Applies To:
BIG-IP AAM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0
BIG-IP APM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0
BIG-IP Link Controller
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0
BIG-IP Analytics
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0
BIG-IP LTM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0
BIG-IP AFM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0
BIG-IP PEM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0
BIG-IP DNS
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0
BIG-IP ASM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0
Overview: Using a pre-built cipher string
Before the BIG-IP® system can process SSL traffic, you'll need to define the cipher string you want the system to use when negotiating security settings with client or server systems. Typing a raw cipher string on the system is tedious and error-prone. It can also be insecure, since the cipher string could inadvertently cause the system to negotiate in a way that you didn't intend.
To solve these problems, you can use a pre-built cipher string, known as a cipher group. A pre-built cipher group is a named, pre-built set of partial cipher strings (known as cipher rules) and a set of instructions that the system uses to create the final cipher string for SSL negotiation.
All pre-built cipher groups are available on the BIG-IP system, ready for you to assign to a Client SSL or Server SSL profile. They are:
- /Common/f5-default
- /Common/f5-aes
- /Common/f5-ecc
- /Common/f5-hw_keys
- /Common/f5-secure
For example, the pre-built cipher group /Common/f5-ecc contains the cipher rule of the same name (/Common/f5-ecc), which in turn contains the cipher string ECDHE:ECDHE_ECDSA. You can see a preview of the resulting cipher string in the Cipher Audit area of the screen.
About BIG-IP cipher support
The BIG-IP® system supports a large set of cipher suites that you can choose from to build the cipher string used for security negotiation.
Supported cipher suites include various combinations of encryption algorithms and authentication mechanisms, including RSA (Rivest-Shamir-Adleman), DSA (Digital Signature Algorithm), and ECDSA (Elliptic Curve Digital Signature Algorithm).
The system includes a default cipher string named DEFAULT, which contains a subset of the cipher suites that the BIG-IP system supports.
Task summary for configuring a pre-built cipher string
There are a few tasks you need to perform to configure a pre-built cipher string that the BIG-IP® system will use for SSL negotiation.
This illustration shows the order that you need to perform these tasks in.
Confirm the ability to use a pre-built cipher string
Before you configure a cipher string for the BIG-IP® system to use in SSL negotiations with client or server systems, you need to determine whether you can use a pre-built cipher group or whether you'll need to create a custom cipher group. You do this by viewing each pre-built cipher group on the system.
Specify a cipher string within an SSL traffic filter
You specify the cipher string that the BIG-IP system uses to negotiate security settings with a client or server system by assigning a cipher group to a Client SSL or Server SSL profile.
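To check which SSL profiles already use one of the pre-built cipher groups listed above and which still carry a hand-typed cipher string, you can audit an exported configuration off-box. The following script is an added example, not F5 code. It assumes a tmsh-style stanza layout with cipher-group and ciphers properties; the sample configuration, the profile names, and the group /Common/team-custom are constructed for illustration.

```python
import re

# The five pre-built cipher groups named on this page.
PREBUILT_GROUPS = {"/Common/f5-" + s for s in ("default", "aes", "ecc", "hw_keys", "secure")}

# Constructed sample; the stanza layout and property names are assumptions.
SAMPLE_CONFIG = """\
ltm profile client-ssl /Common/web_clientssl {
    cipher-group /Common/f5-secure
    ciphers none
}
ltm profile client-ssl /Common/legacy_clientssl {
    cipher-group none
    ciphers DEFAULT:!SSLv3:!RC4
}
ltm profile server-ssl /Common/app_serverssl {
    cipher-group /Common/team-custom
    ciphers none
}
"""

# One stanza per SSL profile; the closing brace sits at column 0.
STANZA = re.compile(
    r"^ltm profile (client-ssl|server-ssl) (\S+) \{\n(.*?)^\}", re.M | re.S)

def audit_profiles(config_text):
    """Return {profile_name: (status, detail)} for each SSL profile stanza."""
    results = {}
    for _kind, name, body in STANZA.findall(config_text):
        pairs = (line.split(None, 1) for line in body.splitlines())
        props = {p[0]: p[1].strip() for p in pairs if len(p) == 2}
        group = props.get("cipher-group", "none")
        if group != "none" and not group.startswith("/"):
            group = "/Common/" + group  # assume the Common partition
        raw = props.get("ciphers", "none")
        if group in PREBUILT_GROUPS:
            results[name] = ("prebuilt-group", group)
        elif group != "none":
            results[name] = ("custom-group", group)  # review its cipher rules
        elif raw != "none":
            results[name] = ("raw-string", raw)  # hand-typed cipher string
        else:
            results[name] = ("unset", "")
    return results

if __name__ == "__main__":
    for name, (status, detail) in audit_profiles(SAMPLE_CONFIG).items():
        print(f"{name:32} {status:15} {detail}")
```

Profiles reported as raw-string are the candidates for moving to a cipher group; profiles reported as custom-group need their cipher rules reviewed separately.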