Manual Chapter : Managing Client- and Server-Side HTTP Traffic Using a CA-Signed Certificate

Applies To:

Show Versions Show Versions

BIG-IP DNS

  • 13.1.1, 13.1.0

BIG-IP Analytics

  • 13.1.1, 13.1.0

BIG-IP AFM

  • 13.1.1, 13.1.0

BIG-IP PEM

  • 13.1.1, 13.1.0

BIG-IP ASM

  • 13.1.1, 13.1.0

BIG-IP AAM

  • 13.1.1, 13.1.0

BIG-IP Link Controller

  • 13.1.1, 13.1.0

BIG-IP APM

  • 13.1.1, 13.1.0

BIG-IP LTM

  • 13.1.1, 13.1.0
Manual Chapter

Overview: Managing client and server HTTP traffic using a CA-signed certificate

One of the ways to configure the BIG-IP system to manage SSL traffic is to enable both client-side and server-side SSL termination:

  • Client-side SSL termination makes it possible for the system to decrypt client requests before sending them on to a server, and encrypt server responses before sending them back to the client. This ensures that client-side HTTP traffic is encrypted. In this case, you need to install only one SSL key/certificate pair on the BIG-IP system.
  • Server-side SSL termination makes it possible for the system to decrypt and then re-encrypt client requests before sending them on to a server. Server-side SSL termination also decrypts server responses and then re-encrypts them before sending them back to the client. This ensures security for both client- and server-side HTTP traffic. In this case, you need to install two SSL key/certificate pairs on the BIG-IP system. The system uses the first certificate/key pair to authenticate the client, and uses the second pair to request authentication from the server.

This implementation uses a CA-signed certificate to manage HTTP traffic.

Task summary

To implement client-side and server-side authentication using HTTP and SSL with a CA-signed certificate, you perform a few basic configuration tasks.

Task list

Requesting a certificate from a certificate authority

You perform this task to generate a certificate signing request (CSR) that can then be submitted to a third-party trusted certificate authority (CA).
Note: F5 Networks recommends that you consult the CA to determine the specific information required for each step in this task.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management .
    The Traffic Certificate Management screen opens.
  2. Click Create.
  3. In the Name field, type a unique name for the SSL certificate.
  4. From the Issuer list, select Certificate Authority.
  5. In the Common Name field, type a name.
    This is typically the name of a web site, such as www.siterequest.com.
  6. In the Division field, type your department name.
  7. In the Organization field, type your company name.
  8. In the Locality field, type your city name.
  9. In the or State or Province field, type your state or province name.
  10. From the Country list, select the name of your country.
  11. In the E-mail Address field, type your email address.
  12. In the Lifetime field, type a number of days, or retain the default, 365.
  13. In the Subject Alternative Name field, type a name.
    This name is embedded in the certificate for X509 extension purposes.
    By assigning this name, you can protect multiple host names with a single SSL certificate.
  14. In the Challenge Password field, type a password.
  15. In the Confirm Password field, re-type the password you typed in the Challenge Password field.
  16. From the Security Type list, select NetHSM.
  17. From the Key Type list, RSA is selected as the default key type.
  18. From the Size list, select a size, in bits.
  19. Click Finished.
    The Certificate Signing Request screen displays.
  20. Do one of the following to download the request into a file on your system.
    • In the Request Text field, copy the certificate.
    • For Request File, click the button.
  21. Follow the instructions on the relevant certificate authority web site for either pasting the copied request or attaching the generated request file.
  22. Click Finished.
    The Certificate Signing Request screen displays.
The generated certificate signing request is submitted to a trusted certificate authority for signature.

Creating a custom HTTP profile

An HTTP profile defines the way that you want the BIG-IP®system to manage HTTP traffic.
Note: Other HTTP profile types (HTTP Compression and Web Acceleration) enable you to configure compression and cache settings, as required. Use of these profile types is optional.
  1. On the Main tab, click Local Traffic > Profiles > Services > HTTP .
    The HTTP profile list screen opens.
  2. Click Create.
    The New HTTP Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list, select http.
  5. Select the Custom check box.
  6. Modify the settings, as required.
  7. Click Finished.
The custom HTTP profile now appears in the HTTP profile list screen.

Creating a custom Client SSL profile

After you have built the cipher string that you want the BIG-IP® to use to negotiate client-side SSL connections, you create a custom client SSL profile. You create the profile when you want the BIG-IP® system to terminate client-side SSL traffic for the purpose of decrypting client-side ingress traffic and encrypting client-side egress traffic. By terminating client-side SSL traffic, the BIG-IP system offloads these decryption/encryption functions from the destination server. When you perform this task, you can specify multiple certificate key chains, one for each key type (RSA, DSA, and ECDSA). This allows the BIG-IP system to negotiate secure client connections using different cipher suites based on the client's preference.
Note: At a minimum, you must specify a certificate key chain that includes an RSA key pair. Specifying certificate key chains for DSA and ECDSA key pairs is optional, although highly recommended.
Note: For detailed information on how to complete the client certificate constrained delegation (C3D) configuration and ensure that your custom client SSL profile is set up properly, see About client certificate constrained delegation before completing your custom profile setup.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Client .
    The Client SSL profile list screen opens.
  2. Click Create.
    The New Client SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list, select clientssl.
  5. Select the Custom check box.
    The settings become available for change.
  6. From the Configuration list, select Advanced.
  7. For the Mode setting, select the Enabled check box.
  8. For the Certificate Key Chain setting, click Add.
    1. From the Certificate list, select a certificate name.
      This is the name of a certificate that you installed on the BIG-IP® system. If you have not generated a certificate request nor installed a certificate on the BIG-IP system, and the BIG-IP system is not part of a device service clustering (DSC) configuration, you can specify the name of the existing certificate named default.
      Important: If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default certificate name, and ensure that this same certificate name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
    2. From the Key list, select the name of the key associated with the certificate specified in the previous step.
      This is the name of a key that you installed on the BIG-IP® system. If you have not installed a key on the BIG-IP system, and the BIG-IP system is not part of a device service clustering (DSC) configuration, you can specify the name of the existing key named default.
      Important: If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default key name, and ensure that this same key name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
    3. From the Chain list, select the chain that you want to include in the certificate key chain.
      A certificate chain can contain either a series of public key certificates in Privacy Enhanced Mail (PEM) format or a series of one or more PEM files. A certificate chain can contain certificates for Intermediate certificate Authorities (CAs).
      Note: The default self-signed certificate and the default CA bundle certificate are not appropriate for use as a certificate chain.
    4. For the Passphrase field, type a string that enables access to SSL certificate/key pairs that are stored on the BIG-IP system with password protection.
      This setting is optional. For added security, the BIG-IP system automatically encrypts the pass phrase itself. This pass phrase encryption process is invisible to BIG-IP® system administrative users.
    5. Click Add.
  9. In the Certificate Key Chain setting, click Add again, and repeat the process for all certificate key chains that you want to specify.
    At a minimum, you must specify an RSA certificate key chain.
    The result is that all specified key chains appear in the text box.
  10. To enable OCSP stapling, select theOCSP Stapling check box.
    To enable OCSP stapling, you must first create an OCSP Stapling profile. See Creating an OCSP stapling profile for detailed steps.
  11. If you want to Notify Certificate Status to Virtual Server, select the check box.
  12. For the Ciphers setting, specify a cipher group or cipher string by choosing one of these options.
    Note: If you specified an ECDSA certificate key chain in the Certificate Key Chain setting, you must include the cipher string ECDHE_ECDSA in the cipher group or cipher string that you specify in the Ciphers setting. (At a minimum, you should specify a cipher group or string such as DEFAULT:ECDHE_ECDSA.) This is necessary to ensure successful cipher negotiation when the BIG-IP system is offered an ECDSA-based certificate only.
    Option Description
    Cipher Group

    Select an existing cipher group from the list when you want to use a system-defined or custom cipher group to define the ciphers that the BIG-IP system uses for negotiating SSL connections. Here's an example of the Ciphers setting where we've selected a custom cipher group that we created earlier.

    Cipher String

    Type a cipher string in the box if you want to manually specify a cipher string instead of selecting a cipher group. For security and performance reasons, consider following these recommendations:

    • Always append ciphers to the DEFAULT cipher string.
    • Type a cipher string that includes the ECC key type, because its shorter length speeds up encryption and decryption while still offering virtually the same level of security.
    • Disable ADH ciphers but also include the keyword HIGH. To do this, just include both !ADH and :HIGH in your cipher string.
    • For AES, DES, and RC4 encryption types, make sure you specify the DHE key exchange method. DHE uses Forward Privacy, which creates a key that it throws away after each session so that the same session key never gets used twice. When you use DHE, make sure that the SSL private key isn't being shared with a monitoring system or a security device like an intrusion detection or prevention system. Also, diagnostic tools like ssldump won't work when you're using Forward Secrecy.
    • Disable EXPORT ciphers by including !EXPORT in the cipher string.
    • If you can live with removing support for the SSLv3 protocol version, do it. This protocol version is not secure. Simply include :!SSLv3 in any cipher string you type.

    Here's an example of the Ciphers setting where we have opted to manually type the cipher string DEFAULT:ECDHE-RSA-AES-128-GCM-SHA256:!ADH:!EXPORT:HIGH:

  13. For the Client Authentication area, select the Custom check box.
  14. For Client Certificate list, specify whether you want to ignore, require, or request the client certificate authentication.
  15. If you are enabling C3D, from the Trusted Certificate Authorities list, you must select a trusted CA bundle.
  16. Select the Custom check box for the Client Certificate Constrained Delegation area.
    The settings become available for change.
    Note: See About client certificate constrained delegation prior to enabling C3D.
  17. For the Client Certificate Constrained Delegation setting, select Enabled.
  18. From the OCSP list, select the object that the BIG-IP system's SSL should use to connect to the OCSP responder and check the client certificate status.
    You can click the + icon to open the create-new OCSP object screen. See Creating an OCSP stapling profile for detailed steps.
  19. For the Unknown OCSP Response Control list, specify the action the system takes when the OCSP object returns an unknown status:
    • If you want the connection to be dropped, retain the default value Drop.
    • If you want the connection to ignore the unknown status and continue, Select Ignore.
  20. Click Finished.
After performing this task, you can see the custom Client SSL profile in the list of Client SSL profiles on the system.
To use this profile, you must assign it to a virtual server. See Assigning SSL profiles to a virtual server for detailed information.

Creating a custom Server SSL profile

With a Server SSL profile, the BIG-IP® system can perform decryption and encryption for server-side SSL traffic.
Note: For detailed information on how to complete the client certificate constrained delegation (C3D) configuration and ensure that your custom server SSL profile is set up properly, see About client certificate constrained delegation before completing your custom profile setup.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Server .
    The Server SSL profile list screen opens.
  2. Click Create.
    The New Server SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list, select serverssl.
  5. From the Configuration list, select Advanced.
  6. Select the Custom check box.
    The settings become available for change.
  7. From the Certificate list, select the name of an SSL certificate on the BIG-IP system.
    Important: If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default certificate name, and ensure that this same certificate name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
  8. From the Key list, select the name of an SSL key on the BIG-IP system.
    Important: If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default key name, and ensure that this same key name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
  9. In the Pass Phrase field, type a pass phrase that enables access to the certificate/key pair on the BIG-IP system.
  10. From the Chain list, select the name of an SSL chain on the BIG-IP system.
  11. For the Ciphers setting, specify a cipher group or cipher string by choosing one of these options.
    Note: If you specified an ECDSA certificate key chain in the Certificate Key Chain setting, you must include the cipher string ECDHE_ECDSA in the cipher group or cipher string that you specify in the Ciphers setting. (At a minimum, you should specify a cipher group or string such as DEFAULT:ECDHE_ECDSA.) This is necessary to ensure successful cipher negotiation when the BIG-IP system is offered an ECDSA-based certificate only.
    Option Description
    Cipher Group

    Select an existing cipher group from the list when you want to use a system-defined or custom cipher group to define the ciphers that the BIG-IP system uses for negotiating SSL connections. Here's an example of the Ciphers setting where we've selected a custom cipher group that we created earlier.

    Cipher String

    Type a cipher string in the box if you want to manually specify a cipher string instead of selecting a cipher group. For security and performance reasons, consider following these recommendations:

    • Always append ciphers to the DEFAULT cipher string.
    • Type a cipher string that includes the ECC key type, because its shorter length speeds up encryption and decryption while still offering virtually the same level of security.
    • Disable ADH ciphers but also include the keyword HIGH. To do this, just include both !ADH and :HIGH in your cipher string.
    • For AES, DES, and RC4 encryption types, make sure you specify the DHE key exchange method. DHE uses Forward Privacy, which creates a key that it throws away after each session so that the same session key never gets used twice. When you use DHE, make sure that the SSL private key isn't being shared with a monitoring system or a security device like an intrusion detection or prevention system. Also, diagnostic tools like ssldump won't work when you're using Forward Secrecy.
    • Disable EXPORT ciphers by including !EXPORT in the cipher string.
    • If you can live with removing support for the SSLv3 protocol version, do it. This protocol version is not secure. Simply include :!SSLv3 in any cipher string you type.

    Here's an example of the Ciphers setting where we have opted to manually type the cipher string DEFAULT:ECDHE-RSA-AES-128-GCM-SHA256:!ADH:!EXPORT:HIGH:

  12. Select the Custom check box for Server Authentication.
    The settings become available for change.
  13. From the Frequency list, select either once or always.
  14. From the OCSP list, select the OCSP object that the BIG-IP system's SSL should use to connect to the OCSP responder and to check the server certificate status. You can click the + icon to open the create-new OCSP object screen.
    The OCSP stapling object can be added in both forward and reverse proxy configurations. When the server SSL Forward Proxy property is set to Enabled, the forward proxy OCSP object is used to validate and staple the web server's certificate status. When the server SSL Forward Proxy property is set to Disabled, the reverse proxy OCSP object is used to reset the client connection if the web server certificate has been revoked.
  15. Modify the other settings in this area of the screen as required.
  16. Select the Custom check box for the Client Certificate Constrained Delegation section.
    The settings become available for change.
    Note: See About client certificate constrained delegation prior to enabling C3D.
  17. From the Client Certificate Constrained Delegation setting, select Advanced.
  18. From the Client Certificate Constrained Delegation list, select Enabled.
  19. From the CA Certificate list, select the name of the certificate file that is used as the certification authority certificate.
  20. From the CA Key list, select the name of the key file that is used as the certification authority key.
  21. In the CA Passphrase field, type the passphrase of the key file that is used as the certification authority key.
    Note: This should be the passphrase corresponding to the specified CA Key.
  22. For the Confirm CA Passphrase field, type the identical passphrase.
  23. For the Certificate Lifespan fields, type the lifespan of the certificate generated that is using the SSL client certificate constrained delegation.
    The default is 1 day, 0 hours.
  24. To define the extensions of the client certificates to be included in the generated certificates, from the Certificate Extensions list, select Extensions List.
  25. For the Certificate Extensions List setting, click Disable or Enable to add or remove available extensions.
    • Basic Constraints: Uses basic constraints to indicate whether the certificate belongs to a CA.
    • Extended Key Usage: Uses Extended Key Usage, typically on a leaf certificate, to indicate the purpose of the public key contained in the certificate.
    • Key Usage: Provides a bitmap specifying the cryptographic operations that may be performed using the public key contained in the certificate; for example, it could indicate that the key should be used for signature but not for enciphering.
    • Subject Alternative Name: Allows identities to be bound to the subject of the certificate. These identities may be included in addition to, or in place of, the identity in the subject field of the certificate.

    You can also add extensions in the Custom extension field. Type in the extension name and click Add.

  26. Click Finished.
To use this profile, you must assign it to a virtual server. See the Assigning SSL profiles to a virtual server section for detailed information.

Creating a pool to manage HTTPS traffic

You can create a pool (a logical set of devices, such as web servers, that you group together to receive and process HTTPS traffic) to efficiently distribute the load on your server resources.
  1. On the Main tab, click Local Traffic > Pools .
    The Pool List screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. For the Health Monitors setting, assign https or https_443 by moving it from the Available list to the Active list.
  5. From the Load Balancing Method list, select how the system distributes traffic to members of this pool.
    The default is Round Robin.
  6. For the Priority Group Activation setting, specify how to handle priority groups:
    • Select Disabled to disable priority groups. This is the default option.
    • Select Less than, and in the Available Members field type the minimum number of members that must remain available in each priority group in order for traffic to remain confined to that group.
  7. Use the New Members setting to add each resource that you want to include in the pool:
    1. In the Address field, type an IP address.
    2. In the Service Port field type 443 , or select HTTPS from the list.
    3. (Optional) Type a priority number in the Priority field.
    4. Click Add.
  8. Click Finished.
The HTTPS load balancing pool appears in the Pool List screen.

Creating a virtual server for client-side and server-side HTTPS traffic

You can specify a virtual server to be either a host virtual server or a network virtual server to manage HTTP traffic over SSL.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP® system automatically uses a /32 prefix.
    Note: The IP address you type must be available and not in the loopback network.
  5. Type 443 in the Service Port field, or select HTTPS from the list.
  6. For the HTTP Profile setting, verify that the default HTTP profile, http, is selected.
  7. For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL profile you previously created and move the name to the Selected list.
  8. For the SSL Profile (Server) setting, from the Available list, select the name of the Server SSL profile you previously created and move the name to the Selected list.
  9. Click Finished.
The virtual server now appears in the Virtual Server List screen.

Implementation results

After you complete the tasks in this implementation, the BIG-IP® system ensures that SSL authentication and encryption occurs for both client-side and server-side HTTP traffic. The system performs this authentication and encryption according to the values you specify in the Client SSL and Server SSL profiles.