Dirk_Laan_18877
Jul 18, 2006

problem migrate cert rule from version 4 to 9

Hello,

I'm trying to get the following rule to work on my BIG-IP with version 9.x.

I have a rule that worked fine on the BIG-IP that is running 4.x, but on the BIG-IP with version 9.x it still gives me the error that I did not have a client cert.

The rule from version 4.x:

if (http_header("SSLClientCertStatus") == one of ccert_ok) {
  use pool Portal-apps
}
else if (http_header("SSLClientCertStatus") == "NoClientCert") {
  redirect to "https://test.test.nl/errors/cert_error.htm"
}
else {
  redirect to "https://test.test.nl/errors/nocert.htm"
}

The rule from version 9.x (I've created the class):

when HTTP_REQUEST {
  set hdr [HTTP::header "SSLClientCertStatus"]
  if { [matchclass $hdr equals $::ccert_ok] } {
    pool portal-apps
  } elseif { $hdr equals "NoClientCert" } {
    HTTP::redirect "https://test.test.nl/errors/nocert.htm"
  } else {
    HTTP::redirect "https://test.test.nl/errors/cert_error.htm"
  }
}

Any help would be great.

 

 

7 Replies

  • iControl is our remote management API. If you would post this to our iRules forum, we'll see if we can help you out.

    -Joe
  • Hello Joe,

    Can you help us out with the rule?

    We tried your rule but it did not work.

    Please help us out.

    Dirk & Hille
  • I'll comment here, but next time or for future iRules questions please post them to the iRules forum.

    Without having your testing scenario it's very hard for me to comment on why things aren't working. My first suggestion would be to include some log statements to try to isolate the issues. Something like this:

    when HTTP_REQUEST {
      set hdr [HTTP::header "SSLClientCertStatus"]
      log local0. "SSLClientCertStatus header value: $hdr"
      if { [matchclass $hdr equals $::ccert_ok] } {
        log local0. "found header match in ccert_ok class"
        pool portal-apps
      } elseif { $hdr equals "NoClientCert" } {
        # inner quotes must be escaped, otherwise the string literal ends early
        log local0. "No match found in ccert_ok class and header equals \"NoClientCert\""
        HTTP::redirect "https://test.test.nl/errors/nocert.htm"
      } else {
        log local0. "No match in ccert_ok and header doesn't equal NoClientCert"
        HTTP::redirect "https://test.test.nl/errors/cert_error.htm"
      }
    }

    Then after you run traffic through this rule, look in the /var/log/ltm file on the BIG-IP. It will contain the log statements. By looking at the value of the hdr variable and which conditions were passed, you should be able to diagnose the issues for yourself.

    Where is the SSLClientCertStatus header coming from? Could that be empty? The logs will tell...

    -Joe
  • The results of the log:

    Jul 18 23:04:17 tmm tmm[743]: Rule dirk : SSLClientCertStatus header value:
    Jul 18 23:04:17 tmm tmm[743]: Rule dirk : No match in ccert_ok and header doesn't equal NoClientCert

    So I still have no idea what the problem is.

    I've made a data group named ccert_ok. The strings in this data group are:

    OK
    Error 12

    Dirk
  • Looks like your client request has no header value of SSLClientCertStatus. No way of getting the iRule to work if the browser isn't sending that header. I didn't see any reference in your v4 rule of inserting the header. Where is this header coming from?

    -Joe
  • The rule on version 4 worked:

    if (http_header("SSLClientCertStatus") == one of ccert_ok) {

    so the header is filled in version 4.

    The header is coming from the client, because he has the client certificate.

    Dirk
  • Hi Joe,

    We tested with the "log local0." lines, and we found out that there is no SSLClientCert value in the HTTP request header.

    So how can we fill the variable with the SSLClientCert value?
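The thread's log output shows the header arriving empty, because nothing on the v9 BIG-IP populates it. The iRule below is an added example written for this page; it is not code from the thread, from Joe, or from F5. It derives the client-certificate status from the SSL handshake itself in the CLIENTSSL_CLIENTCERT event and then inserts the header before the HTTP_REQUEST logic from the thread runs. It assumes the virtual server has a Client SSL profile with client authentication set to request or require (so CLIENTSSL_CLIENTCERT fires), that SSL::cert and SSL::verify_result are available on the reader's 9.x release, and reuses the thread's own names (ccert_ok, portal-apps, the two redirect URLs). A client could send its own "SSLClientCertStatus: OK" header, so the rule strips any client-supplied copy before inserting the value the BIG-IP computed.

```tcl
# Added example, not from the thread. Compute SSLClientCertStatus from the
# handshake on the BIG-IP rather than trusting a header sent by the client.
# Assumes: Client SSL profile with client authentication enabled, and the
# SSL::cert / SSL::verify_result commands on this 9.x release.

when CLIENTSSL_CLIENTCERT {
    # Connection-scoped variable; it is still visible in HTTP_REQUEST below.
    if { [SSL::cert count] == 0 } {
        set cert_status "NoClientCert"
    } elseif { [SSL::verify_result] == 0 } {
        # 0 means the chain verified against the profile's trusted CAs.
        set cert_status "OK"
    } else {
        # Non-zero is an X509 verification error code; use the same
        # "Error <code>" form as the strings in the ccert_ok data group.
        set cert_status "Error [SSL::verify_result]"
    }
    log local0. "client cert status from handshake: $cert_status"
}

when HTTP_REQUEST {
    # Remove any client-supplied copy so only the BIG-IP's value is used.
    HTTP::header remove "SSLClientCertStatus"
    if { ![info exists cert_status] } {
        # CLIENTSSL_CLIENTCERT never ran (e.g. client auth is off on this
        # profile), so treat the request as having no certificate.
        set cert_status "NoClientCert"
    }
    HTTP::header insert "SSLClientCertStatus" $cert_status

    # From here on this is the thread's own matching logic.
    set hdr [HTTP::header "SSLClientCertStatus"]
    log local0. "SSLClientCertStatus header value: $hdr"
    if { [matchclass $hdr equals $::ccert_ok] } {
        pool portal-apps
    } elseif { $hdr equals "NoClientCert" } {
        HTTP::redirect "https://test.test.nl/errors/nocert.htm"
    } else {
        HTTP::redirect "https://test.test.nl/errors/cert_error.htm"
    }
}
```

After applying the rule, the first log line in /var/log/ltm shows what the handshake produced and the second shows what the HTTP_REQUEST branch saw; if the first line never appears, client authentication is not enabled on the Client SSL profile and the header will always be "NoClientCert".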