For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

SynACk_128568's avatar
SynACk_128568
Icon for Cirrostratus rankCirrostratus
Aug 19, 2016

Implementing external cryptographic server offload

Hi All,

 

Need your assistance in setting up crypto offload/Keyless SSL between two Bigip.

 

I got a PDF for set up but it does not explain everything .

 

https://support.f5.com/content/kb/en-us/products/big-ip_ltm/manuals/product/bigip-cryptographic-offload-implementation-11-6-0/_jcr_content/pdfAttach/download/file.res/BIG-IP_System__External_Cryptographic_Server_Offload_Implementation.pdf

 

Steps i followed : 1. Create VIP to which client will connect , it will have client-ssl as it will be offloading SSL from backend servers . But what i need to provide in cert and key i guess this should be publiec cert of the website user is trying to access , i tried to just put cert as key for decryption will be in other crypto server BIGIP .But you cannot do this , key needs to be mentioned along with cert in profile.

 

  1. Create server ssl profile and assign it to crypto client created with IP and port which i have opened in destination BIGIP . IP used is management address.

3.Then in destination created clientssl profile and assigned it to crypto server .

 

But it is not working , please if someone has implemented it , can share your views .

 

Best Regards

 

application delivery
BIG-IP
LTM

2 Replies

  • boneyard's avatar
    boneyard
    Icon for MVP rankMVP
    Aug 21, 2016

    im not 100% sure this is going to do what you want. from the description you use this to offload the crypto processing, not the place where the crypto material has to reside.