Manual Chapter : BIG-IP Solutions Guide v4.6.2: Configuring an SSL Accelerator

Applies To:

Show Versions Show Versions

BIG-IP versions 1.x - 4.x

  • 4.6.2
Manual Chapter


11

Configuring an SSL Accelerator


Introducing the SSL Accelerator

The SSL Accelerator feature allows the BIG-IP system to accept HTTPS connections (HTTP over SSL), connect to a web server, retrieve the page, and then send the page to the client.

A key component of the SSL Accelerator feature is that the BIG-IP system can retrieve the web page using an unencrypted HTTP request to the content server. With the SSL Accelerator feature, you can configure an SSL proxy on the BIG-IP system that decrypts HTTP requests that are encrypted with SSL. Decrypting the request offloads SSL processing from the servers to the BIG-IP system, and also allows the BIG-IP system to use the header of the HTTP request to intelligently control how the request is handled. (Requests to the servers can optionally be re-encrypted to maintain security on the server side of the BIG-IP system as well, using a feature called SSL-to-server.)

When the SSL proxy on the BIG-IP system connects to the content server, and address translation is not enabled, the proxy uses the original client's IP address and port as its source address and port. In doing so, the proxy appears to be the client, for logging purposes.

This chapter describes the following features of the BIG-IP SSL Accelerator:

  • Configuring an SSL Accelerator
  • Using an SSL Accelerator scalable configuration
  • Using SSL-to-server

Note


If you have FIPS-140 security modules installed in the BIG-IP system, you must initialize the security world before you configure the SSL Accelerator for encrypted traffic. For more information, see the Platform Guide: 520/540, Chapter 2, Configuring the FIPS-140 Hardware , available on the Software and Documentation CD.

Note


All products except the BIG-IP LoadBalancer, BIG-IP FireGuard Controller, and the BIG-IP Cache Controller support this configuration.


Figure 11.1 An incoming SSL connection received by an SSL Accelerator configured on the BIG-IP system

Configuring the SSL Accelerator

There are several tasks required to set up the SSL Accelerator on the BIG-IP system. These tasks include:

  • Generating a key and obtaining a certificate
  • Configuring the BIG-IP system with the certificate and key
  • Creating a pool for the HTTP servers
  • Creating an HTTP virtual server
  • Creating the proxy for the SSL Accelerator

Generating a key and obtaining a certificate

In order to use the SSL Accelerator feature, you must obtain a valid x509 certificate from an authorized certificate authority (CA).

Note


If you have FIPS-140 hardware installed in the BIG-IP system, see the Platform Guide: 520/540, Chapter 2, Configuring the FIPS-140 Hardware , available on the Software and Documentation CD, for instructions on how to generate a key and obtain a certificate.

The following list contains some companies that are certificate authorities:

  • Verisign (http://www.verisign.com)
  • Digital Signature Trust Company (http://secure.digsigtrust.com)
  • GlobalSign (http://www.globalsign.com)
  • GTE Cybertrust (http://www.cybertrust.gte.com)
  • Entrust (http://www.entrust.net)

You can generate a key, a temporary certificate, and a certificate request form using either the Key Management System (KMS) within the Configuration utility, or the bigpipe proxy command.

Note that we recommend using the Configuration utility for this process. The certification process is generally handled through a web page. Parts of the process require you to cut and paste information from a browser window in the Configuration utility to another browser window on the web site of the CA.

Additional information about keys and certificates

You must have a separate certificate for each domain name on each BIG-IP system or redundant pair of BIG-IP units, regardless of how many non-SSL web servers are load balanced by the BIG-IP system.

If you are already running an SSL server, you can use your existing keys to generate temporary certificates and request files. However, you must obtain new certificates if the ones you have are not for the following web server types:

  • Apache + OpenSSL
  • Stronghold

Generating a key and obtaining a certificate using the Configuration utility

To obtain a valid certificate, you must have a private key. If you do not have a key, you can use the Configuration utility on the BIG-IP system to generate a key and a temporary certificate. You can also use the Configuration utility to create a request file you can submit to a certificate authority (CA). You must complete three tasks in the Configuration utility to create a key and generate a certificate request.

  • Generate a certificate request
  • Submit the certificate request to a CA and generate a temporary certificate
  • Install the SSL certificate from the CA

Each of these tasks is described in detail in the following paragraphs.

To create a new certificate request using the Configuration utility

  1. In the navigation pane, click Proxies.
    The Proxies screen opens.
  2. Select the Cert Admin tab.
  3. Click the Generate New Key Pair/Certificate Request button.
  4. In the Key Information section, select a key length and key file name.

    • Key Length
      Select the key length you want to use for the key. You can select 512, 1024, 2048 or 4096 bits.
    • Key Identifier
      Type in the name of the key file. This should be the fully qualified domain name of the server for which you want to request a certificate. You must add the .key file extension to the name.
  5. In the Certificate Information section, type the information specific to your company. This information includes:
    • Country
      Type the two letter ISO code for your country, or select it from the list. For example, the two-letter code for the United States is US.
    • State or Province
      Type the full name of your state or province, or select it from the list. You must enter a state or province.
    • Locality
      Type the city or town name.
    • Organization
      Type the name of your organization.
    • Organizational Unit
      Type the division name or organizational unit.
    • Domain Name
      Type the name of the domain upon which the server is installed.
    • Email Address
      Type the email address of a person who can be contacted about this certificate.
    • Challenge Password
      Type the password you want to use as the challenge password for this certificate. The CA uses the challenge password to verify any changes you make to the certificate at a later date.
    • Retype Password
      Retype the password you entered for the challenge password.
  6. Click the Generate Key Pair/Certificate Request button.
    After a short pause, the Generate Certificate Request screen opens.
  7. Use the Generate Certificate Request screen to start the process of obtaining a certificate from a CA, and then to generate and install a temporary certificate.

    • Begin the process for obtaining a certificate from CA
      Click the URL of a CA to begin the process of obtaining a certificate for the server. After you select a CA, follow the directions on their web site to submit the certificate request. After your certificate request is approved, and you receive a certificate back from the CA, see To install certificates from the CA using the Configuration utility , for information about installing it on the BIG-IP system.
    • Generate and install a temporary certificate
      Click the Generate Self-Signed Certificate button to create a self-signed certificate for the server. We recommend that you use the temporary certificate for testing only. You should take your site live only after you receive a properly-signed certificate from a certificate authority. When you click this button, a temporary certificate is created and installed on the BIG-IP system. This certificate is valid for 10 years. This temporary certificate allows you to set up an SSL proxy for the SSL Accelerator while you wait for a CA to return a permanent certificate.

Generating a key and obtaining a certificate from the command line

To obtain a valid certificate, you must have a private key. If you do not have a key, you can use the genconf and genkey utilities on the BIG-IP system to generate a key and a temporary certificate. The genkey and gencert utilities automatically generate a request file that you can submit to a certificate authority (CA). If you have a key, you can use the gencert utility to generate a temporary certificate and request file.

These utilities are described in the following list:

  • genconf
    This utility creates a key configuration file that contains specific information about your organization. The genkey utility uses this information to generate a certificate.
  • genkey
    After you run the genconf utility, run this utility to generate a temporary 10-year certificate for testing the SSL Accelerator on the BIG-IP system. This utility also creates a request file that you can submit to a certificate authority (CA) to obtain a certificate.
  • gencert
    If you already have a key, run this utility to generate a temporary certificate and request file for the SSL Accelerator.

To generate a key configuration file using the genconf utility

If you do not have a key, you can generate a key and certificate with the genconf and genkey utilities. First, run the genconf utility with the following commands:

/usr/local/bin/genconf

The utility prompts you for information about the organization for which you are requesting certification. This information includes:

  • The fully qualified domain name (FQDN) of the server. Note that this FQDN must be RFC1034/1035-compliant, and cannot be more than 63 characters long (this is an x509 limitation).
  • The two-letter ISO code for your country
  • The full name of your state or province
  • The city or town name
  • The name of your organization
  • The division name or organizational unit

For example, Figure 11.2 contains entries for the server my.server.net.


Figure 11.2 Example entries for the genconf utility


Common Name (full qualified domain name): my.server.net
Country Name (ISO 2 letter code): US
State or Province Name (full name): WASHINGTON
Locality Name (city, town, etc.): SEATTLE
Organization Name (company): MY COMPANY
Organizational Unit Name (division): WEB UNIT

To generate a key using the genkey utility

After you run the genconf utility, you can generate a key with the genkey utility. Type the following command to run the genkey utility:

/usr/local/bin/genkey <server_name>

For the <server_name>, type the FQDN of the server to which the certificate applies. After the utility starts, it prompts you to verify the information created by the genconf utility. After you run this utility, a certificate request form is created in the following directory:

/config/bigconfig/ssl.csr/<fqdn>.csr

The <fqdn> is the fully qualified domain name of the server. Please contact your certificate authority (CA) and follow their instructions for submitting this request form.

In addition to creating a request form that you can submit to a certificate authority, this utility also generates a temporary certificate. The temporary certificate is located in:

/config/bigconfig/ssl.crt/<fqdn>.crt

The <fqdn> is the fully qualified domain name of the server.

Note that the keys and certificates are copied to the other BIG-IP system in a redundant system when you synchronize the configurations. For more information about synchronizing configurations, see the BIG-IP Reference Guide , Chapter 13, Configuring a Redundant System .

This temporary certificate is good for ten years, but for an SSL proxy you should have a valid certificate from your CA.

Warning


Be sure to keep your previous key if you are still undergoing certification. The certificate you receive is valid only with the key that originally generated the request.

To generate a certificate with an existing key using the gencert utility

To generate a temporary certificate and request file to submit to the certificate authority with the gencert utility, you must first copy an existing key for a server into the following directory on the BIG-IP system:

/config/bigconfig/ssl.key/

After you copy the key into this directory, type the following command at the command line:

/usr/local/bin/gencert <server_name>

For the <server_name>, type the FQDN of the server to which the certificate applies. After the utility starts, it prompts you for various information. After you run this utility, a certificate request form is created in the following directory:

/config/bigconfig/ssl.crt/<fqdn>.csr

The <fqdn> is the fully qualified domain name of the server. Please contact your certificate authority (CA) and follow their instructions for submitting this request form.

Installing certificates from the certificate authority (CA)

After you obtain a valid x509 certificate from a certificate authority (CA) for the SSL Accelerator, you must copy it onto each BIG-IP unit in the redundant system. You can configure the accelerator with certificates using the Configuration utility or from the command line.

To install certificates from the CA using the Configuration utility

  1. In the navigation pane, click Proxies.
    The Proxies screen opens.
  2. Select the Cert Admin tab.
  3. In the Key List column, locate the key pair for which you want to install a certificate.
  4. In the Certificate ID column, click the name of the certificate you want to install.
    The the properties page for that certificate displays.
  5. Click the Install Certificate button
  6. Provide the requested information for either Option 1 or Option 2.
  7. Click the Install Certificate button.

Figure 11.3 shows an example of a certificate.


Figure 11.3 An example of a certificate


-----BEGIN CERTIFICATE-----
MIIB1DCCAX4CAQAwDQYJKoZIhvcNAQEEBQAwdTELMAkGA1UEBhMCVVMxCzAJBgNV
BAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMRQwEgYDVQQKEwtGNSBOZXR3b3JrczEc
MBoGA1UECxMTUHJvZHVjdCBEZXZlbG9wbWVudDETMBEGA1UEAxMKc2VydmVyLm5l
dDAeFw0wMDA0MTkxNjMxNTlaFw0wMDA1MTkxNjMxNTlaMHUxCzAJBgNVBAYTAlVT
MQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHU2VhdHRsZTEUMBIGA1UEChMLRjUgTmV0
d29ya3MxHDAaBgNVBAsTE1Byb2R1Y3QgRGV2ZWxvcG1lbnQxEzARBgNVBAMTCnNl
cnZlci5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAsfCFXq3Jt+FevxUqBZ9T
Z7nHx9uaF5x9V5xMZYgekjc+LrF/yazhmq4PCxrws3gvJmgpTsh50YJrhJgfs2bE
gwIDAQABMA0GCSqGSIb3DQEBBAUAA0EAd1q6+u/aMaM2qdo7EjWx14TYQQGomYoq
eydlzb/3FOiJAynDXnGnSt+CVvyRXtvmG7V8xJamzkyEpZd4iLacLQ==
-----END CERTIFICATE-----

To install certificates from the CA from the command line

Copy the certificate into the following directory on each BIG-IP unit in a redundant system:

/config/bigconfig/ssl.crt/

Note


The certificate you receive from the certificate authority (CA) should overwrite the temporary certificate generated by genkey or gencert.

If you used the genkey or gencert utilities to generate the request file, a copy of the corresponding key should already be in the following directory on the BIG-IP system:

/config/bigconfig/ssl.key/

Warning


In a redundant system, the keys and certificates must be in place on both BIG-IP units before you configure the SSL Accelerator. To do this, you must synchronize the configurations in the redundant system; see the BIG-IP BIG-IP Reference Guide , Chapter 13, Configuring a Redundant System .

Creating a pool for the HTTP servers

After you configure the BIG-IP system with the certificates and keys, the next step is to create a pool containing the HTTP servers for which the SSL Accelerator handles connections.

To create the pools using the Configuration utility

  1. In the navigation pane, click Pools.
    The Pools screen opens.
  2. Click the ADD button.
    The Add Pool screen opens.
  3. For each pool, enter the pool name and member addresses in the Add Pool screen. (For additional information about configuring a pool, click the Help button.)

    Configuration note

    For this example, you create an HTTP pool named http_pool that would contain the following members:

    10.1.1.20:80

    10.1.1.21:80

    10.1.1.22:80


To define the pool from the command line

To define a pool from the command line, use the following syntax:

b pool <pool_name> { member <member_definition> member <member_definition> }

For example, to create the pools http_pool and ssl_pool from the command line, type the following command:

b pool http_pool { member 10.1.1.20:80 member 10.1.1.21:80 member 10.1.1.22:80 }


Creating an HTTP virtual server

The next task in configuring the SSL Accelerator is to create a virtual server that references the HTTP pool. For example, create a virtual server 20.1.1.10:80, that references a pool of HTTP servers named http_pool.

To create an HTTP virtual server using the Configuration utility

  1. In the navigation pane, click Virtual Severs.
    The Virtual Servers screen opens.
  2. Click the ADD button.
    The Add Virtual Server screen opens.
  3. For each virtual server, enter the virtual server address and pool name. (For additional information about configuring a virtual server, click the Help button.)

    Configuration note

    For this example, you would create a virtual server using the pool http_pool.


To create an HTTP virtual server from the command line

After you have defined a pool that contains the HTTP servers, use the following syntax to create a virtual server that references the pool:

b virtual <virt ip>:<service> use pool <pool_name>

For example, if you want to create a virtual server 20.1.1.10:80, that references a pool of HTTP servers named http_pool, you would type the following command:

b virtual 20.1.1.10:80 use pool http_pool

After you create the virtual server that references the pool of HTTP servers, you can create an SSL proxy. The following section describes how to create an SSL proxy.


Creating an SSL proxy

After you create the HTTP virtual server for which the SSL Accelerator handles connections, the next step is to create a client-side SSL proxy. This section also contains information about managing an SSL proxy.

To create an SSL proxy using the Configuration utility

  1. In the navigation pane, click Proxies.
    The Proxies screen opens.
  2. Click the ADD button.
    The Add Proxy screen opens.
  3. In the Add Proxy screen, configure the attributes you want to use with the proxy. For additional information about configuring a proxy, click the Help button.

To create an SSL proxy from the command line

Use the following command syntax to create an SSL proxy:

b proxy <ip>:<service> \

target <server | virtual> <ip>:<service> \

clientssl enable \

clientssl key <clientssl_key> \

clientssl cert <clientssl_cert>

For example, you can create an SSL proxy from the command line that looks like this:

b proxy 10.1.1.1:443 \

target virtual 20.1.1.10:80 \

clientssl enable \

clientssl key my.server.net.key \

clientssl cert my.server.net.crt


Introducing the SSL Accelerator scalable configuration

This section explains how to set up a scalable one-armed SSL Accelerator configuration. This configuration is useful for any enterprise that handles a large amount of encrypted traffic.

With this configuration, you can easily add BIG-IP e-Commerce Controllers to keep up with expanding SSL content, or a growing array of SSL content servers without adding more BIG-IP units.

Figure 11.4 shows a scalable configuration. The configuration includes a BIG-IP system; the BIG-IP e-Commerce Controllers Accelerator1, Accelerator2, Accelerator3, and Accelerator4; and the server array Server1, Server2, Server3, and Server4.

The following sections refer to Figure 11.4 as an example of how you can set up such a configuration.

Note


The IP addresses shown in these configurations are examples only. When implementing your configuration, choose IP addresses that are consistent with your network or networks.


Figure 11.4 An SSL Accelerator scalable configuration


Creating the scalable SSL Accelerator configuration

To implement the scalable configuration, you must configure the BIG-IP system that load balances the servers and SSL Accelerators, each SSL Accelerator, and each node that handles connections from the SSL Accelerator.

First, complete the following tasks on the BIG-IP system that you want to use to load balance connections to the SSL Accelerators:

  • Create two load balancing pools
    One pool load balances HTTP connections using the IP addresses of the web servers, the other pool load balances SSL connections to the SSL Accelerators.
  • Create virtual servers
    Create virtual servers that reference the load balancing pools. Create one virtual server for the pool load balancing the SSL connections to the accelerators, and another virtual server for the pool that load balances the HTTP connections to the servers. Disable external VLAN for the HTTP virtual server to prevent clients from making a direct connection, bypassing the SSL accelerators.
  • Enable service 80 and service 443
    Enable service 80 and service 443 on the BIG-IP system.
  • Set the idle connection timer
    Set the idle connection timer for service 443.

Next, complete the following tasks for the SSL Accelerators:

  • Set up SSL proxies
    Set up an SSL proxy for each accelerator
  • Enable service 443
    Enable service 443 for encrypted traffic.

Configuring the BIG-IP system that load balances the SSL Accelerators

To configure the BIG-IP system that load balances the SSL Accelerators, complete the following tasks on the BIG-IP system. This section describes how to complete each task.

  • Create two load balancing pools. One pool load balances HTTP connections using the IP addresses of the web servers, the other pool load balances SSL connections from the SSL Accelerator proxies.
  • Create virtual servers that reference the load balancing pools.
  • Enable port 80 and port 443 on the BIG-IP system.

Creating load balancing pools

You need to create two pools, a pool to load balance connections using the IP addresses of the content server nodes, and a pool to load balance the SSL proxys.

To create the pools using the Configuration utility

  1. In the navigation pane, click Pools.
    The Pools screen opens.
  2. Click the Add button.
    The Add Pool screen opens.
  3. For each pool, enter the pool name and member addresses in the Add Pool screen. (For additional information about configuring a pool, click the Help button.)

    Configuration notes

    For this example, create an HTTP pool named http_virtual. This pool contains the following members:
    Server1 (10.3.0.11)
    Server2 (10.3.0.12)
    Server3 (10.3.0.13)
    Server4 (10.3.0.14)

    For this example, you could create an SSL accelerator pool named ssl_proxys. This pool contains the following members:
    accelerator1 (10.1.0.111)
    accelerator2 (10.1.0.112)
    accelerator3 (10.1.0.113)
    accelerator4 (10.1.0.114)

To define a pool from the command line

To define a pool from the command line, use the following syntax:

b pool <pool_name> { member <member_definition> ... member <member_definition>}

For example, if you want to create the pool http_virtual and the pool ssl_proxys, you would type the following commands:

b pool http_virtual { \

member 10.3.0.11:80 \

member 10.3.0.12:80 \

member 10.3.0.13:80 \

member 10.3.0.14:80 }

b pool ssl_proxys { \

member 10.1.0.111:443 \

member 10.1.0.112:443 \

member 10.1.0.113:443 \

member 10.1.0.114:443 }

Creating the virtual servers

Create a virtual server that references the pool that is load balancing the SSL connections, and another virtual server that references the pool that load balances the HTTP connections through the SSL Accelerator proxies.

To define a standard virtual server that references a pool using the Configuration utility

  1. In the navigation pane, click Virtual Servers.
  2. Click the Add button.
    The Add Virtual Server screen opens.
  3. For each virtual server, enter the virtual server address and pool name. (For additional information about configuring a virtual server, click the Help button.)

    Configuration notes

    To create the configuration described in Figure 11.4 , create a virtual server 192.168.200.30 on port 443 that references the pool of SSL accelerators.

    To create the configuration described in Figure 11.4 , create a virtual server 192.168.200.30 on port 80 that references the pool of content servers.

To define the virtual servers from the command line

To define a standard virtual server from the command line, use the following syntax:

b virtual <virt_IP>:<service> use pool <pool_name>

Note that you can use host names in place of IP addresses, and that you can use standard service names in place of port numbers.

To create the virtual servers for the configuration in Figure 11.4 , you would type the following commands:

b virtual 192.168.200.30:443 use pool ssl_proxys

b virtual 192.168.200.30:80 use pool http_virtual \

vlans external disable

Enabling ports 80 and 443 on the BIG-IP system

For security reasons, the BIG-IP ports do not accept traffic until you enable them. In this configuration, the BIG-IP system accepts traffic on port 443 for SSL, and on port 80 for HTTP. For this configuration to work, you must enable port 80 and port 443.

Use the following command to enable these ports:

b service 80 443 tcp enable

Setting the idle connection timer for port 443

In this configuration, you should set the idle connection timer to clean up closed connections on port 443. You need to set an appropriate idle connection time-out value, in seconds, so that valid connections are not disconnected, and closed connections are cleaned up in a reasonable time.

To set the idle connection timeout using the Configuration utility

  1. In the navigation pane, click Virtual Servers.
  2. In the Virtual Servers list, click the virtual server you configured for SSL connections.
    The Virtual Server Properties screen opens.
  3. Click the Virtual Service Properties tab.
    The Virtual Service Properties screen opens.
  4. In the Idle connection timeout TCP (seconds) box, type a timeout value for TCP connections. You can use the default setting of 1005, unless you are creating a client-side SSL proxy, in which case you should specify a value of 10.
  5. Click Apply.

To set the idle connection time-out from the command line

To set the idle connection time-out, type the following command:

b service <service> timeout tcp <timeout>

The <timeout> value is the number of seconds a connection is allowed to remain idle before it is terminated. You can use the default setting of 1005, unless you are creating a client-side SSL proxy, in which case you should specify a value of 10.

The <service> value is the port on the wildcard virtual server for which you are configuring out-of-path routing.

Configuring the SSL Accelerators

The next step in the process is to configure the SSL Accelerators. Complete the following tasks on each SSL Accelerator:

  • Set up an SSL proxy for each e-Commerce Controller
  • Enable port 443
  • Set the idle connection timer for port 443

Setting up an SSL proxy for each e-Commerce Controller

The first task you must complete on the SSL Accelerator is to set up a client-side proxy for each e-Commerce Controller with the HTTP virtual server as target server.

To create an SSL proxy using the Configuration utility
  1. In the navigation pane, click Proxies.
    The Proxies screen opens.
  2. Click the Add button.
    The Add Proxy screen opens.
  3. In the Proxy Type section, click the SSL check box.
  4. In the Add Proxy screen, configure the attributes you want to use with the proxy. For additional information about configuring a Proxy, click the Help button or see the BIG-IP Reference Guide .

    Configuration note

    For this example, create the following proxies on Accelerator1, Accelerator2, Accelerator3, and Accelerator4, respectively: 10.1.0.111:443, 10.1.0.112:443, 10.1.0.113:443, and 10.1.0.114:443.


To create an SSL proxy from the command line

Use the following command syntax to create an SSL proxy:

b proxy <ip>:<service> target server <ip>:<service> clientssl enable clientssl key <clientssl_key> clientssl cert <clientssl_cert>

For example, to create the SSL proxys accelerator1, accelerator2, accelerator3 and accelerator4, you would use the following commands on these four e-Commerce Controllers, respectively. Note that the target for each proxy is the HTTP virtual server 192.168.200.30:80. For accelerator1, type the following command:

b proxy 10.1.0.111:443 \

target server 192.168.200.30:80 \

clientssl enable \

clientssl key my.server.net.key \

clientssl cert my.server.net.crt

In this example, to complete the configuration for accelerator2, type the following command:

b proxy 10.1.0.112:443 \

target server 192.168.200.30:80 \

clientssl enable \

clientssl key my.server.net.key \

clientssl cert my.server.net.crt

In this example, to complete the configuration for accelerator3, type the following command:

b proxy 10.1.0.113:443 \

target server 192.168.200.30:80 \

clientssl enable \

clientssl key my.server.net.key \

clientssl cert my.server.net.crt

In this example, to complete the configuration for accelerator4, type the following command:

b proxy 10.1.0.114:443 \

target server 192.168.200.30:80 \

clientssl enable \

clientssl key my.server.net.key \

clientssl cert my.server.net.crt


Enabling port 443

For security reasons, the ports on the SSL Accelerators do not accept traffic until you enable them. In this configuration, the SSL Accelerator accepts traffic on port 443 for SSL. For this configuration to work, you must enable port 443. Use the following command to enable this port:

b service 443 tcp enable


Using SSL-to-server

As described so far, SSL acceleration offloads SSL from the server to the BIG-IP system. In some situations, security requirements demand that traffic on the internal VLAN (that is, behind the virtual server) be encrypted as well, or more exactly, re-encrypted. This server-side re-encryption requires that the servers handle the final SSL processing, but SSL acceleration is still obtained because the process is faster than allowing SSL client connections directly to the servers. (This is because session keys are re-used and because more efficient ciphers are used for the server-side SSL connections.) Figure 11.5 shows the SSL Accelerator configuration of Figure 11.1 with SSL-to-server added. Note that the only diagrammatic difference is that both client-side and server-side traffic are now labeled SSL, and the virtual server is now configured for service 443.


Figure 11.5 An incoming SSL connection with SSL-to-server


Configuring an SSL Accelerator with SSL-to-server

Since SSL-to-server is typically used together with standard, client-side SSL acceleration, configuring SSL-to-server involves the same tasks used in the preceding solutions ( Configuring the SSL Accelerator and Introducing the SSL Accelerator scalable configuration ), with the following exceptions:

  • The servers must be equipped and enabled for SSL processing.
  • In most cases, you will want to configure the server pool and virtual server as HTTPS rather than HTTP and change the proxy targets accordingly.
  • For the proxy or proxies, you must enable server-side SSL.

    Optionally, you may configure a second certificate on the proxy to authenticate it to the servers as a trusted client.

    Note


    Enabling the SSL-to-Server feature without enabling a client-side SSL proxy is not recommended.

Configuring a server pool and virtual server for HTTPS

To configure the server pool and virtual server for HTTPS for the non-scalable configuration, simply perform the steps in Creating a pool for the HTTP servers and Creating an HTTP virtual server , only rename the pool https_pool and substitute service 443 for service 80 for both the nodes and for the virtual server. (Also, give the virtual server a different IP address.) If you use the command line, you accomplish these tasks as follows:

b pool https_pool { \

member 10.1.1.20:443 \

member 10.1.1.21:443 \

member 10.1.1.22:443 }

b virtual 20.1.1.1:443 use pool https_pool

To configure the server pool members and virtual server for HTTPS for the scalable configuration, perform the steps in Creating load balancing pools , only rename the pool https_virtual and substitute service 443 for service 80 for all nodes and for the virtual server. If you use the command line, you accomplish these tasks as follows:

b pool https_virtual { \

member 10.3.0.11:443 \

member 10.3.0.12:443 \

member 10.3.0.13:443 \

member 10.3.0.14:443 }

b pool ssl_proxys { \

member 10.1.0.111:443 \

member 10.1.0.112:443 \

member 10.1.0.113:443 \

member 10.1.0.114:443 }

b virtual 192.168.200.30:443 use pool ssl_proxys

b virtual 192.168.200.40:443 use pool https_virtual

Configuring the proxy for server-side SSL

To configure the proxy for server-side SSL for the non-scalable configuration, perform the steps in Creating an SSL proxy , specifying the serverssl enable attribute in addition to the clientssl enable attribute. Also, when specifying the target virtual server, it is recommended that you configure the target virtual server as HTTPS instead of HTTP. If you use the command line, you accomplish these tasks as follows:

b proxy 20.1.1.1:443 \

target virtual 20.1.1.10:443 \

clientssl enable \

clientssl key my.server.net.key \

clientssl cert my.server.net.crt \

serverssl enable

Optionally, you may specify a key file and a certificate file for the proxy as a client. This is done as follows:

b proxy 20.1.1.1:443 \

target virtual 20.1.1.10:443 \

clientssl enable \

clientssl key my.server.net.key \

clientssl cert my.server.net.crt \

serverssl enable \

serverssl key my.client.net.key \

serverssl cert my.client.net.key

Additional configuration options

Whenever a BIG-IP system is configured, you have a number of options: