Home » Cisco Manuals » Bridges & Routers » Cisco CSS-11154-AC » Manual Viewer

Cisco CSS-11154-AC Configuration Guide - Page 95

Supporting Other Secure Protocols, Example: Configuring a Secure Mail Server, Supporting FIPS

Add to My Manuals
Save this manual to your list of manuals

Page 95 highlights

Chapter 4 Using the Configuration Manager Supporting Other Secure Protocols Supporting Other Secure Protocols Along with SSL, Cisco Secure Content Accelerator devices can support other secure protocols using TLS v1.0, SSL v2.0, and SSL v3.0. IMAPS, POP3S, NNTPS, and LDAPS are some examples. The steps below show how to configure the SSL appliance for setting up a secure server to process only POP3S (S-POP) mail. Example: Configuring a Secure Mail Server Note The steps in this example are abbreviated to show only relevant changes from the standard SSL server setup. 1. Initiate a management session as described above. Enter Privileged and Configuration modes. Enter a default router. Enter SSL Configuration mode. 2. Enter Server Configuration mode and create a server named mySecureMail. Assign an IP address and netmask. Assign port 995 for monitoring for POP3S (S-POP) connections and port 110 for sending clear text. Assign the appropriate key, certificate, and security policy. Return to Privileged mode. (config-ssl[myDevice])# server mySecureMail create (config-ssl-server[myServer])# sslport 995 (config-ssl-server[myServer])# remoteport 110 (config-ssl-server[myServer])# finished SCA# 3. Save the configuration to flash memory. If not saved, the configuration is lost during a power cycle or when the reload command is used. SCA# write flash SCA# Supporting FIPS Refer to Chapter 6, FIPS Operation, for instructions to use the Secure Content Accelerator in FIPS-compliant operation mode. 78-13124-06 Cisco 11000 Series Secure Content Accelerator Configuration Guide 4-27

Section	Page
Cover Page	1
Contents	5
List of Figures	25
List of Tables	29
About This Guide	31
How to Use This Guide	31
Symbols and Conventions	33
Obtaining Documentation	35
Cisco.com	35
Documentation CD-ROM	35
Ordering Documentation	35
Documentation Feedback	36
Obtaining Technical Assistance	37
Cisco.com	37
Technical Assistance Center	37
Cisco TAC Website	38
Cisco TAC Escalation Center	39
Obtaining Additional Publications and Information	39
1 Overview	41
Product Overview	42
Secure Content Accelerator Versions	43
2 Installing the Hardware and Software	45
Site Requirements	46
Required Tools and Equipment	46
Shipment Contents	46
Unpacking the Secure Content Accelerator	47
Installing the Hardware	47
Installing as a Free-Standing Unit	48
Installing as a Rack-Mounted Unit	49
Panel Descriptions	49
Identifying SCA Models	52
Connecting to Power	52
Connecting to Ethernet	53
3 Using the QuickStart Wizard	55
Before You Begin	56
Initiating a Management Session	56
Serial Management and IP Address Assignment	56
Telnet	57
Starting the QuickStart Wizard	58
Using the QuickStart Wizard	59
Using the QuickStart Wizard with a Configured Appliance	68
4 Using the Configuration Manager	69
Overview	70
Configuration Security	71
Passwords	71
Access Lists	71
Factory Default Reset Password	72
Before You Begin	72
Initiating a Management Session	73
Serial Management and IP Address Assignment	73
Telnet	74
Configuring the Device	74
Example: Setting up Basic Device Parameters	75
Example: Setting up a Secure Server	76
Example: Setting up a Backend Server	78
Example: Setting up a Reverse-Proxy Server	79
Example: Configuring Secure URL Rewrite	80
Example: Configuring SNTP Servers	82
Example: Restricting Access using an Access List	83
Configuring an Ethernet Interface	84
Example: Saving a Configuration File	85
Step-Up Certificates and Server-Gated Cryptography	85
Configuring Certificate Groups	86
Example: Configuring a Certificate Group	86
Example: Importing Certificate Groups	88
Using Client and Server Certificate Authentication	89
Example: Configuring Server Certificate Authentication	89
Example: Configuring Client Certificate Authentication	91
Generating Keys and Certificates	92
Example: Generating an RSA Key	92
Example: Generating a Certificate	92
Supporting SNMP	93
Example: Configuring SNMP	93
Supporting RIP	94
Example: Configuring RIP	94
Supporting Other Secure Protocols	95
Example: Configuring a Secure Mail Server	95
Supporting FIPS	95
Working with Syslogs	96
Disabling SSL Versions	96
Enabling Keepalives	97
Setting the Idle-Timeout	99
5 Graphical User Interface Reference	101
Overview	102
Browser and System Support	102
Enabling Web Management	102
Restricting Access to Web Management	103
Starting the GUI	103
Configuring for Client-Side Access	104
Administrative Time Out	105
Web Management User Interface	105
General Configuration Examples	107
Example: Setting the Device Name (Hostname)	107
Example: Resetting the IP Address	108
Example: Configuring an Ethernet Interface	109
Example: Enabling RIP	110
Example: Adding a Route to the Routing Table	111
Example: Working with Syslogs	113
Example: Restricting Access using an Access List	114
Example: Reloading (Rebooting) the Appliance	117
Example: Setting an Enable Password	118
Example: Configuring SNMP	119
SSL Configuration Examples	122
Example: Setting up a Secure Server	122
Example: Creating and Using Certificate Groups	135
Example: Supporting Other Secure Protocols	137
Example: Generating an RSA Private Key	138
Example: Generating a Self-Signed Certificate	142
Example: Importing a PKCS#7 Certificate Group	146
Example: Importing a PKCS#12 Certificate Group	147
Running the Secure Server Wizard	148
6 FIPS Operation	149
FIPS Capabilities	150
Using FIPS Mode	150
Creating a Server in FIPS Mode	153
Command Changes	155
Unavailable Commands	155
Differing Command Behaviors	155
Returning to Normal Operation	157
More Information	158
A Specifications	159
Electrical Specifications	160
Environmental Specifications	160
Physical Specifications	161
B Deployment Examples	163
Single Device	164
Load Balancing	164
Use with the CSS	166
In-Line	166
One-Armed Non-Transparent Proxy	172
One-Armed Transparent Proxy	181
Connecting the Device to a Terminal Server	192
Web Site Changes	192
Transparent Local-Listen	193
C Command Summary	195
Input Data Format Specification	196
Text Conventions	196
Editing and Completion Features	197
Command Hierarchy	199
Configuration Security	200
Passwords	200
Access Lists	201
Factory Default Reset Password	201
Methods to Manage the Device	201
Initiating a Management Session	203
Serial Management and IP Address Assignment	203
Telnet	204
Command Listing	204
Top Level Command Set	225
Non-Privileged Command Set	225
clear screen	225
cls	225
enable	225
exit	226
help	226
monitor	227
paws	227
ping	227
quit	228
set monitor-interval	228
show arp	229
show copyrights	229
show cpu	229
show date	230
show device	230
show dns	231
show flows	231
show history	231
show interface	232
show interface errors	232
show interface statistics	233
show ip domain-name	234
show ip name-server	234
show ip routes	235
show ip statistics	235
show keepalive-monitor	235
show log	236
show memory	236
show messages	236
show netstat	237
show password	237
show password access	237
show password enable	238
show password idle-timeout	238
show processes	238
show rdate-server	239
show rip	239
show route	239
show sessions	240
show sntp	240
show sntp-server	240
show ssl	241
show ssl cert	241
show ssl certgroup	242
show ssl errors	243
show ssl key	248
show ssl secpolicy	248
show ssl server	249
show ssl session-stats	250
show ssl statistics	252
show ssl tcp-tuning	254
show syslog	255
show system-resources	255
show telnet	256
show terminal	256
show timezone	256
show version	257
show web-management	257
terminal baud	257
terminal history	258
terminal length	259
terminal pager	259
terminal reset	260
terminal width	260
traceroute	261
Privileged Command Set	262
clear interface statistics	262
clear ip routes	262
clear ip statistics	263
clear line	263
clear log	263
clear messages	264
clear ssl session-stats	264
clear ssl statistics	264
configure	265
copy running-configuration	265
copy running-configuration startup-configuration	266
copy startup-configuration	266
copy startup-configuration running-configuration	267
copy to flash	267
copy to running-configuration	268
copy to startup-configuration	268
disable	269
erase running-configuration	269
erase startup-configuration	269
fips enable	270
quick-start	270
refresh	271
reload	271
show access-list	271
show diagnostic-report	272
show running-configuration	273
show snmp	273
show startup-configuration	274
write flash	275
write memory	275
write messages	276
write network	276
write terminal	277
Configuration Command Set	278
access-list	278
clock	279
end	280
exit	280
finished	280
help	281
hostname	281
interface	282
ip address	282
ip domain-name	283
ip name-server	283
ip route	284
ip route default	285
keepalive-monitor	285
mode one-port	286
mode pass-thru	286
password	286
rdate-server	287
registration-code	288
rip	288
no snmp	289
snmp access-list	290
snmp contact	291
snmp default community	291
snmp enable	292
snmp location	293
snmp trap-host	294
snmp trap-type enterprise	295
snmp trap-type generic	296
sntp interval	297
sntp server	298
ssl	298
syslog	299
telnet access-list	300
telnet enable	301
telnet port	301
timezone	302
web-mgmt access-list	302
web-mgmt enable	303
web-mgmt port	304
Interface Configuration Command Set	305
auto	305
duplex	305
end	305
finished	306
help	306
speed	306
SSL Configuration Command Set	307
backend-server	307
cert	308
certgroup	309
end	310
exit	310
finished	310
gencsr	310
help	311
import pkcs12	312
import pkcs7	312
key	313
reverse-proxy-server	314
secpolicy	315
server	316
tcp-tuning	316
Backend Server Configuration Command Set	318
activate	318
certgroup serverauth	318
end	319
exit	319
finished	319
help	320
info	320
ip address	320
keepalive enable	321
keepalive frequency	321
keepalive maxfailure	322
localport	322
log-url	323
remoteport	323
secpolicy	324
serverauth domain-name	325
serverauth enable	325
serverauth ignore	326
session-cache enable	326
session-cache size	327
session-cache timeout	327
sslv2 enable	328
sslv3 enable	328
suspend	329
tcp-tuning	329
tlsv1 enable	330
transparent	330
urlrewrite	331
Certificate Configuration Command Set	332
binhex	332
der	332
end	333
exit	333
finished	333
help	333
info	334
pem	334
pem-paste	334
Certificate Group Configuration Command Set	336
cert	336
end	336
exit	337
finished	337
help	337
info	338
Key Configuration Command Set	339
binhex	339
der	339
end	340
exit	340
finished	340
genrsa	340
help	341
info	342
net-iis	342
pem	342
pem-paste	343
Reverse-Proxy Server Configuration Command Set	344
activate	344
certgroup serverauth	344
end	345
exit	345
finished	346
help	346
info	346
localport	347
log-url	347
secpolicy	348
serverauth enable	349
serverauth ignore	349
session-cache enable	350
session-cache size	350
session-cache timeout	351
sslv2 enable	351
sslv3 enable	352
suspend	352
tcp-tuning	353
tlsv1 enable	353
urlrewrite	354
Security Policy Configuration Command Set	355
crypto	355
end	357
exit	357
finished	358
help	358
info	358
Server Configuration Command Set	359
activate	359
cert	359
certgroup chain	360
certgroup clientauth	361
clientauth enable	361
clientauth error	362
clientauth verifydepth	363
end	364
ephemeral error	364
ephrsa	365
exit	365
finished	365
help	366
httpheader	366
info	369
ip address	369
keepalive enable	370
keepalive frequency	370
keepalive maxfailure	371
key	371
localport	372
log-url	372
remoteport	373
secpolicy	374
session-cache enable	375
session-cache size	375
session-cache timeout	376
sharedcipher error	376
sslport	377
sslv2 enable	377
sslv3 enable	378
suspend	378
tcp-tuning	379
tlsv1 enable	379
transparent	380
urlrewrite	381
TCP Tuning Configuration Command Set	383
2msltime	383
delay-ack	384
finwt2time	385
keepalive	385
keepalive-cnt	386
keepalive-intv	387
max-rexmit	387
maxrt	388
maxseg	388
mtu	389
nodelay	390
nopush	390
probe-max	391
probe-min	392
push-all	393
rto-def	393
rto-max	394
rto-min	395
slow-start	396
stdurg	396
ts	397
wnd-scale	398
D MiniMax Command Summary	399
Text Conventions	400
Getting Help	401
Examples	402
Configuring Basic Device Parameters	402
Installing a Firmware Image (Netcat)	403
Installing a Firmware Image (Xmodem)	404
Extracting a Device Configuration	406
Resetting the Environment to Factory Defaults	407
Command Set	409
? (question mark)	409
baud	409
boot	409
cat	409
do	410
eaddr	410
env	411
help	412
hinv	412
ifconfig	412
ip	412
ls	413
netstat	413
printenv	413
rdate-server	413
reboot	414
resetenv	414
rm	414
sbridge	414
show	415
version	416
zap	416
E Troubleshooting	417
Troubleshooting the Hardware	418
F SSL Introduction	425
Introduction to SSL	426
Port Blocking Mechanism	426
Before You Begin	428
Using Existing Keys and Certificates	428
Apache mod_SSL	429