
Insert client certificate into APM session variable via IRule

Hello!

First-time poster, long-time reader.

I'm trying to extract the Subject value from a client certificate and insert the value into an APM session variable, but with no luck. The iRule in question looks like this:

when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] > 0 } {
        log local0. "Subject: [X509::subject [SSL::cert 0]]"
        set client_cert [SSL::cert 0]
        set subject [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]
        ACCESS::session data set session.client.unique_id $subject
        log local0. "Current ID = $subject"
    }
}
when ACCESS_POLICY_COMPLETED {
    set subject [ACCESS::session data get session.client.unique_id]
}

I'm able to see the "subject" variable in /var/log.

When I'm executing the Access Policy, the session.client.unique_id variable is not populated with the "subject" variable from the iRule.


My VPE looks like this:

[screenshot of the VPE]

Thanks in advance!

//Mikael,

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hello Squeak,

Have you added the event ACCESS_POLICY_AGENT_EVENT to set your variable?

when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "id_of_your_irule_event" } {
        ACCESS::session data set session.client.unique_id $subject
        log local0. "Verifying the value of unique_id ===> [ACCESS::session data get session.client.unique_id]"
    }
}
0
Comments on this Answer
Comment made 20-Jun-2017 by Squeak 77

Thank you for your response, I'll try it out.

0
Comment made 20-Jun-2017 by MikeJ 54

Also, have you added the iRule to the VS?

0
Comment made 20-Jun-2017 by Stanislas Piron 10454

Hi,

The best event is ACCESS_SESSION_STARTED instead of an iRule event / ACCESS_POLICY_AGENT_EVENT.

ACCESS_SESSION_STARTED is raised just before policy evaluation.

0
Comment made 21-Jun-2017 by Squeak 77

I've tried to add JT's iRule but with no luck, and even tried with "ACCESS_SESSION_STARTED" instead of "ACCESS_POLICY_AGENT_EVENT". The iRules do not create the "session.client.unique_id" variable. The only way for me to create the session.client.unique_id variable is to use the "Variable Assign" box in the VPE.

My variable assign looks like this:

session.client.unique_id =
set e_fields [split [mcget {session.ssl.cert.subject}] "\n"]
foreach qq $e_fields {
    if { [string first "name:Subject" $qq] >= 0 } {
        return [string range $qq [expr { [string first "<" $qq] + 1 }] [expr { [string first "@" $qq] - 1 }]]
    }
}
return ""

But the session.client.unique_id variable is still empty.

0
Comment made 21-Jun-2017 by Stanislas Piron 10454

Hi,

Can you provide an example of the subject value?

The subject may not contain a newline (\n).

Are you sure name:Subject is in the cert subject?

expr {[regsub -all ".*name:Subject<(.\[^>\]*)>.*" [mcget {session.ssl.cert.x509extension}] {\1}]}
0
Comment made 21-Jun-2017 by Jad Tabbara (JTI) 2361

Hello,

Thanks for the feedback.

Using my iRule it should work, because I use the same. Maybe the only difference in my case is that I created the variables at the beginning of the VPE using a Variable Assign.

I set it to "empty" value just to initialize variables.

Normally when the irule event is called it will update the value.

Try this ;)

Regards

0
Comment made 21-Jun-2017 by Stanislas Piron 10454

@JT when working with APM, ACCESS_SESSION_STARTED, ACCESS_POLICY_COMPLETED and ACCESS_ACL_ALLOWED are events you can use.

ACCESS_POLICY_AGENT_EVENT may be used only if it is required (new APM variable creation during policy evaluation when not possible at policy start: ACCESS_SESSION_STARTED) and the function is not available in APM Variable Assign.

If Variable Assign does the job, use it instead of ACCESS_POLICY_AGENT_EVENT.

There are some limitations in ACCESS_POLICY_AGENT_EVENT: for example, if the variable already exists, the initial value is cached and any modification in ACCESS_POLICY_AGENT_EVENT will not be available to the next steps in policy evaluation.

Another point in favour of Variable Assign instead of an iRule is that ACCESS::session can suspend iRule processing while waiting for other TMM status: https://support.f5.com/csp/article/K12962

0
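Putting the question's iRule together with Stanislas Piron's advice to use ACCESS_SESSION_STARTED, the following is an added example iRule (not code posted by anyone in this thread) that stashes the certificate CN during the TLS handshake and copies it into session.client.unique_id just before policy evaluation, so the value exists when the policy runs. It assumes the client certificate is negotiated on the same TCP connection that starts the APM session, so the connection-scoped $subject variable is still in scope when ACCESS_SESSION_STARTED fires.

```tcl
when CLIENTSSL_CLIENTCERT {
    # Fires during the TLS handshake, before any APM session exists, so the
    # value can only be kept in a connection-scoped iRule variable here.
    if { [SSL::cert count] > 0 } {
        # findstr: take what follows "CN=" (skip 3 chars) up to the next ","
        set subject [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]
        log local0. "Certificate CN: $subject"
    } else {
        # No client certificate presented on this connection
        set subject ""
    }
}

when ACCESS_SESSION_STARTED {
    # Raised just before the access policy is evaluated; the session exists
    # now, so a value written here is visible to Variable Assign and later
    # agents without the caching limitation of ACCESS_POLICY_AGENT_EVENT.
    if { [info exists subject] && $subject ne "" } {
        ACCESS::session data set session.client.unique_id $subject
        log local0. "session.client.unique_id = [ACCESS::session data get session.client.unique_id]"
    } else {
        # Set an empty value explicitly so the policy can branch on it
        # (for example to a Deny ending) instead of hitting an unset variable.
        ACCESS::session data set session.client.unique_id ""
        log local0. "No client certificate CN available for this session"
    }
}
```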
Comment made 28-Jul-2017 by BM0001 54

Squeak, did you get this issue resolved? I am able to get my unique_id variable to populate, but I am still receiving an error "Device ID was not found in session variables"... does anyone know what else I need to do to get it to query for the device in AirWatch? My policy is the same as Squeak's above. And yes, I have the AirWatch API connected and working.

0