Client Certificate CN Checking - F5 Cloud Docs
Client Certificate CN Checking

Description

These iRules check the presented client certificate for a valid CN, allowing or rejecting the connection accordingly. For either example, if you will be examining client certificates signed by a CA that is not in LTM's Trusted CA bundle, you will need to add it:
  • In Local Traffic / SSL Certificates, import the certificate for the CA that will be used to validate the client certificates.
The first example allows requests only from the specified CNs within the same Organisation (O):

1. Set up a new Client SSL Profile that contains the virtual server's SSL certificate. While creating this profile, set the following values:
  • Configuration = Advanced
  • Trusted Certificate Authorities = “Your_Certificate_Authority”
  • Client Certificate = require
  • Frequency = once
2. Set up a String Data Group containing the list of acceptable CNs:

```tcl
class my_cn_list {
    "CN=John Smith"
    "CN=Amy Black"
    "CN=Jim Beam"
    "CN=Johnny Walker"
}
```

3. Add this iRule:

```tcl
when RULE_INIT {
    # Organisation (O) attribute that every accepted subject must carry
    set static::org "O=Your Organisation"
}

when CLIENTSSL_CLIENTCERT {
    # Check if the client provided a cert
    if { [SSL::cert 0] eq "" } {
        # Reset the connection
        reject
    } else {
        # Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
        set subject_dn [X509::subject [SSL::cert 0]]
        log "Client Certificate Received: $subject_dn"
        # Check if the client certificate contains the correct O and a CN from the list.
        # matchclass is the v9 syntax; on v10+ "class match $subject_dn contains my_cn_list"
        # is the equivalent. Both tests are substring matches ("contains"), so a CN or O
        # that merely begins with a listed value would also pass.
        if { ([matchclass $subject_dn contains my_cn_list]) and ($subject_dn contains $static::org) } {
            # Accept the client cert
            log "Client Certificate Accepted: $subject_dn"
        } else {
            log "No Matching Client Certificate Was Found Using: $subject_dn"
            reject
        }
    }
}
```

The second example selectively requires a client cert with a specific CN based on the URI:

1. Set up a new Client SSL Profile that contains the virtual server's SSL certificate. While creating this profile, set the following values:
  • Configuration = Advanced
  • Trusted Certificate Authorities = “Your_Certificate_Authority”
  • Client Certificate = request
  • Frequency = once
2. Add one of these iRules, depending on whether you also need to select a pool based on the URI.

With pool selection:

```tcl
when RULE_INIT {
    set static::debug 1
}

when CLIENT_ACCEPTED {
    # The profile only *requests* a cert, so the client may send none. Initialise the
    # DN per connection so HTTP_REQUEST can always read the variable without a Tcl error.
    set subject_dn ""
}

when CLIENTSSL_CLIENTCERT {
    # Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
    if { [SSL::cert 0] ne "" } {
        set subject_dn [X509::subject [SSL::cert 0]]
    }
    if { $subject_dn ne "" } {
        if { $static::debug } { log "Client Certificate received: $subject_dn" }
    }
}

when HTTP_REQUEST {
    # A missing cert (empty $subject_dn) or a non-matching CN is rejected for the
    # protected URIs; URIs outside /companyA and /companyB are not checked.
    if { [HTTP::uri] starts_with "/companyA" } {
        if { $subject_dn contains "CN=Company A" } {
            pool companyA
        } else {
            reject
        }
    } elseif { [HTTP::uri] starts_with "/companyB" } {
        if { $subject_dn contains "CN=Company B" } {
            pool companyB
        } else {
            reject
        }
    }
}
```

Without pool selection:

```tcl
when RULE_INIT {
    set static::debug 1
}

when CLIENT_ACCEPTED {
    # Initialise the DN per connection; the client may present no certificate.
    set subject_dn ""
}

when CLIENTSSL_CLIENTCERT {
    # Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
    if { [SSL::cert 0] ne "" } {
        set subject_dn [X509::subject [SSL::cert 0]]
    }
    if { $subject_dn ne "" } {
        if { $static::debug } { log "Client Certificate received: $subject_dn" }
    }
}

when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/companyA" } {
        if { !($subject_dn contains "CN=Company A") } {
            reject
        }
    } elseif { [HTTP::uri] starts_with "/companyB" } {
        if { !($subject_dn contains "CN=Company B") } {
            reject
        }
    }
}
```
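Both iRules above decide with `contains`, which is a substring test against the whole subject DN string. The following is an added example, not code from the F5 page or from F5; it is written in Python because iRule logic cannot be run outside a BIG-IP. It mirrors the `contains` decision, parses the DN into attributes instead, and shows which constructed subjects the two approaches accept. The allow-list copies the page's `my_cn_list` values and `static::org`; the sample DNs (including the two that the substring check wrongly accepts) are constructed for the demonstration.

```python
"""Substring vs. attribute-level matching of a client-certificate subject DN.

Added example (not from the F5 page). The allow-list mirrors the page's
my_cn_list data group and static::org; all sample DNs are constructed.
"""
import re

ALLOWED_CNS = {"John Smith", "Amy Black", "Jim Beam", "Johnny Walker"}
REQUIRED_ORG = "Your Organisation"


def parse_dn(dn: str) -> dict:
    """Parse a subject DN into {ATTRIBUTE: [values]}.

    Accepts the OpenSSL slash form (/C=AU/ST=NSW/.../CN=John Smith) and the
    RFC 2253-style comma form (C=AU, ST=NSW, ..., CN=John Smith). In the
    comma form a comma escaped as '\\,' is part of the value, not a separator.
    """
    if dn.startswith("/"):
        parts = dn[1:].split("/")
    else:
        parts = re.split(r"(?<!\\),\s*", dn)  # split on unescaped commas only
    attrs: dict = {}
    for part in parts:
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        attrs.setdefault(key.strip().upper(), []).append(value.replace("\\,", ","))
    return attrs


def substring_check(dn: str) -> bool:
    """Same decision as the iRule: a listed 'CN=...' string appears anywhere in
    the DN and so does 'O=<required org>'."""
    cn_hit = any(f"CN={cn}" in dn for cn in ALLOWED_CNS)
    return cn_hit and f"O={REQUIRED_ORG}" in dn


def exact_check(dn: str) -> bool:
    """Attribute-level decision: exactly one CN, it is on the allow-list, and the
    O attribute equals the required organisation. Unparseable or empty DNs
    (no certificate presented) are refused."""
    try:
        attrs = parse_dn(dn)
    except ValueError:
        return False
    cns = attrs.get("CN", [])
    return len(cns) == 1 and cns[0] in ALLOWED_CNS and attrs.get("O", []) == [REQUIRED_ORG]


# Constructed sample subjects: the first two are legitimate, the next two are
# accepted by the substring test but not by the attribute-level test, the last
# stands for a connection with no client certificate.
SAMPLE_DNS = [
    "/C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith",
    "C=AU, ST=NSW, L=Syd, O=Your Organisation, OU=Your OU, CN=John Smith",
    "/C=AU/O=Your Organisation Ltd/CN=John Smithson",
    "/C=AU/O=Your Organisation/OU=CN=John Smith/CN=Contractor",
    "",
]

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(f"substring={substring_check(dn)!s:5} exact={exact_check(dn)!s:5} {dn!r}")
```

The third and fourth samples are the ones to watch: a CN or O that merely begins with an allow-listed value, or a listed CN string appearing inside another attribute's value, satisfies `contains` but not the attribute comparison. In an iRule the corresponding tightening is to extract the CN value on its own (for example with `findstr`) and compare it with `equals` against the data group rather than testing the whole DN with `contains`.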

The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.
