Manual Chapter 11: Authenticating with SSL Certificates Signed by a Third Party
Secure Sockets Layer (SSL) is an encryption protocol that systems use when communicating across wide-area networks. In such networks, each system must verify the credentials of any other system with which it exchanges data. With SSL authentication, this verification uses a specialized file, called a certificate, which the two systems exchange. Each system then verifies the authenticity of the other system's certificate, typically by checking it against a Certificate Authority server that both systems have previously verified.
SSL supports multiple levels of authentication. At level 0, a certificate is verified by the system to which it belongs; such certificates are known as self-signed certificates. At level 1, a certificate must be authenticated by a separate Certificate Authority server. The levels continue up to level 9, each level adding another Certificate Authority server that can vouch for the authenticity of the servers beneath it. These multiple levels of authentication are also referred to as certificate chains; they provide a tiered verification system that ensures only authorized servers communicate with one another.
When you install BIG-IP software, whether it is a Global Traffic Manager, Local Traffic Manager, or Link Controller system, it includes a self-signed SSL certificate. A self-signed certificate is an authentication mechanism that is created and authenticated by the system on which it resides. These certificates allow different BIG-IP systems to ensure that they are authorized to communicate with other BIG-IP systems on the network.
If your network includes one or more certificate authority (CA) servers, you might want to install SSL certificates signed by a third party on a BIG-IP system. To implement this configuration, you must ensure that each BIG-IP system has the appropriate certificates so that it can authenticate communications with other BIG-IP systems. In addition, you must modify two settings:
Certificate Depth
This setting determines the number of CA servers (often referred to as the authentication chain) that the gtmd agent can traverse to validate the authenticity of another BIG-IP system. You access this setting through the Configuration utility.
Big3d.CertificateDepth
This variable determines the number of CA servers that the big3d agent can traverse to validate the authenticity of another BIG-IP system. You access this setting through the command line.
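The certificate levels described above, and the depth limit that the Certificate Depth and Big3d.CertificateDepth settings impose, are easier to see in working code. The following Go program is an added example; it is not part of this manual and not the gtmd or big3d implementation. It builds a constructed test PKI (a root CA, an issuing CA, a device certificate issued by each, and a self-signed device certificate, all under made-up siterequest.example names), verifies each device certificate with Go's standard crypto/x509 library, and then applies a configurable depth limit the way the manual's numbering describes: a certificate a system signs for itself sits at level 0, one signed directly by a trusted CA at level 1, and each intermediate CA adds one level. The function names (issue, chainDepth, acceptPeer, buildPKI) and the exact counting rule are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must unwraps (value, error) pairs while building the constructed test fixtures.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate for cn signed by the parent's key; a nil parent
// yields a self-signed certificate (the manual's level 0). CA certificates get
// the basic constraints and key usage a verifier expects of an issuer.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage |= x509.KeyUsageCertSign
	}
	template := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              usage,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	signer := parentKey
	if parent == nil {
		parent, signer = template, key
	}
	der := must(x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// chainDepth verifies leaf against the trusted roots (plus any intermediates the
// peer presents) and returns the number of CA certificates between the leaf and
// its trust anchor: 0 if the self-signed leaf itself is trusted, 1 if a trusted CA issued it, +1 per intermediate.
func chainDepth(leaf *x509.Certificate, roots, intermediates []*x509.Certificate) (int, error) {
	opts := x509.VerifyOptions{
		Roots:         x509.NewCertPool(),
		Intermediates: x509.NewCertPool(),
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
	for _, c := range roots {
		opts.Roots.AddCert(c)
	}
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	chains, err := leaf.Verify(opts)
	if err != nil {
		return -1, err
	}
	return len(chains[0]) - 1, nil // chains[0] runs leaf -> ... -> trust anchor
}

// acceptPeer applies the policy a Certificate Depth setting expresses: trusted anchor, and not deeper than the limit.
func acceptPeer(leaf *x509.Certificate, roots, intermediates []*x509.Certificate, maxDepth int) error {
	depth, err := chainDepth(leaf, roots, intermediates)
	if err != nil {
		return fmt.Errorf("peer not trusted: %w", err)
	}
	if depth > maxDepth {
		return fmt.Errorf("chain depth %d exceeds configured Certificate Depth %d", depth, maxDepth)
	}
	return nil
}

// buildPKI returns a constructed PKI; the CA and device names are made up for this example.
func buildPKI() (root, inter, leafFromRoot, leafFromInter, selfSigned *x509.Certificate) {
	var rootKey, interKey *ecdsa.PrivateKey
	root, rootKey = issue("SiteRequest Root CA", 1, true, nil, nil)
	inter, interKey = issue("SiteRequest Issuing CA", 2, true, root, rootKey)
	leafFromRoot, _ = issue("gtm1.siterequest.example", 3, false, root, rootKey)
	leafFromInter, _ = issue("gtm2.siterequest.example", 4, false, inter, interKey)
	selfSigned, _ = issue("gtm3.siterequest.example", 5, true, nil, nil)
	return
}

func main() {
	root, inter, leafFromRoot, leafFromInter, selfSigned := buildPKI()
	trusted := []*x509.Certificate{root}
	fmt.Println("depth 1, issued by the root CA:", acceptPeer(leafFromRoot, trusted, nil, 1))
	fmt.Println("depth 1, issued by the intermediate CA:", acceptPeer(leafFromInter, trusted, []*x509.Certificate{inter}, 1))
	fmt.Println("depth 1, self-signed peer, only the root CA trusted:", acceptPeer(selfSigned, trusted, nil, 1))
}
```

Run with go run: the first line reports nil (the peer is accepted), the second a depth error, because the intermediate CA makes the chain two levels deep while the limit is 1, and the third an unknown-authority error, because a self-signed peer certificate is only trusted when that exact certificate has been imported as a trusted certificate. This is the practical reason the procedures that follow import the CA root certificate on both the gtmd and big3d side and then raise the depth setting once per CA level in the chain.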
To see how you can use certificates signed by a third party with BIG-IP systems such as Global Traffic Manager and Link Controller systems, consider the fictional company SiteRequest. The network at SiteRequest includes two Global Traffic Managers. In addition, SiteRequest uses its own Certificate Authority server to generate and authenticate SSL certificates for its servers. In this scenario, SiteRequest wants to replace the self-signed certificates of its Global Traffic Manager systems with the company's own SSL certificates.
The following procedures describe how to install the new certificate on each Global Traffic Manager. To accomplish this, you must complete the following tasks on each system:
Set the Certificate Depth setting.
Set the Big3d.CertificateDepth variable.
Import the root certificate of your CA server for the gtmd agent.
Import the root certificate of your CA server for the big3d agent.
Import the third-party device certificate and key.
For the purposes of this implementation, assume that you already have a signed certificate/key pair and the root certificate from the CA server. Also, the following procedures assume that these Global Traffic Manager systems are already synchronized. For more information on how to synchronize Global Traffic Manager systems, see Chapter 6, Adding New Global Traffic Managers to a Synchronization Group.
For this procedure, you need to perform the following steps on only one Global Traffic Manager. The system then synchronizes these settings with any other Global Traffic Manager systems in its synchronization group.
1. On the Main tab of the navigation pane, expand System and then click General Properties.
3. For the Certificate Depth setting, type 1.
Note: If you have multiple levels of CA servers in your network, increase this setting by one for each level.
4. Click Update.
The first step in using your own certificates with Global Traffic Manager is to append the root certificate of your CA server to the existing certificate file for the gtmd agent.
For this procedure, you need to perform the following steps on only one Global Traffic Manager. The system then synchronizes these settings with any other Global Traffic Manager systems in its synchronization group.
Note: In this procedure, you must import the certificate into the Configuration utility. Before you start this procedure, ensure that you have this certificate available.
1. On the Main tab of the navigation pane, expand Global Traffic and click Servers.
2. On the menu bar, click Trusted Server Certificates.
3. Click Import.
4. From the Import Method list, select Replace.
5. In the Certificate Source box, select the Upload File option and then use the Browse button to navigate to and select the root certificate file.
6. Click Import.
While the Certificate Depth setting handles the number of certificate levels the gtmd agent can use, it does not affect the big3d agent. To modify the certificate depth for the big3d agent, you must set the bigpipe variable, Big3d.CertificateDepth.
The next step in using your own certificates with Global Traffic Manager is to add the root certificate of your CA server for the big3d agent. Again, you must have the root certificate available, or copied, because you must import this certificate through the Configuration utility.
1. On the Main tab of the navigation pane, expand System and then click Device Certificates.
2. On the menu bar, click Trusted Server Certificates.
3. Click Import.
4. From the Import Method list, select Replace.
5. In the Certificate Source box, select the Upload File option and then use the Browse button to navigate to and select the root certificate file.
6. Click Import.
The final step in using your own certificates with Global Traffic Manager is to import the third-party device certificate to the system configuration. Again, you must have the root certificate available, or copied, as you must paste this certificate into the Configuration utility.
1. On the Main tab of the navigation pane, expand System and then click Device Certificates.
2. Click Import.
3. From the Import Type list, select Certificate and Key.
The screen refreshes to provide options for adding a new certificate and key.
4. In the Certificate Source box, select the Upload File option and then use the Browse button to navigate to and select the device certificate file.
5. In the Key Source box, select the Upload File option and then use the Browse button to navigate to and select the device key file.
6. Click Import.
If the certificate was installed correctly, these commands display a continuous stream of information in the console window.