BigIP F5 LTM - SSL Processing
The BigIP F5 provides 2 ways in which SSL is processed. These are:
Client SSL - F5 decrypts the encrypted traffic inbound from the client.
Server SSL - Traffic is re-encrypted by the F5 then routed onto the backend servers.
There are a number of advantages to SSL termination on the F5, which are :
- Allows iRules processing and cookie persistence.
- SSL Traffic offload from web servers
- SSL key exchange and bulk encryption are performed by a single piece of BigIP F5 hardware rather than needing to install additional hardware in each webserver.
- Centralized certificate management
Configuring Client SSL comprises 3 steps.
- Import or generate the SSL certificate and Key
- Configure the Client SSL profile
- Configure the Virtual Server
1a. Certificate (Import)
- Go to 'Local Traffic | SSL Certificates | Import'.
- Select Certificate as the Import Type.
- Configure the Certificate Name.
- Upload the certificate within the certificate source section.
- Click Import.
Note : Certificates should be in either Base-64 encoded or PEM format.
1b. Certificate (Generate)
- Go to 'Local Traffic | SSL Certificates | Create'.
- Within the General Properties section enter the name and then complete the Certificate Property fields.
- Click Finished.
Note : Certificates and keys are synchronized on redundant systems.
Note : The locations for the certificate/keys are:
2. Configure Profile
Next you will need to configure the Client SSL profile.
- Go to 'Local Traffic | Profiles | SSL | Client | Create'
- Within the General Properties enter the Name and select the Parent Profile as clientssl.
- Within the Configuration section select the Certificate and Key.
- Click Finished.
3. Configure the Virtual Server
- Within the necessary Virtual Server under SSL Profile (Client) select the previously created profile.
If Server SSL is required then select the serverssl profile from the SSL Profile (Server) dropdown menu from within the Virtual Server.
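A pre-import check for the format note in step 1a, as an added example that is not part of the original page or of F5's tooling: it reports a file that is binary DER rather than Base-64/PEM, a block that does not match the selected Import Type (for instance a private key uploaded as a certificate), and a body that was truncated or corrupted in copy and paste. The function names and the placeholder sample are assumptions, and the check covers the encoding only, not the certificate's contents.

```python
import base64
import binascii
import re

# PEM armor: matching BEGIN/END labels around a base64 body.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def der_sequence_ok(der: bytes) -> bool:
    """True if der is exactly one ASN.1 SEQUENCE whose length field fits the data."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:  # short form: the byte is the content length
        return len(der) == 2 + first
    n = first & 0x7F  # long form: n length bytes follow
    return n > 0 and len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_import(data: bytes, import_type: str) -> list:
    """List problems for a file imported as "Certificate" or "Key"; empty means none found."""
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        if der_sequence_ok(data):
            return ["binary DER, not Base-64/PEM: convert before import"]
        return ["no PEM block found"]
    problems = []
    for raw_label, body in blocks:
        label = raw_label.decode()
        is_key = label.endswith("PRIVATE KEY")
        wanted = is_key if import_type == "Key" else label == "CERTIFICATE"
        if import_type == "Certificate" and is_key:
            problems.append("private key inside a file imported as Certificate")
        elif not wanted:
            problems.append(f"unexpected {label} block for import type {import_type}")
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except binascii.Error:
            problems.append(f"{label}: body is not valid base64")
            continue
        if not der_sequence_ok(der):
            problems.append(f"{label}: decoded body is not a complete DER SEQUENCE")
    return problems

# Helper for the constructed samples: wrap DER bytes in PEM armor.
def make_pem(label: str, der: bytes) -> bytes:
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n".encode()

# Constructed placeholder: a minimal DER SEQUENCE, not a real certificate or key.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
```

Call `check_import(open(path, "rb").read(), "Certificate")` on the file before uploading it; an empty list means none of these problems were found.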