Forum Discussion

Johnny_Test_197
Feb 08, 2017

iRule for requesting client certificate and injecting it into HTTP header

I'm trying to inject a user-prompted cert (only for a specific URL) into a header that will eventually make its way to an Oracle OAM cluster on the back end. I've found a number of posts on the subject but I just can't get it working. Here is my iRule.

when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/oam/servlet/credentials" } {
        if { [SSL::cert count] == 0 } {
            # no cert yet: hold the request and ask the client for one via renegotiation
            HTTP::collect
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
        } else {
            # else set variable client_cert with the client side certificate
            set client_cert [SSL::cert 0]
            log local0. "HTTP_REQUEST client_cert is $client_cert"
        }
    }
}

# This event is triggered when the load balancer sees a certificate message from the client
when CLIENTSSL_CLIENTCERT {
    # release any stored data just in case
    HTTP::release
    # if there is still no cert after the SSL renegotiation kill the connection by sending a reset back to the client
    if { [SSL::cert count] < 1 } {
        reject
    } else {
        # otherwise set variable client_cert with the client side certificate. 0 is the first cert, 1 the second, etc.
        set client_cert [SSL::cert 0]
        log local0. "CLIENTSSL_CLIENTCERT client_cert is $client_cert"
    }
}

# This event is triggered when sending data to the server
when HTTP_REQUEST_SEND {
    log local0. "HTTP_REQUEST_SEND Logic"
    # evaluate the if statement under client-side context
    clientside {
        # if there is a client side cert base64 encode it and inject it in the header
        if { [info exists client_cert] } {
            log local0. "Attempting injection"
            HTTP::header insert X-Client-Cert [b64encode $client_cert]
        }
    }
}

Excuse the excessive logging, just trying to see what's going on. The client_cert variable is always empty except for "CLIENTSSL_CLIENTCERT client_cert is $client_cert". I can see the HTTP::header insert logic is being initiated but I never see my cert in the headers. I'm using the default http profile and my ssl profiles: Certificate Key chain has full chain, Client Certificate set to ignore, Trusted certificate authorities set to a valid CA, Advertised certificate authorities set to a valid CA. Thanks.

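The iRule in the post hands the DER certificate to the back end as a base64 header, so whatever receives that header has to decide when it can be believed. The Python sketch below is an added example of the back-end side, written here for illustration; it is not code from the post, from F5, or from Oracle OAM. It accepts the header only when the request arrived from the load balancer's address (the trusted_proxies set is an assumed deployment parameter), rejects anything that is not strict base64, and rejects a payload that is not a single well-formed DER SEQUENCE. SAMPLE_DER is a constructed five-byte stand-in, not a real certificate; the header name X-Client-Cert and encode_header_value mirror what the iRule's b64encode of [SSL::cert 0] produces.

```python
import base64
import binascii

HEADER = "X-Client-Cert"

# Constructed stand-in for a DER payload: a SEQUENCE wrapping INTEGER 1.
# A real client certificate is a much larger SEQUENCE, but the framing check
# below works the same way on it.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])


def encode_header_value(der: bytes) -> str:
    """Produce the header value the iRule's b64encode would emit."""
    return base64.b64encode(der).decode("ascii")


def der_sequence_ok(buf: bytes) -> bool:
    """True if buf is exactly one DER SEQUENCE with a definite length that
    matches the buffer size (no trailing or missing bytes)."""
    if len(buf) < 2 or buf[0] != 0x30:
        return False
    first = buf[1]
    if first < 0x80:
        # short form: one length byte
        length, header_len = first, 2
    else:
        # long form: low 7 bits give the number of following length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(buf) < 2 + n:
            return False
        length = int.from_bytes(buf[2:2 + n], "big")
        header_len = 2 + n
    return header_len + length == len(buf)


def client_cert_from_request(headers: dict, peer_ip: str, trusted_proxies: set):
    """Return the DER certificate bytes carried in X-Client-Cert, or None.

    The header is trusted only when the TCP peer is one of the load balancers
    (assumed deployment parameter); a client that reaches the application
    directly and sends its own X-Client-Cert is ignored.
    """
    if peer_ip not in trusted_proxies:
        return None
    # header names are case-insensitive in HTTP
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(HEADER.lower())
    if value is None:
        return None
    try:
        der = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not der_sequence_ok(der):
        return None
    return der


if __name__ == "__main__":
    # Constructed request: header produced the same way the iRule produces it.
    req = {HEADER: encode_header_value(SAMPLE_DER)}
    print(client_cert_from_request(req, "10.0.0.1", {"10.0.0.1"}))   # b'0\x03\x02\x01\x01'
    print(client_cert_from_request(req, "203.0.113.5", {"10.0.0.1"}))  # None
```

The proxy-address check is what makes the header meaningful: the iRule on the load balancer should also remove any X-Client-Cert header already present on the inbound request before inserting its own, so that the only copy the back end ever sees is the one derived from the TLS handshake.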