SSLClientCert issue

Question

Hi,&nbsp;
&nbsp;I need to pass client certificate to backend server (SAP Portal) from F5 using http headers. I have checked one of the topic and implemented the following in iRule:&nbsp;
&nbsp;when CLIENTSSL_CLIENTCERT
&nbsp;{
&nbsp;  set cur [SSL::sessionid]
&nbsp;  set ask [session lookup ssl $cur] 
&nbsp;  if { $ask eq "" } { 
&nbsp;    session add ssl [SSL::sessionid] [SSL::cert 0]
&nbsp;    set ssl_cert [SSL::cert 0]
&nbsp;  }
&nbsp;}&nbsp;
&nbsp;when HTTP_REQUEST
&nbsp;{
&nbsp;  set id [SSL::sessionid]
&nbsp;  set the_cert [session lookup ssl $id]
&nbsp;  if { $the_cert != ""}
&nbsp;  {
&nbsp;    HTTP::header replace SSLClientCert [b64encode $the_cert]
&nbsp;  }
&nbsp;}&nbsp;&nbsp;
&nbsp;The certificate is being passed in http header but SAP Portal is not recognizing that certificate and throwing following exception while parsing that certificate:&nbsp;
&nbsp;Certificate generation failed. java.security.cert.CertificateException: iaik.asn1.CodingException: ASN.1 creation error:Length: Too large ASN.1 object: 66&nbsp;&nbsp;
&nbsp;The same configuration works when I use Apache as WebServer and as Proxy for backend server (SAP Portal). Now I need to use F5 instead of Apache. This is what I noticed in the headers for Apache and F5:&nbsp;
&nbsp;In Apache, I am seeing the certificate as the following in header:&nbsp;
&nbsp;sslclientcert: -----BEGIN CERTIFICATE----- MIICITCCAYoCAxAAAjANBgkqhkiG9w0BAQQFADBgMQwwCgYDVQQKEwNBRVMxDDAK BgNVBAsTA0NJUzESMBAGA1UEBxMJQXJsaW5ndG9uMQswCQYDVQQIEwJWQTELMAkG A1UEBhMCVVMxFDASBgNVBAMTC0FFUyBSb290IENBMB4XDTA3MDIxMzE5MzQ0MloX DTA4MDIxMzE5MzQ0MlowUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlZBMQwwCgYD VQQKEwNBRVMxDDAKBgNVBAsTA0NJUzEYMBYGA1UEAxMPQmhhcmdhdiBTdW5rYXJh MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD9VuERo1Qkk0E/nYmHPylrW7y jP48Y7jGXmXGZW1znRnxScwtOEKot18oAIqMLXRbCuaJ7/yDD+5fk4bwkwx7qe0P 6JTfCW6LDbHeKTyx1SVYC2Q7lf+Bq0EgJmYpRe2qsrPv+xo07cjQDPj7ZT8eUu1e 8FBXYuu/Uq3er6molQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAAE52QGkM5MzxCEt 1NFuYzcEN5ieSzWCagj5Pg30mROePdg8EgJcaQ47nsLPwM1pl7Ge8ET7hFSnmAs3 pthUwQ7tOwAgP4rnNvyPzFjxlaNb4HAxguYYQhNFm9n6bGVUZ0Cst+Eu9+q11Zxg O4pEdqcLXPVlEfb7itekh+pnyVUI -----END CERTIFICATE-----&nbsp;
&nbsp;When I use F5, I am seeing the certificate as the following in header:&nbsp;
&nbsp;MMKCBcKGMMKCBTDCoAMCAQICClHDg8Osw6DAgMCAwIDAgMCAFjANBgkqwoZIwobDtw0BAQUFwIAwXDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlZBMRIwEAYDVQQHEwlBcmxpbmd0b24xEjAQBgNVBAoTCUFFUyBDb3JwLjEYMBYGA1UEAxMPQUVTIFJvb3QgTEFCIENBMB4XDTA3MDQyNjE1MDc1N1oXDTA4MDQyNTE1MDc1N1owGjEYMBYGA1UEAxMPQmhhcmdhdiBTdW5rYXJhMMKBwp8wDQYJKsKGSMKGw7cNAQEBBcCAA8KBwo3AgDDCgcKJAsKBwoHAgMOOP8OJKFtywrACwq4CPDQkPsObTcO0w63CgDtcX8OTw6p8w6nClMObH8OlZX7Csg5jQsOEXXjDpMK&nbsp;
&nbsp;Please notice that there is not "BEGIN CERTIFICATE....&amp;....END CERTIFICATE" for F5 request. Please let me know if you have any idea of encoding format in F5 to send same as Apache.&nbsp;
&nbsp;Thanks in Advance&nbsp;
&nbsp;--
&nbsp;Bhargav

hooleylist · Answer

I haven't looked at the X509:: commands much before, but this poster had a rule that was inserting the BEGIN and END CERTIFICATE lines into the header:&nbsp;
&nbsp;http://devcentral.f5.com/Default.aspx?tabid=53&amp;view=topic&amp;postid=13667&amp;ptarget=13667&nbsp;Click here&nbsp;
&nbsp;Aaron

bhargav_9588 · Answer

Thanks Aaron. I have checked the post that you have mentioned above. It worked. Thanks a lot.&nbsp;
&nbsp;--
&nbsp;Bhargav

Forum Discussion

SSLClientCert issue

2 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

Related Content

Regex issue

F5 GTM resolution issue

Irule Example Issue

Issue on management route

F5 virtual edition license issue.