Forum Discussion

Dan_Markhasin_1
Feb 24, 2016

APM Client Certificate Validation when using policy evaluate

I am in the process of creating an iRule that uses ACCESS::policy evaluate to run the incoming HTTP request through an APM policy, but am having issues with getting the Client Certificate Validation to work - it is failing even though the provided client certificate is valid and successfully passes the Client SSL profile validation which is set to require with a list of trusted CAs.

I tried adding logging of the certificate variables in the APM VPE (session.ssl.*) but it is coming up empty, which leads me to believe that when using ACCESS::policy evaluate, the policy is not properly getting the client certificate details.

This is what my iRule basically looks like:

# Create a short-lived APM session, then evaluate the access policy against it,
# seeding the logon variables from HTTP Basic auth
set flow_sid [ACCESS::session create -timeout 30 -lifetime 30]
ACCESS::policy evaluate -sid $flow_sid -profile $static::policyName \
    session.logon.last.username [HTTP::username] \
    session.logon.last.password [HTTP::password]

Does anyone know how I can "pass" the client certificate details to the policy? The trivial session.ssl.cert.whole [SSL::cert 0] didn't work 😞

3 Replies

  • Dan,

    First question, is there a reason you are using an iRule? Is the APM policy configured in the Virtual Server configuration?

    ACCESS::policy evaluate is for evaluating a policy against an EXISTING APM session. So if there is no existing session, evaluate will return null for everything. If you are creating a session in an iRule, and the policy requires client interaction, there is a good chance that policy evaluation is failing.

    Do you have Client Certificate Authentication enabled in the ClientSSL profile, or within APM? If you are evaluating the Client Cert at LTM with ClientSSL, you should use Client Certificate Inspection. If you are NOT performing Client Certificate Auth with the ClientSSL profile, I recommend using the On Demand Client Certificate Authentication agent.

  • AN

    Hi,

    I am running into the issue with the APM module. Have a tech case open and no luck. Found that they have stopped providing support for the auth profile in LTM, and F5 prefers to use APM. I have an iRule assigned to the vserver for client mode 1:

    when HTTP_REQUEST {
        HTTP::header insert "clientless-mode" 1
    }

    With a browser it works fine but not with an HTTP client. Hope to get some help and instructions on how I can get clientless working with APM or using an iRule. Thanks.

  • FYI, I also had implemented a workaround for this issue by doing the certificate validation in the iRule rather than in the VPE flow, by using the [SSL::verify_result] command.
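The workaround in the last reply and the original question's iRule combined, as an added example that is not code from the thread or from F5: the verify result and certificate fields are captured in CLIENTSSL_CLIENTCERT, requests without a verified certificate are rejected before any APM session is created, and the already-checked values are handed to the policy as session variables. The access profile name and the session.custom.cert_verified variable are hypothetical; it assumes the Client SSL profile has Client Certificate set to require with a trusted CA list, as in the question.

```tcl
when RULE_INIT {
    # Hypothetical access profile name; replace with your own.
    set static::policyName "/Common/example_apm_policy"
}

when CLIENTSSL_CLIENTCERT {
    # Runs during the TLS handshake, while the peer certificate and the
    # verification outcome are available. SSL::verify_result is 0 only when
    # the certificate chained to a CA trusted by the Client SSL profile.
    set cert_ok 0
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        set cert_ok 1
        set cert_subject [X509::subject [SSL::cert 0]]
        set cert_issuer  [X509::issuer  [SSL::cert 0]]
    }
}

when HTTP_REQUEST {
    # Fail closed: no verified certificate means no APM session and no
    # policy evaluation at all. Log enough to trace the rejection.
    if { ![info exists cert_ok] || !$cert_ok } {
        log local0. "client cert missing or failed verification from [IP::client_addr]"
        HTTP::respond 403 content "Client certificate required"
        return
    }

    # Same pattern as the question: create a short-lived session and
    # evaluate the policy against it, seeding logon and certificate data.
    set flow_sid [ACCESS::session create -timeout 30 -lifetime 30]
    ACCESS::policy evaluate -sid $flow_sid -profile $static::policyName \
        session.logon.last.username [HTTP::username] \
        session.logon.last.password [HTTP::password] \
        session.ssl.cert.whole       [SSL::cert 0] \
        session.ssl.cert.subject     $cert_subject \
        session.ssl.cert.issuer      $cert_issuer \
        session.custom.cert_verified $cert_ok
}
```

In the VPE the branch then tests session.custom.cert_verified (a hypothetical custom variable) rather than re-running certificate validation, which is what the thread reports coming up empty under ACCESS::policy evaluate.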