Manual Chapter :
Managing Client-Side HTTP Traffic Using a CA-Signed Elliptic Curve DSA Certificate
Applies To:
Show VersionsBIG-IP AAM
- 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
BIG-IP APM
- 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
BIG-IP Analytics
- 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
BIG-IP Link Controller
- 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
BIG-IP LTM
- 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
BIG-IP PEM
- 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
BIG-IP AFM
- 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
BIG-IP DNS
- 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
BIG-IP ASM
- 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Managing Client-Side HTTP Traffic Using a CA-Signed Elliptic Curve DSA Certificate
Overview: Managing client-side HTTP traffic using a CA-signed, ECC-based certificate
When you configure the BIG-IP system to decrypt client-side HTTP requests
and encrypt the server responses, you can optionally configure the BIG-IP system to use the
Elliptic Curve Digital Signature Algorithm (ECDSA) as part of the BIG-IP system's certificate key
chain. The
result is that the BIG-IP system performs the SSL handshake usually performed by target web
servers, using an ECDSA key type in the certificate key chain.
This particular implementation uses a certificate signed by a certificate authority (CA).
Task summary
To implement client-side and server-side authentication using HTTP and SSL with a CA-signed
certificate, you perform a few basic configuration tasks.
Task list
Requesting a CA-signed certificate that contains an ECDSA key type
You can generate a certificate that includes an Elliptic Curve Digital Signature Algorithm (ECDSA) key type, and then copy it or submit it to a trusted certificate authority for signature.
- On the Main tab, click.The Traffic Certificate Management screen opens.
- ClickCreate.
- In theNamefield, type a unique name for the SSL certificate.
- From theIssuerlist, selectCertificate Authority.
- In theCommon Namefield, type a name.This is typically the name of a web site, such aswww.siterequest.com.
- In theDivisionfield, type your department name.
- In theOrganizationfield, type your company name.
- In theLocalityfield, type your city name.
- In the orState or Provincefield, type your state or province name.
- From theCountrylist, select the name of your country.
- In theE-mail Addressfield, type your email address.
- In theLifetimefield, type a number of days, or retain the default,365.
- In theSubject Alternative Namefield, type a name.This name is embedded in the certificate for X509 extension purposes.By assigning this name, you can protect multiple host names with a single SSL certificate.
- In theChallenge Passwordfield, type a password.
- In theConfirm Passwordfield, re-type the password you typed in theChallenge Passwordfield.
- From theKey Typelist, selectECDSA.
- From theCurvelist, select an elliptic curve:prime256v1Creates a key that is 256 bits in lengthsecp384r1Creates a key that is 384 bits in lengthsecp521r1Creates a key that is 521 bits in lengthIn general, longer keys can impact performance but are more secure. Shorter keys result in better performance but are less secure.
- Do one of the following to download the request into a file on your system.
- In theRequest Textfield, copy the certificate.
- ForRequest File, click the button.
- Follow the instructions on the relevant certificate authority web site for either pasting the copied request or attaching the generated request file.
- ClickFinished.The Certificate Signing Request screen displays.
The generated certificate is submitted to a trusted certificate authority for signature.
Creating a custom HTTP profile
An HTTP profile defines the way that you want the BIG-IPsystem to manage HTTP traffic.
- On the Main tab, click.The HTTP profile list screen opens.
- ClickCreate.The New HTTP Profile screen opens.
- In theNamefield, type a unique name for the profile.
- From theParent Profilelist, selecthttp.
- Select theCustomcheck box.
- Modify the settings, as required.
- ClickFinished.
The custom HTTP profile now appears in the HTTP profile list screen.
Create a custom Client SSL profile
You create a custom Client SSL profile when you want the BIG-IP system to terminate client-side SSL traffic for the purpose of:
- Authenticating and decrypting ingress client-side SSL traffic
- Re-encrypting egress client-side traffic
- On the Main tab, click.The Client SSL profile list screen opens.
- ClickCreate.The New Client SSL Profile screen opens.
- In theNamefield, type a unique name for the profile.
- Selectclientsslin theParent Profilelist.
- Select theProxy SSLcheck box (the rest of the UI will collapse following this setting).
- Optionally, select theProxy SSL Passthroughcheck box.This option is often not needed. Review the Knowledge Center article K13385: Overview of the Proxy SSL feature for guidelines on when to enable this setting and its implications.
- Configure theCertificate Key Chain.TheCertificateandKeyunder ClientSSL profile are not used inProxy SSL(since the client and the server will eventually verify each other). F5 recommends leaving the default F5 cert/key pair.
- ClickFinished.
Create a pool to process HTTP traffic
You can create a pool of web servers to process HTTP requests.
- On the Main tab, click.The Pool List screen opens.
- ClickCreate.The New Pool screen opens.
- In theNamefield, type a unique name for the pool.
- For theHealth Monitorssetting, from theAvailablelist, select thehttpmonitor and move the monitor to theActivelist.
- From theLoad Balancing Methodlist, select how the system distributes traffic to members of this pool.The default isRound Robin.
- For thePriority Group Activationsetting, specify how to handle priority groups:
- SelectDisabledto disable priority groups. This is the default option.
- SelectLess than, and in theAvailable Membersfield type the minimum number of members that must remain available in each priority group in order for traffic to remain confined to that group.
- Using theNew Memberssetting, add each resource that you want to include in the pool:
- Type an IP address in theAddressfield.
- Type80in theService Portfield, or selectHTTPfrom the list.
- (Optional) Type a priority number in thePriorityfield.
- ClickAdd.
- ClickFinished.
Creating a virtual server for client-side HTTP traffic
You can specify a virtual server to be either a host virtual server or a network
virtual server to manage HTTP traffic over SSL.
- On the Main tab, click.The Virtual Server List screen opens.
- ClickCreate.The New Virtual Server screen opens.
- In theNamefield, type a unique name for the virtual server.
- For theDestination Address/Masksetting, confirm that theHostbutton is selected, and type the IP address in CIDR format.The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is10.0.0.1or10.0.0.0/24, and an IPv6 address/prefix isffe1::0020/64or2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a/32prefix.The IP address you type must be available and not in the loopback network.
- In theService Portfield, type443, or selectHTTPSfrom the list.
- From theHTTP Profilelist, select the HTTP profile that you previously created.
- For theSSL Profile (Client)setting, from theAvailablelist, select the name of the Client SSL profile you previously created and move the name to theSelectedlist.
- In the Resources area, from theDefault Poollist, select the name of the pool that you created previously.
- ClickFinished.
After performing this task, the virtual server appears in the Virtual Server List
screen.
Implementation results
After you complete the tasks in this implementation, the BIG-IP system
encrypts client-side ingress HTTP traffic using an SSL certificate key chain. The BIG-IP system
also re-encrypts server responses before sending the responses back to the client.
The certificate in the certificate key chain includes an Elliptic Curve Digital Signature
Algorithm (ECDSA) key and certificate.