Simplifying Automation Of Certificate Binding To Load Balancing Applications

Let’s first understand the role ADC automation plays today

ADC automation and management has taken the front seat in network-driven processes and systems, for two reasons: (a) to eliminate operational complexity and (b) to provide app-centric visibility. As the world increasingly moves to multi-cloud infrastructure, ADC automation tools must integrate seamlessly with, and orchestrate, the various services that make up that infrastructure: GSLB, DNS, load balancing, firewall, WAF, certificate, network, ITSM, and notification services.

Our core application delivery automation and orchestration capabilities include the ability to

  • Automate F5 BIG-IP and NGINX configurations (LB/DNS/WAF)
  • Create/modify/decommission LB/DNS/WAF objects – VIP/WIP/ASM/IPAM – and the related ITSM business process
  • Business process automation with ITSM integration (ServiceNow, BMC Remedy, CA)

SSL Certificates: what is the significance of an SSL certificate in a load balancing application?

First, let’s look into some basic concepts: 

a. A listener is a logical component or process that checks for connection requests. The listener configuration is usually set up separately for the front-end (client to load balancer) and back-end (load balancer to server) connections, each with its own protocol and port, which improves security by letting the two legs be controlled independently.

b. For performance and security reasons, the following protocols are supported by Elastic Load Balancing (ELB):

  • HTTP
  • HTTPS (secure HTTP)
  • TCP
  • SSL (secure TCP)

c. The HTTPS protocol is HTTP carried over an encryption protocol (SSL, today TLS), which protects the information packets in transit. SSL itself usually runs on top of TCP.

d. The back-end protocol is chosen based on the front-end connection protocol. For example:

  If the front-end connection uses    Then the back-end connection can use
  TCP or SSL                          TCP or SSL
  HTTP or HTTPS                       HTTP or HTTPS

Thus, if your front-end listener uses the HTTPS protocol, the associated load balancer requires an SSL or TLS certificate binding. The load balancer uses the certificate to
        a. terminate the client’s SSL/TLS connection at the load balancer, and
        b. then decrypt the client requests before sending them to the servers.

The SSL certificate is essentially used:
        a. for the SSL encryption and decryption processes, and
        b. during the SSL handshake, to prove the identity of the SSL server to the client.

This blog talks about an Object Definition template to apply a certificate to a load balancer application or, in other words, “binding a certificate to the load balancing application.” 


How to simplify your company’s automation challenge?

There is an evolving movement to make workplaces and technology more inclusive for all. Automation is a big part of that, but it’s not without its challenges. In order to streamline operations, it is crucial that the team responsible for automation understands how it works. 

  • Identify business relevance: break it down in a way that is relevant to your business. This might resemble, “We have three types of ADC apps: internal, external, and partner. Here’s what is needed to build each one. Now let’s figure out the assembly process, then expose it on the enterprise ticketing system for our CI/CD (Continuous Integration/Continuous Delivery) pipeline.”
  • Evaluate your critical apps. Determine their ADC components and specifics.
  • Map out the variables to the input of the ADC component definition.
  • Identify what your user input will be.

To summarize, automation prep consists of the following steps: first, get to know your system inside and out. Second, identify where and how automation is possible. Finally, set up an appropriate process for automating what you’ve identified.

Use Case: 

ADC Object Definition for Certificate Binding to a Load Balancing Application

For example, if someone needs a public app that will use the HTTPS protocol, their input and how it maps to the ADC Object Definition would look like this:

The user input:

{"appname": "app1-db", "domain": "mybiz.com"}

The SSL client profile:

# Client-SSL profile Object Definition for the F5 BIG-IP (a Python dict in the
# JSON-like shape the ADC expects). Fixed values are prepopulated; the empty ""
# inside the cert and key paths is where a <variable> taken from the user input
# (see the note on <> below) is inserted when the template is rendered.
profile_client_ssl = {
  "name": "sample_client_ssl",
  "partition": "Common",                          # administrative partition holding the objects
  "cert": "/Common/""-08DEC21-Qz3Aaj437.crt",     # server certificate object
  "chain": "/Common/ca-chain-prod.crt",           # intermediate CA chain presented with it
  # allowed cipher suites: only forward-secret (DHE/ECDHE) AES-GCM suites
  "ciphers": "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES128-GCM-SHA256",
  "defaultsFrom": "/Common/default-clientssl-profile",  # parent profile whose settings are inherited
  "description": "https://linktoitsm.mybiz.com and https://rqsttkts.mybiz.com",
  "key": "/Common/""-08DEC21-Qz3Aaj437.key",      # private key object matching the cert
  "ocspStapling": "disabled",
  "tmOptions": [                                  # TLS protocol options
    "dont-insert-empty-fragments",
    "no-tlsv1.1",                                 # these four disable SSLv2, SSLv3, TLS 1.0 and
    "no-sslv2",                                   # TLS 1.1, leaving TLS 1.2 and newer only
    "no-sslv3",
    "no-tlsv1"
  ],
  "sslSignHash": "any",
  "certKeyChain": [                               # the cert/key/chain set bound to the profile
    {
      "name": "-08DEC21-Qz3Aaj437_ca-chain-prod",
      "appService": "none",
      "cert": "/Common/""-08DEC21-Qz3Aaj437.crt",
      "chain": "/Common/ca-chain-prod.crt",
      "key": "/Common/""-08DEC21-Qz3Aaj437.key"
    }
  ]
}

Breaking down the Object Definition: 

  • The ADC expects exactly this Object Definition format, so follow it before you send the instructions to the ADC. 
  • The Object Definition isn’t something the requester or a CISO needs to know about, but they would recognise the variables in it. 

Note: The parameters enclosed in the symbols <> are the variables. 

  • This Object Definition contains parameters that identify the certificate location and all of the attributes related to binding the cert to the load balancing application. 
  • A user requesting a new binding should ideally know only which variables need to be provided. 
  • The ADC to which these variables are fed, however, needs the entire Object Definition structure as drafted above.  
  • Essentially, this set is defined once and is the same for all applications. Some values are prepopulated, and some are user-defined or custom attributes. 
  • In short, the Object Definition acts as a template. 
  • For example, it can be treated as one automation sequence that applies the same encryption criteria on the same F5, while creating a unique object for each application from the attributes it was given. 
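As an added example (not code from the page, the author, or ADC+), the following Python renders a client-SSL Object Definition of this shape from the two-field user input above and checks the result before it would be handed to the ADC. The placeholder names (<appname>, <domain>, <certid>), the cert/key file naming, the function names and the validation rules are assumptions for illustration; the sample input reuses the page’s app1-db / mybiz.com values and its certificate id.

```python
# Added example, not the page's or ADC+'s code: render and check a BIG-IP
# client-SSL Object Definition.  Placeholder names, file naming, function
# names and the validation rules are assumptions for illustration.
import copy
import json
import re

# Whether a front-end listener protocol needs a certificate binding
# (the page's rule: an HTTPS or SSL front end needs a client-SSL profile).
CERT_REQUIRED = {"HTTPS": True, "SSL": True, "HTTP": False, "TCP": False}
# tmOptions every rendered profile must keep so legacy versions stay disabled.
REQUIRED_TM_OPTIONS = {"no-sslv2", "no-sslv3", "no-tlsv1", "no-tlsv1.1"}
# Substrings of cipher suite names the assumed policy refuses to ship.
WEAK_CIPHER_TOKENS = ("NULL", "RC4", "DES", "MD5", "EXP", "ADH", "AECDH")
# appname becomes part of a /Common/... object path, so only a plain DNS-style
# label is accepted: no "/", "..", spaces or quotes can reach the ADC.
NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,62}$")
PLACEHOLDER_RE = re.compile(r"<[a-z]+>")

# Template: fixed values are prepopulated once; <...> are per-app variables.
TEMPLATE = {
    "name": "<appname>_client_ssl",
    "partition": "Common",
    "cert": "/Common/<appname>-<certid>.crt",
    "chain": "/Common/ca-chain-prod.crt",
    "key": "/Common/<appname>-<certid>.key",
    "ciphers": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384",
    "defaultsFrom": "/Common/default-clientssl-profile",
    "description": "<appname>.<domain>",
    "ocspStapling": "disabled",
    "tmOptions": ["dont-insert-empty-fragments", "no-tlsv1.1", "no-sslv2", "no-sslv3", "no-tlsv1"],
    "sslSignHash": "any",
    "certKeyChain": [{
        "name": "<appname>-<certid>_ca-chain-prod",
        "appService": "none",
        "cert": "/Common/<appname>-<certid>.crt",
        "chain": "/Common/ca-chain-prod.crt",
        "key": "/Common/<appname>-<certid>.key",
    }],
}


def fill(node, variables):
    """Recursively substitute <name> placeholders in every string of node."""
    if isinstance(node, str):
        for name, value in variables.items():
            node = node.replace("<%s>" % name, value)
        return node
    if isinstance(node, list):
        return [fill(item, variables) for item in node]
    if isinstance(node, dict):
        return {key: fill(value, variables) for key, value in node.items()}
    return node


def input_errors(user_input):
    """Return a list of problems with the user-supplied variables."""
    errors = ["missing user input: %s" % key
              for key in ("appname", "domain") if not user_input.get(key)]
    appname = user_input.get("appname", "")
    if appname and not NAME_RE.match(appname):
        errors.append("appname is not a plain label: %r" % appname)
    return errors


def profile_errors(profile):
    """Return a list of problems with a rendered Object Definition."""
    errors = []
    if PLACEHOLDER_RE.search(json.dumps(profile)):
        errors.append("unfilled placeholder in definition")
    missing = REQUIRED_TM_OPTIONS - set(profile["tmOptions"])
    if missing:
        errors.append("legacy protocols not disabled: %s" % ",".join(sorted(missing)))
    for suite in profile["ciphers"].split(":"):
        if any(token in suite for token in WEAK_CIPHER_TOKENS):
            errors.append("weak cipher in list: %s" % suite)
    prefix = "/%s/" % profile["partition"]
    for entry in [profile] + profile["certKeyChain"]:
        for field in ("cert", "key", "chain"):
            if not entry[field].startswith(prefix):
                errors.append("%s outside partition: %s" % (field, entry[field]))
        # cert and key must name the same object stem (foo.crt / foo.key)
        if entry["cert"][:-4] != entry["key"][:-4]:
            errors.append("cert/key pair mismatch: %s" % entry["cert"])
    return errors


def build_client_ssl_profile(user_input, certid, frontend_protocol="HTTPS"):
    """Render the definition for one app, or return None when the front-end
    protocol needs no certificate binding.  Raises ValueError on bad input."""
    proto = frontend_protocol.upper()
    if proto not in CERT_REQUIRED:
        raise ValueError("unknown front-end protocol: %s" % frontend_protocol)
    if not CERT_REQUIRED[proto]:
        return None
    errors = input_errors(user_input)
    if errors:
        raise ValueError("; ".join(errors))
    variables = {"appname": user_input["appname"], "domain": user_input["domain"], "certid": certid}
    profile = fill(copy.deepcopy(TEMPLATE), variables)
    errors = profile_errors(profile)
    if errors:
        raise ValueError("; ".join(errors))
    return profile


if __name__ == "__main__":
    # Constructed sample: the page's user input and its certificate id.
    sample = {"appname": "app1-db", "domain": "mybiz.com"}
    print(json.dumps(build_client_ssl_profile(sample, "08DEC21-Qz3Aaj437"), indent=2))
```

The two check functions run before anything is sent to the ADC: input_errors stops a requester-supplied appname from smuggling path separators into the /Common/ object names, and profile_errors refuses a rendered definition that lost one of the no-sslv*/no-tlsv* options, picked up a weak cipher suite, or pairs a cert with a key object of a different name, which are the mistakes that turn a template rollout into an outage or a downgrade exposure.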

Speed up your certificate binding process automation with ADC+ and get real-time SSL/TLS insight to help you secure your Load Balancer/ADC devices and prevent outages. With ADC+, you can get SSL certificates in minutes for all your Load Balancers, allowing you to move away from manual certificate binding processes and save time, reduce costs, and increase convenience for your employees. 

Check out my list of the top 19 problems that you can solve while managing ADC/ load balancers as a full-time Network Engineer.

Tags

  • ADC Automation
  • Load Balancer
  • load balancing application
  • SSL certificate

About the Author

Glenn Gray

Senior Solutions Architect
