When you want to manage HTTP traffic over SSL, you can configure the BIG-IP® system to perform the SSL handshake that target web servers normally perform.
A common way to configure the BIG-IP system is to enable client-side SSL, which makes it possible for the system to decrypt client requests before sending them on to a server, and encrypt server responses before sending them back to the client. In this case, you need to install only one SSL key/certificate pair on the BIG-IP system.
This implementation uses a certificate signed by an RSA certificate authority (CA) to authenticate HTTP traffic.
To implement client-side authentication using HTTP and SSL with a certificate signed by a certificate authority, you perform a few basic configuration tasks.
Sample configuration with three key types specified
Select an existing cipher group from the list when you want to use a system-defined or custom cipher group to define the ciphers that the BIG-IP system uses for negotiating SSL connections. Here's an example of the Ciphers setting where we've selected a custom cipher group that we created earlier.
Type a cipher string in the box if you want to manually specify a cipher string instead of selecting a cipher group. For security and performance reasons, consider following these recommendations:
Here's an example of the Ciphers setting where we have opted to manually type the cipher string DEFAULT:ECDHE-RSA-AES-128-GCM-SHA256:!ADH:!EXPORT:HIGH:
After you complete the tasks in this implementation, the BIG-IP® system can authenticate and decrypt HTTP traffic coming from a client system, using an RSA digital certificate. The BIG-IP system can also re-encrypt server responses before sending them back to the client.