Forum Discussion
NimbostratusHTTPS Monitor Questions
CirrocumulusHi DH
HTTPS Monitor allows you to establish a TLS connection with back-end server.
By default, no certificate verification is done on BIG-IP so basically if TLS handshake works fine and the receive string is what we configured as expected response, monitor should be marked as UP.
If you want BIG-IP to verify server's certificate then you can attach a Server SSL profile to your HTTPS monitor and then on Server Authentication, change Server Certificate to Require and add a file with your trusted CAs (who will verify server’s certificate identity) to Trusted Certificate Authorities.
Trusted Certificate Authorities is a single certificate file (*.crt) with one Root CA or concatenated file with 2 or more Root CAs to confirm server certificate (seen in server-side Certificate message) is trusted by BIG-IP.
Notice that BIG-IP has a pre-defined bundle (ca-bundle.crt) which contains a list of well-known trusted Root CAs similar to the ones in browsers like Firefox:
root@(v13)(cfg-sync In Sync)(Peer Time Out of Sync)(/Common)(tmos)# modify ltm profile server-ssl myserverssl2 ca-file ca?
Configuration Items:
ca-bundle.crtIf you need to do client authentication, i.e. Server to authenticate BIG-IP as a client, you can additionally add a Certificate and Key to Client Certificate Constrained Delegation section.
Hope that's clear enough.
Rodrigo
