Manual Chapter: BIG-IP e-Commerce Solutions Guide v4.1: Configuring an SSL Accelerator

Applies To:


BIG-IP versions 1.x - 4.x

  • 4.1.1 PTF-06, 4.1.1 PTF-05, 4.1.1 PTF-04, 4.1.1 PTF-03, 4.1.1 PTF-02, 4.1.1 PTF-01, 4.1.1, 4.1.0
1 Configuring an SSL Accelerator

Introducing the SSL Accelerator

The SSL Accelerator feature allows the BIG-IP to accept HTTPS connections (HTTP over SSL), connect to a web server, retrieve the page, and then send the page to the client.

A key component of the SSL Accelerator feature is that the BIG-IP can retrieve the web page using an unencrypted HTTP request to the content server. With the SSL Accelerator feature, you can configure an SSL gateway on the BIG-IP that decrypts HTTP requests that are encrypted with SSL. Decrypting the request offloads SSL processing from the servers to the BIG-IP and also allows the BIG-IP to use the header of the HTTP request to intelligently control how the request is handled. (Requests to the servers can optionally be re-encrypted to maintain security on the server side of the BIG-IP as well, using a feature called SSL-to-server.)

When the SSL gateway on the BIG-IP connects to the content server, it uses the original client's IP address and port as its source address and port, so that it appears to be the client (for logging purposes).

This chapter describes the following features of the BIG-IP SSL Accelerator:

  • Configuring the SSL Accelerator
  • Using SSL-to-server

Note: All products except the BIG-IP LB Controller, BIG-IP FireGuard Controller, and the BIG-IP Cache Controller support this configuration.

Figure 1.1 An incoming SSL connection received by an SSL Accelerator configured on BIG-IP

Configuring the SSL Accelerator

There are several steps required to set up the SSL Accelerator on the BIG-IP. These steps include:

  • Generating a key and obtaining a certificate
  • Configuring the BIG-IP with the certificate and key
  • Creating the gateway for the SSL Accelerator

Generating a key and obtaining a certificate

In order to use the SSL Accelerator feature you must obtain a valid X.509 certificate from an authorized certificate authority (CA). The following list contains some companies that are certificate authorities:

  • Verisign (http://www.verisign.com)
  • Digital Signature Trust Company (http://secure.digsigtrust.com)
  • GlobalSign (http://www.globalsign.com)
  • GTE Cybertrust (http://www.cybertrust.gte.com)
  • Entrust (http://www.entrust.net)

    You can generate a key, a temporary certificate, and a certificate request form with the Configuration utility or from the command line.

    Note that we recommend using the Configuration utility for this process. The certification process is generally handled through a web page. Parts of the process require you to cut and paste information from a browser window in the Configuration utility to another browser window on the web site of the CA.

Additional information about keys and certificates

You must have a separate certificate for each domain name on each e-Commerce unit, regardless of how many non-SSL web server proxies you configure.

If you are already running an SSL server, you can use your existing keys to generate temporary certificates and request files. However, you must obtain new certificates if the ones you have are not for the following web server types:

  • Apache + OpenSSL
  • Stronghold

Generating a key and obtaining a certificate using the Configuration utility

To obtain a valid certificate, you must have a private key. If you do not have a key, you can use the Configuration utility on the BIG-IP to generate a key and a temporary certificate. You can also use the Configuration utility to create a request file you can submit to a certificate authority (CA). You must complete three tasks in the Configuration utility to create a key and generate a certificate request.

  • Generate a certificate request
  • Submit the certificate request to a CA and generate a temporary certificate
  • Install the SSL certificate from the CA

    Each of these tasks is described in detail in the following paragraphs.

To create a new certificate request using the Configuration utility

  1. In the navigation pane, click Proxies.
    The Proxies screen opens.
  2. Click the Create SSL Certificate Request tab.
    The New SSL Certificate Request screen opens.
  3. In the Key Information section, select a key length and key file name.

    • Key Length
      Select the key length you want to use for the key. You can choose 512, 1024, 2048 or 4096 bits.
    • Keyfile Name
      Type in the name of the key file. This should be the fully qualified domain name of the server for which you want to request a certificate. You must add the .key file extension to the name.
  4. In the Certificate Information section, type the information specific to your company. This information includes:

    • Country
      Type the two letter ISO code for your country, or select it from the list. For example, the two-letter code for the United States is US.
    • State or Province
      Type the full name of your state or province, or select it from the list. You must enter a state or province.
    • Locality
      Type the city or town name.
    • Organization
      Type the name of your organization.
    • Organizational Unit
      Type the division name or organizational unit.
    • Domain Name
      Type the name of the domain upon which the server is installed.
    • Email Address
      Type the email address of a person who can be contacted about this certificate.
    • Challenge Password
      Type the password you want to use as the challenge password for this certificate. The CA uses the challenge password to verify any changes you make to the certificate at a later date.
    • Retype Password
      Retype the password you entered for the challenge password.
  5. Click the Generate Certificate Request button.
    After a short pause, the SSL Certificate Request screen opens.
  6. Use the SSL Certificate Request screen to start the process of obtaining a certificate from a CA, and then to generate and install a temporary certificate.

    • Begin the process for obtaining a certificate from CA
      Click on the URL of a CA to begin the process of obtaining a certificate for the server. After you select a CA, follow the directions on their web site to submit the certificate request. After your certificate request is approved, and you receive a certificate back from the CA, see To install certificates from the CA using the Configuration utility, on page 1-8, for information about installing it on the BIG-IP.
    • Generate and install a temporary certificate
      Click the Generate Self-Signed Certificate button to create a self-signed certificate for the server. We recommend that you use the temporary certificate for testing only. You should take your site live only after you receive a properly-signed certificate from a certificate authority. When you click this button, a temporary certificate is created and installed on the BIG-IP. This certificate is valid for 10 years. This temporary certificate allows you to set up an SSL gateway for the SSL Accelerator while you wait for a CA to return a permanent certificate.

Generating a key and obtaining a certificate from the command line

To obtain a valid certificate, you must have a private key. If you do not have a key, you can use the genconf and genkey utilities on the BIG-IP to generate a key and a temporary certificate. The genkey and gencert utilities automatically generate a request file that you can submit to a certificate authority (CA). If you have a key, you can use the gencert utility to generate a temporary certificate and request file.

These utilities are described in the following list:

  • genconf
    This utility creates a key configuration file that contains specific information about your organization. The genkey utility uses this information to generate a certificate.
  • genkey
    After you run the genconf utility, run this utility to generate a temporary 10-year certificate for testing the SSL Accelerator on the BIG-IP. This utility also creates a request file that you can submit to a certificate authority (CA) to obtain a certificate.
  • gencert
    If you already have a key, run this utility to generate a temporary certificate and request file for the SSL Accelerator.

To generate a key configuration file using the genconf utility

If you do not have a key, you can generate a key and certificate with the genconf and genkey utilities. First, run the genconf utility from the root (/) with the following command:

/usr/local/bin/genconf

The utility prompts you for information about the organization for which you are requesting certification. This information includes:

  • The fully qualified domain name (FQDN) of the server
  • The two-letter ISO code for your country
  • The full name of your state or province
  • The city or town name
  • The name of your organization
  • The division name or organizational unit

For example, Figure 1.2 contains entries for the server my.server.net.

Figure 1.2 Example entries for the genconf utility

Common Name (fully qualified domain name): my.server.net
Country Name (ISO 2 letter code): US
State or Province Name (full name): WASHINGTON
Locality Name (city, town, etc.): SEATTLE
Organization Name (company): MY COMPANY
Organizational Unit Name (division): WEB UNIT

To generate a key using the genkey utility

After you run the genconf utility, you can generate a key with the genkey utility. Type the following commands from the root (/) to run the genkey utility:

cd /

/usr/local/bin/genkey <server_name>

For the <server_name>, type the FQDN of the server to which the certificate applies. After the utility starts, it prompts you to verify the information created by the genconf utility. After you run this utility, a certificate request form is created in the following directory:

/config/bigconfig/ssl.csr/<fqdn>.req

The <fqdn> is the fully qualified domain name of the server. Please contact your CA and follow their instructions for submitting this request form.

In addition to creating a request form that you can submit to a certificate authority, this utility also generates a temporary certificate. The temporary certificate is located in:

/config/bigconfig/ssl.crt/<fqdn>.crt

The <fqdn> is the fully qualified domain name of the server.

This temporary certificate is good for ten years, but for an SSL proxy you should have a valid certificate from your CA.

Warning: Be sure to keep your previous key if you are still undergoing certification. The certificate you receive is valid only with the key that originally generated the request.

To generate a certificate with an existing key using the gencert utility

To generate a temporary certificate and request file to submit to the certificate authority with the gencert utility, you must first copy an existing key for a server into the following directory on the BIG-IP:

/config/bigconfig/ssl.key/

After you copy the key into this directory, type the following commands at the command line:

cd /

/usr/local/bin/gencert <server_name>

For the <server_name>, type the FQDN of the server to which the certificate applies. After the utility starts, it prompts you for various information. After you run this utility, a certificate request form is created in the following directory:

/config/bigconfig/ssl.crt/<fqdn>.req

The <fqdn> is the fully qualified domain name of the server. Please contact your certificate authority (CA) and follow their instructions for submitting this request form.

Installing certificates from the certificate authority (CA)

You can configure the accelerator with certificates using the Configuration utility or from the command line.

To install certificates from the CA using the Configuration utility

  1. In the navigation pane, click Proxies.
    The Proxies screen opens.
  2. On the Proxies screen, click the Install SSL Certificate Request tab.
    The Install SSL Certificate screen opens.
  3. In the Certfile Name box, type the fully qualified domain name of the server with the file extension .crt. If you generated a temporary certificate when you submitted a request to the CA, you can select the name of the certificate from the drop-down list. This allows you to overwrite the temporary certificate with the certificate from the CA.
  4. Paste the text of the certificate into the Install SSL Certificate window. Make sure you include the BEGIN CERTIFICATE line and the END CERTIFICATE line. For an example of a certificate, see Figure 1.3.
  5. Click the Write Certificate File button to install the certificate.

      Figure 1.3 An example of a certificate

       -----BEGIN CERTIFICATE-----    
      MIIB1DCCAX4CAQAwDQYJKoZIhvcNAQEEBQAwdTELMAkGA1UEBhMCVVMxCzAJBgNV
      BAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMRQwEgYDVQQKEwtGNSBOZXR3b3JrczEc
      MBoGA1UECxMTUHJvZHVjdCBEZXZlbG9wbWVudDETMBEGA1UEAxMKc2VydmVyLm5l
      dDAeFw0wMDA0MTkxNjMxNTlaFw0wMDA1MTkxNjMxNTlaMHUxCzAJBgNVBAYTAlVT
      MQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHU2VhdHRsZTEUMBIGA1UEChMLRjUgTmV0
      d29ya3MxHDAaBgNVBAsTE1Byb2R1Y3QgRGV2ZWxvcG1lbnQxEzARBgNVBAMTCnNl
      cnZlci5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAsfCFXq3Jt+FevxUqBZ9T
      Z7nHx9uaF5x9V5xMZYgekjc+LrF/yazhmq4PCxrws3gvJmgpTsh50YJrhJgfs2bE
      gwIDAQABMA0GCSqGSIb3DQEBBAUAA0EAd1q6+u/aMaM2qdo7EjWx14TYQQGomYoq
      eydlzb/3FOiJAynDXnGnSt+CVvyRXtvmG7V8xJamzkyEpZd4iLacLQ==
      -----END CERTIFICATE-----

After the certificate is installed, you can continue with the next step in creating an SSL gateway for the server.

To install certificates from the CA using the command line

Copy the certificate into the following directory on the BIG-IP:

/config/bigconfig/ssl.crt/

Note: The certificate you receive from the certificate authority (CA) should overwrite the temporary certificate generated by genkey or gencert.

If you used the genkey or gencert utilities to generate the request file, a copy of the corresponding key should already be in the following directory on the BIG-IP:

/config/bigconfig/ssl.key/

Creating an SSL gateway

After you create the HTTP virtual server for which the SSL Accelerator handles connections, the next step is to create three SSL gateways. This section also contains information about managing an SSL gateway.

To create an SSL gateway using the Configuration utility

  1. In the navigation pane, click Proxies.
    The Proxies screen opens.
  2. Click the ADD button.
    The Add Proxy screen opens.
  3. In the Add Proxy screen, configure the attributes you want to use with the proxy. For additional information about configuring a proxy, click the Help button.

To create an SSL gateway from the command line

Use the following command syntax to create an SSL gateway:

b proxy <ip>:<service> [<unit id>] target <server | virtual> <ip>:<service> clientssl enable clientssl key <clientssl_key> clientssl cert <clientssl_cert>

For example, you can create three SSL gateways from the command line with commands like these:

b proxy 20.1.1.1:443 \
target server 10.1.1.20:80 \
clientssl enable \
clientssl key my.server.net.key \
clientssl cert my.server.net.crt

b proxy 20.1.1.2:443 \
target server 10.1.1.21:80 \
clientssl enable \
clientssl key my.server.net.key \
clientssl cert my.server.net.crt

b proxy 20.1.1.3:443 \
target server 10.1.1.22:80 \
clientssl enable \
clientssl key my.server.net.key \
clientssl cert my.server.net.crt

Using SSL-to-server

SSL Acceleration offloads SSL from the server to the BIG-IP. In some situations, security requirements demand that traffic on the internal VLAN (that is, behind the virtual server) be encrypted as well, or more exactly, re-encrypted. This server-side re-encryption requires that the servers handle the final SSL processing, but SSL acceleration is still obtained because the process is faster than allowing SSL client connections directly to the servers. (This is because session keys are re-used and because more efficient ciphers are used for the server-side SSL connections.) Figure 1.4 shows the SSL Accelerator configuration of Figure 1.1 with SSL-to-server added. Note that the only diagrammatic difference is that both client-side and server-side traffic are now labeled SSL and the virtual server is now configured for service 443.

Figure 1.4 An incoming SSL connection with SSL-to-server

Configuring an SSL Accelerator with SSL-to-server

Since SSL-to-server is typically used together with standard, client-side SSL acceleration, configuring SSL-to-server involves the same tasks used in the preceding solution (Configuring the SSL Accelerator, on page 1-2), with the following exceptions:

  • The servers must be equipped and enabled for SSL processing.
  • For the proxy or proxies, you must enable server-side SSL as well as the standard client-side SSL.

Optionally, you may configure a second certificate on the proxy to authenticate it to the servers as a trusted client.

Configuring the proxy for server-side SSL

To configure the proxy for server-side SSL, perform the steps in Creating an SSL gateway, on page 1-9, but specify 20.1.1.10:443 as the target virtual server and enable the serverssl attribute in addition to the clientssl attribute. Entered from the command line, this would be accomplished as follows:

b proxy 20.1.1.1:443 \
target server 10.1.1.20:443 \
clientssl enable \
clientssl key my.server.net.key \
clientssl cert my.server.net.crt \
serverssl enable

b proxy 20.1.1.2:443 \
target server 10.1.1.21:443 \
clientssl enable \
clientssl key my.server.net.key \
clientssl cert my.server.net.crt \
serverssl enable

b proxy 20.1.1.3:443 \
target server 10.1.1.22:443 \
clientssl enable \
clientssl key my.server.net.key \
clientssl cert my.server.net.crt \
serverssl enable

Optionally, you may specify a key file and a certificate file for the proxy as a client. This is done as follows:

b proxy 20.1.1.1:443 \
target server 10.1.1.20:443 \
clientssl enable \
clientssl key my.server.net.key \
clientssl cert my.server.net.crt \
serverssl enable \
serverssl key my.client.net.key \
serverssl cert my.client.net.crt
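As an added example (not BIG-IP software), the following Python audit parses proxy definitions written in the `b proxy` syntax shown in this chapter and reports the settings that matter for SSL-to-server: a target on service 443 without `serverssl enable`, a server-side leg left as plaintext HTTP when serverssl is not enabled, and key or certificate files whose suffix does not follow the .key/.crt convention used above. The sample definitions and the `audit` function are constructed for this example.

```python
"""Audit BIG-IP 4.x 'b proxy' definitions for the SSL settings this chapter describes (added example, not BIG-IP software)."""
import shlex

# Constructed sample in the chapter's syntax: proxy .1 re-encrypts but names its serverssl cert with a .key suffix; proxy .2 sends plain HTTP to service 443.
SAMPLE = r"""
b proxy 20.1.1.1:443 \
target server 10.1.1.20:443 \
clientssl enable \
clientssl key my.server.net.key \
clientssl cert my.server.net.crt \
serverssl enable \
serverssl key my.client.net.key \
serverssl cert my.client.net.key
b proxy 20.1.1.2:443 target server 10.1.1.21:443 clientssl enable clientssl key my.server.net.key clientssl cert my.server.net.crt
"""

def split_commands(text):
    """Join backslash-continued lines and return one string per 'b proxy' command."""
    return [l.strip() for l in text.replace("\\\n", " ").splitlines() if l.strip()]

def parse_proxy(command):
    """Parse 'b proxy <ip>:<svc> [<unit id>] target <server|virtual> <ip>:<svc>' plus '<side> enable|key|cert' groups."""
    tok = shlex.split(command)
    proxy = {"listen": tok[2], "clientssl": {}, "serverssl": {}}
    i = 4 if tok[3].isdigit() else 3                      # optional unit id before 'target'
    if tok[:2] != ["b", "proxy"] or tok[i] != "target":
        raise ValueError("not a 'b proxy ... target' command: " + command)
    proxy["target_kind"], proxy["target"] = tok[i + 1], tok[i + 2]
    i += 3
    while i < len(tok):                                   # '<side> enable' or '<side> key|cert <file>'
        side, attr = tok[i], tok[i + 1]
        if attr == "enable":
            proxy[side]["enable"], i = True, i + 2
        else:
            proxy[side][attr], i = tok[i + 2], i + 3
    return proxy

def audit(proxy):
    """Findings for one proxy; an empty list means it matches the chapter's SSL-to-server form."""
    findings, target_port = [], proxy["target"].rsplit(":", 1)[1]
    client, server = proxy["clientssl"], proxy["serverssl"]
    if not (client.get("enable") and "key" in client and "cert" in client):
        findings.append("clientssl enable, key and cert are all required to terminate client SSL")
    for side, cfg in (("clientssl", client), ("serverssl", server)):
        for attr, ext in (("key", ".key"), ("cert", ".crt")):
            if attr in cfg and not cfg[attr].endswith(ext):
                findings.append(f"{side} {attr} {cfg[attr]!r} should be a {ext} file")
    if not server.get("enable"):                          # no SSL-to-server: the server-side leg is plain HTTP
        findings.append("target service 443 without 'serverssl enable': plain HTTP would go to an SSL port"
                        if target_port == "443" else f"traffic to {proxy['target']} is plaintext HTTP (no SSL-to-server)")
    return findings

def audit_all(text):
    """Map each proxy's listener address to its findings."""
    return {p["listen"]: audit(p) for p in map(parse_proxy, split_commands(text))}
```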