Forum Discussion

Nimbostratus

Oct 17, 2013

serverside certifcate per server

I have a virtual server with a serverside SSL profile. This serverside SSL profile references a self-signed certificate from the end server. But F5 LTM is a load balancer so what happens when y...

BIG-IP Access Policy Manager (APM)

deployment

security

Kevin_Stewart

Employee

Oct 22, 2013

It might be easier to throw it all into a data group. Example:

when SERVER_CONNECTED {
    if { [class match [LB::server addr] equals my_ssl_server_dg] } {
        SSL::profile [class match -value [LB::server addr] equals my_ssl_server_dg]
    }
}

where "my_ssl_server_dg" is an arbitrary string-based data group that maps the server IP to its corresponding server SSL profile. Like this:

10.70.0.1 := test1_serverssl
10.70.0.2 := test2_serverssl
10.70.0.3 := test3_serverssl

It doesn't alleviate having to create a separate server SSL profile for each server node, but it makes your code easier to manage. You also don't need the SSL::enable serverside command if you already have a generic server SSL profile applied to the VIP.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)