Steps for F5 Configuration

We choose in our example “10.2.3.169” to be for management F5 and 10.2.3.118 to be for Load Balancing. Both IPs on the same interface, this means we will have only one NIC associated with this F5, where “10.2.3.169” is primary private ip and “10.2.3.118” is a secondary private ip.


1. Add Nodes

Login to our F5 interface https://10.2.3.169:8443/ then go to the “Local Traffic” → “Nodes”, here we need to click on “Create” (located in the right side).


Node 1:

NODE1.png


Node 2

node2.png


At the end in Local Traffic → Nodes , we need to have:

Screenshot 2022-09-21 at 12.43.19.png



2. Create Pools

Go in “Local Traffic” → “Pools” and here press “create” button (located in the right side).


2.1 Pool for bops

Screenshot 2022-09-21 at 12.48.29.png


2.2. Pool for dmz

Screenshot 2022-09-21 at 12.50.19.png



2.3. Pool for idp

Screenshot 2022-09-21 at 12.51.47.png

2.3. Pool for ssp

Screenshot 2022-09-21 at 12.55.04.png


2.3. Pool for websec admin

Screenshot 2022-09-21 at 12.56.08.png

2.4. At the end we need to have

Screenshot 2022-09-21 at 12.57.21.png


3. Create two IRules

!!! Before we create the following rules we need to get the “x-ssl-termination-proxy-secret” from haproxy located the webapp. ( /etc/veridiumid/haproxy/haproxy.cfg ) , and we need to replace XXXXXXXXX with our x-ssl-termination-proxy-secret.

Go in “Local Traffic” → “iRules” and here press “create” button (located in the right side).


3.1. Rule 1

Screenshot 2022-09-21 at 13.05.16.png
###Retrieve the client certificate DN
when CLIENTSSL_CLIENTHELLO {
    set dist_name ""
}


###Create the Headers to insert the proxy secret and the client certificate DN.

when HTTP_REQUEST {

    set dist_name [X509::subject [SSL::cert 0]]
    HTTP::header insert "x-ssl-termination-proxy-secret" "pDXXgTsfGZOCwWn"
    HTTP::header insert "X-SSL-Client-DN" $dist_name 

     #log local0. "HERE START"
     #log local0. "$dist_name"
     #log local0. "HERE END"

}


3.2. Rule 2

Screenshot 2022-12-02 at 13.36.09.png
###Retrieve the client certificate DN
when CLIENTSSL_CLIENTHELLO {
    set dist_name ""
}

when CLIENTSSL_CLIENTCERT {
    if {[SSL::cert count] > 0} {
        set dist_name [X509::subject [SSL::cert 0]]
        log local0. "$dist_name"
    }
}

###Create the Headers to insert the proxy secret and the client certificate DN.
when HTTP_REQUEST {
    log local0. "$dist_name"
    HTTP::header insert "x-ssl-termination-proxy-secret" "fGQazLDRzYBfiKQ"
    if { $dist_name != ""} {
        HTTP::header insert "X-SSL-Client-DN" $dist_name 
    }
    
  if { [HTTP::cookie exists "JSESSIONID"] } {
    persist uie [HTTP::cookie "JSESSIONID"]
  }
}

when HTTP_RESPONSE {
  if { [HTTP::cookie exists "JSESSIONID"] } {
    persist add uie [HTTP::cookie "JSESSIONID"]
  }
}


4. Add the Certificates, your service prefered certificate and client-ca.pem from Veridium Server (in our case will be *.veridium-dev.com + the client-ca).

The certificates are located in the WEBAPP in

/etc/veridiumid/haproxy/server.pem for *.veridium-dev.com

/etc/veridiumid/haproxy/client-ca.pem for client-ca


4.1. Add the “RSA Certificate & Key” for wildcard certificate in F5

Go to “System” → “Certificate Management” → “Traffic Certificate Management” → “SSL Certificate List” and click to the “IMPORT” button (located in the right side).

Our file is /etc/veridiumid/haproxy/server.pem, but we need to have the following format:


Screenshot 2022-09-21 at 13.31.33.png



At the end we need to have something like this:

Screenshot 2022-09-21 at 13.36.47.png


4.2. Add the “Certificate Bundle“

Go to “System” → “Certificate Management” → “Traffic Certificate Management” → “SSL Certificate List” and click to the “IMPORT” button (located in the right side).

Our file is /etc/veridiumid/haproxy/client-ca.pem but we need to have the following format:


Screenshot 2022-09-21 at 13.32.31.png




5. SSL Profiles


5.1. Profile for SSL Client

Go to “Local Traffic” → “Profiles” → “SSL” → Client and here we need to create 3 profiles:


5.1.1. Profile wildcard.veridium-dev.com

Screenshot 2022-09-21 at 13.39.45.png
Screenshot 2022-09-21 at 13.40.20.png
Screenshot 2022-09-21 at 13.40.44.png


5.1.2. Profile wildcard.veridium-dev.com-client-ca

Screenshot 2022-09-21 at 13.42.23.png
Screenshot 2022-09-21 at 13.42.36.png
Screenshot 2022-09-21 at 13.40.44.png


5.1.3. Profile wildcard.veridium-dev.com-client-ca-opt

Screenshot 2022-09-21 at 13.43.32.png
Screenshot 2022-09-21 at 13.43.42.png
Screenshot 2022-09-21 at 13.40.44.png


5.1. Profile for SSL Server

Go to “Local Traffic” → “Profiles” → “SSL” → Server and here we need to create 1 profile:

Screenshot 2022-09-21 at 13.46.43.png
Screenshot 2022-09-21 at 13.46.54.png
Screenshot 2022-09-21 at 13.47.01.png


6. SSL Profiles

6.1. Profile for HTTP Profile Client

Go to “Local Traffic” → “Profiles” → “Services” and here we need to create profile “http_reverse“

Screenshot 2022-09-21 at 13.53.38.png
Screenshot 2022-09-21 at 13.54.15.png


6. Policies

Go to “Local Traffic” → “Policies” → “Policy List” and here we need to create the following:


6.1. Policy dev9-webapp-dmz

Screenshot 2022-09-21 at 14.56.26.png

6.2. Policy dev9-webapp-idp

Screenshot 2022-09-22 at 10.56.32.png


6.3. Policy dev9-webapp-ssp

Screenshot 2022-09-21 at 14.59.13.png


6.4. Policy dev9-webapp-websec-admin

Screenshot 2022-09-21 at 14.59.48.png


6.5. Policy dev9-webapp-host

Screenshot 2022-09-21 at 15.00.49.png


Remember!!! After we create a rule we need to publish it. Go in “Local Traffic” → Policies → in the section “Draft Policies“ select the policies/policy and press “Publish”. At the end you will have:

Screenshot 2022-09-21 at 15.04.28.png


7. Virtual Servers

Go to “Local Traffic” → “Virtual Servers” and here we need to create the following virtual servers:


7.1. Virtual Server “webapp-bops“

Screenshot 2022-09-21 at 15.11.27.png
Screenshot 2022-09-21 at 15.11.37.png


Screenshot 2022-09-21 at 15.11.49.png


7.2. Virtual Server “webapp-dmz“

Screenshot 2022-09-21 at 15.11.49.png


Screenshot 2022-09-21 at 15.14.41.png


Screenshot 2022-09-21 at 15.15.00.png


7.3. Virtual Server “webapp-idp“

Screenshot 2022-09-21 at 15.17.51.png
Screenshot 2022-09-21 at 15.18.02.png


Screenshot 2022-09-21 at 15.18.12.png


7.4. Virtual Server “webapp-ssp“

Screenshot 2022-09-21 at 15.20.57.png


Screenshot 2022-09-21 at 15.21.05.png


Screenshot 2022-09-21 at 15.21.14.png


7.5. Virtual Server “webapp-websec-admin“

Screenshot 2022-09-21 at 15.23.47.png
Screenshot 2022-09-21 at 15.23.57.png


Screenshot 2022-09-21 at 15.24.13.png


7.5. Virtual Servers List

At the end we need to have:

Screenshot 2022-09-21 at 15.26.23.png