Manual Chapter :
Securing Client-Side and Server-Side LDAP Traffic
Applies To:
Show VersionsBIG-IP APM
- 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
BIG-IP Analytics
- 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
BIG-IP LTM
- 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
BIG-IP PEM
- 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
BIG-IP AFM
- 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
BIG-IP DNS
- 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
BIG-IP ASM
- 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
Securing Client-Side and Server-Side LDAP Traffic
Overview: Securing LDAP traffic with STARTTLS encryption
You can configure STARTTLS encryption for Lightweight Directory Access
Protocol (LDAP) traffic passing through the BIG-IP system.
LDAP
is an industry standard application protocol for accessing and maintaining
distributed directory information services over an Internet Protocol (IP) network.You configure the BIG-IP system for STARTTLS encryption by configuring
Client LDAP and Server LDAP profiles to activate the STARTTLS communication protocol for
any client or server traffic that allows or requires STARTTLS encryption.
Normally, LDAP traffic between LDAP servers and clients is unencrypted.
This creates a privacy issue because LDAP traffic often passes through routers that the
servers and clients do not trust, resulting in a third party potentially changing the
communications between the server and client. Also, two LDAP systems do not normally
authenticate each other. A more secure LDAP server might only allow communications from
other known LDAP systems, or the server might act differently with unknown systems.
To mitigate these problems, the BIG-IP system includes two LDAP profiles
that you can configure. When you configure a Client LDAP or Server LDAP profile, you can
instruct the BIG-IP system to activate the STARTTLS communication protocol for any client
or server traffic that allows or requires STARTTLS encryption. The
STARTTLS
protocol effectively upgrades a plain-text
connection to an encrypted connection on the same port (port 389), instead of using a
separate port for encrypted communication.This illustration shows a basic configuration of a BIG-IP system that
activates STARTTLS to secure LDAP traffic between a client system and the BIG-IP system,
and between the BIG-IP system and an LDAP authentication server.
Task summary
for securing client-side and server-side LDAP traffic
To configure the BIG-IP ®system to process Lightweight Directory Access
Protocol (LDAP) traffic with TLS encryption, you perform a few basic tasks.
Creating a Client
LDAP profile
You perform this task to specify the condition under which the
BIG-IP system should activate STARTTLS encryption for client-side traffic destined
for a specific virtual server.
- On the Main tab, click.The Client LDAP list screen opens.
- ClickCreate.The New Client LDAP Profile screen opens.
- In theNamefield, type a unique name for the profile.
- From theParent Profilelist, retain the default value,clientldap.
- Select theCustomcheck box.
- From theSTARTTLS Activation Modelist, select a value:ValueDescriptionAllowThis value activates STARTTLS encryption for any client-side traffic that allows, but does not require, STARTTLS encryption.RequireThis value activates STARTTLS encryption for any client-side traffic that requires STARTTLS encryption. All messages sent to the BIG-IP system prior to STARTTLS activation are rejected with a message stating that a stronger authentication mechanism is required.NoneThis value refrains from activating STARTTLS encryption for client-side traffic. Note if you select this value, that you optionally can create an iRule that identifies client-side traffic that requires STARTTLS encryption and then dynamically activates STARTTLS for that particular traffic.
- ClickFinished.
After you perform this task, the Client LDAP profile appears on the Client LDAP list
screen.
Creating a Server LDAP profile
You perform this task to specify the condition under which the BIG-IP system should
activate STARTTLS encryption for server-side traffic destined for a specific virtual
server.
- On the Main tab, click.The Server LDAP list screen opens.
- ClickCreate.The New Server LDAP Profile screen opens.
- In theNamefield, type a unique name for the profile.
- From theParent Profilelist, retain the default value,serverldap.
- Select theCustomcheck box.
- From theSTARTTLS Activation Modelist, select a value:ValueDescriptionAllowThis value activates STARTTLS encryption for server-side traffic that allows, but does not require, STARTTLS encryption. In this case, the BIG-IP system only activates STARTTLS for server-side traffic when the BIG-IP system has activated STARTTLS on the client side and the client has acknowledged the activation.RequireThis value activates STARTTLS encryption for any server-side traffic that requires STARTTLS encryption. In this case, the BIG-IP system activates STARTTLS when a successful connection is made.NoneThis value refrains from activating STARTTLS encryption for server-side traffic. Note that if you select this value, you can optionally create an iRule that identifies server-side traffic that requires STARTTLS encryption and then dynamically activates STARTTLS for that particular traffic.
- ClickFinished.
After you perform this task, the Server LDAP profile appears on the Server LDAP list
screen.
Create a custom Client SSL profile
You create a custom Client SSL profile when you want the BIG-IP system to terminate client-side SSL traffic for the purpose of:
- Authenticating and decrypting ingress client-side SSL traffic
- Re-encrypting egress client-side traffic
- On the Main tab, click.The Client SSL profile list screen opens.
- ClickCreate.The New Client SSL Profile screen opens.
- In theNamefield, type a unique name for the profile.
- Selectclientsslin theParent Profilelist.
- From theConfigurationlist, selectAdvanced.
- Select theCustomcheck box.The settings become available for change.
- Next to Client Authentication, select theCustomcheck box.The settings become available.
- From theConfigurationlist, selectAdvanced.
- Modify the settings, as required.
- ClickFinished.
Create a custom Server SSL profile
Create a custom server SSL profile to support SSL forward proxy.
- On the Main tab, click.The Server SSL profile list screen opens.
- ClickCreate.The New Server SSL Profile screen opens.
- In theNamefield, type a unique name for the profile.
- ForParent Profile, retain the default selection,serverssl.
- From theConfigurationlist, selectAdvanced.
- Select theCustomcheck box.The settings become available for change.
- From theSSL Forward Proxylist, selectEnabled.You can update this setting later, but only while the profile is not assigned to a virtual server.
- From theSSL Forward Proxy Bypasslist, selectEnabled(or retain the default valueDisabled).The values of theSSL Forward Proxy Bypasssettings in the server SSL and the client SSL profiles specified in a virtual server must match. You can update this setting later but only while the profile is not assigned to a virtual server.
- Scroll down to theSecure Renegotiationlist and selectRequest.
- ClickFinished.
Creating a virtual server and load-balancing pool
You use this task to create a virtual server, as
well as a default pool of LDAP servers. The virtual server then listens for and applies
the configured STARTTLS activation to client-side or server-side LDAP traffic, or both.
Part of creating this virtual server is specifying the names of any client-side and
server-side LDAP and SSL profiles that you previously created.
- You use this task to create a virtual server, as well as a default pool of LDAP servers. The virtual server then listens for and applies the configured STARTTLS activation to client-side or server-side LDAP traffic, or both. Part of creating this virtual server is specifying the names of any client-side and server-side LDAP and SSL profiles that you previously created.The Virtual Server List screen opens.
- Click theCreatebutton.The New Virtual Server screen opens.
- In theNamefield, type a unique name for the virtual server.
- In theDestination Address/Maskfield, type an address, as appropriate for your network.The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is10.0.0.1or10.0.0.0/24, and an IPv6 address/prefix isffe1::0020/64or2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a/32prefix.
- In theService Portfield, type389or selectLDAPfrom the list.
- From theConfigurationlist, selectBasic.
- For theSSL Profile (Client)setting, in theAvailablebox, select a profile name, and using the Move button, move the name to theSelectedbox.
- From theClient LDAP Profilelist, select the Client LDAP profile that you previously created.
- From theServer LDAP Profilelist, select the Server LDAP profile that you previously created.
- In the Resources area of the screen, for theDefault Poolsetting, click theCreate (+)button.The New Pool screen opens.
- In theNamefield, type a unique name for the pool.
- In the Resources area, for theNew Memberssetting, select the type of new member you are adding, then type the information in the appropriate fields, and clickAddto add as many pool members as you need.
- ClickFinishedto create the pool.The screen refreshes, and reopens the New Virtual Server screen. The new pool name appears in theDefault Poollist.
- ClickFinished.
After you have created the required LDAP and SSL profiles and assigned them to a
virtual server, the BIG-IP system listens for client- and server-side LDAP traffic on
port 389. The BIG-IP system then activates the STARTTLS method for that traffic to
provide SSL security on that same port, before forwarding the traffic on to the
specified LDAP server pool.
Implementation result
After you have created the required LDAP and SSL profiles and assigned them to a virtual server,
the BIG-IP® system listens for client- and server-side LDAP traffic on port 389. The BIG-IP
system then activates the STARTTLS method for that traffic to provide SSL security on that same
port, before forwarding the traffic on to the specified LDAP server pool.