Lab 1.8 - Implement Dynamic Certificate Injection

In this section, we will use the HTTP Connector to retrieve a user’s certificate from Active Directory and use it in the BIG-IP Certificate minting process.

Task - Create an HTTP Connector Transport

  1. Navigate to Access >> Authentication >> HTTP Connector >> HTTP Connector Transport and click the + (plus symbol)

  2. Enter Name demo-http-connector

  3. Select prebuilt-dns-resolver from the DNS Resolver dropdown

  4. Select prebuilt-adpiadmin-serverssl from the Server SSL Profile

  5. Click Save

Task - Create an HTTP Connector Request

  1. Navigate to Access >> Authentication >> HTTP Connector >> HTTP Connector Request and click the + (plus symbol)

  2. Enter name get-cert

  3. Select demo-http-connector from the dropdown

  4. Enter URL https://adapi.f5lab.local:8443/aduser/cert?useridentity=%{perflow.username}

  5. Enter GET for the Method

  6. Select Parse for the Response Action

  7. Click Save

Task - Create a Per-Request Policy

  1. Navigate to Access >> Profiles/Policies >> Per-Request Policies and click the + (plus symbol)

  2. Enter the name certsso_prp

  3. Select the Language English

  4. Click Finished

  5. Click edit under Per-Request Policy

  6. Click Add New Subroutine

  7. Enter the name Request Cert

  8. Click Save

  9. Expand the subroutine by clicking the + (plus symbol)

  10. Click the + (plus symbol) on the fallback branch.

  11. Click the General Purpose tab

  12. Select HTTP Connector

  13. Click Add Item

  14. Select get-cert from the dropdown

  15. Click Edit Terminals

  16. Click Add Terminal

  17. Change the name for the default branch to Fail

  18. Change the default branch text to Red

  19. Enter the name Success for the new branch

  20. Change the color of the new branch to Success

  21. Click the Fail terminal at the end of the Successful branch

  22. Select the Success terminal

  23. Click Save

  24. Click the + (plus symbol) on the successful branch

  25. Click the Assignment tab

  26. Select Variable Assign

  27. Click Add Item

  28. Click Add new entry

  29. Click change

  30. Enter session.ssl.cert.whole for the Custom Variable

  31. Select Session Variable from the dropdown

  32. Enter subsession.http_connector.body.certificate for the Session Variable

  33. Click Finished

  34. Click Save

  35. Click the + (plus symbol) located between Start and Allow in the policy

  36. Click the Subroutines tab

  37. Select the Request Cert subroutine

  38. Click Add Item

  39. Click the + (plus symbol) on the success branch of Request Cert

  40. Click the General Purpose tab

  41. Select iRule Event

  42. Click Add Item

Note

This iRule event triggers the code from the previously attached iRule. This iRule must be used when inserting a certificate using C3D in a per-request policy.

when ACCESS_PER_REQUEST_AGENT_EVENT {
   # Read the PEM certificate that the Variable Assign agent placed in the session
   set cert [ACCESS::session data get {session.ssl.cert.whole}]
   # Lab troubleshooting only: writes the full PEM to /var/log/ltm on every request
   log local0. "My cert: $cert"
   # Convert PEM to DER and hand it to C3D, which mints the client certificate from it
   SSL::c3d cert [X509::pem2der $cert]
}

  43. Enter lab for the ID
  44. Click Save
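The data flow that the Request Cert subroutine and the iRule above implement, written here as an added stand-alone Python model (not BIG-IP, F5 or lab code): it expands the username into the connector URL, mimics X509::pem2der with a PEM-armor and DER-length check, and returns the Success or Fail terminal. It assumes the AD API answers with a JSON body carrying a certificate field (consistent with the Parse action and body.certificate above); the sample body and its DER payload are constructed, and the function names are hypothetical.

```python
import base64
import json
from urllib.parse import quote

# Constructed stand-in for the AD API body; the payload is a minimal DER
# SEQUENCE (30 03 02 01 01), not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_BODY = json.dumps({"certificate": "-----BEGIN CERTIFICATE-----\n"
                          + base64.b64encode(SAMPLE_DER).decode()
                          + "\n-----END CERTIFICATE-----\n"})

def build_request_url(username, base="https://adapi.f5lab.local:8443/aduser/cert"):
    """Expand %{perflow.username} into the connector URL, percent-encoding it so
    characters such as '&' or '#' in a username cannot alter the query string."""
    return f"{base}?useridentity={quote(username, safe='')}"

def pem2der(pem):
    """Mimic X509::pem2der: strip the armor, base64-decode, and require one
    complete DER SEQUENCE (tag 0x30) whose encoded length matches the data."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if (len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----"
            or lines[-1] != "-----END CERTIFICATE-----"):
        raise ValueError("missing PEM armor")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)  # binascii.Error is a ValueError
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                      # short-form length
        length, hdr = der[1], 2
    else:                                  # long-form length, 1-4 length bytes
        n = der[1] & 0x7F
        if not 1 <= n <= 4 or len(der) < 2 + n:
            raise ValueError("bad DER length")
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if hdr + length != len(der):
        raise ValueError("DER length does not match body")
    return der

def request_cert_subroutine(response_body):
    """Model the 'Request Cert' subroutine: Parse the connector body, assign
    body.certificate to session.ssl.cert.whole, and return the terminal taken
    ('Success' or 'Fail') together with the session variables that were set."""
    session = {}
    try:
        cert_pem = json.loads(response_body)["certificate"]
        session["session.ssl.cert.whole"] = cert_pem
        session["c3d.der"] = pem2der(cert_pem)  # the bytes the iRule hands to SSL::c3d
        return "Success", session
    except (ValueError, KeyError, TypeError, AttributeError):
        return "Fail", session
```

A body without a certificate field, or with a PEM whose DER length does not match its contents, ends on the Fail terminal instead of reaching SSL::c3d.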

Task - Attach the PRP to the mTLS Virtual Server

  1. Navigate to Local Traffic >> Virtual Servers. Click Virtual Server List

  2. Click mtls_vs

  3. Navigate to the Access Policy section and select certsso_prp from the Per-Request Policy dropdown
  4. Click Update
