SSL Certificates

Question

I have few vritual servers
&nbsp;www.virtual1.com IP1
&nbsp;www.virtual2.com IP2
&nbsp;www.virtual3.com IP3&nbsp;
&nbsp;All of them are connected to the same pool of servers
&nbsp;pool with member1 and member2&nbsp;
&nbsp;Our application requires SSL on the server side but when we load the SSL on the server (read 443)&nbsp;
&nbsp;virtual2 and virtual3 send the nasty error message that the secure connection is with virtual1&nbsp;
&nbsp;Is there any way to remove the SSL from the servers and send the SSL certificate from BIG IP once the user is connected?&nbsp;
&nbsp;Please comment!.&nbsp;
&nbsp;PS: when I access https://www.virtual1.com I need to see the port 443 in the server side or my application won't work.&nbsp;
&nbsp;Thanks!&nbsp;

hoolio · Answer

I don't understand why clients connecting to www.virtual2.com would get an error for a certificate on www.virtual1.com.  Is the application sending back absolute references to www.virtual1.com's hostname or IP address?&nbsp;
&nbsp;Can you provide more detail on the exact connections that are being made and when the client is getting an error?  If you want to get a more detail on what the client is receiving, try using LiveHttpHeaders for Firefox or IEwatch or HTTPwatch for IE to view the headers and data being sent to the client.&nbsp;
&nbsp;Aaron

gerardo_garcia_ · Answer

My current problem is that the application needs to terminate SSL on the servers.
&nbsp;If don't have that the application does not work.&nbsp;
&nbsp;Let's put it in this way we need to terminate SSL on the servers.
&nbsp;If we load the SSL certificates then we cannot have several virtual[1,2,3..].com without the secuirty pop up window in the browser window.
&nbsp;We are not talking about multiples extensions of the same domain (*.mydomain.com), we are talking about different domains.
&nbsp;virtual1.com
&nbsp;virtual2.com
&nbsp;virtual3.com
&nbsp;In addition, Our application needs the X-Forward header.&nbsp;
&nbsp;We need to send the certificate from the BIG IP to the servers.&nbsp;&nbsp;
&nbsp;Please comment!&nbsp;

hoolio · Answer

Okay... so you don't need an iRule for this.  You can configure a client SSL profile using each of the SSL certifiates/keys, for each virtual server.  This will allow you to decrypt the client to virtual server SSL.  &nbsp;
&nbsp;You can then configure a single server SSL profile and associated that profile with each of the virtual servers.  This will allow BIG-IP to re-encrypt traffic from itself as the client to the servers in the pool.&nbsp;
&nbsp;To insert the X-Forwarded-For header, just enable the option on a new HTTP profile and associate that with the virtual server.&nbsp;
&nbsp;As this doesn't pertain to rules, please read up on these configuration steps in the 9.x Configuration Guide for your version on AskF5.com.  If you have any questions, you can contact F5 support.&nbsp;
&nbsp;Thanks,
&nbsp;Aaron

Forum Discussion

SSL Certificates

Recent Discussions

Big IP DNS Failover

AS3 Limitations

Diameter iRules attachment?

Help needed with iRule (connection closed log )

Use of SSL Decryption.

Related Content

Updating SSL Certificates on BIG-IP using REST API

Implementing SSL Orchestrator - Certificate Considerations

SSL Certificate Report

Thumbprint of the client ssl certificate

Help F5 Transform the BIG-IP Administrator Certification

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS