iRule for certificate injection into the HTTP header

I tried the iRule below according to the McAfee KB for their MDM solution, but it does not seem to work. Is there any sample of the VS and pool config? How do I configure the F5 to "request a certificate"? Is it only a matter of assigning the SSL server profile?

https://kc.mcafee.com/corporate/ind...dadf007eb4

  • This is an example which you might need to modify to work correctly in your environment.
  • You must also configure the F5 appliance to request a certificate from the connecting devices.
  • Lines beginning with a # contain comments that will help you to configure the iRule.

# Client has already established an SSL connection with the load balancer.
# This event is triggered when an HTTP request is detected.
when HTTP_REQUEST {
    # Check whether the URI starts with /Trust.
    if { [HTTP::uri] starts_with "/Trust" } {
        # If it does, check whether the client offered a certificate by looking at the cert count.
        if { [SSL::cert count] <= 0 } {
            # If there is no client certificate, hold the HTTP request until the SSL
            # renegotiation is done, then request a certificate.
            HTTP::collect
            SSL::session invalidate
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode request
            SSL::renegotiate
        } else {
            # Otherwise set variable c_cert to the client-side certificate.
            set c_cert [SSL::cert 0]
        }
    }
}

# This event is triggered when the load balancer sees a certificate message from the client.
when CLIENTSSL_CLIENTCERT {
    # Release any stored data, just in case.
    HTTP::release
    # If there is still no cert after the SSL renegotiation, kill the connection by sending a reset back to the client.
    if { [SSL::cert count] < 1 } {
        reject
    } else {
        # Otherwise set variable c_cert to the client-side certificate. 0 is the first cert, 1 the second, etc.
        set c_cert [SSL::cert 0]
    }
}

# This event is triggered when sending data to the server.
when HTTP_REQUEST_SEND {
    # Evaluate the if statement under client-side context.
    clientside {
        # If there is a client-side cert, base64-encode it and inject it into the header.
        if { [info exists c_cert] } {
            HTTP::header insert X-Client-Cert [b64encode $c_cert]
        }
    }
}


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
At a minimum you need a client SSL profile applied to the VIP with the following characteristics:

Certificate - the server SSL certificate
Key - the server SSL key
Client Authentication Client Certificate - set to ignore
Client Authentication Trusted Certificate Authorities - set to the CA certificate (or chain) that can validate the client's certificate
Client Authentication Advertised Certificate Authorities - set to the CA certificate (or chain) to customize the browser's certificate choices

The above iRule could be simplified greatly if you just set the client SSL profile's Client Authentication Client Certificate to Request or Require. The profile then controls the request for the client certificate, and your iRule can look like this:


when HTTP_REQUEST {
	HTTP::header insert X-Client-Cert [b64encode [SSL::cert 0]]
}


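A hardened variant of the profile-driven iRule in the answer above, added here as an example; it is not code from the thread, the McAfee KB or F5. It assumes the client SSL profile has Client Certificate set to Request or Require with Trusted Certificate Authorities configured, and that the backend only trusts X-Client-Cert because the BIG-IP is the only path to it; the 403 response text is an assumption. It covers two things the short version does not: `HTTP::header insert` adds a header without removing one the client may already have sent under the same name, so a client-supplied copy must be stripped first, and in Request mode a connection with no certificate, or one that did not chain to a trusted CA, still reaches HTTP_REQUEST, where `[SSL::cert 0]` would otherwise be forwarded unconditionally.

```tcl
# Added example, not from the original thread or the McAfee KB.
# Assumes: client SSL profile with Client Certificate = request/require and Trusted CAs set.
# The header name X-Client-Cert comes from the thread; the 403 body text is an assumption.
when HTTP_REQUEST {
    # Never trust a header of this name arriving from the client. Strip any copy so the
    # backend only ever sees the value the BIG-IP itself inserts below.
    HTTP::header remove X-Client-Cert

    if { [SSL::cert count] > 0 } {
        # Forward the certificate only if it chained to a trusted CA.
        # SSL::verify_result returns 0 (X509_V_OK) on success.
        if { [SSL::verify_result] == 0 } {
            HTTP::header insert X-Client-Cert [b64encode [SSL::cert 0]]
        } else {
            # Log the OpenSSL verification error and refuse the request at the BIG-IP.
            log local0. "Client cert from [IP::client_addr] failed verification: [X509::verify_cert_error_string [SSL::verify_result]]"
            HTTP::respond 403 content "Client certificate not accepted"
        }
    }
    # With no certificate the request is forwarded without the header; the backend
    # decides whether an unauthenticated request is acceptable for that resource.
}
```

The backend should treat the absence of the header as "no client certificate" and should parse the base64 value as DER (the value is the raw certificate, not PEM). If the same header is also used by other paths into the application, `HTTP::header remove` at the BIG-IP is not enough on its own; those paths need the same stripping.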
Thx Kevin,

But there are 3 SSL certificates that need to be installed for the MDM solution. 1 EV-SSL certificate with its intermediate CA has already been assigned to the virtual server with the client SSL profile and synced with the MDM server. Also, Android devices are working fine. The problem only happens on iPhone & iPad, and it should be happening on the Apple MDM certificate and push certificate, since McAfee claims that these 2 certificates do not need to be installed on the F5 or assigned to the virtual server.
I should mention that the most significant difference between your iRule and mine, aside from size, is that your iRule triggers an SSL re-negotiation to get the client certificate if the user attempts to access /Trust. If that's what you need then your iRule should work just fine and you'd want to set the Client Authentication to "ignore" in the client SSL profile.

Are you asking how to request all three, or some specific certificate from the devices? An SSL renegotiation is only going to be able to request a single certificate. Which certificate you request depends entirely on the client application and the Trusted Certificate Authorities and Advertised Certificate Authorities properties of the client SSL profile.