Cisco 11503 Configuration Guide

Cisco 11503 - CSS Content Services Switch Manual

Cisco 11503 manual content summary:

  • Cisco 11503 | Configuration Guide - Page 1
    Cisco Content Services Switch SSL Configuration Guide Software Version 7.40 August 2004 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Text Part Number: OL-5655-01
  • Cisco 11503 | Configuration Guide - Page 2
    in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0406R) Cisco Content Services Switch SSL Configuration Guide Copyright © 2004, Cisco Systems, Inc. All rights reserved.
  • Cisco 11503 | Configuration Guide - Page 3
    and Information xxv Overview of CSS SSL 1-1 SSL Cryptography Overview 1-1 SSL Public Key Infrastructure Overview 1-2 Confidentiality 1-3 Authentication 1-4 Message Integrity 1-4 SSL Module Cryptography Capabilities 1-6
  • Cisco 11503 | Configuration Guide - Page 4
    Pair 3-5 Generating a DSA Key Pair 3-6 Generating Diffie-Hellman Key Parameters 3-7 Using an RSA Key to Generate a Certificate Signing Request 3-8 Generating a Self-Signed Certificate 3-10 Preparing a Global Site Certificate 3-11
  • Cisco 11503 | Configuration Guide - Page 5
    Pair Name 4-10 Specifying the Diffie-Hellman Parameter Filename 4-10 Specifying Cipher Suites 4-11 Configuring Client Authentication 4-15 Enabling Client Authentication 4-16 Specifying CA Certificates for Client Certificate Verification 4-16
  • Cisco 11503 | Configuration Guide - Page 6
    47 Creating an SSL Service 4-48 Specifying the SSL Acceleration Service Type 4-48 Adding an SSL Proxy List to an SSL Termination Service 4-49 Specifying the SSL Module Slot 4-49 Disabling Keepalive Messages for the SSL Module 4-50
  • Cisco 11503 | Configuration Guide - Page 7
    Configuring the Virtual Port 5-6 Configuring the Server IP Address 5-7 Configuring the Server Port 5-7 Configuring SSL Version 5-8 Configuring the Available Cipher Suites 5-8 Configuring SSL Session Cache Timeout 5-9 Configuring 5-16
  • Cisco 11503 | Configuration Guide - Page 8
    Server IP Address 6-8 Configuring the SSL Server Port 6-8 Configuring SSL Version 6-9 Configuring the Available Cipher Suites 6-9 Configuring SSL Session Cache Timeout 6-11 Configuring SSL Session Handshake Renegotiation 6-11
  • Cisco 11503 | Configuration Guide - Page 9
    an SSL Proxy List to an SSL Initiation Service 6-26 Specifying the SSL Module Slot 6-26 Configuring the SSL Initiation Service Keepalive Type 6-27 SSL Session ID Cache Size 6-28 Activating the SSL Service 6-28 Suspending the SSL Service 6-29
  • Cisco 11503 | Configuration Guide - Page 10
    - HTTP and Back-End SSL Servers 8-12 SSL Full Proxy Configuration - One SSL Module 8-17 SSL Initiation Configurations 8-21 SSL Tunnel to Four Data Centers 8-21 SSL Tunnel to One Data Center with Server Authentication 8-25 INDEX
  • Cisco 11503 | Configuration Guide - Page 11
    Proxy Configuration - HTTP and Back-End SSL Servers 8-13 Full Proxy Configuration Using a Single SSL Module 8-18 SSL Initiation Between a CSS and Four Data Centers 8-22 SSL Initiation Between a CSS and One Data Center 8-26
  • Cisco 11503 | Configuration Guide - Page 13
    Command 7-6 Field Descriptions for the show ssl files Command 7-8 Field Descriptions for the show ssl-proxy-list Command 7-10 Field Descriptions for the show ssl crl-record Command 7-14
  • Cisco 11503 | Configuration Guide - Page 14
    Tables: Table 7-10 Field Descriptions for the show ssl urlrewrite Command 7-15; Table 7-11 Field Descriptions for the show ssl statistics Command 7-17; Table 7-12 Field Descriptions for the show ssl flows Command 7-25
  • Cisco 11503 | Configuration Guide - Page 15
    instructions for configuring the SSL features of the Cisco 11500 Series Content Services Switches (CSS). Information in this guide applies to all CSS models except where noted. The CSS software is available in a Standard or optional Enhanced feature set. Proximity Database and Secure Management
  • Cisco 11503 | Configuration Guide - Page 16
    Back-End SSL Configure the CSS and the SSL Acceleration Module to accept SSL encrypted data from a client, decrypt the data to make a load-balancing decision, then reencrypt the data and send it to a back-end SSL server.
  • Cisco 11503 | Configuration Guide - Page 17
    series CSS. This guide provides information for installing, cabling, and powering the Cisco 11500 series CSS. In addition, this guide provides information about CSS specifications, cable pinouts, and hardware troubleshooting.
  • Cisco 11503 | Configuration Guide - Page 18
    , including displaying log messages and interpreting sys.log messages • User profile and CSS parameters • SNMP • RMON • XML documents to configure the CSS • CSS scripting language • Offline Diagnostic Monitor (Offline DM) menu
  • Cisco 11503 | Configuration Guide - Page 19
    Title Cisco Content Services Switch Routing and Bridging Configuration Guide Cisco Content Services Switch Content Load-Balancing Configuration Guide Description This guide describes how to perform routing and bridging configuration tasks on the CSS, including: • Management ports, interfaces
  • Cisco 11503 | Configuration Guide - Page 20
    • Firewall load balancing Cisco Content Services Switch Command Reference This reference provides an alphabetical list of all CLI commands including syntax, options, and related commands. Cisco Content Services Switch Device Management This guide describes how to use the Device Management user interface
  • Cisco 11503 | Configuration Guide - Page 21
    Symbols and Conventions This guide uses the following symbols and conventions to identify different types of information. Caution A caution means that a specific action you take could cause of the list subtopics is unimportant.
  • Cisco 11503 | Configuration Guide - Page 22
    • Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).
  • Cisco 11503 | Configuration Guide - Page 23
    the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL: http://tools.cisco.com/RPF/register/register.do
  • Cisco 11503 | Configuration Guide - Page 24
    , or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
  • Cisco 11503 | Configuration Guide - Page 25
    troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL: http://www.cisco.com/packet
  • Cisco 11503 | Configuration Guide - Page 26
    access the Internet Protocol Journal at this URL: http://www.cisco.com/ipj • World-class networking training is available from Cisco. You can view current offerings at this URL: http://www.cisco.com/en/US/learning/index.html
  • Cisco 11503 | Configuration Guide - Page 27
    SSL module. In this case, the client indicates an SSL version of 3.0 in the version 2.0 ClientHello, which informs the SSL module that the client can support SSL version 3.0. The SSL module returns a version 3.0 ServerHello message.
  • Cisco 11503 | Configuration Guide - Page 28
    Configuring SSL Certificates and Keys for details about the supported cipher suites. This section provides an overview on SSL cryptography as implemented through the SSL module in the CSS • Authentication • Message integrity
  • Cisco 11503 | Configuration Guide - Page 29
    Confidentiality Confidentiality means that unintended users cannot view the data. In PKIs, confidentiality is achieved by encrypting the data through a variety of methods. In SSL, specifically.
  • Cisco 11503 | Configuration Guide - Page 30
    data before transmitting it. A message digest is a function that takes an arbitrary length message and outputs a fixed-length string that is characteristic of the message.
  • Cisco 11503 | Configuration Guide - Page 31
    algorithm, which the recipient can then decode using the sender's public key. SSL supports two different algorithms for a MAC: Message Digest 5 (MD5) and Secure message digest.
  • Cisco 11503 | Configuration Guide - Page 32
    Termination for a list of supported cipher suites and key encryption types. Hash types • SSL MAC-MD5 • SSL MAC-SHA1 See Table 4-1 in Chapter 4, Configuring SSL Termination for a list of supported cipher suites and hash types.
  • Cisco 11503 | Configuration Guide - Page 33
    on the disk. The CSS stores all certificate and key-related files in a secure location on the disk. When processing connections, the CSS loads the certificates and keys into volatile memory on the SSL module for faster access.
  • Cisco 11503 | Configuration Guide - Page 34
    the data as clear text to the CSS for a decision on load balancing. The CSS transmits the data as clear text to an HTTP server. For more information about SSL termination in the CSS, see Chapter 4, Configuring SSL Termination.
  • Cisco 11503 | Configuration Guide - Page 35
    Figure 1-1 SSL Handshake Without Client Authentication (messages between SSL Client and SSL Server): ClientHello, ServerHello, Certificate, ServerHelloDone, ClientKeyExchange, ChangeCipherSpec, Finished, ChangeCipherSpec, Finished
  • Cisco 11503 | Configuration Guide - Page 36
    in the certificate. This ensures that the client possesses the key pair that was used to generate the certificate, and is not passing someone else's certificate. However, the CSS can check whether the issuer signature is authentic.
  • Cisco 11503 | Configuration Guide - Page 37
    flow from the CSS, the SSL module responds in the reverse direction and sends the encrypted data from the server back to the client. For more information about back-end SSL in the CSS, see Chapter 5, Configuring Back-End SSL.
  • Cisco 11503 | Configuration Guide - Page 38
    in the CSS, see Chapter 6, Configuring SSL Initiation. For more detailed information on the SSL module functions, see the "Processing of SSL Flows by the SSL Module" section in Chapter 8, Examples of CSS SSL Configurations.
  • Cisco 11503 | Configuration Guide - Page 39
    Chapter 2 SSL Configuration Quick Starts This chapter provides a quick overview on how to manage SSL certificates in the CSS, create an SSL proxy list for virtual and back-end SSL servers, and add an SSL proxy list to an SSL service. Each step includes the CLI command required to complete
  • Cisco 11503 | Configuration Guide - Page 40
    certificates on the CSS for internal SSL testing. A generated certificate is temporary and expires in 30 days. Table 2-1 RSA Certificate and Key Generation Quick Start Task and Command Example 1. Enter global configuration
  • Cisco 11503 | Configuration Guide - Page 41
    request to the screen. If you require a global site certificate that allows 128-bit encryption for export-restricted browsers, apply for a StepUp/SGC or chained certificate from the CA. You will receive your certificate in one to seven days.
  • Cisco 11503 | Configuration Guide - Page 42
    . Make sure that there is a single new line between the server and intermediate certificates. 10. Save the file. 11. Import the certificate into the CSS using the steps in the "RSA Certificate and Key Import Quick Start" section.
  • Cisco 11503 | Configuration Guide - Page 43
    Compare the public key in the associated certificate with the public key stored with the associated private key and verify that they are identical. (config) # ssl verify myrsacert1 myrsakey1 Certificate mycert1 matches key mykey1
  • Cisco 11503 | Configuration Guide - Page 44
    create a virtual SSL server entry in an SSL proxy list for an RSA certificate and key pair. For information on configuring client authentication, see "Configuring Client Authentication" in Chapter 4, Configuring SSL Termination.
  • Cisco 11503 | Configuration Guide - Page 45
    .168.3.6 8080 weight 5 7. (Optional) Specify the URL rewrite option for the domain name of the URL to be redirected to avoid nonsecure HTTP 300-series redirects. (config-ssl-proxy-list[ssl_list1])# ssl-server 20 urlrewrite 22 www.mydomain.com
  • Cisco 11503 | Configuration Guide - Page 46
    SSL module to encrypt the data and initiate an SSL connection to the server. You must configure back-end SSL with SSL termination. For the SSL termination quick start procedure, see the "SSL Termination Proxy List Quick Start" section.
  • Cisco 11503 | Configuration Guide - Page 47
    configure the backend-server number port and server-port commands with different port numbers. 6. (Optional) By default, the back-end server supports all available CSS cipher suites. If necessary, assign a specific cipher suite to be used by the back-end SSL server, for example the RSA certificates
  • Cisco 11503 | Configuration Guide - Page 48
    back-end server entry in the SSL proxy list to allow the SSL module to encrypt the data and initiate an SSL connection with the server. Table 2-5 provides an overview of steps required to create an SSL initiation proxy list.
  • Cisco 11503 | Configuration Guide - Page 49
    -server 1 server-port 40443 Note If you configure the backend-server number ip address and server-ip commands with the same address, configure the backend-server number port and server-port commands with different port numbers.
  • Cisco 11503 | Configuration Guide - Page 50
    server 1 server-ip 192.168.2.3 backend-server 1 server-port 40443 backend-server 1 cipher rsa-with-rc4-128-md5 weight 10 backend-server 1 rsacert myrsacert backend-server 1 rsakey myrsakey backend-server 1 cacert mycert1 active
  • Cisco 11503 | Configuration Guide - Page 51
    to the service. (config-service[ssl_serv1])# keepalive type none 5. Add the SSL proxy list to the SSL service. (config-service[ssl_serv1])# add ssl-proxy-list ssl_list1 6. Activate the SSL service. (config-service[ssl_serv1])# active
  • Cisco 11503 | Configuration Guide - Page 52
    . Save your configuration changes to the running configuration. # copy running-config startup-config 14. Continue to Table 2-7 if your configuration includes back-end SSL or Table 2-8 if your configuration includes SSL initiation.
  • Cisco 11503 | Configuration Guide - Page 53
    ])# type ssl-accel-backend 3. Configure a virtual IP (VIP) address for the back-end server. The IP address must match the IP address configured for the back-end server. (config-service[ssl_serv2])# vip address 192.168.4.4
  • Cisco 11503 | Configuration Guide - Page 54
    .3.6 10. Specify a TCP port number for the content rule. Ensure the port number is the same as the virtual TCP port specified for the back-end SSL entry in the SSL proxy list. (config-owner-content[ssl_backend_rule1])# port 8080
  • Cisco 11503 | Configuration Guide - Page 55
    none add ssl-proxy-list ssl_list1 active service ssl_serv2 type ssl-accel-backend ip address 192.168.4.4 port 8080 keepalive type ssl keepalive port 443 add ssl-proxy-list ssl_list1 active OWNER owner ssl_owner content ssl_backend_rule1
  • Cisco 11503 | Configuration Guide - Page 56
    Proxy List Quick Start" section. (config-service[ssl_serv1])# ip address 192.168.2.3 4. Configure the service port. The service port must match the SSL initiation back-end server port. (config-service[ssl_serv1])# port 8080
  • Cisco 11503 | Configuration Guide - Page 57
    example shows the results of entering the commands in Table 2-8. SERVICE service ssl-serv2 type ssl-init ip address 192.168.2.3 port 8080 slot 5 keepalive type ssl keepalive port 40443 add ssl-proxy-list ssl_list1 active
  • Cisco 11503 | Configuration Guide - Page 58
    [ssl_backend_rule1])# add service ssl_serv2 8. Activate the content rule. (config-owner-content[ssl_backend_rule1])# active 9. Save your configuration changes to the running configuration. # copy running-config startup-config
  • Cisco 11503 | Configuration Guide - Page 59
    -configuration example shows the results of entering the commands in Table 2-9. OWNER owner ssl_owner content ssl_init_rule1 vip address 192.168.2.3 port 80 url "/*" advanced-balance arrowpoint-cookie add service ssl_serv1 active
  • Cisco 11503 | Configuration Guide - Page 61
    server certificate originated from the CA. This certificate also can verify that a certificate revocation list (CRL) originated from the CA. This CA certificate includes the CA distinguished name, public key, and digital signature.
  • Cisco 11503 | Configuration Guide - Page 62
    modes of the CSS and have strong password policies to protect those user modes. For more information, refer to the Cisco Content Services Switch Command Reference, Chapter 2, CLI Commands, the "(config) username-technician" section.
  • Cisco 11503 | Configuration Guide - Page 63
    the CSS to recognize it as a certificate. Verify that the public key in the keypair association matches the public key in the certificate association. Now you can configure the CSS SSL proxy list, service, and content rule.
  • Cisco 11503 | Configuration Guide - Page 64
    -Hellman parameters, and certificates for the CSS, the CSS includes a series of certificate and private key management utilities to generate them Key to Generate a Certificate Signing Request • Generating a Self-Signed Certificate
  • Cisco 11503 | Configuration Guide - Page 65
    . You can then create a temporary certificate for internal testing until the CA responds to the certificate request and returns the authentic certificate. Each generated key pair must be accompanied by a certificate to work.
  • Cisco 11503 | Configuration Guide - Page 66
    patient this could take a few minutes You must also associate a DSA key pair name with the generated DSA key pair as discussed in the "Associating Certificate and Private Key Files with Names" section of this chapter.
  • Cisco 11503 | Configuration Guide - Page 67
    password appears in the CSS running configuration as a DES-encoded string. For example, to generate the Diffie-Hellman key parameter list dhparamfile2, enter: (config) # ssl gendh dhparamfile2 512 "passwd123" Please be patient this could take a few minutes
  • Cisco 11503 | Configuration Guide - Page 68
    BxMKQm94Ym9yb3VnaDEcMBoGA1UEChMTQ2lzY28gU3lzdGVtcywgSW5jLjESMBAG A1UECxMJV2ViIEFkbWluMRYwFAYDVQQDEw13d3cuY2lzY28uY29tMSEwHwYJKoZI hvcNAQkBFhJra3JvZWJlckBjaXNjby5jb20wXDANBgkqhkiG9w0BAQEFAANLADBI
  • Cisco 11503 | Configuration Guide - Page 69
    private key. While this produces a valid certificate, most browsers flag the certificate as signed by an unrecognized signing authority. To generate a temporary certificate, see the "Generating a Self-Signed Certificate" section.
  • Cisco 11503 | Configuration Guide - Page 70
    • "password" - The password used to encode the certificate file using DES (Data Encryption Standard) before it is stored as a file on the CSS. Encoding the file prevents unauthorized access to the imported certificate and private
  • Cisco 11503 | Configuration Guide - Page 71
    CA certificate. The intermediate CA certificate validates the global certificate. You can obtain a VeriSign Intermediate certificate from the following link: http://www.verisign.com/support/install/intermediate.html
  • Cisco 11503 | Configuration Guide - Page 72
    ssh global command. If SSH access is restricted, or if the license key is not installed, SSH will not accept connections from SSH clients and the copy ssl sftp command will fail, resulting in generation of an error message.
  • Cisco 11503 | Configuration Guide - Page 73
    Note For details about configuring Secure Shell Daemon on the CSS, refer to the Cisco Content Services Switch Security Configuration Guide. • On the SFTP server, verify that the server is properly configured so that the user directory points to
  • Cisco 11503 | Configuration Guide - Page 74
    an imported certificate from an Apache/SSL UNIX server. - PKCS12 - Standard from RSA Data Security, Inc. for storing certificates and private keys. For example, an imported certificate from a Microsoft Windows 2000 IIS 5.0 server.
  • Cisco 11503 | Configuration Guide - Page 75
    " Connecting Completed successfully For example, to import the rsakey.pem certificate from a remote server to the CSS, enter: # copy ssl sftp ssl_record import rsakey.pem PEM "passwd123" Connecting Completed successfully
  • Cisco 11503 | Configuration Guide - Page 76
    covers: • Associating a Certificate with a File • Associating an RSA Key Pair with a File • Associating a DSA Key Pair with a File • Associating Diffie-Hellman Parameters with a File • Verifying a Certificate Against a Key Pair
  • Cisco 11503 | Configuration Guide - Page 77
    no form of the command does not function if the associated certificate is in use by command. Use the no form of the command to remove the association with the file. The syntax for this command is: ssl associate rsakey keyname filename
  • Cisco 11503 | Configuration Guide - Page 78
    The variables are: command. For example, to associate the DSA key name mydsakey1 with the imported dsakey.pem, enter: (config) # ssl associate dsakey mydsakey1 dsakey.pem
  • Cisco 11503 | Configuration Guide - Page 79
    the association with the file, enter: (config) # no ssl associate dhparam mydhparam1 Note The no form of the command will not function if the associated Diffie-Hellman parameter list is in use by an active SSL proxy list.
  • Cisco 11503 | Configuration Guide - Page 80
    to the file by specifying the no ssl associate command (see the "Associating Certificate and Private Key Files with Names" section). The syntax for this global configuration mode command is: clear ssl file filename password
  • Cisco 11503 | Configuration Guide - Page 81
    DES when it was originally imported or generated by the CSS. This password must be an exact match or the file cannot be cleared. For example, to remove dsacert.pem from the CSS, enter: # clear ssl file dsacert.pem "passwd123"
  • Cisco 11503 | Configuration Guide - Page 83
    data and sends the data as clear text to the CSS for a decision on load balancing. The CSS transmits the data as clear text either to an HTTP server or back to the SSL module for encryption to a configured back-end SSL server.
  • Cisco 11503 | Configuration Guide - Page 84
    text string from 1 to 31 characters. For example, to create the SSL proxy list, ssl_list1, enter: (config)# ssl-proxy-list ssl_list1 Create ssl-list , [y/n]: y
  • Cisco 11503 | Configuration Guide - Page 85
    list, enter: (config-ssl-proxy-list[ssl_list1])# description "This is the SSL list for www.brandnewproducts.com" To remove the description from a specific SSL proxy list, enter: (config-ssl-proxy-list[ssl_list1])# no description
  • Cisco 11503 | Configuration Guide - Page 86
    proxy list to make modifications to any of the virtual SSL servers in a specific SSL proxy list. Once you have modified the SSL proxy list, suspend the SSL service, activate the SSL proxy list, and then activate the SSL service.
  • Cisco 11503 | Configuration Guide - Page 87
    the Nagle Algorithm for SSL TCP Connections • Specifying the TCP Buffering for SSL TCP Connections To view configuration information on an SSL proxy list, see Chapter 7, Displaying SSL Configuration Information and Statistics.
  • Cisco 11503 | Configuration Guide - Page 88
    is not accepted and an error message appears indicating host resolution failure. For details on configuring a Domain Name Service, refer to the Cisco Content Services Switch Global Server Load-Balancing Configuration Guide.
  • Cisco 11503 | Configuration Guide - Page 89
    the added services. If a match is not found, the CSS logs an error message and does not activate the content rule. For example, to specify a virtual port of 444, enter: (config-ssl-proxy-list[ssl_list1])# ssl-server 20 port 444
  • Cisco 11503 | Configuration Guide - Page 90
    list, the CSS logs an error message and does not activate the list. For example, to specify a previously defined RSA certificate association named rsacert, enter: (config-ssl-proxy-list[ssl_list1])# ssl-server 20 rsacert myrsacert1
  • Cisco 11503 | Configuration Guide - Page 91
    dsacert, enter: (config-ssl-proxy-list[ssl_list1])# ssl-server 20 dsacert mydsacert1 To remove a DSA certificate association from a specific virtual SSL server, enter: (config-ssl-proxy-list[ssl_list1])# no ssl-server 20 dsacert
  • Cisco 11503 | Configuration Guide - Page 92
    dsakey ? command. The DSA key pair must already be loaded on the CSS and an association made (see Chapter 3, Configuring SSL Certificates and specific virtual SSL server, enter: (config-ssl-proxy-list[ssl_list1])# no ssl-server 20 dhparam
  • Cisco 11503 | Configuration Guide - Page 93
    imported to or generated on the CSS. For example, if you choose all-cipher-suites, you must have an RSA certificate and key, a DSA certificate and key, and a Diffie-Hellman parameter file prior to activating the SSL proxy list.
  • Cisco 11503 | Configuration Guide - Page 94
    for the specific SSL server (and corresponding SSL proxy list). Table 4-1 also lists whether those cipher suites are exportable from the CSS, along with the authentication certificate and encryption key required by the cipher suite.
  • Cisco 11503 | Configuration Guide - Page 95
    Table 4-1 fragment (the cipher-suite name column was not captured; the remaining columns are Exportable / Authentication certificate / Key exchange): ... certificate, RSA key exchange; No, RSA certificate, RSA key exchange; No, DSA (DSS) certificate, Ephemeral Diffie-Hellman; No, DSA (DSS) certificate, Ephemeral Diffie-Hellman; No, RSA certificate, Ephemeral Diffie-Hellman key exchange
  • Cisco 11503 | Configuration Guide - Page 96
    party is authenticated ... Table 4-1 fragment (cipher-suite name column not captured; columns are Exportable / Authentication certificate / Key exchange): ... Diffie-Hellman; Yes, RSA certificate, RSA key exchange; Yes, DSA (DSS) certificate, Ephemeral Diffie-Hellman; Yes, RSA certificate, RSA key exchange; Yes, DSA (DSS) certificate, Ephemeral Diffie-Hellman
  • Cisco 11503 | Configuration Guide - Page 97
    proxy-list ssl-server command. To view SSL counters for client authentication-related activities, use the show ssl statistics command. See Chapter 7, Displaying SSL Configuration Information and Statistics for more information.
  • Cisco 11503 | Configuration Guide - Page 98
    3, Configuring SSL Certificates and Keys. You must configure at least one certificate; however, you can configure a maximum of four certificates. If you try to configure more than four certificates, the CSS displays an error message.
  • Cisco 11503 | Configuration Guide - Page 99
    mycert1 ... Configuring a CRL Record: When a CA revokes a certificate, the CA places the certificate on a certificate revocation list (CRL) and publishes it for public availability. For the CSS to ... example.com/crl/clientcert.crl).
  • Cisco 11503 | Configuration Guide - Page 100
    : (config)# no ssl crl-record mycrl To view configuration information on a CRL, use the show ssl crl-record command. For more information on this command, see Chapter 7, Displaying SSL Configuration Information and Statistics.
  • Cisco 11503 | Configuration Guide - Page 101
    it may create a security risk. • reject - Resets the CSS default behavior of rejecting the client connection when client authentication fails. For example, enter: (config-ssl-proxy-list[ssl_list1])# ssl-server 20 failure reject
  • Cisco 11503 | Configuration Guide - Page 102
    failure-url command to remove it, and then reissue the ssl-server number failure-url command to configure the new ... CSS decrypts the data, the CSS can insert information about the SSL session, and insert the client and server certificate
  • Cisco 11503 | Configuration Guide - Page 103
    . Note: If the SSL proxy list and its service are active, suspend the service and then the proxy list before configuring or disabling HTTP header insertion. Afterward, reactivate the SSL proxy list and activate its service.
  • Cisco 11503 | Configuration Guide - Page 104
    .com ... Description: X.509 Certificate Version. Format: Numerical X.509 version (3, 2, or 1), followed by the ASN.1 defined value for X.509 version (2, 1, or 0) in parentheses. Example: ClientCert-Certificate-Version: 3 (0x2)
  • Cisco 11503 | Configuration Guide - Page 105
    Subject ... Description, Format, and Example ... Description: Certificate serial number. Format: A whole integer value assigned by the certificate authority; this can be any arbitrary integer value ... , C=US/[email protected], O=Root
  • Cisco 11503 | Configuration Guide - Page 106
    alphanumeric characters separated by a colon (:) character. Together with the exponent (e), this modulus forms the public key portion in the RSA certificate. Example: ClientCert-RSA-Modulus: + 00:d8:1b:94:de:52:a1:20:51:b1:77
  • Cisco 11503 | Configuration Guide - Page 107
    the certificate and a digital signature of the hash printed in big-endian format hexadecimal, without leading 0x, and lowercase alphanumeric characters separated by a colon (:) character. Example: ClientCert-Signature: 33:75:8e:a4:05:92:65
  • Cisco 11503 | Configuration Guide - Page 108
    -cert ... Table 4-3 lists the inserted server certificate fields and their descriptions. Depending on how the certificate was generated and which key algorithm was used, not all of these fields may be present for a given certificate.
  • Cisco 11503 | Configuration Guide - Page 109
    Hashing and Encryption Method. Format: The md5WithRSAEncryption, sha1WithRSAEncryption, or dsaWithSHA1 algorithm used to sign the certificate and algorithm parameters. Example: ServerCert-Signature-Algorithm: md5WithRSAEncryption
  • Cisco 11503 | Configuration Guide - Page 110
    .com, O=Root ... Description: Certificate is not valid after this date. Format: A universal time string or generalized time string in the Not After date of the Validity field. Example: ServerCert-Not-After: 2003-1-27 23:59.59 UTC
  • Cisco 11503 | Configuration Guide - Page 111
    RSA certificate. Example: ServerCert-RSA-Modulus: + 00:d8:1b:94:de:52:a1:20:51:b1:77 ... Description: The public RSA exponent. Format: Printed as a whole integer for the RSA algorithm exponent (e). Example: ServerCert-RSA-Exponent: 65537
  • Cisco 11503 | Configuration Guide - Page 112
    certificate and a digital signature of the hash printed in big-endian format hexadecimal, without leading 0x, and lowercase alphanumeric characters separated by a colon (:) character. Example: ServerCert-Signature: 33:75:8e:a4:05:92:65
  • Cisco 11503 | Configuration Guide - Page 113
    session information to the back-end server, you can configure the CSS to insert SSL session fields and associated information. ... service. To configure the insertion of session information, use the ssl-server number http-header session command
  • Cisco 11503 | Configuration Guide - Page 114
    suspend the service and then the proxy list before configuring or disabling HTTP header insertion. Afterward, reactivate the SSL proxy list and then activate its service. For example, to add the Acme-SSL prefix to all inserted fields, enter:
  • Cisco 11503 | Configuration Guide - Page 115
    ". (config-ssl-proxy-list[ssl_list1])# ssl-server 20 http-header static "FRONT-END-HTTPS: on\r\nsession cache: on\r\nvipaddress: www.acme.com" OL-5655-01 Cisco Content Services Switch SSL Configuration Guide 4-33
  • Cisco 11503 | Configuration Guide - Page 116
    SSL or TLS Version: By default, the SSL version is SSL version 3 and TLS version 1. The SSL module sends a ClientHello that has an ... CSS. Because the CSS cannot reply to a new request on this connection, the browser may display an error. (SSL version 3 has since been deprecated by RFC 7568 because of protocol weaknesses; prefer TLS wherever clients support it.)
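The HTTP header insertion described on the preceding pages (Tables 4-2 and 4-3, the ssl-server number http-header session command and the static header example) delivers certificate and session data to the back-end server as ordinary HTTP headers. What the guide does not spell out is that the back end must trust those headers only when the request actually arrived through the CSS: on any path that bypasses the SSL module, a client can send its own ClientCert-* lines. The following Python module is an added example of how a back-end server can handle the inserted fields; it is not Cisco code and not from the guide. The header names and value formats are taken from the guide's examples; the trusted proxy address, the sample request, the time used for the expiry check, and a ClientCert-Not-After field (assumed to mirror the ServerCert-Not-After format shown) are assumptions made for this example.

```python
"""Back-end handling of the HTTP headers a CSS SSL module inserts after
decrypting a client session (ClientCert-*, ServerCert-*, static fields).

Added example; not Cisco code.  Header names and value formats follow the
examples in the guide; TRUSTED_PROXIES, the sample request, NOW_EXAMPLE and
the ClientCert-Not-After field are assumptions made for this example."""
import ipaddress
import re
from datetime import datetime, timezone

# Constructed: addresses of the CSS SSL modules that sit in front of this
# server.  Only requests from these peers may carry inserted fields.
TRUSTED_PROXIES = {ipaddress.ip_address("10.1.1.2")}

# Header prefixes the CSS inserts (Tables 4-2 and 4-3 and the static header
# example).  Matched case-insensitively, as HTTP field names are.
INSERTED_PREFIXES = ("clientcert-", "servercert-", "front-end-https")

# Of the signature algorithms the guide lists, MD5-based signatures are no
# longer acceptable (collisions are practical); SHA-1 is deprecated as well.
WEAK_SIGNATURE_ALGORITHMS = {"md5WithRSAEncryption"}

# "3 (0x2)": human-readable version, then the ASN.1 value in parentheses.
_VERSION_RE = re.compile(r"^\s*(\d)\s*\(0x([0-9a-fA-F]+)\)\s*$")
# "2003-1-27 23:59.59 UTC" as printed in the ServerCert-Not-After example
# (a ':' before the seconds is accepted too).
_UTC_RE = re.compile(
    r"^\s*(\d{4})-(\d{1,2})-(\d{1,2})\s+(\d{1,2}):(\d{2})[.:](\d{2})\s+UTC\s*$")

# Constructed request, as the CSS would deliver it to the back end.
SAMPLE_FROM_CSS = {
    "Host": "www.acme.com",
    "FRONT-END-HTTPS": "on",
    "ClientCert-Certificate-Version": "3 (0x2)",
    "ClientCert-RSA-Modulus": "+ 00:d8:1b:94:de:52:a1:20:51:b1:77",
    "ClientCert-Signature": "33:75:8e:a4:05:92:65",
    "ServerCert-Signature-Algorithm": "md5WithRSAEncryption",
    "ServerCert-Not-After": "2003-1-27 23:59.59 UTC",
    "ServerCert-RSA-Exponent": "65537",
}
# Constructed "current time" for the expiry check (the guide is dated 2004).
NOW_EXAMPLE = datetime(2004, 8, 1, tzinfo=timezone.utc)


def sanitize(headers, peer_ip):
    """Drop CSS-inserted fields unless the request really came from a CSS.

    The inserted fields are plain HTTP headers; a client that reaches the
    server without passing through the SSL module could send its own
    ClientCert-* lines and impersonate an authenticated user."""
    if ipaddress.ip_address(peer_ip) in TRUSTED_PROXIES:
        return dict(headers)
    return {name: value for name, value in headers.items()
            if not name.lower().startswith(INSERTED_PREFIXES)}


def parse_version(value):
    """'3 (0x2)' -> 3, checking that the two encodings agree."""
    match = _VERSION_RE.match(value)
    if not match:
        raise ValueError(f"bad certificate version field: {value!r}")
    human, asn1 = int(match.group(1)), int(match.group(2), 16)
    if human != asn1 + 1:
        raise ValueError(f"version {human} does not match ASN.1 value {asn1}")
    return human


def parse_utc(value):
    """'2003-1-27 23:59.59 UTC' -> timezone-aware datetime."""
    match = _UTC_RE.match(value)
    if not match:
        raise ValueError(f"bad UTC time field: {value!r}")
    year, month, day, hour, minute, second = (int(g) for g in match.groups())
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_hex_octets(value):
    """'+ 00:d8:1b:...' -> bytes; a leading '+' as in the guide's examples is ignored."""
    text = value.strip().lstrip("+").strip()
    return bytes(int(octet, 16) for octet in text.split(":"))


def certificate_status(headers, prefix, now):
    """'absent', 'expired' or 'valid', judged from the <prefix>-Not-After field."""
    not_after = headers.get(f"{prefix}-Not-After")
    if not_after is None:
        return "absent"
    return "expired" if parse_utc(not_after) < now else "valid"


def weak_signature(headers, prefix):
    """True when the certificate was signed with a deprecated algorithm."""
    return headers.get(f"{prefix}-Signature-Algorithm") in WEAK_SIGNATURE_ALGORITHMS


if __name__ == "__main__":
    trusted = sanitize(SAMPLE_FROM_CSS, "10.1.1.2")
    print("version:", parse_version(trusted["ClientCert-Certificate-Version"]))
    print("modulus octets:", len(parse_hex_octets(trusted["ClientCert-RSA-Modulus"])))
    print("server cert:", certificate_status(trusted, "ServerCert", NOW_EXAMPLE))
    print("weak signature:", weak_signature(trusted, "ServerCert"))
    print("spoofed request keeps:", sorted(sanitize(SAMPLE_FROM_CSS, "192.0.2.10")))
```

The peer-address check is the important part: if the back end can also be reached on its clear-text port from anywhere other than the CSS, every ClientCert-* and FRONT-END-HTTPS value must be treated as attacker-controlled, which is why sanitize() strips them before any authorization decision is made.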
  • Cisco 11503 | Configuration Guide - Page 117
    the user to a nonsecure HTTP URL by rewriting the redirect URL from http:// to https://. By using URL rewrite, all client connections to the Web server are SSL, ensuring the secure delivery of HTTPS content back to the client.
  • Cisco 11503 | Configuration Guide - Page 118
    number urlrewrite command is: ssl-server number urlrewrite number hostname [sslport port {clearport port}] The options and variables are: • ssl-server number - The number used to identify the virtual SSL server in the SSL proxy list.
  • Cisco 11503 | Configuration Guide - Page 119
    port (or default port 443 if no port number is specified). Enter a port value from 1 to 65535. The default value is 443. • clearport port - (Optional) Specifies the port used for clear text network traffic. The SSL module ... .com as follows:
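The following Python code is an added example (not Cisco code and not from the guide) that models the urlrewrite rule above, ssl-server number urlrewrite number hostname [sslport port {clearport port}], as a Location-header rewrite. It assumes that the rule applies to the Location header of a server redirect (a 3xx response) and that only a URL whose host matches the configured hostname and whose port matches clearport is rewritten, so a redirect to some other host is never upgraded and re-pointed by mistake; the sample responses are constructed.

```python
"""Redirect rewriting of the kind the CSS urlrewrite option performs.

Added example, not Cisco code.  It models
    ssl-server number urlrewrite number hostname [sslport port {clearport port}]
as a function over the Location header of a redirect.  The port defaults
(443 for sslport, 80 for clearport) and the sample responses are assumptions
made for this example."""
from urllib.parse import urlsplit, urlunsplit


def rewrite_location(location, hostname, sslport=443, clearport=80):
    """Turn http://hostname[:clearport]/... into https://hostname[:sslport]/...

    Anything else (another host, another port, a URL that is already
    https://, a relative URL) is returned untouched, so the rule can only
    redirect clients to the host it was configured for."""
    parts = urlsplit(location)
    if parts.scheme.lower() != "http":
        return location
    if (parts.hostname or "").lower() != hostname.lower():
        return location
    port = parts.port if parts.port is not None else 80
    if port != clearport:
        return location
    netloc = hostname if sslport == 443 else f"{hostname}:{sslport}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def rewrite_redirect(status, headers, hostname, sslport=443, clearport=80):
    """Apply rewrite_location() to the Location header of a 3xx response."""
    out = dict(headers)
    if not 300 <= status < 400:
        return out
    for name in list(out):
        if name.lower() == "location":
            out[name] = rewrite_location(out[name], hostname, sslport, clearport)
    return out


# Constructed server responses seen by the SSL module.
SAMPLE_REDIRECTS = [
    (302, {"Location": "http://www.acme.com/login"}),
    (301, {"Location": "http://www.acme.com:8080/app?x=1"}),
    (302, {"Location": "http://other.example.com/"}),
    (200, {"Location": "http://www.acme.com/not-a-redirect"}),
]

if __name__ == "__main__":
    # Equivalent of: ssl-server 20 urlrewrite 1 www.acme.com sslport 444 clearport 8080
    for status, headers in SAMPLE_REDIRECTS:
        rewritten = rewrite_redirect(status, headers, "www.acme.com",
                                     sslport=444, clearport=8080)
        print(status, headers["Location"], "->", rewritten["Location"])
```

With sslport 443 the port is omitted from the rewritten URL, matching the guide's statement that 443 is the default; with any other sslport the port is written explicitly.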
  • Cisco 11503 | Configuration Guide - Page 120
    hours, enter: (config-ssl-proxy-list[ssl_list1])# ssl-server 20 session-cache 36000 To reset the SSL session reuse timeout to the default of 300 seconds, enter: (config-ssl-proxy-list[ssl_list1])# no ssl-server 20 session-cache
  • Cisco 11503 | Configuration Guide - Page 121
    20 handshake timeout 36000 To disable the rehandshake timeout option, enter: (config-ssl-proxy-list[ssl_list1])# no ssl-server 20 handshake timeout
  • Cisco 11503 | Configuration Guide - Page 122
    SSL module. In this case, turning on SSL rehandshaking can cause SSL sessions to require additional resources to perform handshake renegotiation. If you are operating in a high traffic environment, this may impact overall SSL performance.
  • Cisco 11503 | Configuration Guide - Page 123
    milliseconds, enter: (config-ssl-proxy-list[ssl_list1])# ssl-server 20 ssl-queue-delay 400 To reset the delay time to the default of 200 milliseconds, enter: (config-ssl-proxy-list[ssl_list1])# no ssl-server 20 ssl-queue-delay
  • Cisco 11503 | Configuration Guide - Page 124
    between the CSS SSL module and a client. To configure an SSL ... timeout seconds command to specify a timeout value that the CSS uses to ... default of 30 seconds, enter: (config-ssl-proxy-list[ssl_list1])# no ssl-server 20 tcp virtual syn-timeout
  • Cisco 11503 | Configuration Guide - Page 125
    number tcp virtual inactivity-timeout seconds command to specify a timeout value that the CSS uses to terminate a TCP connection ... control over TCP connections between the CSS SSL module and a server. To configure an SSL proxy list virtual
  • Cisco 11503 | Configuration Guide - Page 126
    ACK. Use the ssl-server number tcp server syn-timeout seconds command to specify a timeout value that the CSS uses to end a TCP connection with a server that has ... timeout disabled) to 3600 (1 hour). The default is 240 seconds.
  • Cisco 11503 | Configuration Guide - Page 127
    -server number tcp server nagle command to disable or reenable the Nagle algorithm for the TCP connection between the server and the SSL module. The syntax for this command is: ssl-server number tcp server nagle enable|disable
  • Cisco 11503 | Configuration Guide - Page 128
    , enter: (config-ssl-proxy-list[ssl_list1])# ssl-server 20 tcp buffer-share rx 65536 To reset the buffer size to the default of 32768, enter: (config-ssl-proxy-list[ssl_list1])# no ssl-server 20 tcp buffer-share rx
  • Cisco 11503 | Configuration Guide - Page 129
    , reactivate the SSL proxy list, and then reactivate the SSL service. To view the virtual or back-end SSL servers in a list, use the show ssl-proxy-list command (see Chapter 7, Displaying SSL Configuration Information and Statistics).
  • Cisco 11503 | Configuration Guide - Page 130
    Proxy List to an SSL Termination Service • Specifying the SSL Module Slot • Disabling Keepalive Messages for the SSL Module • Specifying the SSL Session ID Cache Size • Activating the SSL Service • Suspending the SSL Service
  • Cisco 11503 | Configuration Guide - Page 131
    an SSL Service When creating a service for use with an SSL module, you must identify it as an SSL service for the CSS to recognize it. For additional details on creating a service, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide. Enter the SSL service name, from
  • Cisco 11503 | Configuration Guide - Page 132
    for the SCM. Note: The CSS supports one active SSL service for each SSL module in the CSS (one SSL service per slot). You can configure more than one SSL service for a slot, but only a single SSL service can be active at a time.
  • Cisco 11503 | Configuration Guide - Page 133
    of keepalive messages for the service. Use the keepalive type none command to instruct the CSS not to send keepalive messages to a service. For details on specifying a keepalive type, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide. To disable sending keepalive
  • Cisco 11503 | Configuration Guide - Page 134
    default of 10000 sessions, enter: (config-service[ssl_serv1])# no session-cache-size ... Activating the SSL Service: Once you configure an SSL proxy list service, use the active command to activate the service. Activating a service puts it into the resource pool for load-balancing SSL content requests
  • Cisco 11503 | Configuration Guide - Page 135
    which load-balancing method to use. For a virtual SSL server content rule, ensure that the VIP address and port number configured for the rule match the VIP address and port number for the server entry in the SSL proxy list.
  • Cisco 11503 | Configuration Guide - Page 136
    the content rule. Not all content VIP:Port combinations are configured in an ssl-proxy-list for sslAccel type of service Verify the configured VIP addresses used in the content rule and SSL proxy list, and modify as necessary. When a CSS uses two or more SSL modules, Cisco Systems recommends
  • Cisco 11503 | Configuration Guide - Page 137
    Back-End SSL ... Overview of Back-End SSL: Back-end SSL allows a CSS to initiate a connection with an SSL server. When used with SSL termination, back-end SSL provides a secure end-to-end connection between a client and an SSL server.
  • Cisco 11503 | Configuration Guide - Page 138
    text string from 1 to 31 characters. For example, to create the SSL proxy list, ssl_list1, enter: (config)# ssl-proxy-list ssl_list1 Create ssl-list , [y/n]: y
  • Cisco 11503 | Configuration Guide - Page 139
    to initiate a connection to a back-end SSL server. You must define a back-end server index number before configuring SSL proxy list parameters. You can define a maximum of 256 back-end SSL servers for a single SSL proxy list.
  • Cisco 11503 | Configuration Guide - Page 140
    Virtual Client Connections Timeout Values • Configuring TCP Server-Side Connection Timeout Values on the SSL Module • Specifying the Nagle Algorithm for SSL TCP Connections • Specifying the TCP buffering for SSL TCP Connections
  • Cisco 11503 | Configuration Guide - Page 141
    Configuring a Back-End SSL Server Type: By default, a back-end SSL server has a type of backend-ssl that allows a CSS to: • Receive encrypted data from a client • Decrypt the data for load balancing ... 5, Configuring SSL Initiation.
  • Cisco 11503 | Configuration Guide - Page 142
    For example, to configure a port number of 1200, enter: (config-ssl-proxy-list[ssl_list1])# backend-server 1 port 1200 To reset the port to the default value of 80, enter: (config-ssl-proxy-list[ssl_list1])# no backend-server 1 port
  • Cisco 11503 | Configuration Guide - Page 143
    the server port number 155, enter: (config-ssl-proxy-list[ssl_list1])# backend-server 1 server-port 155 To reset the port to the default value of 443, enter: (config-ssl-proxy-list[ssl_list1])# no backend-server 1 server-port
  • Cisco 11503 | Configuration Guide - Page 144
    that are exportable in any version of the software. If you use the default setting or select the all-cipher-suite option, the CSS sends the suites in the same order as they appear in Table 4-1, starting with rsa-with-rc4-128-md5.
  • Cisco 11503 | Configuration Guide - Page 145
    secret key. By default, the cache timeout is enabled with a timeout of 300 seconds (5 minutes). The timeout value can range from 0 to 72000 (0 seconds to 20 hours). A timeout value of 0 disables session cache reuse.
  • Cisco 11503 | Configuration Guide - Page 146
    data Use the backend-server number handshake timeout seconds command to specify a maximum timeout value, after which the CSS transmits the SSL handshake message and reestablishes the SSL session. Setting a timeout value
  • Cisco 11503 | Configuration Guide - Page 147
    syn-timeout seconds command to specify a timeout value that the CSS uses to terminate a TCP connection between a client and the SSL module that has not successfully completed the TCP three-way handshake prior to transferring data.
  • Cisco 11503 | Configuration Guide - Page 148
    timeout value in seconds, from 0 (TCP inactivity timeout disabled) to 3600 (1 hour). The default is 240 seconds. Based on the default parameters for retransmission, the timer value should be larger than 60 seconds (1 minute).
  • Cisco 11503 | Configuration Guide - Page 149
    server number tcp server syn-timeout seconds command to specify a timeout value that the CSS uses to end a TCP connection with a server that has not successfully completed the TCP three-way handshake prior to transferring data.
  • Cisco 11503 | Configuration Guide - Page 150
    hour). The default is 240 seconds. For example, to configure the TCP inactivity timeout period of 100 seconds for the server-side connection, enter: (config-ssl-proxy-list[ssl_list1])# backend-server 1 tcp server inactivity-timeout 100
  • Cisco 11503 | Configuration Guide - Page 151
    number tcp server nagle command to disable or reenable the Nagle algorithm for the TCP connection between the server and the SSL module. The syntax for this command is: backend-server number tcp server nagle enable|disable
  • Cisco 11503 | Configuration Guide - Page 152
    variable. By default, the buffer size is 65536. The buffer size can range from 16400 to 262144. For example, to set the value to 131072, enter: (config-ssl-proxy-list[ssl_list1])# backend-server 20 tcp buffer-share tx 131072
  • Cisco 11503 | Configuration Guide - Page 153
    list (see Chapter 7, Displaying SSL Configuration Information and Statistics). Use the suspend command to suspend an active SSL proxy list. To suspend an active SSL proxy list, enter: (config-ssl-proxy-list[ssl_list1])# suspend
  • Cisco 11503 | Configuration Guide - Page 154
    Type • Adding an SSL Proxy List for a Back-End SSL Server • Configuring an IP Address for a Back-End SSL Service • Configuring the Port Number for a Back-End SSL Service • Activating the SSL Service • Suspending the SSL Service
  • Cisco 11503 | Configuration Guide - Page 155
    an SSL Service When creating a service for use with an SSL module, you must identify it as an SSL service for the CSS to recognize it. For additional details on creating a service, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide. Enter the SSL service name, from
  • Cisco 11503 | Configuration Guide - Page 156
    back to the SSL module for reencryption. By default, the CSS uses the port number of the back-end content rule associated with the service, port 80. If the port number is different from the back-end HTTP-SSL content rule, use the port command to configure it. Enter the port number as an integer
  • Cisco 11503 | Configuration Guide - Page 157
    load-balancing SSL content requests between the client and the server. Before activating an SSL service: • For a virtual SSL server, you must add an SSL proxy list to an ssl-accel type service before you can activate the service. If no list is configured when you enter the active command, the CSS
  • Cisco 11503 | Configuration Guide - Page 158
    a sticky server to use or load balances a new server for a new client request. For more information on Layer 5 sticky and content rules, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide.
  • Cisco 11503 | Configuration Guide - Page 159
    an SSL module to: • Receive clear text from a client • Load balance the content • Encrypt the clear text • Originate an SSL connection with either an SSL server or another CSS configured with SSL termination (see Chapter 4, Configuring SSL Termination).
  • Cisco 11503 | Configuration Guide - Page 160
    on the CSS SSL module) related by index entry. An SSL module in the CSS uses the back-end SSL server to initiate the connection to an SSL server. You can define a maximum of 256 back-end SSL servers in a single SSL proxy list.
  • Cisco 11503 | Configuration Guide - Page 161
    Delete ssl-list , [y/n]: y Note: You cannot delete a given SSL proxy list if any SSL service using that specific SSL proxy list is active. You must first suspend the SSL service to delete the specific SSL proxy list.
  • Cisco 11503 | Configuration Guide - Page 162
    modifications to any of the back-end servers in a specific SSL proxy list. Once you have modified the SSL proxy list, suspend the SSL service, activate the SSL proxy list, and then activate the SSL service to apply the changes.
  • Cisco 11503 | Configuration Guide - Page 163
    the SSL Module • Specifying the Nagle Algorithm for Client-Side Connections • Specifying the TCP Buffering for SSL TCP Connections • Configuring Client Certificates and Keys • Configuring CA Certificates for Server Authentication
  • Cisco 11503 | Configuration Guide - Page 164
    1 type initiation To reconfigure the SSL initiation server as a back-end SSL server without having to configure all the back-end server parameters, enter: (config-ssl-proxy-list[ssl_list1])# backend-server 1 type backend-ssl
  • Cisco 11503 | Configuration Guide - Page 165
    same address, configure the backend-server number port and server-port commands with different port numbers. For example, to configure a port number of 1200, enter: (config-ssl-proxy-list[ssl_list1])# backend-server 1 port 1200
  • Cisco 11503 | Configuration Guide - Page 166
    address, configure the backend-server number port and server-port commands with different port numbers. For example, to configure the server port number 155, enter: (config-ssl-proxy-list[ssl_list1])# backend-server 1 server-port 155
  • Cisco 11503 | Configuration Guide - Page 167
    Cipher Suites To configure one or more specific cipher suites to be used by the back-end SSL initiation server, use the backend-server number cipher command. By default, all supported hardware accelerated cipher suites are enabled. For a list of all cipher suites that the SSL module supports and the
  • Cisco 11503 | Configuration Guide - Page 168
    1 cipher rsa-with-rc4-128-md5 weight 10 To remove one or more of the configured cipher suites for the SSL initiation back-end server, enter: (config-ssl-proxy-list[ssl_list1])# no backend-server 1 cipher rsa-with-rc4-128-md5
  • Cisco 11503 | Configuration Guide - Page 169
    kbytes command to force an SSL rehandshake after the exchange of a certain amount of data between the CSS and the back-end SSL server, after which the CSS transmits the SSL handshake message and reestablishes the SSL session.
  • Cisco 11503 | Configuration Guide - Page 170
    seconds command to specify a maximum timeout value, after which the CSS transmits the ... balance ssl load-balancing method for a Layer 5 content rule to fine-tune the SSL session ID used to stick the client to the server. By default
  • Cisco 11503 | Configuration Guide - Page 171
    tcp virtual syn-timeout seconds command to specify a timeout value that the CSS uses to terminate a TCP connection between a client and the SSL module that has not successfully completed ... backend-server 1 tcp virtual syn-timeout 0
  • Cisco 11503 | Configuration Guide - Page 172
    -proxy-list[ssl_list1])# backend-server 1 tcp virtual inactivity-timeout 0 To reset the timeout to the default value of 240 seconds, enter: (config-ssl-proxy-list[ssl_list1])# no backend-server 1 tcp virtual inactivity-timeout
  • Cisco 11503 | Configuration Guide - Page 173
    command to disable or reenable the Nagle algorithm for the TCP connection between the client and the SSL module. The syntax for this command ... over TCP connections between the CSS SSL module and a server. To configure the timeout values of a
  • Cisco 11503 | Configuration Guide - Page 174
    number tcp server syn-timeout seconds command to specify a timeout value that the CSS uses to end a TCP connection with ... default value of 30 seconds, enter: (config-ssl-proxy-list[ssl_list1])# no backend-server 1 tcp server syn-timeout
  • Cisco 11503 | Configuration Guide - Page 175
    number tcp server nagle command to disable or reenable the Nagle algorithm for the TCP connection between the server and the SSL module. The syntax for this command is: backend-server number tcp server nagle enable|disable
  • Cisco 11503 | Configuration Guide - Page 176
    and variable. By default, the buffer size is 65536. The buffer size can range from 16400 to 262144. For example, to set the value to 131072, enter: (config-ssl-proxy-list[ssl_list1])# backend-server 1 tcp buffer-share tx 131072
  • Cisco 11503 | Configuration Guide - Page 177
    Client Certificate Not Sent counter. Note: When the SSL server does not receive the requested client certificate, it may close the connection. The following sections describe how to configure client certificates and keys.
  • Cisco 11503 | Configuration Guide - Page 178
    , enter: (config-ssl-proxy-list[ssl_list1])# backend-server 1 dhparam dhparamfile2 To remove the configured DH parameter file from the SSL proxy list, enter: (config-ssl-proxy-list[ssl_list1])# no backend-server 1 dhparam
  • Cisco 11503 | Configuration Guide - Page 179
    signature of the CA in the server certificate. Defining a CA certificate in the SSL initiation proxy list indicates to the CSS that you want to verify the server certificate. Note: By default, the CSS does not authenticate the back-end SSL server; until you define a CA certificate, the server certificate is not verified.
  • Cisco 11503 | Configuration Guide - Page 180
    use the no form of the command. For example, to remove the mycert1 CA certificate from the ssl_list1 proxy list for SSL initiation back-end server 1, enter: (config-ssl-proxy-list[ssl_list1])# no backend-server 1 cacert mycert1
  • Cisco 11503 | Configuration Guide - Page 181
    command (see Chapter 7, Displaying SSL Configuration Information and Statistics). Use the suspend command to suspend an active SSL proxy list. To suspend an active SSL proxy list, enter: (config-ssl-proxy-list[ssl_list1])# suspend
  • Cisco 11503 | Configuration Guide - Page 182
    the SSL Initiation Service Keepalive Type • SSL Session ID Cache Size • Activating the SSL Service • Suspending the SSL Service Note: If you do not configure a service port, the CSS uses the same port number as the content rule.
  • Cisco 11503 | Configuration Guide - Page 183
    SSL module, you must identify it as an SSL service for the CSS to recognize it. You can create multiple SSL services for use with an SSL initiation content rule. For additional details on creating a service, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide. Enter
  • Cisco 11503 | Configuration Guide - Page 184
    a specific SSL module. Use the slot command to specify the slot in the CSS chassis where the SSL module is located. The valid slot entries are: • CSS 11501 - 2 • CSS 11503 - 2 and 3 • CSS 11506 - 2 to 6 Slot 1 is reserved for the SCM.
  • Cisco 11503 | Configuration Guide - Page 185
    SSL or TCP keepalive type, you need to configure the port used by the keepalive. For more information about these and other CSS keepalives, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide.
  • Cisco 11503 | Configuration Guide - Page 186
    load-balancing SSL content requests between the client and the server. Before activating an SSL service: • For an initiation SSL server, you must add an SSL proxy list to an ssl-init type service before you can activate the service. If no list is configured when you enter the active command, the CSS
  • Cisco 11503 | Configuration Guide - Page 187
    CSS to locate a sticky server to use or to load balance a new server for a new client request. For more information on Layer 5 sticky and content rules, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide.
  • Cisco 11503 | Configuration Guide - Page 188
    . • Ensure that the SSL server is configured to request a client certificate. • Use a sniffer on the back-end connection to verify that the server is requesting a client certificate and that the CSS is sending the certificate. 6-30 Cisco Content Services Switch SSL Configuration Guide OL-5655-01
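The sniffer check above is easy to state and tedious to do by eye. The following is an added example, not code from the Cisco guide: a minimal walker over TLS 1.0 / SSL 3.0 records that answers the two questions the troubleshooting step asks of the CSS-to-server capture (did the server send a CertificateRequest, did the CSS answer with a non-empty Certificate) and also classifies the flow as still in handshake or established, the same distinction the show ssl flows output draws. It assumes the standard TLS record and handshake header layout, takes the reassembled TCP payload of each direction as input, and the byte strings at the bottom are constructed for this example rather than captured traffic.

```python
"""Added example (not code from the Cisco guide): a minimal walker over
TLS 1.0 / SSL 3.0 records for the sniffer check on the CSS-to-server leg.
It reports whether the server sent a CertificateRequest, whether the CSS
answered with a non-empty Certificate, and whether the flow is still in
handshake.  Input is the reassembled TCP payload of one direction; the
byte strings at the bottom are constructed, not captured traffic."""
import struct

CONTENT_CCS = 20        # ChangeCipherSpec record type
CONTENT_HANDSHAKE = 22
HS_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
            12: "ServerKeyExchange", 13: "CertificateRequest",
            14: "ServerHelloDone", 15: "CertificateVerify",
            16: "ClientKeyExchange", 20: "Finished"}


def iter_records(stream):
    """Yield (content_type, version, body) for each record in the stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, ver, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            raise ValueError("truncated record at offset %d" % off)
        yield ctype, ver, body
        off += 5 + length


def handshake_messages(stream):
    """Return [(type, body)] for the plaintext handshake messages of one
    direction.  Parsing stops at ChangeCipherSpec: from there on (Finished
    included) the records are encrypted."""
    msgs, buf = [], b""
    for ctype, _ver, body in iter_records(stream):
        if ctype == CONTENT_CCS:
            break
        if ctype != CONTENT_HANDSHAKE:
            continue
        buf += body                      # a message may span records
        while len(buf) >= 4:
            hlen = int.from_bytes(buf[1:4], "big")
            if len(buf) < 4 + hlen:
                break
            msgs.append((buf[0], buf[4:4 + hlen]))
            buf = buf[4 + hlen:]
    return msgs


def check_client_auth(server_to_css, css_to_server):
    """The two checks from the troubleshooting list, applied to a capture."""
    srv = handshake_messages(server_to_css)
    css = handshake_messages(css_to_server)
    # Certificate body: 3-byte list length, then 3-byte-prefixed DER certs.
    # A client with nothing to offer sends a zero-length list.
    cert_bodies = [b for t, b in css if t == 11]
    return {
        "server_requested_cert": any(t == 13 for t, _ in srv),
        "css_sent_cert": any(int.from_bytes(b[:3], "big") > 0
                             for b in cert_bodies),
        "server_msgs": [HS_NAMES.get(t, t) for t, _ in srv],
        "css_msgs": [HS_NAMES.get(t, t) for t, _ in css],
    }


def flow_state(client_stream, server_stream):
    """'handshake' from the ClientHello until both sides have sent Finished.
    Finished is encrypted, so it is recognised as the first handshake record
    that follows each side's ChangeCipherSpec."""
    def finished_sent(stream):
        after_ccs = False
        for ctype, _ver, _body in iter_records(stream):
            if ctype == CONTENT_CCS:
                after_ccs = True
            elif after_ccs and ctype == CONTENT_HANDSHAKE:
                return True
        return False
    if not any(t == 1 for t, _ in handshake_messages(client_stream)):
        return "no-ssl"
    if finished_sent(client_stream) and finished_sent(server_stream):
        return "established"
    return "handshake"


# --- constructed sample traffic (not a real capture) -----------------------
def _hs(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body

def _rec(ctype, body, version=0x0301):          # 0x0301 = TLS 1.0
    return struct.pack("!BHH", ctype, version, len(body)) + body

def _cert_msg(der):                             # one-entry certificate list
    entry = len(der).to_bytes(3, "big") + der
    return _hs(11, len(entry).to_bytes(3, "big") + entry)

FAKE_DER = b"\x30\x03\x02\x01\x01"              # placeholder, not a real cert
CLIENT_HELLO = _hs(1, b"\x03\x01" + b"\x00" * 32 + b"\x00\x00\x02\x00\x0a\x01\x00")
ENCRYPTED_FINISHED = _rec(CONTENT_HANDSHAKE, b"\x00" * 16)   # opaque ciphertext
SERVER_STREAM = (_rec(22, _hs(2, b"\x03\x01" + b"\x00" * 32 + b"\x00\x00\x0a\x00")
                      + _cert_msg(FAKE_DER) + _hs(13, b"\x01\x01\x00\x00") + _hs(14, b""))
                 + _rec(CONTENT_CCS, b"\x01") + ENCRYPTED_FINISHED)
CSS_STREAM = (_rec(22, CLIENT_HELLO) + _rec(22, _cert_msg(FAKE_DER))
              + _rec(22, _hs(16, b"\x00\x02\x00\x00"))
              + _rec(CONTENT_CCS, b"\x01") + ENCRYPTED_FINISHED)
# Same CSS side, but with no certificate to offer and no Finished yet.
CSS_STREAM_NO_CERT = (_rec(22, CLIENT_HELLO) + _rec(22, _hs(11, b"\x00\x00\x00"))
                      + _rec(22, _hs(16, b"\x00\x02\x00\x00")))

if __name__ == "__main__":
    print(check_client_auth(SERVER_STREAM, CSS_STREAM), flow_state(CSS_STREAM, SERVER_STREAM))
    print(check_client_auth(SERVER_STREAM, CSS_STREAM_NO_CERT), flow_state(CSS_STREAM_NO_CERT, SERVER_STREAM))
```

To use it on a real capture, reassemble each direction of the back-end TCP connection into a byte string (for example with a pcap tool's follow-stream export) and pass the server-to-CSS bytes first. An empty Certificate from the CSS with a CertificateRequest from the server is the signature of a proxy list whose back-end server has no client certificate associated; no CertificateRequest at all means the server side is not configured to ask.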
  • Cisco 11503 | Configuration Guide - Page 189
    show commands from any mode: • show ssl associate cert - Displays certificate associations • show ssl associate rsakey - Displays RSA key pair associations • show ssl associate dsakey - Displays DSA key pair associations
  • Cisco 11503 | Configuration Guide - Page 190
    Indicates if the certificate association is used by the SSL proxy list containing the VIP address of the virtual server. To display information about a specific certificate association, enter: show ssl associate cert myrsacert1
  • Cisco 11503 | Configuration Guide - Page 191
    the size of the RSA key pair used to secure Web transactions. The actual public key on which the certificate was built. One of the base numbers used to generate the key. An array of X509v3 extensions added to the certificate.
  • Cisco 11503 | Configuration Guide - Page 192
    a list of all RSA key associations. Note: When you view the contents of a specific key, only the key size and key type appear. This restriction exists because the key contents are sensitive and should not be viewed.
  • Cisco 11503 | Configuration Guide - Page 193
    only the key size and key type appear. This restriction exists because the key contents are sensitive and should not be viewed. To display information about all DSA key associations, enter: (config)# show ssl associate dsakey
  • Cisco 11503 | Configuration Guide - Page 194
    To display information about a specific DSA key pair association, enter
    Field            Description
    Parameter Name   The name of the Diffie-Hellman parameter association
    File Name        The name of the file containing the Diffie-Hellman parameters
  • Cisco 11503 | Configuration Guide - Page 195
    Name             File Name        Used by List
    ---------------  ---------------  ------------
    dhparams         dhparams.pem     no

    DSA Key Name     File Name        Used by List
    ---------------  ---------------  ------------
    dsakey           dsakey.pem       no
  • Cisco 11503 | Configuration Guide - Page 196
    pair, or Diffie-Hellman parameter file. File types can include DER-encoded, PEM-encoded, or PKCS#12-encoded. The total size (in Kbytes) of the certificate, RSA key pair, DSA key pair, or Diffie-Hellman parameter file.
  • Cisco 11503 | Configuration Guide - Page 197
    to display its configuration information. This command is available in global, content, owner, service, SuperUser, and User modes. To view general information about all configured SSL proxy lists, enter: # show ssl-proxy-list
  • Cisco 11503 | Configuration Guide - Page 198
    the virtual SSL server. The total number of back-end servers specified for the SSL proxy list. A unique number for the back-end server.
  • Cisco 11503 | Configuration Guide - Page 199
    name. The period of time an SSL session ID remains valid before the CSS requires a full SSL handshake to establish a new SSL connection. The protocol in use: SSL (version 3.0), TLS (version 1.0), or both SSL and TLS.
  • Cisco 11503 | Configuration Guide - Page 200
    The TCP port of the back-end content rule through which the back-end HTTP connections are sent. Server: The VIP address of the back-end content rule through which the back-end HTTP connections are sent. URL Rewrite Rule(s):
  • Cisco 11503 | Configuration Guide - Page 201
    server certificate, and Session Data for SSL connection information. For information on the fields inserted in the header, see Chapter 4, Configuring SSL Termination. Configured static text string inserted in the HTTP request header.
  • Cisco 11503 | Configuration Guide - Page 202
    of the CRL record. Name of the CA certificate imported on the CSS; the CSS uses this certificate to verify the CRL's signature and so confirm that the CRL came from that CA. How long the CSS waits before updating the CRL on the CSS. URL from which the CSS downloads the latest CRL.
  • Cisco 11503 | Configuration Guide - Page 203
    for the virtual SSL server. The virtual TCP port for the virtual SSL server. The total number of flows received from the back-end server and evaluated by the SSL module for the presence of HTTP 300-series redirects.
  • Cisco 11503 | Configuration Guide - Page 204
    where the CSS is acting as an SSL server. - ssl - Displays counter statistics for the SSL server. - ssl-proxy-server - Displays counter statistics for the SSL proxy list component that provides SSL termination in the SSL module.
  • Cisco 11503 | Configuration Guide - Page 205
    incoming SSL connections from a client to the SSL module. Handshake completed for incoming SSL connections: Number of times the handshake process was completed for incoming SSL connections from a client to the SSL module.
  • Cisco 11503 | Configuration Guide - Page 206
    certificate data: Number of times that the CSS inserted server certificate information in the HTTP request header to a back-end server. HTTP header insert of user defined prefix: Number of times that the CSS
    verifications requested.
  • Cisco 11503 | Configuration Guide - Page 207
    available. Hardware Device Timed Out: Number of times the cryptography hardware did not complete an acceleration request within the specified time. This function is not currently implemented. This counter should always be 0.
  • Cisco 11503 | Configuration Guide - Page 208
    hash calls: Number of MD5 pure hash calls. SHA1 raw hash calls: Number of SHA1 pure hash calls. 3-DES calls: Number of 3-DES calls.
  • Cisco 11503 | Configuration Guide - Page 209
    cipher) bytes transmitted by the SSL module. RSA Private Decrypt failures: Number of RSA Private Decrypt calls that failed. MAC failures for packets received: Number of times the MAC could not be verified for the incoming SSL messages.
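The counters listed above are only useful when someone compares two readings: Hardware Device Timed Out is documented as always 0, and RSA Private Decrypt failures and MAC failures are the two that should not climb on a healthy module. The following is an added example, not Cisco's code, of a two-snapshot delta check. It assumes the show ssl statistics output lays each counter out as one row of field name followed by a numeric value (the exact layout is an assumption here), and the two snapshots it reads are constructed text, not captured output.

```python
"""Added example (not from the Cisco guide): a two-snapshot delta check over
the SSL module counters described above.  The layout of 'show ssl statistics'
output is assumed to be one '<field name> <value>' row per counter; the two
snapshots below are constructed text, not captured output."""
import re

# The guide says this counter should always be 0.
MUST_BE_ZERO = {"Hardware Device Timed Out"}
# Failure counters whose growth between two readings deserves attention.
FAILURE_COUNTERS = {
    "RSA Private Decrypt failures",       # client sent an undecryptable pre-master secret
    "MAC failures for packets received",  # record failed its integrity check
}
# Field name (may contain spaces), whitespace, integer value, end of line.
ROW = re.compile(r"^\s*(?P<name>\S.*?)\s+(?P<value>\d+)\s*$")


def parse_counters(text):
    """Map each counter row to an int; lines that do not end in a number
    (headings such as 'Session Cache Statistics') are skipped."""
    out = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            out[m.group("name")] = int(m.group("value"))
    return out


def assess(before, after):
    """Findings comparing an earlier and a later reading of the counters."""
    findings = []
    for name in sorted(MUST_BE_ZERO):
        if after.get(name, 0) != 0:
            findings.append("%s is %d, expected 0" % (name, after[name]))
    for name in sorted(FAILURE_COUNTERS):
        delta = after.get(name, 0) - before.get(name, 0)
        if delta > 0:
            findings.append("%s grew by %d" % (name, delta))
    return findings


# Constructed snapshots, taken a few minutes apart in this scenario.
SNAPSHOT_1 = """\
Session Cache Statistics
Handshakes Accepted from Client        1200
RSA Private Decrypt failures              2
MAC failures for packets received         0
Hardware Device Timed Out                 0
"""
SNAPSHOT_2 = """\
Session Cache Statistics
Handshakes Accepted from Client        1450
RSA Private Decrypt failures             57
MAC failures for packets received         3
Hardware Device Timed Out                 0
"""

if __name__ == "__main__":
    for finding in assess(parse_counters(SNAPSHOT_1), parse_counters(SNAPSHOT_2)):
        print(finding)
```

The counters are aggregate per module, so a jump in RSA Private Decrypt failures cannot by itself identify a client; pair it with show ssl flows for the same interval before drawing conclusions.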
  • Cisco 11503 | Configuration Guide - Page 210
    a CRL cannot be stored in memory, all incoming client authentications will fail. Session Cache Statistics: Handshakes Accepted from Client: Number of handshakes that the SSL module accepted from clients.
  • Cisco 11503 | Configuration Guide - Page 211
    Handshakes Renegotiated: Number of handshakes that the SSL module had to renegotiate. Handshakes Completed Cached: Number of successful handshakes that the SSL module holds in the cache.
  • Cisco 11503 | Configuration Guide - Page 212
    all installed SSL modules. To view SSL flows for all SSL modules in the CSS, enter: # show ssl flows
    To view SSL flows for a specific SSL module in the CSS chassis (for example, installed in slot 5), enter: # show ssl flows slot 5
  • Cisco 11503 | Configuration Guide - Page 213
    yet sending data. This means that an SSL Client Hello message has been received by the CSS but the final Finished message has not yet been sent. The SSL Flows in Handshake number is a subset of the Active SSL Flows column.
  • Cisco 11503 | Configuration Guide - Page 215
    both TCP and SSL handshakes. The following example is intended as an overview of the flow process: how the CSS and SSL module translate flows from HTTPS to HTTP for inbound packets and from HTTP to HTTPS for outbound packets.
  • Cisco 11503 | Configuration Guide - Page 216
    [Figure: SSL termination flow on a CSS 11506 with SSL acceleration modules M1, M2 and M3. An L5/L4 SSL content rule on port 443 and an L5/L4 HTTP content rule on port 80 front back-end servers ServerABC, ServerDEF and ServerGHI; numbered steps 1 to 5 trace a payment/checkout session from port 443 through the module to port 80 on the servers.]
  • Cisco 11503 | Configuration Guide - Page 217
    the stickiness between the client and the SSL module, and the cookie maintains the stickiness between the SSL module and the servers. In this way, stickiness can be maintained consistently through the entire web transaction.
  • Cisco 11503 | Configuration Guide - Page 218
    [Figure: back-end SSL flow on a CSS 11506 with SSL acceleration modules M1, M2 and M3. VIP port 443 (L5/L4 SSL content rule), VIP port 80, a back-end SSL VIP on port 80 and the back-end SSL server IP on port 443, with servers ServerABC, ServerDEF and ServerGHI; numbered steps 3 to 6.]
  • Cisco 11503 | Configuration Guide - Page 219
    to allow access to secure content on your HTTP servers, you may need to specify a different VIP address for the clear-text content rule so that the CSS can integrate it seamlessly into secure transactions.
  • Cisco 11503 | Configuration Guide - Page 220
    dhparam dhparams dhparams.pem
    ssl associate rsakey rsakey rsakey.pem
    ssl associate cert rsacert rsacert.pem
    ftp-record ssl_record 161.44.174.127 anonymous des-password deye2gtcld1b6feeeebabfcfagyezc5f /
  • Cisco 11503 | Configuration Guide - Page 221
    192.168.7.1
      protocol tcp
      port 80
      keepalive type http
      active
    service serverDEF
      ip address 192.168.7.2
      protocol tcp
      port 80
      keepalive type http
      active
    service serverGHI
      ip address 192.168.7.3
      protocol tcp
      port 80
      keepalive type http
      active
  • Cisco 11503 | Configuration Guide - Page 222
    address of 10.1.1.5. The clear-text http-rule will be unreachable from the Internet, which gives you more flexibility and granularity while allowing the CSS to be seamlessly integrated for secure transactions.
  • Cisco 11503 | Configuration Guide - Page 223
    rsakey rsakey rsakey.pem
    ssl associate cert rsacert rsacert.pem
    ssl associate dhparam dhparams dhparams.pem
    ftp-record ssl_record 161.44.174.127 anonymous des-password deye2gtcld1b6feeeebabfcfagyezc5f /
  • Cisco 11503 | Configuration Guide - Page 224
    CIRCUIT
    circuit VLAN1
    service serverABC
      ip address 192.168.7.1
      protocol tcp
      port 80
      keepalive type http
      active
    service serverDEF
      ip address 192.168.7.2
      protocol tcp
      port 80
      keepalive type http
      active
  • Cisco 11503 | Configuration Guide - Page 225
    service ssl_module2
      application ssl
      advanced-balance ssl
      active
    content http-rule
      vip address 192.168.5.5
      protocol tcp
      port 80
      url "/*"
      add service serverABC
      add service serverDEF
      add service serverGHI
      advanced-balance cookies
      active
  • Cisco 11503 | Configuration Guide - Page 226
    HTTP connection to content rule http-ssl-rule. The CSS directs the clear-text data back to SSL module 2. The module terminates the connection, re-encrypts the traffic, and establishes an SSL connection to SSL server ServerDEF.
  • Cisco 11503 | Configuration Guide - Page 227
    [Figure: back-end SSL example on a CSS 11506 with SSL acceleration modules 1 and 2. Client traffic from source 172.16.6.62 to destination 192.168.4.4 hits the Layer 5 ssl-rule / ssl-rule-1; the Layer 5 http-rule carries source 172.16.6.58 to the servers at 192.168.7.3 and ServerJKL at 192.168.7.4.]
  • Cisco 11503 | Configuration Guide - Page 228
    ssl-server 2 cipher rsa-with-rc4-128-md5 192.28.4.4 8080
    active
    backend-server 3
    backend-server 3 ip address 192.168.7.2
    backend-server 3 port 8080
    backend-server 3 server-ip 192.168.7.2
    backend-server 3 rsacert rsacert
    active
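The ssl-server line in the fragment above maps the rsa-with-rc4-128-md5 suite to the back-end target. RC4 and MD5 are both weak by current standards; that caveat is this editor's, not a statement from the guide. The following is an added example, not from the guide, showing the same virtual server configured with a 3DES/SHA-1 suite instead. The ssl-server keyword forms are taken from the fragments on this page and are otherwise assumed, the suite name rsa-with-3des-ede-cbc-sha is assumed to be in this software version's cipher table, and lines beginning with "!" are annotations rather than CLI input:

```text
ssl-proxy-list test
  ssl-server 2
  ssl-server 2 vip address 192.28.4.4
  ssl-server 2 port 443
  ssl-server 2 rsakey rsakey
  ssl-server 2 rsacert rsacert
  ! weak: RC4 stream cipher with an MD5 MAC (the suite used in the fragment above)
  ! ssl-server 2 cipher rsa-with-rc4-128-md5 192.28.4.4 8080
  ! preferred: 3DES-EDE-CBC with a SHA-1 MAC, same back-end rule and port
  ssl-server 2 cipher rsa-with-3des-ede-cbc-sha 192.28.4.4 8080
  active
```

Each cipher line binds one suite to a back-end destination, so a virtual server that must keep a legacy suite for old clients can carry both lines; a server that does not need it should carry only the stronger one, since the module will accept whichever configured suite the client offers.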
  • Cisco 11503 | Configuration Guide - Page 229
    service serverDEF
      type ssl-accel-backend
      ip address 192.168.7.2
      protocol tcp
      keepalive type ssl
      keepalive port 443
      add ssl-proxy-list test
      active
    service serverGHI
      ip address 192.14.7.3
      protocol tcp
      port 80
      keepalive type http
      active
  • Cisco 11503 | Configuration Guide - Page 230
    add service serverABC
    add service serverGHI
    advanced-balance cookies
    active
    content ssl-rule-1
      vip address 192.28.4.4
      protocol tcp
      port 443
      add service ssl_module1
      add service ssl_module2
      application ssl
      advanced-balance ssl
      active
  • Cisco 11503 | Configuration Guide - Page 231
    content http-ssl-rule
      vip address 192.28.4.4
      protocol tcp
      port 8080
      url "/*"
      add service serverDEF
      add service serverJKL
      advanced-balance arrowpoint-cookie
      active
    SSL Full Proxy Configuration - One SSL Module. An SSL full proxy server is a proxy server
  • Cisco 11503 | Configuration Guide - Page 232
    dhparams dhparams dhparams.pem
    ssl associate rsakey rsakey rsakey.pem
    ssl associate cert rsacert rsacert.pem
    ftp-record ssl_record 161.44.174.127 anonymous des-password deye2gtcld1b6feeeebabfcfagyezc5f /
  • Cisco 11503 | Configuration Guide - Page 233
    keepalive type none
    slot 6
    add ssl-proxy-list test
    active
    service serverABC
      ip address 192.168.7.1
      protocol tcp
      port 80
      keepalive type http
      active
    service serverDEF
      ip address 192.168.7.2
      protocol tcp
      port 80
      keepalive type http
      active
  • Cisco 11503 | Configuration Guide - Page 234
    service serverDEF
    add service serverGHI
    advanced-balance cookies
    active
    GROUP
    group ssl_module_proxy
      add destination service serverABC
      add destination service serverDEF
      add destination service serverGHI
      vip address 192.168.7.200
      active
  • Cisco 11503 | Configuration Guide - Page 235
    you must balance the SSL initiation VIPs and the SSL modules when multiple SSL modules exist (as in this example). • The SSL initiation feature requires that the proxy list be applied to the SSL module via a service of type ssl-init.
  • Cisco 11503 | Configuration Guide - Page 236
    [Figure: SSL initiation on a CSS 11506 with SSL acceleration module 1 in slot 2 and module 2 in slot 3. Clear text from source 10.81.27.9 to destination 192.168.7.10 matches a Layer 5 HTTP rule; the module sends encrypted text onward.]
    password ig5haaufqbnfuarb /tmp
    INTERFACE
    interface 1/1
      bridge vlan 10
  • Cisco 11503 | Configuration Guide - Page 237
    SERVICE
    service DC1
      type ssl-init
      ip address 192.168.7.10
      protocol tcp
      port 80
      slot 2
      keepalive type ssl
      keepalive port 443
      add ssl-proxy-list SSLInit_list
      active
    service DC2
      type ssl-init
      ip address 192.168.7.20
  • Cisco 11503 | Configuration Guide - Page 238
    ssl-proxy-list SSLInit_list
    active
    OWNER
    owner Example
    content ssl-init
      protocol tcp
      vip address 172.16.1.100
      port 80
      add service DC1
      add service DC2
      add service DC3
      add service DC4
      advanced-balance arrowpoint-cookie
      active
  • Cisco 11503 | Configuration Guide - Page 239
    SSL module using a service of type ssl-init. • You must obtain the certificate of the CA that issued the SSL server's certificate. After you import and associate it, define the CA certificate as a cacert within the SSL proxy list so that the module can verify the back-end server's certificate against it.
  • Cisco 11503 | Configuration Guide - Page 240
    rsakey.pem
    ssl associate cert rsacert_association rsacert.pem
    ftp-record acct-ftp 192.168.7.241 root des-password ig5haaufqbnfuarb /tmp
    ftp-record config 192.168.1.241 root des-password 4f1bxangrgehjgka /users/rclement/ssl-init
  • Cisco 11503 | Configuration Guide - Page 241
    port 443
    add ssl-proxy-list SSLInit_list
    active
    service DC-SSL2
      type ssl-init
      ip address 192.168.7.10
      protocol tcp
      port 80
      slot 3
      keepalive type ssl
      keepalive port 443
      add ssl-proxy-list SSLInit_list
      active
  • Cisco 11503 | Configuration Guide - Page 242
    OWNER
    owner Example
    content ssl-init
      protocol tcp
      vip address 192.168.7.200
      port 80
      add service DC-SSL1
      add service DC-SSL2
      advanced-balance arrowpoint-cookie
      active
  • Cisco 11503 | Configuration Guide - Page 243
    algorithm, client-side connection 5-15; TCP Nagle algorithm, server-side connection 5-15; virtual client TCP inactivity timeout 5-12; virtual client TCP SYN timeout 5-12; virtual port 5-6. C: CA certificate, client authentication 4-16
  • Cisco 11503 | Configuration Guide - Page 244
    service 2-13; configuring CA certificate for client authentication 4-16; client authentication 4-15; configuring CRL record 4-17; content rule, back-end SSL service, SSL service 4-52; CRL record: assigning 4-19, configuring 4-17, displaying 7-14
  • Cisco 11503 | Configuration Guide - Page 245
    4-20; client certificate information 4-21; display fields 7-13; prefix 4-32; server certificate information 4-25; session information 4-30; static text string 4-32. I: importing SSL keys and certificates 3-14; initiation, SSL 6-1
  • Cisco 11503 | Configuration Guide - Page 246
    for SSL Acceleration Module 4-50; keepalive, configuring for SSL. P: password for imported certificates/keys 3-15. Q: quick start: RSA certificate and key generation 2-2; RSA certificate and server service and content rule 2-17, 2-19, 2-21
  • Cisco 11503 | Configuration Guide - Page 247
    keys and certificates 3-4; global site certificate, preparing 3-11; handshake negotiation 4-38; HTTP 300-series redirects 4-34; importing/exporting certificates and keys 3-14; initiation 6-1; key pairs 3-20, 7-4, 7-5, 7-7, 7-8
  • Cisco 11503 | Configuration Guide - Page 248
    activating 6-28; service, configuring 6-24; service, creating 6-25; service, suspending 6-29; service IP address, configuring 6-25; session cache timeout, configuring 6-11; session ID cache size 6-28; SSL module slot, specifying 6-26
  • Cisco 11503 | Configuration Guide - Page 249
    header insertion 4-32. T: TCP FIN message terminating client connection 4-34; TCP Nagle algorithm: client-side connection 6-15, server-side connection 6-17; terminating client connection 4-34; troubleshooting SSL initiation 6-30
  • Cisco 11503 | Configuration Guide - Page 250
    service type 4-48; activating service 4-51, 5-21; cipher suites 4-11; configuration quick start 2-6; configuring content rule 4-52; configuring to a service 4-49; Diffie-Hellman parameter file association 4-10; DSA certificate port 4-7