APM Clientless certificate authentication

Problem this snippet solves:

This code allows configuring certificate authentication with APM clientless-mode support.

When both of the following are configured, APM's behavior is to disable clientless mode:

  • APM clientless-mode in irule
  • On-Demand Cert Auth in VPE

This code enables clientless mode when the configured condition requires it.

PS: this code uses a list instead of a simple variable so that it can be included in the APM SharePoint authentication code without changes.

How to use this snippet:

Edit the first HTTP_REQUEST event and add the condition under which certificate authentication is enabled.
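The snippet's own iRule is not reproduced on this page, so the following is an added example written by the editor to illustrate the mechanism described above; it is not the snippet author's code and has not been taken from any F5 project. It assumes (as the author states in the comments below) that the access policy contains a Client Cert Inspection agent and no On-Demand Cert Auth agent, that the paths requiring certificate authentication are the hypothetical values in cert_auth_paths, and that the "clientless-mode" request header is what asks APM for clientless mode. The list of paths stands in for the single condition the "How to use" step asks you to edit.

```tcl
# Added example (editor's illustration, not the original snippet's iRule).
# Assumptions, labelled:
#   - the APM policy uses a Client Cert Inspection agent only, no
#     On-Demand Cert Auth agent (which would break clientless mode);
#   - cert_auth_paths holds hypothetical URI prefixes; replace with your own;
#   - the "clientless-mode" header is the request-side switch for APM
#     clientless mode.
when CLIENT_ACCEPTED {
    # Connection-scoped state: CN of the certificate seen on this TCP connection
    # and whether we already asked the client for one.
    set cert_cn ""
    set cert_requested 0
}

when HTTP_REQUEST {
    # Edit this list: paths for which certificate authentication is required.
    set cert_auth_paths [list "/soap/" "/api/"]

    set needs_cert 0
    foreach p $cert_auth_paths {
        if { [string tolower [HTTP::path]] starts_with $p } {
            set needs_cert 1
            break
        }
    }

    if { $needs_cert } {
        # Ask APM for clientless mode so the request is not answered with a
        # 302 to /my.policy (a POST body would be lost across that redirect).
        HTTP::header insert "clientless-mode" 1

        if { [SSL::cert count] == 0 && !$cert_requested } {
            # No client certificate on this connection yet: hold the request,
            # request a certificate and renegotiate. The request is released
            # from CLIENTSSL_HANDSHAKE once the renegotiation completes.
            set cert_requested 1
            HTTP::collect
            SSL::cert mode request
            SSL::renegotiate
        }
    }
}

when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] > 0 } {
        # X509::subject returns a string such as "CN=alice,OU=users,O=example";
        # pull out the CN for the access policy to evaluate.
        set subject [X509::subject [SSL::cert 0]]
        if { [regexp -nocase {CN=([^,]+)} $subject -> cn] } {
            set cert_cn $cn
        }
    }
}

when CLIENTSSL_HANDSHAKE {
    # Release the held request after the renegotiation, whether or not a
    # certificate was presented; Client Cert Inspection decides what happens next.
    if { $cert_requested } {
        HTTP::release
    }
}

when ACCESS_SESSION_STARTED {
    # Export the CN so the policy can branch on it, e.g. with an expression
    # comparing mcget {session.logon.last.cn} to an allowed name.
    if { $cert_cn ne "" } {
        ACCESS::session data set session.logon.last.cn $cert_cn
    }
}
```

Because iRule Tcl variables are scoped to the connection, the CN captured in CLIENTSSL_CLIENTCERT is still available when ACCESS_SESSION_STARTED fires for the same connection; if your deployment terminates the session on a different flow, the value would have to be carried through a table entry instead. Test the renegotiation path against a client that declines to send a certificate to confirm the held request is released and the policy's Client Cert Inspection branch handles the failure.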

Comments on this Snippet
Comment made 30-Apr-2018 by C Ang 0

Hi Stanislas,

I have a situation that might be able to use this, but we do have an On-Demand Certificate Authentication in our APM policy. We now have a requirement to connect to this VIP on a specific URL for a SOAP-based web service. Unfortunately, the POST method with the SOAP payload is encountering the 302 redirects to /my.policy. By the time it gets back to the original SOAP endpoint, the request has become a GET and the payload is no longer being transmitted.

Also, we are trying to do this with mutual TLS, but because of the On-Demand Certificate Authentication, the client certificate is not requested until at least the 3rd redirect (the one with my.policy?nonce=?????). Is there no way around this?

Thanks in advance for any direction you might be able to point me towards,


Comment made 02-May-2018 by Stanislas Piron 10677

This code is meant to be used without an On-Demand Certificate Authentication box, with only a Client Cert Inspection box. This iRule manages the certificate request.

If you add an On-Demand Certificate Authentication box, it breaks the clientless mode.

Comment made 30-May-2018 by jkreyes 2

Thanks. What if you just want to allow this for specific users? For example, allow a certain Common Name based on the client certificate supplied?

Comment made 31-May-2018 by Stanislas Piron 10677

@jkreyes: This code manages clientless authentication for APM and imports the CN into the session.logon.last.cn variable.

You can filter in APM based on this variable.

Comment made 02-Jun-2018 by C Ang 0

@stanislas. Thank you for the clarification. I am a little late getting back to you, but our F5 folks decided it was too clunky to squeeze both use-cases (requiring on-demand client cert and MTLS for web services) onto the same Virtual Server. So we are going with an HAProxy or a separate VIP.