For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Doug_104173's avatar
Doug_104173
Icon for Nimbostratus rankNimbostratus
Sep 07, 2010

Load Balancing SSL LDAP requests

Has anyone load balanced client requests over ssl through a BigIP to a pool of redhat directory servers? I would like to make a master and slave pair highly available behind my BigIP loadbalancers bu...
config
design
Jason_Keating's avatar
Jason_Keating
Icon for Altostratus rankAltostratus
Sep 08, 2010
The way I see it, you would have to generate 2 certificates on the load balancer, one to give to the client making the request, the other you would install into the Directory Server which would serve as a node in a pool on the big IP.

 

 

The cert for the node should result from a private key and csr on the node subsequently signed by a CA the LTM trusts. Of course its possible to skin this cat many different ways by exporting private keys etc but I'd keep it simple and stick to best practice.

 

 

Assuming you have the client_ssl profile running and only the server_ssl side to sort out check your CN matches the name resolved for the node and that the LTM trusts the signatory. Oh, and use 'openssl s_client' for debugging ssl client connections, it will save you hours and hours and hours of time.