Manual Chapter : Managing Client and Server HTTPS Traffic using a Self-signed Certificate

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP APM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP GTM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP Link Controller

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP Analytics

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP LTM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP AFM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP PEM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP ASM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Manual Chapter

Managing Client and Server HTTPS Traffic using a Self-signed Certificate

Overview: Managing client and server HTTPS traffic using a self-signed certificate

One of the ways to configure the BIG-IP system to manage SSL traffic is to enable both client-side and server-side SSL termination:

  • Client-side SSL termination makes it possible for the system to decrypt client requests before sending them on to a server, and encrypt server responses before sending them back to the client. This ensures that client-side HTTPS traffic is encrypted. In this case, you need to install only one SSL key/certificate pair on the BIG-IP system.
  • Server-side SSL termination makes it possible for the system to decrypt and then re-encrypt client requests before sending them on to a server. Server-side SSL termination also decrypts server responses and then re-encrypts them before sending them back to the client. This ensures security for both client- and server-side HTTPS traffic. In this case, you need to install two SSL key/certificate pairs on the BIG-IP system. The system uses the first certificate/key pair to authenticate the client, and uses the second pair to request authentication from the server.

This implementation uses a self-signed certificate to authenticate HTTPS traffic.

Task summary

To implement client-side and server-side authentication using HTTP and SSL with a self-signed certificate, you perform a few basic configuration tasks.

Task list

Creating a self-signed SSL certificate

If you are configuring the BIG-IP system to manage client-side HTTP traffic, you create a self-signed certificate to authenticate and secure the client-side HTTP traffic. If you are also configuring the system to manage server-side HTTP traffic, you create a second self-signed certificate to authenticate and secure the server-side HTTP traffic.
  1. On the Main tab, click System > File Management > SSL Certificate List .
    The SSL Certificate List screen opens.
  2. Click Create.
  3. In the Name field, type a unique name for the SSL certificate.
  4. From the Issuer list, select Self.
  5. In the Common Name field, type a name.
  6. In the Division field, type your company name.
  7. In the Organization field, type your department name.
  8. In the Locality field, type your city name.
  9. In the State or Province field, type your state or province name.
  10. From the Country list, select the name of your country.
  11. In the E-mail Address field, type your email address.
  12. In the Lifetime field, type a number of days, or retain the default, 365.
  13. In the Subject Alternative Name field, type a name.
    This name is embedded in the certificate for X509 extension purposes.
    By assigning this name, you can protect multiple host names with a single SSL certificate.
  14. From the Key Type list, select a key type.
    Possible values are: RSA, DSA, and ECDSA.
  15. From the Size or Curve Name list, select either a size, in bits, or a curve name.
  16. Click Finished.

Creating a custom HTTP profile

An HTTP profile defines the way that you want the BIG-IP®system to manage HTTP traffic.
Note: Other HTTP profile types (HTTP Compression and Web Acceleration) enable you to configure compression and cache settings, as required. Use of these profile types is optional.
  1. On the Main tab, click Local Traffic > Profiles > Services > HTTP .
    The HTTP profile list screen opens.
  2. Click Create.
    The New HTTP Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list, select http.
  5. Select the Custom check box.
  6. Modify the settings, as required.
  7. Click Finished.
The custom HTTP profile now appears in the HTTP profile list screen.

Creating a custom Client SSL profile

You create a custom Client SSL profile when you want the BIG-IP® system to terminate client-side SSL traffic for the purpose of:
  • Authenticating and decrypting ingress client-side SSL traffic
  • Re-encrypting egress client-side traffic
By terminating client-side SSL traffic, the BIG-IP system offloads these authentication and decryption/encryption functions from the destination server.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Client .
    The Client profile list screen opens.
  2. Click Create.
    The New Client SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. Select clientssl in the Parent Profile list.
  5. From the Configuration list, select Advanced.
  6. Select the Custom check box.
    The settings become available for change.
  7. Select the Custom check box for Client Authentication.
    The settings become available.
  8. From the Configuration list, select Advanced.
  9. Modify the settings, as required.
  10. Click Finished.

Creating a custom Server SSL profile

With an Server SSL profile, the BIG-IP® system can perform decryption and encryption for server-side SSL traffic.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Server .
    The SSL Server profile list screen opens.
  2. Click Create.
    The New Server SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. Select serverssl in the Parent Profile list.
  5. From the Configuration list, select Advanced.
  6. Select the Custom check box.
    The settings become available for change.
  7. Select the Custom check box for Server Authentication.
  8. Modify the settings, as required.
  9. Click Finished.
The custom Server SSL profile is listed in the Profiles:SSL:Server list.

Creating a pool to manage HTTPS traffic

You can create a pool (a logical set of devices, such as web servers, that you group together to receive and process HTTPS traffic) to efficiently distribute the load on your server resources.
  1. On the Main tab, click Local Traffic > Pools .
    The Pool List screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. Assign the https or https_443 health monitor from the Available list by moving it to the Active list.
  5. From the Load Balancing Method list, select how the system distributes traffic to members of this pool.
    The default is Round Robin.
  6. For the Priority Group Activation setting, specify how to handle priority groups:
    • Select Disabled to disable priority groups. This is the default option.
    • Select Less than, and in the Available Members field type the minimum number of members that must remain available in each priority group in order for traffic to remain confined to that group.
  7. Add each resource that you want to include in the pool using the New Members setting:
    1. Type an IP address in the Address field.
    2. Type 443 in the Service Port field, or select HTTPS from the list.
    3. (Optional) Type a priority number in the Priority field.
    4. Click Add.
  8. Click Finished.
The HTTPS load balancing pool now appears in the Pool List screen.

Creating a virtual server for client-side and server-side HTTPS traffic

You can specify a virtual server to be either a host virtual server or a network virtual server to manage HTTPS traffic.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For the Destination setting, in the Address field, type the IP address you want to use for the virtual server.
    The IP address you type must be available and not in the loopback network.
  5. Type 443 in the Service Port field, or select HTTPS from the list.
  6. For the HTTP Profile setting, verify that the default HTTP profile, http, is selected.
  7. For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL profile you previously created, and using the Move button, move the name to the Selected list.
  8. For the SSL Profile (Server) setting, from the Available list, select the name of the Server SSL profile you previously created, and using the Move button, move the name to the Selected list.
  9. Click Finished.
The HTTPS virtual server now appears in the Virtual Server List screen.

Implementation results

After you complete the tasks in this implementation, the BIG-IP® system ensures that SSL authentication and encryption occurs for both client-side and server-side HTTP traffic. The system performs this authentication and encryption according to the values you specify in the Client SSL and Server SSL profiles.