KevinGallaugher
F5 Employee

Introduction

SSLO generates a single set of SSL profiles for use in a topology. In an inbound gateway deployment, however, it is often necessary to process traffic for multiple sites that require different server certificates. The use case described here is to employ native BIG-IP SNI switching in SSLO, so that an SSLO topology selects the correct client SSL profile and server certificate based on the SNI in the incoming request.

In this example we have a single web server with multiple IP addresses hosting different web site domains:

en.appserverone.com resides on 10.1.10.90

en.appservertwo.com resides on 10.1.10.91

When an external client requests https://en.appserverone.com we want the SSL Orchestrator to use a specific keypair for the sessions and direct the traffic to 10.1.10.90. When an external client requests https://en.appservertwo.com we want the SSL Orchestrator to use a different keypair for the sessions and direct the traffic to 10.1.10.91.

Configuration Steps

Import Private Keys and Certificates

Create Client SSL Profiles

Create New SSL Configurations

Add the Client SSL Profiles to the Interception Rule

Import the Private Key and Certificate for the different web site domains

From the BIG-IP Configuration Utility go to SSL Orchestrator > Certificates Management > Certificates and Keys.

Click Import on the right.

For the Import Type select Key.

Give it a name, en.appserverone.com in this example. For the Key Source you can either upload a file or paste in the text. We'll use the Paste option, shown below. Click Import when done.

Click on the Key Name created in the previous step.

Click Import.

For the Certificate Source you can either upload a file or paste in the text. We'll use the Paste option, shown below. Click Import when done.

Repeat these steps for the other web site domains. In this example we add one more, en.appservertwo.com, as shown below.

Create a Client SSL Profile for each certificate/key pair

From the BIG-IP Configuration Utility go to SSL Orchestrator > Components > Profiles > Client SSL.

Click Create on the right.

Give it a name, en.appserverone.com in this example. Select the Custom box on the far right, then click Add for the Certificate Key Chain.

Select the Certificate and Key created previously and click Add. A Passphrase and Chain can be specified if needed. Click Add when done.

Select the Advanced option next to Configuration.

Scroll down and find the Server Name field. Enter the FQDN that external clients will request, en.appserverone.com in this example.

Note: when an external client requests https://en.appserverone.com, its TLS ClientHello carries a server_name (SNI) extension with the value en.appserverone.com. Setting the Server Name field instructs SSL Orchestrator to use this Client SSL Profile whenever it receives a ClientHello carrying that name.

Scroll to the bottom and click Finished when done.

Repeat these steps for the other web site domains. In this example we add one more, en.appservertwo.com, as shown below.

Create New SSL Configurations

In this example an Incoming L3 Topology already exists. From the Configuration Utility select SSL Orchestrator > Configuration > SSL Configurations.

Click Add.

Give it a name, appserverone in this example. Deselect the check boxes for Forward Proxy and Default SNI.

For the SNI Server Name enter the FQDN, en.appserverone.com in this example.

For Client-side SSL select the pencil icon to edit the Certificate Key Chains.

Use the drop-down menu to choose the correct Certificate and Key, en.appserverone.com in this example.

Click Done.

Click Save & Next at the bottom.

Click Deploy.

Click OK to the Success message.

Repeat this step as needed. In this example another SSL Configuration is added for en.appservertwo.com.

Add the Client SSL Profiles to the Interception Rule

From the Configuration Utility select SSL Orchestrator > Configuration > Interception Rules.

Select the correct rule, sslo_L3_inbound in this example.

Click the pencil icon to edit the rule.

Scroll down to the Server SSL Profiles. Select the Server SSL Profiles created previously and click the arrow to move them from Available to Selected.

At the bottom click Save & Next.

Click Deploy.

Click OK to the Success message.

Summary

Congratulations! The configuration is now complete.

Version history
Last update: 06-Jan-2022 09:48