cancel
Showing results for 
Search instead for 
Did you mean: 

using step up auth to client cert want to insert cert into header

AlexS_yb
Cirrostratus
Cirrostratus

So i have a VS where you have to log in. one url /withcert needs to be protected with the user providing a client cert.

This is working, i have a per request policy, that matches the url and then uses subroutine to force a renegotiation with a client cert.

 

Now how do I get the client cert info into my headers.

 

when i look at active sessions, my main session doesn't have is a sub session so

subsession.ssl.cert.whole

 

seems to have the whole cert in there. how do I pass that back or how do I add that to headers ?

and that part of the variable name is at the end - looking via the web interface its very long ...

 

any help thanks

 

10 REPLIES 10

SanjayP
MVP
MVP

Have you checked what all session variables are populated from the client cert on APM. You can use any of them to add in the header. to begin with -

 

when ACCESS_ACL_ALLOWED { set certsubject [ACCESS::session data get session.ssl.cert.subject] HTTP::header insert "certsubjectdn" $certsubject }

 

 

 

Yes, well. its step up auth. so its not done on the access policy. but on a pre request policy. and also has to be done as a subroutine, so my reading tells me that per request subroutines don't have access to the session variables as writeable. only readable.

 

quick check via the gui interface and it show that the cert info is in the per request sub session variables. how can I insert headers from a subroutine in a pre request policy .. i thinking the only way is to use a irule event ...

 

but this seems rather hard.

 

Note - i am note sure when access_acl_allowed is fired, but I have checked the session variables - no sign of the cert in the main session variables 😞

 

Can you see if HTTP_REQUEST is able to catch and parse cert details? This iRule is just to log the details first.

 

when HTTP_REQUEST { if {[SSL::cert count] > 0}{ set certsubjectdn [X509::subject [SSL::cert 0]] set certissuerdn [X509::issuer [SSL::cert 0]] log local0.info "certsubjectdn: $certsubjectdn" log local0.info "certissuerdn: $certissuerdn" } else { return } }

 

yes I have tried and it didn't work

 

my presumption is [SSL::cert] looks at the current session data and the cert is not stored there. because it was initiated from a sub session

 

okay. Then only option I think of is configuring standard access policy where you can enable it in iRule only for uri /withcert or in VPE itself to check the uri. This should generate session variables from the cert you are looking for to send across the backend server

 

when HTTP_REQUEST { if { [string tolower [HTTP::uri]] starts_with /withcert] } { ACCESS::enable } else { ACCESS::disable } } when ACCESS_ACL_ALLOWED { set certsubject [ACCESS::session data get session.ssl.cert.subject] HTTP::header insert "certsubjectdn" $certsubject }

Or log a support case on why per request policy is not working for session variables.

Hmm, not exactly what i want.

 

as for the support case - pretty sure the manual F5 stat subsession (pre request subroutines - need for stepup) can't access sessions variables and have their own subsession variables. they might be read only. definitely not allowed to write.

 

So the step places all the cert info into the subsession variables. which I want to grab and place in the session variables..

 

trying to do it with irule event, but can't get it to fire 😞

Any technical reason you don't want per session access policy with rule based on landing uri or iRule? just FYI - there is a way to achieve this with standalone ltm based iRule as well and no need of per session or per request access policy (i.e. apm module)

Hi

 

No, i am a newbie and this is the current solution i have come up with if you can show me a better way - potentially easier happy to listen

 

So I will try and outline the problem i am trying to solve

 

I want users to be able to go to

https://www.example.com - with no APM no login .. as anon. let them use it

but when they hit

https://www.example.com/secret

I want APM to kick in - they must have a valid sso session - maybe group based (I have this working )

but when they hit

https://www.example.com/secret/ultraSecret

 

I want a OTP or some other MFA to kick in.

 

I have tried to stay away from using irule for all of that and used the VPE.

I have a sso multidomain setup its at auth.example.com

so that people can go to

https://www.example.com/

then to

https://clients.example.com/

with out having to re login again and to any other site I might manage under example.com

 

So my presumption is

Access policy - per session only kicks in at the first place a session is started. So

if user goes to

https://www.example.com/secret

APM bumps it to

https://auth.example.com/

and this is where Access policy per session starts - it uses the VPE for auth.example.com not www.example.com

 

and its only evaluated at session creation.

 

So thats why i created a per request access policy - also part of the zero trust setup.

So I can use this for

https://www.example.com/secret

bump up to needing to be authorized

and I can do the dump up for

https://www.example.com/secret/ultraSecret

I can force needing a cert - works well.

The issues is getting information from the subsession and back into the session variables.

 

I'm thinking maybe .. doing more googling that the localdb might be the place to also keep variables / info ...

 

if you have a different way to produce the above I would be happy to try it

 

thanks

 

 

 

 

 

 

 

 

In this sceneria, you can still have per session access policy configured for www.example.com VIP. landing uri can be used to seperate VPE flow. domain cookie (example.com) can be used for SSO across multiple sites withing the same domain. per session policy should populate the certificate variables you need.

 

Will keep the forum open for anyone else have idea to share for per request access policy.

Hi

 

Not so sure about that. but happy to proven wrong.

 

of if follow the flow i had above the person enters on a different uri that doesn't need cert or step up

 

the AP landing uri is the one set at the creating of the AP, not on subsequence request ?

 

also the AP associated with this is not for www.example.com but on auth.example.com.

 

so I would need to build a branch for every vs i had - that would be comber some