
Joshua_Rasnier
Oct 18, 2013

serverside certificate per server

I have a virtual server with a serverside SSL profile. This serverside SSL profile references a self-signed certificate from the end server.


But F5 LTM is a load balancer, so what happens when you have multiple servers, like a pool of 12 web servers? Do you need to create self-signed certificates for all the servers, and essentially create 12 serverside SSL profiles, using an iRule to determine which serverside profile goes with which end server?


4 Replies

  • The certificate and key in the serverssl profile are used when the pool member does client certificate authentication. If the pool member does not do client certificate authentication, this setting is not needed.


    Trusted certificate authorities in the serverssl profile is used to authenticate the pool member's certificate. It is set to none by default, which will accept the pool member's certificate signed by any CA.


    sol11220: Overview of the Server SSL profile


    http://support.f5.com/kb/en-us/solutions/public/11000/200/sol11220.html


  • You have options here. You can use a single serverside certificate if it fits your needs, but you can also assign a specific certificate to any pool you use with that VS, or not use SSL at all for another pool. This could be achieved by using an iRule with the SSL::profile and SSL::enable (or disable) commands.


    https://devcentral.f5.com/wiki/irules.SSL__profile.ashx


    https://devcentral.f5.com/wiki/iRules.SSL__disable%20.ashx


  • I understand I can have a single serverside profile for the virtual server, and I can also select a serverside profile for a specific pool, as I do with the rule below.

    when SERVER_CONNECTED {
        switch -glob [LB::server pool] {
            "POOL_1" {
                SSL::enable serverside
                SSL::profile "serverssl_pool1"
            }
        }
    }
    

    What I'm wondering is this. If I have three servers for POOL_1, with a self-signed certificate, that certificate would only work for SSL verification between the F5 and the server that produced the self-signed certificate.

    So if I need SSL verification between the F5 and the three servers, then essentially I would have three self-signed server certificates. Would I need to then create three server-side profiles, one for each self-signed server certificate, and use an iRule like the one below? Is there an easier way?

    when SERVER_CONNECTED {
        switch -glob [LB::server addr] {
            "192.168.1.1" {
                SSL::enable serverside
                SSL::profile "server1_pool1"
            }
            "192.168.1.2" {
                SSL::enable serverside
                SSL::profile "server2_pool1"
            }
            "192.168.1.3" {
                SSL::enable serverside
                SSL::profile "server3_pool1"
            }
        }
    }
    
  • It might be easier to throw it all into a data group. Example:


    when SERVER_CONNECTED {
        if { [class match [LB::server addr] equals my_ssl_server_dg] } {
            SSL::profile [class match -value [LB::server addr] equals my_ssl_server_dg]
        }
    }

    where "my_ssl_server_dg" is an arbitrary string-based data group that maps the server IP to its corresponding server SSL profile. Like this:


    10.70.0.1 := test1_serverssl
    10.70.0.2 := test2_serverssl
    10.70.0.3 := test3_serverssl

    It doesn't remove the need to create a separate server SSL profile for each server node, but it makes your code easier to manage. You also don't need the SSL::enable serverside command if you already have a generic server SSL profile applied to the VIP.
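As an added example that is not part of the original thread, here is a variant of the data-group iRule above (serving both the per-address switch in the third post and the data-group version in the fourth) that handles the case the thread leaves open: a node that has no entry in the data group. The data group name my_ssl_server_dg, the node addresses and the profile names are assumed to match the fourth reply. Each of the test1_serverssl, test2_serverssl and test3_serverssl profiles is assumed to have Server Certificate set to require and Trusted Certificate Authorities set to that node's own self-signed certificate; that pairing is what actually makes the BIG-IP verify the server's certificate, and it is why a self-signed setup needs one profile per node. If a node is not in the data group, the connection would otherwise proceed on whatever server SSL profile is attached to the virtual server, which is not pinned to that node, so this rule logs and rejects instead of silently downgrading.

```tcl
# Added example iRule, not code from the original thread.
# Assumed data group "my_ssl_server_dg" (type string), constructed to match
# the reply above:
#     10.70.0.1 := test1_serverssl
#     10.70.0.2 := test2_serverssl
#     10.70.0.3 := test3_serverssl
# Assumed: each listed profile has Server Certificate = require and
# Trusted Certificate Authorities = that node's own self-signed cert, and a
# generic server SSL profile is already attached to the virtual server, so
# SSL::enable serverside is not needed here.
when SERVER_CONNECTED {
    set node [LB::server addr]

    # "class match -value" returns the mapped value, or the empty string when
    # the key is absent, so a single lookup replaces the match-then-lookup
    # pair in the original rule.
    set profile [class match -value $node equals my_ssl_server_dg]

    if { $profile ne "" } {
        # Switch the server-side SSL profile to the one pinned to this node
        # before the server-side handshake starts.
        SSL::profile $profile
        log local0.debug "node $node -> serverssl profile $profile"
    } else {
        # No pinned profile for this node. Falling through would use the
        # virtual server's default profile, which cannot verify this node's
        # self-signed certificate, so refuse the connection instead.
        log local0.err "no serverssl profile mapped for node $node; rejecting"
        reject
    }
}
```

The log lines are there so a node that was added to the pool without a matching data-group entry shows up immediately in /var/log/ltm rather than as an unexplained connection failure; drop the debug line once the mapping is stable.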