Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

APM On-Demand cert auth failing for curl command line client

mlanghorst
Nimbostratus
Nimbostratus

‎04-Apr-2023 16:27

Had a requirement for a site that was moving from Apache with ACL's over to F5 in front of an Apache instance, that only requires a user certificate authentication for a specific /uri.  For the SSL profile, I have to leave it at ignore, as request would always request a cert even for the other uri's.

In an irule I have an if statement in the HTTP_REQUEST block that says if the uri startswith /blah ACCESS::enable, else ACCESS::disable.  

This works as desired for a browser client, but when using:
curl -k --cert ./mlanghorst_cert.pem --key ./mlanghorst_key.pem --cacert CA5_bundle.pem https://mydomain/protected_path/index.html

It doesn't seem to present the cert to the F5, since the SSL profile is ignore, it doesn't seem to renegotiate for the client cert.

Ideas on how to fix this?

Labels:
0 Kudos
3 REPLIES 3

Juergen_Mang
MVP
MVP

‎05-Apr-2023 02:44

Try to enable clientless-mode for APM. Without this APM responses with a redirect to establish a session.

0 Kudos

mlanghorst
Nimbostratus
Nimbostratus
In response to Juergen_Mang

‎05-Apr-2023 07:45

Should've mentioned that.  I've tried setting that header via curl -H 'Clientless-Mode: 1'.  and within the irule:

#Set clientless mode for API
HTTP::header insert "clientless-mode" 1

Setting verbose, I see I'm getting a 302 redirect.  If I add the -L switch, I get returned the my.policy page telling me I've been denied access.

0 Kudos

Nikoolayy1
MVP
MVP

‎10-Apr-2023 03:11 - edited ‎10-Apr-2023 03:19

Also you may try API protection profile as I think you are getting redirection based on APM login page or something like that. You can't use client cert but oauth access token is something similar as this is only what you have:

 

https://clouddocs.f5.com/training/community/access-solutions/solution13/guide/guide.html

 

https://www.youtube.com/watch?v=-2ndGH9Dp1Q

 

The oauth server can still accept the client ssl cert before giving the token:

 

https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-access-policy-manager-oauth-configuration-14-1-0/u...
 
 
 
 
 
 

 

-----------------

When configuring On-Demand certification authentication in a

per-request policy

, avoid having any other agent before the On-Demand Cert Auth agent if the client SSL profile on the virtual server has the

Client Certificate

field set to

ignore

. This configuration makes the per-request policy re-execute the subroutine when it reaches the On-Demand Cert Auth agent. This can cause the per-request policy to go to the unexpected branch on each agent located before On-Demand Cert Auth agent.

 

 

0 Kudos
Copyright © 2023 Khoros, LLC