fir3net
PPS-Firenetbanner-780.5x190-30-03-17

BigIP F5 LTM - SSL Processing

Introduction

The BigIP F5 provide 2 ways in which SSL is processed. These are :

Client SSL - F5 decrypts the encrypted traffic inbound from the client.
Server SSL - Traffic is re-encrypted by the F5 then routed onto the backend servers.

There are a number of advantages to SSL termination on the F5, which are :

  1. Allows iRules processing and cookie persistence.
  2. SSL Traffic offload from web servers
  3. SSL key exchange and bulk encryption is performed by a single piece of BigIP F5 hardware rather then needing (to install) additional hardware in each webserver.
  4. Centralized certificate management

Configuration

Client SSL

Configuring Client SSL comprises of 3 steps.

  1. Import or generate the SSL certificate and Key
  2. Configure the client ssl-client profile
  3. Configure the Virtual Server

1a. Certificate (Import)

  1. Goto 'Local Traffic | SSL Certificates | Import'.
  2. Select Certificate as the Import Type.
  3. Configure the Certificate Name.
  4. Upload the certificate within the certificate source section.
  5. Click Import.

Note : Certificates should be in either Base-64 encoded or PEM format.

1b. Certificate  (Generate)

  1. Go to 'Local Traffic | SSL Certificates | Create'.
  2. Within the General Properties section enter the name and then complete the Certificate Property fields.
  3. Click finished.

Note : Certificates and keys are synchronized on redundant systems.
Note : The locations for the certificate/keys are:

                  Certificates: /config/ssl/ssl.cert
                  Keys:          /config/ssl/ssl.key

2. Configure Profile

Next you will need to configure the client ssl-client profile.

  1. Goto 'Local Traffic | Profiles | SSL | Client | Create'
  2. Within the General Properties enter the Name and select the Parent Profile as clientssl.
  3. Within the Configuration section select the Certificate and Key.
  4. Click Finished.

3. Configure the Virtual Server

  1. Within the necessary Virtual Server under SSL Profile (Client) select the previously created profile.

Server SSL

If Server SSL is required then select the serverssl profile from the SSL Profile (Server) dropdown menu from within the Virtual Server.

Tags: BIG-IP F5

About the Author

RDonato

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001