Snapped Shot

Always Watching the All-Seeing Eye


An Endless Pile of Technical Cruft

My apologies for the relative quiet around here these past few days. I've been tied up at the office putting together an end-to-end demonstration on using Oracle Application Server (eBusiness Suite 11i, actually) with DOD's PKI authentication (which they so lovingly call "CAC cards") for the past week. I'm scheduled to be done on Friday, but we'll see how well that actually works.

If you're a technical weenie and you ever have the need to do this, the magic for passing a client certificate from an F5 BIG-IP load balancer to an Oracle Single Sign-On server, with traffic to the backend server sent as unencrypted HTTP, follows the break.

I never would've figured this out if it weren't for F5's excellent DevCentral. See these threads for background, and this one (the second iRule down) for a good pointer on how to ensure that no unsecured traffic ever reaches your backend servers, which means that you have 100% accountability for the people visiting your DOD website, since they'll all have been authorized by valid and verified PKI certificates.

I haven't had a chance to get OCSP shaken out and tested yet, since our unit isn't licensed to do it—but it is definitely on the ol' Todo List. I'm also running into problems loading a revocation list (CRL) into our unit as well (since that's the only reliable way I can think of to test certificate validation without OCSP), but hope to have that resolved shortly.

when CLIENTSSL_HANDSHAKE {
    # Remember the client certificate under its TLS session ID, so a resumed
    # session (where the certificate is not sent again) can still be tied to it.
    set cur [SSL::sessionid]
    set ask [session lookup ssl $cur]
    if { $ask eq "" } {
        session add ssl [SSL::sessionid] [SSL::cert 0]
    }
}

when HTTP_REQUEST {
    # The backend only ever sees plain HTTP; tell it the client side was TLS.
    HTTP::header replace HTTPS on

    set id [SSL::sessionid]
    set the_cert [session lookup ssl $id]

    if { $the_cert != "" } {
        # Drop any SSL-Client-Cert header the client sent itself, so the backend
        # only ever sees the one derived from the TLS handshake.
        HTTP::header remove SSL-Client-Cert
        # Flatten the PEM to a single line: strip the BEGIN/END armour, then join
        # the base64 lines with nothing in between so it fits in one header value.
        HTTP::header insert SSL-Client-Cert [ join [string trim [string map {
            "-----BEGIN CERTIFICATE-----" ""
            "-----END CERTIFICATE-----" "" } \
            [X509::whole $the_cert ] ] ] "" ]
    } else {
        # No certificate on this session: answer here, so the request never
        # reaches the backend without a verified CAC.
        HTTP::respond 200 content "<html><body>
<h1>Access Denied</h1>
Access to this resource is denied without a valid
DOD Common Access Card. If you do not have one,
please visit the <a href=\"https://www.cac.mil/Home.do\">Common
Access</a> website for information on obtaining a CAC
card. Otherwise, please insert your CAC card into your
reader, close this window, and try accessing this website
again.
</body></html>"
    }
}
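What the backend on the plain-HTTP side should do with that header before trusting it, as an added example that is not part of the original post nor F5's or Oracle's code: reverse the iRule's flattening, accept the header only from the load balancer and only once, and check that the base64 decodes to a complete DER structure. The proxy address, the function names and the stand-in DER bytes are assumptions.

```python
import base64
import binascii
import re
TRUSTED_PROXY_IPS = {"10.0.0.5"}   # assumption: the self-IP the BIG-IP uses toward the backend
_B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def flatten_pem(pem: str) -> str:
    """Reproduce the iRule's string map + join: drop the armour lines, remove all whitespace."""
    body = pem.replace("-----BEGIN CERTIFICATE-----", "").replace("-----END CERTIFICATE-----", "")
    return "".join(body.split())

def rebuild_pem(flat: str) -> str:
    """Inverse transform: re-wrap the base64 at 64 columns (RFC 7468) and restore the armour."""
    lines = [flat[i:i + 64] for i in range(0, len(flat), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def der_total_length(der: bytes) -> int:
    """Size the outer DER SEQUENCE claims (tag + length octets + content); raises if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                                  # short-form length
        return 2 + first
    n = first & 0x7F                                  # long form: n length octets follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def extract_client_cert(headers, peer_ip):
    """headers: list of (name, value) pairs as received. Returns (der, None) or (None, reason)."""
    if peer_ip not in TRUSTED_PROXY_IPS:
        return None, "not from the load balancer: a client could have set the header itself"
    if "on" not in [v for k, v in headers if k.lower() == "https"]:
        return None, "request did not come through the TLS virtual server"
    values = [v for k, v in headers if k.lower() == "ssl-client-cert"]
    if len(values) != 1:
        return None, "expected exactly one SSL-Client-Cert header, got %d" % len(values)
    flat = values[0].strip()
    if not _B64.match(flat):
        return None, "header value is not base64"
    try:
        der = base64.b64decode(flat, validate=True)
        if der_total_length(der) != len(der):
            return None, "certificate is truncated or has trailing bytes"
    except (binascii.Error, ValueError) as e:
        return None, "malformed certificate: %s" % e
    return der, None

# Constructed stand-in for a certificate: a DER SEQUENCE { INTEGER 5 }, not a real X.509 cert.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = rebuild_pem(base64.b64encode(SAMPLE_DER).decode())
```

Once the DER passes these checks, hand it to a real X.509 library for chain and revocation validation; this code only establishes that the header is trustworthy and intact.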


Previously: For information on how to make Oracle Application Server read this information, check out my previous pile of technical cruft.




Comments

Here is what a handful of random people think about this article. But first, the fine print:
The opinions expressed here, even where approved for display, do not necessarily reflect the opinions of this website, the management, or any other entity or organization, with the exception of the Vast Zionist Conspiracy. Those opinions we represent in style, yo. Please keep the language in these comments clean, as this is intended to be a family-friendly, work-friendly website. Comments not compliant with this policy will be edited for content where necessary. Abusive or otherwise illegal comments will be reported to the proper authorities, up to and including the aforementioned Vast Zionist Conspiracy. The Management cannot and will not be held responsible for commenters making a spectacle of themselves, even if The Management are the said commenters in question. In other words, don't take yourself so seriously, folks. We're all here to discuss the news, and more importantly, to have fun. Now go get yourself into some OCD treatment program—you obviously need it if you actually read all of this mess.

JayDee on 2007-05-21 17:06 #1
Sooooooo.. apparently you're not at work today, huh?
Brian C. Ledbetter on 2007-05-21 21:02 #2
LOL, nope, I got to play "Beltway Bandit" all day. I'll be back in Q-town tomorrow, but I've gotta go back up to McLean later on in the week... Yeesh.

Regards,
Brian
JayDee on 2007-05-22 08:44 #3
Soooooo... why didn't you log on to AIM?
Brian C. Ledbetter on 2007-05-22 09:38 #4
Would you believe that the corporate network I was sitting on is actually more secure than DOD's network?

I don't want to go into details, but I could actually log in to AIM here in Q-town if I were bold enough... or didn't live in fear of being sent to Federal "Pound me in the ..." Prison for trying.

;-)

Regards,
B
burch on 2008-03-19 17:01 #5
Will this iRule for passing a cert work with BigIP version 4.5?
Brian C. Ledbetter on 2008-03-19 17:31 #6
Burch,

It can be made to work, but the syntax of the commands is, if I remember correctly, a lot different between 4.5 and 9 (as far as the actual command naming goes).

As always, devcentral is the best source of information for finding out what works, where...

Regards,
Brian