using step up auth to client cert want to insert cert into header


So I have a VS where you have to log in. One URL, /withcert, needs to be protected by requiring the user to provide a client cert.

This is working: I have a per-request policy that matches the URL and then uses a subroutine to force a renegotiation with a client cert.


Now how do I get the client cert info into my headers?


When I look at active sessions, my main session doesn't have it; there is a sub session that



seems to have the whole cert in there. How do I pass that back, or how do I add that to headers?

And that part of the variable name is at the end; looking via the web interface, it's very long ...


Any help, thanks.




Have you checked which session variables are populated from the client cert on APM? You can use any of them to add to the header. To begin with:

    set certsubject [ACCESS::session data get session.ssl.cert.subject]
    HTTP::header insert "certsubjectdn" $certsubject

Yes, well, it's step-up auth, so it's not done in the access policy but in a per-request policy, and it also has to be done as a subroutine. My reading tells me that per-request subroutines don't have write access to the session variables, only read access.


A quick check via the GUI shows that the cert info is in the per-request sub session variables. How can I insert headers from a subroutine in a per-request policy? I'm thinking the only way is to use an iRule event ...


But this seems rather hard.


Note: I am not sure when ACCESS_ACL_ALLOWED is fired, but I have checked the session variables; there is no sign of the cert in the main session variables 😞


Can you see if HTTP_REQUEST is able to catch and parse cert details? This iRule is just to log the details first.

    when HTTP_REQUEST {
        # Log the client cert details from the current SSL connection, if any
        if { [SSL::cert count] > 0 } {
            set certsubjectdn [X509::subject [SSL::cert 0]]
            set certissuerdn  [X509::issuer [SSL::cert 0]]
            log local0. "certsubjectdn: $certsubjectdn"
            log local0. "certissuerdn: $certissuerdn"
        } else {
            log local0. "no client cert on this connection"
        }
    }

Yes, I have tried, and it didn't work.


My presumption is that [SSL::cert] looks at the current session data, and the cert is not stored there because it was initiated from a sub session.


Okay. Then the only option I can think of is configuring a standard access policy, where you can enable it in an iRule only for the URI /withcert, or check the URI in the VPE itself. This should generate the session variables from the cert that you are looking for, to send across to the backend server.

    when HTTP_REQUEST {
        # Only insert the cert header for the protected URI
        if { [string tolower [HTTP::uri]] starts_with "/withcert" } {
            set certsubject [ACCESS::session data get session.ssl.cert.subject]
            HTTP::header insert "certsubjectdn" $certsubject
        }
    }

Or log a support case on why the per-request policy is not working for session variables.
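As an added example (not code from this thread), the two snippets above combined into one HTTP_REQUEST iRule. It assumes a per-session access policy has populated session.ssl.cert.subject for the connection, falls back to the cert on the current SSL connection when the session variable is empty, and strips any client-supplied copy of the headers before inserting them so the backend cannot be fed a spoofed subject:

```tcl
when HTTP_REQUEST {
    # Header names are an assumption; use whatever the backend expects.
    set hdr_subject "certsubjectdn"
    set hdr_issuer  "certissuerdn"

    # Never trust a client-supplied copy of these headers: remove them on every
    # request so a caller cannot spoof the identity the backend reads from them.
    HTTP::header remove $hdr_subject
    HTTP::header remove $hdr_issuer

    if { [string tolower [HTTP::uri]] starts_with "/withcert" } {
        set certsubject ""
        set certissuer  ""

        # Prefer the APM session variables populated by the access policy.
        # catch guards against the command failing when no APM session exists.
        catch { set certsubject [ACCESS::session data get session.ssl.cert.subject] }
        catch { set certissuer  [ACCESS::session data get session.ssl.cert.issuer] }

        # Fallback: a client cert presented on this SSL connection itself.
        if { $certsubject eq "" && [SSL::cert count] > 0 } {
            set certsubject [X509::subject [SSL::cert 0]]
            set certissuer  [X509::issuer  [SSL::cert 0]]
        }

        if { $certsubject eq "" } {
            # Fail closed: do not forward a /withcert request without a cert identity.
            log local0. "no client cert identity for [HTTP::uri] from [IP::client_addr]"
            HTTP::respond 403 content "client certificate required" "Content-Type" "text/plain"
            return
        }

        HTTP::header insert $hdr_subject $certsubject
        HTTP::header insert $hdr_issuer  $certissuer
        log local0. "inserted $hdr_subject=$certsubject for [HTTP::uri]"
    }
}
```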

Hmm, not exactly what I want.


As for the support case: I'm pretty sure the manual F5 states that subsessions (per-request subroutines, needed for step-up) can't access session variables and have their own subsession variables. They might be read-only; definitely not allowed to write.


So the step places all the cert info into the subsession variables, which I want to grab and place in the session variables.


I'm trying to do it with an iRule event, but can't get it to fire 😞

Any technical reason you don't want a per-session access policy with a rule based on landing URI or an iRule? Just FYI: there is a way to achieve this with a standalone LTM-based iRule as well, with no need for a per-session or per-request access policy (i.e. the APM module).



No, I am a newbie and this is the current solution I have come up with. If you can show me a better way, potentially easier, I'm happy to listen.


So I will try and outline the problem I am trying to solve.


I want users to be able to go to - with no APM, no login, as anon. Let them use it.

but when they hit

I want APM to kick in: they must have a valid SSO session, maybe group based (I have this working).

but when they hit


I want an OTP or some other MFA to kick in.


I have tried to stay away from using iRules for all of that and used the VPE.

I have an SSO multidomain setup; it's at

so that people can go to

then to

without having to log in again, and to any other site I might manage under


So my presumption is:

Access policy (per session) only kicks in at the first place a session is started. So

if the user goes to

APM bumps it to

and this is where the per-session access policy starts; it uses the VPE for not


and it's only evaluated at session creation.


So that's why I created a per-request access policy, also part of the zero trust setup.

So I can use this for

bump up to needing to be authorized

and I can do the bump up for

I can force needing a cert; it works well.

The issue is getting information from the subsession back into the session variables.


I'm thinking maybe, after doing more googling, that the localdb might be the place to also keep variables / info ...


If you have a different way to produce the above, I would be happy to try it.



In this scenario, you can still have a per-session access policy configured for the VIP. The landing URI can be used to separate the VPE flow. A domain cookie can be used for SSO across multiple sites within the same domain. The per-session policy should populate the certificate variables you need.


Will keep the forum open for anyone else who has an idea to share for the per-request access policy.



Not so sure about that, but happy to be proven wrong.


Or, if I follow the flow I had above, the person enters on a different URI that doesn't need a cert or step-up.


The AP landing URI is the one set at the creation of the AP, not on subsequent requests?


Also, the AP associated with this is not for but on


So I would need to build a branch for every VS I had; that would be cumbersome.