Applies To: BIG-IP versions 1.x - 4.x
SSL Proxy Selective Re-encryption
Selective re-encryption at the pool level
One of the functions of the SSL proxy is to handle encryption and decryption tasks that are normally performed by a web server as part of processing a client request. When configured as a client-side-only proxy, the proxy decrypts incoming requests before sending them on in plain text to the target server. When the SSL-to-Server feature is enabled, the proxy provides an additional level of security by re-encrypting the request before sending it on to the target server.
SSL proxy server-side re-encryption at the pool level allows you to override the re-encryption option for selected pools. This is useful for configurations that include a local pool that does not require server-side re-encryption and a remote fallback pool that requires server-side re-encryption. In order for selective re-encryption to function correctly, the pool must be referenced by a proxy that has server-side re-encryption enabled. For information on setting up server-side re-encryption on a proxy, see the BIG-IP Reference Guide.
To configure selective re-encryption for a pool using the Configuration utility
Follow these steps to configure SSL server-side re-encryption on a pool using the Configuration utility. SSL server-side re-encryption is enabled by default.
- In the navigation pane, click Pools.
The Pools screen opens.
- In the Pool Name list, click the pool name for which you want to set up SSL server-side re-encryption.
This displays the properties of that pool.
- Check the Enable ServerSSL box to enable SSL server-side re-encryption. Clear the Enable ServerSSL box to disable this feature.
To configure selective re-encryption for a pool from the command line
The serverssl option enables and disables the server-side re-encryption feature for the pool being defined. SSL re-encryption is enabled by default for all server-side connections. If this option is set to disable, server-side re-encryption is disabled on the target pool even when server-side re-encryption is enabled on the proxy.
To configure server-side re-encryption for a pool from the command line, type the bigpipe pool command, using the appropriate arguments, as follows:
bp pool <pool_name> serverssl <enable | disable>
To view the status of server-side re-encryption for a pool from the command line, type the following bigpipe pool command:
bp pool <pool_name> serverssl show
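The following is an added example, not part of the BIG-IP documentation: a small audit that applies the rule described above (re-encryption happens only when the proxy has server-side re-encryption enabled and the pool's serverssl option is not set to disable) and lists the proxy-to-pool paths that would carry plain text to a remote pool. The inventory, the pool and proxy names, and the remote and ssl_to_server fields are constructed for illustration and are not bigpipe output.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    name: str
    serverssl: str = "enable"  # pool-level option; enabled by default
    remote: bool = False       # constructed flag: members are off the local network


@dataclass
class Proxy:
    name: str
    ssl_to_server: bool        # proxy-level server-side re-encryption (assumed field name)
    pools: tuple               # names of the pools this proxy references


def reencrypts(proxy, pool):
    """True only if the proxy re-encrypts and the pool does not override it."""
    return proxy.ssl_to_server and pool.serverssl == "enable"


def audit(proxies, pools):
    """Return (proxy, pool, reason) for every plain-text path to a remote pool."""
    by_name = {p.name: p for p in pools}
    findings = []
    for proxy in proxies:
        for name in proxy.pools:
            pool = by_name[name]
            if reencrypts(proxy, pool) or not pool.remote:
                continue
            reason = ("pool serverssl disable" if proxy.ssl_to_server
                      else "proxy lacks server-side re-encryption")
            findings.append((proxy.name, pool.name, reason))
    return findings


# Constructed inventory: one local pool and two remote pools.
POOLS = [
    Pool("local_web", serverssl="disable"),
    Pool("remote_fallback", remote=True),
    Pool("remote_reports", serverssl="disable", remote=True),
]
PROXIES = [
    Proxy("proxy_a", True, ("local_web", "remote_fallback")),
    Proxy("proxy_b", True, ("remote_reports",)),
    Proxy("proxy_c", False, ("remote_fallback",)),
]

if __name__ == "__main__":
    for finding in audit(PROXIES, POOLS):
        print(*finding, sep=" | ")
```

The reason column shows where the fix belongs: on the pool (bp pool <pool_name> serverssl enable) or on the proxy that references it.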