Sunday, February 8, 2015

F5 101 my prep

Starting with Blueprint

http://www.f5.com/pdf/certification/exams/blueprint-app-delivery-fundamentals-exam.pdf

Monday, November 25, 2013

Prober

http://support.f5.com/kb/en-us/products/big-ip_gtm/manuals/product/gtm_config_10_2/gtm_probing.html

Monday, October 28, 2013

About MAC masquerade addresses

http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-device-service-clustering-11-4-0/8.html

A MAC masquerade address is a unique, floating Media Access Control (MAC) address that you create and control. You can assign one MAC masquerade address to each traffic group on a BIG-IP® device. By assigning a MAC masquerade address to a traffic group, you indirectly associate that address with any floating IP addresses (services) associated with that traffic group. With a MAC masquerade address per traffic group, a single VLAN can potentially carry traffic and services for multiple traffic groups, with each service having its own MAC masquerade address.
A primary purpose of a MAC masquerade address is to minimize ARP communications or dropped packets as a result of a failover event. A MAC masquerade address ensures that any traffic destined for the relevant traffic group reaches an available device after failover has occurred, because the MAC masquerade address floats to the available device along with the traffic group. Without a MAC masquerade address, on failover the sending host must relearn the MAC address for the newly-active device, either by sending an ARP request for the IP address for the traffic or by relying on the gratuitous ARP from the newly-active device to refresh its stale ARP entry.
The assignment of a MAC masquerade address to a traffic group is optional. Also, there is no requirement for a MAC masquerade address to reside in the same MAC address space as that of the BIG-IP device.

Tuesday, October 15, 2013

Monitors on F5

https://devcentral.f5.com/articles/monitoring-tcp-applications-01

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip9_3config/BIG_IP_LTM_9_3_Config_Guide-13-1.html?sr=1

Wednesday, September 25, 2013

Openssl commands


Some Useful Openssl Commands


http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip9_0cli/BIG_IP9_0XCLIGuide2-5-1.html

Read content of a cert:

openssl x509 -text -in server.crt

Read content of a CSR:
openssl req -in server.csr -noout -text

Check a key to see if a key has a password:
openssl rsa -in keyfile.key    [if it prompts for a password, the key was created with a password]

Check if a cert and key match:
The MD5 digests printed by the two commands below must be identical for the cert and key to be a pair (both print the digest of the RSA modulus):

openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in keyfile.key | openssl md5

Creating a self signed ssl certificates:
Create a private key:
openssl genrsa -des3 -out server.key 2048   [-des3 prompts for a passphrase and encrypts the key with it; an empty passphrase is rejected, so omit -des3 if the key should not be password protected]


Generating a certificate signing request (CSR):
openssl req -new -key server.key -out server.csr

It prompts for the following:
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, application’s name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Creating the certificate:
openssl x509 -req -days <no.of days> -in server.csr -signkey server.key -out server.crt

Example: if a certificate valid for one year is needed, the command is:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
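The three self-signed-certificate steps above, run non-interactively, followed by the cert/key pairing check from earlier in this post and an expiry check. This is an added example, not from the original post; it assumes the openssl CLI is installed, and every file name and the CN are constructed here.

```shell
# Added example, not from the original post: the three self-signed-cert
# steps above run non-interactively, followed by the two checks to do
# before attaching a cert to an SSL VIP: does the key belong to the cert,
# and will the cert still be valid in N days? Assumes the openssl CLI;
# all file names and the CN are constructed here.
set -e

# Step 1: private key. -des3 is left out so nothing prompts for a
# passphrase (with -des3 an empty passphrase is rejected).
make_key() {
  openssl genrsa -out "$1" 2048 2>/dev/null
}

# Step 2: CSR. -subj supplies the distinguished name the interactive
# prompts would otherwise ask for.
make_csr() {
  openssl req -new -key "$1" -out "$2" \
    -subj "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=$3"
}

# Step 3: self-sign the CSR with its own key for $4 days.
make_cert() {
  openssl x509 -req -days "$4" -in "$1" -signkey "$2" -out "$3" 2>/dev/null
}

# Cert and key are a pair only if their RSA modulus digests match
# (the pairing check from the post, using x509 for the certificate side).
cert_key_match() {
  c=$(openssl x509 -noout -modulus -in "$1" | openssl md5)
  k=$(openssl rsa -noout -modulus -in "$2" | openssl md5)
  [ "$c" = "$k" ]
}

# 0 if the cert is still valid $2 days from now, 1 if it will have
# expired by then; -checkend wants seconds, so scale the days.
cert_valid_for_days() {
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

W=$(mktemp -d)
make_key "$W/server.key"
make_csr "$W/server.key" "$W/server.csr" vip.example.com
make_cert "$W/server.csr" "$W/server.key" "$W/server.crt" 365
make_key "$W/other.key"   # an unrelated key, to show the mismatch case

cert_key_match "$W/server.crt" "$W/server.key" && echo "server.key matches server.crt"
cert_key_match "$W/server.crt" "$W/other.key" || echo "other.key does not match"
cert_valid_for_days "$W/server.crt" 30 && echo "still valid in 30 days"
cert_valid_for_days "$W/server.crt" 400 || echo "expired within 400 days"
```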

Testing an SSL connection with openssl:
If a VIP or server IP is configured on a port with SSL certificates attached to it, telnet cannot be used to test the content on it (for checking ECV monitors) the way it can for plain HTTP VIPs/server IPs. In these cases openssl can be used instead:
openssl s_client -connect <ip>:<port>
This opens an SSL connection to the server and prints the certificate it presents. At the prompt we can type the GET string, Host header etc. to test the content on the VIP/server IP.
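Scripting that ECV-style check instead of typing the request at the s_client prompt, as an added example that is not from the original post. The VIP host, port, path and the expected receive string are placeholders passed on the command line; it assumes the openssl CLI.

```shell
# Added example, not from the original post: reproduce what an HTTPS ECV
# monitor does against an SSL VIP, using openssl s_client instead of
# telnet. Host, port, path and the expected "receive string" are assumed
# values passed on the command line; point them at the VIP under test.
set -e

# Build the HTTP/1.1 request an ECV send string would carry. CRLF line
# endings and the terminating blank line are required or the server
# keeps waiting; Connection: close makes the server end the session.
build_request() {
  printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$2" "$1"
}

# Send the request through a TLS session and return the status line.
# -servername sets SNI so a VIP holding several certificates picks the
# right one; -quiet suppresses the handshake dump so only the HTTP
# response is printed (it also keeps s_client open until the server
# closes, which Connection: close guarantees).
ssl_probe_status() {
  build_request "$1" "$3" \
    | openssl s_client -connect "$1:$2" -servername "$1" -quiet 2>/dev/null \
    | head -n 1 | tr -d '\r'
}

# Mirror the monitor's receive-string test: 0 if the status line
# contains the expected text, 1 otherwise.
ecv_match() {
  case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# Usage: sh probe.sh run <host> [port] [path] [receive-string]
if [ "${1:-}" = "run" ]; then
  status=$(ssl_probe_status "$2" "${3:-443}" "${4:-/}")
  echo "status line: $status"
  ecv_match "$status" "${5:-200 OK}" && echo "monitor would mark UP" || echo "monitor would mark DOWN"
fi
```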

 --------------------------------------------------------------------------------------------------------------------------

Getting the certificate dates

echo | openssl s_client -connect remotedeposit-cit2.bankofamerica.com:443 2>/dev/null | openssl x509 -noout -dates
or

curl -kv https://abc.example.com 2>&1 | grep expire


GUI | https is giving error on F5

You can try restarting the httpd and tomcat services by running the following commands:

# bigstart stop httpd

# bigstart restart tomcat

# bigstart start httpd