Passing Client CAC / Smart Card Cert to Application Server
I am reaching to see if anyone has created or come across the most stream line process of passing a Client cert through F5 which then reaches the an Application server. The most important piece of data that needs to reach the server is just the CN (Common Name) I have looked online and come across many iRules but none seems to work. Example: when CLIENTSSL_CLIENTCERT { # Save the first client cert to a variable. Not sure why, but... set ssl_cert [SSL::cert 0] } More or less, I am looking for an iRule that will just do a "Pass through" for the Client cert through the F5 Proxy that would then reach the Application server. Thanks in advance for the help, I have spend a few hours on this as F5 BIG-IP is still very new to me across the board.Solved1KViews0likes3Comments[F5 LTM 11.4.1 HF9][2-Way-auth] CLIENTSSL_CLIENTCERT is not triggered in the Irule
Hello all, I am trying to implement an Irule to filter CN names. below the irule : when RULE_INIT { set static::org "O=OPS" log local0.alert "RULE_INIT" } when CLIENTSSL_CLIENTCERT { Check if client provided a cert if {[SSL::cert 0] eq ""}{ Reset the connection reject } else { Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith set subject_dn [X509::subject [SSL::cert 0]] log local0.alert "Client Certificate Received: $subject_dn" Check if the client certificate contains the correct O and a CN from the list if { ([matchclass $subject_dn contains cn_allowed]) and ($subject_dn contains $static::org) } { Accept the client cert log local0.alert "Client Certificate Accepted: $subject_dn" } else { log local0.alert "No Matching Client Certificate Was Found Using: $subject_dn" reject } } } The "cn_allowed" contains the list of allowed CNs. When I make a new connection with the browser (after sending the client certificate), I am not getting any log in /var/log/ltm related to the CLIENTSSL_CLIENTCERT section (only the rule init is shown). Kindly help me to resolve this problem. Thanks in advance.487Views0likes7CommentsNot able to connect 2 way SSL from application server to f5
From my application server , for client side connections towards my f5 i am trying to establish a 2 way ssl , but am not able to connect [client server ~] openssl s_client -connect f5.c1.com.gn:9010 CONNECTED(00000003) depth=0 C = GN, O = MTN, CN = f5.Cust1.com.gn verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 C = GN, O = CUST1, CN = f5.Cust1.com.gn verify error:num=27:certificate not trusted verify return:1 depth=0 C = GN, O = CUST1, CN = f5.Cust1.com.gn verify error:num=21:unable to verify the first certificate verify return:1 Certificate chain 0 s:/C=GN/O=CUST1/CN=f5.Cust1.com.gn i:/CN=m3-internal-ca-guina Server certificate -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- subject=/C=GN/O=CUST1/CN=f5.Cust1.com.gn issuer=/CN=m3-internal-ca-guina No client certificate CA names sent SSL handshake has read 1263 bytes and written 621 bytes New, TLSv1/SSLv3, Cipher is AES256-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : AES256-SHA256 Session-ID: E712FFC846A4669E74AC3793C2A0E3E41714CE2DB06FEF08CD90D81A210F0593 Session-ID-ctx: Master-Key: 12F2D283B35FD56F25EA30CED9239BAA5155C692024DCA9C1E3400539D123637 8921C39456C9DBD399B3D99444497465 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1468237189 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate) read:errno=0 along with this iam getting following error on server : https://f5.cust1.com.gn:9010/********: peer not authenticated549Views0likes5Comments