
iApp template with multiple client_ssl profiles for SNI

Currently the http iApp template doesn't allow you to add multiple client SSL profiles to an application, which is what you need to do when using SNI on the virtual host. I've just been burnt by modifying an app that had strict updates disabled and the virtual server modified by hand to add the required SSL profiles. Rather than rebuild the service by hand, I'd like to modify the template to allow for multiple client SSL profiles.

Has anyone done this for themselves? I can't find any examples in the current iApps bundle, and the template language is a little daunting.

Thanks in advance,

Robin

Comments on this Question
Comment made 14-Aug-2018 by Marco Bayarena 235

I would like to know too. I have to disable Strict Updates to apply multiple SSL Client Profiles to the VIP.

Answers to this Question


Hi,

Generally I don't like to change an iApp that was published, because it needs to be the SOT (source of truth). When you disable "Strict Updates" and change some properties of objects created by the iApp, that's fine, BUT if you return to the iApp and "Reconfigure" it, it destroys and rewrites the custom changes you made to its objects. I know that you can create your own iApp template, BUT it's very complicated. What I love to do if it's a complicated app & need help with the iApp: I create a fake iApp (addresses, names etc.) and then create my own custom objects.

To answer you & Marco, I would say just uncheck "Strict Updates" and add multiple SSL client profiles with SNI, as many as you want / need. For multiple SSL client profiles to work you need SNI support, for which you need to do the following:

1. Create SSL client profiles for each FQDN; you should enable SNI "Server Name" and put your host FQDN there (unique).
2. Only one of the profiles can have "Default SSL Profile for SNI" & "Require Peer SNI support" enabled.
3. The client must support the TLS protocol, at the very least version 1.0, and the client & server must negotiate TLS (versus SSL).

Please review the configuration needed in the images below...

[Image: VS Configuration]
[Image: Default SNI Client SSL Profile]
[Image: App1 SNI Client SSL Profile]
[Image: App2 SNI Client SSL Profile]

Good luck, Shiran Cohen.
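
A configuration check for the SNI rules listed in the answer above, as an added example that is not part of the original answer or any F5 tooling: it parses client SSL profile stanzas in bigip.conf style and flags a duplicated `server-name` or more than one `sni-default` profile. The sample config, profile names and FQDNs are constructed, and the stanzas are assumed to be the profiles attached to a single virtual server.

```python
import re
from collections import Counter

# Constructed sample in bigip.conf style; profile names and FQDNs are made up.
SAMPLE_CONF = """\
ltm profile client-ssl /Common/default_sni_clientssl {
    sni-default true
    sni-require true
}
ltm profile client-ssl /Common/app1_clientssl {
    server-name app1.example.com
    sni-default false
}
ltm profile client-ssl /Common/app2_clientssl {
    server-name app1.example.com
    sni-default true
}
"""

HEADER = re.compile(r"^ltm profile client-ssl (\S+) \{$")

def parse_client_ssl(conf):
    """Return {profile: {property: value}}, reading top-level properties only."""
    profiles, current, depth = {}, None, 0
    for raw in conf.splitlines():
        line = raw.strip()
        m = HEADER.match(line) if depth == 0 else None
        if m:
            current, depth = profiles.setdefault(m.group(1), {}), 1
            continue
        # Nested blocks (e.g. cert-key-chain) and other stanzas are skipped.
        if depth == 1 and current is not None and " " in line and not line.endswith("{"):
            key, value = line.split(None, 1)
            current[key] = value
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None
    return profiles

def check_sni(profiles):
    """Apply the answer's rules: unique server-name, at most one SNI default."""
    findings = []
    defaults = sorted(n for n, p in profiles.items() if p.get("sni-default") == "true")
    if len(defaults) > 1:
        findings.append("more than one sni-default profile: " + ", ".join(defaults))
    seen = Counter(p["server-name"].lower() for p in profiles.values() if "server-name" in p)
    findings += [f"server-name {fqdn} used by {n} profiles"
                 for fqdn, n in sorted(seen.items()) if n > 1]
    return findings

if __name__ == "__main__":
    print("\n".join(check_sni(parse_client_ssl(SAMPLE_CONF))) or "no findings")
```

In the constructed sample, app2_clientssl reuses app1's FQDN and is also marked as an SNI default, so both rules are reported.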


You would think that if the HTTP iApp has this question: "What FQDNs will clients use to access the servers? (you can add multiple)", that it would support multiple SSL profiles.

You're right, the iApp template looks fairly complicated. I am not sure about how to create one with the ability to add multiple profiles. Is that a feature request type thing?
Comments on this Answer
Comment made 14-Aug-2018 by ShiranCohen 198

You're right, BUT this Q is for the FQDN which will be used if you select "Create a new health monitor"; it will create a custom HTTP monitor with a specific HTTP Host header containing your FQDN. I also think there is a place for a feature request.

Best Regards, Shiran Cohen.
Comment made 14-Aug-2018 by Marco Bayarena 235

That makes sense about the FQDN.

I'll submit a feature request. Thanks.
