rsa
12 Topics

Impact when moving from 2048 to 4096 bit RSA keys
Hi, I am trying to determine the impact of moving from 2048 bit RSA keys to 4096 bit RSA keys for a client-side SSL profile and would like to get some details of the impact when doing so. I read that the TPS would drop to 20% of what we would be capable of when staying on 2048 bit keys. Assuming an unlimited license.

- How much more latency would we have to face in the handshake process?
- Is there a list of incompatible clients available? Something like 'Outlook 2007, Firefox 12, ...'
- How much will the increased key size strengthen the TLS connection, assuming we stick to the same cipher?
- Any other side effects?

I did also open an F5 support case on this (C2910446 - Analysis of impact when moving from 2048 to 4096 bit RSA keys) but I was wondering if anyone from the community has some interesting ideas/comments to share. Once I get a proper response from F5 support I can share it here as well, as I think many might be interested. Cheers, Torsten

2.8K views, 0 likes, 3 comments

clientssl profile with ECC certificate needs RSA Certificate
Hello guys, I hope you can support me in the following matter. I have already purchased an ECC wildcard certificate and I wanted to attach it to a virtual server on my BIG-IP 4200 LTM box, which is running version 12.1.2. Everything went well until I got an error when creating a Client SSL profile. It said "010717e3:3: Client SSL profile must have RSA certificate/key pair.", so I investigated and found that it is necessary to have an RSA certificate/key in the profile besides the ECC pair. Therefore, I have the following questions about it:

- Do I need to generate two certificates (one ECC and one RSA) with the same FQDN on them? Is it possible? I am using Entrust to generate my certificates.
- How could I figure out which certificate the BIG-IP is showing to the client? How does the BIG-IP select which certificate to show?
- Is there any possibility to make the BIG-IP allow the creation of an SSL profile which uses only an ECC certificate/key? In future releases perhaps?

I have performed a couple of tests and it seems like the BIG-IP is always showing the RSA certificate. Thanks in advance for your help. Best regards

1.3K views, 0 likes, 9 comments

RSA SECURID FIRST TIME LOGIN WITH APM
We have external users with no other access to our internal resources than the one provided by APM. The authentication they use is an RSA SecurID token. They have been working so far with a Juniper solution. But since we moved to F5 APM we have not been able to provide access to new users, as the first-time login is not working. Should it work with F5 APM?

The first-time login works this way: the first time an RSA OTP user logs in, they need to set a PIN for their token. This PIN is used in addition to the token code as the passcode. The user prepends the 8 character PIN to the token code.

1. Enter LOGIN:
2. Enter PASSCODE: (use token code only - 6 or 8 digit number)
3. Enter New PIN (exactly 8 alphanumeric characters, must include 1 number and 1 letter)
4. Re-enter New PIN
5. Enter PASSCODE: (after the token code has flipped, enter PIN+TOKENCODE with no spaces)

From this point on PASSCODE: refers to the PIN+TOKENCODE combination, either 8+8 or 8+6 characters depending on software/hardware token type. If you are prompted for a Next Tokencode during login you will need to wait until your number rolls to the next one and enter it.

1. Enter PASSCODE:
2. Wait for the tokencode to change, then enter the new tokencode:

Each tokencode can only be used once and won't work a second time, even if you mistyped your PIN.

799 views, 0 likes, 4 comments

APM for VMware View with RSA auth.
So I'm trying to set up APM with VMware View and RSA. I created a SecurID View Client Logon and the user enters their email address and RSA key. Next I have the RSA SecurID Auth configured, but it looks like it's only passing the user name and not the full UPN, stripping off the domain name. RSA rejects the user since it does not have the full email address. Thanks

606 views, 0 likes, 10 comments

SecurID authentication via APM & username/pin/tokencode
Hi, when authenticating against a SecurID server there are 3 things needed:

- username
- PIN code
- token code

There is no documentation around which session variables have to be filled accordingly. There are only 2 session variables mentioned: session.logon.last.username and session.logon.last.password. How do I have to fill these 3 pieces of information into those 2 variables? Remember: I do not want to authenticate against 2 different systems like AD AND RSA and send username/password to AD, and username/tokencode to RSA. I want to use RSA SecurID and nothing else. Best regards, Florian

499 views, 0 likes, 4 comments

Using the F5 for the RSA Self-Service Console on port 7004
Hi out there, I am (still) trying to get the RSA self-service portal published via the F5 on a standard SSL port. I have defined a default pool for the RSA server on port 7004 and I am publishing the external server on 443. I have put this iRule on my VS running on port 443, with the default pool for the internal server on port 7004:

```tcl
when HTTP_REQUEST {
    # Disable the stream filter for requests
    STREAM::disable
    # Remove this header to prevent the server from compressing the response
    HTTP::header remove Accept-Encoding
}
when HTTP_RESPONSE {
    set internal_host "rsa.intern.local:7004"
    set external_host "rsaselfservice.extern.com"
    # Rewrite the Location header for redirects
    if { [HTTP::header exists Location] } {
        HTTP::header replace Location [string map "$internal_host $external_host" [HTTP::header Location]]
    }
    # Rewrite the response content using a stream profile if it is text
    if { [HTTP::header Content-Type] contains "text" } {
        # Set the stream expression with the find/replace strings
        STREAM::expression "@$internal_host@$external_host@"
        # Enable the stream filter
        STREAM::enable
    }
}
```

But I get a 302 in return and it looks as if it loops a bit. Can someone tell me what is wrong with this little simple iRule? Is it the response to the client which does not get correctly rewritten? br /ti

320 views, 0 likes, 2 comments

SecurID Authentication Failing on APM 12.1.2
I am having issues with SecurID authentication on a POC APM deployment. My first authentication attempt succeeds but any attempt after that fails with the following error.

```
[root@AKOHDCPOCLTM01:Active:In Sync] config /usr/local/bin/securidtest -p "/config/aaa/ace/Common/rsaama01pakr.bfusa.com" -s 10...* -u username -w *********
ERROR: authentication with 'username' failed in doAuth:SD_Check(): authentication failed, code: 1, state: SECURID_AUTH_STATE_ACCESS_DENIED
Test done: total tests: 1, success=0, failure=1
```

Some fields changed for privacy. I can get a single authentication test to work by deleting the 'sdstatus.12' file. RSA is not able to tell me why that makes a difference. Any thoughts on this?

314 views, 0 likes, 1 comment

RSA pub key authentication when AAA is enabled
Hello, we usually log in to our BIG-IP with TACACS, which is working fine. Now we'd like to have a special user who should authenticate with an RSA public key. Question: when I create a user, I cannot define a password, I guess because of the AAA config, right? So I fear this would only work if we disable TACACS. If we configure the root user with an RSA public key, it still asks for a password. Does anyone have such a combination working?

300 views, 0 likes, 2 comments

RSA Self Service iRule no longer works
I upgraded from 11.2 to 11.6 and the RSA SecurID self-service page that was working is no longer working. I have an iRule that we are using:

```tcl
when HTTP_REQUEST {
    if { [HTTP::header host] eq "PUBLIC.URL.COM" } {
        HTTP::header replace Host "ACTUAL_SERVER_FQDN:7004"
    }
}
when HTTP_RESPONSE {
    if { [HTTP::header Location] eq "ACTUAL_SERVER_FQDN:7004" } {
        HTTP::header replace Location [string map -nocase {ACTUAL_SERVER_FQDN:7004 PUBLIC.URL.COM} [HTTP::header value Location]]
    }
}
```

Everything was working great until we upgraded to 11.6. Now it looks like the HTTP response part of the iRule isn't working. Any updates to this iRule to get it working in 11.6? Thanks!

264 views, 0 likes, 5 comments

RSA page error
The BIG-IP web logon page does not display the prompt text from SecurID RADIUS Access-Challenge packets. This issue affects the new PIN, next Tokencode and on-demand authentication flows. When the user starts any of these flows they will only get a text field with no description of what to enter. See image below. Nat

237 views, 0 likes, 4 comments