Manual Chapter: Authenticating with SSL Certificates Signed by a Third Party
The BIG-IP® Global Traffic Manager system uses an encryption protocol, Secure Sockets Layer (SSL) authentication, to verify the authenticity of the credentials of any other system with which it needs to exchange data. For example, a Global Traffic Manager system might send a request to a Local Traffic Manager system that attempts to authenticate the request, and after authenticating the request sends a response back to the Global Traffic Manager system that in turn attempts to authenticate the response.
With SSL authentication, this verification process occurs with the use of a specialized file, called a certificate, which the two systems exchange. The systems then verify the authenticity of the certificate, typically through the use of a Certificate Authority (CA) server, which both systems have previously verified.
At level 0, certificates are verified by the system to which they belong. These types of certificates are also known as self-signed certificates.
At level 1, certificates are authenticated by a CA server that is separate from the system.
At levels 2 through 9, certificates are authenticated by additional CA servers, which verify the authenticity of other servers. These multiple levels of authentication are referred to as certificate chains, and allow for a tiered verification system that ensures that only authorized communications occur between servers.
When you install BIG-IP® software, it includes a self-signed SSL certificate. A self-signed certificate is an authentication mechanism that is created and authenticated by the system on which it resides. These certificates allow BIG-IP systems to ensure that they are authorized to communicate with other BIG-IP systems on the network.
If your network includes one or more CA servers, you can install on each BIG-IP system SSL certificates that are signed by a third party. To configure multiple level system certificate authentication, you must:
Import to each BIG-IP system the certificates that are necessary to authenticate communications with other BIG-IP systems. You must also modify the following two settings:
Set the Certificate Depth for the gtmd agent
This setting determines the number of CA servers (often referred to as the authentication chain) that the gtmd agent can traverse to validate the authenticity of another BIG-IP system. You can access this setting through the Configuration utility.
Set the Big3d.CertificateDepth variable
This variable determines the number of CA servers that the big3d agent can traverse to validate the authenticity of another BIG-IP system. You access this setting through the command line.
Important: The specified number of certificate levels (certificate depth) that the gtmd agent can traverse must match the specified number for the big3d agent. For example, if the Certificate Depth setting for the gtmd agent is set to 2, then the Big3d.CertificateDepth variable for the big3d agent must also be set to 2.
For more information about SSL certificates, see the TMOS® Management Guide for BIG-IP® Systems.
To see how you can use certificates signed by a third party with a BIG-IP® Global Traffic Manager, consider the fictional company SiteRequest. The network at SiteRequest includes two Global Traffic Manager systems. In addition, SiteRequest uses its own CA server to generate and authenticate SSL certificates for its servers. In this scenario, SiteRequest wants to replace the self-signed certificates of their Global Traffic Manager systems with the company's own SSL certificates.
The following procedures describe how to install the new certificate on each Global Traffic Manager. To accomplish this, you must complete the following tasks on each system:
Set the Big3d.CertificateDepth variable.
For the purposes of this implementation, assume that you already have a signed certificate/key pair and the root certificate from the CA server. A root certificate is a special instance of a certificate chain for which the certificate depth is 1.
The following tasks assume that these Global Traffic Manager systems are already synchronized. For more information on how to synchronize Global Traffic Manager systems, see Chapter 6, Ensuring Correct Synchronization When Adding a New Global Traffic Manager.
Important: If you have a Local Traffic Manager system that you want to be able to communicate with the Global Traffic Manager systems, you must also configure the Local Traffic Manager. For more information, see Configuring SSL authentication for a BIG-IP system that includes a Local Traffic Manager.
The first task to set up the Global Traffic Manager to use a third-party certificate signed by a CA server is to replace the existing certificate file for the gtmd agent with the root certificate of your CA server.
For this task, perform the following procedure on only one Global Traffic Manager in a synchronization group. The system automatically synchronizes these settings with the other Global Traffic Manager systems in the group.
Important: In this procedure, you must import the root certificate from your CA server into the Configuration utility. Before you start this procedure, ensure that you have this certificate available.
1. On the Main tab of the navigation pane, expand Global Traffic and click Servers.
2. On the menu bar, click Trusted Server Certificates.
3. Click Import.
4. From the Import Method list, select Replace.
5. In the Certificate Source area, select the Upload File option and then use the Browse button to navigate to and select the root certificate file.
6. Click Import.
Because, in the previous task, you replaced the certificate file of the gtmd agent with the root certificate of the CA server, you must change the certificate depth for the gtmd agent to 1.
For this task, you perform the following procedure on only one Global Traffic Manager. The system then synchronizes these settings with any other Global Traffic Manager systems in its synchronization group.
1. On the Main tab of the navigation pane, expand System and then click Configuration.
3. For the Certificate Depth setting, type 1.
4. Click Update.
The next task to set up the Global Traffic Manager to use a third-party certificate signed by a CA server is to import the root certificate of the CA server for the big3d agent. For this task, perform the following procedure on all Global Traffic Manager systems.
1. On the Main tab of the navigation pane, expand System and then click Device Certificates.
2. On the menu bar, click Trusted Device Certificates.
3. Click Import.
4. From the Import Method list, select Replace.
5. In the Certificate Source box, select the Upload File option and then use the Browse button to navigate to and select the root certificate file.
6. Click Import.
While the Certificate Depth setting handles the number of certificate levels the gtmd agent can use, it does not affect the big3d agent. To modify the certificate depth for the big3d agent, you must set the bigpipe variable, Big3d.CertificateDepth.
2. At the command line, type the following:
b db Big3d.CertificateDepth 1
The final task is to import the device certificate signed by the CA server. For this task, perform the following procedure on all Global Traffic Manager systems.
1. On the Main tab of the navigation pane, expand System and then click Device Certificates.
2. Click Import.
3. From the Import Type list, select Certificate and Key.
The screen refreshes and provides options to add a new certificate and key.
4. In the Certificate Source area, select the Upload File option and then use the Browse button to navigate to and select the certificate signed by the CA server.
5. In the Key Source area, select the Upload File option and then use the Browse button to navigate to and select the device key file.
6. Click Import.
If the certificate was installed correctly, these commands display a continuous stream of information on the console window.
To see how you can use a certificate chain to allow multiple Global Traffic Manager systems to communicate with one another, we again consider the fictional company SiteRequest. This time the network at SiteRequest includes two Global Traffic Manager systems that are already part of the same synchronization group. For more information on how to synchronize Global Traffic Manager systems, see Chapter 6, Ensuring Correct Synchronization When Adding a New Global Traffic Manager.
Besides using its own CA server to generate and authenticate SSL certificates for its servers, the company also uses additional CA servers for this purpose. In this scenario, SiteRequest wants to add a certificate chain to the self-signed certificates of their Global Traffic Manager systems.
For the purposes of this implementation, you must first create a file containing a certificate chain that consists of the certificates from each of the additional CA servers that the company uses. Then import this file into the gtmd and big3d agents as shown in Importing a certificate chain for the gtmd agent, and Importing the certificate chain for the big3d agent.
Then you complete the following tasks on only one of the Global Traffic Manager systems in the synchronization group. These changes are automatically propagated to the other Global Traffic Manager systems in the group.
Set the Big3d.CertificateDepth variable.
The first task in configuring a certificate chain for a BIG-IP system is to replace the existing certificate with the file containing the certificate chain for the gtmd agent. To do this, perform the following two procedures. First create a certificate chain file, and then import the certificate chain onto the Global Traffic Manager system.
2. Still using a text editor, copy an individual certificate from its own certificate file and paste the certificate into the file you created in step 1.
When you are finished, you should have a certificate chain file that contains all certificates that you want to include in the certificate chain.
Important: Before you perform the following procedure, ensure that the file containing the certificate chain is accessible from the Global Traffic Manager system that you want to configure.
1. On the Main tab of the navigation pane, expand Global Traffic and click Servers.
2. On the menu bar, click Trusted Server Certificates.
3. Click Import.
4. From the Import Method list, select Replace.
5. In the Certificate Source area, select the Upload File option and then use the Browse button to navigate to and select the certificate chain file.
6. Click Import.
For this task, perform the following procedure on only one Global Traffic Manager. The system then synchronizes these settings with all other Global Traffic Manager systems in the synchronization group.
1. On the Main tab of the navigation pane, expand System and then click Configuration.
3. For the Certificate Depth setting, type 2.
Note: If you have multiple levels of CA servers in your network, you increase this setting for each level.
4. Click Update.
The certificate depth must be the same for the gtmd and big3d agents. As shown in the previous procedure, the Certificate Depth setting in the Configuration utility handles the number of certificate levels the gtmd agent can use. However, to modify the certificate depth for the big3d agent, you must set the bigpipe variable, Big3d.CertificateDepth.
2. At the command line, type the following:
b db Big3d.CertificateDepth 2
The next task in configuring a certificate chain for a BIG-IP system is to replace the existing certificate with the file containing the certificate chain for the big3d agent.
Important: Before you start this procedure, make sure that the file containing the certificate chain is accessible from all of the Global Traffic Managers that you want to configure.
1. On the Main tab of the navigation pane, expand System and then click Device Certificates.
2. On the menu bar, click Trusted Device Certificates.
3. Click Import.
4. From the Import Method list, select Replace.
5. In the Certificate Source area, select the Upload File option and then use the Browse button to navigate to and select the certificate chain file.
6. Click Import.
The final task in configuring a certificate chain is to import a device certificate signed by the last CA in the certificate chain. For this task, perform the following procedure on all Global Traffic Manager systems.
1. On the Main tab of the navigation pane, expand System and then click Device Certificates.
2. Click Import.
3. From the Import Type list, select Certificate and Key.
4. In the Certificate Source area, select the Upload File option and then use the Browse button to navigate to and select the device certificate.
5. In the Key Source area, select the Upload File option and then use the Browse button to navigate to and select the device key file.
6. Click Import.
At this point, you can verify that you installed the certificate chain correctly by running the following commands on each Global Traffic Manager system:
If you installed the certificate chain correctly, these commands display a continuous stream of information in the console window.
Configuring SSL authentication for a BIG-IP system that includes a Local Traffic Manager
If you are configuring SSL authentication for a BIG-IP system that includes a Local Traffic Manager system, you must configure the Local Traffic Manager system so that it can communicate with the Global Traffic Manager system using SSL authentication.
Before you import SSL certificates to a Local Traffic Manager, you must perform the following tasks for the big3d agent on each Local Traffic Manager system:
Replace the self-signed certificate for the big3d agent on the Local Traffic Manager with a root certificate or a certificate chain.
You want to replace the self-signed certificates on the Local Traffic Manager systems with certificates that the CA server has generated.
The remainder of this chapter describes how to configure SSL certificates on a Local Traffic Manager system for the purpose of communicating with Global Traffic Manager systems.
For BIG-IP systems to communicate successfully, the specified number of certificate levels that the big3d agent on the Local Traffic Manager can traverse must match the number of certificate levels that the gtmd agent on the Global Traffic Manager can traverse. For example, if the Certificate Depth setting for gtmd is set to 2, then the Big3d.CertificateDepth variable for big3d must also be set to 2. For more information about setting the certificate depth for the gtmd agent, see Setting the certificate depth for the gtmd agent.
2. At the command line, type the following:
b db Big3d.CertificateDepth <integer>
Important: After you configure the certificate depth for the big3d agent, you must import either a root certificate or a certificate chain, but not both.
You can replace the existing self-signed certificate for the big3d agent by importing either the root certificate of a CA server or a certificate chain.
1. On the Main tab of the navigation pane, expand System and then click Device Certificates.
2. On the menu bar, click Trusted Device Certificates.
3. Click Import.
4. From the Import Method list, select Replace.
5. In the Certificate Source area, select the Upload File option and then use the Browse button to navigate to and select the root certificate file.
6. Click Import.
If you choose to import a certificate chain, you need to first create a certificate chain file, and then import the entire certificate chain on to the Local Traffic Manager system.
2. Still using a text editor, copy an individual certificate from its own certificate file and paste the certificate into the file you created in step 1.
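The chain-file and certificate-depth rules described for the gtmd agent above and again here for the Local Traffic Manager, as an added example that is not part of the F5 manual: a small Python script that concatenates single-certificate PEM files into one chain file (rejecting malformed or duplicate blocks), counts the CA certificates in the resulting trusted file, and emits the matching bigpipe command. The function names, the placeholder PEM bodies, and the rule that the depth equals the number of CA certificates in the trusted file are assumptions of this example.

```python
import base64
import binascii
import re

# Constructed placeholders standing in for a root CA file and an intermediate
# CA file; the bodies are arbitrary base64, not real certificates.
SAMPLE_ROOT_PEM = "-----BEGIN CERTIFICATE-----\nAAECAwQFBgc=\n-----END CERTIFICATE-----\n"
SAMPLE_INTERMEDIATE_PEM = "-----BEGIN CERTIFICATE-----\nCAkKCwwNDg8=\n-----END CERTIFICATE-----\n"

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def _decode_block(body):
    """Return the DER bytes of one PEM body; ValueError if the base64 between
    the BEGIN/END markers is malformed."""
    try:
        return base64.b64decode("".join(body.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid base64") from exc


def build_chain_file(cert_files):
    """Concatenate single-certificate PEM files into one chain file, as the
    manual's text-editor procedure does. Each input must hold exactly one
    certificate, and the same certificate may not appear twice."""
    seen, out = set(), []
    for text in cert_files:
        bodies = PEM_BLOCK.findall(text)
        if len(bodies) != 1:
            raise ValueError("each input must contain exactly one certificate")
        der = _decode_block(bodies[0])
        if der in seen:
            raise ValueError("duplicate certificate in chain file")
        seen.add(der)
        out.append(f"-----BEGIN CERTIFICATE-----\n{bodies[0].strip()}\n-----END CERTIFICATE-----\n")
    return "".join(out)


def certificate_depth(trusted_file):
    """Depth to configure for a trusted file. Assumption of this example: the
    depth equals the number of CA certificates in the file, so a root-only file
    gives 1 and root plus one intermediate gives 2, matching the manual's
    procedures; the manual describes levels up to 9."""
    n = len(PEM_BLOCK.findall(trusted_file))
    if not 1 <= n <= 9:
        raise ValueError("trusted file must hold between 1 and 9 certificates")
    return n


def big3d_depth_command(depth):
    """The bigpipe command the manual uses for the big3d agent. The gtmd
    Certificate Depth setting must be set to the same value."""
    return f"b db Big3d.CertificateDepth {depth}"
```

Run certificate_depth over the same file you import for both agents, so the gtmd setting and the big3d variable cannot drift apart.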
Important: Before you perform the following procedure, ensure that the file containing the certificate chain is accessible from all of the Local Traffic Manager systems that you want to configure.
1. On the Main tab of the navigation pane, expand System, and then click Device Certificates.
2. On the menu bar, click Trusted Device Certificates.
3. Click Import.
4. From the Import Method list, select Replace.
5. In the Certificate Source area, select the Upload File option and then use the Browse button to navigate to and select the certificate chain file that you created in the previous procedure, To create a certificate chain file for the Local Traffic Manager.
6. Click Import.
The final task in configuring a certificate chain is to import a device certificate signed by the last CA in the certificate chain. For this task, perform the following procedure on all Local Traffic Manager systems.
1. On the Main tab of the navigation pane, expand System and then click Device Certificates.
2. Click Import.
3. From the Import Type list, select Certificate and Key.
4. In the Certificate Source area, select the Upload File option and then use the Browse button to navigate to and select the device certificate.
5. In the Key Source area, select the Upload File option and then use the Browse button to navigate to and select the device key file.
6. Click Import.