Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Multiple SSL certificates in the Server Side

Thiago_Morais
Altostratus
Altostratus

‎12-Jan-2021 13:20

I need help to configure a VS based on the following scenario.

 

1) Each node has a self-assigned certificate based on FQDN (server's hostname)

2) The service is active in one node

3) The other nodes are on standby

4) The connection between F5 and Application Server will be in HTTPS

5) The application will start the service in another node when the active node goes down

 

How I can configure the F5 to use a different certificate based on the application failure (when the monitor failed and the application change to another server)? In the server SSL profile should have the certificates for each server?

 

 

 

Thanks in advance.

TM

 

 

 

 

 

0691T00000BRtfvQAD.png

Labels:
0 Kudos
1 REPLY 1

Stefan_Klotz
Cumulonimbus
Cumulonimbus

‎13-Jan-2021 03:52

Hi Thiago,

in the serverside context the F5 acts as the client and doesn't interest on the validation of the server certificate (name, issuer, date). So you should be fine to simply use the parent serverSSL profile. Only on the clientside you have to use a specific clientSSL profile with an officially signed certificate matching the name of the DNS from your VS.

And regarding the "failover" of the poolmembers I see two options:

  • Only the active member reacts successful on the health-check, so just this member becomes green and gets traffic. In case of an issue with the primary member, the second one becomes active and its monitor gets green.
  • All members react successfully on the health-check, so you need to work with priority groups and must define the same order of the other members (in case there are more than two) as the "failover" within the application would do (if this is hopefully not a dynamic algorithm).

 

Ciao Stefan 🙂

0 Kudos
Copyright © 2023 Khoros, LLC