Forum Discussion
Jason_Peery_467
Nimbostratus
NimbostratusNewbie and Certs
So I realize I don't know as much as I thought I did about how certs work, or how they work with F5, and am hitting a point of frustration beyond which I don't know how to deal with, so I was wondering if anyone could point me to a good book, or some resource I can check out that would help me understand all this? I'm really at a loss how BigIP deals with certs, creating them, keys, and combining, etc. Everything I try to do on the BigIP errors with some cryptic message I don't understand, and then I get stuck on some red-herring trail of web searches to try to figure it out. You get the point, I've got my boss on my back to do stuff I am not even sure the F5 can do, but I need to get past this whole cert deal first. Basically, I am trying to use a wildcard cert from a CA on the client side, then use a self-signed cert on the server/back-end side. The documentation is lacking at best, and there's nothing I've been able to find that deals with errors, and how to resolve the weird stuff BigIP tells me. Essentially we want all our traffic to go through the BigIP, then according to the subdomain let the BigIP funnel the traffic to the appropriate application resource.
I'm really trying to not be biased and upset with this product, I think it will do what we want, I just need to get up to speed on my understanding and was wondering what other newbie folks have done to figure this bugger out? Isn't there a "Certs for Dummies" book out there?? :)
Thanks in advance!
Jason
hooleylistCirrostratus
Hi Jason,
For general SSL PKI architecture you could try some of these links:
http://en.wikipedia.org/wiki/Public_key_infrastructure
http://www.sslshopper.com/public-key-infrastructure-pki-overview.html
http://www.symantec.com/connect/articles/introduction-openssl-part-three-pki-public-key-infrastructure
Sorry it's been frustrating for you. If you already have a wildcard cert and key for a subdomain like *.example.com, you should be able import it via the GUI under Local Traffic | SSL certificates. Also import just the root cert you used to generate the wildcard server cert/key. Then create a client SSL profile referencing the wildcard server cert and key and the root cert. Create an HTTP pool with any HTTP server that LTM can reach. Test this to make sure the clientside SSL piece is working.
Once you have that working, create an HTTPS pool for each set of the actual servers you want to load balance to. These pools should probably be specific to the subdomain the client requests for the web application those servers serve content for. Add a server SSL profile to the virtual server to that LTM will re-encrypt the serverside traffic. Add just one of the HTTPS pools to the virtual server. Test to make sure that requests for that specific subdomain work to that pool.
Once you have that working, create an iRule like the following:when HTTP_REQUEST { Select an HTTPS pool based on the subdomain the client requests Save the HTTP host set to lowercase set host [string tolower [HTTP::host]] Check if this is a subdomain if { $host ends_with ".example.com"}{ Check the subdomain switch [getfield $host . 1] { www { host header is www.example.com pool www_pool } app1 { host header is app1.example.com pool app1_pool } app2 { host header is app2.example.com pool app2_pool } app3 - app4 - app5 { host header is app3, app4 or app5.example.com pool app3_pool } default { host header is something else pool default_pool } } } }
If you get stuck with this either reply here or email me (aaron at f5 dot com) and I'll see if I can help.
Aaron
Jason_Peery_467Sweet, thanks! I'll check it out, think this is exactly what I was looking for. I know I didn't pull the root cert into the wildcard, so that may be what's messing things up. Will try to work it through tomorrow morning - thanks again!
JP