in the session table
      #   This condition should only be true on resumed SSL sessions.
      if {[SSL::sessionid] ne $::ocsp_null_sessionid and [session lookup ssl [SSL::sessionid]] ne ""}{

         if {$::ocsp_debug > 0}{
            log local0. "$log_prefix: Allowed request to [HTTP::host][HTTP::uri]. Inserting SSL cert details in HTTP headers."

            # Debug logging of each session table list item
            if {$::ocsp_debug > 2}{
               foreach session_element [session lookup ssl [SSL::sessionid]] {
                  log local0. "$log_prefix: $session_element"
               }
            }
         }

         # Remove any HTTP header which starts with "crt_"
         foreach a_header [HTTP::header names] {

            # Check if this header name starts with "crt_"
            if {[string match -nocase ${::header_prefix}* $a_header]}{
               HTTP::header remove $a_header

               # If there is a header which starts with crt_, it is probably someone attacking the application!
               log local0.emerg "$log_prefix: Client with possible spoofed client cert header [HTTP::request]"
            }
         }

         # Insert SSL cert details in the HTTP headers
         HTTP::header insert [session lookup ssl [SSL::sessionid]]

         # Track that we've inserted the HTTP headers, so we don't do it again in HTTP_REQUEST_SEND
         set inserted_headers 1

         if {$::ocsp_debug > 0}{log local0. "$log_prefix: Valid request"}

         # Audit logging
         if {$::ocsp_audit_log_level > 1}{

            # Get the cert details from the session table for the audit logging
            set session_list [session lookup ssl [SSL::sessionid]]

            catch {log -noname local0. "cc_audit: status=okay; $log_prefix; status_text=Valid cert per OCSP for secured URI (resumed SSL session);\
               cert_subject=[lindex $session_list 9]; cert_issuer=[lindex $session_list 1]; cert_serial=[lindex $session_list 3]; URI=$requested_uri"}
         }

      } else {

         # Hold the HTTP request until the SSL re-negotiation is complete
         HTTP::collect

         # Force renegotiation of the SSL connection with a cert requested
         SSL::session invalidate
         SSL::authenticate always
         SSL::authenticate depth 9
         SSL::cert mode request
         SSL::renegotiate

         if {$::ocsp_debug > 0}{log local0. "$log_prefix: Restricted path, [HTTP::uri], with no client cert. Collecting HTTP and renegotiating SSL"}
      }
   } else {
      if {$::ocsp_debug > 1}{log local0. "$log_prefix: Request to unrestricted path: [HTTP::path]"}
      set need_cert 0
   }
}
when HTTP_REQUEST_SEND {

   # This event is relevant only on the initial request of a secured URI (non-resumed SSL sessions).
   # The insertion of cert details for resumed SSL sessions is handled in HTTP_REQUEST.

   # Force evaluation in clientside context as HTTP_REQUEST_SEND is a serverside event
   clientside {

      if {$::ocsp_debug > 0}{log local0. "$log_prefix: \$invalidate_session: $invalidate_session,\
         \$need_cert: $need_cert, \[SSL::sessionid\]: [SSL::sessionid], \[session lookup ssl \[SSL::sessionid\]\]: [session lookup ssl [SSL::sessionid]],\
         URI: [clientside {HTTP::uri}]"}

      # Check if request was to a restricted URI and the headers weren't inserted already in HTTP_REQUEST
      if {$need_cert==1 and $inserted_headers==0}{

         # Check if the session is still valid, there is an existing SSL session ID and that the cert is in the session table
         if {$invalidate_session == 0 and [SSL::sessionid] ne $::ocsp_null_sessionid and [session lookup ssl [SSL::sessionid]] ne ""}{

            # Remove any HTTP header which starts with "crt_"
            foreach a_header [HTTP::header names] {

               # Check if this header name starts with "crt_"
               if {[string match -nocase ${::header_prefix}* $a_header]}{

                  HTTP::header remove $a_header

                  # If there is a header which starts with crt_, it is probably someone attacking the application!
                  log local0.emerg "$log_prefix: Client with possible spoofed client cert header [HTTP::host][HTTP::uri], [HTTP::header User-Agent"]"
               }
            }

            if {$::ocsp_debug > 0}{log local0. "$log_prefix: Inserting SSL cert details in HTTP headers."}

            # Insert SSL cert details from the session table in the HTTP headers
            HTTP::header insert [session lookup ssl [SSL::sessionid]]

         } else {

             # Client request for secured URI wasn't valid
             log local0. "$log_prefix: Rejecting connection for invalid request to [HTTP::host][HTTP::uri] ([IP::local_addr]:[TCP::local_port])\
                with session ID: [SSL::sessionid]"

            # Reject the connection as we should never get here
            reject
         }
      }
   }
}
Published Mar 16, 2015
Version 1.0

3 Comments

  • Is there any chance this to be updated to work on version 12.1 ? I am trying to adopt it, but facing a lot of issues/ errors.

     

  • We would like to have F5 configured to not always request client certificate authentication, but to request it only when the path matches specific URL

"}},"componentScriptGroups({\"componentId\":\"custom.widget.Beta_MetaNav\"})":{"__typename":"ComponentScriptGroups","scriptGroups":{"__typename":"ComponentScriptGroupsDefinition","afterInteractive":{"__typename":"PageScriptGroupDefinition","group":"AFTER_INTERACTIVE","scriptIds":[]},"lazyOnLoad":{"__typename":"PageScriptGroupDefinition","group":"LAZY_ON_LOAD","scriptIds":[]}},"componentScripts":[]},"component({\"componentId\":\"custom.widget.Beta_Footer\"})":{"__typename":"Component","render({\"context\":{\"component\":{\"entities\":[],\"props\":{}},\"page\":{\"entities\":[\"message:284211\"],\"name\":\"TkbMessagePage\",\"props\":{},\"url\":\"https://community.f5.com/kb/codeshare/client-cert-request-by-uri-with-ocsp-checking/284211\"}}})":{"__typename":"ComponentRenderResult","html":"
 
 
 
 
 

\"F5 ©2024 F5, Inc. All rights reserved.
Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information
"}},"componentScriptGroups({\"componentId\":\"custom.widget.Beta_Footer\"})":{"__typename":"ComponentScriptGroups","scriptGroups":{"__typename":"ComponentScriptGroupsDefinition","afterInteractive":{"__typename":"PageScriptGroupDefinition","group":"AFTER_INTERACTIVE","scriptIds":[]},"lazyOnLoad":{"__typename":"PageScriptGroupDefinition","group":"LAZY_ON_LOAD","scriptIds":[]}},"componentScripts":[]},"component({\"componentId\":\"custom.widget.Tag_Manager_Helper\"})":{"__typename":"Component","render({\"context\":{\"component\":{\"entities\":[],\"props\":{}},\"page\":{\"entities\":[\"message:284211\"],\"name\":\"TkbMessagePage\",\"props\":{},\"url\":\"https://community.f5.com/kb/codeshare/client-cert-request-by-uri-with-ocsp-checking/284211\"}}})":{"__typename":"ComponentRenderResult","html":" "}},"componentScriptGroups({\"componentId\":\"custom.widget.Tag_Manager_Helper\"})":{"__typename":"ComponentScriptGroups","scriptGroups":{"__typename":"ComponentScriptGroupsDefinition","afterInteractive":{"__typename":"PageScriptGroupDefinition","group":"AFTER_INTERACTIVE","scriptIds":[]},"lazyOnLoad":{"__typename":"PageScriptGroupDefinition","group":"LAZY_ON_LOAD","scriptIds":[]}},"componentScripts":[]},"component({\"componentId\":\"custom.widget.Consent_Blackbar\"})":{"__typename":"Component","render({\"context\":{\"component\":{\"entities\":[],\"props\":{}},\"page\":{\"entities\":[\"message:284211\"],\"name\":\"TkbMessagePage\",\"props\":{},\"url\":\"https://community.f5.com/kb/codeshare/client-cert-request-by-uri-with-ocsp-checking/284211\"}}})":{"__typename":"ComponentRenderResult","html":"
"}},"componentScriptGroups({\"componentId\":\"custom.widget.Consent_Blackbar\"})":{"__typename":"ComponentScriptGroups","scriptGroups":{"__typename":"ComponentScriptGroupsDefinition","afterInteractive":{"__typename":"PageScriptGroupDefinition","group":"AFTER_INTERACTIVE","scriptIds":[]},"lazyOnLoad":{"__typename":"PageScriptGroupDefinition","group":"LAZY_ON_LOAD","scriptIds":[]}},"componentScripts":[]},"cachedText({\"lastModified\":\"1744046271000\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/common/QueryHandler\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/common/QueryHandler-1744046271000"}],"cachedText({\"lastModified\":\"1744046271000\",\"locale\":\"en-US\",\"namespaces\":[\"components/community/NavbarDropdownToggle\"]})":[{"__ref":"CachedAsset:text:en_US-components/community/NavbarDropdownToggle-1744046271000"}],"cachedText({\"lastModified\":\"1744046271000\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageSubject\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageSubject-1744046271000"}],"cachedText({\"lastModified\":\"1744046271000\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageBody\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageBody-1744046271000"}],"cachedText({\"lastModified\":\"1744046271000\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageCustomFields\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageCustomFields-1744046271000"}],"cachedText({\"lastModified\":\"1744046271000\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageRevision\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageRevision-1744046271000"}],"cachedText({\"lastModified\":\"1744046271000\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageReplyButton\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageReplyButton-1744046271000"}],"cachedText({\"lastModified\":\"1744046271000\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageAuthorBio\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageAuthorBio-1744046271000"}],"cachedText({\"lastModified\":\"1744046271000\",\"locale\":\"en-US\",\"namespaces\":[\"components/guides/GuideBottomNavigation\"]})":[{"__ref":"CachedAsset:text:en_US-components/guides/GuideBottomNavigation-1744046271000"}],"cachedText({\"lastModified\":\"1744046271000\",\"locale\":\"en-US\",\"namespaces\":[\"components/tags/TagView/TagViewChip\"]})":[{"__ref":"CachedAsset:text:en_US-components/tags/TagView/TagViewChip-1744046271000"}],"cachedText({\"lastModified\":\"1744046271000\",\"locale\":\"en-US\",\"namespaces\":[\"components/users/UserLink\"]})":[{"__ref":"CachedAsset:text:en_US-components/users/UserLink-1744046271000"}],"cachedText({\"lastModified\":\"1744046271000\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/users/UserRank\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/users/UserRank-1744046271000"}],"cachedText({\"lastModified\":\"1744046271000\",\"locale\":\"en-US\",\"namespaces\":[\"components/users/UserRegistrationDate\"]})":[{"__ref":"CachedAsset:text:en_US-components/users/UserRegistrationDate-1744046271000"}],"cachedText({\"lastModified\":\"1744046271000\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageListMenu\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageListMenu-1744046271000"}],"cachedText({\"lastModified\":\"1744046271000\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageTime\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageTime-1744046271000"}],"cachedText({\"lastModified\":\"1744046271000\",\"locale\":\"en-US\",\"namespaces\":[\"components/customComponent/CustomComponent\"]})":[{"__ref":"CachedAsset:text:en_US-components/customComponent/CustomComponent-1744046271000"}],"message({\"id\":\"message:284212\"})":{"__ref":"TkbReplyMessage:message:284212"},"message({\"id\":\"message:284213\"})":{"__ref":"TkbReplyMessage:message:284213"},"message({\"id\":\"message:284214\"})":{"__ref":"TkbReplyMessage:message:284214"},"cachedText({\"lastModified\":\"1744046271000\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/users/UserAvatar\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/users/UserAvatar-1744046271000"}],"cachedText({\"lastModified\":\"1744046271000\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/ranks/UserRankLabel\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/ranks/UserRankLabel-1744046271000"}]},"Theme:customTheme1":{"__typename":"Theme","id":"customTheme1"},"User:user:-1":{"__typename":"User","id":"user:-1","uid":-1,"login":"Former Member","email":"","avatar":null,"rank":null,"kudosWeight":1,"registrationData":{"__typename":"RegistrationData","status":"ANONYMOUS","registrationTime":null,"confirmEmailStatus":false,"registrationAccessLevel":"VIEW","ssoRegistrationFields":[]},"ssoId":null,"profileSettings":{"__typename":"ProfileSettings","dateDisplayStyle":{"__typename":"InheritableStringSettingWithPossibleValues","key":"layout.friendly_dates_enabled","value":"false","localValue":"true","possibleValues":["true","false"]},"dateDisplayFormat":{"__typename":"InheritableStringSetting","key":"layout.format_pattern_date","value":"dd-MMM-yyyy","localValue":"MM-dd-yyyy"},"language":{"__typename":"InheritableStringSettingWithPossibleValues","key":"profile.language","value":"en-US","localValue":null,"possibleValues":["en-US","es-ES"]},"repliesSortOrder":{"__typename":"InheritableStringSettingWithPossibleValues","key":"config.user_replies_sort_order","value":"DEFAULT","localValue":"DEFAULT","possibleValues":["DEFAULT","LIKES","PUBLISH_TIME","REVERSE_PUBLISH_TIME"]}},"deleted":false},"CachedAsset:pages-1745486768810":{"__typename":"CachedAsset","id":"pages-1745486768810","value":[{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"HowDoI.GetInvolved.MvpProgram","type":"COMMUNITY","urlPath":"/c/how-do-i/get-involved/mvp-program","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"BlogViewAllPostsPage","type":"BLOG","urlPath":"/category/:categoryId/blog/:boardId/all-posts/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"CasePortalPage","type":"CASE_PORTAL","urlPath":"/caseportal","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"CreateGroupHubPage","type":"GROUP_HUB","urlPath":"/groups/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"CaseViewPage","type":"CASE_DETAILS","urlPath":"/case/:caseId/:caseNumber","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"InboxPage","type":"COMMUNITY","urlPath":"/inbox","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"HowDoI.GetInvolved.AdvocacyProgram","type":"COMMUNITY","urlPath":"/c/how-do-i/get-involved/advocacy-program","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"HowDoI.GetHelp.NonCustomer","type":"COMMUNITY","urlPath":"/c/how-do-i/get-help/non-customer","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"HelpFAQPage","type":"COMMUNITY","urlPath":"/help","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"HowDoI.GetHelp.F5Customer","type":"COMMUNITY","urlPath":"/c/how-do-i/get-help/f5-customer","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"IdeaMessagePage","type":"IDEA_POST","urlPath":"/idea/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"IdeaViewAllIdeasPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId/all-ideas/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"LoginPage","type":"USER","urlPath":"/signin","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"BlogPostPage","type":"BLOG","urlPath":"/category/:categoryId/blogs/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"HowDoI.GetInvolved","type":"COMMUNITY","urlPath":"/c/how-do-i/get-involved","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"HowDoI.Learn","type":"COMMUNITY","urlPath":"/c/how-do-i/learn","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1739501996000,"localOverride":null,"page":{"id":"Test","type":"CUSTOM","urlPath":"/custom-test-2","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"ThemeEditorPage","type":"COMMUNITY","urlPath":"/designer/themes","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"TkbViewAllArticlesPage","type":"TKB","urlPath":"/category/:categoryId/kb/:boardId/all-articles/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"OccasionEditPage","type":"EVENT","urlPath":"/event/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"OAuthAuthorizationAllowPage","type":"USER","urlPath":"/auth/authorize/allow","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"PageEditorPage","type":"COMMUNITY","urlPath":"/designer/pages","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"PostPage","type":"COMMUNITY","urlPath":"/category/:categoryId/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"ForumBoardPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"TkbBoardPage","type":"TKB","urlPath":"/category/:categoryId/kb/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"EventPostPage","type":"EVENT","urlPath":"/category/:categoryId/events/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"UserBadgesPage","type":"COMMUNITY","urlPath":"/users/:login/:userId/badges","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"GroupHubMembershipAction","type":"GROUP_HUB","urlPath":"/membership/join/:nodeId/:membershipType","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"MaintenancePage","type":"COMMUNITY","urlPath":"/maintenance","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"IdeaReplyPage","type":"IDEA_REPLY","urlPath":"/idea/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"UserSettingsPage","type":"USER","urlPath":"/mysettings/:userSettingsTab","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"GroupHubsPage","type":"GROUP_HUB","urlPath":"/groups","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"ForumPostPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"OccasionRsvpActionPage","type":"OCCASION","urlPath":"/event/:boardId/:messageSubject/:messageId/rsvp/:responseType","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"VerifyUserEmailPage","type":"USER","urlPath":"/verifyemail/:userId/:verifyEmailToken","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"AllOccasionsPage","type":"OCCASION","urlPath":"/category/:categoryId/events/:boardId/all-events/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"EventBoardPage","type":"EVENT","urlPath":"/category/:categoryId/events/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"TkbReplyPage","type":"TKB_REPLY","urlPath":"/kb/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"IdeaBoardPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"CommunityGuideLinesPage","type":"COMMUNITY","urlPath":"/communityguidelines","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"CaseCreatePage","type":"SALESFORCE_CASE_CREATION","urlPath":"/caseportal/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"TkbEditPage","type":"TKB","urlPath":"/kb/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"ForgotPasswordPage","type":"USER","urlPath":"/forgotpassword","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"IdeaEditPage","type":"IDEA","urlPath":"/idea/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"TagPage","type":"COMMUNITY","urlPath":"/tag/:tagName","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"BlogBoardPage","type":"BLOG","urlPath":"/category/:categoryId/blog/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"OccasionMessagePage","type":"OCCASION_TOPIC","urlPath":"/event/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"ManageContentPage","type":"COMMUNITY","urlPath":"/managecontent","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"ClosedMembershipNodeNonMembersPage","type":"GROUP_HUB","urlPath":"/closedgroup/:groupHubId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"HowDoI.GetHelp.Community","type":"COMMUNITY","urlPath":"/c/how-do-i/get-help/community","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"CommunityPage","type":"COMMUNITY","urlPath":"/","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"HowDoI.GetInvolved.ContributeCode","type":"COMMUNITY","urlPath":"/c/how-do-i/get-involved/contribute-code","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"ForumMessagePage","type":"FORUM_TOPIC","urlPath":"/discussions/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"IdeaPostPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"BlogMessagePage","type":"BLOG_ARTICLE","urlPath":"/blog/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"RegistrationPage","type":"USER","urlPath":"/register","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"EditGroupHubPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"ForumEditPage","type":"FORUM","urlPath":"/discussions/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"ResetPasswordPage","type":"USER","urlPath":"/resetpassword/:userId/:resetPasswordToken","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"TkbMessagePage","type":"TKB_ARTICLE","urlPath":"/kb/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"HowDoI.Learn.AboutIrules","type":"COMMUNITY","urlPath":"/c/how-do-i/learn/about-irules","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"BlogEditPage","type":"BLOG","urlPath":"/blog/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"HowDoI.GetHelp.F5Support","type":"COMMUNITY","urlPath":"/c/how-do-i/get-help/f5-support","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"ManageUsersPage","type":"USER","urlPath":"/users/manage/:tab?/:manageUsersTab?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"ForumReplyPage","type":"FORUM_REPLY","urlPath":"/discussions/:boardId/:messageSubject/:messageId/replies/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"PrivacyPolicyPage","type":"COMMUNITY","urlPath":"/privacypolicy","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"NotificationPage","type":"COMMUNITY","urlPath":"/notifications","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"UserPage","type":"USER","urlPath":"/users/:login/:userId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"HealthCheckPage","type":"COMMUNITY","urlPath":"/health","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"OccasionReplyPage","type":"OCCASION_REPLY","urlPath":"/event/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"ManageMembersPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/manage/:tab?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"SearchResultsPage","type":"COMMUNITY","urlPath":"/search","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"BlogReplyPage","type":"BLOG_REPLY","urlPath":"/blog/:boardId/:messageSubject/:messageId/replies/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"GroupHubPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"TermsOfServicePage","type":"COMMUNITY","urlPath":"/termsofservice","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"HowDoI.GetHelp","type":"COMMUNITY","urlPath":"/c/how-do-i/get-help","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"HowDoI.GetHelp.SecurityIncident","type":"COMMUNITY","urlPath":"/c/how-do-i/get-help/security-incident","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"CategoryPage","type":"CATEGORY","urlPath":"/category/:categoryId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"ForumViewAllTopicsPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId/all-topics/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"TkbPostPage","type":"TKB","urlPath":"/category/:categoryId/kbs/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"GroupHubPostPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745486768810,"localOverride":null,"page":{"id":"HowDoI","type":"COMMUNITY","urlPath":"/c/how-do-i","__typename":"PageDescriptor"},"__typename":"PageResource"}],"localOverride":false},"CachedAsset:text:en_US-components/context/AppContext/AppContextProvider-0":{"__typename":"CachedAsset","id":"text:en_US-components/context/AppContext/AppContextProvider-0","value":{"noCommunity":"Cannot find community","noUser":"Cannot find current user","noNode":"Cannot find node with id {nodeId}","noMessage":"Cannot find message with id {messageId}","userBanned":"We're sorry, but you have been banned from using this site.","userBannedReason":"You have been banned for the following reason: {reason}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/Loading/LoadingDot-0":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/Loading/LoadingDot-0","value":{"title":"Loading..."},"localOverride":false},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/cmstMzctMmdkZklv\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/cmstMzctMmdkZklv","height":0,"width":0,"mimeType":"image/svg+xml"},"Rank:rank:37":{"__typename":"Rank","id":"rank:37","position":14,"name":"Cirrostratus","color":"CCCCCC","icon":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/cmstMzctMmdkZklv\"}"},"rankStyle":"FILLED"},"User:user:29768":{"__typename":"User","id":"user:29768","uid":29768,"login":"hoolio","deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://community.f5.com/t5/s/zihoc95639/m_assets/avatars/default/avatar-7.svg?time=0"},"rank":{"__ref":"Rank:rank:37"},"email":"","messagesCount":11146,"biography":null,"topicsCount":104,"kudosReceivedCount":13,"kudosGivenCount":0,"kudosWeight":1,"registrationData":{"__typename":"RegistrationData","status":null,"registrationTime":"2005-09-08T01:00:00.000-07:00","confirmEmailStatus":null},"followersCount":null,"solutionsCount":1},"Category:category:CrowdSRC":{"__typename":"Category","id":"category:CrowdSRC","entityType":"CATEGORY","displayId":"CrowdSRC","nodeType":"category","depth":1,"title":"CrowdSRC","shortTitle":"CrowdSRC","parent":{"__ref":"Category:category:top"},"categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:top":{"__typename":"Category","id":"category:top","entityType":"CATEGORY","displayId":"top","nodeType":"category","depth":0,"title":"Top","shortTitle":"Top"},"Tkb:board:codeshare":{"__typename":"Tkb","id":"board:codeshare","entityType":"TKB","displayId":"codeshare","nodeType":"board","depth":2,"conversationStyle":"TKB","repliesProperties":{"__typename":"RepliesProperties","sortOrder":"PUBLISH_TIME","repliesFormat":"threaded"},"tagProperties":{"__typename":"TagNodeProperties","tagsEnabled":{"__typename":"PolicyResult","failureReason":null}},"requireTags":true,"tagType":"FREEFORM_AND_PRESET","description":"Have some code. Share some code.","title":"CodeShare","shortTitle":"CodeShare","parent":{"__ref":"Category:category:CrowdSRC"},"ancestors":{"__typename":"CoreNodeConnection","edges":[{"__typename":"CoreNodeEdge","node":{"__ref":"Community:community:zihoc95639"}},{"__typename":"CoreNodeEdge","node":{"__ref":"Category:category:CrowdSRC"}}]},"userContext":{"__typename":"NodeUserContext","canAddAttachments":false,"canUpdateNode":false,"canPostMessages":false,"isSubscribed":false},"theme":{"__ref":"Theme:customTheme1"},"boardPolicies":{"__typename":"BoardPolicies","canViewSpamDashBoard":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.feature.moderation_spam.action.access_spam_quarantine.allowed.accessDenied","key":"error.lithium.policies.feature.moderation_spam.action.access_spam_quarantine.allowed.accessDenied","args":[]}},"canArchiveMessage":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.content_archivals.enable_content_archival_settings.accessDenied","key":"error.lithium.policies.content_archivals.enable_content_archival_settings.accessDenied","args":[]}},"canPublishArticleOnCreate":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.forums.policy_can_publish_on_create_workflow_action.accessDenied","key":"error.lithium.policies.forums.policy_can_publish_on_create_workflow_action.accessDenied","args":[]}},"canReadNode":{"__typename":"PolicyResult","failureReason":null}},"isManualSortOrderAvailable":false,"tkbPolicies":{"__typename":"TkbPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"eventPath":"category:CrowdSRC/community:zihoc95639board:codeshare/"},"TkbTopicMessage:message:284211":{"__typename":"TkbTopicMessage","uid":284211,"subject":"Client Cert Request by URI with OCSP Checking","id":"message:284211","revisionNum":1,"repliesCount":3,"author":{"__ref":"User:user:29768"},"depth":0,"hasGivenKudo":false,"helpful":null,"board":{"__ref":"Tkb:board:codeshare"},"conversation":{"__ref":"Conversation:conversation:284211"},"messagePolicies":{"__typename":"MessagePolicies","canPublishArticleOnEdit":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.forums.policy_can_publish_on_edit_workflow_action.accessDenied","key":"error.lithium.policies.forums.policy_can_publish_on_edit_workflow_action.accessDenied","args":[]}},"canModerateSpamMessage":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.feature.moderation_spam.action.moderate_entity.allowed.accessDenied","key":"error.lithium.policies.feature.moderation_spam.action.moderate_entity.allowed.accessDenied","args":[]}}},"contentWorkflow":{"__typename":"ContentWorkflow","state":"PUBLISH","scheduledPublishTime":null,"scheduledTimezone":null,"userContext":{"__typename":"MessageWorkflowContext","canSubmitForReview":null,"canEdit":false,"canRecall":null,"canSubmitForPublication":null,"canReturnToAuthor":null,"canPublish":null,"canReturnToReview":null,"canSchedule":false},"shortScheduledTimezone":null},"readOnly":false,"editFrozen":false,"moderationData":{"__ref":"ModerationData:moderation_data:284211"},"teaser":"","body":"

Problem this snippet solves:

This iRule requests a client cert for specific URIs and then validates the client cert against the client SSL profile's trusted CA cert bundle. If that succeeds, then the client cert is validated against an OCSP server (or pool of servers). Invalid certs are redirected to a URL with the Openssl verify code appended.

\n

Note: See below for a sample bigip.conf showing the profile and virtual server definitions.

\n

Warning: This is an anonymized version of an OCSP iRule that was tested in a customer implementation. I have not done any testing of the iRule since anonymizing it. So test, test, test!

Code :

# hooleya_auth_ssl_cc_ocsp_rule\n# https://devcentral.f5.com/s/Wiki/default.aspx/iRules/client_cert_request_by_uri_with_ocsp_checking\n#\n# Requires 9.4.8 and hotfix 3 for:\n#   CR125264 - HTTP::respond should be allowed in CLIENTSSL_HANDSHAKE\n#   CR126501 - OCSP AUTH iRules need to detect server down vs. bad cert\n#   CR111646: Connections are no longer rejected when clients fail to send a \n#             certificate to a virtual server with a clientssl profile configured to \"request\" one.\n# v0.9.9 - 2010-02-22\n\n# Description:\n#\n# This iRule requests a client cert for specific URIs and then validates the client cert against the client SSL profile's \n# trusted CA cert bundle.  If that succeeds, then the client cert is validated against an OCSP server (or pool of servers).\n# Invalid certs are redirected to a URL with the Openssl verify code appended.\n#\n# Configuration requirements:\n#\n# 0. This iRule will only work for 9.4.8 with hotfix 3.  It cannot work for any lower LTM version.\n#       It could be updated for 10.0.x.  In 10.1, you don't need to use the session table to store the cert details,\n#       so this iRule is probably not worth updating for 10.1.\n# 1. Configure the URIs to request a client cert for in a datagroup named ocsp_pages_to_require_cert_class.\n# 2. You might also need to customize the cert parsing based on your requirements for which headers to insert.\n# 3. Add this iRule to an OCSP auth profile.\n# 4. Ideally, configure an OCSP server pool and VIP to use in the OCSP responder field\n#       and consider uncommenting the code in this iRule to check the state of the OCSP server pool\n#       before attempting the OCSP validation of a client cert.\n# 5. Test, test test! This is an anonymized version of an OCSP iRule that was tested in a customer implementation.\n#       I have not done any testing of the iRule since anonymizing it.\n\nwhen RULE_INIT {\n\n   # URL to redirect clients to for failed authentication\n   # The error code is appended to the URL in the iRule\n   set ::auth_failure_url \"https://example.com/error.asp?errCode=\"\n\n   # Session timeout. Length of time (in seconds) to store the client cert in the session table.\n   set ::ocsp_session_timeout 1800\n\n   # Log debug messages? (0=none, 1=minimal, 2=verbose, 3=everything)\n   set ::ocsp_debug 3\n\n   # Enable audit logging? (0=none, 1=unvalidated requests only, 2=all requests)\n   set ::ocsp_audit_log_level 2\n\n   # Pages to require a client cert for (replace with datagroup post-testing)\n   #   This is now configured in the ocsp_pages_to_require_cert_class datagroup\n\n   # Prefix to use when inserting the certificate details in the HTTP headers\n   set ::header_prefix \"CRT_\"\n\n   # SSL::sessionid returns 64 0's if the session ID doesn't exist, so set a variable to check for this\n   set ::ocsp_null_sessionid [string repeat 0 64]\n}\nwhen CLIENT_ACCEPTED {\n\n   # Initialise the TMM session id and variables tracking the auth status on each new connection\n   set tmm_auth_ssl_ocsp_sid 0\n   set invalidate_session 0\n   set need_cert 0\n   set inserted_headers 0\n\n   # Save the client IP:port and VIP name to shorten the log lines\n   set log_prefix \"client IP:port=[IP::client_addr]:[TCP::client_port]; VIP=[virtual name]\"\n   if {$::ocsp_debug > 0}{log local0. \"$log_prefix: New TCP connection to [IP::local_addr]:[TCP::local_port]\"}\n}\nwhen CLIENTSSL_CLIENTCERT {\n\n   # This event is triggered when LTM requests/requires a cert, even if the client doesn't present a cert.\n   if {$::ocsp_debug > 0}{log local0. \"$log_prefix: Cert count: [SSL::cert count], SSL sessionid: [SSL::sessionid]\"}\n\n   # Exit this event if we didn't request a cert\n   if {$need_cert == 0}{\n      if {$::ocsp_debug > 2}{log local0. \"$log_prefix: Exiting event as \\$need_cert is 0\"}\n      return\n   }\n   # Check if client presented a cert after it was requested\n   if {[SSL::cert count] == 0}{\n\n      # No client cert received.  Use -1 to track this (0 will be used to indicate no error by SSL::verify_result)\n      set ssl_status_code \"-1\"\n\n      # $ssl_status_desc is only used in this rule for debug logging.\n      set ssl_status_desc \"Required client certificate not present for resource.\"\n\n      if {$::ocsp_debug > 0}{log local0. \"$log_prefix: No cert for protected resource. Invalidating session.\"}\n      set invalidate_session 1\n\n      # Audit logging\n      if {$::ocsp_audit_log_level > 0}{catch {log -noname local0. \"cc_audit: $log_prefix; status_text=No cert for secured URI; URI=$requested_uri;\"}}\n\n   } else {\n\n      # Client presented at least one cert.  The actual client cert should always be first.\n      if {$::ocsp_debug > 1}{\n\n         # Loop through each cert and log the cert subject\n         for {set i 0} {$i < [SSL::cert count]} {incr i}{\n\n            log local0. \"$log_prefix: cert $i, subject: [X509::subject [SSL::cert $i]],\\\n               issuer: [X509::issuer [SSL::cert $i]], cert_serial=[X509::serial_number [SSL::cert $i]]\"\n         }\n      }\n      if {$::ocsp_debug > 2}{log local0. \"$log_prefix: Received cert with SSL session ID: [SSL::sessionid]. Base64 encoded cert: [b64encode [SSL::cert 0]]\"}\n\n      # Save the SSL status code (defined here: http://www.openssl.org/docs/apps/verify.html#DIAGNOSTICS)\n      set ssl_status_code [SSL::verify_result]\n      set ssl_status_desc [X509::verify_cert_error_string [SSL::verify_result]]\n\n      # Check if there was no error in validating the client cert against LTM's server cert\n      if { $ssl_status_code == 0 }{\n         if {$::ocsp_debug > 0}{log local0. \"$log_prefix: Certificate validation against root cert OK. status: $ssl_status_desc. Checking against OCSP.\"}\n\n         ######################################################################################################\n ##### TODO:\n         ##### If the OCSP responder is an LTM VIP (used for load balancing multiple OCSP servers)\n ##### you could add a check here of the OCSP server pool before attempting the OCSP validation.\n ##### Just change my_ocsp_http_pool to the actual OCSP server pool name.\n\n\n         ## Check if the OCSP server pool does not have any\n #if {[active_members my_ocsp_http_pool] == 0}{\n\n         #   # OCSP servers are not available!!\n         #   log local0.emerg \"$log_prefix: OCSP auth pool is down! Resuming SSL handshake and blocking HTTP request.\"\n\n         #   # Audit logging\n         #   if {$::ocsp_audit_log_level > 0}{\n         #      catch {log -noname local0. \"cc_audit: $log_prefix; status_text=OCSP server pool is unavailable. Blocking request.\"}\n         #   }\n\n         #   # We could send an HTTP response from this event, but it doesn't actually get sent until\n         #   # the CLIENTSSL_HANDSHAKE event anyhow.  So track that this is an invalid request and set the app auth status code\n         #   # to indicate OCSP validation of the cert failed.\n         #   set invalidate_session 1\n         #   SSL::handshake resume\n #   return\n #}\n ##### TODO END:\n         ######################################################################################################\n\n # Check if there isn't already a TMM authentication OCSP session ID\n         if {$tmm_auth_ssl_ocsp_sid == 0} {\n\n            # [AUTH::start pam default_ssl_ocsp] returns an authentication session ID\n            set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]\n\n            if {$::ocsp_debug > 2}{log local0. \"$log_prefix: \\$tmm_auth_ssl_ocsp_sid was 0, \\$tmm_auth_ssl_ocsp_sid: $tmm_auth_ssl_ocsp_sid\"}\n\n            if {[info exists tmm_auth_subscription]} {\n               if {$::ocsp_debug > 1}{log local0. \"$log_prefix: Subscribing to \\$tmm_auth_ssl_ocsp_sid: $tmm_auth_ssl_ocsp_sid\"}\n               AUTH::subscribe $tmm_auth_ssl_ocsp_sid\n            }\n         }\n         AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]\n         AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]\n         AUTH::authenticate $tmm_auth_ssl_ocsp_sid\n\n         # Hold the SSL handshake until the auth result is returned from OCSP\n # The AUTH::authenticate command triggers an OCSP lookup and then the AUTH_RESULT event.\n # In AUTH_RESULT, SSL::handshake resume triggers CLIENTSSL_HANDSHAKE.\n         if {$::ocsp_debug > 0}{log local0. \"$log_prefix: Holding SSL handshake for OCSP check\"}\n         SSL::handshake hold\n\n      } else {\n\n         # Client cert validation against the CA's root server cert failed.\n\n         if {$::ocsp_debug > 0}{log local0. \"$log_prefix: Certificate validation not ok. Status: $ssl_status_code, $ssl_status_desc\"}\n\n         # Audit logging\n         if {$::ocsp_audit_log_level > 0}{catch {log -noname local0. \"cc_audit: $log_prefix; \\\n            status_text=Invalid cert for secured URI; openssl_code=$ssl_status_code; openssl_desc=$ssl_status_desc;\\\n            cert_subject=[X509::subject [SSL::cert 0]]; cert_issuer=[X509::issuer [SSL::cert 0]];\\\n            cert_serial=[X509::serial_number [SSL::cert 0]]; URI=$requested_uri\"}}\n\n         # Delete the SSL session from the session table\n         if {$::ocsp_debug > 1}{log local0. \"$log_prefix: Invalidating SSL session [SSL::sessionid]\"}\n         session delete ssl [SSL::sessionid]\n         SSL::session invalidate\n         set invalidate_session 1\n\n         # Release the request flow as we want to send an HTTP response to clients who don't send a valid cert\n         if {$::ocsp_debug > 0}{log local0. \"$log_prefix: Invalid cert. Releasing HTTP.\"}\n      }\n   }\n}\nwhen AUTH_RESULT {\n\n   # AUTH::status values:\n   # https://devcentral.f5.com/s/wiki/default.aspx/iRules/AUTH__status.html\n   #  0 = success\n   #  1 = failure\n   # -1 = error\n   #  2 = not-authed\n\n   if {$::ocsp_debug > 0}{log local0. \"$log_prefix: \\[AUTH::status\\]: [AUTH::status]; (0=success, 1=failure, -1=error, 2=not-authed)\"}\n\n   # Check if there is an existing TMM SSL OCSP session ID\n   if {[info exists tmm_auth_ssl_ocsp_sid] and ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {\n\n      # Save the auth status\n      set tmm_auth_status [AUTH::status]\n\n      # TESTING ONLY: If you want to take any response from the OCSP server as valid, \n      # uncomment this line and set tmm_auth_status to 0.\n      #set tmm_auth_status 0\n\n      # Check if auth was successful\n      if {$tmm_auth_status == 0 } {\n\n # OCSP auth was successful, so resume the SSL handshake.  This will trigger the CLIENTSSL_HANDSHAKE event next.\n         if {$::ocsp_debug > 0}{log local0. \"$log_prefix: Valid cert per OCSP. Resuming SSL handshake\"}\n         SSL::handshake resume\n\n      } else {\n\n         # OCSP auth failed\n\n         # Audit logging\n         if {$::ocsp_audit_log_level > 0}{\n            catch {log -noname local0. \"cc_audit: status=403.13. $log_prefix; status_text=Invalid cert per OCSP for secured URI; URI=$requested_uri\"}\n         }\n\n         # We could send an HTTP response from this event, but it doesn't actually get sent until\n         # the CLIENTSSL_HANDSHAKE event anyhow.  So track that this is an invalid request and set the app auth status code\n         # to indicate OCSP validation of the cert failed.\n         set invalidate_session 1\n\n         if {$::ocsp_debug > 0}{log local0. \"$log_prefix: Invalid cert per OCSP. \\[AUTH::response_data\\]: [AUTH::response_data]. Resuming SSL handshake.\"}\n         SSL::handshake resume\n      }\n   }\n}\nwhen CLIENTSSL_HANDSHAKE {\n\n   # This event is triggered when the SSL handshake with the client completes\n\n   # Log SSL cipher details\n   if {$::ocsp_debug > 2}{log local0. \"$log_prefix: Cipher name, version, bits: [SSL::cipher name], [SSL::cipher version], [SSL::cipher bits]\"}\n\n   # Exit this event if cert isn't required\n   if {$need_cert == 0}{\n      if {$::ocsp_debug > 2}{log local0. \"$log_prefix: \\$need_cert is 0, exiting event.\"}\n      return\n   }\n\n   # Check if OCSP auth was already successful\n   if {[info exists tmm_auth_status] and $tmm_auth_status == 0}{\n\n      if {$::ocsp_debug > 1}{log local0. \"$log_prefix: Auth succeeded, parsing cert fields and adding session table entry.\"}\n\n      # The parsing of the cert can be customized based on the application's requirements\n      # For this particular implementation, the customer wanted the following fields inserted into the request HTTP headers:\n      #\n      #        Issuer\n      #        Serial number\n      #        Valid from date\n      #        Valid to date\n      #        Subject\n\n      # Add the client cert fields as a list to the session table\n      if {$::ocsp_debug > 0}{log local0. \"$log_prefix: Saving client cert details in session using SSL sessionid [SSL::sessionid].\"}\n\n      session add ssl [SSL::sessionid] [list \\\n         ${::header_prefix}Issuer [X509::issuer [SSL::cert 0]] \\\n         ${::header_prefix}SerialNumber [X509::serial_number [SSL::cert 0]] \\\n         ${::header_prefix}ValidFrom [X509::not_valid_before [SSL::cert 0]] \\\n         ${::header_prefix}ValidUntil [X509::not_valid_after [SSL::cert 0]] \\\n         ${::header_prefix}Subject [X509::subject [SSL::cert 0]]\n      ] $::ocsp_session_timeout\n\n      # Audit logging\n      if {$::ocsp_audit_log_level > 1}{\n         catch {log -noname local0. \"cc_audit: status=okay; $log_prefix; status_text=Valid cert per OCSP for secured URI (new SSL session);\\\n            cert_subject=[X509::subject [SSL::cert 0]]; cert_issuer=[X509::issuer [SSL::cert 0]]; cert_serial=[X509::serial_number [SSL::cert 0]]; \\\n    URI=$requested_uri\"}\n      }\n\n      if {$::ocsp_debug > 1}{log local0. \"$log_prefix: Auth was successful, releasing HTTP\"}\n      HTTP::release\n\n   } elseif {$invalidate_session}{\n\n      if {$::ocsp_debug > 0}{log local0. \"$log_prefix: No/invalid cert received, sending block response.\"}\n\n      # Send response to client for invalid request\n      HTTP::respond 302 Location \"${::auth_failure_url}${ssl_status_code}\" Connection Close Cache-Control No-Cache Pragma No-Cache\n      HTTP::release\n      session delete ssl [SSL::sessionid]\n      SSL::session invalidate\n      TCP::close\n   } else {\n      if {$::ocsp_debug > 2}{log local0. \"$log_prefix: default case.\"}\n   }\n}\nwhen HTTP_REQUEST {\n\n   if {$::ocsp_debug > 1}{log local0. \"$log_prefix: URI: [HTTP::uri], SSL session ID: [SSL::sessionid],\\\n      session lookup llength: [llength [session lookup ssl [SSL::sessionid]]],\\\n      string len: [string length [session lookup ssl [SSL::sessionid]]]\\\n      User-Agent: [HTTP::header User-Agent]\"}\n\n   # Double check that the session is valid\n   if {[info exists invalidate_session] and $invalidate_session == 1}{\n\n      if {$::ocsp_debug > 0}{log local0. \"$log_prefix: Invalidating SSL session ID: [SSL::sessionid]\"}\n      session delete ssl [SSL::sessionid]\n      SSL::session invalidate\n   }\n   # Check if request is to a page which requires a client SSL certificate\n   if {[matchclass [string tolower [HTTP::path]] starts_with $::ocsp_pages_to_require_cert_class]}{\n\n      # Save the requested URI for logging in subsequent events\n      set requested_uri [HTTP::uri]\n\n      # Track that this is a request for a restricted URI\n      set need_cert 1\n      if {$::ocsp_debug > 0}{log local0. \"$log_prefix: Request to restricted path: [HTTP::path]. \\$need_cert: $need_cert\"}\n\n      # Check if there is an existing SSL session ID and if the cert is in the session table\n      #   This condition should only be true on resumed SSL sessions.\n      if {[SSL::sessionid] ne $::ocsp_null_sessionid and [session lookup ssl [SSL::sessionid]] ne \"\"}{\n\n         if {$::ocsp_debug > 0}{\n            log local0. \"$log_prefix: Allowed request to [HTTP::host][HTTP::uri]. Inserting SSL cert details in HTTP headers.\"\n\n            # Debug logging of each session table list item\n            if {$::ocsp_debug > 2}{\n               foreach session_element [session lookup ssl [SSL::sessionid]] {\n                  log local0. \"$log_prefix: $session_element\"\n               }\n            }\n         }\n\n         # Remove any HTTP header which starts with \"crt_\"\n         foreach a_header [HTTP::header names] {\n\n            # Check if this header name starts with \"crt_\"\n            if {[string match -nocase ${::header_prefix}* $a_header]}{\n               HTTP::header remove $a_header\n\n               # If there is a header which starts with crt_, it is probably someone attacking the application!\n               log local0.emerg \"$log_prefix: Client with possible spoofed client cert header [HTTP::request]\"\n            }\n         }\n\n         # Insert SSL cert details in the HTTP headers\n         HTTP::header insert [session lookup ssl [SSL::sessionid]]\n\n         # Track that we've inserted the HTTP headers, so we don't do it again in HTTP_REQUEST_SEND\n         set inserted_headers 1\n\n         if {$::ocsp_debug > 0}{log local0. \"$log_prefix: Valid request\"}\n\n         # Audit logging\n         if {$::ocsp_audit_log_level > 1}{\n\n            # Get the cert details from the session table for the audit logging\n            set session_list [session lookup ssl [SSL::sessionid]]\n\n            catch {log -noname local0. \"cc_audit: status=okay; $log_prefix; status_text=Valid cert per OCSP for secured URI (resumed SSL session);\\\n               cert_subject=[lindex $session_list 9]; cert_issuer=[lindex $session_list 1]; cert_serial=[lindex $session_list 3]; URI=$requested_uri\"}\n         }\n\n      } else {\n\n         # Hold the HTTP request until the SSL re-negotiation is complete\n         HTTP::collect\n\n         # Force renegotiation of the SSL connection with a cert requested\n         SSL::session invalidate\n         SSL::authenticate always\n         SSL::authenticate depth 9\n         SSL::cert mode request\n         SSL::renegotiate\n\n         if {$::ocsp_debug > 0}{log local0. \"$log_prefix: Restricted path, [HTTP::uri], with no client cert. Collecting HTTP and renegotiating SSL\"}\n      }\n   } else {\n      if {$::ocsp_debug > 1}{log local0. \"$log_prefix: Request to unrestricted path: [HTTP::path]\"}\n      set need_cert 0\n   }\n}\nwhen HTTP_REQUEST_SEND {\n\n   # This event is relevant only on the initial request of a secured URI (non-resumed SSL sessions).\n   # The insertion of cert details for resumed SSL sessions is handled in HTTP_REQUEST.\n\n   # Force evaluation in clientside context as HTTP_REQUEST_SEND is a serverside event\n   clientside {\n\n      if {$::ocsp_debug > 0}{log local0. \"$log_prefix: \\$invalidate_session: $invalidate_session,\\\n         \\$need_cert: $need_cert, \\[SSL::sessionid\\]: [SSL::sessionid], \\[session lookup ssl \\[SSL::sessionid\\]\\]: [session lookup ssl [SSL::sessionid]],\\\n         URI: [clientside {HTTP::uri}]\"}\n\n      # Check if request was to a restricted URI and the headers weren't inserted already in HTTP_REQUEST\n      if {$need_cert==1 and $inserted_headers==0}{\n\n         # Check if the session is still valid, there is an existing SSL session ID and that the cert is in the session table\n         if {$invalidate_session == 0 and [SSL::sessionid] ne $::ocsp_null_sessionid and [session lookup ssl [SSL::sessionid]] ne \"\"}{\n\n            # Remove any HTTP header which starts with \"crt_\"\n            foreach a_header [HTTP::header names] {\n\n               # Check if this header name starts with \"crt_\"\n               if {[string match -nocase ${::header_prefix}* $a_header]}{\n\n                  HTTP::header remove $a_header\n\n                  # If there is a header which starts with crt_, it is probably someone attacking the application!\n                  log local0.emerg \"$log_prefix: Client with possible spoofed client cert header [HTTP::host][HTTP::uri], [HTTP::header User-Agent\"]\"\n               }\n            }\n\n            if {$::ocsp_debug > 0}{log local0. \"$log_prefix: Inserting SSL cert details in HTTP headers.\"}\n\n            # Insert SSL cert details from the session table in the HTTP headers\n            HTTP::header insert [session lookup ssl [SSL::sessionid]]\n\n         } else {\n\n             # Client request for secured URI wasn't valid\n             log local0. \"$log_prefix: Rejecting connection for invalid request to [HTTP::host][HTTP::uri] ([IP::local_addr]:[TCP::local_port])\\\n                with session ID: [SSL::sessionid]\"\n\n            # Reject the connection as we should never get here\n            reject\n         }\n      }\n   }\n}
","body@stringLength":"20939","rawBody":"

Problem this snippet solves:

This iRule requests a client cert for specific URIs and then validates the client cert against the client SSL profile's trusted CA cert bundle. If that succeeds, then the client cert is validated against an OCSP server (or pool of servers). Invalid certs are redirected to a URL with the Openssl verify code appended.

\n

Note: See below for a sample bigip.conf showing the profile and virtual server definitions.

\n

Warning: This is an anonymized version of an OCSP iRule that was tested in a customer implementation. I have not done any testing of the iRule since anonymizing it. So test, test, test!

Code :

# hooleya_auth_ssl_cc_ocsp_rule\n# https://devcentral.f5.com/s/Wiki/default.aspx/iRules/client_cert_request_by_uri_with_ocsp_checking\n#\n# Requires 9.4.8 and hotfix 3 for:\n#   CR125264 - HTTP::respond should be allowed in CLIENTSSL_HANDSHAKE\n#   CR126501 - OCSP AUTH iRules need to detect server down vs. bad cert\n#   CR111646: Connections are no longer rejected when clients fail to send a \n#             certificate to a virtual server with a clientssl profile configured to \"request\" one.\n# v0.9.9 - 2010-02-22\n\n# Description:\n#\n# This iRule requests a client cert for specific URIs and then validates the client cert against the client SSL profile's \n# trusted CA cert bundle.  If that succeeds, then the client cert is validated against an OCSP server (or pool of servers).\n# Invalid certs are redirected to a URL with the Openssl verify code appended.\n#\n# Configuration requirements:\n#\n# 0. This iRule will only work for 9.4.8 with hotfix 3.  It cannot work for any lower LTM version.\n#       It could be updated for 10.0.x.  In 10.1, you don't need to use the session table to store the cert details,\n#       so this iRule is probably not worth updating for 10.1.\n# 1. Configure the URIs to request a client cert for in a datagroup named ocsp_pages_to_require_cert_class.\n# 2. You might also need to customize the cert parsing based on your requirements for which headers to insert.\n# 3. Add this iRule to an OCSP auth profile.\n# 4. Ideally, configure an OCSP server pool and VIP to use in the OCSP responder field\n#       and consider uncommenting the code in this iRule to check the state of the OCSP server pool\n#       before attempting the OCSP validation of a client cert.\n# 5. Test, test test! This is an anonymized version of an OCSP iRule that was tested in a customer implementation.\n#       I have not done any testing of the iRule since anonymizing it.\n\nwhen RULE_INIT {\n\n   # URL to redirect clients to for failed authentication\n   # The error code is appended to the URL in the iRule\n   set ::auth_failure_url \"https://example.com/error.asp?errCode=\"\n\n   # Session timeout. Length of time (in seconds) to store the client cert in the session table.\n   set ::ocsp_session_timeout 1800\n\n   # Log debug messages? (0=none, 1=minimal, 2=verbose, 3=everything)\n   set ::ocsp_debug 3\n\n   # Enable audit logging? (0=none, 1=unvalidated requests only, 2=all requests)\n   set ::ocsp_audit_log_level 2\n\n   # Pages to require a client cert for (replace with datagroup post-testing)\n   #   This is now configured in the ocsp_pages_to_require_cert_class datagroup\n\n   # Prefix to use when inserting the certificate details in the HTTP headers\n   set ::header_prefix \"CRT_\"\n\n   # SSL::sessionid returns 64 0's if the session ID doesn't exist, so set a variable to check for this\n   set ::ocsp_null_sessionid [string repeat 0 64]\n}\nwhen CLIENT_ACCEPTED {\n\n   # Initialise the TMM session id and variables tracking the auth status on each new connection\n   set tmm_auth_ssl_ocsp_sid 0\n   set invalidate_session 0\n   set need_cert 0\n   set inserted_headers 0\n\n   # Save the client IP:port and VIP name to shorten the log lines\n   set log_prefix \"client IP:port=[IP::client_addr]:[TCP::client_port]; VIP=[virtual name]\"\n   if {$::ocsp_debug > 0}{log local0. \"$log_prefix: New TCP connection to [IP::local_addr]:[TCP::local_port]\"}\n}\nwhen CLIENTSSL_CLIENTCERT {\n\n   # This event is triggered when LTM requests/requires a cert, even if the client doesn't present a cert.\n   if {$::ocsp_debug > 0}{log local0. \"$log_prefix: Cert count: [SSL::cert count], SSL sessionid: [SSL::sessionid]\"}\n\n   # Exit this event if we didn't request a cert\n   if {$need_cert == 0}{\n      if {$::ocsp_debug > 2}{log local0. \"$log_prefix: Exiting event as \\$need_cert is 0\"}\n      return\n   }\n   # Check if client presented a cert after it was requested\n   if {[SSL::cert count] == 0}{\n\n      # No client cert received.  Use -1 to track this (0 will be used to indicate no error by SSL::verify_result)\n      set ssl_status_code \"-1\"\n\n      # $ssl_status_desc is only used in this rule for debug logging.\n      set ssl_status_desc \"Required client certificate not present for resource.\"\n\n      if {$::ocsp_debug > 0}{log local0. \"$log_prefix: No cert for protected resource. Invalidating session.\"}\n      set invalidate_session 1\n\n      # Audit logging\n      if {$::ocsp_audit_log_level > 0}{catch {log -noname local0. \"cc_audit: $log_prefix; status_text=No cert for secured URI; URI=$requested_uri;\"}}\n\n   } else {\n\n      # Client presented at least one cert.  The actual client cert should always be first.\n      if {$::ocsp_debug > 1}{\n\n         # Loop through each cert and log the cert subject\n         for {set i 0} {$i < [SSL::cert count]} {incr i}{\n\n            log local0. \"$log_prefix: cert $i, subject: [X509::subject [SSL::cert $i]],\\\n               issuer: [X509::issuer [SSL::cert $i]], cert_serial=[X509::serial_number [SSL::cert $i]]\"\n         }\n      }\n      if {$::ocsp_debug > 2}{log local0. \"$log_prefix: Received cert with SSL session ID: [SSL::sessionid]. Base64 encoded cert: [b64encode [SSL::cert 0]]\"}\n\n      # Save the SSL status code (defined here: http://www.openssl.org/docs/apps/verify.html#DIAGNOSTICS)\n      set ssl_status_code [SSL::verify_result]\n      set ssl_status_desc [X509::verify_cert_error_string [SSL::verify_result]]\n\n      # Check if there was no error in validating the client cert against LTM's server cert\n      if { $ssl_status_code == 0 }{\n         if {$::ocsp_debug > 0}{log local0. \"$log_prefix: Certificate validation against root cert OK. status: $ssl_status_desc. Checking against OCSP.\"}\n\n         ######################################################################################################\n ##### TODO:\n         ##### If the OCSP responder is an LTM VIP (used for load balancing multiple OCSP servers)\n ##### you could add a check here of the OCSP server pool before attempting the OCSP validation.\n ##### Just change my_ocsp_http_pool to the actual OCSP server pool name.\n\n\n         ## Check if the OCSP server pool does not have any\n #if {[active_members my_ocsp_http_pool] == 0}{\n\n         #   # OCSP servers are not available!!\n         #   log local0.emerg \"$log_prefix: OCSP auth pool is down! Resuming SSL handshake and blocking HTTP request.\"\n\n         #   # Audit logging\n         #   if {$::ocsp_audit_log_level > 0}{\n         #      catch {log -noname local0. \"cc_audit: $log_prefix; status_text=OCSP server pool is unavailable. Blocking request.\"}\n         #   }\n\n         #   # We could send an HTTP response from this event, but it doesn't actually get sent until\n         #   # the CLIENTSSL_HANDSHAKE event anyhow.  So track that this is an invalid request and set the app auth status code\n         #   # to indicate OCSP validation of the cert failed.\n         #   set invalidate_session 1\n         #   SSL::handshake resume\n #   return\n #}\n ##### TODO END:\n         ######################################################################################################\n\n # Check if there isn't already a TMM authentication OCSP session ID\n         if {$tmm_auth_ssl_ocsp_sid == 0} {\n\n            # [AUTH::start pam default_ssl_ocsp] returns an authentication session ID\n            set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]\n\n            if {$::ocsp_debug > 2}{log local0. \"$log_prefix: \\$tmm_auth_ssl_ocsp_sid was 0, \\$tmm_auth_ssl_ocsp_sid: $tmm_auth_ssl_ocsp_sid\"}\n\n            if {[info exists tmm_auth_subscription]} {\n               if {$::ocsp_debug > 1}{log local0. \"$log_prefix: Subscribing to \\$tmm_auth_ssl_ocsp_sid: $tmm_auth_ssl_ocsp_sid\"}\n               AUTH::subscribe $tmm_auth_ssl_ocsp_sid\n            }\n         }\n         AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]\n         AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]\n         AUTH::authenticate $tmm_auth_ssl_ocsp_sid\n\n         # Hold the SSL handshake until the auth result is returned from OCSP\n # The AUTH::authenticate command triggers an OCSP lookup and then the AUTH_RESULT event.\n # In AUTH_RESULT, SSL::handshake resume triggers CLIENTSSL_HANDSHAKE.\n         if {$::ocsp_debug > 0}{log local0. \"$log_prefix: Holding SSL handshake for OCSP check\"}\n         SSL::handshake hold\n\n      } else {\n\n         # Client cert validation against the CA's root server cert failed.\n\n         if {$::ocsp_debug > 0}{log local0. \"$log_prefix: Certificate validation not ok. Status: $ssl_status_code, $ssl_status_desc\"}\n\n         # Audit logging\n         if {$::ocsp_audit_log_level > 0}{catch {log -noname local0. \"cc_audit: $log_prefix; \\\n            status_text=Invalid cert for secured URI; openssl_code=$ssl_status_code; openssl_desc=$ssl_status_desc;\\\n            cert_subject=[X509::subject [SSL::cert 0]]; cert_issuer=[X509::issuer [SSL::cert 0]];\\\n            cert_serial=[X509::serial_number [SSL::cert 0]]; URI=$requested_uri\"}}\n\n         # Delete the SSL session from the session table\n         if {$::ocsp_debug > 1}{log local0. \"$log_prefix: Invalidating SSL session [SSL::sessionid]\"}\n         session delete ssl [SSL::sessionid]\n         SSL::session invalidate\n         set invalidate_session 1\n\n         # Release the request flow as we want to send an HTTP response to clients who don't send a valid cert\n         if {$::ocsp_debug > 0}{log local0. \"$log_prefix: Invalid cert. Releasing HTTP.\"}\n      }\n   }\n}\nwhen AUTH_RESULT {\n\n   # AUTH::status values:\n   # https://devcentral.f5.com/s/wiki/default.aspx/iRules/AUTH__status.html\n   #  0 = success\n   #  1 = failure\n   # -1 = error\n   #  2 = not-authed\n\n   if {$::ocsp_debug > 0}{log local0. \"$log_prefix: \\[AUTH::status\\]: [AUTH::status]; (0=success, 1=failure, -1=error, 2=not-authed)\"}\n\n   # Check if there is an existing TMM SSL OCSP session ID\n   if {[info exists tmm_auth_ssl_ocsp_sid] and ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {\n\n      # Save the auth status\n      set tmm_auth_status [AUTH::status]\n\n      # TESTING ONLY: If you want to take any response from the OCSP server as valid, \n      # uncomment this line and set tmm_auth_status to 0.\n      #set tmm_auth_status 0\n\n      # Check if auth was successful\n      if {$tmm_auth_status == 0 } {\n\n # OCSP auth was successful, so resume the SSL handshake.  This will trigger the CLIENTSSL_HANDSHAKE event next.\n         if {$::ocsp_debug > 0}{log local0. \"$log_prefix: Valid cert per OCSP. Resuming SSL handshake\"}\n         SSL::handshake resume\n\n      } else {\n\n         # OCSP auth failed\n\n         # Audit logging\n         if {$::ocsp_audit_log_level > 0}{\n            catch {log -noname local0. \"cc_audit: status=403.13. $log_prefix; status_text=Invalid cert per OCSP for secured URI; URI=$requested_uri\"}\n         }\n\n         # We could send an HTTP response from this event, but it doesn't actually get sent until\n         # the CLIENTSSL_HANDSHAKE event anyhow.  So track that this is an invalid request and set the app auth status code\n         # to indicate OCSP validation of the cert failed.\n         set invalidate_session 1\n\n         if {$::ocsp_debug > 0}{log local0. \"$log_prefix: Invalid cert per OCSP. \\[AUTH::response_data\\]: [AUTH::response_data]. Resuming SSL handshake.\"}\n         SSL::handshake resume\n      }\n   }\n}\nwhen CLIENTSSL_HANDSHAKE {\n\n   # This event is triggered when the SSL handshake with the client completes\n\n   # Log SSL cipher details\n   if {$::ocsp_debug > 2}{log local0. \"$log_prefix: Cipher name, version, bits: [SSL::cipher name], [SSL::cipher version], [SSL::cipher bits]\"}\n\n   # Exit this event if cert isn't required\n   if {$need_cert == 0}{\n      if {$::ocsp_debug > 2}{log local0. \"$log_prefix: \\$need_cert is 0, exiting event.\"}\n      return\n   }\n\n   # Check if OCSP auth was already successful\n   if {[info exists tmm_auth_status] and $tmm_auth_status == 0}{\n\n      if {$::ocsp_debug > 1}{log local0. \"$log_prefix: Auth succeeded, parsing cert fields and adding session table entry.\"}\n\n      # The parsing of the cert can be customized based on the application's requirements\n      # For this particular implementation, the customer wanted the following fields inserted into the request HTTP headers:\n      #\n      #        Issuer\n      #        Serial number\n      #        Valid from date\n      #        Valid to date\n      #        Subject\n\n      # Add the client cert fields as a list to the session table\n      if {$::ocsp_debug > 0}{log local0. \"$log_prefix: Saving client cert details in session using SSL sessionid [SSL::sessionid].\"}\n\n      session add ssl [SSL::sessionid] [list \\\n         ${::header_prefix}Issuer [X509::issuer [SSL::cert 0]] \\\n         ${::header_prefix}SerialNumber [X509::serial_number [SSL::cert 0]] \\\n         ${::header_prefix}ValidFrom [X509::not_valid_before [SSL::cert 0]] \\\n         ${::header_prefix}ValidUntil [X509::not_valid_after [SSL::cert 0]] \\\n         ${::header_prefix}Subject [X509::subject [SSL::cert 0]]\n      ] $::ocsp_session_timeout\n\n      # Audit logging\n      if {$::ocsp_audit_log_level > 1}{\n         catch {log -noname local0. \"cc_audit: status=okay; $log_prefix; status_text=Valid cert per OCSP for secured URI (new SSL session);\\\n            cert_subject=[X509::subject [SSL::cert 0]]; cert_issuer=[X509::issuer [SSL::cert 0]]; cert_serial=[X509::serial_number [SSL::cert 0]]; \\\n    URI=$requested_uri\"}\n      }\n\n      if {$::ocsp_debug > 1}{log local0. \"$log_prefix: Auth was successful, releasing HTTP\"}\n      HTTP::release\n\n   } elseif {$invalidate_session}{\n\n      if {$::ocsp_debug > 0}{log local0. \"$log_prefix: No/invalid cert received, sending block response.\"}\n\n      # Send response to client for invalid request\n      HTTP::respond 302 Location \"${::auth_failure_url}${ssl_status_code}\" Connection Close Cache-Control No-Cache Pragma No-Cache\n      HTTP::release\n      session delete ssl [SSL::sessionid]\n      SSL::session invalidate\n      TCP::close\n   } else {\n      if {$::ocsp_debug > 2}{log local0. \"$log_prefix: default case.\"}\n   }\n}\nwhen HTTP_REQUEST {\n\n   if {$::ocsp_debug > 1}{log local0. \"$log_prefix: URI: [HTTP::uri], SSL session ID: [SSL::sessionid],\\\n      session lookup llength: [llength [session lookup ssl [SSL::sessionid]]],\\\n      string len: [string length [session lookup ssl [SSL::sessionid]]]\\\n      User-Agent: [HTTP::header User-Agent]\"}\n\n   # Double check that the session is valid\n   if {[info exists invalidate_session] and $invalidate_session == 1}{\n\n      if {$::ocsp_debug > 0}{log local0. \"$log_prefix: Invalidating SSL session ID: [SSL::sessionid]\"}\n      session delete ssl [SSL::sessionid]\n      SSL::session invalidate\n   }\n   # Check if request is to a page which requires a client SSL certificate\n   if {[matchclass [string tolower [HTTP::path]] starts_with $::ocsp_pages_to_require_cert_class]}{\n\n      # Save the requested URI for logging in subsequent events\n      set requested_uri [HTTP::uri]\n\n      # Track that this is a request for a restricted URI\n      set need_cert 1\n      if {$::ocsp_debug > 0}{log local0. \"$log_prefix: Request to restricted path: [HTTP::path]. \\$need_cert: $need_cert\"}\n\n      # Check if there is an existing SSL session ID and if the cert is in the session table\n      #   This condition should only be true on resumed SSL sessions.\n      if {[SSL::sessionid] ne $::ocsp_null_sessionid and [session lookup ssl [SSL::sessionid]] ne \"\"}{\n\n         if {$::ocsp_debug > 0}{\n            log local0. \"$log_prefix: Allowed request to [HTTP::host][HTTP::uri]. Inserting SSL cert details in HTTP headers.\"\n\n            # Debug logging of each session table list item\n            if {$::ocsp_debug > 2}{\n               foreach session_element [session lookup ssl [SSL::sessionid]] {\n                  log local0. \"$log_prefix: $session_element\"\n               }\n            }\n         }\n\n         # Remove any HTTP header which starts with \"crt_\"\n         foreach a_header [HTTP::header names] {\n\n            # Check if this header name starts with \"crt_\"\n            if {[string match -nocase ${::header_prefix}* $a_header]}{\n               HTTP::header remove $a_header\n\n               # If there is a header which starts with crt_, it is probably someone attacking the application!\n               log local0.emerg \"$log_prefix: Client with possible spoofed client cert header [HTTP::request]\"\n            }\n         }\n\n         # Insert SSL cert details in the HTTP headers\n         HTTP::header insert [session lookup ssl [SSL::sessionid]]\n\n         # Track that we've inserted the HTTP headers, so we don't do it again in HTTP_REQUEST_SEND\n         set inserted_headers 1\n\n         if {$::ocsp_debug > 0}{log local0. \"$log_prefix: Valid request\"}\n\n         # Audit logging\n         if {$::ocsp_audit_log_level > 1}{\n\n            # Get the cert details from the session table for the audit logging\n            set session_list [session lookup ssl [SSL::sessionid]]\n\n            catch {log -noname local0. \"cc_audit: status=okay; $log_prefix; status_text=Valid cert per OCSP for secured URI (resumed SSL session);\\\n               cert_subject=[lindex $session_list 9]; cert_issuer=[lindex $session_list 1]; cert_serial=[lindex $session_list 3]; URI=$requested_uri\"}\n         }\n\n      } else {\n\n         # Hold the HTTP request until the SSL re-negotiation is complete\n         HTTP::collect\n\n         # Force renegotiation of the SSL connection with a cert requested\n         SSL::session invalidate\n         SSL::authenticate always\n         SSL::authenticate depth 9\n         SSL::cert mode request\n         SSL::renegotiate\n\n         if {$::ocsp_debug > 0}{log local0. \"$log_prefix: Restricted path, [HTTP::uri], with no client cert. Collecting HTTP and renegotiating SSL\"}\n      }\n   } else {\n      if {$::ocsp_debug > 1}{log local0. \"$log_prefix: Request to unrestricted path: [HTTP::path]\"}\n      set need_cert 0\n   }\n}\nwhen HTTP_REQUEST_SEND {\n\n   # This event is relevant only on the initial request of a secured URI (non-resumed SSL sessions).\n   # The insertion of cert details for resumed SSL sessions is handled in HTTP_REQUEST.\n\n   # Force evaluation in clientside context as HTTP_REQUEST_SEND is a serverside event\n   clientside {\n\n      if {$::ocsp_debug > 0}{log local0. \"$log_prefix: \\$invalidate_session: $invalidate_session,\\\n         \\$need_cert: $need_cert, \\[SSL::sessionid\\]: [SSL::sessionid], \\[session lookup ssl \\[SSL::sessionid\\]\\]: [session lookup ssl [SSL::sessionid]],\\\n         URI: [clientside {HTTP::uri}]\"}\n\n      # Check if request was to a restricted URI and the headers weren't inserted already in HTTP_REQUEST\n      if {$need_cert==1 and $inserted_headers==0}{\n\n         # Check if the session is still valid, there is an existing SSL session ID and that the cert is in the session table\n         if {$invalidate_session == 0 and [SSL::sessionid] ne $::ocsp_null_sessionid and [session lookup ssl [SSL::sessionid]] ne \"\"}{\n\n            # Remove any HTTP header which starts with \"crt_\"\n            foreach a_header [HTTP::header names] {\n\n               # Check if this header name starts with \"crt_\"\n               if {[string match -nocase ${::header_prefix}* $a_header]}{\n\n                  HTTP::header remove $a_header\n\n                  # If there is a header which starts with crt_, it is probably someone attacking the application!\n                  log local0.emerg \"$log_prefix: Client with possible spoofed client cert header [HTTP::host][HTTP::uri], [HTTP::header User-Agent\"]\"\n               }\n            }\n\n            if {$::ocsp_debug > 0}{log local0. \"$log_prefix: Inserting SSL cert details in HTTP headers.\"}\n\n            # Insert SSL cert details from the session table in the HTTP headers\n            HTTP::header insert [session lookup ssl [SSL::sessionid]]\n\n         } else {\n\n             # Client request for secured URI wasn't valid\n             log local0. \"$log_prefix: Rejecting connection for invalid request to [HTTP::host][HTTP::uri] ([IP::local_addr]:[TCP::local_port])\\\n                with session ID: [SSL::sessionid]\"\n\n            # Reject the connection as we should never get here\n            reject\n         }\n      }\n   }\n}
","kudosSumWeight":0,"postTime":"2015-03-16T16:00:59.000-07:00","images":{"__typename":"AssociatedImageConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"attachments":{"__typename":"AttachmentConnection","pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null},"edges":[]},"tags":{"__typename":"TagConnection","pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null},"edges":[{"__typename":"TagEdge","cursor":"MjUuM3wyLjF8b3wxMHxfTlZffDE","node":{"__typename":"Tag","id":"tag:application delivery","text":"application delivery","time":"2021-06-30T01:48:44.000-07:00","lastActivityTime":null,"messagesCount":null,"followersCount":null}},{"__typename":"TagEdge","cursor":"MjUuM3wyLjF8b3wxMHxfTlZffDI","node":{"__typename":"Tag","id":"tag:content manipulation","text":"content manipulation","time":"2022-01-24T02:33:20.817-08:00","lastActivityTime":null,"messagesCount":null,"followersCount":null}},{"__typename":"TagEdge","cursor":"MjUuM3wyLjF8b3wxMHxfTlZffDM","node":{"__typename":"Tag","id":"tag:devops","text":"devops","time":"2011-10-19T17:50:55.000-07:00","lastActivityTime":null,"messagesCount":null,"followersCount":null}},{"__typename":"TagEdge","cursor":"MjUuM3wyLjF8b3wxMHxfTlZffDQ","node":{"__typename":"Tag","id":"tag:iRules","text":"iRules","time":"2022-01-24T02:29:45.106-08:00","lastActivityTime":null,"messagesCount":null,"followersCount":null}}]},"timeToRead":11,"rawTeaser":"","introduction":"","currentRevision":{"__ref":"Revision:revision:284211_1"},"latestVersion":{"__typename":"FriendlyVersion","major":"1","minor":"0"},"metrics":{"__typename":"MessageMetrics","views":2043},"visibilityScope":"PUBLIC","canonicalUrl":null,"seoTitle":null,"seoDescription":null,"placeholder":false,"originalMessageForPlaceholder":null,"contributors":{"__typename":"UserConnection","edges":[]},"nonCoAuthorContributors":{"__typename":"UserConnection","edges":[]},"coAuthors":{"__typename":"UserConnection","edges":[{"__typename":"UserEdge","node":{"__ref":"User:user:29768"}}]},"tkbMessagePolicies":{"__typename":"TkbMessagePolicies","canDoAuthoringActionsOnTkb":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.tkb.policy_can_do_authoring_action.accessDenied","key":"error.lithium.policies.tkb.policy_can_do_authoring_action.accessDenied","args":[]}}},"archivalData":null,"replies":{"__typename":"MessageConnection","edges":[{"__typename":"MessageEdge","cursor":"MjUuM3wyLjF8aXwxMHwzOToxfGludCwyODQyMTIsMjg0MjEy","node":{"__ref":"TkbReplyMessage:message:284212"}},{"__typename":"MessageEdge","cursor":"MjUuM3wyLjF8aXwxMHwzOToxfGludCwyODQyMTIsMjg0MjEz","node":{"__ref":"TkbReplyMessage:message:284213"}},{"__typename":"MessageEdge","cursor":"MjUuM3wyLjF8aXwxMHwzOToxfGludCwyODQyMTIsMjg0MjE0","node":{"__ref":"TkbReplyMessage:message:284214"}}],"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"customFields":[],"revisions({\"constraints\":{\"isPublished\":{\"eq\":true}},\"first\":1})":{"__typename":"RevisionConnection","totalCount":1}},"Conversation:conversation:284211":{"__typename":"Conversation","id":"conversation:284211","solved":false,"topic":{"__ref":"TkbTopicMessage:message:284211"},"lastPostingActivityTime":"2020-05-01T07:30:20.000-07:00","lastPostTime":"2020-05-01T07:30:20.000-07:00","unreadReplyCount":3,"isSubscribed":false},"ModerationData:moderation_data:284211":{"__typename":"ModerationData","id":"moderation_data:284211","status":"APPROVED","rejectReason":null,"isReportedAbuse":false,"rejectUser":null,"rejectTime":null,"rejectActorType":null},"Revision:revision:284211_1":{"__typename":"Revision","id":"revision:284211_1","lastEditTime":"2015-03-16T16:00:59.000-07:00"},"CachedAsset:theme:customTheme1-1745486311603":{"__typename":"CachedAsset","id":"theme:customTheme1-1745486311603","value":{"id":"customTheme1","animation":{"fast":"150ms","normal":"250ms","slow":"500ms","slowest":"750ms","function":"cubic-bezier(0.07, 0.91, 0.51, 1)","__typename":"AnimationThemeSettings"},"avatar":{"borderRadius":"50%","collections":["custom"],"__typename":"AvatarThemeSettings"},"basics":{"browserIcon":{"imageAssetName":"JimmyPackets-512-1702592938213.png","imageLastModified":"1702592945815","__typename":"ThemeAsset"},"customerLogo":{"imageAssetName":"f5_logo_fix-1704824537976.svg","imageLastModified":"1704824540697","__typename":"ThemeAsset"},"maximumWidthOfPageContent":"1600px","oneColumnNarrowWidth":"800px","gridGutterWidthMd":"30px","gridGutterWidthXs":"10px","pageWidthStyle":"WIDTH_OF_PAGE_CONTENT","__typename":"BasicsThemeSettings"},"buttons":{"borderRadiusSm":"5px","borderRadius":"5px","borderRadiusLg":"5px","paddingY":"5px","paddingYLg":"7px","paddingYHero":"var(--lia-bs-btn-padding-y-lg)","paddingX":"12px","paddingXLg":"14px","paddingXHero":"42px","fontStyle":"NORMAL","fontWeight":"400","textTransform":"NONE","disabledOpacity":0.5,"primaryTextColor":"var(--lia-bs-white)","primaryTextHoverColor":"var(--lia-bs-white)","primaryTextActiveColor":"var(--lia-bs-white)","primaryBgColor":"var(--lia-bs-primary)","primaryBgHoverColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) * 0.85))","primaryBgActiveColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) * 0.7))","primaryBorder":"1px solid transparent","primaryBorderHover":"1px solid transparent","primaryBorderActive":"1px solid transparent","primaryBorderFocus":"1px solid var(--lia-bs-white)","primaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","secondaryTextColor":"var(--lia-bs-gray-900)","secondaryTextHoverColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.95))","secondaryTextActiveColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.9))","secondaryBgColor":"var(--lia-bs-gray-400)","secondaryBgHoverColor":"hsl(var(--lia-bs-gray-400-h), var(--lia-bs-gray-400-s), calc(var(--lia-bs-gray-400-l) * 0.96))","secondaryBgActiveColor":"hsl(var(--lia-bs-gray-400-h), var(--lia-bs-gray-400-s), calc(var(--lia-bs-gray-400-l) * 0.92))","secondaryBorder":"1px solid transparent","secondaryBorderHover":"1px solid transparent","secondaryBorderActive":"1px solid transparent","secondaryBorderFocus":"1px solid transparent","secondaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","tertiaryTextColor":"var(--lia-bs-gray-900)","tertiaryTextHoverColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.95))","tertiaryTextActiveColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.9))","tertiaryBgColor":"transparent","tertiaryBgHoverColor":"transparent","tertiaryBgActiveColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.04)","tertiaryBorder":"1px solid transparent","tertiaryBorderHover":"1px solid hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","tertiaryBorderActive":"1px solid transparent","tertiaryBorderFocus":"1px solid transparent","tertiaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","destructiveTextColor":"var(--lia-bs-danger)","destructiveTextHoverColor":"hsl(var(--lia-bs-danger-h), var(--lia-bs-danger-s), calc(var(--lia-bs-danger-l) * 0.95))","destructiveTextActiveColor":"hsl(var(--lia-bs-danger-h), var(--lia-bs-danger-s), calc(var(--lia-bs-danger-l) * 0.9))","destructiveBgColor":"var(--lia-bs-gray-300)","destructiveBgHoverColor":"hsl(var(--lia-bs-gray-300-h), var(--lia-bs-gray-300-s), calc(var(--lia-bs-gray-300-l) * 0.96))","destructiveBgActiveColor":"hsl(var(--lia-bs-gray-300-h), var(--lia-bs-gray-300-s), calc(var(--lia-bs-gray-300-l) * 0.92))","destructiveBorder":"1px solid transparent","destructiveBorderHover":"1px solid transparent","destructiveBorderActive":"1px solid transparent","destructiveBorderFocus":"1px solid transparent","destructiveBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","__typename":"ButtonsThemeSettings"},"border":{"color":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","mainContent":"NONE","sideContent":"NONE","radiusSm":"3px","radius":"5px","radiusLg":"9px","radius50":"100vw","__typename":"BorderThemeSettings"},"boxShadow":{"xs":"0 0 0 1px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.08), 0 3px 0 -1px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.08)","sm":"0 2px 4px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.06)","md":"0 5px 15px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.15)","lg":"0 10px 30px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.15)","__typename":"BoxShadowThemeSettings"},"cards":{"bgColor":"var(--lia-panel-bg-color)","borderRadius":"var(--lia-panel-border-radius)","boxShadow":"var(--lia-box-shadow-xs)","__typename":"CardsThemeSettings"},"chip":{"maxWidth":"300px","height":"30px","__typename":"ChipThemeSettings"},"coreTypes":{"defaultMessageLinkColor":"var(--lia-bs-primary)","defaultMessageLinkDecoration":"none","defaultMessageLinkFontStyle":"NORMAL","defaultMessageLinkFontWeight":"400","defaultMessageFontStyle":"NORMAL","defaultMessageFontWeight":"400","defaultMessageFontFamily":"var(--lia-bs-font-family-base)","forumColor":"#0C5C8D","forumFontFamily":"var(--lia-bs-font-family-base)","forumFontWeight":"var(--lia-default-message-font-weight)","forumLineHeight":"var(--lia-bs-line-height-base)","forumFontStyle":"var(--lia-default-message-font-style)","forumMessageLinkColor":"var(--lia-default-message-link-color)","forumMessageLinkDecoration":"var(--lia-default-message-link-decoration)","forumMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","forumMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","forumSolvedColor":"#62C026","blogColor":"#730015","blogFontFamily":"var(--lia-bs-font-family-base)","blogFontWeight":"var(--lia-default-message-font-weight)","blogLineHeight":"1.75","blogFontStyle":"var(--lia-default-message-font-style)","blogMessageLinkColor":"var(--lia-default-message-link-color)","blogMessageLinkDecoration":"var(--lia-default-message-link-decoration)","blogMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","blogMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","tkbColor":"#C20025","tkbFontFamily":"var(--lia-bs-font-family-base)","tkbFontWeight":"var(--lia-default-message-font-weight)","tkbLineHeight":"1.75","tkbFontStyle":"var(--lia-default-message-font-style)","tkbMessageLinkColor":"var(--lia-default-message-link-color)","tkbMessageLinkDecoration":"var(--lia-default-message-link-decoration)","tkbMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","tkbMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","qandaColor":"#4099E2","qandaFontFamily":"var(--lia-bs-font-family-base)","qandaFontWeight":"var(--lia-default-message-font-weight)","qandaLineHeight":"var(--lia-bs-line-height-base)","qandaFontStyle":"var(--lia-default-message-link-font-style)","qandaMessageLinkColor":"var(--lia-default-message-link-color)","qandaMessageLinkDecoration":"var(--lia-default-message-link-decoration)","qandaMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","qandaMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","qandaSolvedColor":"#3FA023","ideaColor":"#F3704B","ideaFontFamily":"var(--lia-bs-font-family-base)","ideaFontWeight":"var(--lia-default-message-font-weight)","ideaLineHeight":"var(--lia-bs-line-height-base)","ideaFontStyle":"var(--lia-default-message-font-style)","ideaMessageLinkColor":"var(--lia-default-message-link-color)","ideaMessageLinkDecoration":"var(--lia-default-message-link-decoration)","ideaMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","ideaMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","contestColor":"#FCC845","contestFontFamily":"var(--lia-bs-font-family-base)","contestFontWeight":"var(--lia-default-message-font-weight)","contestLineHeight":"var(--lia-bs-line-height-base)","contestFontStyle":"var(--lia-default-message-link-font-style)","contestMessageLinkColor":"var(--lia-default-message-link-color)","contestMessageLinkDecoration":"var(--lia-default-message-link-decoration)","contestMessageLinkFontStyle":"ITALIC","contestMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","occasionColor":"#EE4B5B","occasionFontFamily":"var(--lia-bs-font-family-base)","occasionFontWeight":"var(--lia-default-message-font-weight)","occasionLineHeight":"var(--lia-bs-line-height-base)","occasionFontStyle":"var(--lia-default-message-font-style)","occasionMessageLinkColor":"var(--lia-default-message-link-color)","occasionMessageLinkDecoration":"var(--lia-default-message-link-decoration)","occasionMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","occasionMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","grouphubColor":"#491B62","categoryColor":"#949494","communityColor":"#FFFFFF","productColor":"#949494","__typename":"CoreTypesThemeSettings"},"colors":{"black":"#000000","white":"#FFFFFF","gray100":"#F7F7F7","gray200":"#F7F7F7","gray300":"#E8E8E8","gray400":"#D9D9D9","gray500":"#CCCCCC","gray600":"#949494","gray700":"#707070","gray800":"#545454","gray900":"#333333","dark":"#545454","light":"#F7F7F7","primary":"#0C5C8D","secondary":"#333333","bodyText":"#222222","bodyBg":"#F5F5F5","info":"#1D9CD3","success":"#62C026","warning":"#FFD651","danger":"#C20025","alertSystem":"#FF6600","textMuted":"#707070","highlight":"#FFFCAD","outline":"var(--lia-bs-primary)","custom":["#C20025","#081B85","#009639","#B3C6D7","#7CC0EB","#F29A36"],"__typename":"ColorsThemeSettings"},"divider":{"size":"3px","marginLeft":"4px","marginRight":"4px","borderRadius":"50%","bgColor":"var(--lia-bs-gray-600)","bgColorActive":"var(--lia-bs-gray-600)","__typename":"DividerThemeSettings"},"dropdown":{"fontSize":"var(--lia-bs-font-size-sm)","borderColor":"var(--lia-bs-border-color)","borderRadius":"var(--lia-bs-border-radius-sm)","dividerBg":"var(--lia-bs-gray-300)","itemPaddingY":"5px","itemPaddingX":"20px","headerColor":"var(--lia-bs-gray-700)","__typename":"DropdownThemeSettings"},"email":{"link":{"color":"#0069D4","hoverColor":"#0061c2","decoration":"none","hoverDecoration":"underline","__typename":"EmailLinkSettings"},"border":{"color":"#e4e4e4","__typename":"EmailBorderSettings"},"buttons":{"borderRadiusLg":"5px","paddingXLg":"16px","paddingYLg":"7px","fontWeight":"700","primaryTextColor":"#ffffff","primaryTextHoverColor":"#ffffff","primaryBgColor":"#0069D4","primaryBgHoverColor":"#005cb8","primaryBorder":"1px solid transparent","primaryBorderHover":"1px solid transparent","__typename":"EmailButtonsSettings"},"panel":{"borderRadius":"5px","borderColor":"#e4e4e4","__typename":"EmailPanelSettings"},"__typename":"EmailThemeSettings"},"emoji":{"skinToneDefault":"#ffcd43","skinToneLight":"#fae3c5","skinToneMediumLight":"#e2cfa5","skinToneMedium":"#daa478","skinToneMediumDark":"#a78058","skinToneDark":"#5e4d43","__typename":"EmojiThemeSettings"},"heading":{"color":"var(--lia-bs-body-color)","fontFamily":"Inter","fontStyle":"NORMAL","fontWeight":"600","h1FontSize":"30px","h2FontSize":"25px","h3FontSize":"20px","h4FontSize":"18px","h5FontSize":"16px","h6FontSize":"16px","lineHeight":"1.2","subHeaderFontSize":"11px","subHeaderFontWeight":"500","h1LetterSpacing":"normal","h2LetterSpacing":"normal","h3LetterSpacing":"normal","h4LetterSpacing":"normal","h5LetterSpacing":"normal","h6LetterSpacing":"normal","subHeaderLetterSpacing":"2px","h1FontWeight":"var(--lia-bs-headings-font-weight)","h2FontWeight":"var(--lia-bs-headings-font-weight)","h3FontWeight":"var(--lia-bs-headings-font-weight)","h4FontWeight":"var(--lia-bs-headings-font-weight)","h5FontWeight":"var(--lia-bs-headings-font-weight)","h6FontWeight":"var(--lia-bs-headings-font-weight)","__typename":"HeadingThemeSettings"},"icons":{"size10":"10px","size12":"12px","size14":"14px","size16":"16px","size20":"20px","size24":"24px","size30":"30px","size40":"40px","size50":"50px","size60":"60px","size80":"80px","size120":"120px","size160":"160px","__typename":"IconsThemeSettings"},"imagePreview":{"bgColor":"var(--lia-bs-gray-900)","titleColor":"var(--lia-bs-white)","controlColor":"var(--lia-bs-white)","controlBgColor":"var(--lia-bs-gray-800)","__typename":"ImagePreviewThemeSettings"},"input":{"borderColor":"var(--lia-bs-gray-600)","disabledColor":"var(--lia-bs-gray-600)","focusBorderColor":"var(--lia-bs-primary)","labelMarginBottom":"10px","btnFontSize":"var(--lia-bs-font-size-sm)","focusBoxShadow":"0 0 0 3px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","checkLabelMarginBottom":"2px","checkboxBorderRadius":"3px","borderRadiusSm":"var(--lia-bs-border-radius-sm)","borderRadius":"var(--lia-bs-border-radius)","borderRadiusLg":"var(--lia-bs-border-radius-lg)","formTextMarginTop":"4px","textAreaBorderRadius":"var(--lia-bs-border-radius)","activeFillColor":"var(--lia-bs-primary)","__typename":"InputThemeSettings"},"loading":{"dotDarkColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.2)","dotLightColor":"hsla(var(--lia-bs-white-h), var(--lia-bs-white-s), var(--lia-bs-white-l), 0.5)","barDarkColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.06)","barLightColor":"hsla(var(--lia-bs-white-h), var(--lia-bs-white-s), var(--lia-bs-white-l), 0.4)","__typename":"LoadingThemeSettings"},"link":{"color":"var(--lia-bs-primary)","hoverColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) - 10%))","decoration":"none","hoverDecoration":"underline","__typename":"LinkThemeSettings"},"listGroup":{"itemPaddingY":"15px","itemPaddingX":"15px","borderColor":"var(--lia-bs-gray-300)","__typename":"ListGroupThemeSettings"},"modal":{"contentTextColor":"var(--lia-bs-body-color)","contentBg":"var(--lia-bs-white)","backgroundBg":"var(--lia-bs-black)","smSize":"440px","mdSize":"760px","lgSize":"1080px","backdropOpacity":0.3,"contentBoxShadowXs":"var(--lia-bs-box-shadow-sm)","contentBoxShadow":"var(--lia-bs-box-shadow)","headerFontWeight":"700","__typename":"ModalThemeSettings"},"navbar":{"position":"FIXED","background":{"attachment":null,"clip":null,"color":"var(--lia-bs-white)","imageAssetName":null,"imageLastModified":"0","origin":null,"position":"CENTER_CENTER","repeat":"NO_REPEAT","size":"COVER","__typename":"BackgroundProps"},"backgroundOpacity":0.8,"paddingTop":"15px","paddingBottom":"15px","borderBottom":"1px solid var(--lia-bs-border-color)","boxShadow":"var(--lia-bs-box-shadow-sm)","brandMarginRight":"30px","brandMarginRightSm":"10px","brandLogoHeight":"30px","linkGap":"10px","linkJustifyContent":"flex-start","linkPaddingY":"5px","linkPaddingX":"10px","linkDropdownPaddingY":"9px","linkDropdownPaddingX":"var(--lia-nav-link-px)","linkColor":"var(--lia-bs-body-color)","linkHoverColor":"var(--lia-bs-primary)","linkFontSize":"var(--lia-bs-font-size-sm)","linkFontStyle":"NORMAL","linkFontWeight":"400","linkTextTransform":"NONE","linkLetterSpacing":"normal","linkBorderRadius":"var(--lia-bs-border-radius-sm)","linkBgColor":"transparent","linkBgHoverColor":"transparent","linkBorder":"none","linkBorderHover":"none","linkBoxShadow":"none","linkBoxShadowHover":"none","linkTextBorderBottom":"none","linkTextBorderBottomHover":"none","dropdownPaddingTop":"10px","dropdownPaddingBottom":"15px","dropdownPaddingX":"10px","dropdownMenuOffset":"2px","dropdownDividerMarginTop":"10px","dropdownDividerMarginBottom":"10px","dropdownBorderColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","controllerBgHoverColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.1)","controllerIconColor":"var(--lia-bs-body-color)","controllerIconHoverColor":"var(--lia-bs-body-color)","controllerTextColor":"var(--lia-nav-controller-icon-color)","controllerTextHoverColor":"var(--lia-nav-controller-icon-hover-color)","controllerHighlightColor":"hsla(30, 100%, 50%)","controllerHighlightTextColor":"var(--lia-yiq-light)","controllerBorderRadius":"var(--lia-border-radius-50)","hamburgerColor":"var(--lia-nav-controller-icon-color)","hamburgerHoverColor":"var(--lia-nav-controller-icon-color)","hamburgerBgColor":"transparent","hamburgerBgHoverColor":"transparent","hamburgerBorder":"none","hamburgerBorderHover":"none","collapseMenuMarginLeft":"20px","collapseMenuDividerBg":"var(--lia-nav-link-color)","collapseMenuDividerOpacity":0.16,"__typename":"NavbarThemeSettings"},"pager":{"textColor":"var(--lia-bs-link-color)","textFontWeight":"var(--lia-font-weight-md)","textFontSize":"var(--lia-bs-font-size-sm)","__typename":"PagerThemeSettings"},"panel":{"bgColor":"var(--lia-bs-white)","borderRadius":"var(--lia-bs-border-radius)","borderColor":"var(--lia-bs-border-color)","boxShadow":"none","__typename":"PanelThemeSettings"},"popover":{"arrowHeight":"8px","arrowWidth":"16px","maxWidth":"300px","minWidth":"100px","headerBg":"var(--lia-bs-white)","borderColor":"var(--lia-bs-border-color)","borderRadius":"var(--lia-bs-border-radius)","boxShadow":"0 0.5rem 1rem hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.15)","__typename":"PopoverThemeSettings"},"prism":{"color":"#000000","bgColor":"#f5f2f0","fontFamily":"var(--font-family-monospace)","fontSize":"var(--lia-bs-font-size-base)","fontWeightBold":"var(--lia-bs-font-weight-bold)","fontStyleItalic":"italic","tabSize":2,"highlightColor":"#b3d4fc","commentColor":"#62707e","punctuationColor":"#6f6f6f","namespaceOpacity":"0.7","propColor":"#990055","selectorColor":"#517a00","operatorColor":"#906736","operatorBgColor":"hsla(0, 0%, 100%, 0.5)","keywordColor":"#0076a9","functionColor":"#d3284b","variableColor":"#c14700","__typename":"PrismThemeSettings"},"rte":{"bgColor":"var(--lia-bs-white)","borderRadius":"var(--lia-panel-border-radius)","boxShadow":" var(--lia-panel-box-shadow)","customColor1":"#bfedd2","customColor2":"#fbeeb8","customColor3":"#f8cac6","customColor4":"#eccafa","customColor5":"#c2e0f4","customColor6":"#2dc26b","customColor7":"#f1c40f","customColor8":"#e03e2d","customColor9":"#b96ad9","customColor10":"#3598db","customColor11":"#169179","customColor12":"#e67e23","customColor13":"#ba372a","customColor14":"#843fa1","customColor15":"#236fa1","customColor16":"#ecf0f1","customColor17":"#ced4d9","customColor18":"#95a5a6","customColor19":"#7e8c8d","customColor20":"#34495e","customColor21":"#000000","customColor22":"#ffffff","defaultMessageHeaderMarginTop":"14px","defaultMessageHeaderMarginBottom":"10px","defaultMessageItemMarginTop":"0","defaultMessageItemMarginBottom":"10px","diffAddedColor":"hsla(170, 53%, 51%, 0.4)","diffChangedColor":"hsla(43, 97%, 63%, 0.4)","diffNoneColor":"hsla(0, 0%, 80%, 0.4)","diffRemovedColor":"hsla(9, 74%, 47%, 0.4)","specialMessageHeaderMarginTop":"14px","specialMessageHeaderMarginBottom":"10px","specialMessageItemMarginTop":"0","specialMessageItemMarginBottom":"10px","__typename":"RteThemeSettings"},"tags":{"bgColor":"var(--lia-bs-gray-200)","bgHoverColor":"var(--lia-bs-gray-400)","borderRadius":"var(--lia-bs-border-radius-sm)","color":"var(--lia-bs-body-color)","hoverColor":"var(--lia-bs-body-color)","fontWeight":"var(--lia-font-weight-md)","fontSize":"var(--lia-font-size-xxs)","textTransform":"UPPERCASE","letterSpacing":"0.5px","__typename":"TagsThemeSettings"},"toasts":{"borderRadius":"var(--lia-bs-border-radius)","paddingX":"12px","__typename":"ToastsThemeSettings"},"typography":{"fontFamilyBase":"Atkinson Hyperlegible","fontStyleBase":"NORMAL","fontWeightBase":"400","fontWeightLight":"300","fontWeightNormal":"400","fontWeightMd":"500","fontWeightBold":"700","letterSpacingSm":"normal","letterSpacingXs":"normal","lineHeightBase":"1.3","fontSizeBase":"15px","fontSizeXxs":"11px","fontSizeXs":"12px","fontSizeSm":"13px","fontSizeLg":"20px","fontSizeXl":"24px","smallFontSize":"14px","customFonts":[],"__typename":"TypographyThemeSettings"},"unstyledListItem":{"marginBottomSm":"5px","marginBottomMd":"10px","marginBottomLg":"15px","marginBottomXl":"20px","marginBottomXxl":"25px","__typename":"UnstyledListItemThemeSettings"},"yiq":{"light":"#ffffff","dark":"#000000","__typename":"YiqThemeSettings"},"colorLightness":{"primaryDark":0.36,"primaryLight":0.74,"primaryLighter":0.89,"primaryLightest":0.95,"infoDark":0.39,"infoLight":0.72,"infoLighter":0.85,"infoLightest":0.93,"successDark":0.24,"successLight":0.62,"successLighter":0.8,"successLightest":0.91,"warningDark":0.39,"warningLight":0.68,"warningLighter":0.84,"warningLightest":0.93,"dangerDark":0.41,"dangerLight":0.72,"dangerLighter":0.89,"dangerLightest":0.95,"__typename":"ColorLightnessThemeSettings"},"localOverride":false,"__typename":"Theme"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/Loading/LoadingDot-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/Loading/LoadingDot-1744046271000","value":{"title":"Loading..."},"localOverride":false},"CachedAsset:quilt:f5.prod:pages/kbs/TkbMessagePage:board:codeshare-1745486309711":{"__typename":"CachedAsset","id":"quilt:f5.prod:pages/kbs/TkbMessagePage:board:codeshare-1745486309711","value":{"id":"TkbMessagePage","container":{"id":"Common","headerProps":{"backgroundImageProps":null,"backgroundColor":null,"addComponents":null,"removeComponents":["community.widget.bannerWidget"],"componentOrder":null,"__typename":"QuiltContainerSectionProps"},"headerComponentProps":{"community.widget.breadcrumbWidget":{"disableLastCrumbForDesktop":false}},"footerProps":null,"footerComponentProps":null,"items":[{"id":"message-list","layout":"MAIN_SIDE","bgColor":"transparent","showTitle":true,"showDescription":true,"textPosition":"CENTER","textColor":"var(--lia-bs-body-color)","sectionEditLevel":null,"bgImage":null,"disableSpacing":null,"edgeToEdgeDisplay":null,"fullHeight":null,"showBorder":null,"__typename":"MainSideQuiltSection","columnMap":{"main":[{"id":"tkbs.widget.tkbArticleWidget","className":"lia-tkb-container","props":{"contributorListType":"panel","showHelpfulness":false,"showTimestamp":true,"showGuideNavigationSection":true,"showVersion":true,"lazyLoad":false,"editLevel":"CONFIGURE"},"__typename":"QuiltComponent"}],"side":[{"id":"featuredWidgets.widget.featuredContentWidget","className":null,"props":{"instanceId":"featuredWidgets.widget.featuredContentWidget-1702666556326","layoutProps":{"layout":"card","layoutOptions":{"useRepliesCount":false,"useAuthorRank":false,"useTimeToRead":true,"useKudosCount":false,"useViewCount":true,"usePreviewMedia":true,"useBody":false,"useCenteredCardContent":false,"useTags":true,"useTimestamp":false,"useBoardLink":true,"useAuthorLink":false,"useSolvedBadge":true}},"titleSrOnly":false,"showPager":true,"pageSize":3,"lazyLoad":true},"__typename":"QuiltComponent"},{"id":"messages.widget.relatedContentWidget","className":null,"props":{"hideIfEmpty":true,"enablePagination":true,"useTitle":true,"listVariant":{"type":"listGroup"},"pageSize":3,"style":"list","pagerVariant":{"type":"loadMore"},"viewVariant":{"type":"inline","props":{"useRepliesCount":true,"useMedia":true,"useAuthorRank":false,"useNode":true,"useTimeToRead":true,"useSpoilerFreeBody":true,"useKudosCount":true,"useNodeLink":true,"useViewCount":true,"usePreviewMedia":false,"useBody":false,"timeStampType":"postTime","useTags":true,"clampSubjectLines":2,"useBoardIcon":false,"useMessageTimeLink":true,"clampBodyLines":3,"useTextBody":true,"useSolvedBadge":true,"useAvatar":true,"useAuthorLogin":true,"useUnreadCount":true}},"lazyLoad":true,"panelType":"divider"},"__typename":"QuiltComponent"}],"__typename":"MainSideSectionColumns"}}],"__typename":"QuiltContainer"},"__typename":"Quilt","localOverride":false},"localOverride":false},"CachedAsset:text:en_US-components/common/EmailVerification-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-components/common/EmailVerification-1744046271000","value":{"email.verification.title":"Email Verification Required","email.verification.message.update.email":"To participate in the community, you must first verify your email address. The verification email was sent to {email}. To change your email, visit My Settings.","email.verification.message.resend.email":"To participate in the community, you must first verify your email address. The verification email was sent to {email}. Resend email."},"localOverride":false},"CachedAsset:text:en_US-pages/kbs/TkbMessagePage-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-pages/kbs/TkbMessagePage-1744046271000","value":{"title":"{contextMessageSubject} | {communityTitle}","errorMissing":"This article cannot be found","name":"TKB Message Page","section.message-list.title":"","archivedMessageTitle":"This Content Has Been Archived","section.erPqcf.title":"","section.erPqcf.description":"","section.message-list.description":""},"localOverride":false},"CachedAsset:text:en_US-components/common/ActionFeedback-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-components/common/ActionFeedback-1744046271000","value":{"joinedGroupHub.title":"Welcome","joinedGroupHub.message":"You are now a member of this group and are subscribed to updates.","groupHubInviteNotFound.title":"Invitation Not Found","groupHubInviteNotFound.message":"Sorry, we could not find your invitation to the group. The owner may have canceled the invite.","groupHubNotFound.title":"Group Not Found","groupHubNotFound.message":"The grouphub you tried to join does not exist. It may have been deleted.","existingGroupHubMember.title":"Already Joined","existingGroupHubMember.message":"You are already a member of this group.","accountLocked.title":"Account Locked","accountLocked.message":"Your account has been locked due to multiple failed attempts. Try again in {lockoutTime} minutes.","editedGroupHub.title":"Changes Saved","editedGroupHub.message":"Your group has been updated.","leftGroupHub.title":"Goodbye","leftGroupHub.message":"You are no longer a member of this group and will not receive future updates.","deletedGroupHub.title":"Deleted","deletedGroupHub.message":"The group has been deleted.","groupHubCreated.title":"Group Created","groupHubCreated.message":"{groupHubName} is ready to use","accountClosed.title":"Account Closed","accountClosed.message":"The account has been closed and you will now be redirected to the homepage","resetTokenExpired.title":"Reset Password Link has Expired","resetTokenExpired.message":"Try resetting your password again","invalidUrl.title":"Invalid URL","invalidUrl.message":"The URL you're using is not recognized. Verify your URL and try again.","accountClosedForUser.title":"Account Closed","accountClosedForUser.message":"{userName}'s account is closed","inviteTokenInvalid.title":"Invitation Invalid","inviteTokenInvalid.message":"Your invitation to the community has been canceled or expired.","inviteTokenError.title":"Invitation Verification Failed","inviteTokenError.message":"The url you are utilizing is not recognized. Verify your URL and try again","pageNotFound.title":"Access Denied","pageNotFound.message":"You do not have access to this area of the community or it doesn't exist","eventAttending.title":"Responded as Attending","eventAttending.message":"You'll be notified when there's new activity and reminded as the event approaches","eventInterested.title":"Responded as Interested","eventInterested.message":"You'll be notified when there's new activity and reminded as the event approaches","eventNotFound.title":"Event Not Found","eventNotFound.message":"The event you tried to respond to does not exist.","redirectToRelatedPage.title":"Showing Related Content","redirectToRelatedPageForBaseUsers.title":"Showing Related Content","redirectToRelatedPageForBaseUsers.message":"The content you are trying to access is archived","redirectToRelatedPage.message":"The content you are trying to access is archived","relatedUrl.archivalLink.flyoutMessage":"The content you are trying to access is archived View Archived Content"},"localOverride":false},"CachedAsset:quiltWrapper:f5.prod:Common:1745486251318":{"__typename":"CachedAsset","id":"quiltWrapper:f5.prod:Common:1745486251318","value":{"id":"Common","header":{"backgroundImageProps":{"assetName":"header.jpg","backgroundSize":"COVER","backgroundRepeat":"NO_REPEAT","backgroundPosition":"LEFT_CENTER","lastModified":"1702932449000","__typename":"BackgroundImageProps"},"backgroundColor":"transparent","items":[{"id":"custom.widget.GainsightShared","props":{"widgetVisibility":"signedInOnly","useTitle":true,"useBackground":false,"title":"","lazyLoad":false},"__typename":"QuiltComponent"},{"id":"custom.widget.Beta_MetaNav","props":{"widgetVisibility":"signedInOrAnonymous","useTitle":true,"useBackground":false,"title":"","lazyLoad":false},"__typename":"QuiltComponent"},{"id":"community.widget.navbarWidget","props":{"showUserName":false,"showRegisterLink":true,"style":{"boxShadow":"var(--lia-bs-box-shadow-sm)","linkFontWeight":"700","controllerHighlightColor":"hsla(30, 100%, 50%)","dropdownDividerMarginBottom":"10px","hamburgerBorderHover":"none","linkFontSize":"15px","linkBoxShadowHover":"none","backgroundOpacity":0.4,"controllerBorderRadius":"var(--lia-border-radius-50)","hamburgerBgColor":"transparent","linkTextBorderBottom":"none","hamburgerColor":"var(--lia-nav-controller-icon-color)","brandLogoHeight":"48px","linkLetterSpacing":"normal","linkBgHoverColor":"transparent","collapseMenuDividerOpacity":0.16,"paddingBottom":"10px","dropdownPaddingBottom":"15px","dropdownMenuOffset":"2px","hamburgerBgHoverColor":"transparent","borderBottom":"0","hamburgerBorder":"none","dropdownPaddingX":"10px","brandMarginRightSm":"10px","linkBoxShadow":"none","linkJustifyContent":"center","linkColor":"var(--lia-bs-primary)","collapseMenuDividerBg":"var(--lia-nav-link-color)","dropdownPaddingTop":"10px","controllerHighlightTextColor":"var(--lia-yiq-dark)","background":{"imageAssetName":"","color":"var(--lia-bs-white)","size":"COVER","repeat":"NO_REPEAT","position":"CENTER_CENTER","imageLastModified":""},"linkBorderRadius":"var(--lia-bs-border-radius-sm)","linkHoverColor":"var(--lia-bs-primary)","position":"FIXED","linkBorder":"none","linkTextBorderBottomHover":"2px solid #0C5C8D","brandMarginRight":"30px","hamburgerHoverColor":"var(--lia-nav-controller-icon-color)","linkBorderHover":"none","collapseMenuMarginLeft":"20px","linkFontStyle":"NORMAL","linkPaddingX":"10px","paddingTop":"10px","linkPaddingY":"5px","linkTextTransform":"NONE","dropdownBorderColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","controllerBgHoverColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.1)","linkDropdownPaddingX":"var(--lia-nav-link-px)","linkBgColor":"transparent","linkDropdownPaddingY":"9px","controllerIconColor":"#0C5C8D","dropdownDividerMarginTop":"10px","linkGap":"10px","controllerIconHoverColor":"#0C5C8D"},"links":{"sideLinks":[],"mainLinks":[{"children":[{"linkType":"INTERNAL","id":"migrated-link-1","params":{"boardId":"TechnicalForum","categoryId":"Forums"},"routeName":"ForumBoardPage"},{"linkType":"INTERNAL","id":"migrated-link-2","params":{"boardId":"WaterCooler","categoryId":"Forums"},"routeName":"ForumBoardPage"}],"linkType":"INTERNAL","id":"migrated-link-0","params":{"categoryId":"Forums"},"routeName":"CategoryPage"},{"children":[{"linkType":"INTERNAL","id":"migrated-link-4","params":{"boardId":"codeshare","categoryId":"CrowdSRC"},"routeName":"TkbBoardPage"},{"linkType":"INTERNAL","id":"migrated-link-5","params":{"boardId":"communityarticles","categoryId":"CrowdSRC"},"routeName":"TkbBoardPage"}],"linkType":"INTERNAL","id":"migrated-link-3","params":{"categoryId":"CrowdSRC"},"routeName":"CategoryPage"},{"children":[{"linkType":"INTERNAL","id":"migrated-link-7","params":{"boardId":"TechnicalArticles","categoryId":"Articles"},"routeName":"TkbBoardPage"},{"linkType":"INTERNAL","id":"article-series","params":{"boardId":"article-series","categoryId":"Articles"},"routeName":"TkbBoardPage"},{"linkType":"INTERNAL","id":"security-insights","params":{"boardId":"security-insights","categoryId":"Articles"},"routeName":"TkbBoardPage"},{"linkType":"INTERNAL","id":"migrated-link-8","params":{"boardId":"DevCentralNews","categoryId":"Articles"},"routeName":"TkbBoardPage"}],"linkType":"INTERNAL","id":"migrated-link-6","params":{"categoryId":"Articles"},"routeName":"CategoryPage"},{"children":[{"linkType":"INTERNAL","id":"migrated-link-10","params":{"categoryId":"CommunityGroups"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"migrated-link-11","params":{"categoryId":"F5-Groups"},"routeName":"CategoryPage"}],"linkType":"INTERNAL","id":"migrated-link-9","params":{"categoryId":"GroupsCategory"},"routeName":"CategoryPage"},{"children":[],"linkType":"INTERNAL","id":"migrated-link-12","params":{"boardId":"Events","categoryId":"top"},"routeName":"EventBoardPage"},{"children":[],"linkType":"INTERNAL","id":"migrated-link-13","params":{"boardId":"Suggestions","categoryId":"top"},"routeName":"IdeaBoardPage"},{"children":[],"linkType":"EXTERNAL","id":"Common-external-link","url":"https://community.f5.com/c/how-do-i","target":"SELF"}]},"className":"QuiltComponent_lia-component-edit-mode__lQ9Z6","showSearchIcon":false},"__typename":"QuiltComponent"},{"id":"community.widget.bannerWidget","props":{"backgroundColor":"transparent","visualEffects":{"showBottomBorder":false},"backgroundImageProps":{"backgroundSize":"COVER","backgroundPosition":"CENTER_CENTER","backgroundRepeat":"NO_REPEAT"},"fontColor":"#222222"},"__typename":"QuiltComponent"},{"id":"community.widget.breadcrumbWidget","props":{"backgroundColor":"var(--lia-bs-primary)","linkHighlightColor":"#FFFFFF","visualEffects":{"showBottomBorder":false},"backgroundOpacity":60,"linkTextColor":"#FFFFFF"},"__typename":"QuiltComponent"}],"__typename":"QuiltWrapperSection"},"footer":{"backgroundImageProps":{"assetName":null,"backgroundSize":"COVER","backgroundRepeat":"NO_REPEAT","backgroundPosition":"CENTER_CENTER","lastModified":null,"__typename":"BackgroundImageProps"},"backgroundColor":"var(--lia-bs-body-color)","items":[{"id":"custom.widget.Beta_Footer","props":{"widgetVisibility":"signedInOrAnonymous","useTitle":true,"useBackground":false,"title":"","lazyLoad":false},"__typename":"QuiltComponent"},{"id":"custom.widget.Tag_Manager_Helper","props":{"widgetVisibility":"signedInOrAnonymous","useTitle":true,"useBackground":false,"title":"","lazyLoad":false},"__typename":"QuiltComponent"},{"id":"custom.widget.Consent_Blackbar","props":{"widgetVisibility":"signedInOrAnonymous","useTitle":true,"useBackground":false,"title":"","lazyLoad":false},"__typename":"QuiltComponent"}],"__typename":"QuiltWrapperSection"},"__typename":"QuiltWrapper","localOverride":false},"localOverride":false},"CachedAsset:component:custom.widget.GainsightShared-en-us-1745486333270":{"__typename":"CachedAsset","id":"component:custom.widget.GainsightShared-en-us-1745486333270","value":{"component":{"id":"custom.widget.GainsightShared","template":{"id":"GainsightShared","markupLanguage":"HTML","style":null,"texts":{},"defaults":{"config":{"applicablePages":[],"description":"Shared functions for Gainsight integration","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"components":[{"id":"custom.widget.GainsightShared","form":null,"config":null,"props":[],"__typename":"Component"}],"grouping":"TEXTHTML","__typename":"ComponentTemplate"},"properties":{"config":{"applicablePages":[],"description":"Shared functions for Gainsight integration","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":null,"form":null},"localOverride":false},"CachedAsset:component:custom.widget.Beta_MetaNav-en-us-1745486333270":{"__typename":"CachedAsset","id":"component:custom.widget.Beta_MetaNav-en-us-1745486333270","value":{"component":{"id":"custom.widget.Beta_MetaNav","template":{"id":"Beta_MetaNav","markupLanguage":"HANDLEBARS","style":null,"texts":{},"defaults":{"config":{"applicablePages":[],"description":"MetaNav menu at the top of every page.","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"components":[{"id":"custom.widget.Beta_MetaNav","form":null,"config":null,"props":[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":{"applicablePages":[],"description":"MetaNav menu at the top of every page.","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":null,"form":null},"localOverride":false},"CachedAsset:component:custom.widget.Beta_Footer-en-us-1745486333270":{"__typename":"CachedAsset","id":"component:custom.widget.Beta_Footer-en-us-1745486333270","value":{"component":{"id":"custom.widget.Beta_Footer","template":{"id":"Beta_Footer","markupLanguage":"HANDLEBARS","style":null,"texts":{},"defaults":{"config":{"applicablePages":[],"description":"DevCentral´s custom footer.","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"components":[{"id":"custom.widget.Beta_Footer","form":null,"config":null,"props":[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":{"applicablePages":[],"description":"DevCentral´s custom footer.","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":null,"form":null},"localOverride":false},"CachedAsset:component:custom.widget.Tag_Manager_Helper-en-us-1745486333270":{"__typename":"CachedAsset","id":"component:custom.widget.Tag_Manager_Helper-en-us-1745486333270","value":{"component":{"id":"custom.widget.Tag_Manager_Helper","template":{"id":"Tag_Manager_Helper","markupLanguage":"HANDLEBARS","style":null,"texts":{},"defaults":{"config":{"applicablePages":[],"description":"Helper widget to inject Tag Manager scripts into head element","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"components":[{"id":"custom.widget.Tag_Manager_Helper","form":null,"config":null,"props":[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":{"applicablePages":[],"description":"Helper widget to inject Tag Manager scripts into head element","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":null,"form":null},"localOverride":false},"CachedAsset:component:custom.widget.Consent_Blackbar-en-us-1745486333270":{"__typename":"CachedAsset","id":"component:custom.widget.Consent_Blackbar-en-us-1745486333270","value":{"component":{"id":"custom.widget.Consent_Blackbar","template":{"id":"Consent_Blackbar","markupLanguage":"HTML","style":null,"texts":{},"defaults":{"config":{"applicablePages":[],"description":"","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"components":[{"id":"custom.widget.Consent_Blackbar","form":null,"config":null,"props":[],"__typename":"Component"}],"grouping":"TEXTHTML","__typename":"ComponentTemplate"},"properties":{"config":{"applicablePages":[],"description":"","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":null,"form":null},"localOverride":false},"CachedAsset:text:en_US-components/community/Breadcrumb-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-components/community/Breadcrumb-1744046271000","value":{"navLabel":"Breadcrumbs","dropdown":"Additional parent page navigation"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageBanner-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageBanner-1744046271000","value":{"messageMarkedAsSpam":"This post has been marked as spam","messageMarkedAsSpam@board:TKB":"This article has been marked as spam","messageMarkedAsSpam@board:BLOG":"This post has been marked as spam","messageMarkedAsSpam@board:FORUM":"This discussion has been marked as spam","messageMarkedAsSpam@board:OCCASION":"This event has been marked as spam","messageMarkedAsSpam@board:IDEA":"This idea has been marked as spam","manageSpam":"Manage Spam","messageMarkedAsAbuse":"This post has been marked as abuse","messageMarkedAsAbuse@board:TKB":"This article has been marked as abuse","messageMarkedAsAbuse@board:BLOG":"This post has been marked as abuse","messageMarkedAsAbuse@board:FORUM":"This discussion has been marked as abuse","messageMarkedAsAbuse@board:OCCASION":"This event has been marked as abuse","messageMarkedAsAbuse@board:IDEA":"This idea has been marked as abuse","preModCommentAuthorText":"This comment will be published as soon as it is approved","preModCommentModeratorText":"This comment is awaiting moderation","messageMarkedAsOther":"This post has been rejected due to other reasons","messageMarkedAsOther@board:TKB":"This article has been rejected due to other reasons","messageMarkedAsOther@board:BLOG":"This post has been rejected due to other reasons","messageMarkedAsOther@board:FORUM":"This discussion has been rejected due to other reasons","messageMarkedAsOther@board:OCCASION":"This event has been rejected due to other reasons","messageMarkedAsOther@board:IDEA":"This idea has been rejected due to other reasons","messageArchived":"This post was archived on {date}","relatedUrl":"View Related Content","relatedContentText":"Showing related content","archivedContentLink":"View Archived Content"},"localOverride":false},"CachedAsset:text:en_US-components/tkbs/TkbArticleWidget-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-components/tkbs/TkbArticleWidget-1744046271000","value":{},"localOverride":false},"Category:category:Forums":{"__typename":"Category","id":"category:Forums","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Forum:board:TechnicalForum":{"__typename":"Forum","id":"board:TechnicalForum","forumPolicies":{"__typename":"ForumPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"boardPolicies":{"__typename":"BoardPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Forum:board:WaterCooler":{"__typename":"Forum","id":"board:WaterCooler","forumPolicies":{"__typename":"ForumPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"boardPolicies":{"__typename":"BoardPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Articles":{"__typename":"Category","id":"category:Articles","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Tkb:board:TechnicalArticles":{"__typename":"Tkb","id":"board:TechnicalArticles","tkbPolicies":{"__typename":"TkbPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"boardPolicies":{"__typename":"BoardPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Tkb:board:DevCentralNews":{"__typename":"Tkb","id":"board:DevCentralNews","tkbPolicies":{"__typename":"TkbPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"boardPolicies":{"__typename":"BoardPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:GroupsCategory":{"__typename":"Category","id":"category:GroupsCategory","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:F5-Groups":{"__typename":"Category","id":"category:F5-Groups","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:CommunityGroups":{"__typename":"Category","id":"category:CommunityGroups","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Occasion:board:Events":{"__typename":"Occasion","id":"board:Events","boardPolicies":{"__typename":"BoardPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"occasionPolicies":{"__typename":"OccasionPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Idea:board:Suggestions":{"__typename":"Idea","id":"board:Suggestions","boardPolicies":{"__typename":"BoardPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"ideaPolicies":{"__typename":"IdeaPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Tkb:board:communityarticles":{"__typename":"Tkb","id":"board:communityarticles","tkbPolicies":{"__typename":"TkbPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"boardPolicies":{"__typename":"BoardPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Tkb:board:security-insights":{"__typename":"Tkb","id":"board:security-insights","tkbPolicies":{"__typename":"TkbPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"boardPolicies":{"__typename":"BoardPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Tkb:board:article-series":{"__typename":"Tkb","id":"board:article-series","tkbPolicies":{"__typename":"TkbPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"boardPolicies":{"__typename":"BoardPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"QueryVariables:TopicReplyList:message:284211:1":{"__typename":"QueryVariables","id":"TopicReplyList:message:284211:1","value":{"id":"message:284211","first":10,"sorts":{"postTime":{"direction":"ASC"}},"repliesFirst":3,"repliesFirstDepthThree":1,"repliesSorts":{"postTime":{"direction":"ASC"}},"useAvatar":true,"useAuthorLogin":true,"useAuthorRank":true,"useBody":true,"useKudosCount":true,"useTimeToRead":false,"useMedia":false,"useReadOnlyIcon":false,"useRepliesCount":true,"useSearchSnippet":false,"useAcceptedSolutionButton":false,"useSolvedBadge":false,"useAttachments":false,"attachmentsFirst":5,"useTags":true,"useNodeAncestors":false,"useUserHoverCard":false,"useNodeHoverCard":false,"useModerationStatus":true,"usePreviewSubjectModal":false,"useMessageStatus":true}},"ROOT_MUTATION":{"__typename":"Mutation"},"CachedAsset:text:en_US-components/community/Navbar-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-components/community/Navbar-1744046271000","value":{"community":"Community Home","inbox":"Inbox","manageContent":"Manage Content","tos":"Terms of Service","forgotPassword":"Forgot Password","themeEditor":"Theme Editor","edit":"Edit Navigation Bar","skipContent":"Skip to content","migrated-link-9":"Groups","migrated-link-7":"Technical Articles","migrated-link-8":"DevCentral News","migrated-link-1":"Technical Forum","migrated-link-10":"Community Groups","migrated-link-2":"Water Cooler","migrated-link-11":"F5 Groups","Common-external-link":"How Do I...?","migrated-link-0":"Forums","article-series":"Article Series","migrated-link-5":"Community Articles","migrated-link-6":"Articles","security-insights":"Security Insights","migrated-link-3":"CrowdSRC","migrated-link-4":"CodeShare","migrated-link-12":"Events","migrated-link-13":"Suggestions"},"localOverride":false},"CachedAsset:text:en_US-components/community/NavbarHamburgerDropdown-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-components/community/NavbarHamburgerDropdown-1744046271000","value":{"hamburgerLabel":"Side Menu"},"localOverride":false},"CachedAsset:text:en_US-components/community/BrandLogo-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-components/community/BrandLogo-1744046271000","value":{"logoAlt":"Khoros","themeLogoAlt":"Brand Logo"},"localOverride":false},"CachedAsset:text:en_US-components/community/NavbarTextLinks-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-components/community/NavbarTextLinks-1744046271000","value":{"more":"More"},"localOverride":false},"CachedAsset:text:en_US-components/authentication/AuthenticationLink-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-components/authentication/AuthenticationLink-1744046271000","value":{"title.login":"Sign In","title.registration":"Register","title.forgotPassword":"Forgot Password","title.multiAuthLogin":"Sign In"},"localOverride":false},"CachedAsset:text:en_US-components/nodes/NodeLink-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-components/nodes/NodeLink-1744046271000","value":{"place":"Place {name}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageView/MessageViewStandard-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageView/MessageViewStandard-1744046271000","value":{"anonymous":"Anonymous","author":"{messageAuthorLogin}","authorBy":"{messageAuthorLogin}","board":"{messageBoardTitle}","replyToUser":" to {parentAuthor}","showMoreReplies":"Show More","replyText":"Reply","repliesText":"Replies","markedAsSolved":"Marked as Solution","movedMessagePlaceholder.BLOG":"{count, plural, =0 {This comment has been} other {These comments have been} }","movedMessagePlaceholder.TKB":"{count, plural, =0 {This comment has been} other {These comments have been} }","movedMessagePlaceholder.FORUM":"{count, plural, =0 {This reply has been} other {These replies have been} }","movedMessagePlaceholder.IDEA":"{count, plural, =0 {This comment has been} other {These comments have been} }","movedMessagePlaceholder.OCCASION":"{count, plural, =0 {This comment has been} other {These comments have been} }","movedMessagePlaceholderUrlText":"moved.","messageStatus":"Status: ","statusChanged":"Status changed: {previousStatus} to {currentStatus}","statusAdded":"Status added: {status}","statusRemoved":"Status removed: {status}","labelExpand":"expand replies","labelCollapse":"collapse replies","unhelpfulReason.reason1":"Content is outdated","unhelpfulReason.reason2":"Article is missing information","unhelpfulReason.reason3":"Content is for a different Product","unhelpfulReason.reason4":"Doesn't match what I was searching for"},"localOverride":false},"CachedAsset:text:en_US-components/messages/ThreadedReplyList-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/ThreadedReplyList-1744046271000","value":{"title":"{count, plural, one{# Reply} other{# Replies}}","title@board:BLOG":"{count, plural, one{# Comment} other{# Comments}}","title@board:TKB":"{count, plural, one{# Comment} other{# Comments}}","title@board:IDEA":"{count, plural, one{# Comment} other{# Comments}}","title@board:OCCASION":"{count, plural, one{# Comment} other{# Comments}}","noRepliesTitle":"No Replies","noRepliesTitle@board:BLOG":"No Comments","noRepliesTitle@board:TKB":"No Comments","noRepliesTitle@board:IDEA":"No Comments","noRepliesTitle@board:OCCASION":"No Comments","noRepliesDescription":"Be the first to reply","noRepliesDescription@board:BLOG":"Be the first to comment","noRepliesDescription@board:TKB":"Be the first to comment","noRepliesDescription@board:IDEA":"Be the first to comment","noRepliesDescription@board:OCCASION":"Be the first to comment","messageReadOnlyAlert:BLOG":"Comments have been turned off for this post","messageReadOnlyAlert:TKB":"Comments have been turned off for this article","messageReadOnlyAlert:IDEA":"Comments have been turned off for this idea","messageReadOnlyAlert:FORUM":"Replies have been turned off for this discussion","messageReadOnlyAlert:OCCASION":"Comments have been turned off for this event"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageReplyCallToAction-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageReplyCallToAction-1744046271000","value":{"leaveReply":"Leave a reply...","leaveReply@board:BLOG@message:root":"Leave a comment...","leaveReply@board:TKB@message:root":"Leave a comment...","leaveReply@board:IDEA@message:root":"Leave a comment...","leaveReply@board:OCCASION@message:root":"Leave a comment...","repliesTurnedOff.FORUM":"Replies are turned off for this topic","repliesTurnedOff.BLOG":"Comments are turned off for this topic","repliesTurnedOff.TKB":"Comments are turned off for this topic","repliesTurnedOff.IDEA":"Comments are turned off for this topic","repliesTurnedOff.OCCASION":"Comments are turned off for this topic","infoText":"Stop poking me!"},"localOverride":false},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/cmstNDEtSzFzVEth\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/cmstNDEtSzFzVEth","height":0,"width":0,"mimeType":"image/svg+xml"},"Rank:rank:41":{"__typename":"Rank","id":"rank:41","position":18,"name":"Nimbostratus","color":"CCCCCC","icon":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/cmstNDEtSzFzVEth\"}"},"rankStyle":"FILLED"},"User:user:25057":{"__typename":"User","id":"user:25057","uid":25057,"login":"Alin_Vasile_134","biography":null,"registrationData":{"__typename":"RegistrationData","status":null,"registrationTime":"2019-05-04T15:13:01.000-07:00"},"deleted":false,"email":"","avatar":{"__typename":"UserAvatar","url":"https://community.f5.com/t5/s/zihoc95639/m_assets/avatars/default/avatar-1.svg?time=0"},"rank":{"__ref":"Rank:rank:41"},"entityType":"USER","eventPath":"community:zihoc95639/user:25057"},"ModerationData:moderation_data:284212":{"__typename":"ModerationData","id":"moderation_data:284212","status":"APPROVED","rejectReason":null,"isReportedAbuse":false,"rejectUser":null,"rejectTime":null,"rejectActorType":null},"TkbReplyMessage:message:284212":{"__typename":"TkbReplyMessage","author":{"__ref":"User:user:25057"},"id":"message:284212","revisionNum":1,"uid":284212,"depth":1,"hasGivenKudo":false,"subscribed":false,"board":{"__ref":"Tkb:board:codeshare"},"parent":{"__ref":"TkbTopicMessage:message:284211"},"conversation":{"__ref":"Conversation:conversation:284211"},"subject":"Re: Client Cert Request by URI with OCSP Checking","moderationData":{"__ref":"ModerationData:moderation_data:284212"},"body":"Missing sample bigip.conf?","body@stripHtml({\"removeProcessingText\":false,\"removeSpoilerMarkup\":false,\"removeTocMarkup\":false,\"truncateLength\":200})@stringLength":"26","kudosSumWeight":0,"repliesCount":0,"postTime":"2016-05-19T05:37:29.000-07:00","lastPublishTime":"2016-05-19T05:37:29.000-07:00","metrics":{"__typename":"MessageMetrics","views":1456},"visibilityScope":"PUBLIC","placeholder":false,"originalMessageForPlaceholder":null,"entityType":"TKB_REPLY","eventPath":"category:CrowdSRC/community:zihoc95639board:codeshare/message:284211/message:284212","replies":{"__typename":"MessageConnection","pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null},"edges":[]},"customFields":[],"attachments":{"__typename":"AttachmentConnection","edges":[],"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}}},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/cmstMzgtTzNNNGh5\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/cmstMzgtTzNNNGh5","height":0,"width":0,"mimeType":"image/svg+xml"},"Rank:rank:38":{"__typename":"Rank","id":"rank:38","position":15,"name":"Cirrus","color":"CCCCCC","icon":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/cmstMzgtTzNNNGh5\"}"},"rankStyle":"FILLED"},"User:user:182504":{"__typename":"User","id":"user:182504","uid":182504,"login":"Kaloyan","biography":null,"registrationData":{"__typename":"RegistrationData","status":null,"registrationTime":"2019-06-28T05:18:41.000-07:00"},"deleted":false,"email":"","avatar":{"__typename":"UserAvatar","url":"https://community.f5.com/t5/s/zihoc95639/m_assets/avatars/default/avatar-2.svg?time=0"},"rank":{"__ref":"Rank:rank:38"},"entityType":"USER","eventPath":"community:zihoc95639/user:182504"},"ModerationData:moderation_data:284213":{"__typename":"ModerationData","id":"moderation_data:284213","status":"APPROVED","rejectReason":null,"isReportedAbuse":false,"rejectUser":null,"rejectTime":null,"rejectActorType":null},"TkbReplyMessage:message:284213":{"__typename":"TkbReplyMessage","author":{"__ref":"User:user:182504"},"id":"message:284213","revisionNum":1,"uid":284213,"depth":1,"hasGivenKudo":false,"subscribed":false,"board":{"__ref":"Tkb:board:codeshare"},"parent":{"__ref":"TkbTopicMessage:message:284211"},"conversation":{"__ref":"Conversation:conversation:284211"},"subject":"Re: Client Cert Request by URI with OCSP Checking","moderationData":{"__ref":"ModerationData:moderation_data:284213"},"body":"

Is there any chance this to be updated to work on version 12.1 ?\nI am trying to adopt it, but facing a lot of issues/ errors.

 

","body@stripHtml({\"removeProcessingText\":false,\"removeSpoilerMarkup\":false,\"removeTocMarkup\":false,\"truncateLength\":200})@stringLength":"135","kudosSumWeight":0,"repliesCount":0,"postTime":"2019-01-16T10:47:20.000-08:00","lastPublishTime":"2019-01-16T10:47:20.000-08:00","metrics":{"__typename":"MessageMetrics","views":1450},"visibilityScope":"PUBLIC","placeholder":false,"originalMessageForPlaceholder":null,"entityType":"TKB_REPLY","eventPath":"category:CrowdSRC/community:zihoc95639board:codeshare/message:284211/message:284213","replies":{"__typename":"MessageConnection","pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null},"edges":[]},"customFields":[],"attachments":{"__typename":"AttachmentConnection","edges":[],"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}}},"User:user:323389":{"__typename":"User","id":"user:323389","uid":323389,"login":"Yogesh_Joshi","biography":null,"registrationData":{"__typename":"RegistrationData","status":null,"registrationTime":"2020-05-01T07:21:53.000-07:00"},"deleted":false,"email":"","avatar":{"__typename":"UserAvatar","url":"https://community.f5.com/t5/s/zihoc95639/m_assets/avatars/default/avatar-9.svg?time=0"},"rank":{"__ref":"Rank:rank:41"},"entityType":"USER","eventPath":"community:zihoc95639/user:323389"},"ModerationData:moderation_data:284214":{"__typename":"ModerationData","id":"moderation_data:284214","status":"APPROVED","rejectReason":null,"isReportedAbuse":false,"rejectUser":null,"rejectTime":null,"rejectActorType":null},"TkbReplyMessage:message:284214":{"__typename":"TkbReplyMessage","author":{"__ref":"User:user:323389"},"id":"message:284214","revisionNum":1,"uid":284214,"depth":1,"hasGivenKudo":false,"subscribed":false,"board":{"__ref":"Tkb:board:codeshare"},"parent":{"__ref":"TkbTopicMessage:message:284211"},"conversation":{"__ref":"Conversation:conversation:284211"},"subject":"Re: Client Cert Request by URI with OCSP Checking","moderationData":{"__ref":"ModerationData:moderation_data:284214"},"body":"

We would like to have F5 configured to not always request client certificate authentication, but to request it only when the path matches specific URL

","body@stripHtml({\"removeProcessingText\":false,\"removeSpoilerMarkup\":false,\"removeTocMarkup\":false,\"truncateLength\":200})@stringLength":"152","kudosSumWeight":0,"repliesCount":0,"postTime":"2020-05-01T07:30:20.000-07:00","lastPublishTime":"2020-05-01T07:30:20.000-07:00","metrics":{"__typename":"MessageMetrics","views":1445},"visibilityScope":"PUBLIC","placeholder":false,"originalMessageForPlaceholder":null,"entityType":"TKB_REPLY","eventPath":"category:CrowdSRC/community:zihoc95639board:codeshare/message:284211/message:284214","replies":{"__typename":"MessageConnection","pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null},"edges":[]},"customFields":[],"attachments":{"__typename":"AttachmentConnection","edges":[],"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}}},"CachedAsset:text:en_US-shared/client/components/common/QueryHandler-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/QueryHandler-1744046271000","value":{"title":"Query Handler"},"localOverride":false},"CachedAsset:text:en_US-components/community/NavbarDropdownToggle-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-components/community/NavbarDropdownToggle-1744046271000","value":{"ariaLabelClosed":"Press the down arrow to open the menu"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageSubject-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageSubject-1744046271000","value":{"noSubject":"(no subject)"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageBody-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageBody-1744046271000","value":{"showMessageBody":"Show More","mentionsErrorTitle":"{mentionsType, select, board {Board} user {User} message {Message} other {}} No Longer Available","mentionsErrorMessage":"The {mentionsType} you are trying to view has been removed from the community.","videoProcessing":"Video is being processed. Please try again in a few minutes.","bannerTitle":"Video provider requires cookies to play the video. Accept to continue or {url} it directly on the provider's site.","buttonTitle":"Accept","urlText":"watch"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageCustomFields-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageCustomFields-1744046271000","value":{"CustomField.default.label":"Value of {name}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageRevision-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageRevision-1744046271000","value":{"lastUpdatedDatePublished":"{publishCount, plural, one{Published} other{Updated}} {date}","lastUpdatedDateDraft":"Created {date}","version":"Version {major}.{minor}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageReplyButton-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageReplyButton-1744046271000","value":{"repliesCount":"{count}","title":"Reply","title@board:BLOG@message:root":"Comment","title@board:TKB@message:root":"Comment","title@board:IDEA@message:root":"Comment","title@board:OCCASION@message:root":"Comment"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageAuthorBio-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageAuthorBio-1744046271000","value":{"sendMessage":"Send Message","actionMessage":"Follow this blog board to get notified when there's new activity","coAuthor":"CO-PUBLISHER","contributor":"CONTRIBUTOR","userProfile":"View Profile","iconlink":"Go to {name} {type}"},"localOverride":false},"CachedAsset:text:en_US-components/guides/GuideBottomNavigation-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-components/guides/GuideBottomNavigation-1744046271000","value":{"nav.label":"Previous/Next Page","nav.previous":"Previous","nav.next":"Next"},"localOverride":false},"CachedAsset:text:en_US-components/tags/TagView/TagViewChip-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-components/tags/TagView/TagViewChip-1744046271000","value":{"tagLabelName":"Tag name {tagName}"},"localOverride":false},"CachedAsset:text:en_US-components/users/UserLink-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-components/users/UserLink-1744046271000","value":{"authorName":"View Profile: {author}","anonymous":"Anonymous"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/users/UserRank-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/users/UserRank-1744046271000","value":{"rankName":"{rankName}","userRank":"Author rank {rankName}"},"localOverride":false},"CachedAsset:text:en_US-components/users/UserRegistrationDate-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-components/users/UserRegistrationDate-1744046271000","value":{"noPrefix":"{date}","withPrefix":"Joined {date}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageListMenu-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageListMenu-1744046271000","value":{"postTimeAsc":"Oldest","postTimeDesc":"Newest","kudosSumWeightAsc":"Least Liked","kudosSumWeightDesc":"Most Liked","sortTitle":"Sort By","sortedBy.item":" { itemName, select, postTimeAsc {Oldest} postTimeDesc {Newest} kudosSumWeightAsc {Least Liked} kudosSumWeightDesc {Most Liked} other {}}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageTime-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageTime-1744046271000","value":{"postTime":"Published: {time}","lastPublishTime":"Last Update: {time}","conversation.lastPostingActivityTime":"Last posting activity time: {time}","conversation.lastPostTime":"Last post time: {time}","moderationData.rejectTime":"Rejected time: {time}"},"localOverride":false},"CachedAsset:text:en_US-components/customComponent/CustomComponent-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-components/customComponent/CustomComponent-1744046271000","value":{"errorMessage":"Error rendering component id: {customComponentId}","bannerTitle":"Video provider requires cookies to play the video. Accept to continue or {url} it directly on the provider's site.","buttonTitle":"Accept","urlText":"watch"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/users/UserAvatar-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/users/UserAvatar-1744046271000","value":{"altText":"{login}'s avatar","altTextGeneric":"User's avatar"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/ranks/UserRankLabel-1744046271000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/ranks/UserRankLabel-1744046271000","value":{"altTitle":"Icon for {rankName} rank"},"localOverride":false}}}},"page":"/kbs/TkbMessagePage/TkbMessagePage","query":{"boardId":"codeshare","messageSubject":"client-cert-request-by-uri-with-ocsp-checking","messageId":"284211"},"buildId":"ISAhs0UxT148eG089lpQq","runtimeConfig":{"buildInformationVisible":false,"logLevelApp":"info","logLevelMetrics":"info","openTelemetryClientEnabled":false,"openTelemetryConfigName":"f5","openTelemetryServiceVersion":"25.3.0","openTelemetryUniverse":"prod","openTelemetryCollector":"http://localhost:4318","openTelemetryRouteChangeAllowedTime":"5000","apolloDevToolsEnabled":false,"inboxMuteWipFeatureEnabled":false},"isFallback":false,"isExperimentalCompile":false,"dynamicIds":["./components/customComponent/CustomComponent/CustomComponent.tsx","./components/community/Navbar/NavbarWidget.tsx","./components/community/Breadcrumb/BreadcrumbWidget.tsx","./components/tkbs/TkbArticleWidget/TkbArticleWidget.tsx","./components/messages/MessageView/MessageViewStandard/MessageViewStandard.tsx","./components/messages/ThreadedReplyList/ThreadedReplyList.tsx","./components/customComponent/CustomComponentContent/TemplateContent.tsx","../shared/client/components/common/List/UnwrappedList/UnwrappedList.tsx","./components/tags/TagView/TagView.tsx","./components/tags/TagView/TagViewChip/TagViewChip.tsx","../shared/client/components/common/List/UnstyledList/UnstyledList.tsx","./components/messages/MessageView/MessageView.tsx","./components/customComponent/CustomComponentContent/HtmlContent.tsx","./components/customComponent/CustomComponentContent/CustomComponentScripts.tsx"],"appGip":true,"scriptLoader":[]}