Forum Discussion

dragonflymr
Mar 14, 2015

DSC and trust creation

Hi,

Probably trivial and not so important, but I am not so good at SSL stuff and still curious how it works.

Before creating HA we have two (or more) standalone LTMs (ltm_A and ltm_B). Each one has its own CA and its own identity certificate signed by its own CA.

Then we are adding ltm_B as peer from ltm_A. What exactly is happening here?

 

  1. Is a standard SSL handshake with client authentication performed? So ltm_B is sending its identity cert (as server) and ltm_A is sending its identity cert as client?
  2. If so, how is the validity of the certs checked? Each identity cert is signed by a different CA (local to each LTM).
  3. Or is ltm_A sending its CA cert and key to ltm_B first? A bit strange concerning security, but maybe it's based only on the user and password used when adding another LTM?
  4. I can see that after adding to the Trust Domain both LTMs have the same cert (identical Serial Number for CA certs) listed in Device Trust : Local Domain.
  5. Then ltm_B is generating a new identity cert using the passed CA info (because both are using the same CA for signing the identity cert, the CA check is passed), or ltm_A is receiving a CSR from ltm_B and is signing it like any other CA, and then it can trust the cert presented by ltm_B?

Or maybe it's done some other way?

If it's more or less like that, what is the difference when adding another LTM as Peer and as Subordinate? Only that a peer is working as CA for other LTMs and a Subordinate can't in fact be used to add another LTM because it is not a CA and can't sign another LTM's certificate?

 

Piotr


8 Replies

  • is sol13946 useful?

    When the local BIG-IP device attempts to join a device trust with a remote BIG-IP device, the following applies:
       ◦ If the local BIG-IP device is added as a peer authority device, the remote BIG-IP device presents a certificate signing request (CSR) to the local device, which then signs the CSR and returns the certificate along with its CA certificate and key.
       ◦ If the local BIG-IP device is added as a subordinate (non-authority) device, the remote BIG-IP device presents a CSR to the local device, which then signs the CSR and returns the certificate. The CA certificate and key are not presented to the remote BIG-IP device. The subordinate device is unable to request other devices to join the device trust.

    sol13946: Troubleshooting ConfigSync and device service clustering issues (11.x)

    https://support.f5.com/kb/en-us/solutions/public/13000/900/sol13946.html
  • Thanks, I should read the docs more carefully. What I am not sure about in the above is why it states "If the local BIG-IP device is added as a peer authority device". When trust is created, the other device is added from the device we are logged in to, so that is the local device. It's the remote device that is added to the trust, so shouldn't it say "If the REMOTE BIG-IP device is added as a peer authority device"?

    Piotr


    • dragonflymr
      It's probably not an issue for F5 pros like you, but for a newcomer this kind of misleading or imprecise definition really makes life harder when trying to figure out a quite new area of knowledge. There are at least a few other examples of such info in the mentioned SOL. You don't care because it's so obvious to you how things are working, but for me that is lost time figuring out whether I don't understand something or the info is wrong. BTW, does it make sense to post comments to a SOL? I mean, is anybody reading such comments?
      Piotr
    • nitass
      I believe the AskF5 team is reading it. Also, (I think) you can open a support case to clarify if an AskF5 SOL or manual is not clear.
  • Strange, whatever I tried I am getting an empty dialog and a spinning "Submitting" cursor. Tried from different computers and browsers and the result is the same (for a new question).
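The two join modes quoted from sol13946 in the first reply (the authority signs the joiner's CSR; the CA cert and key are handed over only to a peer), modelled with plain openssl commands as an added example. This is constructed here and is not BIG-IP code or anything from F5: the device names, the file layout and the use of openssl as a stand-in for whatever the product does internally are all assumptions.

```shell
# Constructed model of the two join modes sol13946 describes, using openssl.
# This is not BIG-IP code; device names and the file layout are assumptions.
set -eu
WORK=$(mktemp -d)

# Every standalone BIG-IP starts out with its own CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1 CA" \
    -keyout "$WORK/$1.ca.key" -out "$WORK/$1.ca.crt" >/dev/null 2>&1
}

# The joining device keeps its private key and hands over only a CSR.
make_csr() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# $1 = authority, $2 = joiner, $3 = peer|subordinate.
# The authority signs the CSR; only a peer also receives the CA cert and key.
join_trust() {
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.ca.crt" \
    -CAkey "$WORK/$1.ca.key" -CAcreateserial -days 365 \
    -out "$WORK/$2.crt" >/dev/null 2>&1
  if [ "$3" = peer ]; then
    cp "$WORK/$1.ca.crt" "$WORK/$2.ca.crt"
    cp "$WORK/$1.ca.key" "$WORK/$2.ca.key"
  fi
}

# Does $2's identity cert chain to $1's CA cert?
verify_against() {
  openssl verify -CAfile "$WORK/$1.ca.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# Serial of $1's CA cert; a peer reports the same serial as the authority.
ca_serial() {
  openssl x509 -noout -serial -in "$WORK/$1.ca.crt"
}

# Can $1 admit $2? Only a device holding the CA key can sign the CSR.
can_sign() {
  [ -f "$WORK/$1.ca.key" ] && join_trust "$1" "$2" subordinate
}

# Walk-through: ltm_A admits ltm_B as a peer and ltm_C as a subordinate.
make_ca ltm_A; make_csr ltm_B; make_csr ltm_C; make_csr ltm_D
join_trust ltm_A ltm_B peer
join_trust ltm_A ltm_C subordinate
can_sign ltm_C ltm_D && echo "ltm_C admitted ltm_D" || echo "ltm_C holds no CA key, cannot admit ltm_D"
```

The peer's copied CA cert carries the authority's serial number, which is the identical-serial observation in point 4 of the question; the subordinate, holding no CA key, cannot admit a further device, while the peer can and the resulting cert still chains to ltm_A's CA.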