Forum Discussion

David_caceres
Oct 10, 2019

How do I configure SOAP web services and OCSP client cert validation?

Hi

I configured OCSP validation in APM and it works when I use GET methods in the browser, but when I try to send a POST to the SOAP service the connection fails, and in the APM logs I didn't see any indication of the error. I think the problem is the redirection to /mypolicy, but how can I validate the OCSP without APM?

4 Replies

  • Hi, if you are sending a POST then the client won't want to follow the redirects. To counter this you can configure the policy to go into Clientless Mode to proxy the request, complete the APM auth, and then forward on the POST request.

    Details can be found here - https://support.f5.com/csp/article/K80934060#link_06

    You can limit the use of Clientless mode so that only those clients who are sending a POST make use of it. Also, be aware of the size limitation of the POST request as detailed in the link above.

  • Hi Iaine

    I tried to configure the clientless mode but, when I try to validate the certificate, in the APM logs I saw the log: OCSP Auth agent: Failure status 'Certificate not found for the session'

    That means I didn't receive the certificate, but in SoapUI the client certificate authentication is configured.

    I read in the link that the only configuration needed for this is a request or require check on the ssl_profile.

    But after verifying both it didn't work.

    Is there another way to insert the client certificate and send it to the auth policy to validate the certificate by OCSP?

  • This is the log of my SoapUI


    Mon Oct 14 12:54:39 PYST 2019:DEBUG:>> "GET /de/ws/consultas/consulta-ruc.wsdl?wsdl HTTP/1.1[\r][\n]"

    Mon Oct 14 12:54:39 PYST 2019:DEBUG:>> "Host: sifen-tt.set.gov.py[\r][\n]"

    Mon Oct 14 12:54:39 PYST 2019:DEBUG:>> "Connection: Keep-Alive[\r][\n]"

    Mon Oct 14 12:54:39 PYST 2019:DEBUG:>> "User-Agent: Apache-HttpClient/4.1.1 (java 1.5)[\r][\n]"

    Mon Oct 14 12:54:39 PYST 2019:DEBUG:>> "Cookie: LastMRH_Session=080ab7b7[\r][\n]"

    Mon Oct 14 12:54:39 PYST 2019:DEBUG:>> "Cookie2: $Version=1[\r][\n]"

    Mon Oct 14 12:54:39 PYST 2019:DEBUG:>> "[\r][\n]"

    Mon Oct 14 12:54:39 PYST 2019:DEBUG:<< "HTTP/1.0 302 Found[\r][\n]" <------------/

    Mon Oct 14 12:54:39 PYST 2019:DEBUG:<< "Server: BigIP[\r][\n]"

    Mon Oct 14 12:54:39 PYST 2019:DEBUG:<< "Connection: Close[\r][\n]"

    I found the 302 Found again after I used the clientless iRule added to the VS.

    Can you tell me where I need to add the iRule?


  • Hi

    The code at a simple level is

    when HTTP_REQUEST {
        HTTP::header insert "clientless-mode" 1
    }

    which will evaluate for all connecting clients. You would probably want to narrow the scope of this so that it only fires for requests from particular IPs or specific HTTP host headers, for example.

    Where are you requesting the client cert? You want to do this as part of the clientssl profile rather than in the APM policy. As you're proxying the request in clientless mode you need all the info before the APM policy starts.
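As an added example that is not from this thread or from F5's own documentation, the following iRule narrows clientless mode the way the reply above suggests and adds logging that helps confirm whether the client certificate actually arrived before APM ran (the cause of the "Certificate not found for the session" failure mentioned earlier). It assumes the SOAP endpoint lives under /de/ws/ as in the SoapUI log, that the permitted SOAP client source addresses are kept in an address data group named soap_clients_dg (a hypothetical name), and that the clientssl profile on the virtual server is set to request or require the client certificate so the certificate is available at the SSL layer.

```tcl
# Added example, not code from the thread.
# Assumptions: SOAP path prefix /de/ws/, address data group "soap_clients_dg"
# (hypothetical), and a clientssl profile that requests/requires the client cert.

when CLIENTSSL_CLIENTCERT {
    # Fires when the TLS handshake asks for a client certificate.
    # Logging here shows whether a cert was presented at all, which is the
    # information the OCSP agent needs before the access policy starts.
    if { [SSL::cert count] > 0 } {
        log local0. "client cert presented by [IP::client_addr]: [X509::subject [SSL::cert 0]]"
    } else {
        log local0. "no client cert presented by [IP::client_addr]"
    }
}

when HTTP_REQUEST {
    # Only non-interactive POSTs to the SOAP path from known client addresses
    # are proxied in clientless mode. Browser GETs keep the normal APM
    # redirect flow, so the clientless path stays as small as possible.
    if { [HTTP::method] equals "POST" \
         && [HTTP::path] starts_with "/de/ws/" \
         && [class match [IP::client_addr] equals soap_clients_dg] } {
        HTTP::header insert "clientless-mode" 1
        log local0. "clientless-mode set for POST [HTTP::path] from [IP::client_addr]"
    }
}
```

Attach the iRule to the same virtual server that carries the APM access profile and the clientssl profile; the CLIENTSSL_CLIENTCERT log line is the quickest way to distinguish "the client never sent a certificate" from "APM could not find the certificate in the session".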