Configure SSL-based header insertion 编辑

Because the Citrix ADC appliance offloads all SSL-related processing from the servers, the servers receive only HTTP traffic. In some circumstances, the server needs certain SSL information. For example, security audits of recent SSL transactions require the client subject name (contained in an X509 certificate) to be logged on the server.

Such data can be sent to the server by inserting it into the HTTP header as a name-value pair. You can do one of the following:

• Insert the entire client certificate, if necessary, a hash (also known as a fingerprint or thumbprint) of the entire client certificate.
• Insert only the specific fields from the certificate, such as the subject, serial number, issuer, signature, SSL session ID, cipher suite.
• Insert the not-before or not-after date used to determine certificate validity.

You can enable SSL-based insertion for HTTP-based SSL virtual servers and services only. You cannot apply it to TCP-based SSL virtual servers and services. Also, client authentication must be enabled on the SSL virtual server, because the inserted values are taken from the client certificate that is presented to the virtual server for authentication.

To configure SSL-based header insertion, first create an SSL action for each specific set of information to be inserted, and then create policies that identify the connections for which you want to insert the information. As you create each policy, specify the action that you want associated with the policy. Then, bind the policies to the SSL virtual servers that receive the SSL traffic.

The following example uses default syntax policies. In the following example, a control policy (ctrlpol) is created to perform client authentication if a request is received for the URL /testsite/file5.html. A data policy (datapol) is created to perform an action (act1) if client authentication is successful. An SSL action (act1) is added to insert the certificate details and issuer’s name in the request before forwarding the request. For other URLs, client authentication is disabled. The policies are then bound to an SSL virtual server (ssl_vserver) that receives the SSL traffic.

Command-line example of configuring SSL-based header insertion

Example:

add ssl action act1 -clientCert ENABLED -certHeader mycert -clientcertissuer ENABLED -certIssuerHeader myissuer

add ssl policy datapol -rule HTTP.REQ.URL.EQ("/testsite/file5.html") -action act1

add ssl policy ctrlpol -rule HTTP.REQ.URL.EQ("/testsite/file5.html") -action CLIENTAUTH

bind ssl vserver ssl_vserver -policyName ctrlpol -priority 1

bind ssl vserver ssl_vserver -policyName datapol -priority 1

Done
<!--NeedCopy-->