Applies To:

Show Versions Show Versions

Manual Chapter: Managing Client-side HTTPS Traffic Using a Self-signed Certificate
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Overview: Managing client-side HTTPS traffic using a self-signed certificate

When you want to manage HTTP traffic over SSL, you can configure the BIG-IP system to perform the SSL handshake that target web servers typically perform.

A common way to configure the BIG-IP system is to enable client-side SSL, which enables the system to decrypt client requests before forwarding them to a server, and to encrypt server responses before returning them to the client. In this case, you need to install only one SSL key/certificate pair on the BIG-IP system.

This implementation uses a self-signed certificate to authenticate HTTPS traffic.

Task summary

To implement client-side authentication using HTTP and SSL with a self-signed certificate, you perform a few basic configuration tasks.

Task list

Creating a self-signed SSL certificate

If you are configuring the BIG-IP system to manage client-side HTTP traffic, you create a self-signed certificate to authenticate and secure the client-side HTTP traffic. If you are also configuring the system to manage server-side HTTP traffic, you create a second self-signed certificate to authenticate and secure the server-side HTTP traffic.
  1. On the Main tab, click Local Traffic > SSL Certificates. This displays a list of existing SSL certificates.
  2. On the upper-right corner of the screen, click Create.
  3. In the Name field, type a name for the certificate, such as my_clientside_cert or my_serverside_cert.
  4. From the Issuer list, select Self.
  5. In the Common Name field, type either the IP address for the virtual server you will create later on, or a DNS name that resolves to the virtual server’s IP address.
  6. In the Division field, type your company name.
  7. In the Organization field, type your department name.
  8. In the Locality field, type your city name.
  9. In the State or Province field, type your state or province name.
  10. From the Country list, select the name of your country.
  11. In the E-mail Address field, type your email address.
  12. In the Challenge Password field, type a password.
  13. In the Confirm Password field, re-type the password you typed in the Challenge Password field.
  14. In the Key Properties area of the screen, from the Size list, select 1024.
  15. Click Finished.

Creating a custom HTTP profile

An HTTP profile defines the way that you want the BIG-IP system to manage HTTP traffic.
Note: Other HTTP profile types (HTTP Compression and Web Acceleration) enable you to configure compression and cache settings, as required. Use of these profile types is optional.
  1. On the Main tab, click Local Traffic > Profiles > Services > HTTP. The HTTP profile list screen opens.
  2. Click Create. The New Fast L4 Profile screen opens.
  3. In the Name field, type a name for the profile. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
  4. From the Parent Profile list, select http.
  5. Select the Custom check box. The fields in the Settings area become available for configuring.
  6. Modify the settings, as required.
  7. Click Finished.
The custom HTTP profile appears in the list of HTTP profiles.

Creating a custom Client SSL profile

A Client SSL profile enables the BIG-IP system to perform decryption and encryption for client-side SSL traffic.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Client. The SSL Client profile list screen opens.
  2. Click Create. The New Fast L4 Profile screen opens.
  3. In the Name field, type a name for the profile. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
  4. Select clientssl in the Parent Profile list.
  5. Select Advanced in the Configuration area of the screen. This selection allows you to modify additional default settings.
  6. Select the Custom check box for Configuration. The settings in the Configuration area become available for configuring.
  7. Select the Custom check box for Client Authentication. The settings in the Client Authentication area become available for configuring.
  8. Modify the settings, as required.
  9. Select Advanced in the Configuration area of the screen. This selection allows you to modify additional default settings.
  10. Click Finished.
The custom Client SSL profile is listed in the Profiles:SSL:Client list.

Creating a pool to manage HTTP traffic

Use this procedure to create a pool to manage HTTP connections.
  1. On the Main tab, click Local Traffic > Pools. The Pool List screen opens.
  2. Click Create. The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. For the Health Monitors setting, from the Available list, select the http monitor, and click << to move the monitor to the Active list.
  5. From the Load Balancing Method list, select how the system distributes traffic to members of this pool. The default is Round Robin.
  6. For the Priority Group Activation setting, specify how to handle priority groups:
    • Select Disabled to disable priority groups. This is the default option.
    • Select Less than, and in the Available Members field type the minimum number of members that must remain available in each priority group in order for traffic to remain confined to that group.
  7. Using the New Members setting, add each resource that you want to include in the pool:
    1. Type an IP address in the Address field, or select a node address from the Node List.
    2. Type 80 in the Service Port field, or select HTTP from the list.
    3. (Optional) Type a priority number in the Priority field.
    4. Click Add.
  8. Click Finished.
The new pool appears in the Pools list.

Creating a virtual server for client-side HTTPS traffic

You can specify a virtual server to be either a host virtual server or a network virtual server to manage HTTPS traffic.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen displays a list of existing virtual servers.
  2. Click the Create button. The New Virtual Server screen opens.
  3. Type a unique name for the virtual server.
  4. In the Destination setting, in the Address field, type the IP address you want to use for the virtual server. The IP address you type must be available and not in the loopback network.
  5. Type 443 in the Service Port field, or select HTTPS in the list.
  6. From the HTTP Profile list, select the HTTP profile that you previously created.
  7. From the SSL Profile (Client) list, select the Client SSL profile that you previously created.
  8. Click Finished.
The HTTPS virtual server appears in the Virtual Server List screen.

Implementation results

After you complete the tasks in this implementation, the BIG-IP system can authenticate and decrypt HTTPS traffic coming from a client system. The BIG-IP system can also re-encrypt server responses before sending them back to the client.

Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)