Manual Chapter :
Managing Client-Side HTTP Traffic Using a CA-Signed RSA Certificate
Applies To:
Show VersionsBIG-IP APM
- 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
BIG-IP Analytics
- 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
BIG-IP LTM
- 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
BIG-IP PEM
- 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
BIG-IP AFM
- 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
BIG-IP DNS
- 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
BIG-IP ASM
- 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
Managing Client-Side HTTP Traffic Using a CA-Signed RSA Certificate
Overview: Managing client-side HTTP traffic using a CA-signed RSA certificate
When you want to manage HTTP traffic over SSL, you can configure the BIG-IP system to perform the SSL handshake that target web servers normally perform.
A common way to configure the BIG-IP system is to enable client-side SSL, which makes it
possible for the system to decrypt client requests before sending them on to a server, and
encrypt server responses before sending them back to the client. In this case, you need to
install only one SSL key/certificate pair on the BIG-IP system.
This implementation uses a certificate signed by an RSA certificate authority (CA) to
authenticate HTTP traffic.
Task summary
To implement client-side and server-side authentication using HTTP and SSL with a CA-signed
certificate, you perform a few basic configuration tasks.
Task list
Requesting an RSA certificate from a certificate authority
You can generate a request for an RSA digital certificate and then copy or submit
it to a trusted certificate authority for signature.
- On the Main tab, click.The Traffic Certificate Management screen opens.
- ClickCreate.
- In theNamefield, type a unique name for the SSL certificate.
- From theIssuerlist, selectCertificate Authority.
- In theCommon Namefield, type a name.This is typically the name of a web site, such aswww.siterequest.com.
- In theDivisionfield, type your department name.
- In theOrganizationfield, type your company name.
- In theLocalityfield, type your city name.
- In the orState or Provincefield, type your state or province name.
- From theCountrylist, select the name of your country.
- In theE-mail Addressfield, type your email address.
- In theLifetimefield, type a number of days, or retain the default,365.
- In theSubject Alternative Namefield, type a name.This name is embedded in the certificate for X509 extension purposes.By assigning this name, you can protect multiple host names with a single SSL certificate.
- In theChallenge Passwordfield, type a password.
- In theConfirm Passwordfield, re-type the password you typed in theChallenge Passwordfield.
- From theKey Typelist, selectRSA.
- From theSizelist, select a key size, in bits.
- ClickFinished.The Certificate Signing Request screen displays.
- Do one of the following to download the request into a file on your system.
- In theRequest Textfield, copy the certificate.
- ForRequest File, click the button.
- Follow the instructions on the relevant certificate authority web site for either pasting the copied request or attaching the generated request file.
- ClickFinished.The Certificate Signing Request screen displays.
The generated RSA certificate request is submitted to a trusted certificate
authority for signature.
Creating a custom HTTP profile
An HTTP profile defines the way that you want the BIG-IPsystem to manage HTTP traffic.
- On the Main tab, click.The HTTP profile list screen opens.
- ClickCreate.The New HTTP Profile screen opens.
- In theNamefield, type a unique name for the profile.
- From theParent Profilelist, selecthttp.
- Select theCustomcheck box.
- Modify the settings, as required.
- ClickFinished.
The custom HTTP profile now appears in the HTTP profile list screen.
Create a Client SSL profile
You create a Client SSL profile when you want the BIG-IP system to
authenticate and decrypt/encrypt client-side application traffic.
- On the Main tab, click.The Client SSL profile list screen opens.
- ClickCreate.The New Client SSL Profile screen opens.
- Configure all profile settings as needed.
- ClickFinished.
After creating the Client SSL profile and assigning the profile to a virtual server,
the BIG-IP system can apply SSL security to the type of application traffic for which
the virtual server is configured to listen.
Create a pool to process HTTP traffic
You can create a pool of web servers to process HTTP requests.
- On the Main tab, click.The Pool List screen opens.
- ClickCreate.The New Pool screen opens.
- In theNamefield, type a unique name for the pool.
- For theHealth Monitorssetting, from theAvailablelist, select thehttpmonitor and move the monitor to theActivelist.
- From theLoad Balancing Methodlist, select how the system distributes traffic to members of this pool.The default isRound Robin.
- For thePriority Group Activationsetting, specify how to handle priority groups:
- SelectDisabledto disable priority groups. This is the default option.
- SelectLess than, and in theAvailable Membersfield type the minimum number of members that must remain available in each priority group in order for traffic to remain confined to that group.
- Using theNew Memberssetting, add each resource that you want to include in the pool:
- Type an IP address in theAddressfield.
- Type80in theService Portfield, or selectHTTPfrom the list.
- (Optional) Type a priority number in thePriorityfield.
- ClickAdd.
- ClickFinished.
Creating a virtual server for client-side HTTP traffic
You can specify a virtual server to be either a host virtual server or a network
virtual server to manage HTTP traffic over SSL.
- On the Main tab, click.The Virtual Server List screen opens.
- ClickCreate.The New Virtual Server screen opens.
- In theNamefield, type a unique name for the virtual server.
- For theDestination Address/Masksetting, confirm that theHostbutton is selected, and type the IP address in CIDR format.The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is10.0.0.1or10.0.0.0/24, and an IPv6 address/prefix isffe1::0020/64or2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a/32prefix.The IP address you type must be available and not in the loopback network.
- In theService Portfield, type443, or selectHTTPSfrom the list.
- From theHTTP Profilelist, select the HTTP profile that you previously created.
- For theSSL Profile (Client)setting, from theAvailablelist, select the name of the Client SSL profile you previously created and move the name to theSelectedlist.
- In the Resources area, from theDefault Poollist, select the name of the pool that you created previously.
- ClickFinished.
After performing this task, the virtual server appears in the Virtual Server List
screen.
Implementation results
After you complete the tasks in this implementation, the BIG-IP system
can authenticate and decrypt HTTP traffic coming from a client system, using an RSA digital
certificate. The BIG-IP system can also re-encrypt server responses before sending them back to
the client.