Manual Chapter : Implementing External Cryptographic Server Offload with BIG-IP Systems

Applies To:

BIG-IP AAM

  • 14.1.2, 14.1.0

BIG-IP APM

  • 14.1.2, 14.1.0

BIG-IP Analytics

  • 14.1.2, 14.1.0

BIG-IP Link Controller

  • 14.1.2, 14.1.0

BIG-IP LTM

  • 14.1.2, 14.1.0

BIG-IP PEM

  • 14.1.2, 14.1.0

BIG-IP AFM

  • 14.1.2, 14.1.0

BIG-IP DNS

  • 14.1.2, 14.1.0

BIG-IP ASM

  • 14.1.2, 14.1.0
Overview: Implementing external cryptographic server offload

You can offload cryptographic operations to an external BIG-IP® system. For example, you can set up an LTM VE instance (the crypto client) to offload cryptographic operations, such as the RSA decryption operation in an SSL handshake, to an external BIG-IP system (the crypto server) that supports cryptographic hardware acceleration.

In general, the setup process includes configuring a client BIG-IP system as a crypto client and a server BIG-IP system as a crypto server, and ensures secure communication between the end user, the crypto client, and the crypto server.

Important: Both the crypto client and crypto server must be running BIG-IP software version 11.6.0 or later.
Important: Before you perform the tasks in this implementation, verify that each BIG-IP system has the default device certificate, default.crt, installed on it. For more information about device certificates, see BIG-IP® Digital Certificates: Administration.

This illustration depicts an external cryptographic offload configuration.

Example of external cryptographic server offload

The illustration shows the BIG-IP configuration objects that are required for implementing the external cryptographic server offload feature, as well as the flow of client traffic that occurs. In the illustration, one BIG-IP system includes a virtual server configured with the destination IP address for application traffic coming from a client system. Because the client traffic uses SSL, the BIG-IP system with the virtual server must include a standard Client SSL profile, which causes cryptographic functions to be offloaded from the selected destination server (pool member) to that BIG-IP system.

Once this BIG-IP system has assumed cryptographic functions from the destination server, the BIG-IP system can offload these functions to another BIG-IP system to handle the actual cryptographic processing. To enable the BIG-IP system to offload the cryptographic processing to another BIG-IP system, you must designate the two BIG-IP systems as a crypto client and crypto server, and you must create an SSL profile on each system that is optimized for BIG-IP-to-BIG-IP cryptographic processing (a crypto-optimized Server SSL profile for the BIG-IP crypto client and crypto-optimized Client SSL profile for the BIG-IP crypto server).

Task summary

Creating a Client SSL profile on a client BIG-IP system

You create a Client SSL profile on a client BIG-IP system to authenticate and decrypt/encrypt client-side application traffic.

  1. On the Main tab, click Local Traffic > Profiles > SSL > Client.
    The Client SSL profile list screen opens.
  2. Click Create.
    The New Client SSL Profile screen opens.
  3. Configure all profile settings as needed.
  4. Click Finished.
After you create the Client SSL profile, you assign the profile to a virtual server. The BIG-IP system can apply SSL security to the type of application traffic for which the virtual server is configured to listen.

Creating a pool on a client BIG-IP system

You can create a pool on a client BIG-IP system to group the servers that receive and process application traffic.
  1. On the Main tab, click Local Traffic > Pools.
    The Pool List screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. Using the New Members setting, add each resource that you want to include in the pool:
    1. (Optional) In the Node Name field, type a name for the node portion of the pool member.
    2. In the Address field, type an IP address.
    3. In the Service Port field, type a port number, or select a service name from the list.
    4. (Optional) In the Priority field, type a priority number.
    5. Click Add.
  5. Click Finished.

Creating a virtual server on a client BIG-IP system

A virtual server represents a destination IP address for application traffic on a client BIG-IP system.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click Create.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address/Mask field:
    • If you want to specify a single IP address, confirm that the Host button is selected, and type the IP address in CIDR format.
    • If you want to specify multiple IP addresses, select the Address List button, and confirm that the address list that you previously created appears in the box.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
    Note: The IP address or addresses for this field must be on the same subnet as the external self-IP address.
  5. In the Service Port field:
    • If you want to specify a single service port or all ports, confirm that the Port button is selected, and type or select a service port.
    • If you want to specify multiple ports other than all ports, select the Port List button, and confirm that the port list that you previously created appears in the box.
  6. In the Resources area of the screen, from the Default Pool list, select the relevant pool name.
  7. For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL profile you previously created and move the name to the Selected list.
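The note in step 4 requires the virtual server destination to be on the same subnet as the external self-IP, and a bare IPv4 address is treated as a /32. The following shell script is an added example, not part of the F5 manual or of BIG-IP, that pre-checks a destination (address or address/prefix) against a self-IP/prefix before you type it into the screen. It handles IPv4 only; the self-IP 10.0.0.5/24 and the candidate destinations are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the F5 manual or BIG-IP: pre-check that a
# virtual server destination (address or address/prefix) lies in the subnet
# of the external self-IP, as the procedure's note requires. IPv4 only; the
# BIG-IP default of /32 for a bare address is reproduced in normalize_dest.

# Dotted-quad IPv4 -> 32-bit integer. Runs in a subshell so the caller's IFS
# and positional parameters are untouched. Octets must not carry leading
# zeros, which shell arithmetic would read as octal.
ip_to_int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# A bare IPv4 address becomes address/32, matching the BIG-IP behaviour
# described in the procedure; an explicit prefix is kept as given.
normalize_dest() {
  case $1 in
    */*) echo "$1" ;;
    *)   echo "$1/32" ;;
  esac
}

# Network mask (as an integer) for a prefix length between 0 and 32.
prefix_to_mask() {
  echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Usage: dest_in_self_ip_subnet DEST SELF_IP/PREFIX
# Returns 0 when the whole destination network sits inside the self-IP
# subnet, 1 otherwise.
dest_in_self_ip_subnet() {
  dest=$(normalize_dest "$1")
  dest_addr=${dest%/*}; dest_len=${dest#*/}
  self_addr=${2%/*};    self_len=${2#*/}
  # A destination network wider than the self-IP subnet cannot fit inside it.
  [ "$dest_len" -ge "$self_len" ] || return 1
  mask=$(prefix_to_mask "$self_len")
  d=$(ip_to_int "$dest_addr")
  s=$(ip_to_int "$self_addr")
  [ $(( d & mask )) -eq $(( s & mask )) ]
}

# Constructed sample values: an external self-IP of 10.0.0.5/24 and three
# candidate destinations, two of which satisfy the note's requirement.
for dest in 10.0.0.1 10.0.0.0/24 10.0.1.7; do
  if dest_in_self_ip_subnet "$dest" 10.0.0.5/24; then
    echo "$dest: OK (within 10.0.0.5/24)"
  else
    echo "$dest: NOT on the external self-IP subnet"
  fi
done
```

Run it before creating the virtual server; a destination that fails the check would be reachable only if some other self-IP covers it, which is exactly the situation the note warns against.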

Creating a Server SSL profile on a client BIG-IP system

With a Server SSL profile, a client BIG-IP system can perform decryption and encryption for server-side SSL traffic.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Server.
    The Server SSL profile list screen opens.
  2. Click Create.
    The New Server SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. Select crypto-client-default-serverssl in the Parent Profile list.
  5. Modify the settings, as required.
  6. Click Finished.

Creating a crypto client object on a client BIG-IP system

You can create a crypto client object to enable a BIG-IP system to act as a crypto client for external cryptographic server offload.
  1. On the Main tab, click System > Crypto Offloading > Crypto Client.
    The Crypto Client screen displays a list of crypto clients configured on the system.
  2. Click Create.
  3. In the Name field, type a unique name for the crypto client object.
  4. In the Address field, type the IP address of the crypto server that you want this crypto client to use.
  5. In the Service Port field, type a port number, or select a service name from the list.
  6. In the TCP Profiles field, select tcp.
  7. For the SSL Profiles setting, select the Server SSL profile that you previously created.

Creating a Client SSL profile on a server BIG-IP system

You create a Client SSL profile on a server BIG-IP system to authenticate and decrypt/encrypt application traffic from the client BIG-IP system.

  1. On the Main tab, click Local Traffic > Profiles > SSL > Client.
    The Client SSL profile list screen opens.
  2. Click Create.
    The New Client SSL Profile screen opens.
  3. Select crypto-server-default-clientssl in the Parent Profile list.
  4. Configure all profile settings as needed.
  5. Click Finished.

Creating a crypto server object on a server BIG-IP system

You can create a crypto server object to enable your BIG-IP system to act as a crypto server for external cryptographic server offload.
  1. On the Main tab, click System > Crypto Offloading > Crypto Server.
    The Crypto Server screen displays a list of crypto servers configured on the system.
  2. Click Create.
  3. In the Name field, type a unique name for the crypto server object.
  4. In the Address field, type the IP address you want to use for the crypto server object.
  5. In the Service Port field, type a port number, or select a service name from the list.
  6. In the TCP Profiles field, select tcp.
  7. For the SSL Profiles setting, select the Client SSL profile that you previously created.
  8. (Optional) Using the Crypto Client List setting, add the crypto clients that can access the crypto server:
    1. In the Address field, type a crypto client self IP address.
    2. Click Add.

Verifying the crypto client and crypto server

After the client and server BIG-IP systems have processed traffic, you can use tmsh to verify that the crypto client and crypto server systems are functioning properly.
  1. Open the TMOS Shell (tmsh).
    tmsh
  2. Verify that the crypto client is functioning.
    show sys crypto client <crypto_client_name>
    A summary similar to this example displays:
    --------------------------
    Sys::Crypto Client: crypto_client_name
    --------------------------
      Received Packets      2
      Received Bytes       48
      Transmitted Packets   2
      Transmitted Bytes    40

  3. Verify that the crypto server is functioning.
    show sys crypto server <crypto_server_name>
    A summary similar to this example displays:
    --------------------------
    Sys::Crypto Server: crypto_server_name
    --------------------------
      Received Packets      2
      Received Bytes       40
      Transmitted Packets   2
      Transmitted Bytes    48
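In the two sample summaries above, the bytes the crypto client transmitted (40) are the bytes the crypto server received, and the bytes the client received (48) are the bytes the server transmitted. The shell script below is an added example, not part of the F5 manual or of BIG-IP, that parses summaries of this shape and encodes that expectation as a check: counters present, at least one packet exchanged, and the byte counters mirroring each other. The three summaries embedded in it are constructed to match the output shown above; on a real system you would capture them from the two tmsh commands in steps 2 and 3.

```shell
#!/bin/sh
# Added example, not part of the F5 manual or BIG-IP: parse tmsh
# "show sys crypto client" / "show sys crypto server" summaries and check
# that the crypto client and crypto server counters agree. The summaries
# below are constructed to match the shapes shown in the procedure.

CLIENT_SUMMARY='--------------------------
Sys::Crypto Client: crypto_client_name
--------------------------
  Received Packets      2
  Received Bytes       48
  Transmitted Packets   2
  Transmitted Bytes    40'

SERVER_SUMMARY='--------------------------
Sys::Crypto Server: crypto_server_name
--------------------------
  Received Packets      2
  Received Bytes       40
  Transmitted Packets   2
  Transmitted Bytes    48'

# Constructed: a crypto client that has never reached its crypto server.
IDLE_SUMMARY='--------------------------
Sys::Crypto Client: idle_client
--------------------------
  Received Packets      0
  Received Bytes        0
  Transmitted Packets   0
  Transmitted Bytes     0'

# counter SUMMARY "Received Bytes" -> prints the numeric value of that row
# (nothing if the row is absent).
counter() {
  printf '%s\n' "$1" | awk -v name="$2" 'NF == 3 && ($1 " " $2) == name { print $3 }'
}

# check_offload_pair CLIENT_SUMMARY SERVER_SUMMARY
# Returns 0 when the client has exchanged packets with the server and the
# byte counters mirror each other (client transmitted = server received,
# client received = server transmitted). Returns 2 if a counter is missing,
# 1 if no traffic was offloaded or the counters disagree.
check_offload_pair() {
  c_pkts=$(counter "$1" "Received Packets")
  c_rx=$(counter "$1" "Received Bytes");  c_tx=$(counter "$1" "Transmitted Bytes")
  s_rx=$(counter "$2" "Received Bytes");  s_tx=$(counter "$2" "Transmitted Bytes")
  # Every counter must be present; a missing row means the output shape changed.
  for v in "$c_pkts" "$c_rx" "$c_tx" "$s_rx" "$s_tx"; do
    [ -n "$v" ] || return 2
  done
  # No packets received by the client means no handshake was ever offloaded.
  [ "$c_pkts" -gt 0 ] || return 1
  [ "$c_tx" -eq "$s_rx" ] && [ "$c_rx" -eq "$s_tx" ]
}

if check_offload_pair "$CLIENT_SUMMARY" "$SERVER_SUMMARY"; then
  echo "crypto client and crypto server counters agree"
else
  echo "counter mismatch or no offloaded traffic (status $?)"
fi
```

The mirrored-bytes check only holds one-to-one: a crypto server that serves several crypto clients (step 8 of the crypto server task) aggregates their traffic, so for such a server compare the sum of the clients' counters against the server's, or just rely on the non-zero packet check.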