
Joseph_Johnson_
Oct 21, 2015

Implement LTM Local TLS Proxy Server Between Oracle and OITS

Hi,

We have an issue where an Oracle application needs to talk to an external URL and uses a SHA-1 certificate. In less than a month they will be changing to only accept SHA-2 certificates but the database server on premise does not support SHA-1. So we would be looking at something like moving the external URL to the F5 and have the Oracle DB server forward requests to the F5 unencrypted, then forward the request using the SHA-2 cert they will give us on the F5 to the external application. Below is the recommendation from the vendor:

Implement Local TLS Proxy Server Between Oracle and OITS. As provided in an e-mail from TR Systems Operations resources “Technically they could implement a local TLS Proxy server between us and oracle and let the TLS proxy handle the SHA2 conversion and give them whatever protocol they want, if any… They could just go non-encrypted from the TLS to oracle…. Solves a lot of problems with very little work.”

Is this something that can be done on the F5?

All help is appreciated.

Thanks

2 Replies

  • If I may add, and if I'm understanding your scenario, this should be completely possible. The BIG-IP is a full proxy, so everything layer 4 and above can be controlled independently on both sides of the proxy. What I think you're asking is if you can perform different types of encryption on either side, and that's absolutely possible. You can independently support separate SSL/TLS protocols, ciphers, key exchanges, encryption and HMAC key strengths.

  • Rommy_178938
    Historic F5 Account
    Good day Joseph. May I please ask you to provide a rough diagram and list of the components in your scenario, as well as the type of traffic you are referring to, on either side of the F5 BIG-IP.
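
The full-proxy split described in the first reply, sketched as tmsh commands. This is an added example, not configuration posted in the thread or published by F5. All object names, addresses and the hostname are constructed placeholders, and it assumes the traffic is HTTP and that the BIG-IP version in use supports the server-ssl options shown.

```tmsh
# Constructed placeholders (not from the thread):
#   10.10.10.20       on-premise Oracle DB server
#   10.10.10.50:80    plaintext listener on the BIG-IP
#   203.0.113.10:443  external HTTPS service
#   api.example.com   hostname on the external service's certificate

# Server-side profile: the BIG-IP acts as the TLS client toward the external
# service. It validates the SHA-2 certificate chain against a CA bundle and
# checks the certificate name, so the plaintext client side does not turn
# into an unauthenticated TLS hop.
create ltm profile server-ssl oits_serverssl defaults-from serverssl ca-file ca-bundle.crt peer-cert-mode require authenticate-name api.example.com server-name api.example.com options { dont-insert-empty-fragments no-sslv3 no-tlsv1 }

# Pool holding the external endpoint.
create ltm pool oits_pool members add { 203.0.113.10:443 } monitor tcp

# Virtual server: no client-ssl profile, so the client side is plaintext.
# Only the server-ssl profile is attached (context serverside), so traffic is
# encrypted from the BIG-IP outward. "source" limits who may use the
# plaintext listener to the single DB host.
create ltm virtual oits_plain_to_tls destination 10.10.10.50:80 ip-protocol tcp source 10.10.10.20/32 profiles add { tcp { } http { } oits_serverssl { context serverside } } pool oits_pool source-address-translation { type automap }

# Review the resulting objects.
list ltm profile server-ssl oits_serverssl
list ltm virtual oits_plain_to_tls
```

The leg between the database server and the BIG-IP carries requests in clear text, so it belongs on a dedicated or otherwise trusted network segment in addition to the source restriction on the virtual server.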