
Configuring a Common Name on an SSL Service or Service Group for Server Certificate Authentication

Sep 01, 2016
In end-to-end encryption with server authentication enabled, you can include a common name in the configuration of an SSL service or service group. The name that you specify is compared to the common name in the server certificate during an SSL handshake. If the two names match, the handshake is successful. If the common names do not match, the common name specified for the service or service group is compared to values in the subject alternative name (SAN) field in the certificate. If it matches one of those values, the handshake is successful. This configuration is especially useful if there are, for example, two servers behind a firewall and one of the servers spoofs the identity of the other. If the common name is not checked, a certificate presented by either server is accepted if the IP address matches.
Note: Only domain name, URL, and email ID DNS entries in the SAN field are compared.
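The comparison order described above, sketched in Python as an added example (not the product's own code and not part of the original documentation). It assumes the certificate is already parsed into the dict layout returned by Python's ssl.SSLSocket.getpeercert(), that "domain name, URL, and email" correspond to the DNS, URI and email SAN types, and that names are compared as whole strings ignoring case; the appliance's exact matching rules are not stated on this page, and the two certificates are constructed samples.

```python
# Added illustration: models the CN-then-SAN comparison order described above.
# Certificates use the dict layout returned by ssl.SSLSocket.getpeercert().

# Assumption: the SAN types named in the note map to these getpeercert() labels.
# "IP Address" entries are deliberately absent, so they are never compared.
COMPARED_SAN_TYPES = {"DNS", "URI", "email"}


def subject_common_names(cert):
    """Return every commonName value found in the certificate subject."""
    return [value
            for rdn in cert.get("subject", ())
            for key, value in rdn
            if key == "commonName"]


def check_common_name(configured, cert):
    """Return (accepted, reason) for a server certificate.

    Assumption: whole-string, case-insensitive comparison (no wildcards).
    """
    wanted = configured.lower()
    # Step 1: compare against the common name in the certificate subject.
    if any(cn.lower() == wanted for cn in subject_common_names(cert)):
        return True, "matched subject CN"
    # Step 2: fall back to the SAN entries of the compared types.
    for san_type, value in cert.get("subjectAltName", ()):
        if san_type in COMPARED_SAN_TYPES and value.lower() == wanted:
            return True, f"matched SAN {san_type}"
    return False, "no CN or SAN match"


# Constructed sample certificates for two back-end servers.
CERT_A = {
    "subject": ((("commonName", "www.xyz.com"),),),
    "subjectAltName": (("DNS", "www.xyz.com"), ("DNS", "xyz.com")),
}
CERT_B = {
    "subject": ((("commonName", "internal-b.example"),),),
    "subjectAltName": (("DNS", "internal-b.example"),
                       ("IP Address", "10.0.0.5")),
}

if __name__ == "__main__":
    for label, cert in (("A", CERT_A), ("B", CERT_B)):
        for configured in ("www.xyz.com", "xyz.com", "10.0.0.5"):
            print(label, configured, check_common_name(configured, cert))
```

With the service configured for www.xyz.com, the certificate of server B is rejected even if B answers on the expected IP address, which is the spoofing case the paragraph describes.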

To configure common-name verification for an SSL service or service group by using the command line interface

At the command prompt, type the following commands to specify server authentication with common-name verification and verify the configuration:

  1. To configure a common name on a service, type:
    • set ssl service <serviceName> -commonName <string> -serverAuth ENABLED
    • show ssl service <serviceName>
  2. To configure a common name on a service group, type:
    • set ssl serviceGroup <serviceGroupName> -commonName <string> -serverAuth ENABLED
    • show ssl serviceGroup <serviceGroupName>

Example

 
> set ssl service svc1 -commonName www.xyz.com -serverAuth ENABLED 
 Done 
> show ssl service svc1 
	Advanced SSL configuration for Back-end SSL Service svc1: 
	DH: DISABLED 
	Ephemeral RSA: DISABLED 
	Session Reuse: ENABLED		Timeout: 300 seconds 
	Cipher Redirect: DISABLED 
	SSLv2 Redirect: DISABLED 
	Server Auth: ENABLED	Common Name: www.xyz.com  
	SSL Redirect: DISABLED 
	Non FIPS Ciphers: DISABLED 
	SNI: DISABLED 
	SSLv2: DISABLED	SSLv3: ENABLED	TLSv1: ENABLED 
 
1)	CertKey Name: cacert	CA Certificate		OCSPCheck: Optional 
 
1)	Cipher Name: ALL 
	Description: Predefined Cipher Alias 
 Done 
 

To configure common-name verification for an SSL service or service group by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Services or to Traffic Management > Load Balancing > Service Groups, and open a service or service group.
  2. In the SSL Parameters section, select Enable Server Authentication, and specify a common name.