Manual Chapter : Implementing External Cryptographic Server Offload with BIG-IP Systems

Applies To:

BIG-IP APM, BIG-IP Analytics, BIG-IP LTM, BIG-IP PEM, BIG-IP AFM, BIG-IP DNS, BIG-IP ASM

  • 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0

Overview: Implementing external cryptographic server offload

You can offload cryptographic operations to an external BIG-IP system. For example, you can set up an LTM VE instance (the crypto client) to offload cryptographic operations, such as an RSA decryption operation for an SSL handshake, to an external BIG-IP system (the crypto server) that supports cryptographic hardware acceleration.
In general, the setup process includes configuring a client BIG-IP system as a crypto client and a server BIG-IP system as a crypto server, and ensuring secure communication between the end user, the crypto client, and the crypto server.
Both the crypto client and crypto server must be running BIG-IP software version 11.6.0 or later.
Before you perform the tasks in this implementation, verify that each BIG-IP system has the default device certificate, default.crt, installed on it. For more information about device certificates, see BIG-IP Digital Certificates: Administration.
This illustration depicts an external cryptographic offload configuration.
Figure: Example of external cryptographic server offload
The illustration shows the BIG-IP configuration objects that are required for implementing the external cryptographic server offload feature, as well as the flow of client traffic that occurs. In the illustration, one BIG-IP system includes a virtual server configured with the destination IP address for application traffic coming from a client system. Because the client traffic uses SSL, the BIG-IP system with the virtual server must include a standard Client SSL profile, which causes cryptographic functions to be offloaded from the selected destination server (pool member) to that BIG-IP system.
Once this BIG-IP system has assumed cryptographic functions from the destination server, the BIG-IP system can offload these functions to another BIG-IP system to handle the actual cryptographic processing. To enable the BIG-IP system to offload the cryptographic processing to another BIG-IP system, you must designate the two BIG-IP systems as a crypto client and crypto server, and you must create an SSL profile on each system that is optimized for BIG-IP-to-BIG-IP cryptographic processing (a crypto-optimized Server SSL profile for the BIG-IP crypto client and a crypto-optimized Client SSL profile for the BIG-IP crypto server).

Creating a Client SSL profile on a client BIG-IP system

You create a Client SSL profile on a client BIG-IP system to authenticate and decrypt/encrypt client-side application traffic.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Client.
     The Client SSL profile list screen opens.
  2. Click Create.
     The New Client SSL Profile screen opens.
  3. Configure all profile settings as needed.
  4. Click Finished.
After you create the Client SSL profile, you assign the profile to a virtual server. The BIG-IP system can then apply SSL security to the type of application traffic for which the virtual server is configured to listen.

Creating a pool on a client BIG-IP system

You can create a pool of servers on a client BIG-IP system that you can group together to receive and process traffic.
  1. On the Main tab, click Local Traffic > Pools.
     The Pool List screen opens.
  2. Click Create.
     The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. Using the New Members setting, add each resource that you want to include in the pool:
     1. (Optional) In the Node Name field, type a name for the node portion of the pool member.
     2. In the Address field, type an IP address.
     3. In the Service Port field, type a port number, or select a service name from the list.
     4. (Optional) In the Priority field, type a priority number.
     5. Click Add.
  5. Click Finished.

Creating a virtual server on a client BIG-IP system

A virtual server represents a destination IP address for application traffic on a client BIG-IP system.
  1. On the Main tab, click Local Traffic > Virtual Servers.
     The Virtual Server List screen opens.
  2. Click Create.
     The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address/Mask field:
     • If you want to specify a single IP address, confirm that the Host button is selected, and type the IP address in CIDR format.
     • If you want to specify multiple IP addresses, select the Address List button, and confirm that the address list that you previously created appears in the box.
     The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
     The IP address or addresses for this field must be on the same subnet as the external self-IP address.
  5. In the Service Port field:
     • If you want to specify a single service port or all ports, confirm that the Port button is selected, and type or select a service port.
     • If you want to specify multiple ports other than all ports, select the Port List button, and confirm that the port list that you previously created appears in the box.
  6. In the Resources area of the screen, from the Default Pool list, select the relevant pool name.
  7. For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL profile you previously created and move the name to the Selected list.
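The Destination Address/Mask step above states two rules that are easy to get wrong when an address list is prepared outside the GUI: a bare IPv4 address is treated as /32, and every destination must sit on the same subnet as the external self IP. The following pre-flight check is an added example, not F5's documentation or tooling; it applies both rules to the address formats quoted in the step (IPv4 and IPv6) before the values are entered. The self IP addresses used in the run are constructed for the example.

```python
"""Pre-flight check for a virtual server's Destination Address/Mask entries.

Added example, not part of the BIG-IP documentation or of tmsh. Applies the
two rules from the procedure: destinations are address/prefix with a bare
IPv4 address defaulting to /32, and each destination must lie within the
subnet of the BIG-IP external self IP. Self IP values here are constructed.
"""
import ipaddress
from typing import List, Tuple


def normalize_destination(dest: str) -> str:
    """Return the destination in address/prefix form.

    A bare IPv4 address becomes /32 (the BIG-IP default); a bare IPv6
    address becomes /128, which is the ipaddress module's own default.
    """
    iface = ipaddress.ip_interface(dest)
    return f"{iface.ip}/{iface.network.prefixlen}"


def on_self_ip_subnet(dest: str, self_ip: str) -> bool:
    """True if the destination address is inside the self IP's subnet.

    A destination in the other address family cannot be on the same
    subnet, so a family mismatch is reported as False rather than an error.
    """
    d = ipaddress.ip_interface(dest)
    s = ipaddress.ip_interface(self_ip)
    if d.version != s.version:
        return False
    return d.ip in s.network


def check_destinations(dests: List[str], self_ip: str) -> List[Tuple[str, bool]]:
    """Validate a whole address list; returns (normalized destination, ok) pairs."""
    return [(normalize_destination(d), on_self_ip_subnet(d, self_ip)) for d in dests]


if __name__ == "__main__":
    # Destinations are the documentation's examples; the self IPs are constructed.
    results = check_destinations(["10.0.0.1", "10.0.0.0/24"], "10.0.0.254/24")
    results += check_destinations(
        ["ffe1::0020/64", "2001:ed8:77b5:2:10:10:100:42/64"], "ffe1::1/64"
    )
    for normalized, ok in results:
        print(f"{normalized:40} {'ok' if ok else 'NOT on the self IP subnet'}")
```

Run it against the planned address list and the external self IP of the client BIG-IP; any entry reported as not on the self IP subnet would be rejected or misrouted once configured, so fix it before creating the virtual server.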

Creating a Server SSL profile on a client BIG-IP system

With a Server SSL profile, a client BIG-IP system can perform decryption and encryption for server-side SSL traffic.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Server.
     The Server SSL profile list screen opens.
  2. Click Create.
     The New Server SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. In the Parent Profile list, select crypto-client-default-serverssl.
  5. Modify the settings, as required.
  6. Click Finished.

Creating a crypto client object on a client BIG-IP system

You can create a crypto client object to enable a BIG-IP system to act as a crypto client for external cryptographic server offload.
  1. On the Main tab, click System > Crypto Offloading > Crypto Client.
     The Crypto Client screen displays a list of crypto clients configured on the system.
  2. Click Create.
  3. In the Name field, type a unique name for the crypto client object.
  4. In the Address field, type the IP address of the crypto server that you want this crypto client to use.
  5. In the Service Port field, type a port number, or select a service name from the list.
  6. In the TCP Profiles field, select tcp.
  7. For the SSL Profiles setting, select the Server SSL profile that you previously created.

Creating a Client SSL profile on a server BIG-IP system

You create a Client SSL profile on a server BIG-IP system to authenticate and decrypt/encrypt application traffic from the client BIG-IP system.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Client.
     The Client SSL profile list screen opens.
  2. Click Create.
     The New Client SSL Profile screen opens.
  3. In the Parent Profile list, select crypto-server-default-clientssl.
  4. Configure all profile settings as needed.
  5. Click Finished.

Creating a crypto server object on a server BIG-IP system

You can create a crypto server object to enable your BIG-IP system to act as a crypto server for external cryptographic server offload.
  1. On the Main tab, click System > Crypto Offloading > Crypto Server.
     The Crypto Server screen displays a list of crypto servers configured on the system.
  2. Click Create.
  3. In the Name field, type a unique name for the crypto server object.
  4. In the Address field, type the IP address you want to use for the crypto server object.
  5. In the Service Port field, type a port number, or select a service name from the list.
  6. In the TCP Profiles field, select tcp.
  7. For the SSL Profiles setting, select the Client SSL profile that you previously created.
  8. Using the Crypto Client List setting, add the crypto clients that can access the crypto server:
     1. In the Address field, type a crypto client self IP address.
     2. Click Add.

Verifying the crypto client and crypto server

After the client and server BIG-IP systems have processed traffic, you can use tmsh to verify that the crypto client and crypto server systems are functioning properly.
  1. Open the TMOS shell (tmsh).
     tmsh
  2. Verify that the crypto client is functioning.
     show sys crypto client <crypto_client_name>
     A summary similar to this example displays:
     --------------------------
     Sys::Crypto Client: crypto_client_name
     --------------------------
     Received Packets         2
     Received Bytes          48
     Transmitted Packets      2
     Transmitted Bytes       40
  3. Verify that the crypto server is functioning.
     show sys crypto server <crypto_server_name>
     A summary similar to this example displays:
     --------------------------
     Sys::Crypto Server: crypto_server_name
     --------------------------
     Received Packets         2
     Received Bytes          40
     Transmitted Packets      2
     Transmitted Bytes       48
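The two summaries above are meant to be read together: what the crypto client transmitted over the offload channel is what the crypto server received, and vice versa (48 and 40 bytes in the sample). The following script is an added example, not F5's documentation or part of tmsh; it parses the two summaries and turns that reading into an explicit check, flagging zero counters on either side and any byte-count mismatch between the sides. The two captures embedded in it are the documentation's sample values, laid out one counter per line for parsing; the cross-check assumes this client is the only client configured in the server's Crypto Client List and that both snapshots were taken while no new traffic was flowing.

```python
"""Cross-check tmsh crypto client and crypto server counters.

Added example, not part of the BIG-IP documentation or of tmsh. Parses the
'show sys crypto client' / 'show sys crypto server' summaries and checks
that both sides have seen traffic and that bytes sent by one side equal
bytes received by the other. Valid for a single-client pair sampled while
traffic is quiescent; with several clients the server counters aggregate.
"""
import re
from typing import Dict, List

# Sample captures: the documentation's values, re-laid out one counter per line.
CLIENT_SAMPLE = """\
--------------------------
Sys::Crypto Client: crypto_client_name
--------------------------
Received Packets         2
Received Bytes          48
Transmitted Packets      2
Transmitted Bytes       40
"""

SERVER_SAMPLE = """\
--------------------------
Sys::Crypto Server: crypto_server_name
--------------------------
Received Packets         2
Received Bytes          40
Transmitted Packets      2
Transmitted Bytes       48
"""

COUNTER_NAMES = ("Received Packets", "Received Bytes",
                 "Transmitted Packets", "Transmitted Bytes")
COUNTER_RE = re.compile(
    r"^\s*((?:Received|Transmitted) (?:Packets|Bytes))\s+(\d+)\s*$", re.MULTILINE
)


def parse_crypto_summary(text: str) -> Dict[str, int]:
    """Map each counter name to its integer value; banner lines are ignored.

    Raises ValueError if any of the four expected counters is absent, so a
    truncated or unexpected capture is not silently treated as all-zero.
    """
    counters = {name: int(value) for name, value in COUNTER_RE.findall(text)}
    missing = [name for name in COUNTER_NAMES if name not in counters]
    if missing:
        raise ValueError(f"summary lacks counters: {missing}")
    return counters


def offload_pair_findings(client: Dict[str, int], server: Dict[str, int]) -> List[str]:
    """Return human-readable findings; an empty list means the pair is consistent."""
    findings: List[str] = []
    for side, counters in (("client", client), ("server", server)):
        if counters["Received Packets"] == 0 or counters["Transmitted Packets"] == 0:
            findings.append(f"{side}: no traffic has traversed the offload channel")
    if client["Transmitted Bytes"] != server["Received Bytes"]:
        findings.append("bytes transmitted by client differ from bytes received by server")
    if client["Received Bytes"] != server["Transmitted Bytes"]:
        findings.append("bytes received by client differ from bytes transmitted by server")
    return findings


if __name__ == "__main__":
    client = parse_crypto_summary(CLIENT_SAMPLE)
    server = parse_crypto_summary(SERVER_SAMPLE)
    problems = offload_pair_findings(client, server)
    print("offload pair consistent" if not problems else "\n".join(problems))
```

In practice, paste the live output of each show command in place of the sample captures. A persistent mismatch with a single client, or zero counters after a test SSL handshake has completed, points at the offload channel (crypto client address or port, the Crypto Client List on the server, or the paired crypto-optimized SSL profiles) rather than at the application virtual server.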