Forum Discussion
How to set up internal virtual server and get TLS 1.3 keys from external virtual server via sideband?
I'm out. Since you did not further specify your requirements, I must assume that you plan to record sensitive data from a production environment. I have a bad feeling about permanently storing such data without any filters.
We don't actually log those keys to disk; we keep them in memory (protected) and process them with the traffic mirrored to the device. Once done, we roll out keys from device memory. The deployment would be like the one described in the article https://devcentral.f5.com/s/articles/lightboard-lesson-perfect-forward-secrecy-inspection-visibility...
Deployment:
External Client ----> Big IP ------> Internal Servers
External Virtual Server
|
| TLS 1.3 keys (Sideband TCP)
v
BigIP Internal Virtual Server ---------> Pool (HTTP/HTTPS) ---> Pool Device (HTTP/HTTPS Internal Detection Device)
In this deployment, the TLS 1.3 keys are shared from the External Virtual Server to the Internal Virtual Server via TCP sideband. This part is OK, and I am able to see that data on the wire.
Now to share keys from Internal Virtual Server to the Pool and Pool device, how do we configure HTTP/HTTPS authentication?