When a company decides to terminate all incoming HTTPS connections on the F5 and have the F5 open new SSL connections to backend systems such as DataPower, the backend no longer sees the client's TLS handshake, so the F5 needs to pass the client SSL certificate to the downstream systems for further security validation.
A common way to pass the client SSL certificate down is to inject it into the HTTP header X-Client-Cert, whose value is the base64 encoding of the X.509 client certificate. Because the header carries only the public certificate and no proof of private-key possession, the F5 must unconditionally overwrite any X-Client-Cert value the client sends, and DataPower should accept the header only on the connection from the F5.
In DataPower, we can validate the client certificate in an AAA policy:
- create a new Processing Metadata object named X509Client (Metadata Category: Custom Header; Metadata Item: X509Client; Custom Data Source: X-Client-Cert)
- create an AAA policy to validate the client certificate
- on the Identity Extraction tab, check Processing metadata and select X509Client
- on the Authentication tab, set Method to Custom template and Custom URL to X509Check.xsl
- sample X509Check.xsl that validates the client certificate against a Crypto Validation Credentials object named 'ValCredObj':
  <?xml version="1.0" encoding="UTF-8"?>
  <xsl:stylesheet version="1.0"
      xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
      xmlns:dp="http://www.datapower.com/extensions"
      extension-element-prefixes="dp">

    <xsl:template match="/">
      <!-- base64 certificate extracted from X-Client-Cert by the X509Client metadata item -->
      <xsl:variable name="x509value" select="//X509Client"/>
      <!-- dp:validate-certificate expects <input><subject>cert:BASE64</subject></input> -->
      <xsl:variable name="cert">
        <input>
          <subject><xsl:value-of select="concat('cert:', $x509value)"/></subject>
        </input>
      </xsl:variable>
      <!-- validate against the Crypto Validation Credentials object ValCredObj -->
      <xsl:variable name="result">
        <xsl:copy-of select="dp:validate-certificate($cert, 'ValCredObj')"/>
      </xsl:variable>
      <xsl:choose>
        <xsl:when test="$result/error">
          <!-- log the validation error and reject the request -->
          <xsl:message dp:priority="debug"><xsl:copy-of select="$result"/></xsl:message>
          <dp:reject><xsl:value-of select="$result/error"/></dp:reject>
        </xsl:when>
        <xsl:otherwise>
          <!-- non-empty output marks the custom authentication step as successful -->
          <xsl:copy-of select="."/>
        </xsl:otherwise>
      </xsl:choose>
    </xsl:template>
  </xsl:stylesheet>
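To see what the validation credential check amounts to outside DataPower, here is an added example (a shell script of mine, not code from the post or from IBM) in which openssl plays both sides: the F5 side builds the X-Client-Cert value as one-line base64 DER, and the receiving side decodes it and verifies it against a CA file that stands in for ValCredObj. It assumes openssl is on the PATH; all keys and certificates are throw-away ones generated by the script.

```shell
#!/bin/sh
# Added example, not from the original post: openssl plays both the F5 and the
# DataPower side, and ca.pem stands in for the ValCredObj validation credential.
# Every key and certificate below is generated here and thrown away.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed CA: gen_ca <CN> <basename>
gen_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.pem" 2>/dev/null
}
# Client certificate issued by a CA: gen_leaf <CN> <basename> <ca-basename>
gen_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -days 1 -out "$2.pem" 2>/dev/null
}
gen_ca "Trusted CA" ca;    gen_leaf "client"   client   ca     # trusted chain
gen_ca "Rogue CA"   rogue; gen_leaf "imposter" imposter rogue  # untrusted chain

# F5 side: X-Client-Cert value = base64 of the DER certificate on one line, no PEM
# armour, which is the form the 'cert:' prefix in X509Check.xsl expects.
make_header() {
  openssl x509 -in "$1" -outform DER | openssl base64 -A
}

# DataPower side: rebuild the certificate from the header value and validate it
# against the CA. Exit 0 = accept; exit 1 = the $result/error branch of the XSLT.
validate_header() {
  printf '%s' "$1" | openssl base64 -d -A > hdr.der 2>/dev/null || return 1
  openssl x509 -inform DER -in hdr.der -out hdr.pem 2>/dev/null || return 1
  openssl verify -CAfile ca.pem hdr.pem >/dev/null 2>&1
}
# Wrapper that reports the decision as a word, for logging or assertions.
check_header() {
  if validate_header "$1"; then echo accepted; else echo rejected; fi
}

GOOD=$(make_header client.pem)                           # issued by Trusted CA
BAD=$(make_header imposter.pem)                          # issued by Rogue CA
JUNK=$(printf 'not a certificate' | openssl base64 -A)   # not a certificate at all

echo "good:  $(check_header "$GOOD")"   # accepted
echo "rogue: $(check_header "$BAD")"    # rejected
echo "junk:  $(check_header "$JUNK")"   # rejected
```

The rogue and junk cases are the situations in which dp:validate-certificate returns an error node and the stylesheet calls dp:reject.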