
How to integrate SSL cert with HTTPS POST monitor

I have configured the following HTTPS POST monitor:

POST /healthcheck HTTP/1.1\nhost: www.example.com\n\r\n

Response code HTTP/1.1 200 OK

I was given an SSL certificate for www.example.com. Can anyone tell me how to integrate the SSL cert with the HTTPS monitor?

Thanks in advance!

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

The HTTPS monitor will accept a CLIENT certificate and key, which would be used if the monitored server required a client certificate for authentication. If your web server is simply listening on port 443 SSL and does not require a client certificate, then you shouldn't need to integrate the cert into the HTTPS monitor.

0

Thanks, Kevin. I have configured the HTTPS monitor with the SSL certificate alone, without the key, and it worked fine. Even without the SSL certificate, the monitor is working fine.

Can you tell me, with an HTTPS POST string, do we need to mention Content-Type and Content-Length, or will the POST monitor also work without these parameters?

0

> I have configured the HTTPS monitor with the SSL certificate alone, without the key, and it worked fine. Even without the SSL certificate, the monitor is working fine.

You'll probably notice that if you remove the certificate it will still work. This setting is only used when the server requires a client certificate, and as such would also require the private key to function.

> Can you tell me, with an HTTPS POST string, do we need to mention Content-Type and Content-Length, or will the POST monitor also work without these parameters?

This depends on the web server, but generally speaking an RFC 2616-compliant POST message would require, at a minimum, the Content-Length and Content-Type headers. The length is the string length of the payload and the type indicates its encoding (usually "application/x-www-form-urlencoded").

0

Many thanks for your help, Kevin.

Would it be possible to share a sample HTTPS POST monitor with me?

0

An HTTPS POST monitor is basically the same as an HTTP POST monitor with the addition of SSL-related functions. I would start out testing with cURL from the command line to make sure you have everything you need. Example:

curl -v http://10.10.10.10/my/uri -d "username=foo&password=bar"

This will produce something like the following:

POST /my/uri HTTP/1.1
User-Agent: curl/7.16.4 (i586-pc-mingw32msvc)...
Host: 10.10.10.10
Accept: */*
Content-Length: 25
Content-Type: application/x-www-form-urlencoded

Once you have a good working POST from the command line, convert that to a single-line statement for the monitor like this:

POST /my/uri HTTP/1.1\r\nHost: 10.10.10.10\r\nAccept: */*\r\nContent-Length: 25\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nusername=foo&password=bar
0
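The conversion step described in the answer above, as an added example that is not part of the original thread: it builds the single-line send string with a computed Content-Length and checks an existing string for a stale length after the payload has been edited. The helper names `build_send_string` and `check_send_string` are hypothetical; the header layout follows the sample string in the answer.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Helper names are hypothetical.

# build_send_string URI HOST BODY [CONTENT_TYPE]
# Prints a POST request on one line with literal \r\n separators.
build_send_string() {
    local uri=$1 host=$2 body=$3
    local ctype=${4:-application/x-www-form-urlencoded}
    local len
    # Content-Length is a byte count, so measure the payload with wc -c.
    len=$(printf '%s' "$body" | wc -c | tr -d '[:space:]')
    printf '%s' "POST $uri HTTP/1.1\\r\\nHost: $host\\r\\nAccept: */*\\r\\n"
    printf '%s' "Content-Length: $len\\r\\nContent-Type: $ctype\\r\\n\\r\\n$body"
}

# check_send_string STRING
# Returns 0 when the declared Content-Length equals the payload's byte count,
# 1 on a mismatch, 2 when the string is not a request with headers and a body.
check_send_string() {
    local s=$1 crlf='\r\n' sep='\r\n\r\n'
    local headers body declared actual
    case $s in
        *"$sep"*) ;;
        *) echo "no blank line between headers and body" >&2; return 2 ;;
    esac
    headers=${s%%"$sep"*}   # everything before the first \r\n\r\n
    body=${s#*"$sep"}       # everything after it
    case $headers in
        *"Content-Length: "*) ;;
        *) echo "missing Content-Length header" >&2; return 2 ;;
    esac
    declared=${headers#*"Content-Length: "}
    declared=${declared%%"$crlf"*}
    actual=$(printf '%s' "$body" | wc -c | tr -d '[:space:]')
    if [ "$declared" != "$actual" ]; then
        echo "Content-Length says $declared but payload is $actual bytes" >&2
        return 1
    fi
}

# Same values as the cURL test in the answer above.
monitor_send=$(build_send_string /my/uri 10.10.10.10 'username=foo&password=bar')
printf '%s\n' "$monitor_send"
check_send_string "$monitor_send" && echo "Content-Length matches payload"
```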

Thanks, Kevin. You are a great help! I can test the curl, as HTTP service is not enabled; only HTTPS is allowed. But this will help me with writing any HTTP POST monitors.

Thanks again!

0

Almost forgot. You'll also need the "-k" option in cURL when querying an HTTPS server.

0

Yes, Kevin. I have tested with -k and it is cool.

Thank you and have a nice day!

0

Hi again!

Now the end web server is requesting SSL cert authentication. They gave me a self-signed cert and key to import on F5. I have imported them and mapped them to the monitor. When I run the curl command, it says SSL handshake failure:

curl -v -k https://10.10.10.10/healthcheck
* About to connect() to 10.10.10.10 port 443
* Trying 10.10.10.10... connected
* Connected to 10.10.10.10 (10.10.10.10) port 443
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSLv2, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Request CERT (13):
SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Client key exchange (16):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSLv3, TLS alert, Server hello (2):
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection #0
curl: (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

The app team created a certificate and key and loaded them onto the web server. When they install this certificate on a Windows machine and run curl, it gives a 200 OK response. Not sure why LTM is not getting it.

Do you think we need to have the server cert (tied to the URL) mapped to the monitor, or is the client certificate good enough?

Also, can you tell me if there is any way to test the curl with these certs?

Many thanks!

0

Is the monitor not working with the included cert and key?

The cURL command isn't working because you haven't specified the client certificate and key in the command line:

curl -v --cert [cert file] --key [key file] --cacert [CA cert file] https://10.10.10.10/healthcheck
0
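A way to read the `curl -v` trace from the failed test, as an added example that is not part of the original thread: the server's "Request CERT (13)" line is what tells you the monitor (and the curl test) must present a client certificate and key. The function name `classify_tls_trace` and the result labels are hypothetical, and the classification is a heuristic, since a handshake alert after a certificate request can have other causes.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Names and labels are hypothetical.

# classify_tls_trace: reads `curl -v` output on stdin and prints one label.
classify_tls_trace() {
    local trace requested=no failed=no
    trace=$(cat)
    # CertificateRequest is TLS handshake message type 13;
    # curl logs it as "Request CERT (13)".
    case $trace in *"Request CERT (13)"*) requested=yes ;; esac
    case $trace in *"alert handshake failure"*) failed=yes ;; esac
    case $requested/$failed in
        yes/yes) echo "cert-requested-handshake-rejected" ;;  # supply cert AND key
        yes/no)  echo "cert-requested-handshake-ok" ;;
        no/yes)  echo "handshake-failed-no-cert-request" ;;   # look elsewhere
        *)       echo "no-cert-requested" ;;                  # no client cert needed
    esac
}

# Handshake lines taken from the trace posted in the thread.
failed_trace() {
    cat <<'EOF'
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Request CERT (13):
SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Client key exchange (16):
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
EOF
}

# Constructed sample: a server that does not ask for a client certificate.
plain_trace() {
    cat <<'EOF'
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, Client key exchange (16):
SSLv3, TLS handshake, Finished (20):
< HTTP/1.1 200 OK
EOF
}

failed_trace | classify_tls_trace
plain_trace | classify_tls_trace
```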

Hi Kevin,

Many thanks for your help, and apologies for the late response. I have tested with the self-signed cert and it is working now.

Many thanks again!

0