ssl offload
12 Topics

How useful is SSL mirroring when clustering?
When clustering, persistence mirroring is a no-brainer, and connection mirroring can also be useful under the right circumstances, but how about SSL connection mirroring? (https://support.f5.com/csp/article/K7216) Is there a clear performance benefit for the F5 / Client or a security benefit?

From what I've heard/read (hardly reliable sources... ;), it may be useful in very large scenarios where you are dealing with very large numbers of SSL sessions and a failover event would otherwise trigger all these SSL connections to re-establish, putting a lot of strain on the system. At the same time, for many smaller systems, that initial strain might be manageable compared to the additional overhead of the synchronization that the SSL synchronization may not be worth it. Not to mention other issues such as the recently discovered bug that means you have to disable SSL caching. (https://cdn.f5.com/product/bugtracker/ID760406.html) Meaning you are now trading one benefit for another...

Anybody got any ideas or able to shed any light on it?? Thanks in advance!

Solved, 1.6K Views, 0 likes, 4 Comments

Certificate Issue : unable to find valid certification path to requested target
Hello,

We deployed a staging e-payment application, using a Virtual Server with these properties:

port: https
protocol profile: mptcp-mobile-optimized
HTTP Profile: XFF
SSL Profile: 2 certificates - the issued certificate & a second certificate with Default SSL Profile for SNI
SNAT Pool: IP in the same subnet as nodes
Pool: 2 pool members with port 7010

I'm using public certificates (signed by CA Verisign G5 & CA Symantec G4). The web page is displayed correctly, & SSL checks say all is OK (tested with "; & ";). The actual issue is that transaction doesn't pass over https (in http it works fine). Here's the error message relived from client side:

-An exception occured in HTTPProcess sendMessage. Exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
- doPost exception encountered. Exception: java.lang.NullPointerException.

Can you support us please?

1.1K Views, 0 likes, 6 Comments

SSL off-loading and secure WebSocket
Hi,

We have a Big-IP load balancer, and we are planning to publish a web application that uses secure WebSockets (WSS). We are a little bit concerned about how the load balancer is going to handle this situation, because of the SSL offloading. Is there anything special we have to configure or take care of?

Clients will send an HTTPS request with a WebSocket handshake that includes the HTTP headers "Upgrade:websocket" and "Connection:Upgrade". Will the load balancer populate those headers to the web server? Will the load balancer understand that those connections are persistent and non-HTTP?

Thanks.

1.1K Views, 0 likes, 8 Comments

SSL Offloading for BlueCoat explicit proxy
Hello.

A client's BlueCoat proxy is falling short on resources. It performs SSL interception so it can inspect the whole packet. Given this, they've asked if and how to configure the F5 so it offloads the SSL, thus having the client part of the proxied connection in plain text (from the proxy's POV). The scenario looks something like this:

Client --- -->[F5]------>[BC]----->[F5]------>Internet

(The BlueCoat speaking HTTPS with servers is not resource intensive.)

I have struggled with the SSL intercept iApp, and SSL orchestrator. With SSLO, navigation works, however it seems to not be offloading SSL. Anything is helpful. Thanks!

599 Views, 0 likes, 1 Comment

SSL offload verification
Dear All,

I have just finished configuring SSL offload (client---HTTPS---F5-----HTTPS----Server), so I had to configure both client and server SSL profiles. I had to use the same certificate for offloading in front end as well as backend.

I want to know what the best practice is in this scenario: should we use different certificates for client-ssl and server-ssl?

Is there any way we can verify SSL offloading through packet traces (e.g. client to F5 (SSL) session and then F5 to Server (SSL) session and so on, the reply from server to F5 and then forwarding to the client from F5)?

Regards, Akhtar

499 Views, 0 likes, 4 Comments

Using LTM to SSL Offload a APM Server
Hi All,

Trying to solve a performance issue with an APM policy in front of a Jira based site. Everything works, but using APM and a Webtop slows down the Jira site quite significantly (2-3 times slower). A suggestion was to use two virtual servers: one to act as a basic SSL offload that then passes off to the APM running with an http only interface.

I have done the configuration of APM and can access Jira directly through http. Now, when I create another VS listening on 443, with an SSL Client profile, the server does not respond to requests. With a tcpdump I can see the client connection being established, but when the F5 tries to connect to itself there is no traffic. Running a tcpdump I can see the F5 self-ip doing an ARP request for the APM based VS, but getting no response. So the F5 is trying to find a server, but does not know that it needs to talk to itself.

Tried to use a loopback address (e.g. 127.0.0.99) but the GUI won't let me. Also played with SNAT options but it does not seem to make a difference. Sure it would be possible using two different F5's, but don't have that option. I am sure I read somewhere about a known issue with trying to load balance a VS running on itself, but can't seem to find any reference to it.

Any guidance appreciated.

Regards, Jason

445 Views, 0 likes, 2 Comments

Crypto Client's clientssl profile config issue (External Crypto)
Hi Everyone,

Who has configured external crypto function? Crypto Client's clientssl profile cert&key and Crypto Server's crypto-server-default-clientssl profile cert&key is the same?

This guide "https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-12-0-0/18.html" is not very clear about the certificate requirements.

Many thanks, D.Luo

342 Views, 0 likes, 2 Comments

SAN SSL Certificates on F5 LTM
Hello,

I have a requirement to offload MS Exchange 2013 (OWA) traffic on F5 LTM. We now need to go for a CA signed certificate. As per the F5 documentation LTM supports only SAN certificates, not SNI, but I am confused in selecting the certificates from the link below. I want to know which certificate I should go for.

https://www.thawte.com/ssl/index.html

Note: we currently have two domains for which SSL offloading is needed.

www.xyz.com
mail.xyz.com

Regards, Akhtar

329 Views, 0 likes, 2 Comments

SSL offload and HTTPs persistence
Hi,

Currently I have HTTP clients accessing two Servers in a pool behind an F5. I need persistence towards the two Servers and I'm using a Persistence Profile with HTTP iRule. Now the customer wants to use HTTPS Clients towards the two Servers, which will have HTTPS ports configured.

As I want to keep persistence towards the two Servers, I understand from reading other posts here that I need to offload SSL in F5, so decrypt, run HTTP Persistence iRule and then encrypt again. Am I correct in that thinking?

I'm wondering about the way to implement this on F5. Both Servers will have the same SSL cert/key. To make this work do I create a VS with type "standard" and then create a Client and Server SSL Profile using the SSL cert/key from the Servers?

As regards the iRule, do I need to modify the rule below replacing HTTP with HTTPS or leave it as is?

308 Views, 0 likes, 2 Comments

Full proxy not working when try to use SSL offload + HTTP-to-HTTPS redirect
Hi Everyone,

I have a question about Full proxy with SSL offload. My scenario is that I have a web application which runs on port 80. I then try to make it HTTPS for all paths by using an F5 LTM policy which redirects all HTTP requests to HTTPS and performs SSL offload.

The problem is that the application doesn't work properly after doing that. I'm not sure why it's not working. From the concept of Full proxy, this should work with no problem because F5 isolates client-side and server-side (server-side still sends traffic on port 80). At first I thought it was due to hardcoded HTML in the application, but that's not correct because F5 still sends traffic on port 80 the same as before.

Is there any concern when using HTTP-to-HTTPS redirect + SSL offload?

Thank you

299 Views, 0 likes, 3 Comments