Forum Discussion

srinidhi12's avatar
srinidhi12
Icon for Cirrostratus rankCirrostratus
Feb 22, 2023

F5 HTTP API Request

Hi All,

Does the F5 server support an HTTP option (instead of HTTPS and TLS) for accessing the API, if yes please let me know how to configure for HTTP connection instead of https. 

 

Thanks!

  • Gajji's avatar
    Gajji
    Icon for Cirrostratus rankCirrostratus

    If your infosec team does allow it, you can do it


    Log in to the F5 server's management interface.
    "Virtual Server" -> virtual server that you want to configure.- >"Resources" tab.
    ->click on the pool that the virtual server->Click on the "Members" tab->
    Click on the member that you want to configure for HTTP.

    Under "Node Properties," change the "Port" to 80 (for HTTP) instead of the default 443 (for HTTPS).
    Click "Update" to save the changes.


    Once you have made this change, the F5 server will allow HTTP connections to the API on the specified port.

  • Hi all,

    AndyBaba, Gajji: where did you get the idea this is a Virtual Server issue, and not a F5 management API issue?

    srinidhi12, can you confirm the doubt above? I saw you made a different post about an SSL error, but let's go first with this question. We'll get to the SSL error eventually.

    /Mike

  • Mike757yes, I have an issue with HTTPS connection to the API through java, as I am getting SSL error even after importing the certificate. 

    I am checking if there is an option to connect to the API without encrypted communication(with HTTP)

     

    • Mike757's avatar
      Mike757
      Icon for MVP rankMVP

      Hey, srinidhi12 

      I saw another user (TimRiker) helping you on the other post, and I'm inclined to repeat his answer: if you're using a self-signed certificate, you have to add that very certificate to Java's trust store. If you're using a certificate signed by a private CA, you need to add the root (and possibly the rest of the chain) to the trust store.

      See if this link will help, and if you imported the management certificate in this way: https://connect2id.com/blog/importing-ca-root-cert-into-jvm-trust-store

      I would also recommend that you verify the certificate you're receiving from F5 is the one you're expecting. You can do that with a traffic capture on your java client machine, or in F5 itself with:

      # tcpdump -nni mgmt host <IP of java client> -s 0 -w <filename>

      This assumes you're connecting to the management interface, normally called "mgmt"; you can confirm that with "ifconfig". Break the tcpdump with Ctrl-C, and then download the file with SCP, open in wireshark, confirm SSL handshake includes what you expected.

      /Mike

      • srinidhi12's avatar
        srinidhi12
        Icon for Cirrostratus rankCirrostratus

        Hi, thanks for the response.

        I have imported the device certificate in my Java keystore.

        Just wanted to know if only the certificate is enough or do I need "key" to access the server from java.

         

        Thanks!

         

  • Hi srinidhi12,

    No, you must never import private keys when dealing only with trust. Keys are used for encryption/decryption, not for trust. In this case it seems you're using a self-signed certificate for F5 management, so it's like a special case of a Root CA establishing the trust for itself (by definition, a Root CA is self-signed).

    But... reading between the lines in your question makes me believe things are not working yet. Or are they?

    If not, I would suggest the procedure in my previous post: get a traffic capture, confirm the certificate your java machine is getting from the F5 box is the one you are expecting to see there. Or in other words, if that certificate is signed by the one you have imported into java trust store.

    /Mike

    • srinidhi12's avatar
      srinidhi12
      Icon for Cirrostratus rankCirrostratus

      Thanks Mike757 

      for now the certificate is recognised by Java, but during the https connection request, I get the below error in the SSL verification:

      javax.net.ssl.SSLPeerUnverifiedException: Hostname 10.10.10.10 not verified:

      (10.10.10.10 -F5 management IP)

      Now I have a query that if any other step is required to verify the hostname.

  • Hi, I just have a query that, if the device certificate will have the management IP details, 

    looks like the HTTPS request is failing due to the missing IP address info in the certificate.

  • The Device certificate has the CN as "localhost.localdomain" where the hostname is 10.10.10.10. This causing the hostname verification to fail.Can anyone please let me know is there an issue with the certificate?

  • Hi, srinidhi12

    Indeed, the default management certificate does not include a SAN for the management IP. In your place, I would replace the management certificate with one for which you can control the trust chain. Tipically this would be an Active Directory CA chain, or similar PKI.

    If you don't have a proper PKI available you can try a "light" version, like TinyCA (which is a simple graphical interface for openssl). Or pure openssl commands if you're into that!

    Either way, you must import the CA trust chain into java trust store. If you want to use the IP address to access your F5 system, don't forget to add something like "IP:10.10.10.10" to the SAN field of the certificate.

    /Mike