Forum Discussion

Demeter_Luo
Mar 30, 2017

About F5 VE External Cryptographic issue.

Hi Everyone

 

I refer to this guide https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-12-0-0/18.html in my lab.

 

Client -----> BIGIP-1 VE v12.1 (Crypto client) -----> BIGIP-2 VE v12.1 (Crypto server)

 

I used the tmsh command show crypto server, and it gives normal output, as below.

 

Sys::Crypto Server: my_Crypto_Server

 

Received Packets 156
Received Bytes 6.1K
Transmitted Packets 156
Transmitted Bytes 3.8K

 

But the client web browser displays the common name localhost.localdomain, from the Crypto client's default clientssl cert, not from the Crypto server's crypto-server-default-clientssl cert.

 

My understanding was that the purpose of the External Crypto function is to use the Crypto server to securely store and manage certificates. The Crypto server is responsible for the final SSL offload function. So I think the certificate displayed by the client browser should be the Crypto server's instead of the Crypto client's localhost.localdomain.

 

Do I understand correctly, and how should it be configured correctly?

 

Many Thanks

 

D.Luo

 

1 Reply

  • Yes, this functionality is for offloading the SSL work to another BIGIP device. The main target for that is having a VE, for example, offloading SSL work to another BIGIP that has an SSL card. I guess your scenario is just for testing, because having a VE as both client and server does not make sense.

     

    Can you provide the relevant part of your configuration?