Security Guide (Supporting ADX v03.1.00) Instruction Manual
Brocade Virtual ADX Security Guide 141
53-1003250-01
Configuration examples for SSL Termination Mode
6
Define client certificate insertion mode and prefix
The client certificate insertion mode and prefix can be optionally configured within a CSW policy as
described in the following. To configure the client insertion mode, use the default rewrite
request-insert command as shown.
Virtual ADX(config)#csw-policy cswp1
Virtual ADX(config-csw-cswp1)#default rewrite request-insert client-cert
Syntax: [no] default rewrite request-insert client-cert [entire-chain | leaf-cert | wellknown-fields]
Selecting the entire-chain parameter directs the Brocade Virtual ADX to insert the entire chain
including the leaf certificate in BASE64 encoded form. This is the default mode.
Selecting the leaf-cert parameter directs the Brocade Virtual ADX to insert only the leaf certificate
in BASE64 encoded form, even though the certificate chain is present.
If the wellknown-fields parameter is selected the important information of the client certificate is
retrieved and inserted as the HTTP headers, in plain text. If this mode is chosen, the following
headers are inserted: "Client-Cert-Version", "Client-Cert-Serial", "Client-Cert-Start", "Client-Cert-End",
"Client-Cert-Subject", "Client-Cert-Subject-CN", "Client-Cert-SubjectAlt-CN", "Client-Cert-Issuer" and
"Client-Cert-Issuer-CN".
You can add a prefix to the default HTTP names using the default rewrite request-insert
certheader-prefix command. In the following example, the prefix "SSL" added to the HTTP header
"Client-Cert" would become "SSL-Client-Cert".
Virtual ADX(config)#csw-policy cswp1
Virtual ADX(config-csw-cswp1)#default rewrite request-insert client-cert
certheader-prefix "SSL"
Syntax: [no] default rewrite request-insert client-cert certheader-prefix prefix
The value specified by the prefix variable is added to the default HTTP name.
The HTTP header names are shown in Table 15.
TABLE 15 HTTP Header Names and Descriptions
Header Names Descriptions
Client-Cert The entire client certificate chain or the leaf certificate.
Client-Cert-Version Version of the client certificate.
Client-Cert-Serial Serial number of the client certificate.
Client-Cert-Start Date certificate not valid before.
Client-Cert-End Date certificate not valid after.
Client-Cert-Subject Subject's distinguished name.
Client-Cert-Subject-CN Subject's common name.
Client-Cert-Subject-Alt-CN Subject's alternative name.
Client-Cert-Issuer Issuer's distinguished name.
Client-Cert-Issuer-CN Issuer's common name.