Forum Discussion
how to integrate SSL cert with HTTPS post monitor
I have configured the following HTTPS POST monitor:
POST /healthcheck HTTP/1.1\nhost: www.example.com\n\r\n
Response code HTTP/1.1 200 OK
I was given an SSL certificate for www.example.com. Can anyone tell me how to integrate the SSL cert with the HTTPS monitor?
Thanks in advance!
11 Replies
- Kevin_Stewart
Employee
The HTTPS monitor will accept a CLIENT certificate and key, which would be used if the monitored server required a client certificate for authentication. If your web server is simply listening on port 443 SSL and does not require a client certificate, then you shouldn't need to integrate the cert into the HTTPS monitor.
- Vasu_Kolusu_855
Nimbostratus
Thanks, Kevin. I have configured HTTPS monitor with SSL certificate alone without Key and it worked fine. Even without SSL certificate also monitor is working fine.
Can you tell me, with HTTPS post string.. we need to mention Content type and Content length or without these parameters also POST monitor will work?
- Kevin_Stewart
Employee
I have configured HTTPS monitor with SSL certificate alone without Key and it worked fine. Even without SSL certificate also monitor is working fine.
You'll probably notice that if you remove the certificate it will still work. This setting is only used when the server requires a client certificate, and as such would also require the private key to function.
Can you tell me, with HTTPS post string.. we need to mention Content type and Content length or without these parameters also POST monitor will work?
This depends on the web server, but generally speaking an RFC 2616-compliant POST message would require, at a minimum, the Content-Length and Content-Type headers. The length is the string length of the payload and the type indicates its encoding (usually "application/x-www-form-urlencoded").
- Vasu_Kolusu_855
Nimbostratus
Many thanks for your help, Kevin.
Would it be possible to share any sample POST HTTPS monitor with me?
- Kevin_Stewart
Employee
An HTTPS POST monitor is basically the same as an HTTP POST monitor with the addition of SSL-related functions. I would start out testing with cURL from the command line to make sure you have everything you need. Example:
curl -v http://10.10.10.10/my/uri -d "username=foo&password=bar"
This will produce something like the following:
POST /my/uri HTTP/1.1
User-Agent: curl/7.16.4 (i586-pc-mingw32msvc)...
Host: 10.10.10.10
Accept: */*
Content-Length: 25
Content-Type: application/x-www-form-urlencoded
Once you have a good working POST from the command line, convert that to a single-line statement for the monitor like this:
POST /my/uri HTTP/1.1\r\nHost: 10.10.10.10\r\nAccept: */*\r\nContent-Length: 25\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nusername=foo&password=bar
- Vasu_Kolusu_855
Nimbostratus
Thanks Kevin. You are a great help! I can test the curl, as HTTP service is not enabled, only HTTPS is allowed. But this will help me for writing any HTTP post monitors.
Thanks again!
- Kevin_Stewart
Employee
Almost forgot. You'll also need the "-k" option in cURL when querying an HTTPS server.
- Vasu_Kolusu_855
Nimbostratus
Yes, Kevin.. I have tested with -k and it is cool.
Thank you and have a nice day!
- Vasu_Kolusu_855
Nimbostratus
Hi again!
Now the end web server is requesting SSL cert authentication. They gave me a self-signed cert and key to import on F5. I have imported them and mapped them to the monitor. When I run the curl command, it says SSL handshake failure:
curl -v -k https://10.10.10.10/healthcheck
* About to connect() to 10.10.10.10 port 443
* Trying 10.10.10.10... connected
* Connected to 10.10.10.10 (10.10.10.10) port 443
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSLv2, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Request CERT (13):
SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Client key exchange (16):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSLv3, TLS alert, Server hello (2):
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
App team created some certificate and key and loaded them to the web server. When they install this certificate on one Windows machine and run curl, that is giving 200 OK response.. not sure why LTM is not getting it.
Do you think we need to have the server cert (tied to URL) mapped to the monitor, or is the client certificate good enough?
Also, can you tell me if there is any way to test the curl with these certs?
Many thanks!
- Kevin_Stewart
Employee
Is the monitor not working with the included cert and key?
The cURL command isn't working because you haven't specified the client certificate and key in the command line:
curl -v --cert [cert file] --key [key file] --cacert [CA cert file] https://10.10.10.10/healthcheck
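The conversion from a working cURL request to a single-line monitor send string, discussed earlier in the thread, as an added example that is not part of any poster's reply. `build_send_string` and `lint_send_string` are hypothetical helper names; the checks encode only what the replies state (`\r\n` separators, a Content-Length equal to the payload length, a Content-Type header).

```python
ESC_CRLF = "\\r\\n"  # the literal four characters \r\n typed into the send string


def build_send_string(uri, host, body,
                      content_type="application/x-www-form-urlencoded"):
    """Build a single-line POST send string; Content-Length is computed."""
    headers = [
        f"POST {uri} HTTP/1.1",
        f"Host: {host}",
        "Accept: */*",
        f"Content-Length: {len(body.encode('utf-8'))}",
        f"Content-Type: {content_type}",
    ]
    return ESC_CRLF.join(headers) + ESC_CRLF * 2 + body


def lint_send_string(send):
    """Return a list of problems found in an escaped send string."""
    problems = []
    # Anything left as \n once every \r\n is removed is a bare line feed.
    if "\\n" in send.replace(ESC_CRLF, ""):
        problems.append("bare \\n line ending, expected \\r\\n")
    text = send.replace(ESC_CRLF, "\n").replace("\\n", "\n")
    head, _, body = text.partition("\n\n")
    request_line, *header_lines = head.split("\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "host" not in headers:
        problems.append("missing Host header")
    if request_line.startswith("POST "):
        actual = len(body.encode("utf-8"))
        declared = headers.get("content-length")
        if declared is None:
            problems.append("POST without Content-Length")
        elif not declared.isdigit() or int(declared) != actual:
            problems.append(f"Content-Length {declared} does not match body length {actual}")
        if "content-type" not in headers:
            problems.append("POST without Content-Type")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the values from the reply, and the question's string.
    good = build_send_string("/my/uri", "10.10.10.10", "username=foo&password=bar")
    print(good, lint_send_string(good))
    print(lint_send_string(r"POST /healthcheck HTTP/1.1\nhost: www.example.com\n\r\n"))
```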