APM Clientless certificate authentication
Problem this snippet solves:
This iRule configures certificate authentication with APM clientless-mode support.
APM's behaviour when both of the following are configured is to disable clientless mode:
- APM clientless mode set in an iRule
- On-Demand Cert Auth in the VPE
This code re-enables clientless mode when it is required.
PS: this code uses a list instead of a simple variable so that it can be included in the APM SharePoint authentication code without changes.
How to use this snippet:
Edit the first HTTP_REQUEST event and add the condition that enables certificate authentication (set AUTHENTICATION_MODE to "certificate" or "none").
Code:
when HTTP_REQUEST {
    # Select the authentication mode for this request. The value is a list
    # (see the note above) so the same variable works with the APM SharePoint code.
    set AUTHENTICATION_MODE {certificate}
    #set AUTHENTICATION_MODE {none}
}

# All events below run with priority 900, i.e. after the default-priority
# HTTP_REQUEST event above has set AUTHENTICATION_MODE.
priority 900

when CLIENTSSL_CLIENTCERT {
    if {[SSL::cert count] < 1} {
        reject
    } else {
        # Certificate received after re-negotiation: release the held HTTP request
        HTTP::release
    }
}

when HTTP_REQUEST {
    if { ( [set apm_sessionid [HTTP::cookie value "MRHSession"]] ne "" ) and ( [ACCESS::session exists -state_allow $apm_sessionid] ) } then {
        # Allow the successfully pre-authenticated request to pass
        return
    }
    # Check the authentication mode selected in the previous HTTP_REQUEST event
    if {[lindex $AUTHENTICATION_MODE 0] equals "certificate"} {
        if { [SSL::cert count] <= 0 } {
            # No client certificate yet: hold the HTTP request until the SSL re-negotiation is done
            HTTP::header insert "clientless-mode" 1
            HTTP::collect
            SSL::session invalidate
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
        } elseif {[info exists sessionid]} {
            # A previous HTTP request on the same TCP connection was already authenticated
            # (session ID saved in ACCESS_SESSION_STARTED) but the session cookie is missing:
            # insert MRHSession. apm_sessionid cannot be used here because it was just
            # overwritten with the (empty) cookie value above.
            HTTP::cookie insert name MRHSession value $sessionid
        } else {
            # SSL client is already authenticated but the Access session is not evaluated yet:
            # enable clientless mode
            HTTP::header insert "clientless-mode" 1
        }
    }
}

when ACCESS_SESSION_STARTED {
    # Save the session ID for the next requests on the same TCP connection
    set sessionid [ACCESS::session sid]
    # Extract the CN from the subject and set it in the session.logon.last.username variable
    if {[lindex $AUTHENTICATION_MODE 0] equals "certificate"} {
        # Allow comma and = to be included in the subject (escaped as "\," and "\=");
        # remove spaces at the beginning or end of each string, then split on "|".
        set subject [split [string map {"\\," "," " , " "|" ", " "|" " ," "|" "," "|" "\\=" "=" " = " "|" "= " "|" " =" "|" "=" "|"} [X509::subject [SSL::cert 0]]] "|"]
        array set subject_list $subject
        if {[info exists subject_list(CN)]} {
            ACCESS::session data set session.logon.last.cn $subject_list(CN)
            ACCESS::session data set session.logon.last.username $subject_list(CN)
            ACCESS::session data set session.logon.last.logonname $subject_list(CN)
        }
        ACCESS::session data set session.logon.last.upn [findstr [ACCESS::session data get session.ssl.cert.x509extension] "othername:UPN<" 14 ">"]
    }
}
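The subject-parsing and UPN-extraction logic above decides which username APM logs the certificate holder in as, so it is worth checking offline before deploying. The following is an added example, not part of the original snippet: the same string map / split / array set sequence lifted into a proc that runs in a plain tclsh, plus a stand-in for the iRule-only findstr command (the findstr_stub proc, the sample subjects and the sample extension text are all constructed here and are not from the page).

```tcl
# Added example: exercise the iRule's subject parsing outside BIG-IP.
# Same string map / split / array set steps as the ACCESS_SESSION_STARTED event.
proc parse_subject {subject} {
    set parts [split [string map {"\\," "," " , " "|" ", " "|" " ," "|" "," "|" "\\=" "=" " = " "|" "= " "|" " =" "|" "=" "|"} $subject] "|"]
    # array set needs an even number of elements; an attribute value that
    # itself contains "|" breaks that. In the iRule this raises a Tcl error
    # inside ACCESS_SESSION_STARTED, so report it explicitly here.
    if {[llength $parts] % 2 != 0} {
        error "subject does not split into key/value pairs: $subject"
    }
    array set subject_list $parts
    return [array get subject_list]
}

# Stand-in (assumption, not the BIG-IP implementation) for the iRule command
# findstr <string> <search> <skip> <terminator>: locate <search>, skip <skip>
# characters, return everything up to <terminator>.
proc findstr_stub {string start offset end} {
    set idx [string first $start $string]
    if {$idx < 0} { return "" }
    set from [expr {$idx + $offset}]
    set to [string first $end $string $from]
    if {$to < 0} { return [string range $string $from end] }
    return [string range $string $from [expr {$to - 1}]]
}

# Constructed sample subjects in the "CN=..., OU=..., O=..." layout that
# X509::subject returns; the first one carries an escaped comma in O.
foreach subject {
    "CN=jdoe, OU=Users, O=Example\\, Inc., C=US"
    "C=US, O=Example, CN=jdoe"
} {
    array set s [parse_subject $subject]
    puts "subject: $subject"
    puts "  CN -> $s(CN)"
    puts "  O  -> $s(O)"
    unset s
}

# Failure mode: a "|" inside an attribute value yields an odd element count.
if {[catch {parse_subject "CN=jdoe|admin, O=Example"} msg]} {
    puts "rejected: $msg"
}

# Constructed x509extension text carrying a UPN othername, as the iRule
# expects to find it in session.ssl.cert.x509extension.
set ext "X509v3 Subject Alternative Name: othername:UPN<jdoe@example.com>"
puts "UPN -> [findstr_stub $ext "othername:UPN<" 14 ">"]"
```

Run it with tclsh to see the CN and O values recovered from each subject (including the comma kept inside "Example, Inc."), the rejected subject, and the UPN pulled from the extension text. Because the CN becomes session.logon.last.username, the trust placed in it is only as strong as the CA chain the client SSL profile accepts (SSL::authenticate depth 9 with SSL::cert mode require above), so that chain should be restricted to the CAs that are meant to issue user certificates.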
Published Nov 23, 2017
Version 1.0