HTTPS Monitor Questions

Question

How is certificate verification done? Will monitor fail if server has invalid certificate?&nbsp;I am trying to setup a HTTPS Monitor for a website. In Postman I have tested the the 'GET" as follows 'https://XXXXXXX.com/YYYYYYYYYY/ZZZZZZ HTTP/1.1
Host:xxxxxxxxxx.com
Connection: Close

' It successfully returns a Status of 200 OK&nbsp;I have created the following Monitor in F5. This is a Production site so want to double-check accuracy for monitor before applying.&nbsp;Send String - https://xxxxxxxx.com/yyyyyyyy/zzzzzz HTTP/1.1
Host: xxxxxxxxxx.com
Connection: Close

&nbsp;Receive String - 200 OK&nbsp;Should the above Monitor work or should I change something in it before testing further on F5?&nbsp;Any comments would be appreciated.

rodrigo_albuque · Answer

Hi DHHTTPS Monitor allows you to establish a TLS connection with back-end server.By default, no certificate verification is done on BIG-IP so basically if TLS handshake works fine and the receive string is what we configured as expected response, monitor should be marked as UP.If you want BIG-IP to verify server's certificate then you can attach a Server SSL profile to your HTTPS monitor and then on Server Authentication, change Server Certificate to Require and add a file with your trusted CAs (who will verify server’s certificate identity) to Trusted Certificate Authorities.Trusted Certificate Authorities is a single certificate file (*.crt) with one Root CA or concatenated file with 2 or more Root CAs to confirm server certificate (seen in server-side&nbsp;Certificate&nbsp;message) is trusted by BIG-IP.Notice that BIG-IP has a pre-defined bundle (ca-bundle.crt) which contains a list of well-known trusted Root CAs similar to the ones in browsers like Firefox:root@(v13)(cfg-sync In Sync)(Peer Time Out of Sync)(/Common)(tmos)# modify ltm profile server-ssl myserverssl2 ca-file ca?
Configuration Items:
 ca-bundle.crtIf you need to do client authentication, i.e. Server to authenticate BIG-IP as a client, you can additionally add a Certificate and Key to Client Certificate Constrained Delegation section.Hope that's clear enough.Rodrigo

Forum Discussion

HTTPS Monitor Questions

Recent Discussions

Unable to install firmware OS and drop at 10%

Statistics ›› Analytics : HTTP : Overview

How to Renew F5 Device Certificate

F5 ASM CEF Sending Logs in Specific TimeZone

Inquiry About the "ast-api-discovery" Repository

Related Content

Health monitor question

HTTP Monitor

HTTPS SNI Monitoring How-to

HTTP / HTTPS syntax Monitor check from CLI

HTTP Monitor cURL Basic GET

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS