Because the NetScaler appliance offloads all SSL-related processing from the
servers, the servers receive only HTTP traffic. In some circumstances, however,
the server needs certain SSL information. For example, security audits of
recent SSL transactions require the client subject name (contained in an X509
certificate) to be logged on the server.
Such data can be sent to the server by inserting it into the HTTP header as a
name-value pair. You can insert the entire client certificate, if required, or
only specific fields from the certificate, such as the subject, serial number,
issuer, certificate hash, SSL session ID, cipher suite, or the not-before or
not-after date used to determine certificate validity.
You can enable
SSL-based insertion for HTTP-based SSL virtual servers and services only. You
cannot apply it to TCP-based SSL virtual servers and services. Also, client
authentication must be enabled on the SSL virtual server, because the inserted
values are taken from the client certificate that is presented to the virtual
server for authentication.
To configure SSL-based header insertion, first create an SSL action for each
specific set of information to be inserted, and then create policies that
identify the connections for which you want to insert the information. As you
create each policy, specify the action that you want associated with the
policy. Then, bind the policies to the SSL virtual servers that will receive
the SSL traffic.
This example uses default syntax policies. In the following example, a control
policy (ctrlpol) is created to perform client authentication if a request is
received for the URL /testsite/file5.html. A data policy (datapol) is created
to invoke an SSL action (act1) if client authentication is successful; act1
inserts the certificate details and the issuer's name into the request before
the request is forwarded. For other URLs, client authentication is disabled.
The policies are then bound to an SSL virtual server (ssl_vserver) that
receives the SSL traffic.
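The scenario just described, written out as NetScaler CLI commands. This is an added example, not the page's own command listing: the names ctrlpol, datapol, act1 and ssl_vserver come from the page; the header names, the noauthpol policy, the priorities, and the availability of the built-in DOCLIENTAUTH and NOCLIENTAUTH actions and the REQUEST and DATA bind points on the reader's release are assumptions, and a CA certificate is assumed to be already bound to the virtual server for client authentication.

```text
# Added example (constructed): SSL header insertion on a NetScaler appliance.
# Client authentication must be enabled on the SSL virtual server, because the
# inserted values are read from the certificate the client presents.
set ssl vserver ssl_vserver -clientAuth ENABLED

# SSL action act1: insert the whole client certificate and the issuer name as
# request headers before the request is forwarded to the server.
# Header names are assumptions; pick ones your server expects.
add ssl action act1 -clientCert ENABLED -certHeader "X-Client-Cert" -clientCertIssuer ENABLED -certIssuerHeader "X-Client-Cert-Issuer"

# Control policy ctrlpol: request client authentication only for the audited URL.
add ssl policy ctrlpol -rule "HTTP.REQ.URL.EQ(\"/testsite/file5.html\")" -action DOCLIENTAUTH

# Control policy noauthpol (assumed name): every other URL, no client auth.
add ssl policy noauthpol -rule TRUE -action NOCLIENTAUTH

# Data policy datapol: run act1 only when a client certificate was presented,
# that is, only when client authentication succeeded.
add ssl policy datapol -rule CLIENT.SSL.CLIENT_CERT.EXISTS -action act1

# Bind the control policies at the request bind point, most specific first
# (lower priority number is evaluated first), and the data policy at the
# data bind point.
bind ssl vserver ssl_vserver -policyName ctrlpol   -priority 10 -type REQUEST
bind ssl vserver ssl_vserver -policyName noauthpol -priority 20 -type REQUEST
bind ssl vserver ssl_vserver -policyName datapol   -priority 10 -type DATA

# Check the resulting bindings and the fields act1 will insert.
show ssl vserver ssl_vserver
show ssl action act1
```

Because the inserted values are ordinary request headers, the server should read them only on connections that arrive from the appliance, not on requests that reach it by any other path.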