Manual Chapter : Create a custom Client SSL profile that supports SM2

Applies To:

BIG-IP DNS, BIG-IP Analytics, BIG-IP AFM, BIG-IP PEM, BIG-IP ASM, BIG-IP AAM, BIG-IP Link Controller, BIG-IP APM, BIG-IP LTM: 14.1.2, 14.1.0

You create a custom Client SSL profile when you want the BIG-IP® system to terminate client-side SSL traffic for the purpose of decrypting client-side ingress traffic and encrypting client-side egress traffic. By terminating client-side SSL traffic, the BIG-IP system offloads these decryption/encryption functions from the destination server. When you perform this task, you can specify multiple certificate key chains, one for each key type (RSA, DSA, and ECDSA). This allows the BIG-IP system to negotiate secure client connections using different cipher suites based on the client's preference.

F5 has added SM2, SM3, and SM4 cryptographic algorithm support for the Chinese market. The algorithms were independently developed by the China State Cryptography Administration, where SM2 is the public key algorithm, SM3 is the hash algorithm, and SM4 is the block cipher algorithm. SM2 is based on the Elliptic Curve Discrete Logarithm Problem (ECDLP). Also see the following sections for details on importing, exporting, and managing a certificate and key with an SM2 license.

Note:

Before you create a custom Client SSL profile that supports SM2, create an SM2 cipher rule and cipher group.

Create an SM2 Cipher Rule

  1. On the Main tab, click Local Traffic > Ciphers > Rules.
    The Ciphers Rules screen opens.
  2. Click Create.
    The New Cipher Rule screen opens.
  3. In the Name field, type a unique name for your SM2 cipher rule.
  4. In the Cipher Suites field, type the following cipher suites string: ECC-SM4-SM3
  5. In the DH Groups field, type the following DH groups string: SM2P256
  6. In the Signature Algorithms field, type the following signature algorithm string: SM2-SM3
  7. Click Finished. You are now ready to create a cipher group.

Create an SM2 Cipher Group

  1. On the Main tab, click Local Traffic > Ciphers > Groups.
    The Ciphers Groups screen opens.
  2. Click Create.
    The New Cipher Group screen opens.
  3. In the Name field, type a unique name for your SM2 cipher group.
  4. In the Group Details area, select the check box next to the SM2 cipher rule from the Available Rules list.
  5. Select the arrows next to the Allow the following field to move the selected SM2 cipher rule to this field.
  6. Click Finished. You are now ready to create your custom Client SSL profile that supports SM2.

Create a Custom Client SSL Profile that supports SM2

  1. On the Main tab, click Local Traffic > Profiles > SSL > Client.
    The Client SSL profile list screen opens.
  2. Click Create.
    The New Client SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list, select clientssl.
  5. Select the Custom check box.
    The settings become available for change.
  6. From the Configuration list, select Advanced.
  7. For the Mode setting, select the Enabled check box.
  8. For the Certificate Key Chain setting, click Add. For an SM2 client profile, select the SM2 file type from the Certificate, Key, and Chain lists.
    1. From the Certificate list, select a certificate name.
      This is the name of a certificate that you installed on the BIG-IP system. If you have not generated a certificate request nor installed a certificate on the BIG-IP system, and the BIG-IP system is not part of a device service clustering (DSC) configuration, you can specify the name of the existing certificate named default.
      Important: If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default certificate name, and ensure that this same certificate name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
    2. From the Key list, select the name of the key associated with the certificate specified in the previous step.
      This is the name of a key that you installed on the BIG-IP system. If you have not installed a key on the BIG-IP system, and the BIG-IP system is not part of a device service clustering (DSC) configuration, you can specify the name of the existing key named default.
      Important: If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default key name, and ensure that this same key name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
    3. From the Chain list, select the chain that you want to include in the certificate key chain.
      A certificate chain can contain either a series of public key certificates in Privacy Enhanced Mail (PEM) format or a series of one or more PEM files. A certificate chain can contain certificates for intermediate certificate authorities (CAs).
      Note: The default self-signed certificate and the default CA bundle certificate are not appropriate for use as a certificate chain.
    4. For the Passphrase field, type a string that enables access to SSL certificate/key pairs that are stored on the BIG-IP system with password protection.
      This setting is optional. For added security, the BIG-IP system automatically encrypts the passphrase itself. This passphrase encryption process is invisible to BIG-IP system administrative users.
  9. Click Add.
  10. For the Ciphers setting, specify a Cipher Group and select the existing SM2 custom cipher group to define the ciphers that the BIG-IP system uses for negotiating SSL connections.
  11. For the Options List setting, select the following as Enabled Options:
    • GMSSLv1.1
    • No SSL
    • No TLS
    • No DTLS
  12. Click Finished.

After performing this task, you can see the custom Client SSL profile that supports SM2 in the list of Client SSL profiles on the system.
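As an added example that is not F5's code, here is a small post-configuration audit in Python. It checks a Client SSL profile description (constructed here as plain dictionaries keyed by the GUI field names used in the three procedures above, not exported from a BIG-IP) against the SM2 cipher rule strings, the required Options List entries, the SM2 certificate key chain type, and the DSC caveat about non-default certificate and key names:

```python
from typing import Dict, List

# The exact strings the cipher-rule procedure has you type.
SM2_RULE = {"cipher_suites": "ECC-SM4-SM3", "dh_groups": "SM2P256",
            "signature_algorithms": "SM2-SM3"}
# The Options List entries the profile procedure has you enable.
SM2_OPTIONS = {"GMSSLv1.1", "No SSL", "No TLS", "No DTLS"}


def audit_sm2_profile(profile: Dict, cipher_groups: Dict, cipher_rules: Dict,
                      in_sync_failover_group: bool = False) -> List[str]:
    """Return findings; an empty list means the profile follows the procedure."""
    findings = []
    if profile.get("parent") != "clientssl":
        findings.append("parent profile is not clientssl")
    if not profile.get("mode_enabled"):
        findings.append("Mode is not enabled")
    group = cipher_groups.get(profile.get("cipher_group"))
    if group is None:
        findings.append("profile does not reference an existing cipher group")
    else:
        # The group must allow at least one rule carrying all three SM2 strings.
        allowed = [cipher_rules.get(n, {}) for n in group.get("allow", [])]
        if not any(all(r.get(k) == v for k, v in SM2_RULE.items()) for r in allowed):
            findings.append("cipher group allows no rule matching ECC-SM4-SM3 / SM2P256 / SM2-SM3")
    missing = SM2_OPTIONS - set(profile.get("enabled_options", []))
    if missing:
        findings.append("options not enabled: " + ", ".join(sorted(missing)))
    for ckc in profile.get("cert_key_chains", []):
        name = ckc.get("name")
        if ckc.get("type") != "SM2":
            findings.append(f"certificate key chain '{name}' is not SM2 type")
        if ckc.get("chain") == "default":
            findings.append(f"certificate key chain '{name}' uses the default self-signed cert as its chain")
        # DSC Sync-Failover caveat from the procedure: never use the default cert or key.
        if in_sync_failover_group and "default" in (ckc.get("cert"), ckc.get("key")):
            findings.append(f"certificate key chain '{name}' uses a default cert or key in a Sync-Failover group")
    return findings


# Constructed sample objects (assumed names, not real BIG-IP objects).
RULES = {"sm2_rule": dict(SM2_RULE), "weak_rule": {**SM2_RULE, "dh_groups": "P256"}}
GROUPS = {"sm2_group": {"allow": ["sm2_rule"]}, "mixed_group": {"allow": ["weak_rule"]}}
GOOD = {"parent": "clientssl", "mode_enabled": True, "cipher_group": "sm2_group",
        "enabled_options": ["GMSSLv1.1", "No SSL", "No TLS", "No DTLS"],
        "cert_key_chains": [{"name": "sm2_ckc", "type": "SM2", "cert": "sm2.crt",
                             "key": "sm2.key", "chain": "sm2_chain.crt"}]}
BAD = {"parent": "clientssl", "mode_enabled": True, "cipher_group": "mixed_group",
       "enabled_options": ["GMSSLv1.1", "No SSL", "No TLS"],
       "cert_key_chains": [{"name": "ckc", "type": "SM2", "cert": "default",
                            "key": "default", "chain": "default"}]}
```

Running `audit_sm2_profile(BAD, GROUPS, RULES, in_sync_failover_group=True)` reports the wrong DH group, the missing No DTLS option, the default chain, and the default cert/key in a device group, while GOOD returns no findings.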