rts
Sep 22, 2023

Missing Certificate after redirect

We have a requirement for any calls coming into https://abc.com to be redirected to Azure APIM https://apim-xyz.com/api

The following simple rule has been set up in F5 for calls coming into https://abc.com:

when HTTP_REQUEST {
    HTTP::respond 307 Location "https://apim-xyz.com/api"
}

But the problem we are facing is with the client certificate.

After the redirect, the client certificate is no longer available and the new URL "https://apim-xyz.com/api" is not able to validate the request. We have no control over the client.
We can control F5, redirect and server.
Any help would be greatly appreciated. 

4 Replies

  • rts What is the function of https://abc.com? Are you sending the client to https://apim-xyz.com/api to handle part of the client request and then the client is back to use https://abc.com? I'm not all that familiar with Azure APIM so I'm not aware of its function in the client request. In regards to the client certificate, is that used as an authentication method for Azure APIM or are you referring to the SSL cert that the client uses to connect to the website? If it's for client authentication I'm not sure how you could handle this without the F5 acting as the proxy between the client and Azure APIM since a redirect just hands the client off to the next URL.

    • rts

      abc.com has no function. It is a legacy URL.

      Client doesn't return back to abc.com, everything is handled in APIM.

      Certificate is used for authentication. I am not too familiar with F5, so any light you can shed on the redirect would be helpful. Or any information on how to achieve authentication in this case.

      • rts If abc.com is legacy then you want to change your redirect to a 301 rather than a 307. Now in regards to client authentication, they would need a client certificate for both abc.com and apim-xyz.com in order for things to work after the redirect. Most likely the client certificate is for domain abc.com and since the destination is no longer abc.com they would need the one cert to cover both FQDNs or have two certs with each one having the name for the appropriate destination.

  • Hello,

    1. Are you facing any certificate issues while accessing abc.com and after redirection?

    2. Try https://apim-xyz.com/api directly and check whether you get any certificate issues.

    I hope the F5 has a client SSL profile with the SAN name "abc.com".
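
The first reply notes that a redirect just hands the client off, and that client authentication would need the F5 to act as the proxy in front of Azure APIM. The iRule below is an added sketch of that proxy approach, not code from any poster in this thread. The pool name `apim_pool`, the header name `X-Client-Cert`, the path mapping and the profile setup are assumptions.

```tcl
# Added example, not from the thread. Hypothetical names are marked ASSUMPTION.
# ASSUMPTION: the abc.com virtual server has a client SSL profile that requests
#             client certificates, plus a server SSL profile for the APIM side.
# ASSUMPTION: pool "apim_pool" points at apim-xyz.com:443.
# ASSUMPTION: "X-Client-Cert" is a header name chosen for this example; the
#             APIM side has to be configured to read and validate it.

when HTTP_REQUEST {
    # Never trust a copy of the header supplied by the client itself.
    HTTP::header remove "X-Client-Cert"

    # Refuse requests that arrive without a verified client certificate
    # on the client-side TLS session (verify result 0 means OK).
    if { [SSL::cert count] == 0 || [SSL::verify_result] != 0 } {
        HTTP::respond 403 content "Client certificate required"
        return
    }

    # Pass the certificate the client presented to the F5 (DER, base64-encoded).
    HTTP::header insert "X-Client-Cert" [b64encode [SSL::cert 0]]

    # Proxy to APIM instead of answering with a 307, so the client never
    # leaves the TLS session on which it authenticated.
    HTTP::header replace "Host" "apim-xyz.com"
    # ASSUMPTION: legacy paths map under /api on the APIM side.
    HTTP::uri "/api[HTTP::uri]"
    pool apim_pool
}
```

With this design APIM trusts a header rather than its own TLS handshake, so it should accept that header only on connections coming from the F5.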