Manual Chapter : BIG-IP 4.6 Features Guide:SSL Proxy Selective Re-encryption

Applies To:

Show Versions Show Versions

BIG-IP versions 1.x - 4.x

  • 4.6.0
Manual Chapter

2

SSL Proxy Selective Re-encryption


Selective re-encryption at the pool level

One of the functions of the SSL proxy is to handle encryption and decryption tasks that are normally performed by a web server as part of processing a client request. When configured as a client-side-only proxy, the proxy decrypts incoming requests before sending them on in plain text to the target server. When the SSL-to-Server feature is enabled, the proxy provides an additional level of security by re-encrypting the request before sending it on to the target server.

SSL proxy server-side re-encryption at the pool level allows you to override the re-encryption option for selected pools. This is useful for configurations that include a local pool that does not require server side re-encryption and a remote fallback pool that requires server-side re-encryption. In order for selective re-encryption to function correctly, the pool must be referenced by a proxy that has server-side re-encryption enabled. For information on setting up server-side re-encryption on a proxy, see the BIG-IP Reference Guide.

To configure selective re-encryption for a pool using the Configuration utility

Follow these steps to configure SSL server-side re-encryption on a pool using the Configuration utility. SSL server-side re-encryption is enabled by default.

  1. In the navigation pane, click Pools.
    The Pools screen opens.
  2. In the Pool Name list, click the pool name for which you want to set up SSL server-side re-encryption.
    This displays the properties of that pool.
  3. Check the Enable ServerSSL box to enable SSL server-side re-encryption. Clear the Enable ServerSSL box to disable this feature.

To configure selective re-encryption for a pool from the command line

The serverssl option enables and disables the server-side re-encryption feature for the pool being defined. SSL re-encryption is enabled by default for all server-side connections. If this option is set to disable, server-side re-encryption is disabled on the target pool even when server-side re-encryption is enabled on the proxy.

To configure server-side re-encryption for a pool from the command line, type the bigpipe pool command, using the appropriate arguments, as follows:

bp pool <pool_name> serverssl <enable | disable>

To view the status of server-side re-encryption for a pool from the command line, type the following bigpipe pool command:

bp pool <pool_name> serverssl show