Archive for December, 2013

Let's do some SSL offload on F5 LTM.

SSL Offload

SSL offloading relieves a Web server of the processing burden of encrypting and/or decrypting traffic sent via SSL, the security protocol that is implemented in every Web browser. The processing is offloaded to a separate device designed specifically to perform SSL acceleration or SSL termination.

BIG-IP Local Traffic Manager with the SSL Acceleration Feature Module performs SSL offloading.

Introduction

The F5 BIG-IP provides two ways in which SSL is processed:

Client SSL – The F5 decrypts the encrypted traffic inbound from the client.
Server SSL – Traffic is re-encrypted by the F5 and then routed to the backend servers.

There are a number of advantages to terminating SSL on the F5:

  1. It allows iRule processing and cookie persistence.
  2. SSL traffic is offloaded from the web servers.
  3. SSL key exchange and bulk encryption are performed by a single piece of BIG-IP F5 hardware rather than needing to install additional hardware in each web server.
  4. Certificate management is centralized.

Configuration

Client SSL

Configuring Client SSL comprises three steps:

  1. Import or generate the SSL certificate and key.
  2. Configure the Client SSL profile.
  3. Configure the Virtual Server.

1a. Certificate (Import)

  1. Go to 'Local Traffic | SSL Certificates | Import'.
  2. Select Certificate as the Import Type.
  3. Configure the Certificate Name.
  4. Upload the certificate within the Certificate Source section.
  5. Click Import.

Note: Certificates should be in Base-64 encoded or PEM format. A .crt file also works, especially when copying a certificate from one F5 and installing it on another F5.

Keys are imported the same way: set "Import Type" to "Key" and upload the key file from the local computer.

1b. Certificate (Generate) – This is for generating a CSR for a CA, or for self-signed certificates.

  1. Go to 'Local Traffic | SSL Certificates | Create'.
  2. Within the General Properties section enter the Name and then complete the Certificate Properties fields.
  3. Click Finished.

Note: Certificates and keys are synchronized on redundant systems.
Note: The locations of the certificates and keys are:

Certificates: /config/ssl/ssl.cert
Keys:         /config/ssl/ssl.key

2. Configure Profile

Next we need to configure the Client SSL profile.

  1. Go to 'Local Traffic | Profiles | SSL | Client | Create'.
  2. Within the General Properties enter the Name, select clientssl as the Parent Profile, and tick Custom.
  3. Within the Configuration section select the Certificate and Key.
  4. Click Finished.

3. Configure the Virtual Server

  1. Within the relevant Virtual Server, under SSL Profile (Client), select the previously created profile.
  2. Also choose "http" as the HTTP Profile.
  3. Select "None" for SSL Profile (Server).

Don't skip this: even though SSL termination is enabled on this virtual server, you still need to point it at the correct location. If you are editing an existing virtual server, it is probably still pointing at a pool of servers on port 443. In the case of Apache, that will produce an error page, because Apache refuses to serve plain HTTP over a secure port (443). To fix this (or to set it up if this is a new virtual server), click the "Resources" tab of the virtual server.

Under the "Load Balancing" section, select the same "Default Pool" that you are using for your HTTP virtual server. This way both HTTP traffic and the traffic that was formerly HTTPS arrive on the same port on your backend servers.

Server SSL

If Server SSL is required, select the serverssl profile from the SSL Profile (Server) dropdown menu within the Virtual Server.

Getting Started

I have been doing F5-related tasks for a long time but never put them on my blog; now I have decided to place all my F5 learnings in a separate category, F5.

F5's BIG-IP product family comprises purpose-built hardware, modularized software, and virtualized solutions that run the F5 TMOS® operating system. Depending on the appliance selected, one or more BIG-IP product modules can be added to a BIG-IP device to deliver multiple networking functions on a single, unified platform.

In short, the main task of the F5 BIG-IP LTM is this: when a server goes down or becomes overloaded, it directs traffic away from that server to other servers that can handle the load, plus lots of additional tasks. For those not familiar with administering a BIG-IP load balancer, most of the configuration is done via a web interface, accessible via the device's IP address (https://ipaddress).

The Big-IP Administrative interface

The navigation for the site is located in the left-hand column.

As the title says, we are going to perform HTTP to HTTPS redirection.

Description:- Redirects all traffic to same hostname, same URI over https by issuing a redirect with status 301 (Moved Permanently). You can change the status code to a 302 to issue a non-cacheable redirect.

Apply to HTTP virtual server to redirect all traffic to same hostname (stripping port if it exists), same URI over HTTPS. (Do not apply to shared/wildcard virtual server responding to HTTPS traffic, or infinite redirect will occur. Create separate virtual servers on port 80 and port 443, and apply this iRule ONLY to the port 80 HTTP-only virtual server. No iRule is needed on the port 443 HTTPS virtual server.)

Let's start by creating our iRule first; iRules are written in a Tcl-based language.

Here # marks a comment line, which is not executed, so we can use it for descriptions.

#
# sharepoint_apps
#
# Virtual Server: sharepoint_apps_http
#
# Forces users to use HTTPS instead of HTTP
#
# Created 20131220 by Afroz
#
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::host]] {
        "afrozahmad.com" {
            HTTP::respond 301 "Location" "https://afrozahmad.com[HTTP::uri]"
            log local0. "***[IP::client_addr]:[TCP::client_port]:[HTTP::host]:[HTTP::uri]***"
        }
    }
}

The above iRule is simple: it instructs the F5 to redirect traffic arriving for http://afrozahmad.com to https://afrozahmad.com. The "log local0." line logs the activity with the client IP address, TCP port, HTTP host and URI.

Note: The iRule must be applied to a virtual server; in the above case it should be applied to the "http" virtual server. An iRule does nothing until it is applied to a virtual server.

SSL

Overview:-

SSL Certificates on the WLC:-

• The internal HTTPS server on the WLC is enabled by default for Web Administration and Web Policy (Web Authentication/Passthrough).
• It provides SSL encryption between wireless clients and the WLC to protect Web Authentication credentials.

Problem:-

• The end user receives a security warning when the web policy page on the WLC is triggered.
• The WLC does not have a validated, publicly signed certificate; a self-signed certificate (SSC) is installed on the WLC by default.

Solution:-

• Deploy a 3rd-party certificate signed by a public CA.

Requirements:-

• Wireless controller code version 5.1.151.0 or higher.
• OpenSSL 0.9.8 (1.0.0 is not compatible at this time).
• Up to level 2 certificates are supported on the WLC:
  • Level 0: Device certificate
  • Level 1: Device and Root certificate
  • Level 2: Device, Intermediate and Root certificate
• Level 3 certificates (Device, Co-intermediate, Intermediate and Root certificates) are not currently supported (CSCtk65761).
• 1024- and 2048-bit certificates are currently supported.
• Ask the CA which certificates will be provided in the chain.

Step-1 Generate a CSR using OpenSSL 0.9.8

1. Install and open the OpenSSL application.
  • If using GnuWin32 OpenSSL for Windows, open it via the command line:
  • C:\Program Files\GnuWin32\OpenSSL\bin\openssl.exe
2. Issue the following command:
  • OpenSSL>req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem
  • Note: Either 1024- or 2048-bit requests can be used on the WLC.
3. Provide the requested information, including the Common Name. The Common Name must match the DNS hostname of the virtual interface.
4. Once completed, two files will have been created:
  • myreq.pem – the request that will be sent to the CA.
  • mykey.pem – the key file, which will be used when the certificates arrive.

Step-1 Sample Output

The output should look like below.

OpenSSL> req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem -config "C:\Users\v763807\Desktop\openssl-0.9.8g_win32\openssl-0.9.8g_win32\openssl.cnf"
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
……………………………………………………………..+++
……………………………………………………………………..
……………………………………………………………………..
……………………………………………………………………..
……………………………………………………………………..
………………………………………………………………+++
writing new private key to 'mykey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FI
State or Province Name (full name) [Some-State]:Finland
Locality Name (eg, city) []:Helsinki
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ABCD
on
Organizational Unit Name (eg, section) []:Network
Common Name (eg, YOUR name) []:guest.afrozahmad.com
Email Address []:admin@afrozahmad.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:hello123       -> Remember this password; it will be used later in the final step.
An optional company name []:
OpenSSL>

Step-2 Obtain certificate from CA

1. Log in to the certificate authority's web portal (in our case Thawte) and provide the myreq.pem file when creating a new certificate.
2. Note: If an optional password was used when creating the request, be sure to provide this password to the CA when submitting.
3. The CA will notify you when your certificate is ready and provide a method to download it.
4. When downloading the certificate, ensure that you obtain the following. Copy the certificates into a text file in the order below and name it "All-certs.pem":
       1. Device Certificate
       2. Intermediate Certificate
       3. Root Certificate

Step-3 Chaining the Certificates

When we receive the certificate of another entity, we may need a certificate chain to reach the root CA certificate. The certificate chain, also known as the certification path, is a list of certificates used to authenticate an entity. The chain (or path) begins with the certificate of that entity, and each certificate in the chain is signed by the entity identified by the next certificate in the chain. The chain terminates with a root CA certificate, which is always signed by the CA itself. The signatures of all certificates in the chain must be verified until the root CA certificate is reached. The figure below illustrates a certification path from the certificate owner to the root CA, where the chain of trust begins.

Cert Chain

1. Open OpenSSL (via the command line) and issue the following commands:
       1. openssl>pkcs12 -export -in All-certs.pem -inkey mykey.pem -out All-certs.p12 -clcerts -passin pass:upm123 -passout pass:upm123
       2. openssl>pkcs12 -in All-certs.p12 -out final-cert.pem -passin pass:upm123 -passout pass:upm123
       3. Note: In the above commands we must enter a password for the parameters -passin and -passout. The password configured for the -passout parameter must match the certpassword parameter configured on the WLC. Here the password is "hello123".
2. If all went well, we will have a file called "final-cert.pem". Move this file into the root directory of our TFTP server (L00SRV1083).

Step-4 Downloading "final-cert.pem" to the WLC

1. Open our TFTP server and verify that "final-cert.pem" is within the root directory on the server.
2. Log in to the WLC via the Web GUI and choose the following path:
       1. Web GUI -> Security -> Web Auth -> Certificate
       2. Check the box "Download SSL Certificate".
       3. When ready, click "Apply" in the upper right-hand corner of the page.

Using DNS to Validate the Common Name

1. Configure the WLC's virtual interface hostname as the Common Name found on the certificate. A reboot is required.
       1. Example: wlanguest.upm.com -> 1.1.1.1 or x.x.x.x
2. On the clients' DNS server, configure a DNS A record pointing our FQDN to the virtual interface IP address.
       1. Example: guest.afrozahmad.com -> 1.1.1.1
       2. There are three options when deploying DNS:
       3. The client can use an external (public) DNS server. This requires a public A record on "upm.com".
       4. The client can use an internal DNS server within the enterprise. Simply create the A record on the internal servers.
       5. Deploy a DNS server in the DMZ.

Troubleshooting:-

1. OpenSSL does not generate All-certs.p12 or final-cert.pem:
       1. Verify that the All-certs.pem file has the certificates in the following order: Device (top), Intermediate (middle), Root (bottom).
       2. Verify that the mykey.pem file is the same one used to originally create the CSR (myreq.pem).
       3. If an optional password was set within the CSR, ensure that this password was provided to the CA when requesting the certificate.
2. The certificate fails to install on the WLC:
       1. Run the "debug transfer all enable" command on the WLC CLI.
       2. Verify that the passin/passout password is used when downloading to the WLC.
3. The client still receives a security warning after successful installation:
       1. Browse to the Web Policy page and double-click the SSL icon in your browser to view the certificate. Review the certificate path.
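The following script is an added example, not part of the original post, that runs Steps 1 to 3 end to end and implements the first troubleshooting check (certificate order in All-certs.pem). Because no public CA is involved, it signs the CSR with a constructed root and intermediate CA; the hostname, organisation, password and file names are assumptions.

```shell
#!/bin/sh
# Constructed demo of Steps 1-3 plus the troubleshooting order check: a local
# stand-in root and intermediate CA sign the device CSR, the three certificates
# are bundled as All-certs.pem (device, intermediate, root) and the two pkcs12
# commands from the post produce final-cert.pem. Names, passwords and the local
# CAs are assumptions; a real deployment receives the signed chain from its CA.
set -e
PASS=upm123            # -passout value; must match the certpassword set on the WLC
CN=guest.example.com   # assumed hostname of the WLC virtual interface

# Split a PEM bundle and check it is ordered device (first) to root (last, self-signed).
chain_order_ok() {
  n=$(awk '/BEGIN CERT/{n++} {print > ("part" n ".pem")} END{print n}' "$1")
  openssl x509 -in part1.pem -noout -subject | grep -q "CN *= *$2" || return 1
  s=$(openssl x509 -in "part$n.pem" -noout -subject)
  i=$(openssl x509 -in "part$n.pem" -noout -issuer)
  [ "${s#subject=}" = "${i#issuer=}" ]
}

build_chain_demo() {
  WORK=$(mktemp -d); cd "$WORK"
  # Stand-in CAs (assumption: in practice these certificates come from the public CA).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/CN=Demo Root CA" -days 3650 2>/dev/null
  printf 'basicConstraints=CA:TRUE\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Demo Intermediate CA" 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -out inter.pem -days 1825 2>/dev/null
  # Step 1: the CSR and key exactly as in the post, made non-interactive with -subj.
  openssl req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem \
    -subj "/C=FI/O=ABCD/CN=$CN" 2>/dev/null
  openssl x509 -req -in myreq.pem -CA inter.pem -CAkey inter.key -CAcreateserial \
    -out device.pem -days 365 2>/dev/null
  # Step 2: bundle in the order the WLC expects, then check that order.
  cat device.pem inter.pem root.pem > All-certs.pem
  chain_order_ok All-certs.pem "$CN"
  # Step 3: the two pkcs12 commands from the post.
  openssl pkcs12 -export -in All-certs.pem -inkey mykey.pem -out All-certs.p12 \
    -clcerts -passin pass:$PASS -passout pass:$PASS
  openssl pkcs12 -in All-certs.p12 -out final-cert.pem -passin pass:$PASS -passout pass:$PASS
  # Checks: the device cert chains to the root, and final-cert.pem carries the
  # password-protected key plus all three certificates.
  openssl verify -CAfile root.pem -untrusted inter.pem device.pem >/dev/null
  grep -q 'BEGIN ENCRYPTED PRIVATE KEY' final-cert.pem
  [ "$(grep -c 'BEGIN CERTIFICATE' final-cert.pem)" -eq 3 ]
  echo "$WORK/final-cert.pem"
}

build_chain_demo
```

The script prints the path of the generated final-cert.pem; a bundle in the wrong order (root first) makes chain_order_ok fail, which is the symptom the first troubleshooting item describes.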
FAQs:-

1. Can I install the same certificate on multiple WLCs?
       1. Yes; the virtual interface IP address and hostname must be the same on all WLCs.
2. If I am using a Guest Anchor WLC, where do I need to install the certificate?
       1. The 3rd-party SSL certificate is only required on the Anchor WLC.
3. My company has a wildcard SSL certificate. Can I use this with the WLC?
       1. Yes, however please ensure that the certificate is level 2 or lower.
4. My certificates are not in .pem format. Can I convert them?
       1. Yes, we can use OpenSSL to perform the conversion, or use the following web-based tool:
       2. https://www.sslhopper.com/ssl-convertor.html (External Site)
5. Additional Links: