For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Tore_F_265730's avatar
Tore_F_265730
Icon for Nimbostratus rankNimbostratus
Jun 24, 2018

F5 monitor with client certificate chain

Hi   I am attempting to set up a monitor with client certificate authentication and I can configure the monitor with the key/cert appropriately, but there does not seem to be a method for sending...
application delivery
BIG-IP
LTM
Simon_Blakely's avatar
Simon_Blakely
Icon for Employee rankEmployee
Jun 25, 2018

You may be able to create your client auth certificate with the appropriate intermediate/root certificates appended. You will need to test this - I'm not sure if it will work.

 

Alternatively, on version 13.1.0.x, you could enable In-TMM Monitoring

 

K11323537: Configuring In-TMM monitoring

 

This new feature allows TMM-based HTTPS monitors to use an existing server-SSL profile to establish SSL/TLS to a pool member.

 

However - this comes with a caveat...

 

Once you enable In-TMM monitors via the db variable, you will need to update all existing HTTPS monitors to use a suitable server-side ssl profile. There is no current migration process from bigd (OpenSSL-based) settings to TMM (F5 crypto) monitor settings, and unmodified HTTPS monitors will fail in the config due to an incompatible cipher string.

 

YMMV