Manual Chapter : Create a custom Client SSL profile that supports SM2

Applies To:

BIG-IP AAM

  • 14.1.3, 14.1.2, 14.1.0

BIG-IP APM

  • 14.1.3, 14.1.2, 14.1.0

BIG-IP Analytics

  • 14.1.3, 14.1.2, 14.1.0

BIG-IP LTM

  • 14.1.3, 14.1.2, 14.1.0

BIG-IP PEM

  • 14.1.3, 14.1.2, 14.1.0

BIG-IP AFM

  • 14.1.3, 14.1.2, 14.1.0

BIG-IP DNS

  • 14.1.3, 14.1.2, 14.1.0

BIG-IP ASM

  • 14.1.3, 14.1.2, 14.1.0
Create a custom Client SSL profile that supports SM2

You create a custom Client SSL profile when you want the BIG-IP® system to terminate client-side SSL traffic, decrypting client-side ingress traffic and encrypting client-side egress traffic. By terminating client-side SSL traffic, the BIG-IP system offloads these decryption and encryption functions from the destination server. When you perform this task, you can specify multiple certificate key chains, one for each key type (RSA, DSA, and ECDSA). This allows the BIG-IP system to negotiate secure client connections using different cipher suites based on the client's preference.

F5 has added SM2, SM3, and SM4 cryptographic algorithm support for the Chinese market. The algorithms were independently developed by the China State Cryptography Administration: SM2 is the public key algorithm, SM3 is the hash algorithm, and SM4 is the block cipher algorithm. SM2 is based on the Elliptic Curve Discrete Logarithm Problem (ECDLP). See also the related sections for details on importing, exporting, and managing a certificate and key with an SM2 license.
Before you create a custom Client SSL profile that supports SM2, create an SM2 cipher rule and an SM2 cipher group.

Create an SM2 cipher rule

  1. On the Main tab, click Local Traffic > Ciphers > Rules.
     The Cipher Rules screen opens.
  2. Click Create.
     The New Cipher Rule screen opens.
  3. In the Name field, type a unique name for your SM2 cipher rule.
  4. In the Cipher Suites field, type the following cipher suites string: ECC-SM4-SM3
  5. In the DH Groups field, type the following DH groups string: SM2P256
  6. In the Signature Algorithms field, type the following signature algorithm string: SM2-SM3
  7. Click Finished.
     You are now ready to create a cipher group.

Create an SM2 cipher group

  1. On the Main tab, click Local Traffic > Ciphers > Groups.
     The Cipher Groups screen opens.
  2. Click Create.
     The New Cipher Group screen opens.
  3. In the Name field, type a unique name for your SM2 cipher group.
  4. In the Group Details area, select the check box next to the SM2 cipher rule in the Available Rules list.
  5. Click the arrows next to the Allow the following field to move the selected SM2 cipher rule into that field.
  6. Click Finished.
     You are now ready to create your custom Client SSL profile that supports SM2.

Create a custom Client SSL profile that supports SM2

  1. On the Main tab, click Local Traffic > Profiles > SSL > Client.
     The Client SSL profile list screen opens.
  2. Click Create.
     The New Client SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list, select clientssl.
  5. Select the Custom check box.
     The settings become available for change.
  6. From the Configuration list, select Advanced.
  7. For the Mode setting, select the Enabled check box.
  8. For the Certificate Key Chain setting, click Add. For an SM2 client profile, select the SM2 file type from the Certificate, Key, and Chain lists.
     1. From the Certificate list, select a certificate name.
        This is the name of a certificate that you installed on the BIG-IP system. If you have not generated a certificate request or installed a certificate on the BIG-IP system, and the BIG-IP system is not part of a device service clustering (DSC) configuration, you can specify the name of the existing certificate named default.
        Important: If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default certificate name, and ensure that this same certificate name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
     2. From the Key list, select the name of the key associated with the certificate specified in the previous step.
        This is the name of a key that you installed on the BIG-IP system. If you have not installed a key on the BIG-IP system, and the BIG-IP system is not part of a device service clustering (DSC) configuration, you can specify the name of the existing key named default.
        Important: If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default key name, and ensure that this same key name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
     3. From the Chain list, select the chain that you want to include in the certificate key chain.
        A certificate chain can contain either a series of public key certificates in Privacy Enhanced Mail (PEM) format or a series of one or more PEM files. A certificate chain can contain certificates for intermediate certificate authorities (CAs).
        Note: The default self-signed certificate and the default CA bundle certificate are not appropriate for use as a certificate chain.
     4. In the Passphrase field, type a string that enables access to SSL certificate/key pairs that are stored on the BIG-IP system with password protection.
        This setting is optional. For added security, the BIG-IP system automatically encrypts the passphrase itself. This passphrase encryption process is invisible to BIG-IP system administrative users.
  9. Click Add.
  10. For the Ciphers setting, select Cipher Group, and then select the existing SM2 custom cipher group to define the ciphers that the BIG-IP system uses for negotiating SSL connections.
  11. For the Options List setting, select the following as Enabled Options:
     • GMSSLv1.1
     • No SSL
     • No TLS
     • No DTLS
  12. Click Finished.
After performing this task, you can see the custom Client SSL profile that supports SM2 in the list of Client SSL profiles on the system.
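The same three objects can be created from the BIG-IP command line with tmsh, which is useful for scripting the build and for checking afterwards that the profile really carries the SM2 cipher group and certificate key chain. The following is an added example, not part of this manual chapter: the object names (sm2_rule, sm2_group, sm2_clientssl, and the file names sm2.crt, sm2.key, sm2_chain.crt) are assumed and must match what you installed on your system. The tmsh keywords for the Options List entries (GMSSLv1.1, No SSL, No TLS, No DTLS) are not given on this page, so that step is left to the GUI procedure above rather than guessed here.

```tmsh
# Step 1: cipher rule with the SM2 cipher suite, curve, and signature
# algorithm strings from the procedure above.
create ltm cipher rule sm2_rule cipher ECC-SM4-SM3 dh-groups SM2P256 signature-algorithms SM2-SM3

# Step 2: cipher group that allows only that rule.
create ltm cipher group sm2_group allow add { sm2_rule }

# Step 3: Client SSL profile. "ciphers none" is required when a cipher
# group is assigned, because a profile cannot carry both a cipher string
# and a cipher group. Certificate, key, and chain names are assumptions;
# use a non-default certificate and key on a Sync-Failover device group.
create ltm profile client-ssl sm2_clientssl defaults-from clientssl ciphers none cipher-group sm2_group cert-key-chain add { sm2 { cert sm2.crt key sm2.key chain sm2_chain.crt } }

# Verification: confirm the rule, group, and profile as the system stored
# them before attaching the profile to a virtual server. The profile's
# options (GMSSLv1.1, no-ssl, no-tls, no-dtls) must still be enabled per
# step 11 of the GUI procedure and will appear in this output once set.
list ltm cipher rule sm2_rule
list ltm cipher group sm2_group
list ltm profile client-ssl sm2_clientssl ciphers cipher-group cert-key-chain options

# Persist the running configuration.
save sys config
```

Run the commands in an interactive tmsh session (or prefix each with `tmsh` from the bash shell). The `list` output is the check worth keeping: if `cipher-group` does not show sm2_group or the `cert-key-chain` entry does not reference the SM2 certificate and key, the profile will not negotiate the SM2 suite regardless of what the GUI appears to show.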