Manual Chapter : Managing Client-Side HTTP Traffic Using a CA-Signed RSA Certificate

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 17.1.1, 17.1.0, 17.0.0

F5 SSL Orchestrator

  • 17.1.1, 17.1.0, 17.0.0

BIG-IP Analytics

  • 17.1.1, 17.1.0, 17.0.0

BIG-IP LTM

  • 17.1.1, 17.1.0, 17.0.0

BIG-IP AFM

  • 17.1.1, 17.1.0, 17.0.0

BIG-IP PEM

  • 17.1.1, 17.1.0, 17.0.0

BIG-IP DNS

  • 17.1.1, 17.1.0, 17.0.0

BIG-IP ASM

  • 17.1.1, 17.1.0, 17.0.0
Manual Chapter

Managing Client-Side HTTP Traffic Using a CA-Signed RSA Certificate

Overview: Managing client-side HTTP traffic using a CA-signed RSA certificate

When you want to manage HTTP traffic over SSL, you can configure the BIG-IP system to perform the SSL handshake that target web servers normally perform.
A common way to configure the BIG-IP system is to enable client-side SSL, which makes it possible for the system to decrypt client requests before sending them on to a server, and encrypt server responses before sending them back to the client. In this case, you need to install only one SSL key/certificate pair on the BIG-IP system.
This implementation uses a certificate signed by an RSA certificate authority (CA) to authenticate HTTP traffic.

Task summary

To implement client-side and server-side authentication using HTTP and SSL with a CA-signed certificate, you perform a few basic configuration tasks.

Task list

Requesting an RSA certificate from a certificate authority

You can generate a request for an RSA digital certificate and then copy or submit it to a trusted certificate authority for signature.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    .
    The Traffic Certificate Management screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a unique name for the SSL certificate.
  4. From the
    Issuer
    list, select
    Certificate Authority
    .
  5. In the
    Common Name
    field, type a name.
    This is typically the name of a web site, such as
    www.siterequest.com
    .
  6. In the
    Division
    field, type your department name.
  7. In the
    Organization
    field, type your company name.
  8. In the
    Locality
    field, type your city name.
  9. In the or
    State or Province
    field, type your state or province name.
  10. From the
    Country
    list, select the name of your country.
  11. In the
    E-mail Address
    field, type your email address.
  12. In the
    Lifetime
    field, type a number of days, or retain the default,
    365
    .
  13. In the
    Subject Alternative Name
    field, type a name.
    This name is embedded in the certificate for X509 extension purposes.
    By assigning this name, you can protect multiple host names with a single SSL certificate.
  14. In the
    Challenge Password
    field, type a password.
  15. In the
    Confirm Password
    field, re-type the password you typed in the
    Challenge Password
    field.
  16. From the
    Key Type
    list, select
    RSA
    .
  17. From the
    Size
    list, select a key size, in bits.
  18. Click
    Finished
    .
    The Certificate Signing Request screen displays.
  19. Do one of the following to download the request into a file on your system.
    • In the
      Request Text
      field, copy the certificate.
    • For
      Request File
      , click the button.
  20. Follow the instructions on the relevant certificate authority web site for either pasting the copied request or attaching the generated request file.
  21. Click
    Finished
    .
    The Certificate Signing Request screen displays.
The generated RSA certificate request is submitted to a trusted certificate authority for signature.

Creating a custom HTTP profile

An HTTP profile defines the way that you want the BIG-IPsystem to manage HTTP traffic.
  1. On the Main tab, click
    Local Traffic
    Profiles
    Services
    HTTP
    .
    The HTTP profile list screen opens.
  2. Click
    Create
    .
    The New HTTP Profile screen opens.
  3. In the
    Name
    field, type a unique name for the profile.
  4. From the
    Parent Profile
    list, select
    http
    .
  5. Select the
    Custom
    check box.
  6. Modify the settings, as required.
  7. Click
    Finished
    .
The custom HTTP profile now appears in the HTTP profile list screen.

Create a Client SSL profile

You create a Client SSL profile when you want the BIG-IP system to authenticate and decrypt/encrypt client-side application traffic.
  1. On the Main tab, click
    Local Traffic
    Profiles
    SSL
    Client
    .
    The Client SSL profile list screen opens.
  2. Click
    Create
    .
    The New Client SSL Profile screen opens.
  3. Configure all profile settings as needed.
  4. Click
    Finished
    .
After creating the Client SSL profile and assigning the profile to a virtual server, the BIG-IP system can apply SSL security to the type of application traffic for which the virtual server is configured to listen.

Create a pool to process HTTP traffic

You can create a pool of web servers to process HTTP requests.
  1. On the Main tab, click
    Local Traffic
    Pools
    .
    The Pool List screen opens.
  2. Click
    Create
    .
    The New Pool screen opens.
  3. In the
    Name
    field, type a unique name for the pool.
  4. For the
    Health Monitors
    setting, from the
    Available
    list, select the
    http
    monitor and move the monitor to the
    Active
    list.
  5. From the
    Load Balancing Method
    list, select how the system distributes traffic to members of this pool.
    The default is
    Round Robin
    .
  6. For the
    Priority Group Activation
    setting, specify how to handle priority groups:
    • Select
      Disabled
      to disable priority groups. This is the default option.
    • Select
      Less than
      , and in the
      Available Members
      field type the minimum number of members that must remain available in each priority group in order for traffic to remain confined to that group.
  7. Using the
    New Members
    setting, add each resource that you want to include in the pool:
    1. Type an IP address in the
      Address
      field.
    2. Type
      80
      in the
      Service Port
      field, or select
      HTTP
      from the list.
    3. (Optional) Type a priority number in the
      Priority
      field.
    4. Click
      Add
      .
  8. Click
    Finished
    .

Creating a virtual server for client-side HTTP traffic

You can specify a virtual server to be either a host virtual server or a network virtual server to manage HTTP traffic over SSL.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click
    Create
    .
    The New Virtual Server screen opens.
  3. In the
    Name
    field, type a unique name for the virtual server.
  4. For the
    Destination Address/Mask
    setting, confirm that the
    Host
    button is selected, and type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is
    10.0.0.1
    or
    10.0.0.0/24
    , and an IPv6 address/prefix is
    ffe1::0020/64
    or
    2001:ed8:77b5:2:10:10:100:42/64
    . When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a
    /32
    prefix.
    The IP address you type must be available and not in the loopback network.
  5. In the
    Service Port
    field, type
    443
    , or select
    HTTPS
    from the list.
  6. From the
    HTTP Profile
    list, select the HTTP profile that you previously created.
  7. For the
    SSL Profile (Client)
    setting, from the
    Available
    list, select the name of the Client SSL profile you previously created and move the name to the
    Selected
    list.
  8. In the Resources area, from the
    Default Pool
    list, select the name of the pool that you created previously.
  9. Click
    Finished
    .
After performing this task, the virtual server appears in the Virtual Server List screen.

Implementation results

After you complete the tasks in this implementation, the BIG-IP system can authenticate and decrypt HTTP traffic coming from a client system, using an RSA digital certificate. The BIG-IP system can also re-encrypt server responses before sending them back to the client.