Archived Manual Chapter: BIG-IP e-Commerce Controller guide v3.3: Configuring an SSL Accelerator

This article has been archived, and is no longer maintained.



Chapter 2: Configuring an SSL Accelerator



Introducing the SSL Accelerator

The BIG-IP e-Commerce Controller accepts HTTPS connections (HTTP over SSL), connects to a web server, retrieves the page, and then sends the page to the client.

A key component of the SSL Accelerator feature is that the controller can retrieve the web page using an unencrypted HTTP request to the content server. With this feature, you can configure an SSL gateway on the BIG-IP e-Commerce Controller that decrypts HTTP requests that are encrypted with SSL. Decrypting the request offloads SSL processing from the servers to the BIG-IP Controller. This also allows the BIG-IP e-Commerce Controller to use the header of the HTTP request to intelligently control how the request is handled.

When the SSL gateway on the BIG-IP e-Commerce Controller connects to the content server, it uses the original client's IP address and port as its source address and port, so that it appears to be the client (for logging purposes).

Configuring the SSL Accelerator

There are several steps required to set up the SSL Accelerator on the BIG-IP Controller. These steps include:

  • Generating a key and obtaining a certificate
  • Installing certificates from the certification authority (CA)
  • Creating an SSL gateway
  • Enabling, disabling, or deleting a proxy
  • Displaying configuration information for an SSL gateway from the command line

Generating a key and obtaining a certificate

In order to use the SSL Accelerator feature you must obtain a valid x509 certificate from an authorized certification authority (CA). The following list contains some companies that are certification authorities:

  • Verisign (http://www.verisign.com)
  • Digital Signature Trust Company (http://secure.digsigtrust.com)
  • GlobalSign (http://www.globalsign.com)
  • GTE Cybertrust (http://www.cybertrust.gte.com)
  • Entrust (http://www.entrust.net)

You can generate a key, a temporary certificate, and a certificate request form with the Configuration utility or from the command line.

We recommend using the Configuration utility for this process. The certification process is generally handled through a web page. Parts of the process require you to cut and paste information from a browser window in the Configuration utility to another browser window on the web site of the certification authority (CA).

Additional information about keys and certificates

You must have a separate certificate for each domain name on each redundant pair of BIG-IP Controllers, regardless of how many non-SSL web servers are load balanced by the BIG-IP Controller.

If you are already running an SSL server you can use your existing keys to generate temporary certificates and request files. However, you must obtain new certificates if the ones you have are not for the following web server types:

  • Apache
  • OpenSSL
  • Stronghold

Warning: The BIG-IP Controller does not support Microsoft Internet Information Server (IIS) certificates. You must generate new certificates for your servers if they currently use IIS certificates.

Generating a key and obtaining a certificate using the Configuration utility

To obtain a valid certificate, you must have a private key. If you do not have a key, you can use the Configuration utility on the BIG-IP Controller to generate a key and a temporary certificate. You can also use the Configuration utility to create a request file you can submit to a certification authority (CA). You must complete three tasks in the Configuration utility to create a key and generate a certificate request:

  • Generate a certificate request
  • Submit the certificate request to a CA and generate a temporary certificate
  • Install the SSL certificate from the CA

Each of these tasks is described in detail in the following section.

To create a new certificate request using the Configuration utility

  1. In the navigation pane, click Proxies.
    The Proxies screen opens.
  2. On the toolbar, click Create SSL Certificate Request.
    The New SSL Certificate Request screen opens.
  3. In the Key Information section, select a key length and key file name.

    a) Key Length
    Select the key length you want to use for the key. You can choose either 512 or 1024 bytes.

    b) Keyfile Name
    Type the name of the key file. This should be the fully qualified domain name of the server for which you want to request a certificate. You must add the .key file extension to the name.

  4. In the Certificate Information section, type the information specific to your company. This information includes:

    · Country
    Type the two letter ISO code for your country, or select it from the list. For example, the two-letter code for the United States is US.

    · State or Province
    Type the full name of your state or province, or select it from the list. You must enter a state or province.

    · Locality
    Type the city or town name.

    · Organization
    Type the name of your organization.

    · Organizational Unit
    Type the division name or organizational unit.

    · Domain Name
    Type the name of the domain upon which the server is installed.

    · Email Address
    Type the email address of a person who can be contacted about this certificate.

    · Challenge Password
    Type the password you want to use as the challenge password for this certificate. The CA uses the challenge password to verify any changes you make to the certificate at a later date.

    · Retype Password
    Retype the password to verify the password you entered for the challenge password.

  5. Click the Generate Certificate Request button.
    After a short pause, the SSL Certificate Request screen opens.
  6. In the SSL Certificate Request screen, you can start the process of obtaining a certificate from a certification authority and you can generate and install a temporary certificate:

    · Begin the process for obtaining a certificate from CA
    Click the URL of a certification authority (CA) to begin the process of obtaining a certificate for the server. After you select a CA, follow the directions on their web site to submit the certificate request. After your certificate request is approved and you receive a certificate back from the CA, see Installing certificates from the CA using the Configuration utility for information about installing it on the BIG-IP Controller.

    · Generate and install a temporary certificate
    Click the Generate Self-Signed Certificate button to create a self-signed certificate for the server. We recommend that you use the temporary certificate for testing only. You should only take your site live after you receive a properly-signed certificate from a certification authority. When you click this button, a temporary certificate is created and installed on the BIG-IP Controller. This certificate is valid for 30 days. This temporary certificate allows you to set up an SSL gateway for the SSL Accelerator while you wait for a CA to return a permanent certificate.

Generating a key and obtaining a certificate from the command line

To obtain a valid certificate, you must have a private key. If you do not have a key, you can use the genconf and genkey utilities on the BIG-IP Controller to generate a key and a temporary certificate. The genkey and gencert utilities automatically generate a request file you can submit to a certification authority (CA). If you have a key, you can use the gencert utility to generate a temporary certificate and request file. These utilities are described in the following list:

  • genconf
    This utility creates a key configuration file that contains specific information about your organization. The genkey utility uses this information to generate a certificate.
  • genkey
    After you run the genconf utility, run this utility to generate a temporary 30-day certificate for testing the SSL Accelerator on the BIG-IP Controller. This utility also creates a request file that you can submit to a certification authority (CA) to obtain a certificate.
  • gencert
    If you already have a key, run this utility to generate a temporary certificate, and to create a request file for the SSL Accelerator.

To generate a key configuration file using the genconf utility

If you do not have a key, you can generate a key and certificate with the genconf and genkey utilities. First, run the genconf utility from the root (/) with the following commands:

cd /

/var/asr/gateway/bin/genconf

The utility prompts you for information about the organization for which you are requesting certification. This information includes:

  • The fully qualified domain name (FQDN) of the server
  • The two letter ISO code for your country
  • The full name of your state or province
  • The city or town name
  • The name of your organization
  • The division name or organizational unit

For example, Figure 2.1 contains entries for the server my.server.net:

Figure 2.1 Example entries for the genconf utility

Common Name (full qualified domain name): my.server.net
Country Name (ISO 2 letter code): US
State or Province Name (full name): WASHINGTON
Locality Name (city, town, etc.): SEATTLE
Organization Name (company): MY COMPANY
Organizational Unit Name (division): WEB UNIT

After you run the genconf utility, you can run the genkey utility to create a temporary certificate and a request file.

To generate a key using the genkey utility

After you run the genconf utility, you can generate a key with the genkey utility. Type the following command from the root (/) to run the genkey utility:

cd /

/var/asr/gateway/bin/genkey <server_name>

For the <server_name>, type the fully qualified domain name (FQDN) of the server to which the certificate applies. After the utility starts, it prompts you to verify the information created by the genconf utility. After you run this utility, a certification request form is created in the following directory:

/var/asr/gateway/requests/<fqdn>.req

The <fqdn> is the fully qualified domain name of the server. Please contact your certification authority (CA) and follow their instructions for submitting this request form.

In addition to creating a request form you can submit to a certification authority, this utility also generates a temporary certificate. The temporary certificate is located in:

/var/asr/gateway/certs/<fqdn>.cert

The <fqdn> is the fully qualified domain name of the server.

Note that you must copy the key and certificate to the other controller in a redundant system.

This temporary certificate is good for thirty days, after which time you should have a valid certificate from your CA. If you do not have a certificate within 30 days, you can re-run this program.

Warning: Be sure to keep your previous key if you are still undergoing certification. The certificate you receive is valid only with the key that originally generated the request.

To generate a certificate with an existing key using the gencert utility

To generate a temporary certificate and request file to submit to the certification authority using the gencert utility, you must first copy an existing key for a server into the following directory on the BIG-IP Controller:

/var/asr/gateway/private/

After you copy the key into this directory, type the following command at the command line:

cd /

/var/asr/gateway/bin/gencert <server_name>

For the <server_name>, type the fully qualified domain name (FQDN) of the server to which the certificate applies. After the utility starts, it prompts you for various information. After you run this utility, a certification request form is created in the following directory:

/var/asr/gateway/requests/<fqdn>.req

The <fqdn> is the fully qualified domain name of the server. Please contact your certification authority (CA) and follow its instructions for submitting this request form.

Installing certificates from the certification authority (CA)

After you obtain a valid x509 certificate from a certification authority (CA) for the SSL Accelerator, you must copy it onto each BIG-IP Controller in the redundant configuration. You can configure the accelerator with certificates from the Configuration utility or from the command line.

Installing certificates from the CA using the Configuration utility

  1. In the navigation pane, click Proxies.
    The Proxies screen opens.
  2. On the toolbar, click Install SSL Certificate.
    The Install SSL Certificate screen opens.
  3. In the Certfile Name box, type the fully qualified domain name of the server with the file extension .cert. Note that if you generated a temporary certificate when you submitted a request to the CA, you need to select the name of the certificate from the drop down list. This allows you to overwrite the temporary certificate with the certificate from the CA.
  4. Paste the text of the certificate into the Install SSL Certificate window. Make sure you include the Begin Certificate line and the End Certificate line. For an example of a certificate, see Figure 2.2.
  5. Click the Write Certificate File button.

Figure 2.2 An example of a certificate

-----BEGIN CERTIFICATE-----
(base64-encoded certificate body omitted)
-----END CERTIFICATE-----

After the certificate is installed, you can continue with the next step, creating an SSL gateway for the server.

Installing certificates from the CA from the command line

Copy the certificate into the following directory on each BIG-IP Controller in a redundant system:

/var/asr/gateway/certs/

Note: The certificate you receive from the certification authority (CA) should overwrite the temporary certificate generated by genkey or gencert.

If you used the genkey or gencert utilities to generate the request file, a copy of the corresponding key should already be in the following directory on the BIG-IP Controller:

/var/asr/gateway/private/

Warning: The keys and certificates must be in place on both controllers in a redundant system before you configure the SSL Accelerator. You must do this manually; the configuration synchronization utilities do not perform this function.
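The genkey procedure above and the install step here both hinge on one rule: the certificate is only usable with the key that produced its request. The following added example (not code from the BIG-IP manual or from F5) reproduces the genkey steps with the openssl CLI and adds the key-match and validity checks a practitioner should run before overwriting the temporary certificate. It assumes the openssl command is available and uses WORKDIR as a stand-in for /var/asr/gateway.

```shell
#!/bin/sh
# Added example, not part of the BIG-IP manual: the genkey steps reproduced
# with the openssl CLI, plus the check the warning above asks for, namely that
# a certificate is only usable with the key that generated its request.
# WORKDIR stands in for /var/asr/gateway (assumption, so this runs anywhere).
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
mkdir -p "$WORKDIR/private" "$WORKDIR/requests" "$WORKDIR/certs"

# Subject built from the constructed Figure 2.1 entries; $1 is the FQDN.
subject_for() {
  printf '/C=US/ST=WASHINGTON/L=SEATTLE/O=MY COMPANY/OU=WEB UNIT/CN=%s' "$1"
}

# genkey equivalent: new key, request file (<fqdn>.req) and a 30-day
# self-signed temporary certificate (<fqdn>.cert). 2048 bits is used because
# no public CA accepts the 512/1024-bit sizes this chapter offers.
gen_key_and_request() {
  fqdn="$1"
  openssl genrsa -out "$WORKDIR/private/$fqdn.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/private/$fqdn.key" \
    -subj "$(subject_for "$fqdn")" -out "$WORKDIR/requests/$fqdn.req"
  openssl x509 -req -in "$WORKDIR/requests/$fqdn.req" \
    -signkey "$WORKDIR/private/$fqdn.key" -days 30 \
    -out "$WORKDIR/certs/$fqdn.cert" 2>/dev/null
}

# Succeeds only when the certificate carries the public half of the key file.
# Run this on the CA-issued certificate before it overwrites the temporary one.
cert_matches_key() {
  key_fp=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
  cert_fp=$(openssl x509 -in "$2" -noout -pubkey \
    | openssl pkey -pubin -pubout -outform DER | openssl sha256)
  [ "$key_fp" = "$cert_fp" ]
}

# Succeeds when the certificate stays valid for at least $2 more seconds;
# a fresh temporary certificate passes for 1 day and fails for 31 days.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

gen_key_and_request my.server.net
if cert_matches_key "$WORKDIR/private/my.server.net.key" \
                    "$WORKDIR/certs/my.server.net.cert"; then
  echo "my.server.net: temporary certificate matches its key"
fi
```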

Creating an SSL gateway

After you create the HTTP virtual server for which the SSL Accelerator handles connections, the next step is to create an SSL gateway.

To create an SSL gateway using the Configuration utility

  1. In the navigation pane, click Proxies.
    The Proxies screen opens.
  2. On the toolbar, click Add Proxy.
    The Add Proxy screen opens.
  3. In the Proxy Address box, type the IP address for the SSL gateway.
  4. In the Proxy Netmask box, type the netmask you want to use for the SSL gateway. If you leave this setting blank, the BIG-IP Controller creates a default based on the network class of the IP address on the external (destination processing) interface. Type a user-defined netmask only if necessary.
  5. In the Proxy Broadcast box, type the broadcast address you want to use for this SSL gateway. The BIG-IP Controller automatically generates a broadcast address if you do not type one. Type a user-defined broadcast address only if necessary.
  6. In the Proxy Port box, type the port number that the proxy server uses, or select a service from the list box. Note that if you select a service, the Configuration utility uses the default port number associated with that service.
  7. For Interface, select the destination processing interface on which you want to create the SSL gateway. Select default to allow the Configuration utility to select the interface based on the network address of the SSL gateway. If you choose None, the BIG-IP Controller does not create an alias and generates no ARPs for the virtual IP address.
  8. In the Destination Address box, type the IP address or host name of the node to which the SSL gateway maps.
  9. In the Destination Port box, type a port name or number, such as port 80 or http, or select the service name from the drop-down list.
  10. In the SSL Certificate box, type the name of the SSL certificate you installed on the BIG-IP Controller. You can select the certificate you want to use from the drop down list.
  11. In the SSL Key box, type the name of the SSL key for the certificate you installed on the BIG-IP Controller. You can select the key from the drop down list. It is important that you select the key used to generate the certificate you selected in the SSL Certificate box.
  12. Click Apply.

Creating an SSL gateway from the command line

Use the following command syntax to create an SSL gateway. Use this syntax if you want to configure a gateway by specifying a bitmask instead of a netmask and broadcast address:

bigpipe proxy <ip>:<port> [/bitmask] [<ifname>] target server <ip>:<port> ssl enable key <key> cert <cert>

Use this syntax if you want to configure a gateway by specifying a netmask and broadcast address instead of a bitmask:

bigpipe proxy <ip>:<port> [<ifname>] netmask <ip> [broadcast <ip>] target server <ip>:<port> ssl enable key <key> cert <cert>

As an example, you can create an SSL gateway, from the command line, that looks like this:

bigpipe proxy 10.1.1.1:443 exp0 { netmask 255.255.255.0 broadcast 10.1.1.255 target server 20.1.1.1:80 ssl enable key my.server.net.key cert my.server.net.cert }

Note that when the configuration is written out in the bigip.conf file, the line ssl enable is automatically added. When the SSL gateway is written in the /etc/bigip.conf file, it looks like this:

Figure 2.3 An example SSL gateway configuration

proxy 10.1.1.1:443 exp0 {
netmask 255.255.255.0
broadcast 10.1.1.255
target server 20.1.1.1:80
ssl enable
key my.server.net.key
cert my.server.net.cert
}

Enabling, disabling, or deleting an SSL gateway

After you have created an SSL gateway, you can enable it, disable it, or delete it using the Configuration utility or from the command line.

Enabling or disabling an SSL gateway using the Configuration utility

  1. In the navigation pane, click Proxies.
    The Proxies screen opens.
  2. In the Proxies list, select the SSL gateway you want to enable or disable.
    The Proxy Properties screen opens.
  3. In the Proxy Properties screen, clear the Enable check box to disable the Proxy, or check the Enable box to enable the SSL gateway.
  4. Click Apply.

Deleting an SSL gateway using the Configuration utility

  1. In the navigation pane, click Proxies.
    The Proxies screen opens.
  2. In the Proxies list, select the SSL gateway you want to delete.
    The Proxy Properties screen opens.
  3. On the toolbar, click Delete.

Enabling, disabling, or deleting an SSL gateway from the command line

You can enable, disable, or delete an SSL gateway with the following syntax:

bigpipe proxy <ip>:<port> enable

bigpipe proxy <ip>:<port> disable

bigpipe proxy <ip>:<port> delete

For example, if you want to enable the SSL gateway 209.100.19.22:443, you could type the following command:

bigpipe proxy 209.100.19.22:443 enable

If you want to disable the SSL gateway 209.100.19.22:443, type the following command:

bigpipe proxy 209.100.19.22:443 disable

If you want to delete the SSL gateway 209.100.19.22:443, type the following command:

bigpipe proxy 209.100.19.22:443 delete

Displaying the configuration for an SSL gateway from the command line

You can view the configuration information for an SSL gateway from the command line with the show keyword.

Displaying configuration information for an SSL accelerator gateway from the command line

Use the following syntax to view the configuration for the specified SSL gateway:

bigpipe proxy <ip>:<port> show

For example, if you want to view configuration information for the SSL gateway 209.100.19.22:80, type the following command:

bigpipe proxy 209.100.19.22:80 show

Figure 2.4 Output from the bigpipe proxy show command

SSL PROXY +---> 11.12.1.200:443 -- Originating Address -- Enabled   Unit 1
| Key File Name balvenie.scotch.net.key
| Cert File Name balvenie.scotch.net.cert
+===> 11.12.1.100:80 -- Destination Address -- Server


SSL PROXY +---> 11.12.1.120:443 -- Originating Address -- Enabled Unit 1
| Key File Name balvenie.scotch.net.key
| Cert File Name balvenie.scotch.net.cert
+===> 11.12.1.111:80 -- Destination Address -- Server
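The show output above is the quickest inventory of which key and certificate each gateway serves. The following added example (not code from the BIG-IP manual or from F5) turns a listing in the Figure 2.4 layout into one line per gateway and flags any gateway whose key and certificate file names do not pair up, a cheap first check against the step 11 requirement that the key be the one that generated the certificate. The sample listing is constructed; the second gateway is deliberately given a certificate from a different name.

```shell
#!/bin/sh
# Added example, not part of the BIG-IP manual: summarizes "bigpipe proxy
# show" output (shape as in Figure 2.4) and flags key/cert name mismatches.
set -eu

# Constructed sample in the Figure 2.4 layout; the second gateway pairs
# balvenie.scotch.net.key with a certificate issued for another name.
SAMPLE_SHOW='SSL PROXY +---> 11.12.1.200:443 -- Originating Address -- Enabled   Unit 1
| Key File Name balvenie.scotch.net.key
| Cert File Name balvenie.scotch.net.cert
+===> 11.12.1.100:80 -- Destination Address -- Server


SSL PROXY +---> 11.12.1.120:443 -- Originating Address -- Enabled Unit 1
| Key File Name balvenie.scotch.net.key
| Cert File Name other.scotch.net.cert
+===> 11.12.1.111:80 -- Destination Address -- Server'

# Prints "<proxy> <state> <target> <key> <cert>" for each SSL PROXY block.
summarize_gateways() {
  printf '%s\n' "$1" | awk '
    /^SSL PROXY/          { proxy = $4; state = $9 }
    /Key File Name/       { key = $NF }
    /Cert File Name/      { cert = $NF }
    /Destination Address/ { print proxy, state, $2, key, cert }'
}

# A file-name mismatch is only a hint: the real proof is comparing the public
# key in the certificate with the key file (openssl pkey / openssl x509).
mismatched_pairs() {
  summarize_gateways "$1" | awk '{
    k = $4; sub(/\.key$/, "", k); c = $5; sub(/\.cert$/, "", c)
    if (k != c) print $1, $4, $5 }'
}

summarize_gateways "$SAMPLE_SHOW"
mismatched_pairs "$SAMPLE_SHOW"
```

On a real controller, feed the function the output of `bigpipe proxy <ip>:<port> show` instead of the constructed sample.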