Forum Discussion

Cirrocumulus

Apr 08, 2021

using step up auth to client cert want to insert cert into header

So i have a VS where you have to log in. one url /withcert needs to be protected with the user providing a client cert. This is working, i have a per request policy, that matches the url and then us...

BIG-IP Access Policy Manager (APM)

iRules

security

AlexS_yb

Cirrocumulus

Apr 08, 2021

Yes, well. its step up auth. so its not done on the access policy. but on a pre request policy. and also has to be done as a subroutine, so my reading tells me that per request subroutines don't have access to the session variables as writeable. only readable.

quick check via the gui interface and it show that the cert info is in the per request sub session variables. how can I insert headers from a subroutine in a pre request policy .. i thinking the only way is to use a irule event ...

but this seems rather hard.

Note - i am note sure when access_acl_allowed is fired, but I have checked the session variables - no sign of the cert in the main session variables :(

spalande

Nacreous

Apr 09, 2021

okay. Then only option I think of is configuring standard access policy where you can enable it in iRule only for uri /withcert or in VPE itself to check the uri. This should generate session variables from the cert you are looking for to send across the backend server

when HTTP_REQUEST { 
 if { [string tolower [HTTP::uri]] starts_with /withcert] } {
       ACCESS::enable
	} else {
	   ACCESS::disable
      }
    }
when ACCESS_ACL_ALLOWED {
    set certsubject [ACCESS::session data get session.ssl.cert.subject]
	HTTP::header insert "certsubjectdn" $certsubject
	}

Or log a support case on why per request policy is not working for session variables.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)