Forum Discussion

Deee-blue_14536
Mar 08, 2015

Client and server ssl cert location when redirecting to a second VIP (LTM)

Hi All,

I have a setup using a SAN cert which holds multiple URLs pointing to a single public IP address. I plan on having traffic hit a VIP and then being filtered by URL to a second tier of VIPs, one for each URL. This is a requirement in the design. I've tested using the client and server certs on the primary VIP and this seems to work. I just want to be sure the client cert should sit on the primary VIP and not the secondary VIP, as the SNAT address is allocated to the secondary VIP, so I guess the connection to the server is from the secondary VIP. Does the secondary VIP inherit the SSL config from the primary VIP? Is anything else, like iRules, inherited from the primary VIP? The server SSL cert is the F5 default cert.

Thanks in advance

3 Replies

  • Since you're having multiple hosts go to the same VIP, you'll need to have the client cert (your SAN) on the primary VIP, so it can offload the SSL. You could also have the SAN cert on your secondary VIPs and a default cert as the serverssl cert on your primary VIP if you wanted to secure communication to the secondary VIPs (though since it's internal to the device, I don't think that it would matter since the traffic never leaves the BIG-IP between those two).

    Regarding inheritance, the VIPs would be set up separately, so they'll each have their own iRules, profiles, etc. Basically their configurations will be completely separate.

  • Thanks Michael, from what you've said I'll have the client cert on the primary and the default server-side cert on the secondary. That will give me SSL from client to server. Please correct me if what I've said is wrong. Thanks for your advice.

  • I understand: on the primary VS, SAN certificate on clientssl and default on serverssl. On the secondary VS, default on both clientssl and serverssl.

    Default clientssl can be used on the secondary VS because on the primary VS, server certificate in the default serverssl is set to ignore, so it does not do server authentication (i.e. not checking the server certificate from the secondary VS).

    Ignore: The Ignore setting is the default setting. The BIG-IP system ignores certificates from the server and never authenticates the server.
    sol14806: Overview of the Server SSL profile (11.x)

    https://support.f5.com/kb/en-us/solutions/public/14000/800/sol14806.html
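
As an added illustration of the two-tier layout the replies settle on (this is not configuration from the original poster, the repliers, or F5), the tmsh script below builds the primary virtual server with the SAN certificate in its client-ssl profile and the stock serverssl profile on the server side, two secondary virtual servers that carry the SNAT and use the default clientssl/serverssl profiles, and an iRule on the primary that dispatches to a secondary by Host header. Every object name, hostname, certificate name and address is an assumed placeholder; the `cert`/`key` form of the client-ssl profile matches the 11.x syntax referenced by sol14806.

```tmsh
# Added example, not from the original thread. Object names, hostnames,
# certificate names and addresses are placeholders chosen for illustration.

# Client-side profile for the primary VS: terminates TLS from the Internet
# with the SAN certificate (assumed already imported as san_example_com).
create ltm profile client-ssl clientssl_san defaults-from clientssl cert san_example_com.crt key san_example_com.key

# Back-end pools, one per hostname (placeholder addresses).
create ltm pool pool_app1 members add { 10.0.1.10:443 }
create ltm pool pool_app2 members add { 10.0.2.10:443 }

# Secondary VSs, one per hostname. They use the stock clientssl/serverssl
# profiles and hold the SNAT, so the connection to the real server is
# sourced from here. Each one is a separate object with its own profiles
# and iRules; nothing is inherited from the primary VS.
create ltm virtual vs_app1_internal destination 10.0.0.11:443 pool pool_app1 source-address-translation { type automap } profiles add {
    http { }
    clientssl { context clientside }
    serverssl { context serverside }
}
create ltm virtual vs_app2_internal destination 10.0.0.12:443 pool pool_app2 source-address-translation { type automap } profiles add {
    http { }
    clientssl { context clientside }
    serverssl { context serverside }
}

# Dispatch rule for the primary VS. It runs after clientssl_san has
# decrypted the request, so HTTP::host is readable; an unknown host is
# rejected rather than forwarded anywhere.
create ltm rule host_dispatch {
    when HTTP_REQUEST {
        switch -- [string tolower [HTTP::host]] {
            "app1.example.com" { virtual vs_app1_internal }
            "app2.example.com" { virtual vs_app2_internal }
            default { reject }
        }
    }
}

# Primary VS: public address (placeholder), SAN cert on the client side,
# stock serverssl on the server side. The stock serverssl profile leaves
# server-certificate checking at "ignore", which is why the secondary VSs
# can present the default certificate on their clientssl side.
create ltm virtual vs_primary destination 203.0.113.10:443 profiles add {
    http { }
    clientssl_san { context clientside }
    serverssl { context serverside }
} rules { host_dispatch }
```

The primary's serverssl profile re-encrypts the hop into the secondary VS and the secondary's clientssl decrypts it again; as the first reply notes, that hop never leaves the BIG-IP, so the "ignore" setting on the primary's serverssl is acceptable there. The SNAT (automap in this example) belongs on the secondary VSs, which is where the connections to the pool members originate.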