kunjan
Mar 24, 2014 Nimbostratus
APM Clientless Mode
Hi list,
A few queries regarding clientless mode:
1) Does every request create a new session id for clientless mode for APM?
2) When will it clear/remove the session id?
Kevin, it's been a while since you answered this question. We have a few vendors who use API calls, and the APM's 302 is causing issues. So we decided to introduce clientless mode only for those who have issues and leave other traffic as it is.
Requirements:
a) Our external partners will be connecting to our web server from the internet.
b) We will check for a certificate using APM and also check the certificate subject value.
c) If it matches what we already defined for each vendor, they will be allowed to access the web server, and we will configure an additional HTTP header, X-CUSTOM-UPN, and also add the clientless-mode HTTP header value, HTTP::header insert "clientless-mode" 1, for vendors that have a problem with the 302 redirect. For other vendors, we don't use the clientless-mode HTTP header.
The rule that I already created:
when ACCESS_POLICY_COMPLETED {
    # Only evaluate when the client presented a certificate
    if { [SSL::cert count] > 0 } {
        set cert [SSL::cert 0]
        set subject [string tolower [X509::subject $cert]]
        set clientIP [IP::client_addr]
        if { $subject contains "cn=vendor-a.mycompany" } {
            HTTP::header insert X-CUSTOM-UPN vendor-a
        } elseif { $subject contains "cn=vendor-b.mycompany.com" } {
            # We only wanted clientless mode for specific applications that can't handle the 302 redirect coming from F5.
            HTTP::header insert X-CUSTOM-UPN vendor-b
            HTTP::header insert "clientless-mode" 1
        } else {
            # No vendor matched: log the client address and drop the connection
            log $clientIP
            log local0. "cert CN not valid"
            reject
        }
    }
}
As you noticed, I put them under ACCESS_POLICY_COMPLETED. This does not help, because to redirect to APM's my.policy there will be a 302. So I tried to put them under HTTP_REQUEST, and it is still not working. What am I missing?
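An added example, not part of the original post and not F5 code: the rule above picks the vendor with a substring test on the subject, which also accepts any subject that merely contains that string. The plain Tcl below (runs in tclsh) extracts the CN and compares it exactly; the vendor names, the comma-separated subject layout and the sample subjects are constructed assumptions.

```tcl
# Added example in plain Tcl (8.4-compatible); not the poster's iRule.

# Return the lower-cased CN values found in a subject string.
# Assumes comma-separated RDNs with no escaped commas inside values.
proc subject_cns {subject} {
    set cns {}
    foreach rdn [split $subject ","] {
        set rdn [string trim $rdn]
        if {[string match -nocase "cn=*" $rdn]} {
            lappend cns [string tolower [string range $rdn 3 end]]
        }
    }
    return $cns
}

# Map a subject to {upn clientless}; empty list when no CN matches exactly.
# The vendor table is hypothetical.
proc lookup_vendor {subject} {
    foreach cn [subject_cns $subject] {
        switch -exact -- $cn {
            vendor-a.mycompany.com { return {vendor-a 0} }
            vendor-b.mycompany.com { return {vendor-b 1} }
        }
    }
    return {}
}

# Constructed subjects: two expected vendors and one look-alike CN.
foreach subject {
    "CN=vendor-a.mycompany.com,OU=Partners,O=Vendor A,C=US"
    "CN=Vendor-B.MyCompany.com,O=Vendor B,C=US"
    "CN=vendor-a.mycompany.com.example.net,O=Someone Else,C=US"
} {
    set exact [lookup_vendor $subject]
    # The substring test used in the rule above, for comparison.
    set loose [expr {[string first "cn=vendor-a.mycompany" [string tolower $subject]] >= 0}]
    puts [format "%-60s exact={%s} substring_vendor_a=%d" $subject $exact $loose]
}
```

The third subject passes the substring test for vendor-a but returns an empty result from the exact lookup, so a rule built on the exact match would fall through to its reject branch.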