SSL/TLS and certificate settings for iquery port

Question

(edited to correct the naming/usage of the port)&nbsp;
Hi!&nbsp;
I need to modify the security settings for the iquery port tcp/4353 (TLS versions, ciphers, SSL certificates and certificate chain on bigip running version 12.1.3.4&nbsp;
Securing the management gui is trivial since in tmsh the 'list /sys httpd' lists all methods...but how is this done for port 4353?
We are not (yet) using external iqueries, so it does not matter if the method includes "session breakage" ;-)&nbsp;

jason_nance · Answer

TCP:4353 is the iQuery port, not the iControl port. The REST API is accessed via TCP:443 of the management interface (just like logging into the web UI) and uses the device certificate for https (the same as the web UI).

coleburn_340288 · Answer

Ok, thanks for the clarification!
The question however remains...how can I secure tcp/4353 (TLS versions, Certificate and cert-chain, ciphers, etc.)?&nbsp;

jason_nance · Answer

iQuery also uses your device certificate/key. You manage that in the web UI under "System" -> "Device Certificates" (in 12.x - newer versions of Big IP use "System" -> "Certificate Management" -> "Device Certificate Management").

anesh · Answer

TLS versions and ciphers cannot be controlled for iQuery, check this K55736054 ,
Iquery uses Device certificates to establish trust relationship between devices, check this K16951115&nbsp;

Forum Discussion

SSL/TLS and certificate settings for iquery port

4 Replies

Recent Discussions

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Reverse Proxy Not Behaving

Stable Firmware for F5

Related Content

F5 ICAP over SSL/TLS (Secure ICAP) with F5 ASM/AWAF Antivirus Protection feature

TLS Fingerprinting to profile SSL/TLS clients without decryption

CLIENT_HELLO SSL TLS version insert

Automating ACMEv2 Certificate Management on BIG-IP

F5 Server SSL Profile using TLS 1.0 instead of TLS 1.2