cancel
Showing results for 
Search instead for 
Did you mean: 

F5 monitor with client certificate chain

Tore_F_265730
Nimbostratus
Nimbostratus

Hi

 

I am attempting to set up a monitor with client certificate authentication and I can configure the monitor with the key/cert appropriately, but there does not seem to be a method for sending the full trust chain with the request like I can with a server profile.

 

Can I set up a monitor that sends the trust chain with the client certificate during SSL? If so, how can I do this? If you have a link to documentation, that would be great too.

 

Regards

 

2 REPLIES 2

Simon_Blakely
F5 Employee
F5 Employee

You may be able to create your client auth certificate with the appropriate intermediate/root certificates appended. You will need to test this - I'm not sure if it will work.

 

Alternatively, on version 13.1.0.x, you could enable In-TMM Monitoring

 

K11323537: Configuring In-TMM monitoring

 

This new feature allows TMM-based HTTPS monitors to use an existing server-SSL profile to establish SSL/TLS to a pool member.

 

However - this comes with a caveat...

 

Once you enable In-TMM monitors via the db variable, you will need to update all existing HTTPS monitors to use a suitable server-side ssl profile. There is no current migration process from bigd (OpenSSL-based) settings to TMM (F5 crypto) monitor settings, and unmodified HTTPS monitors will fail in the config due to an incompatible cipher string.

 

YMMV

 

In addition to the reply of @Simon_Blakely I want to add,  that with In-TMM monitoring the healthchecks will definitely be send through TMM interfaces only.

Before it was possible, that a healthcheck went out through the MGMT interface in case there was a better route to the node.

With In-TMM monitoring you now have the ability to use SNI (server name indication). Previous TMOS versions required using external monitors to get this done.