Manual Chapter : Securing Client-Side and Server-Side LDAP Traffic

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 13.0.1, 13.0.0

BIG-IP APM

  • 13.0.1, 13.0.0

BIG-IP Link Controller

  • 13.0.1, 13.0.0

BIG-IP Analytics

  • 13.0.1, 13.0.0

BIG-IP LTM

  • 13.0.1, 13.0.0

BIG-IP AFM

  • 13.0.1, 13.0.0

BIG-IP PEM

  • 13.0.1, 13.0.0

BIG-IP DNS

  • 13.0.1, 13.0.0

BIG-IP ASM

  • 13.0.1, 13.0.0
Manual Chapter

Overview: Securing LDAP traffic with STARTTLS encryption

You can configure STARTTLS encryption for Lightweight Directory Access Protocol (LDAP) traffic passing through the BIG-IP® system. LDAP is an industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.

You configure the BIG-IP system for STARTTLS encryption by configuring Client LDAP and Server LDAP profiles to activate the STARTTLS communication protocol for any client or server traffic that allows or requires STARTTLS encryption.

Normally, LDAP traffic between LDAP servers and clients is unencrypted. This creates a privacy issue because LDAP traffic often passes through routers that the servers and clients do not trust, resulting in a third party potentially changing the communications between the server and client. Also, two LDAP systems do not normally authenticate each other. A more secure LDAP server might only allow communications from other known LDAP systems, or the server might act differently with unknown systems.

To mitigate these problems, the BIG-IP system includes two LDAP profiles that you can configure. When you configure a Client LDAP or Server LDAP profile, you can instruct the BIG-IP system to activate the STARTTLS communication protocol for any client or server traffic that allows or requires STARTTLS encryption. The STARTTLS protocol effectively upgrades a plain-text connection to an encrypted connection on the same port (port 389), instead of using a separate port for encrypted communication.

This illustration shows a basic configuration of a BIG-IP system that activates STARTTLS to secure LDAP traffic between a client system and the BIG-IP system, and between the BIG-IP system and an LDAP authentication server.

An LDAP/STARTTLS configuration

Sample BIG-IP configuration for LDAP traffic with STARTTLS activation

Task summary

To configure the BIG-IP ®system to process Lightweight Directory Access Protocol (LDAP) traffic with TLS encryption, you perform a few basic tasks.

Task list

Creating a Client LDAP profile

You perform this task to specify the condition under which the BIG-IP system should activate STARTTLS encryption for client-side traffic destined for a specific virtual server.

  1. On the Main tab, click Local Traffic > Profiles > Services > Client LDAP .
    The Client LDAP list screen displays.
  2. Click Create.
    The New Client LDAP Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list, retain the default value, clientldap.
  5. Select the Custom check box.
  6. From the STARTTLS Activation Mode list, select a value:
    Value Description
    Allow This value activates STARTTLS encryption for any client-side traffic that allows, but does not require, STARTTLS encryption.
    Require This value activates STARTTLS encryption for any client-side traffic that requires STARTTLS encryption. All messages sent to the BIG-IP system prior to STARTTLS activation are rejected with a message stating that a stronger authentication mechanism is required.
    None This value refrains from activating STARTTLS encryption for client-side traffic. Note if you select this value, that you optionally can create an iRule that identifies client-side traffic that requires STARTTLS encryption and then dynamically activates STARTTLS for that particular traffic.
  7. Click Finished.
After you perform this task, the Client LDAP profile appears on the Client LDAP list screen.

Creating a Server LDAP profile

You perform this task to specify the condition under which the BIG-IP system should activate STARTTLS encryption for server-side traffic destined for a specific virtual server.

  1. On the Main tab, click Local Traffic > Profiles > Services > Server LDAP .
    The Server LDAP list screen displays.
  2. Click Create.
    The New Server LDAP Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list, retain the default value, serverldap.
  5. Select the Custom check box.
  6. From the STARTTLS Activation Mode list, select a value:
    Value Description
    Allow This value activates STARTTLS encryption for server-side traffic that allows, but does not require, STARTTLS encryption. In this case, the BIG-IP system only activates STARTTLS for server-side traffic when the BIG-IP system has activated STARTTLS on the client side and the client has acknowledged the activation.
    Require This value activates STARTTLS encryption for any server-side traffic that requires STARTTLS encryption. In this case, the BIG-IP system activates STARTTLS when a successful connection is made.
    None This value refrains from activating STARTTLS encryption for server-side traffic. Note that if you select this value, you can optionally create an iRule that identifies server-side traffic that requires STARTTLS encryption and then dynamically activates STARTTLS for that particular traffic.
  7. Click Finished.
After you perform this task, the Server LDAP profile appears on the Server LDAP list screen.

Creating a custom Client SSL profile

After you have built the cipher string that you want the BIG-IP to use to negotiate client-side SSL connections, you create a custom Client SSL profile. You create the profile when you want the BIG-IP® system to terminate client-side SSL traffic for the purpose of decrypting client-side ingress traffic and encrypting client-side egress traffic. By terminating client-side SSL traffic, the BIG-IP system offloads these decryption/encryption functions from the destination server. When you perform this task, you can specify multiple certificate key chains, one for each key type (RSA, DSA, and ECDSA). This allows the BIG-IP system to negotiate secure client connections using different cipher suites based on the client's preference.
Note: At a minimum, you must specify a certificate key chain that includes an RSA key pair. Specifying certificate key chains for DSA and ECDSA key pairs is optional, although highly recommended.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Client .
    The Client SSL profile list screen opens.
  2. Click Create.
    The New Client SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list, select clientssl.
  5. Select the Custom check box.
    The settings become available for change.
  6. For the Certificate Key Chain setting, click Add.
    1. From the Certificate list, select a certificate name.
      This is the name of a certificate that you installed on the BIG-IP® system. If you have not generated a certificate request nor installed a certificate on the BIG-IP system, and the BIG-IP system is not part of a device service clustering (DSC) configuration, you can specify the name of the existing certificate named default.
      Important: If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default certificate name, and ensure that this same certificate name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
    2. From the Key list, select the name of the key associated with the certificate specified in the previous step.
      This is the name of a key that you installed on the BIG-IP® system. If you have not installed a key on the BIG-IP system, and the BIG-IP system is not part of a device service clustering (DSC) configuration, you can specify the name of the existing key named default.
      Important: If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default key name, and ensure that this same key name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
    3. From the Chain list, select the chain that you want to include in the certificate key chain.
      A certificate chain can contain either a series of public key certificates in Privacy Enhanced Mail (PEM) format or a series of one or more PEM files. A certificate chain can contain certificates for Intermediate certificate Authorities (CAs).
      Note: The default self-signed certificate and the default CA bundle certificate are not appropriate for use as a certificate chain.
    4. For the Passphrase field, type a string that enables access to SSL certificate/key pairs that are stored on the BIG-IP system with password protection.
      This setting is optional. For added security, the BIG-IP system automatically encrypts the pass phrase itself. This pass phrase encryption process is invisible to BIG-IP® system administrative users.
    5. Click Add.
  7. Click Add and repeat the process for all certificate key chains that you want to specify. At a minimum, you must specify an RSA certificate key chain.
    Sample configuration with three key types specified

    Sample configuration with three key types specified

    The result is that all specified key chains appear in the text box.
  8. For the OCSP Stapling setting, select the check box.
    This setting is optional. To enable OCSP stapling, you must first create an OCSP Stapling profile.
  9. For the Notify Certificate Status to Virtual Server setting, select the check box.
    This setting is optional.
  10. For the Ciphers setting, specify a cipher group or cipher string by choosing one of these options.
    Note: If you specified an ECDSA certificate key chain in the Certificate Key Chain setting, you must include the cipher string ECDHE_ECDSA in the cipher group or cipher string that you specify in the Ciphers setting. (At a minimum, you should specify a cipher group or string such as DEFAULT:ECDHE_ECDSA.) This is necessary to ensure successful cipher negotiation when the BIG-IP system is offered an ECDSA-based certificate only.
    Option Description
    Cipher Group

    Select an existing cipher group from the list when you want to use a system-defined or custom cipher group to define the ciphers that the BIG-IP system uses for negotiating SSL connections. Here's an example of the Ciphers setting where we've selected a custom cipher group that we created earlier.

    Cipher String

    Type a cipher string in the box if you want to manually specify a cipher string instead of selecting a cipher group. For security and performance reasons, consider following these recommendations:

    • Always append ciphers to the DEFAULT cipher string.
    • Type a cipher string that includes the ECC key type, because its shorter length speeds up encryption and decryption while still offering virtually the same level of security.
    • Disable ADH ciphers but also include the keyword HIGH. To do this, just include both !ADH and :HIGH in your cipher string.
    • For AES, DES, and RC4 encryption types, make sure you specify the DHE key exchange method. DHE uses Forward Privacy, which creates a key that it throws away after each session so that the same session key never gets used twice. When you use DHE, make sure that the SSL private key isn't being shared with a monitoring system or a security device like an intrusion detection or prevention system. Also, diagnostic tools like ssldump won't work when you're using Forward Secrecy.
    • Disable EXPORT ciphers by including !EXPORT in the cipher string.
    • If you can live with removing support for the SSLv3 protocol version, do it. This protocol version is not secure. Simply include :!SSLv3 in any cipher string you type.

    Here's an example of the Ciphers setting where we have opted to manually type the cipher string DEFAULT:ECDHE-RSA-AES-128-GCM-SHA256:!ADH:!EXPORT:HIGH:

  11. Configure all other profile settings as needed.
  12. Click Finished.
After performing this task, you can see the custom Client SSL profile in the list of Client SSL profiles on the system.
You must also assign the profile to a virtual server.

Creating a custom Server SSL profile

With a Server SSL profile, the BIG-IP® system can perform decryption and encryption for server-side SSL traffic.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Server .
    The Server SSL profile list screen opens.
  2. Click Create.
    The New Server SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. Select serverssl in the Parent Profile list.
  5. From the Configuration list, select Advanced.
  6. Select the Custom check box.
    The settings become available for change.
  7. From the Certificate list, select the name of an SSL certificate on the BIG-IP system.
    Important: If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default certificate name, and ensure that this same certificate name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
  8. From the Key list, select the name of an SSL key on the BIG-IP system.
    Important: If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default key name, and ensure that this same key name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
  9. In the Pass Phrase field, select a pass phrase that enables access to the certificate/key pair on the BIG-IP system.
  10. From the Chain list, select the name of an SSL chain on the BIG-IP system.
  11. For the Ciphers setting, specify a cipher group or cipher string by choosing one of these options.
    Note: If you specified an ECDSA certificate key chain in the Certificate Key Chain setting, you must include the cipher string ECDHE_ECDSA in the cipher group or cipher string that you specify in the Ciphers setting. (At a minimum, you should specify a cipher group or string such as DEFAULT:ECDHE_ECDSA.) This is necessary to ensure successful cipher negotiation when the BIG-IP system is offered an ECDSA-based certificate only.
    Option Description
    Cipher Group

    Select an existing cipher group from the list when you want to use a system-defined or custom cipher group to define the ciphers that the BIG-IP system uses for negotiating SSL connections. Here's an example of the Ciphers setting where we've selected a custom cipher group that we created earlier.

    Cipher String

    Type a cipher string in the box if you want to manually specify a cipher string instead of selecting a cipher group. For security and performance reasons, consider following these recommendations:

    • Always append ciphers to the DEFAULT cipher string.
    • Type a cipher string that includes the ECC key type, because its shorter length speeds up encryption and decryption while still offering virtually the same level of security.
    • Disable ADH ciphers but also include the keyword HIGH. To do this, just include both !ADH and :HIGH in your cipher string.
    • For AES, DES, and RC4 encryption types, make sure you specify the DHE key exchange method. DHE uses Forward Privacy, which creates a key that it throws away after each session so that the same session key never gets used twice. When you use DHE, make sure that the SSL private key isn't being shared with a monitoring system or a security device like an intrusion detection or prevention system. Also, diagnostic tools like ssldump won't work when you're using Forward Secrecy.
    • Disable EXPORT ciphers by including !EXPORT in the cipher string.
    • If you can live with removing support for the SSLv3 protocol version, do it. This protocol version is not secure. Simply include :!SSLv3 in any cipher string you type.

    Here's an example of the Ciphers setting where we have opted to manually type the cipher string DEFAULT:ECDHE-RSA-AES-128-GCM-SHA256:!ADH:!EXPORT:HIGH:

  12. Select the Custom check box for Server Authentication.
  13. Modify the settings, as required.
  14. Click Finished.
To use this profile, you must assign it to a virtual server.

Creating a virtual server and load-balancing pool

You use this task to create a virtual server, as well as a default pool of LDAP servers. The virtual server then listens for and applies the configured STARTTLS activation to client-side or server-side LDAP traffic, or both. Part of creating this virtual server is specifying the names of any client-side and server-side LDAP and SSL profiles that you previously created.

  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address/Mask field, type an address, as appropriate for your network.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP® system automatically uses a /32 prefix.
  5. In the Service Port field, type 389 or select LDAP from the list.
  6. From the Configuration list, select Basic.
  7. For the SSL Profile (Client) setting, in the Available box, select a profile name, and using the Move button, move the name to the Selected box.
  8. From the Client LDAP Profile list, select the Client LDAP profile that you previously created.
  9. From the Server LDAP Profile list, select the Server LDAP profile that you previously created.
  10. In the Resources area of the screen, for the Default Pool setting, click the Create (+) button.
    The New Pool screen opens.
  11. In the Name field, type a unique name for the pool.
  12. In the Resources area, for the New Members setting, select the type of new member you are adding, then type the information in the appropriate fields, and click Add to add as many pool members as you need.
  13. Click Finished to create the pool.
    The screen refreshes, and reopens the New Virtual Server screen. The new pool name appears in the Default Pool list.
  14. Click Finished.
After performing this task, the virtual server applies the custom LDAP and SSL profiles to ingress traffic.

Implementation result

After you have created the required LDAP and SSL profiles and assigned them to a virtual server, the BIG-IP® system listens for client- and server-side LDAP traffic on port 389. The BIG-IP system then activates the STARTTLS method for that traffic to provide SSL security on that same port, before forwarding the traffic on to the specified LDAP server pool.