F5 Logo MyF5
Search
  1. MyF5 Home
  2. BIG-IP System: SSL Administration
  3. Managing Client- and Server-Side HTTP Traffic Using a CA-Signed Certificate
Manual Chapter : Managing Client- and Server-Side HTTP Traffic Using a CA-Signed Certificate

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0

BIG-IP Analytics

  • 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0

BIG-IP LTM

  • 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0

BIG-IP PEM

  • 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0

BIG-IP AFM

  • 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0

BIG-IP DNS

  • 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0

BIG-IP ASM

  • 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
Manual Chapter

Managing Client- and Server-Side HTTP Traffic Using a CA-Signed Certificate

Overview: Managing client and server HTTP traffic using a CA-signed certificate

One of the ways to configure the BIG-IP system to manage SSL traffic is to enable both client-side and server-side SSL termination:
  • Client-side SSL termination
     makes it possible for the system to decrypt client requests before sending them on to a server, and encrypt server responses before sending them back to the client. This ensures that client-side HTTP traffic is encrypted. In this case, you need to install only one SSL key/certificate pair on the BIG-IP system.
  • Server-side SSL termination
     makes it possible for the system to decrypt and then re-encrypt client requests before sending them on to a server. Server-side SSL termination also decrypts server responses and then re-encrypts them before sending them back to the client. This ensures security for both client- and server-side HTTP traffic. In this case, you need to install two SSL key/certificate pairs on the BIG-IP system. The system uses the first certificate/key pair to authenticate the client, and uses the second pair to request authentication from the server.
This implementation uses a CA-signed certificate to manage HTTP traffic.

Creating a custom HTTP profile

An HTTP profile defines the way that you want the BIG-IPsystem to manage HTTP traffic.
  1. On the Main tab, click
    Local Traffic
    Profiles
    Services
    HTTP
    .
    The HTTP profile list screen opens.
  2. Click
    Create
    .
    The New HTTP Profile screen opens.
  3. In the
    Name
     field, type a unique name for the profile.
  4. From the
    Parent Profile
     list, select
    http
    .
  5. Select the
    Custom
     check box.
  6. Modify the settings, as required.
  7. Click
    Finished
    .
The custom HTTP profile now appears in the HTTP profile list screen.

Task summary

To implement client-side and server-side authentication using HTTP and SSL with a CA-signed certificate, you perform a few basic configuration tasks.

Task list

Requesting a certificate from a certificate authority

You perform this task to generate a certificate signing request (CSR) that can then be submitted to a third-party trusted certificate authority (CA).
F5 Networks recommends that you consult the CA to determine the specific information required for each step in this task.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    .
    The Traffic Certificate Management screen opens.
  2. Click
    Create
    .
  3. In the
    Name
     field, type a unique name for the SSL certificate.
  4. From the
    Issuer
     list, select
    Certificate Authority
    .
  5. In the
    Common Name
     field, type a name.
    This is typically the name of a web site, such as
    www.siterequest.com
    .
  6. In the
    Division
     field, type your department name.
  7. In the
    Organization
     field, type your company name.
  8. In the
    Locality
     field, type your city name.
  9. In the or
    State or Province
     field, type your state or province name.
  10. From the
    Country
     list, select the name of your country.
  11. In the
    E-mail Address
     field, type your email address.
  12. In the
    Lifetime
     field, type a number of days, or retain the default,
    365
    .
  13. In the
    Subject Alternative Name
     field, type a name.
    This name is embedded in the certificate for X509 extension purposes.
    By assigning this name, you can protect multiple host names with a single SSL certificate.
  14. In the
    Challenge Password
     field, type a password.
  15. In the
    Confirm Password
     field, re-type the password you typed in the
    Challenge Password
     field.
  16. From the
    Security Type
     list, select
    NetHSM
    .
  17. From the
    Key Type
     list,
    RSA
     is selected as the default key type.
  18. From the
    Size
     list, select a size, in bits.
  19. Click
    Finished
    .
    The Certificate Signing Request screen displays.
  20. Do one of the following to download the request into a file on your system.
    • In the
      Request Text
       field, copy the certificate.
    • For
      Request File
      , click the button.
  21. Follow the instructions on the relevant certificate authority web site for either pasting the copied request or attaching the generated request file.
  22. Click
    Finished
    .
    The Certificate Signing Request screen displays.
The generated certificate signing request is submitted to a trusted certificate authority for signature.

Create a custom Client SSL profile

You create a custom Client SSL profile when you want the BIG-IP system to terminate client-side SSL traffic for the purpose of:
  • Authenticating and decrypting ingress client-side SSL traffic
  • Re-encrypting egress client-side traffic
By terminating client-side SSL traffic, the BIG-IP system offloads these authentication and decryption/encryption functions from the destination server.
  1. On the Main tab, click
    Local Traffic
    Profiles
    SSL
    Client
    .
    The Client SSL profile list screen opens.
  2. Click
    Create
    .
    The New Client SSL Profile screen opens.
  3. In the
    Name
     field, type a unique name for the profile.
  4. Select
    clientssl
     in the
    Parent Profile
     list.
  5. From the
    Configuration
     list, select
    Advanced
    .
  6. Select the
    Custom
     check box.
    The settings become available for change.
  7. Next to Client Authentication, select the
    Custom
     check box.
    The settings become available.
  8. From the
    Configuration
     list, select
    Advanced
    .
  9. Modify the settings, as required.
  10. Click
    Finished
    .

Create a custom Server SSL profile

Create a custom server SSL profile to support SSL forward proxy.
  1. On the Main tab, click
    Local Traffic
    Profiles
    SSL
    Server
    .
    The Server SSL profile list screen opens.
  2. Click
    Create
    .
    The New Server SSL Profile screen opens.
  3. In the
    Name
     field, type a unique name for the profile.
  4. For
    Parent Profile
    , retain the default selection,
    serverssl
    .
  5. From the
    Configuration
     list, select
    Advanced
    .
  6. Select the
    Custom
     check box.
    The settings become available for change.
  7. From the
    SSL Forward Proxy
     list, select
    Enabled
    .
    You can update this setting later, but only while the profile is not assigned to a virtual server.
  8. From the
    SSL Forward Proxy Bypass
     list, select
    Enabled
     (or retain the default value
    Disabled
    ).
    The values of the
    SSL Forward Proxy Bypass
     settings in the server SSL and the client SSL profiles specified in a virtual server must match. You can update this setting later but only while the profile is not assigned to a virtual server.
  9. Scroll down to the
    Secure Renegotiation
     list and select
    Request
    .
  10. Click
    Finished
    .

Creating a pool to manage HTTPS traffic

You can create a pool (a logical set of devices, such as web servers, that you group together to receive and process HTTPS traffic) to efficiently distribute the load on your server resources.
  1. On the Main tab, click
    Local Traffic
    Pools
    .
    The Pool List screen opens.
  2. Click
    Create
    .
    The New Pool screen opens.
  3. In the
    Name
     field, type a unique name for the pool.
  4. For the
    Health Monitors
     setting, assign
    https
     or
    https_443
     by moving it from the
    Available
     list to the
    Active
     list.
  5. From the
    Load Balancing Method
     list, select how the system distributes traffic to members of this pool.
    The default is
    Round Robin
    .
  6. For the
    Priority Group Activation
     setting, specify how to handle priority groups:
    • Select
      Disabled
       to disable priority groups. This is the default option.
    • Select
      Less than
      , and in the
      Available Members
       field type the minimum number of members that must remain available in each priority group in order for traffic to remain confined to that group.
  7. Use the
    New Members
     setting to add each resource that you want to include in the pool:
    1. In the
      Address
       field, type an IP address.
    2. In the
      Service Port
       field type
      443
       , or select
      HTTPS
       from the list.
    3. (Optional) Type a priority number in the
      Priority
       field.
    4. Click
      Add
      .
  8. Click
    Finished
    .
The HTTPS load balancing pool appears in the Pool List screen.

Creating a virtual server for client-side and server-side HTTPS traffic

You can specify a virtual server to be either a host virtual server or a network virtual server to manage HTTP traffic over SSL.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click
    Create
    .
    The New Virtual Server screen opens.
  3. In the
    Name
     field, type a unique name for the virtual server.
  4. For the
    Destination Address/Mask
     setting, confirm that the
    Host
     button is selected, and type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is
    10.0.0.1
     or
    10.0.0.0/24
    , and an IPv6 address/prefix is
    ffe1::0020/64
     or
    2001:ed8:77b5:2:10:10:100:42/64
    . When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a
    /32
     prefix.
    The IP address you type must be available and not in the loopback network.
  5. Type
    443
     in the
    Service Port
     field, or select
    HTTPS
     from the list.
  6. For the
    HTTP Profile (Client)
     setting, verify that the default HTTP profile,
    http
    , is selected.
  7. For the
    SSL Profile (Client)
     setting, from the
    Available
     list, select the name of the Client SSL profile you previously created and move the name to the
    Selected
     list.
  8. For the
    SSL Profile (Server)
     setting, from the
    Available
     list, select the name of the Server SSL profile you previously created and move the name to the
    Selected
     list.
  9. Click
    Finished
    .
The virtual server now appears in the Virtual Server List screen.

Implementation results

After you complete the tasks in this implementation, the BIG-IP system ensures that SSL authentication and encryption occurs for both client-side and server-side HTTP traffic. The system performs this authentication and encryption according to the values you specify in the Client SSL and Server SSL profiles.
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information