Manual Chapter: Create a custom Server SSL profile that supports C3D

Applies To: BIG-IP AAM, APM, Analytics, LTM, PEM, AFM, DNS, and ASM, versions 14.1.3, 14.1.2, and 14.1.0
With a Server SSL profile, the BIG-IP® system can perform decryption and encryption for server-side SSL traffic. For detailed information on how to complete the client certificate constrained delegation (C3D) configuration and ensure that your custom server SSL profile is set up properly, see About client certificate constrained delegation before completing your custom profile setup.

- On the Main tab, open the Server SSL profile list. The Server SSL profile list screen opens.
- Click Create. The New Server SSL Profile screen opens.
- In the Name field, type a unique name for the profile.
- From the Parent Profile list, select serverssl.
- From the Configuration list, select Advanced.
- Select the Custom check box. The settings become available for change.
- From the Certificate list, select the name of an SSL certificate on the BIG-IP system. If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default certificate name, and ensure that this same certificate name is specified in every instance of this SSL profile in the device group. This helps to ensure that SSL handshakes are successful after a failover event.
- From the Key list, select the name of an SSL key on the BIG-IP system. If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default key name, and ensure that this same key name is specified in every instance of this SSL profile in the device group. This helps to ensure that SSL handshakes are successful after a failover event.
- In the Pass Phrase field, type the pass phrase that enables access to the certificate/key pair on the BIG-IP system.
- From the Chain list, select the name of an SSL chain on the BIG-IP system.
- For the Ciphers setting, specify a cipher group or a cipher string by choosing one of these options. If you specified an ECDSA certificate key chain in the Certificate Key Chain setting, you must include the cipher string ECDHE_ECDSA in the cipher group or cipher string that you specify in the Ciphers setting (at a minimum, specify a cipher group or string such as DEFAULT:ECDHE_ECDSA). This is necessary to ensure successful cipher negotiation when the BIG-IP system is offered an ECDSA-based certificate only.
  - Cipher Group: Select an existing cipher group from the list when you want to use a system-defined or custom cipher group to define the ciphers that the BIG-IP system uses for negotiating SSL connections. (The screenshot at this point shows the Ciphers setting with a custom cipher group, created earlier, selected.)
  - Cipher String: Type a cipher string in the box if you want to manually specify a cipher string instead of selecting a cipher group. For security and performance reasons, consider following these recommendations:
    - Always append ciphers to the DEFAULT cipher string rather than replacing it.
    - Include the ECC key type (ECDHE key exchange and ECDSA signatures): its much shorter keys speed up the handshake while offering security equivalent to far longer RSA or DH keys.
    - Disable anonymous Diffie-Hellman (ADH) ciphers, which perform no server authentication, but also include the keyword HIGH. To do this, include both !ADH and :HIGH in your cipher string.
    - For AES, DES, and RC4 encryption types, make sure you specify the DHE key exchange method. DHE provides Forward Secrecy: it creates an ephemeral key that is discarded after each session, so the same session key is never used twice and a recorded session cannot be decrypted later with the server's private key. When you use DHE, make sure that the SSL private key isn't being shared with a monitoring system or a security device like an intrusion detection or prevention system, because such a device can no longer decrypt the traffic with that key alone. For the same reason, diagnostic tools like ssldump won't work when you're using Forward Secrecy. (DES and RC4 are themselves weak and should be disabled regardless of the key exchange method.)
    - Disable EXPORT ciphers by including !EXPORT in the cipher string.
    - If you can live with removing support for the SSLv3 protocol version, do it. This protocol version is not secure. Simply include :!SSLv3 in any cipher string you type.
  Here's an example of the Ciphers setting where we have opted to manually type the cipher string DEFAULT:ECDHE-RSA-AES128-GCM-SHA256:!ADH:!EXPORT:HIGH.
- In the same area of the screen, configure any other settings as needed.
- Select the Custom check box for the Server Authentication area of the screen. The settings become available for change.
- Change or retain the values for all Server Authentication settings as needed.
- If you intend to use OCSP stapling, then from the OCSP list, select the OCSP object that the BIG-IP system's SSL should use to connect to the OCSP responder and check the server certificate status. You can click the + icon to open the create-new OCSP object screen. The OCSP stapling object can be added in both forward and reverse proxy configurations. When the server SSL Forward Proxy property is set to Enabled, the forward proxy OCSP object is used to validate and staple the web server's certificate status. When the server SSL Forward Proxy property is set to Disabled, the reverse proxy OCSP object is used to reset the client connection if the web server certificate has been revoked.
- Select the Custom check box for the Client Certificate Constrained Delegation section. The settings become available for change. See About client certificate constrained delegation prior to enabling C3D.
- From the Client Certificate Constrained Delegation section's configuration list, select Advanced.
- From the Client Certificate Constrained Delegation list, select Enabled.
- From the CA Certificate list, select the name of the certificate file that is used as the certification authority certificate. This CA signs the client certificates that the BIG-IP system generates on the client's behalf, so the back-end servers must trust it for client authentication; use a CA dedicated to C3D rather than a general-purpose issuing CA, and protect its key accordingly.
- From the CA Key list, select the name of the key file that is used as the certification authority key.
- In the CA Passphrase field, type the passphrase of the key file that is used as the certification authority key. This must be the passphrase corresponding to the specified CA Key.
- In the Confirm CA Passphrase field, type the identical passphrase.
- For the Certificate Lifespan fields, type the lifespan of the certificates generated through client certificate constrained delegation. The default is 1 day, 0 hours. Keep the lifespan short: it bounds how long a generated certificate remains usable.
- To define which extensions of the client certificates are included in the generated certificates, from the Certificate Extensions list, select Extensions List.
- For the Certificate Extensions List setting, click Enable or Disable to add or remove the available extensions:
  - Basic Constraints: Indicates whether the certificate belongs to a CA.
  - Extended Key Usage: Typically on a leaf certificate, indicates the purpose of the public key contained in the certificate.
  - Key Usage: Provides a bitmap specifying the cryptographic operations that may be performed using the public key contained in the certificate; for example, it could indicate that the key should be used for signature but not for enciphering.
  - Subject Alternative Name: Allows identities to be bound to the subject of the certificate. These identities may be included in addition to, or in place of, the identity in the subject field of the certificate.
  You can also add extensions in the Custom extension field. Type in the extension name and click Add.
- Click Finished.
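What the C3D settings above produce, shown as an added example written for this page (it is not F5 code and not the BIG-IP implementation): a Go program that stands in for the profile's CA Certificate and CA Key with a constructed CA, takes a constructed client certificate, and mints the replacement certificate the C3D steps describe, with the same Subject, only the extensions enabled in the Certificate Extensions List, the default 1-day lifespan, and a signature from the C3D CA. The back-end server's trust decision is modelled with Go's standard chain verifier. The function names (NewC3DCA, NewClientCert, IssueC3DCert, ServerAccepts), the CA and client identities, and the use of ECDSA P-256 keys are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Names of the entries in the profile's Certificate Extensions List.
const (
	ExtBasicConstraints = "Basic Constraints"
	ExtExtendedKeyUsage = "Extended Key Usage"
	ExtKeyUsage         = "Key Usage"
	ExtSubjectAltName   = "Subject Alternative Name"
)

// issue signs tmpl for a fresh P-256 key pair; a nil parentKey means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewC3DCA is a constructed stand-in for the CA Certificate and CA Key selected in the profile.
func NewC3DCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "C3D Issuing CA (constructed)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return issue(tmpl, tmpl, nil)
}

// NewClientCert is a constructed stand-in for the certificate a real client presents; its private key stays with the client.
func NewClientCert() (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1234), Subject: pkix.Name{CommonName: "alice", Organization: []string{"Example Corp"}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(30 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		EmailAddresses: []string{"alice@example.com"},
	}
	cert, _, err := issue(tmpl, tmpl, nil)
	return cert, err
}

// IssueC3DCert models the server-side step: a new certificate (new key, since the proxy never holds the
// client's key) carrying the client's Subject and only the enabled extensions, valid for lifespan, signed by the CA.
func IssueC3DCert(client, caCert *x509.Certificate, caKey *ecdsa.PrivateKey, include map[string]bool, lifespan time.Duration) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	now := time.Now().Truncate(time.Second)
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: client.Subject, NotBefore: now, NotAfter: now.Add(lifespan)}
	if include[ExtBasicConstraints] {
		tmpl.BasicConstraintsValid, tmpl.IsCA = true, client.IsCA
	}
	if include[ExtKeyUsage] {
		tmpl.KeyUsage = client.KeyUsage
	}
	if include[ExtExtendedKeyUsage] {
		tmpl.ExtKeyUsage = client.ExtKeyUsage
	}
	if include[ExtSubjectAltName] {
		tmpl.DNSNames, tmpl.EmailAddresses, tmpl.IPAddresses, tmpl.URIs = client.DNSNames, client.EmailAddresses, client.IPAddresses, client.URIs
	}
	cert, _, err := issue(tmpl, caCert, caKey)
	return cert, err
}

// ServerAccepts is the back-end server's check: the presented certificate must chain to a trusted CA and allow client auth.
func ServerAccepts(cert, trusted *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

func main() {
	caCert, caKey, _ := NewC3DCA()
	client, _ := NewClientCert()
	issued, err := IssueC3DCert(client, caCert, caKey, map[string]bool{ExtSubjectAltName: true, ExtExtendedKeyUsage: true}, 24*time.Hour)
	fmt.Println("issue error:", err, "| server accepts C3D cert:", err == nil && ServerAccepts(issued, caCert), "| accepts client's own cert:", ServerAccepts(client, caCert))
}
```

Two points the run makes concrete: the client's own certificate is never accepted by a server that trusts only the C3D CA (so that CA, and nothing else, is what the back end must be configured to trust), and an extension left Disabled in the list simply does not appear in the generated certificate, which is why the Extended Key Usage and Subject Alternative Name entries are usually the ones a server relies on.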
To use this profile, you must assign it to a virtual server. See the Assigning SSL profiles to a virtual server section for detailed information.