Forum Discussion

8 Replies

  • Is the server corresponding to your pool member requiring certificate based authentication for incoming connections? If so, you can specify a certificate and key in the HTTPS monitor to use to authenticate the LTM. If not, then the LTM won't be presenting a certificate; only the server will.

     

  • If it's a basic HTTPS monitor which tests TCP 443 reachability, certs don't matter. The certificate handshake will come into the picture if you are using an advanced monitor where you access traffic through TCP 443.

     

  • Unless your server asks for certificate-based authentication, you don't need to worry about the HTTPS monitor. If it is required, you need to configure the cert and key in the monitor.

     

  • Thanks to everyone for sharing thoughts and good explanations. @Nitass... I have another question. By default, the client cert option is set to ignore in BIGIP. Do we need to do the same on the server side (because BIGIP is the client for the server when it is making a secure connection with BIGIP at offload time)? Am I right? If the server is asking for client auth while making a connection from BIGIP to the server side, what cert will BIGIP present to the server... is it a self-signed cert? What happens if BIGIP and the server have the same cert (how will communication happen between them)?

     

  • By default, the client cert option is set to ignore in BIGIP. Do we need to do the same on the server side (because BIGIP is the client for the server when it is making a secure connection with BIGIP at offload time)? Am I right?

     

    yes

     

    If the server is asking for client auth while making a connection from BIGIP to the server side, what cert will BIGIP present to the server... is it a self-signed cert?

     

    The server is the one that verifies the certificate bigip (serverssl) provides. If the server accepts a self-signed certificate, yes, you can use a self-signed certificate in the serverssl profile.
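
The two places discussed in this thread where the BIG-IP acts as a TLS client and can present a certificate, shown as an added tmsh configuration example (not posted by anyone in the thread and not F5's own sample). All object names, the certificate and key file names, and the Host header are placeholders, and the certificate and key are assumed to be already imported on the BIG-IP.

```tmsh
# 1) Health checks: HTTPS monitor that presents a client certificate.
#    Needed only when the pool member demands certificate-based
#    authentication on incoming connections; otherwise omit cert/key.
create ltm monitor https mon_https_clientcert {
    defaults-from https
    cert bigip-client.crt
    key bigip-client.key
    send "GET / HTTP/1.1\r\nHost: app.example.com\r\nConnection: Close\r\n\r\n"
    recv "200 OK"
}

# 2) Application traffic: server SSL profile that presents the same
#    certificate when the BIG-IP re-encrypts towards the pool member.
#    The monitor and the profile are configured independently, so a
#    server that requires client auth needs both.
create ltm profile server-ssl serverssl_clientcert {
    defaults-from serverssl
    cert bigip-client.crt
    key bigip-client.key
}

# Attach the monitor to the pool and the profile to the virtual server
# (placeholder pool and virtual server names).
modify ltm pool pool_app monitor mon_https_clientcert
modify ltm virtual vs_app profiles add { serverssl_clientcert { context serverside } }
```

Whether a self-signed certificate works here is decided on the server, which has to be configured to trust that certificate.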