F5 monitor with client certificate chain
Hi
I am attempting to set up a monitor with client certificate authentication and I can configure the monitor with the key/cert appropriately, but there does not seem to be a method for sending the full trust chain with the request like I can with a server profile.
Can I set up a monitor that sends the trust chain with the client certificate during SSL? If so, how can I do this? If you have a link to documentation, that would be great too.
Regards
2 Replies
- Simon_Blakely
Employee
You may be able to create your client auth certificate with the appropriate intermediate/root certificates appended. You will need to test this - I'm not sure if it will work.
Alternatively, on version 13.1.0.x, you could enable In-TMM Monitoring:
K11323537: Configuring In-TMM monitoring
This new feature allows TMM-based HTTPS monitors to use an existing server-SSL profile to establish SSL/TLS to a pool member.
However - this comes with a caveat...
Once you enable In-TMM monitors via the db variable, you will need to update all existing HTTPS monitors to use a suitable server-side ssl profile. There is no current migration process from bigd (OpenSSL-based) settings to TMM (F5 crypto) monitor settings, and unmodified HTTPS monitors will fail in the config due to an incompatible cipher string.
YMMV
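An added example, not part of the original reply and not F5 code: one way to build the "certificate with intermediates appended" file off-box and confirm that it is ordered leaf first and chains to the root before testing it on the monitor. All file names and the throwaway PKI are constructed for the demonstration, and `openssl` is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example: build a leaf-first client certificate bundle and check it.
# All file names and the throwaway PKI below are constructed for the demo.

# build_chain_bundle OUT LEAF [ISSUER ...]
# Writes the certificates to OUT in the order given, refusing any order in
# which a certificate is not followed by the certificate that issued it.
build_chain_bundle() {
    out=$1; shift
    prev_issuer=""
    : > "$out"
    for cert in "$@"; do
        subject=$(openssl x509 -in "$cert" -noout -subject_hash) || return 2
        if [ -n "$prev_issuer" ] && [ "$subject" != "$prev_issuer" ]; then
            echo "order error: $cert did not issue the certificate before it" >&2
            rm -f "$out"
            return 1
        fi
        prev_issuer=$(openssl x509 -in "$cert" -noout -issuer_hash)
        openssl x509 -in "$cert" >> "$out"   # re-emit the PEM certificate only
    done
}

# verify_bundle ROOT BUNDLE LEAF: cryptographic check that LEAF chains to ROOT
# using only the certificates carried in BUNDLE as untrusted intermediates.
verify_bundle() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# make_demo_pki DIR: constructed root -> intermediate -> leaf, valid one day.
make_demo_pki() {
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/o.cnf"
    openssl req -config "$d/o.cnf" -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$d/root.key" -out "$d/root.pem" -subj "/CN=Demo Root" -days 1 2>/dev/null
    openssl req -config "$d/o.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$d/int.key" -out "$d/int.csr" -subj "/CN=Demo Intermediate" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/o.cnf" -extensions v3_ca -out "$d/int.pem" -days 1 2>/dev/null
    openssl req -config "$d/o.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" -subj "/CN=demo-monitor-client" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -out "$d/leaf.pem" -days 1 2>/dev/null
}
```

With real files, call `build_chain_bundle bundle.pem client.pem intermediate.pem` and then `verify_bundle root.pem bundle.pem client.pem`; a bundle that contains only the leaf fails the second check.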
- StephanManthey
Nacreous
In addition to the reply of Simon_Blakely, I want to add that with In-TMM monitoring the healthchecks will definitely be sent through TMM interfaces only.
Before, it was possible that a healthcheck went out through the MGMT interface in case there was a better route to the node.
With In-TMM monitoring you now have the ability to use SNI (server name indication). Previous TMOS versions required using external monitors to get this done.