Forum Discussion

Geoff_Fallin_10's avatar
Geoff_Fallin_10
Icon for Nimbostratus rankNimbostratus
Aug 10, 2011

Client cert passthrough to server with i-rule

I am working with a customer that is utilizing Oracle SSO and am currently utilizing the SSL offloading at the F5. I am very new with i-rules and looking for a simple i-rule to pass the SSL data(User Cert) back to the server for authentication reasons. Any help would be greatly appreaciated.

2 Replies

  • Hi Geoff,

     

     

    Here's an example you can try:

     

     

    http://devcentral.f5.com/wiki/iRules.InsertCertInServerHeaders.ashx

     

     

    Aaron
  • Hi Geoff,

     

     

    I've been fiddling with similar and at one point was using the following code.

     

     

     

    A few notes - the SSL Client Profile needs to be set to request/require for this to work as this prompts the user to supply a client certificate.

     

     

     

    You can un-comment the log line if you want to verify that the F5 is seeing the cert correctly. You could also change the redirect structure... in my case I was restricting users based upon the fact they *had* to present a certificate. You might have to change the header field that you insert depending on your application

     

     

     

    *further side note* - this does no validation of the cert - it simply passes it straight on.

     

     

     

    when HTTP_REQUEST {

     

    if { [SSL::cert count] > 0 } then {

     

    set a variable for the whole cert - cut out the BEGIN and END crap though

     

    set ssl_cert_whole [ join [string trim [string map { "-----BEGIN CERTIFICATE-----" "" "-----END CERTIFICATE-----" ""} [X509::whole [SSL::cert 0] ] ] "" ]]

     

     

     

    log to show we are receiving the cert

     

    log local0. "Client Certificate: [X509::subject [SSL::cert 0]]"

     

     

     

    insert the whole cert as a header

     

    HTTP::header insert "X-ENV-SSL_CLIENT_CERTIFICATE" $ssl_cert_whole

     

    } else {

     

    log local0. "Restricted zone. No client cert detected - redirecting."

     

    HTTP::redirect "https://error/error-page.htm";

     

    }

     

    }