Forum Discussion
Changing the Management Login to Port 636
Good Morning,
So I'm changing my auth for managing my LTMs from port 389 to secure port 636.
First step: enabled SSL.
Tested: login works, it's encrypted over TLS.
2. Question is about enabling the SSL CA Certificate: I have the root cert on the F5 that the AD server has on its own box.
3. SSL Check Peer: what does this do?
I have enabled SSL CA Certificate with the cert, and enabled SSL Check Peer. I am able to log in.
Hi Brandon,
SSL Check Peer determines whether or not you want the F5 BIG-IP (acting as the SSL client) to verify the SSL certificate of the LDAP server.
SSL Check Peer: Specifies whether the system checks an SSL peer, as a result of which the system requires and verifies the server certificate. The default value is disabled.
- Brandon
Thanks for the answer on SSL Peer Check.
One last question: login works whether I have chosen an SSL CA Certificate or left it as None. To me, I would have to choose a cert?
Typically, when you enable the "SSL Check Peer" option (which essentially tells the BIG-IP to verify the chain of trust of the LDAPS server certificate), then for the "SSL CA Certificate" option, you should select a Root CA certificate / bundle that is able to chain back from the LDAPS server certificate.
If the SSL certificate on the LDAPS server is signed by a public certificate authority (e.g. Digicert, Sectigo), then you should be able to just select the pre-installed "ca-bundle.crt" (as it contains the root CA certificates of the most popular public CAs). However, if the SSL certificate on the LDAPS server is signed by your own internal CA or is self signed, then you should upload the corresponding internal Root CA / self signed certificate to the BIG-IP and then select that for the "SSL CA Certificate" option.
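To make the two options concrete, here is an added example (not code from this thread or from F5) that plays out the option combinations in Go. It generates a throwaway internal root CA, an LDAPS server certificate signed by it and a rogue self-signed certificate carrying the same name, starts a loopback TLS listener for each, and connects as the client with check peer off, with check peer on but no CA selected, and with check peer on and the internal root loaded. The host name `ldap.corp.example`, the CA name and all keys are made up in-process, and the Go TLS client is only a stand-in for the BIG-IP; in particular, with verification on and no CA given, the Go client falls back to its system bundle, which is not necessarily what the BIG-IP does when the option is left at None.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const ldapHost = "ldap.corp.example" // hypothetical LDAPS server name

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a certificate for cn. With parent == nil it is self-signed:
// a root CA when isCA is true, a stand-alone server certificate otherwise.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// serveLDAPS stands in for the LDAPS server on port 636: a loopback listener that
// presents cert, completes (or fails) each handshake and closes the connection.
func serveLDAPS(cert *x509.Certificate, key *ecdsa.PrivateKey) string {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
	})
	check(err)
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { c.(*tls.Conn).Handshake(); c.Close() }()
		}
	}()
	return ln.Addr().String()
}

// connect plays the BIG-IP as TLS client. checkPeer maps to "SSL Check Peer",
// caPool to the "SSL CA Certificate" selection (nil = None).
func connect(addr string, checkPeer bool, caPool *x509.CertPool) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		ServerName:         ldapHost,
		InsecureSkipVerify: !checkPeer, // check peer off: encrypted, but any certificate is accepted
		RootCAs:            caPool,     // nil with check peer on: only the system bundle is trusted
	})
	if err == nil {
		conn.Close()
	}
	return err
}

type Outcome struct{ Name string; Err error } // one client configuration against one server

// RunScenarios builds an internal root CA, an LDAPS certificate signed by it and a
// rogue self-signed certificate with the same name, then tries each option combination.
func RunScenarios() []Outcome {
	caCert, caKey := newCert("Corp Internal Root CA", true, nil, nil)
	legitCert, legitKey := newCert(ldapHost, false, caCert, caKey)
	rogueCert, rogueKey := newCert(ldapHost, false, nil, nil) // attacker impersonating ldapHost
	legit, rogue := serveLDAPS(legitCert, legitKey), serveLDAPS(rogueCert, rogueKey)
	internalCA := x509.NewCertPool()
	internalCA.AddCert(caCert) // the root CA uploaded to the BIG-IP
	return []Outcome{
		{"check peer off, CA none, real server", connect(legit, false, nil)},
		{"check peer off, CA none, rogue server", connect(rogue, false, nil)},
		{"check peer on, CA none, real server", connect(legit, true, nil)},
		{"check peer on, internal CA, real server", connect(legit, true, internalCA)},
		{"check peer on, internal CA, rogue server", connect(rogue, true, internalCA)},
	}
}

func main() {
	for _, o := range RunScenarios() {
		fmt.Printf("%-42s err=%v\n", o.Name, o.Err)
	}
}
```

Run it with `go run`. Both check-peer-off connections succeed, against the real server and against the impostor alike, which is the point of the thread: TLS on 636 encrypts the bind but on its own does not tell the BIG-IP who it bound to. Only with check peer on and the matching root selected is the rogue server rejected while the real one is accepted, and with check peer on but no usable root the client cannot build a chain at all, so it is the CA selection that gives the option its meaning.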