Cisco 11503 - CSS Content Services Switch Configuration Manual

Cisco Content Services Switch SSL
Configuration Guide
Software Version 7.40
August 2004
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel:
408 526-4000
800 553-NETS (6387)
Fax:
408 526-4100
Text Part Number: OL-5655-01

  • Page 3: Table Of Contents

    Obtaining Additional Publications and Information; Chapter 1, Overview of CSS SSL: SSL Cryptography Overview, SSL Public Key Infrastructure Overview, Confidentiality, Authentication, Message Integrity, SSL Module Cryptography Capabilities
  • Page 4 Generating an RSA Key Pair; Generating a DSA Key Pair; Generating Diffie-Hellman Key Parameters; Using an RSA Key to Generate a Certificate Signing Request; Generating a Self-Signed Certificate (3-10); Preparing a Global Site Certificate (3-11)
  • Page 5 Specifying the DSA Key Pair Name (4-10); Specifying the Diffie-Hellman Parameter Filename (4-10); Specifying Cipher Suites (4-11); Configuring Client Authentication (4-15); Enabling Client Authentication (4-16); Specifying CA Certificates for Client Certificate Verification (4-16)
  • Page 6 Specifying the SSL Acceleration Service Type (4-48); Adding an SSL Proxy List to an SSL Termination Service (4-49); Specifying the SSL Module Slot (4-49); Disabling Keepalive Messages for the SSL Module (4-50)
  • Page 7 Specifying a TCP SYN Timeout Value for a Server-Side Connection (5-13); Specifying a TCP Inactivity Timeout for a Server-Side Connection (5-14); Specifying the Nagle Algorithm for SSL TCP Connections (5-15); Specifying the TCP Buffering for SSL TCP Connections (5-16)
  • Page 8 Configuring the SSL Server IP Address; Configuring the SSL Server Port; Configuring SSL Version; Configuring the Available Cipher Suites; Configuring SSL Session Cache Timeout (6-11); Configuring SSL Session Handshake Renegotiation (6-11)
  • Page 9 Adding an SSL Proxy List to an SSL Initiation Service (6-26); Specifying the SSL Module Slot (6-26); Configuring the SSL Initiation Service Keepalive Type (6-27); SSL Session ID Cache Size (6-28); Activating the SSL Service (6-28); Suspending the SSL Service (6-29)
  • Page 10 SSL Full Proxy Configuration — One SSL Module (8-17); SSL Initiation Configurations (8-21); SSL Tunnel to Four Data Centers (8-21); SSL Tunnel to One Data Center with Server Authentication (8-25); Index
  • Page 11 Figures: Full Proxy Configuration Using a Single SSL Module (8-18); Figure 8-7 SSL Initiation Between a CSS and Four Data Centers (8-22); Figure 8-8 SSL Initiation Between a CSS and One Data Center (8-26)
  • Page 13 Tables: Table 7-7 Field Descriptions for the show ssl-proxy-list Command (7-10); Table 7-8 Field Descriptions for the show ssl-proxy-list Command (7-10); Table 7-9 Field Descriptions for the show ssl crl-record Command (7-14)
  • Page 14 Table 7-10 Field Descriptions for the show ssl urlrewrite Command (7-15); Table 7-11 Field Descriptions for the show ssl statistics Command (7-17); Table 7-12 Field Descriptions for the show ssl flows Command (7-25)
  • Page 15: Preface

    Preface This guide provides instructions for configuring the SSL features of the Cisco 11500 Series Content Services Switches (CSS). Information in this guide applies to all CSS models except where noted. The CSS software is available in a Standard or optional Enhanced feature set.
  • Page 16: Audience

    Configure the CSS and the SSL Acceleration Module to accept SSL-encrypted data from a client, decrypt the data to make a load-balancing decision, then re-encrypt the data and send it to a back-end SSL server.
  • Page 17: Related Documentation

    Release Note for the Cisco 11500 Series Content Services Switch: provides information on operating considerations, caveats, and command line interface (CLI) commands for the Cisco 11500 series CSS.
    Cisco 11500 Series Content Services Switch guide: provides information for installing, cabling, and powering the Cisco 11500 series CSS.
  • Page 18 User profile and CSS parameters; SNMP; RMON; XML documents to configure the CSS; CSS scripting language; Offline Diagnostic Monitor (Offline DM) menu
  • Page 19 Source groups; Loads for services; Dynamic Feedback Protocol (DFP); Owners; Content rules; Sticky parameters; HTTP header load balancing; Content caching; Content replication
  • Page 20 Cisco Content Services Switch Device Management User's Guide: describes how to use the Device Management user interface, an HTML-based Web application that you use to configure and manage your CSS.
  • Page 21: Symbols And Conventions

    An alphabetical list indicates that the order of the secondary list items is important. A bulleted list indicates that the order of the list topics is unimportant. An indented list indicates that the order of the list subtopics is unimportant.
  • Page 22: Obtaining Documentation

    Obtaining Documentation Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems. Cisco.com You can access the most current Cisco documentation at this URL: http://www.cisco.com/univercd/home/home.htm...
  • Page 23: Documentation Feedback

    The website is available 24 hours a day, 365 days a year at this URL: http://www.cisco.com/techsupport Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL: http://tools.cisco.com/RPF/register/register.do...
  • Page 24: Submitting A Service Request

    For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
  • Page 25: Obtaining Additional Publications And Information

    Visit Cisco Marketplace, the company store, at this URL: http://www.cisco.com/go/marketplace/ The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL: http://cisco.com/univercd/cc/td/doc/pcat/ ...
  • Page 26 Preface, Obtaining Additional Publications and Information: iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions.
  • Page 27: Chapter 1 Overview Of Css Ssl

    SSL module. In this case, the client indicates an SSL version of 3.0 in the version 2.0 ClientHello, which informs the SSL module that the client can support SSL version 3.0. The SSL module returns a version 3.0 ServerHello message.
  • Page 28: Ssl Public Key Infrastructure Overview

    Internet-based e-business applications. These elements include confidentiality, authentication, and message integrity.
  • Page 29: Confidentiality

    (shared) key. The most common key agreement algorithm is the Diffie-Hellman algorithm. Diffie-Hellman depends on a set of public parameters; the client and the server each exchange a public value derived from those parameters and then compute the same shared key locally, so the shared key itself is never transmitted.
  • Page 30: Authentication

    A message digest is a function that takes an arbitrary-length message and outputs a fixed-length string that is characteristic of the message.
  • Page 31 (DSS). DSA and DSS can be used interchangeably. DSA relies on the same discrete-logarithm mathematics as Diffie-Hellman and requires similar domain parameters to generate keys. Additionally, DSS is restricted to the Secure Hash Algorithm 1 (SHA-1) message digest.
  • Page 32: Ssl Module Cryptography Capabilities

    Hash types: SSL MAC-MD5, SSL MAC-SHA1. See Table 4-1 in Chapter 4, Configuring SSL Termination, for a list of supported cipher suites and hash types.
  • Page 33: Overview Of The Ssl Module Functions In The Css

    3 MB of storage space on the disk. The CSS stores all certificate- and key-related files in a secure location on the disk. When processing connections, the CSS loads the certificates and keys into volatile memory on the SSL module for faster access.
  • Page 34: Ssl Termination

    CSS for a decision on load balancing. The CSS transmits the data as clear text to an HTTP server. For more information about SSL termination in the CSS, see Chapter 4, Configuring SSL Termination.
  • Page 35: Client Authentication

    During a typical SSL handshake between a client and a server, the client does not send a certificate, as shown in Figure 1-1.
    Figure 1-1 SSL Handshake Without Client Authentication. Client: ClientHello. Server: ServerHello, Certificate, ServerHelloDone. Client: ClientKeyExchange, ChangeCipherSpec, Finished. Server: ChangeCipherSpec, Finished.
  • Page 36: Figure 1-2 Ssl Handshake With Client Authentication

    This ensures that the client possesses the key pair that was used to generate the certificate and is not passing someone else's certificate. However, the CSS can check whether the issuer signature is authentic.
  • Page 37: Back-End Ssl

    On the outbound flow from the CSS, the SSL module responds in the reverse direction and sends the encrypted data from the server back to the client. For more information about back-end SSL in the CSS, see Chapter 5, Configuring Back-End SSL.
  • Page 38: Ssl Initiation

    Chapter 6, Configuring SSL Initiation. For more detailed information on the SSL module functions, see the "Processing of SSL Flows by the SSL Module" section in Chapter 8, Examples of CSS SSL Configurations.
  • Page 39: Chapter 2 Ssl Configuration Quick Starts

    To configure SSL initiation, perform the following quick start procedures: SSL Initiation Proxy List Quick Start (Table 2-5); SSL Initiation Service Quick Start (Table 2-8); SSL Initiation Content Rule Quick Start (Table 2-9).
  • Page 40: Rsa Certificate And Key Generation Quick Start

    (config)# ssl genrsa CSSrsakey1 1024 "passwd123"
    Please be patient this could take a few minutes
    The 1024 is the modulus length in bits. A 1024-bit RSA key is considered too weak for production use today; choose the largest modulus your CSS software release supports. Associate the generated RSA key pair with a file.
    (config)# ssl associate rsakey myrsakey1 CSSrsakey1
  • Page 41 The CSR prompts and example answers (the default is shown in brackets):
    Country Name (2 letter code) [US]US
    State or Province (full name) [SomeState]New York
    Locality Name (city) [SomeCity]Albany
    Organization Name (company name) [Acme Inc]Cisco Systems, Inc.
    Organizational Unit Name (section) [Web Administration]Web Admin
    Common Name (your domain name) [www.acme.com]www.cisco.com
    Email address [webadmin@acme.com]webadmin@cisco.com...
  • Page 42 Make sure that there is a single new line between the server and intermediate certificates. Save the file. Import the certificate into the CSS using the steps in the "RSA Certificate and Key Import Quick Start" section.
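    The chain-file step above is easy to get wrong by hand: CA portals prepend banner text, Windows editors leave CRLF endings, and a truncated paste imports as garbage. The following Python script, an added example that is not part of the Cisco guide, assembles and lints such a file. It assumes the layout the text describes (server certificate first, then the intermediate, with the END line of one block followed by exactly one newline and then the BEGIN line of the next); the certificate bodies it uses are constructed placeholders, not real certificates.

```python
"""Assemble and lint a server + intermediate certificate chain file for
import into the CSS.  Added example, not Cisco code.  Assumed layout: server
certificate first, then the intermediate(s); the END line of one block is
followed by exactly one newline and then the next BEGIN line (no blank line,
no stray text, LF endings).  The certificate bodies below are constructed
placeholders, not real certificates."""
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)


def extract_certificates(text):
    """Return every certificate in *text* as a clean, re-wrapped PEM block.

    Banner text outside the BEGIN/END markers and CRLF endings are dropped,
    and the base64 body is validated so a truncated or corrupted paste is
    rejected instead of being imported (binascii.Error is a ValueError).
    """
    certs = []
    for match in PEM_BLOCK.finditer(text):
        body = re.sub(r"\s+", "", match.group(1))
        base64.b64decode(body, validate=True)
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        certs.append("\n".join([BEGIN, *lines, END]))
    return certs


def build_chain(server_pem, intermediate_pem):
    """Concatenate the server certificate and the intermediate(s) in CSS order."""
    server = extract_certificates(server_pem)
    if len(server) != 1:
        raise ValueError("expected exactly one server certificate, found %d" % len(server))
    intermediates = extract_certificates(intermediate_pem)
    if not intermediates:
        raise ValueError("no intermediate certificate found")
    return "\n".join(server + intermediates) + "\n"


def chain_problems(chain_text):
    """Lint an existing chain file; return a list of findings (empty = acceptable)."""
    problems = []
    if "\r" in chain_text:
        problems.append("CRLF line endings present; convert to LF")
    if END + "\n\n" + BEGIN in chain_text:
        problems.append("blank line between certificates; use a single newline")
    if PEM_BLOCK.sub("", chain_text).strip():
        problems.append("text outside the BEGIN/END markers")
    if len(PEM_BLOCK.findall(chain_text)) < 2:
        problems.append("fewer than two certificates; intermediate missing?")
    return problems


def _placeholder(label):
    """Constructed PEM block with a fake body standing in for a real certificate."""
    body = base64.b64encode(label.encode() * 6).decode()
    return "%s\n%s\n%s\n" % (BEGIN, body, END)


# Constructed inputs: a CA-portal style paste with a banner line and CRLF endings.
SERVER_PEM = ("Subject: CN=www.cisco.com\r\n"
              + _placeholder("server-cert-placeholder:").replace("\n", "\r\n"))
INTERMEDIATE_PEM = _placeholder("intermediate-ca-placeholder:")

if __name__ == "__main__":
    chain = build_chain(SERVER_PEM, INTERMEDIATE_PEM)
    print(chain)
    print(chain_problems(chain))
```

    Run it against the two PEM files the CA returned, write the result to the file you will import, and only then transfer it with the SFTP procedure described later in the guide.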
  • Page 43: Rsa Certificate And Key Import Quick Start

    Compare the public key in the associated certificate with the public key stored with the associated private key and verify that they are identical.
    (config)# ssl verify myrsacert1 myrsakey1
    Certificate myrsacert1 matches key myrsakey1
  • Page 44: Ssl Proxy List Quick Start

    SSL server entry in an SSL proxy list for an RSA certificate and key pair. For information on configuring client authentication, see "Configuring Client Authentication" in Chapter 4, Configuring SSL Termination.
  • Page 45: Table 2-3 Ssl Termination Proxy List Quick Start

    192.168.3.6 8080 weight 5
    (Optional) Configure URL rewrite for the domain so that HTTP 300-series redirects from the clear-text server are rewritten to the secure URL, rather than sending the client to a nonsecure http:// address.
    (config-ssl-proxy-list[ssl_list1])# ssl-server 20 urlrewrite 22 www.mydomain.com
  • Page 46: Back-End Ssl Proxy List Quick Start

    SSL connection to the server. You must configure back-end SSL with SSL termination. For the SSL termination quick start procedure, see the "SSL Termination Proxy List Quick Start" section.
  • Page 47: Table 2-4 Back-End Ssl Proxy List Quick Start

    If necessary, assign a specific cipher suite to be used with the back-end SSL server; the suite determines which certificate type (for example, RSA) and key the server must have:
    (config-ssl-proxy-list[ssl_list1])# backend-server 1 cipher rsa-export-with-rc4-40-md5
    The suite shown is an export-grade 40-bit RC4 suite and illustrates only the syntax; for a real deployment choose a suite from Table 4-1 without "export" or "rc4" in its name, such as rsa-with-3des-ede-cbc-sha. Activate the completed SSL proxy list.
    (config-ssl-proxy-list[ssl_list1])# active
  • Page 48: Ssl Initiation Proxy List Quick Start

    SSL proxy list to allow the SSL module to encrypt the data and initiate an SSL connection with the server. Table 2-5 provides an overview of the steps required to create an SSL initiation proxy list.
  • Page 49: Table 2-5 Ssl Initiation Proxy List Quick Start

    (config-ssl-proxy-list[ssl_list1])# backend-server 1 server-port 40443
    Note: If you configure the backend-server number ip address and server-ip commands with the same address, configure the backend-server number port and server-port commands with different port numbers.
  • Page 50
    1 port 8080
    backend-server 1 server-ip 192.168.2.3
    backend-server 1 server-port 40443
    backend-server 1 cipher rsa-with-rc4-128-md5 weight 10
    backend-server 1 rsacert myrsacert
    backend-server 1 rsakey myrsakey
    backend-server 1 cacert mycert1
    active
  • Page 51: Ssl Service And Content Rule Quick Start

    Disable the CSS from sending keepalive messages to the service.
    (config-service[ssl_serv1])# keepalive type none
    Add the SSL proxy list to the SSL service.
    (config-service[ssl_serv1])# add ssl-proxy-list ssl_list1
    Activate the SSL service.
    (config-service[ssl_serv1])# active
  • Page 52 Save the running configuration to the startup configuration so that the changes survive a reboot.
    # copy running-config startup-config
    Continue to Table 2-7 if your configuration includes back-end SSL or Table 2-8 if your configuration includes SSL initiation.
  • Page 53: Back-End Ssl Service And Content Rule Quick Start

    Specify ssl-accel-backend as the service type.
    (config-service[ssl_serv2])# type ssl-accel-backend
    Configure a virtual IP (VIP) address for the back-end server. The IP address must match the IP address configured for the back-end server.
    (config-service[ssl_serv2])# vip address 192.168.4.4
  • Page 54 Specify a TCP port number for the content rule. Ensure the port number is the same as the virtual TCP port specified for the back-end SSL entry in the SSL proxy list.
    (config-owner-content[ssl_backend_rule1])# port 8080
  • Page 55
    192.168.4.4
    port 8080
    keepalive type ssl
    keepalive port 443
    add ssl-proxy-list ssl_list1
    active
    !*************************** OWNER ***************************
    owner ssl_owner
    content ssl_backend_rule1
  • Page 56: Ssl Initiation Service Quick Start

    See the "SSL Initiation Proxy List Quick Start" section.
    (config-service[ssl_serv1])# ip address 192.168.2.3
    Configure the service port. The service port must match the SSL initiation back-end server port.
    (config-service[ssl_serv1])# port 8080
  • Page 57 The following running-configuration example shows the results of entering the commands in Table 2-8.
    !************************** SERVICE **************************
    service ssl-serv2
    type ssl-init
    ip address 192.168.2.3
    port 8080
    slot 5
    keepalive type ssl
    keepalive port 40443
    add ssl-proxy-list ssl_list1
    active
  • Page 58: Ssl Initiation Content Rule Quick Start

    Add the SSL service to the content rule.
    (config-owner-content[ssl_backend_rule1])# add service ssl_serv2
    Activate the content rule.
    (config-owner-content[ssl_backend_rule1])# active
    Save the running configuration to the startup configuration so that the changes survive a reboot.
    # copy running-config startup-config
  • Page 59 The following running-configuration example shows the results of entering the commands in Table 2-9.
    !*************************** OWNER ***************************
    owner ssl_owner
    content ssl_init_rule1
    vip address 192.168.2.3
    port 80
    url "/*"
    advanced-balance arrowpoint-cookie
    add service ssl_serv1
    active
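    The quick starts spell out several values that must agree across the proxy list, the service and the content rule: the same-address/different-port rule in Table 2-5, the initiation service port matching the back-end server port, and the back-end SSL content rule port matching the proxy list's virtual port. The Python script below, an added example that is not part of the Cisco guide, parses a running-config in the format of the listings above and reports violations. The "add ssl-proxy-list" / "add service" reference checks are this example's own addition, and the configuration text it runs on is constructed after the listings, not taken from a real CSS.

```python
"""Cross-check a CSS running-config against the quick-start rules.  Added
example, not Cisco code.  Rules: a backend-server whose 'ip address' equals
its 'server-ip' needs different 'port'/'server-port' values; an ssl-init
service's port must equal a backend-server port in its proxy list; an
ssl-accel-backend content rule's port must equal such a port.  The reference
checks and the sample configuration are this example's own constructions."""
import shlex


def _set(attrs, tok):
    """Store one attribute line; two-word keys such as 'ip address' are kept
    whole and repeatable 'add ...' lines are collected into a list."""
    if tok[0] == "add":
        attrs.setdefault("add " + tok[1], []).append(tok[2])
    elif len(tok) >= 3 and tok[1] in ("address", "port", "type"):
        attrs[" ".join(tok[:2])] = " ".join(tok[2:])
    else:
        attrs[tok[0]] = " ".join(tok[1:])


def parse_running_config(text):
    """Return (proxy_lists, services, contents) as dicts of attribute dicts."""
    proxy_lists, services, contents = {}, {}, {}
    block = owner = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):       # blank and comment lines
            continue
        tok = shlex.split(line)
        if tok[0] == "ssl-proxy-list":
            block = proxy_lists.setdefault(tok[1], {"servers": {}})
        elif tok[0] == "service":
            block = services.setdefault(tok[1], {})
        elif tok[0] == "owner":
            owner = tok[1]
        elif tok[0] == "content":
            block = contents.setdefault("%s/%s" % (owner, tok[1]), {})
        elif tok[0] in ("backend-server", "ssl-server"):
            entry = block["servers"].setdefault(tok[1], {})
            if len(tok) > 2:
                _set(entry, tok[2:])
        elif block is not None:
            _set(block, tok)
    return proxy_lists, services, contents


def _virtual_ports(proxy_lists, names):
    """Client-facing ports of the backend-server entries in the named lists."""
    return {s.get("port") for n in names if n in proxy_lists
            for s in proxy_lists[n]["servers"].values()}


def consistency_findings(text):
    """Return the rule violations found in a running-config text."""
    proxy_lists, services, contents = parse_running_config(text)
    findings = []
    for lname, plist in proxy_lists.items():
        for idx, s in plist["servers"].items():
            if (s.get("ip address") and s.get("ip address") == s.get("server-ip")
                    and s.get("port") == s.get("server-port")):
                findings.append("%s backend-server %s: same ip address and server-ip, "
                                "so port and server-port must differ" % (lname, idx))
    for sname, svc in services.items():
        lists = svc.get("add ssl-proxy-list", [])
        for lname in lists:
            if lname not in proxy_lists:
                findings.append("service %s adds unknown ssl-proxy-list %s" % (sname, lname))
        if svc.get("type") == "ssl-init" and svc.get("port") not in _virtual_ports(proxy_lists, lists):
            findings.append("service %s port %s matches no backend-server port in %s"
                            % (sname, svc.get("port"), ", ".join(lists)))
    for cname, rule in contents.items():
        for sname in rule.get("add service", []):
            svc = services.get(sname)
            if svc is None:
                findings.append("content %s adds unknown service %s" % (cname, sname))
            elif (svc.get("type") == "ssl-accel-backend" and rule.get("port")
                    not in _virtual_ports(proxy_lists, svc.get("add ssl-proxy-list", []))):
                findings.append("content %s port %s matches no backend-server port for service %s"
                                % (cname, rule.get("port"), sname))
    return findings


# Constructed running-config modelled on the quick-start listings (not from a real CSS).
SAMPLE_CONFIG = """\
ssl-proxy-list ssl_list1
  backend-server 1 ip address 192.168.2.3
  backend-server 1 port 8080
  backend-server 1 server-ip 192.168.2.3
  backend-server 1 server-port 40443
service ssl_serv1
  type ssl-init
  ip address 192.168.2.3
  port 8080
  add ssl-proxy-list ssl_list1
owner ssl_owner
  content ssl_init_rule1
    vip address 192.168.2.3
    port 80
    add service ssl_serv1
"""

# The same configuration with three mistakes introduced for the checker to catch.
BROKEN_CONFIG = (SAMPLE_CONFIG
                 .replace("server-port 40443", "server-port 8080")
                 .replace("  port 8080\n  add", "  port 8081\n  add")
                 .replace("add service ssl_serv1", "add service ssl_serv2"))

if __name__ == "__main__":
    print(consistency_findings(SAMPLE_CONFIG))
    for finding in consistency_findings(BROKEN_CONFIG):
        print(finding)
```

    Feed it the output of show running-config; an empty list means the cross-references the quick starts require are satisfied.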
  • Page 61: Chapter 3 Configuring Ssl Certificates And Keys

    CA. This certificate also can verify that a certificate revocation list (CRL) originated from the CA. This CA certificate includes the CA distinguished name, public key, and digital signature.
  • Page 62 CSS, and enforce strong password policies for those user modes; the certificate and key files are only as protected as the administrative accounts that can read them. For more information, refer to the Cisco Content Services Switch Command Reference, Chapter 2, CLI Commands, the "(config) username-technician" section.
  • Page 63: Figure 3-1 Ssl Key And Server Certificate Configuration Overview

    CSS to recognize it as a certificate. Verify that the public key in the key pair association matches the public key in the certificate association. Now you can configure the CSS SSL proxy list, service, and content rule.
  • Page 64: Generating Certificates And Private Keys In The Css

    Generating an RSA Key Pair; Generating a DSA Key Pair; Generating Diffie-Hellman Key Parameters; Using an RSA Key to Generate a Certificate Signing Request; Generating a Self-Signed Certificate
  • Page 65: Generating An Rsa Key Pair

    You can then create a temporary certificate for internal testing until the CA responds to the certificate request and returns the authentic certificate. Each generated key pair must be accompanied by a certificate to work.
  • Page 66: Generating A Dsa Key Pair

    Please be patient this could take a few minutes
    You must also associate a DSA key pair name with the generated DSA key pair as discussed in the "Associating Certificate and Private Key Files with Names" section of this chapter.
  • Page 67: Generating Diffie-Hellman Key Parameters

    DES-encoded string. For example, to generate the Diffie-Hellman key parameter list dhparamfile2, enter:
    (config)# ssl gendh dhparamfile2 512 "passwd123"
    Please be patient this could take a few minutes
    The 512 is the parameter length in bits. 512-bit Diffie-Hellman groups can be broken with modest resources and should not be used for production traffic; generate the longest parameters your CSS software release allows.
  • Page 68: Using An Rsa Key To Generate A Certificate Signing Request

    Country Name (2 letter code) [US]US
    State or Province (full name) [SomeState]New York
    Locality Name (city) [SomeCity]Albany
    Organization Name (company name) [Acme Inc]Cisco Systems, Inc.
    Organizational Unit Name (section) [Web Administration]Web Admin
    Common Name (your domain name) [www.acme.com]www.cisco.com
    Email address [webadmin@acme.com]webadmin@cisco.com...
  • Page 69 While this produces a valid certificate, browsers flag a self-signed certificate as signed by an unrecognized signing authority, so it is suitable only for testing. To generate a temporary certificate, see the "Generating a Self-Signed Certificate" section.
  • Page 70: Generating A Self-Signed Certificate

    "password" - The password used to encode the certificate file using DES (Data Encryption Standard) before it is stored as a file on the CSS. Encoding the file deters casual reading of the imported certificate and private key, but DES is a 56-bit cipher and the encoding should not be relied on as the only protection: restrict administrative access to the CSS disk as well.
  • Page 71: Preparing A Global Site Certificate

    Country Name (2 letter code) [US]US
    State or Province (full name) [SomeState]New York
    Locality Name (city) [SomeCity]Albany
    Organization Name (company name) [Acme Inc]Cisco Systems, Inc.
    Organizational Unit Name (section) [Web Administration]Web Admin
    Common Name (your domain name) [www.acme.com]www.cisco.com
    Email address [webadmin@acme.com]webadm@cisco.com...
  • Page 72: Importing Or Exporting Certificates And Private Keys

    Private Keys in the CSS" section. To transfer these files, Cisco Systems recommends that you use a secure, encrypted transport mechanism between the CSS and the remote server. The CSS supports the Secure Shell protocol (SSHv2), which provides encrypted communication between two hosts over an insecure network.
  • Page 73: Keys

    CSS disk. For details about using the ftp-record command to create an SFTP or FTP record file to use when accessing the server from the CSS, refer to the Cisco Content Services Switch Administration Guide.
  • Page 74: Transferring Certificates And Private Keys To The Css

    protocol - The type of protocol used to transfer the certificate and private key file. The valid entries are sftp or ftp. Cisco Systems recommends SFTP for the transport mechanism because it provides the most security; FTP sends both the login credentials and the key file in clear text.
    ftp_record - The name of the previously-created FTP record containing the ...
  • Page 75
    # copy ssl sftp ssl_record import rsacert.pem PEM "passwd123"
    Connecting
    Completed successfully
    For example, to import the rsakey.pem private key from a remote server to the CSS, enter:
    # copy ssl sftp ssl_record import rsakey.pem PEM "passwd123"
    Connecting
    Completed successfully
  • Page 76: Associating Certificate And Private Key Files With Names

    Associating an RSA Key Pair with a File; Associating a DSA Key Pair with a File; Associating Diffie-Hellman Parameters with a File; Verifying a Certificate Against a Key Pair
  • Page 77: Associating A Certificate With A File

    Use the no form of the command to remove the association with the file. The syntax for this command is:
    ssl associate rsakey keyname filename
  • Page 78: Associating A Dsa Key Pair With A File

    128 characters. To see a list of imported or generated DSA keys, use the ssl associate dsakey keyname ? command. For example, to associate the DSA key name mydsakey1 with the imported dsakey.pem, enter:
    (config)# ssl associate dsakey mydsakey1 dsakey.pem
  • Page 79: Associating Diffie-Hellman Parameters With A File

    (config)# no ssl associate dhparam mydhparam1
    Note: The no form of the command does not function if the associated Diffie-Hellman parameter list is in use by an active SSL proxy list.
  • Page 80: Verifying A Certificate Against A Key Pair

    (see the "Associating Certificate and Private Key Files with Names" section). The syntax for this global configuration mode command is:
    clear ssl file filename password
  • Page 81 CSS. This password must be an exact match or the file cannot be cleared. For example, to remove dsacert.pem from the CSS, enter:
    # clear ssl file dsacert.pem "passwd123"
  • Page 83: Configuring Ssl Termination

    CSS for a decision on load balancing. The CSS transmits the data as clear text either to an HTTP server or back to the SSL module for encryption to a configured back-end SSL server.
  • Page 84: Creating An Ssl Proxy List

    SSL proxy list. Enter the SSL proxy list name as an unquoted text string from 1 to 31 characters. For example, to create the SSL proxy list ssl_list1, enter:
    (config)# ssl-proxy-list ssl_list1
    Create ssl-list <ssl_list1>, [y/n]: y
  • Page 85: Adding A Description To An Ssl Proxy List

    For example, to add a description to the ssl_list1 SSL proxy list, enter:
    (config-ssl-proxy-list[ssl_list1])# description "This is the SSL list for www.brandnewproducts.com"
    To remove the description from a specific SSL proxy list, enter:
    (config-ssl-proxy-list[ssl_list1])# no description
  • Page 86: Configuring Virtual Ssl Servers For An Ssl Proxy List

    SSL proxy list to make modifications to any of the virtual SSL servers in a specific SSL proxy list. Once you have modified the SSL proxy list, suspend the SSL service, activate the SSL proxy list, and then activate the SSL service.
  • Page 87 Specifying the Nagle Algorithm for SSL TCP Connections; Specifying the TCP Buffering for SSL TCP Connections. To view configuration information on an SSL proxy list, see Chapter 7, Displaying SSL Configuration Information and Statistics.
  • Page 88: Creating An Ssl Server Index

    VIP address setting is not accepted and an error message appears indicating host resolution failure. For details on configuring a Domain Name Service, refer to the Cisco Content Services Switch Global Server Load-Balancing Configuration Guide.
  • Page 89: Specifying A Virtual Port

    CSS logs an error message and does not activate the content rule. For example, to specify a virtual port of 444, enter:
    (config-ssl-proxy-list[ssl_list1])# ssl-server 20 port 444
  • Page 90: Assigning Certificate, Key, And Cipher Suites For Server Authentication

    RSA certificate association, when you activate the SSL proxy list, the CSS logs an error message and does not activate the list. For example, to specify a previously defined RSA certificate association named myrsacert1, enter:
    (config-ssl-proxy-list[ssl_list1])# ssl-server 20 rsacert myrsacert1
  • Page 91: Specifying The Rsa Key Pair Name

    For example, to specify a previously defined DSA certificate association named mydsacert1, enter:
    (config-ssl-proxy-list[ssl_list1])# ssl-server 20 dsacert mydsacert1
    To remove a DSA certificate association from a specific virtual SSL server, enter:
    (config-ssl-proxy-list[ssl_list1])# no ssl-server 20 dsacert
  • Page 92: Specifying The Dsa Key Pair Name

    To specify a previously defined Diffie-Hellman parameter file association, enter:
    (config-ssl-proxy-list[ssl_list1])# ssl-server 20 dhparam mydhparams1
    To remove a Diffie-Hellman parameter file association from a specific virtual SSL server, enter:
    (config-ssl-proxy-list[ssl_list1])# no ssl-server 20 dhparam
  • Page 93: Specifying Cipher Suites

    CSS. For example, if you choose all-cipher-suites, you must have an RSA certificate and key, a DSA certificate and key, and a Diffie-Hellman parameter file prior to activating the SSL proxy list. Because all-cipher-suites also enables the export-grade and anonymous suites in Table 4-1, list the suites you want explicitly on a production system.
  • Page 94 (and corresponding SSL proxy list). Table 4-1 also lists whether those cipher suites are exportable from the CSS, along with the authentication certificate and encryption key required by the cipher suite.
  • Page 95: Table 4-1 Ssl Cipher Suites Supported By The Css

    RSA certificate RSA key exchange rsa-with-3des-ede-cbc-sha RSA certificate RSA key exchange dhe-dss-with-des-cbc-sha DSA (DSS) certificate Ephemeral Diffie-Hellman dhe-dss-with-3des-ede-cbc-sha DSA (DSS) certificate Ephemeral Diffie-Hellman dhe-rsa-with-des-cbc-sha RSA certificate Ephemeral Diffie-Hellman key exchange Cisco Content Services Switch SSL Configuration Guide 4-13 OL-5655-01...
  • Page 96 Neither party is Diffie-Hellman authenticated rsa-export1024-with-des-cbc-sha RSA certificate RSA key exchange dhe-dss-export1024-with-des-cbc-sha DSA (DSS) certificate Ephemeral Diffie-Hellman rsa-export1024-with-rc4-56-sha RSA certificate RSA key exchange dhe-dss-export1024-with-rc4-56-sha DSA (DSS) certificate Ephemeral Diffie-Hellman Cisco Content Services Switch SSL Configuration Guide 4-14 OL-5655-01...
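The rule on page 93 (each enabled suite needs the matching certificate, key and, for ephemeral Diffie-Hellman, the parameter file, or the list will not activate) and the Table 4-1 columns above can be turned into a pre-activation check. The following is an added example written for this page, not CSS software: it derives the needed associations from the suite names and flags the export and anonymous suites. It assumes the `ssl-server N cipher <suite>` command form, the `rsakey`/`dsakey` keyword names, and an `adh-` prefix for the anonymous suite whose name is cut off in the table excerpt.

```python
"""Pre-activation check for a CSS virtual SSL server: derive from the
configured cipher suite names which certificate/key associations the
server needs (Table 4-1), report what is missing, and flag weak suites.
Illustrative code written for this page, not CSS software; the
'ssl-server N cipher <suite>' command form is assumed."""

import re
from typing import Dict, List, Set

ASSOCIATIONS = {"rsacert", "rsakey", "dsacert", "dsakey", "dhparam"}
CMD = re.compile(r"^\s*ssl-server\s+(\d+)\s+(\S+)(?:\s+(\S+))?")


def requirements_for_suite(suite: str) -> Set[str]:
    """Associations a suite needs, derived from its name:
    rsa-*      RSA key exchange: needs RSA certificate and key;
    dhe-rsa-*  ephemeral DH signed with RSA: RSA cert/key plus DH params;
    dhe-dss-*  ephemeral DH signed with DSA: DSA cert/key plus DH params;
    adh-*      anonymous DH (assumed prefix): DH params only."""
    s = suite.lower()
    if s == "all-cipher-suites":
        return set(ASSOCIATIONS)
    if s.startswith("rsa-"):
        return {"rsacert", "rsakey"}
    if s.startswith("dhe-rsa-"):
        return {"rsacert", "rsakey", "dhparam"}
    if s.startswith("dhe-dss-"):
        return {"dsacert", "dsakey", "dhparam"}
    if s.startswith("adh-"):
        return {"dhparam"}
    raise ValueError(f"unknown cipher suite name: {suite}")


def weaknesses(suite: str) -> List[str]:
    """Properties to flag before enabling a suite."""
    s = suite.lower()
    flags: List[str] = []
    if s == "all-cipher-suites" or s.startswith("adh-"):
        flags.append("allows an unauthenticated (anonymous DH) handshake")
    if s == "all-cipher-suites" or "export" in s:
        flags.append("export-grade: 40- or 56-bit symmetric key")
    if "-des-cbc-" in s or "-rc4-56-" in s:
        flags.append("56-bit symmetric cipher")
    return flags


def check_ssl_server(config_lines: List[str], server: int) -> Dict[str, object]:
    """Parse the 'ssl-server <server> ...' lines and decide whether every
    association the chosen suites need is present, i.e. whether the CSS
    would activate the list."""
    present: Set[str] = set()
    suites: List[str] = []
    for line in config_lines:
        m = CMD.match(line)
        if not m or int(m.group(1)) != server:
            continue
        keyword, arg = m.group(2), m.group(3)
        if keyword in ASSOCIATIONS and arg:
            present.add(keyword)
        elif keyword == "cipher" and arg:
            suites.append(arg)
    # No explicit cipher command means the CSS default: every suite in Table 4-1.
    effective = suites or ["all-cipher-suites"]
    required: Set[str] = set()
    for s in effective:
        required |= requirements_for_suite(s)
    warnings = {s: weaknesses(s) for s in effective if weaknesses(s)}
    missing = sorted(required - present)
    return {"suites": effective, "missing": missing,
            "warnings": warnings, "activatable": not missing}


# Constructed sample, modelled on the commands shown on this page.
SAMPLE_CONFIG = [
    "ssl-server 20",
    "ssl-server 20 port 444",
    "ssl-server 20 rsacert myrsacert1",
    "ssl-server 20 rsakey myrsakey1",
    "ssl-server 20 cipher rsa-with-3des-ede-cbc-sha",
    "ssl-server 20 cipher dhe-dss-with-3des-ede-cbc-sha",
    "ssl-server 20 cipher rsa-export1024-with-rc4-56-sha",
]

if __name__ == "__main__":
    print(check_ssl_server(SAMPLE_CONFIG, 20))
```

Run against the sample, the check reports that the dhe-dss suite needs a DSA certificate, DSA key and DH parameter file that the server does not carry, and that the export suite is limited to a 56-bit key; a server with no cipher command at all is treated as the default, which needs all five associations.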
  • Page 97: Configuring Client Authentication

    To view client authentication configuration information, use the show ssl-proxy-list ssl-server command. To view SSL counters for client authentication-related activities, use the show ssl statistics command. See Chapter 7, Displaying SSL Configuration Information and Statistics for more information.
  • Page 98: Enabling Client Authentication

    You must configure at least one certificate; however, you can configure a maximum of four certificates. If you try to configure more than four certificates, the CSS displays an error message.
  • Page 99: Configuring A Crl Record

    31 characters and no spaces.
    • url - The URL where the CRL is located. Enter a string with a maximum of 168 characters and no spaces (for example, http://www.example.com/crl/clientcert.crl).
  • Page 100

    (config)# no ssl crl-record mycrl
    To view configuration information on a CRL, use the show ssl crl-record command. For more information on this command, see Chapter 7, Displaying SSL Configuration Information and Statistics.
  • Page 101: Assigning A Crl Record To The Virtual Ssl Server

    If you configure the ignore option, it may create a security risk: the connection is allowed even though the client certificate failed verification, so the back-end server must not treat the inserted client certificate fields as proof that the client was authenticated.
    • reject - Resets the CSS default behavior of rejecting the client connection when client authentication fails. For example, enter:
    (config-ssl-proxy-list[ssl_list1])# ssl-server 20 failure reject
  • Page 102: Configuring Http Header Insertion

    Note: HTTP header insertion only occurs on the first HTTP request for a persistent HTTP 1.1 connection. Subsequent requests within the same TCP connection are sent unmodified. For HTTP 1.0, in which persistence is not implemented, all HTTP requests contain the inserted header.
  • Page 103: Inserting Client Certificate Information

    Note: If the SSL proxy list and its service are active, suspend the service and then the proxy list before configuring or disabling HTTP header insertion. Afterward, reactivate the SSL proxy list and activate its service.
  • Page 104: Table 4-2 Client Certificate Fields Inserted In The Http Header

    Description: X.509 Certificate Version
    Format: Numerical X.509 version (3, 2, or 1), followed by the ASN.1 defined value for X.509 version (2, 1, or 0) in parentheses
    Example: ClientCert-Certificate-Version: 3 (0x2)
  • Page 105

    (:) character
    Example: ClientCert-DSA-Public-Key: 00:d8:1b:94:de:52:a1:20:51:b1:77
    ClientCert-Subject
    Description: X.509 subject's distinguished name
    Format: String of characters representing the subject that owns the private key being certified
    Example: ClientCert-Subject: CN=Example, ST=Virginia, C=US/Email=ca@example.com, O=Root
  • Page 106

    0x, and lowercase alphanumeric characters separated by a colon (:) character. Together with the exponent (e), this modulus forms the public key portion in the RSA certificate
    Example: ClientCert-RSA-Modulus: + 00:d8:1b:94:de:52:a1:20:51:b1:77
  • Page 107

    Format: Secure hash of the other fields in the certificate and a digital signature of the hash printed in big-endian format hexadecimal, without leading 0x, and lowercase alphanumeric characters separated by a colon (:) character
    Example: ClientCert-Signature: 33:75:8e:a4:05:92:65
  • Page 108

    Depending on how the certificate was generated and what key algorithm was used, not all of these fields may be present for the certificate.
  • Page 109: Table 4-3 Server Certificate Fields Inserted In The Http Header

    Example: ServerCert-Serial-Number: 2
    ServerCert-Data-Signature-Algorithm
    Description: X.509 Hashing and Encryption Method
    Format: The md5WithRSAEncryption, sha1WithRSAEncryption, or dsaWithSHA1 algorithm used to sign the certificate and algorithm parameters
    Example: ServerCert-Signature-Algorithm: md5WithRSAEncryption
  • Page 110

    Description: Certificate is not valid after this date
    Format: A universal time string or generalized time string in the Not After date of the Validity field
    Example: ServerCert-Not-After: 2003-1-27 23:59.59 UTC
  • Page 111

    RSA certificate.
    Example: ServerCert-RSA-Modulus: + 00:d8:1b:94:de:52:a1:20:51:b1:77
    ServerCert-RSA-Exponent
    Description: The public RSA exponent
    Format: Printed as a whole integer for the RSA algorithm exponent (e)
    Example: ServerCert-RSA-Exponent: 65537
  • Page 112

    Format: Secure hash of the other fields in the certificate and a digital signature of the hash printed in big-endian format hexadecimal, without leading 0x, and lowercase alphanumeric characters separated by a colon (:) character
    Example: ServerCert-Signature: 33:75:8e:a4:05:92:65
  • Page 113: Inserting Session Information

    Format: The OpenSSL version name of the cipher suite negotiated during this session
    Example: Session-Cipher-Name: EXP1024-RC4-SHA
    Session-Cipher-Key-Size
    Description: Symmetric cipher key size
    Format: Whole integer representing the length in bits of the symmetric key negotiated for the session
    Example: Session-Cipher-Key-Size: 128
  • Page 114: Adding A Prefix To The Fields Inserted In The Http Header

    HTTP header insertion. Afterward, reactivate the SSL proxy list and then activate its service. For example, to add the Acme-SSL prefix to all inserted fields, enter:
  • Page 115: Inserting A Static Text String

    The \r\n characters that terminate the lines use 4 of the 199 characters. The following example shows the insertion of three strings, "FRONT-END-HTTPS: on", "session cache: on", and "vip address: www.acme.com".
    (config-ssl-proxy-list[ssl_list1])# ssl-server 20 http-header static "FRONT-END-HTTPS: on\r\nsession cache: on\r\nvipaddress: www.acme.com"
  • Page 116: Specifying Ssl Or Tls Version

    Close-Notify alert. The browser may attempt to reuse the connection even though it appears to be closed to the CSS. Because the CSS cannot reply to a new request on this connection, the browser may display an error.
  • Page 117: Specifying Secure Url Rewrite

    By using URL rewrite, all client connections to the Web server will be SSL, ensuring the secure delivery of HTTPS content back to the client.
  • Page 118

    [sslport port {clearport port}]
    The options and variables are:
    • ssl-server number - The number used to identify the virtual SSL server in the SSL proxy list.
  • Page 119

    80 for the clear text port):
    (config-ssl-proxy-list[ssl_list1])# ssl-server 20 urlrewrite 1 *.acme.com
    (config-ssl-proxy-list[ssl_list1])# ssl-server 20 urlrewrite 2 *.acme.com
    Or, you could include the wildcard asterisk (*) character for the HTTP URLs www.acmesales.com and www.acmeservices.com as follows:
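The header insertion pages above (Tables 4-2 and 4-3, the session fields, the prefix and the static string) describe what the back-end server receives; the note on page 102 adds that on a persistent HTTP 1.1 connection only the first request carries the fields. The following is an added example of the consuming side, written for this page and not CSS software: it parses the inserted fields, caches them per TCP connection so later requests on the same connection are still attributed, refuses the fields when the request did not arrive from the CSS's address, and treats a duplicated identity header as tampering. It assumes that a configured prefix is joined to the field name with a hyphen (`Acme-SSL-ClientCert-Subject`), that the CSS's address is 10.0.0.2, and the sample requests are constructed, not captured.

```python
"""Back-end consumer for the fields the CSS inserts into HTTP requests
(ClientCert-*, ServerCert-*, Session-* and the static string). Illustrative
code added for this page, not CSS software. Assumed: a configured prefix is
joined to the field name with a hyphen, and only the CSS's address may
present these headers."""

from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


def parse_request(raw: bytes) -> Tuple[Dict[str, str], Set[str]]:
    """Head of an HTTP/1.x request -> (lowercase header dict, duplicated names)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: Dict[str, str] = {}
    duplicates: Set[str] = set()
    for line in head.split("\r\n")[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            continue
        key = name.strip().lower()
        if key in headers:
            duplicates.add(key)
        headers.setdefault(key, value.strip())
    return headers, duplicates


def parse_dn(dn: str) -> Dict[str, str]:
    """Split 'CN=Example, ST=Virginia, C=US/Email=ca@example.com, O=Root'."""
    out: Dict[str, str] = {}
    for piece in dn.replace("/", ",").split(","):
        key, eq, value = piece.partition("=")
        if eq:
            out[key.strip()] = value.strip()
    return out


@dataclass
class SslContext:
    client_subject: Dict[str, str]
    cipher_name: str
    key_size_bits: int
    front_end_https: bool


class ConnectionTracker:
    """One SslContext per TCP connection. The CSS inserts the fields only
    into the first request of a persistent HTTP/1.1 connection; later
    requests on the same connection are served from the cached context."""

    FAMILIES = ("clientcert-", "servercert-", "session-")

    def __init__(self, trusted_peer: str, prefix: str = ""):
        self.trusted_peer = trusted_peer          # the CSS's address (assumed)
        self.prefix = (prefix + "-").lower() if prefix else ""
        self._by_conn: Dict[str, SslContext] = {}

    def _field(self, headers: Dict[str, str], name: str) -> Optional[str]:
        return headers.get(self.prefix + name.lower())

    def context_for(self, conn_id: str, peer_ip: str, raw: bytes) -> Optional[SslContext]:
        if peer_ip != self.trusted_peer:
            return None                           # not via the CSS: headers are client text
        headers, dups = parse_request(raw)
        if any(d.startswith(self.prefix + f) for d in dups for f in self.FAMILIES):
            return None                           # an inserted field twice: treat as tampering
        subject = self._field(headers, "ClientCert-Subject")
        if subject is None:
            return self._by_conn.get(conn_id)     # later request on a persistent connection
        ctx = SslContext(
            client_subject=parse_dn(subject),
            cipher_name=self._field(headers, "Session-Cipher-Name") or "",
            key_size_bits=int(self._field(headers, "Session-Cipher-Key-Size") or 0),
            front_end_https=headers.get("front-end-https", "").lower() == "on",
        )
        self._by_conn[conn_id] = ctx
        return ctx

    def close(self, conn_id: str) -> None:
        self._by_conn.pop(conn_id, None)


# Constructed sample requests (not captured traffic).
FIRST = (b"GET /account HTTP/1.1\r\nHost: www.acme.com\r\nFRONT-END-HTTPS: on\r\n"
         b"ClientCert-Subject: CN=Example, ST=Virginia, C=US/Email=ca@example.com, O=Root\r\n"
         b"Session-Cipher-Name: EXP1024-RC4-SHA\r\nSession-Cipher-Key-Size: 56\r\n\r\n")
SECOND = b"GET /account/orders HTTP/1.1\r\nHost: www.acme.com\r\n\r\n"
FORGED = b"GET /admin HTTP/1.1\r\nHost: www.acme.com\r\nClientCert-Subject: CN=Admin, O=Root\r\n\r\n"
DOUBLED = (b"GET /admin HTTP/1.1\r\nHost: www.acme.com\r\nClientCert-Subject: CN=Admin, O=Root\r\n"
           b"ClientCert-Subject: CN=Example, O=Root\r\n\r\n")
PREFIXED = b"GET / HTTP/1.1\r\nHost: www.acme.com\r\nAcme-SSL-ClientCert-Subject: CN=Prefixed, O=Root\r\n\r\n"


def run_demo() -> Dict[str, Optional[SslContext]]:
    css = "10.0.0.2"
    plain = ConnectionTracker(trusted_peer=css)
    prefixed = ConnectionTracker(trusted_peer=css, prefix="Acme-SSL")
    return {
        "first": plain.context_for("conn-1", css, FIRST),
        "second": plain.context_for("conn-1", css, SECOND),
        "forged": plain.context_for("conn-2", "203.0.113.7", FORGED),
        "doubled": plain.context_for("conn-3", css, DOUBLED),
        "prefixed": prefixed.context_for("conn-4", css, PREFIXED),
    }
```

The per-connection cache is what makes the page 102 note safe to live with: without it, the second request on a keep-alive connection would look anonymous. The peer check matters because the fields are ordinary headers; a client that can reach the server without passing through the CSS can write them itself. Call `close()` when the TCP connection ends so a reused connection identifier cannot inherit a stale identity.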
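The urlrewrite command on pages 117 to 119 names a hostname pattern and, optionally, an SSL port and clear-text port; the effect described is that a client that was redirected to the clear-text site stays on SSL. The following is an added model of that rewrite, written for this page and not CSS software: a rule matches a redirect's host against the pattern and its port against the clear port, and rewrites the Location header to https:// on the SSL port. Assumptions: the rewrite applies to the Location header of 3xx responses from the server, an asterisk matches exactly one DNS label, and the rules and responses are constructed.

```python
"""Model of the CSS secure URL rewrite: a back-end redirect to http:// on
the clear-text port would pull the client off SSL, so for the hostnames a
rule covers the Location header is rewritten to https:// on the SSL port.
Illustrative code added for this page, not CSS software; the wildcard
semantics (one DNS label) and the 3xx Location target are assumptions."""

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class RewriteRule:
    hostname: str          # as given to 'ssl-server N urlrewrite M <hostname>'
    sslport: int = 443     # [sslport port]
    clearport: int = 80    # [clearport port]

    def matches(self, host: str) -> bool:
        pattern = re.escape(self.hostname.lower()).replace(r"\*", r"[^.]+")
        return re.fullmatch(pattern, host.lower()) is not None


def rewrite_location(location: str, rules: List[RewriteRule]) -> Optional[str]:
    """Return the https:// form of an http:// URL covered by a rule, else None."""
    try:
        parts = urlsplit(location)
        port = parts.port or 80
    except ValueError:
        return None
    if parts.scheme.lower() != "http" or not parts.hostname:
        return None
    for rule in rules:
        if rule.matches(parts.hostname) and port == rule.clearport:
            netloc = parts.hostname if rule.sslport == 443 else f"{parts.hostname}:{rule.sslport}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    return None


def rewrite_response(raw: bytes, rules: List[RewriteRule]) -> Tuple[bytes, bool]:
    """Apply the rewrite to the Location header of a 3xx response;
    returns (possibly rewritten response, whether anything changed)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].split(b" ")
    if len(status) < 2 or not status[1].startswith(b"3"):
        return raw, False
    changed = False
    for i, line in enumerate(lines[1:], start=1):
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"location":
            new = rewrite_location(value.strip().decode("latin-1"), rules)
            if new is not None:
                lines[i] = b"Location: " + new.encode("latin-1")
                changed = True
    return b"\r\n".join(lines) + sep + body, changed


# Constructed rules, modelled on the page's examples: the default ports for
# *.acme.com, and a non-standard port pair for www.acmesales.com.
RULES = [
    RewriteRule("*.acme.com"),
    RewriteRule("www.acmesales.com", sslport=8443, clearport=8080),
]

if __name__ == "__main__":
    sample = b"HTTP/1.1 302 Found\r\nLocation: http://www.acme.com/home\r\nContent-Length: 0\r\n\r\n"
    print(rewrite_response(sample, RULES))
```

Two details carry the security value: a redirect to a host no rule covers is left alone rather than rewritten blindly (so the rewrite cannot be used to launder an arbitrary redirect target into https://), and a redirect to a port other than the rule's clear port is not touched, because nothing on the SSL port would answer for it.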
  • Page 120: Specifying Ssl Session Cache Timeout

    (entering a value of 0), the full SSL handshake occurs for each new connection between the client and the SSL module.
    Note: Cisco Systems does not recommend specifying a zero value for the ssl-server number session-cache seconds command. A non-zero value ensures that the SSL session ID is reused to improve CSS performance.
  • Page 121: Specifying Ssl Session Handshake Renegotiation

    For example, to configure an SSL rehandshake message after a timeout value of 10 hours has elapsed, enter:
    (config-ssl-proxy-list[ssl_list1])# ssl-server 20 handshake timeout 36000
    To disable the rehandshake timeout option, enter:
    (config-ssl-proxy-list[ssl_list1])# no ssl-server 20 handshake timeout
  • Page 122

    In this case, turning on SSL rehandshaking can cause SSL sessions to require additional resources to perform handshake renegotiation. If you are operating in a high traffic environment, this may impact overall SSL performance.
  • Page 123: Configuring The Delay Time For Ssl Queued Data

    For example, to configure a delay time value of 400 milliseconds, enter:
    (config-ssl-proxy-list[ssl_list1])# ssl-server 20 ssl-queue-delay 400
    To reset the delay time to the default of 200 milliseconds, enter:
    (config-ssl-proxy-list[ssl_list1])# no ssl-server 20 ssl-queue-delay
  • Page 124: Specifying Ssl Tcp Client-Side Connection Timeout Values

    For example, to configure a TCP SYN timeout of 30 minutes (1800 seconds), enter:
    (config-ssl-proxy-list[ssl_list1])# ssl-server 20 tcp virtual syn-timeout 1800
    To reset the TCP SYN timeout to the default of 30 seconds, enter:
    (config-ssl-proxy-list[ssl_list1])# no ssl-server 20 tcp virtual syn-timeout
    A long SYN timeout keeps each half-open client connection, and the state it consumes on the SSL module, alive for that much longer; raise it from the default only for a known reason.
  • Page 125: Specifying Ssl Tcp Server-Side Connection Timeout Values

    To configure an SSL proxy list virtual SSL server for termination of a TCP connection with the server, see the following sections:
    • Specifying a TCP SYN Timeout Value (Server-Side Connection)
    • Specifying a TCP Inactivity Timeout Value (Server-Side Connection)
  • Page 126

    TCP connection with a server when there is little or no activity occurring on the connection. Enter a TCP inactivity timeout value in seconds, from 0 (TCP inactivity timeout disabled) to 3600 (1 hour). The default is 240 seconds.
  • Page 127: Specifying The Nagle Algorithm For Ssl Tcp Connections

    • Use the ssl-server number tcp server nagle command to disable or reenable the Nagle algorithm for the TCP connection between the server and the SSL module. The syntax for this command is:
    ssl-server number tcp server nagle enable|disable
  • Page 128: Specifying The Tcp Buffering For Ssl Tcp Connections

    65536, enter:
    (config-ssl-proxy-list[ssl_list1])# ssl-server 20 tcp buffer-share rx 65536
    To reset the buffer size to the default of 32768, enter:
    (config-ssl-proxy-list[ssl_list1])# no ssl-server 20 tcp buffer-share rx
  • Page 129: Activating And Suspending An Ssl Proxy List

    SSL service, reactivate the SSL proxy list, and then reactivate the SSL service. To view the virtual or back-end SSL servers in a list, use the show ssl-proxy-list command (see Chapter 7, Displaying SSL Configuration Information and Statistics).
  • Page 130: Configuring A Service For Ssl Termination

    • Specifying the SSL Module Slot
    • Disabling Keepalive Messages for the SSL Module
    • Specifying the SSL Session ID Cache Size
    • Activating the SSL Service
    • Suspending the SSL Service
  • Page 131: Creating An Ssl Service

    • Add the SSL proxy list to an SSL service.
    • Use the type command to specify the SSL acceleration service type. For details on specifying an SSL service type, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide. To specify the SSL acceleration service type, enter:
  • Page 132: Adding An Ssl Proxy List To An Ssl Termination Service

    The CSS supports one active SSL service for each SSL module in the CSS (one SSL service per slot). You can configure more than one SSL service for a slot, but only a single SSL service can be active at a time.
  • Page 133: Disabling Keepalive Messages For The Ssl Module

    Use the keepalive type none command to instruct the CSS not to send keepalive messages to a service. For details on specifying a keepalive type, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide.
  • Page 134: Activating The Ssl Service

    • The SSL proxy list added to the service must be active before you can activate the service. If the list is suspended, the CSS logs the following error message and does not activate the service:
    No ssl-lists on service, service not activated
  • Page 135: Suspending The Ssl Service

    For a virtual SSL server content rule, ensure that the VIP address and port number configured for the rule match the VIP address and port number for the server entry in the SSL proxy list.
  • Page 136

    Verify the configured VIP addresses used in the content rule and SSL proxy list, and modify as necessary. When a CSS uses two or more SSL modules, Cisco Systems recommends that you use stickiness based on SSL version 3 session ID for a Layer 5 content rule. For
  • Page 137: Configuring Back-End Ssl

    Back-end SSL allows a CSS to initiate a connection with an SSL server. When used with SSL termination, back-end SSL provides a secure end-to-end connection between a client and an SSL server: the CSS terminates the client's SSL session and opens its own to the server, so both legs are encrypted while the CSS itself handles the traffic in the clear between them.
  • Page 138: Creating An Ssl Proxy List

    SSL proxy list. Enter the SSL proxy list name as an unquoted text string from 1 to 31 characters. For example, to create the SSL proxy list, ssl_list1, enter:
    (config)# ssl-proxy-list ssl_list1
    Create ssl-list <ssl_list1>, [y/n]: y
  • Page 139: Adding A Description To An Ssl Proxy List

    SSL server. You must define a back-end server index number before configuring SSL proxy list parameters. You can define a maximum of 256 back-end SSL servers for a single SSL proxy list.
  • Page 140

    • Configuring TCP Virtual Client Connections Timeout Values
    • Configuring TCP Server-Side Connection Timeout Values on the SSL Module
    • Specifying the Nagle Algorithm for SSL TCP Connections
    • Specifying the TCP Buffering for SSL TCP Connections
  • Page 141: Creating A Back-End Ssl Server In An Ssl Proxy List

    For example, to reconfigure SSL initiation server 1 as a back-end SSL server in SSL proxy list ssl_list3, enter:
    (config-ssl-proxy-list[ssl_list3])# backend-server 1 type backend-ssl
    For information about SSL initiation, see Chapter 6, Configuring SSL Initiation.
  • Page 142: Configuring The Vip Address For An Ssl Back-End Server

    For example, to configure a port number of 1200, enter:
    (config-ssl-proxy-list[ssl_list1])# backend-server 1 port 1200
    To reset the port to the default value of 80, enter:
    (config-ssl-proxy-list[ssl_list1])# no backend-server 1 port
  • Page 143: Configuring The Server Ip Address

    For example, to configure the server port number 155, enter:
    (config-ssl-proxy-list[ssl_list1])# backend-server 1 server-port 155
    To reset the port to the default value of 443, enter:
    (config-ssl-proxy-list[ssl_list1])# no backend-server 1 server-port
  • Page 144: Configuring Ssl Version

    If you use the default setting or select the all-cipher-suites option, the CSS sends the suites in the same order as they appear in Table 4-1, starting with rsa-with-rc4-128-md5.
  • Page 145: Configuring Ssl Session Cache Timeout

    By default, the cache timeout is enabled with a timeout of 300 seconds (5 minutes). The timeout value can range from 0 to 72000 (0 seconds to 20 hours). A timeout value of 0 disables session cache reuse.
  • Page 146: Configuring Ssl Session Handshake Renegotiation

    Use the backend-server number handshake timeout seconds command to specify a maximum timeout value, after which the CSS transmits the SSL handshake message and reestablishes the SSL session. Setting a timeout value
  • Page 147: Configuring Tcp Virtual Client Connections Timeout Values

    CSS uses to terminate a TCP connection between a client and the SSL module that has not successfully completed the TCP three-way handshake prior to transferring data.
  • Page 148

    Enter a TCP inactivity timeout value in seconds, from 0 (TCP inactivity timeout disabled) to 3600 (1 hour). The default is 240 seconds. Based on the default parameters for retransmission, the timer value should be larger than 60 seconds (1 minute).
  • Page 149: Configuring Tcp Server-Side Connection Timeout Values On The Ssl Module

    Use the backend-server number tcp server syn-timeout seconds command to specify a timeout value that the CSS uses to end a TCP connection with a server that has not successfully completed the TCP three-way handshake prior to transferring data.
  • Page 150: Specifying A Tcp Inactivity Timeout For A Server-Side Connection

    3600 (1 hour). The default is 240 seconds. For example, to configure a TCP inactivity timeout period of 100 seconds for the server-side connection, enter:
    (config-ssl-proxy-list[ssl_list1])# backend-server 1 tcp server inactivity-timeout 100
  • Page 151: Specifying The Nagle Algorithm For Ssl Tcp Connections

    Use the backend-server number tcp server nagle command to disable or reenable the Nagle algorithm for the TCP connection between the server and the SSL module. The syntax for this command is:
    backend-server number tcp server nagle enable|disable
  • Page 152: Specifying The Tcp Buffering For Ssl Tcp Connections

    By default, the buffer size is 65536. The buffer size can range from 16400 to 262144. For example, to set the value to 131072, enter:
    (config-ssl-proxy-list[ssl_list1])# backend-server 20 tcp buffer-share tx 131072
  • Page 153: Activating And Suspending An Ssl Proxy List

    To view the virtual or back-end SSL servers in a list, use the show ssl-proxy-list command (see Chapter 7, Displaying SSL Configuration Information and Statistics). Use the suspend command to suspend an active SSL proxy list. To suspend an active SSL proxy list, enter:
    (config-ssl-proxy-list[ssl_list1])# suspend
  • Page 154: Configuring A Service For Back-End Ssl

    • Configuring an IP Address for a Back-End SSL Service
    • Configuring the Port Number for a Back-End SSL Service
    • Activating the SSL Service
    • Suspending the SSL Service
  • Page 155: Creating An Ssl Service

    When creating a service for use with an SSL module, you must identify it as an SSL service for the CSS to recognize it. For additional details on creating a service, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide.
  • Page 156: Configuring An Ip Address For A Back-End Ssl Service

    SSL proxy list for the back-end server. For example, to configure a port number of 55, enter:
    (config-service[server1])# port 55
    To reset the port number of the back-end content rule, enter:
    (config-service[server1])# no port
  • Page 157: Activating The Ssl Service

    No modifications may be made to an active SSL proxy list. If modifications are necessary, first suspend the SSL service to make changes to the SSL proxy list entries. To activate service ssl_serv1, enter:
    (config-service[ssl_serv1])# active
  • Page 158: Suspending The Ssl Service

    For more information on Layer 5 sticky and content rules, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide.
  • Page 159: Configuring Ssl Initiation

    • Load balance the content
    • Encrypt the clear text
    • Originate an SSL connection with either an SSL server or another CSS configured with SSL termination (see Chapter 4, Configuring SSL Termination).
  • Page 160: Figure 6-2 Ssl Initiation With A Second Css Running Ssl Termination

    An SSL module in the CSS uses the back-end SSL server to initiate the connection to an SSL server. You can define a maximum of 256 back-end SSL servers in a single SSL proxy list.
  • Page 161: Creating An Ssl Initiation Proxy List

    You cannot delete a given SSL proxy list if any SSL service using that specific SSL proxy list is active. You must first suspend the SSL service to delete the specific SSL proxy list.
  • Page 162: Adding A Description To An Ssl Initiation Proxy List

    SSL proxy list. Once you have modified the SSL proxy list, suspend the SSL service, activate the SSL proxy list, and then activate the SSL service to apply the changes.
  • Page 163

    • Configuring TCP Server-Side Connection Timeout Values on the SSL Module
    • Specifying the Nagle Algorithm for Client-Side Connections
    • Specifying the TCP Buffering for SSL TCP Connections
    • Configuring Client Certificates and Keys
    • Configuring CA Certificates for Server Authentication
  • Page 164: Creating A Back-End Server In An Ssl Initiation Proxy List

    (config-ssl-proxy-list[ssl_list1])# backend-server 1 type initiation
    To reconfigure the SSL initiation server as a back-end SSL server without having to configure all the back-end server parameters, enter:
    (config-ssl-proxy-list[ssl_list1])# backend-server 1 type backend-ssl
  • Page 165: Configuring An Ip Address For The Ssl Initiation Server

    Note: with the same address, configure the backend-server number port and server-port commands with different port numbers. For example, to configure a port number of 1200, enter:
    (config-ssl-proxy-list[ssl_list1])# backend-server 1 port 1200
  • Page 166: Configuring The Ssl Server Ip Address

    Note: with the same address, configure the backend-server number port and server-port commands with different port numbers. For example, to configure the server port number 155, enter:
    (config-ssl-proxy-list[ssl_list1])# backend-server 1 server-port 155
  • Page 167: Configuring Ssl Version

    Chapter 4, Configuring SSL Termination. These values match those defined for SSL version 3.0 and TLS version 1.0. Table 4-1 also lists those cipher suites that are exportable in any version of the software.
  • Page 168

    For example, to set a weight of 10 for a cipher suite, enter:
    (config-ssl-proxy-list[ssl_list1])# backend-server 1 cipher rsa-with-rc4-128-md5 weight 10
    To remove one or more of the configured cipher suites for the SSL initiation back-end server, enter:
    (config-ssl-proxy-list[ssl_list1])# no backend-server 1 cipher rsa-with-rc4-128-md5
  • Page 169: Configuring Ssl Session Cache Timeout

    SSL rehandshake after the exchange of a certain amount of data between the CSS and the back-end SSL server, after which the CSS transmits the SSL handshake message and reestablishes the SSL session.
  • Page 170

    For example, to configure a 30-second timeout for an SSL session rehandshake, enter:
    (config-ssl-proxy-list[ssl_list1])# backend-server 1 handshake timeout 30
    To reset the timeout to 0 and disable the rehandshake timeout period for the back-end server, enter:
    (config-ssl-proxy-list[ssl_list1])# no backend-server 1 handshake timeout
  • Page 171: Configuring Tcp Virtual Client Connections Timeout Values

    To configure a TCP SYN timeout of 100 seconds, enter:
    (config-ssl-proxy-list[ssl_list1])# backend-server 1 tcp virtual syn-timeout 100
    To disable the timeout, set the value to 0:
    (config-ssl-proxy-list[ssl_list1])# backend-server 1 tcp virtual syn-timeout 0
  • Page 172

    To disable the timeout, set the value to 0:
    (config-ssl-proxy-list[ssl_list1])# backend-server 1 tcp virtual inactivity-timeout 0
    To reset the timeout to the default value of 240 seconds, enter:
    (config-ssl-proxy-list[ssl_list1])# no backend-server 1 tcp virtual inactivity-timeout
  • Page 173: Specifying The Nagle Algorithm For Client-Side Connections

    • Specifying a TCP SYN Timeout Value for a Server-Side Connection
    • Specifying a TCP Inactivity Timeout for a Server-Side Connection
    • Specifying the Nagle Algorithm for Server-Side Connections
  • Page 174: Specifying A Tcp Syn Timeout Value For A Server-Side Connection

    To disable the timeout, set the value to 0:
    (config-ssl-proxy-list[ssl_list1])# backend-server 1 tcp server syn-timeout 0
    To reset the timeout to the default value of 30 seconds, enter:
    (config-ssl-proxy-list[ssl_list1])# no backend-server 1 tcp server syn-timeout
  • Page 175: Specifying A Tcp Inactivity Timeout For A Server-Side Connection

    Use the backend-server number tcp server nagle command to disable or reenable the Nagle algorithm for the TCP connection between the server and the SSL module. The syntax for this command is:
    backend-server number tcp server nagle enable|disable
  • Page 176: Specifying The Tcp Buffering For Ssl Tcp Connections

    By default, the buffer size is 65536. The buffer size can range from 16400 to 262144. For example, to set the value to 131072, enter:
    (config-ssl-proxy-list[ssl_list1])# backend-server 1 tcp buffer-share tx 131072
  • Page 177: Configuring Client Certificates And Keys

    Requested Client Certificate Not Sent counter.
    Note: When the SSL server does not receive the requested client certificate, it may close the connection.
    The following sections describe how to configure client certificates and keys.
  • Page 178: Configuring The Rsa Certificate Name

    For example, to configure a DH parameter file named dhparamfile2, enter:
    (config-ssl-proxy-list[ssl_list1])# backend-server 1 dhparam dhparamfile2
    To remove the configured DH parameter file from the SSL proxy list, enter:
    (config-ssl-proxy-list[ssl_list1])# no backend-server 1 dhparam
  • Page 179: Configuring The Dsa Certificate Name

    CA in the server certificate. Defining a CA certificate in the SSL initiation proxy list indicates to the CSS that you want to verify the server certificate.
    Note: By default, SSL servers are not authenticated. Until you configure a CA certificate with the backend-server number cacert command, the CSS completes the handshake with whatever server answers on the configured address, so the back-end connection is encrypted but the far end is not verified.
  • Page 180

    To remove a CA certificate from an SSL proxy list, use the no form of the command. For example, to remove the mycert1 CA certificate from the ssl_list1 proxy list for SSL initiation back-end server 1, enter:
    (config-ssl-proxy-list[ssl_list1])# no backend-server 1 cacert mycert1
  • Page 181: Activating And Suspending An Ssl Proxy List

    (see Chapter 7, Displaying SSL Configuration Information and Statistics). Use the suspend command to suspend an active SSL proxy list. To suspend an active SSL proxy list, enter:
    (config-ssl-proxy-list[ssl_list1])# suspend
  • Page 182: Configuring A Service For Ssl Initiation

    • Activating the SSL Service • Suspending the SSL Service • If you do not configure a service port, the CSS uses the same port number as the Note content rule. Cisco Content Services Switch SSL Configuration Guide 6-24 OL-5655-01...
  • Page 183: Creating An Ssl Service

    CSS to recognize it. You can create multiple SSL services for use with an SSL initiation content rule. For additional details on creating a service, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide. Enter the SSL service name from 1 to 31 characters.
  • Page 184: Adding An Ssl Proxy List To An Ssl Initiation Service

    The valid slot entries are: CSS 11501 - 2 • CSS 11503 - 2 and 3 • CSS 11506 - 2 to 6 • Slot 1 is reserved for the SCM. Cisco Content Services Switch SSL Configuration Guide 6-26 OL-5655-01...
  • Page 185: Configuring The Ssl Initiation Service Keepalive Type

    Note: If you configure either the SSL or TCP keepalive type, you need to configure the port used by the keepalive. For more information about these and other CSS keepalives, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide.
  • Page 186: Ssl Session Id Cache Size

    No modifications may be made to an active SSL proxy list. If modifications are necessary, first suspend the SSL service to make changes to the SSL proxy list entries. To activate service ssl_serv1, enter:
        (config-service[ssl_serv1])# active
  • Page 187: Suspending The Ssl Service

    The information in the rule enables the CSS to locate a sticky server to use or to load balance a new server for a new client request. For more information on Layer 5 sticky and content rules, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide.
  • Page 188: Troubleshooting Ssl Initiation

    • Ensure that the SSL server is configured to request a client certificate.
    • Use a sniffer on the back-end connection to verify that the server is requesting a client certificate and that the CSS is sending the certificate.
  • Page 189: Displaying Ssl Configuration Information And Statistics

    - Displays certificate associations
    • show ssl associate rsakey - Displays RSA key pair associations
    • show ssl associate dsakey - Displays DSA key pair associations
  • Page 190: Showing Ssl Certificates

    Indicates if the certificate association is used by the SSL proxy list containing the VIP address of the virtual server. To display information about a specific certificate association, enter:
        show ssl associate cert myrsacert1
  • Page 191: Table 7-2 Field Descriptions For The Show Ssl Associate Cert Certname Command

    The actual public key on which the certificate was built.
    Exponent - One of the base numbers used to generate the key.
    X509v3 Extensions - An array of X509v3 extensions added to the certificate.
  • Page 192: Showing Ssl Rsa Private Keys

    Note: When you view the contents of a specific key, only specifics on the key size and key type appear. This restriction occurs because the key contents are secure and should not be viewed.
  • Page 193: Showing Ssl Dsa Private Keys

    This restriction occurs because the key contents are secure and should not be viewed. To display information about all DSA key associations, enter:
        (config)# show ssl associate dsakey
  • Page 194: Showing Ssl Diffie-Hellman Parameters

    Table 7-5 Field Descriptions for the show ssl associate dhparam Command
    Field - Description
    Parameter Name - The name of the Diffie-Hellman parameter association
    File Name - The name of the file containing the Diffie-Hellman parameters
  • Page 195: Showing Ssl Associations

    Used by List
    ------------  ---------     ------------
    rsakey        rsakey.pem

    DH Param Name  File Name     Used by List
    -------------  ---------     ------------
    dhparams       dhparams.pem

    DSA Key Name  File Name     Used by List
    ------------  ---------     ------------
    dsakey        dsakey.pem
  • Page 196: Showing Ssl Certificates, Key Pairs, And Diffie-Hellman Parameter Files

    RSA key pair, DSA key pair, or Diffie-Hellman parameter file. File types can include DER-encoded, PEM-encoded, or PKCS#12-encoded.
    File Size - The total size (in Kbytes) of the certificate, RSA key pair, DSA key pair, or Diffie-Hellman parameter file.
  • Page 197: Showing Ssl Proxy Configuration Information

    SSL or back-end server number to display its configuration information. This command is available in global, content, owner, service, SuperUser, and User modes. To view general information about all configured SSL proxy lists, enter:
        # show ssl-proxy-list
  • Page 198: Table 7-7 Field Descriptions For The Show Ssl-Proxy-List Command

    A unique number for the virtual SSL server.
    Number of Backend-Servers - The total number of back-end servers specified for the SSL proxy list.
    Backend-server - A unique number for the back-end server.
  • Page 199 CSS requires the full SSL handshake to establish a new SSL connection.
    SSL Version - The specified SSL (version 3.0), TLS (version 1.0), or SSL and TLS protocol in use.
  • Page 200 The TCP port of the back-end content rule through which the back-end HTTP connections are sent.
    Server - The VIP address of the back-end content rule through which the back-end HTTP connections are sent.
    URL Rewrite Rule(s)
  • Page 201 SSL connection information. For information on the fields inserted in the header, see Chapter 4, Configuring SSL Termination.
    HTTP Header Insert Static - Configured static text string inserted in the HTTP request header.
  • Page 202: Showing Crl Record Configuration

    This certificate verifies that the CRL is from the CA.
    Update Delay - How long the CSS waits before updating the CRL on the CSS.
    CRL URL - URL where the CSS downloads the latest CRL.
  • Page 203: Showing Ssl Url Rewrite Statistics

    The virtual TCP port for the virtual SSL server.
    Searches - The total number of flows received from the back-end server and evaluated by the SSL module to search for the presence of HTTP 300-series redirects.
  • Page 204: Showing Ssl Module Statistics

    - Displays counter statistics for the SSL server counter
    – ssl-proxy-server - Displays counter statistics for the SSL proxy list component that provides SSL termination in the SSL module
  • Page 205 SSL connections from a client to the SSL module.
    Handshake completed for incoming SSL connections - Number of times the handshake process was completed for incoming SSL connections from a client to the SSL module.
  • Page 206 Number of Diffie-Hellman shared secret key calculations requested.
    DH Public - Number of Diffie-Hellman public key calculations requested.
    DSA Sign - Number of DSA signings requested.
    DSA Verify - Number of DSA verifications requested.
  • Page 207 Hardware Device Timed - Number of times the cryptography hardware did not complete an acceleration request within the specified time. This function is not currently implemented. This counter should always be 0.
  • Page 208 Number of DSA Signing calls.
    MD5 raw hash calls - Number of MD5 pure hash calls.
    SHA1 raw hash calls - Number of SHA1 pure hash calls.
    3-DES calls - Number of 3-DES calls.
  • Page 209 RSA Private Decrypt failures - Number of RSA Private Decrypt calls that failed.
    MAC failures for packets received - Number of times the MAC could not be verified for the incoming SSL messages.
  • Page 210 CRL. When a CRL cannot be stored in memory, all incoming client authentications will fail.
    Session Cache Statistics
    Handshakes Accepted from Client - Number of handshakes that the SSL module accepted from clients.
  • Page 211 Number of times that the cache was full.
    Session ID Hits - Number of times that there was a valid session ID to offer to the server.
    Total Number of Items Cached - Total number of sessions in the cache.
  • Page 212: Clearing Ssl Statistics

    To view SSL flows for all SSL modules in the CSS, enter:
        # show ssl flows
    To view SSL flows for a specific SSL module in the CSS chassis (for example, installed in slot 5), enter:
        # show ssl flows slot 5
  • Page 213 Hello message has been received by the CSS but the final finished message still has not been sent. The SSL Flows in Handshake number is a subset of the Active SSL Flows column.
  • Page 215: Chapter 8 Examples Of Css Ssl Configurations

    The proxy server can perform both TCP and SSL handshakes. The following example is intended as an overview of the flow process: how the CSS and SSL module translate flows from HTTPS to HTTP for inbound packets and from HTTP to HTTPS for outbound packets.
  • Page 216: Figure 8-1 Css Configuration With Multiple Ssl Modules

    [Figure 8-1 labels: Internet; Web shopping session, Port 443; Payment/checkout session, Port 443; L5/L4 SSL Content Rule; SSL Acceleration Module; L5/L4 HTTP Content Rule, Port 80; CSS 11506; Ethernet connection, Port 80; ServerABC, ServerDEF, ServerGHI, Port 80]
  • Page 217 The SSL Session ID maintains the stickiness between the client and the SSL module and the cookie maintains the stickiness between the SSL module and the servers. In this way, stickiness can be maintained consistently through the entire web transaction.
  • Page 218: Figure 8-2 Css Configuration With A Back-End Ssl Server

    [Figure 8-2 labels: L5/L4 SSL Content Rule; SSL Acceleration Module; VIP Port 80; L5 HTTP-SSL Content Rule; Backend SSL VIP Port 80; CSS 11506; Backend SSL Server IP Port 443; Ethernet connection, Port 80; ServerABC, ServerDEF, ServerGHI]
  • Page 219: Ssl Transparent Proxy Configuration - One Ssl Module

    VIP address of 10.1.1.5. The clear-text http-rule will be unreachable from the Internet, which can offer you more flexibility and granularity while allowing the CSS to be seamlessly integrated for secure transactions.
  • Page 220: Figure 8-3 Transparent Proxy Configuration With A Single Ssl Module

    !*************************** GLOBAL ***************************
    logging commands enable
    ssl associate dsakey dsakey dsakey.pem
    ssl associate dhparam dhparams dhparams.pem
    ssl associate rsakey rsakey rsakey.pem
    ssl associate cert rsacert rsacert.pem
    ftp-record ssl_record 161.44.174.127 anonymous des-password deye2gtcld1b6feeeebabfcfagyezc5f /
  • Page 221
      80
      keepalive type http
      active
    service serverDEF
      ip address 192.168.7.2
      protocol tcp
      port 80
      keepalive type http
      active
    service serverGHI
      ip address 192.168.7.3
      protocol tcp
      port 80
      keepalive type http
      active
  • Page 222: Ssl Transparent Proxy Configuration - Two Ssl Modules

    VIP address of 10.1.1.5. The clear-text http-rule will be unreachable from the Internet, which can offer you more flexibility and granularity while allowing the CSS to be seamlessly integrated for secure transactions.
  • Page 223: Figure 8-4 Transparent Proxy Configuration With Two Ssl Modules

    !*************************** GLOBAL ***************************
    logging commands enable
    ssl associate dsakey dsakey dsakey.pem
    ssl associate rsakey rsakey rsakey.pem
    ssl associate cert rsacert rsacert.pem
    ssl associate dhparam dhparams dhparams.pem
    ftp-record ssl_record 161.44.174.127 anonymous des-password deye2gtcld1b6feeeebabfcfagyezc5f /
  • Page 224
      6
      add ssl-proxy-list test
      active
    service serverABC
      ip address 192.168.7.1
      protocol tcp
      port 80
      keepalive type http
      active
    service serverDEF
      ip address 192.168.7.2
      protocol tcp
      port 80
      keepalive type http
      active
  • Page 225
      192.168.5.5
      protocol tcp
      port 80
      url "/*"
      add service serverABC
      add service serverDEF
      add service serverGHI
      advanced-balance cookies
      active
  • Page 226 HTTP connection to content rule http-ssl-rule. The CSS directs the clear text data back to SSL module 2. The module terminates the connection, re-encrypts the traffic, and establishes an SSL connection to SSL server ServerDEF.
  • Page 227: Ssl Transparent Proxy Configuration - Http And Back-End Ssl Servers

    [Figure labels: Acceleration Module 2; Layer 5 http-ssl-rule; Layer 5 http-rule; Source = 172.16.6.58, Destination = 192.168.7.1; Source = 172.16.6.62, Destination = 192.168.7.2; Ethernet connection; ServerABC 192.168.7.1, ServerDEF 192.168.7.2, ServerGHI 192.168.7.3, ServerJKL 192.168.7.4]
  • Page 228
      2 rsakey rsakey
      ssl-server 2 cipher rsa-with-rc4-128-md5 192.28.4.4 8080
      active
      backend-server 3
      backend-server 3 ip address 192.168.7.2
      backend-server 3 port 8080
      backend-server 3 server-ip 192.168.7.2
      backend-server 3 rsacert rsacert
      active
  • Page 229
      192.168.7.2
      protocol tcp
      keepalive type ssl
      keepalive port 443
      add ssl-proxy-list test
      active
    service serverGHI
      ip address 192.14.7.3
      protocol tcp
      port 80
      keepalive type http
      active
  • Page 230
      "/*"
      add service serverABC
      add service serverGHI
      advanced-balance cookies
      active
    content ssl-rule-1
      vip address 192.28.4.4
      protocol tcp
      port 443
      add service ssl_module1
      add service ssl_module2
      application ssl
      advanced-balance ssl
      active
  • Page 231: Ssl Full Proxy Configuration - One Ssl Module

    VIP address of 10.1.1.5. The clear-text http-rule will be unreachable from the Internet, which can offer you more flexibility and granularity while allowing the CSS to be seamlessly integrated for secure transactions.
  • Page 232: Figure 8-6 Full Proxy Configuration Using A Single Ssl Module

    !*************************** GLOBAL ***************************
    logging commands enable
    ssl associate dsakey dsakey dsakey.pem
    ssl associate dhparam dhparams dhparams.pem
    ssl associate rsakey rsakey rsakey.pem
    ssl associate cert rsacert rsacert.pem
    ftp-record ssl_record 161.44.174.127 anonymous des-password deye2gtcld1b6feeeebabfcfagyezc5f /
  • Page 233
      6
      add ssl-proxy-list test
      active
    service serverABC
      ip address 192.168.7.1
      protocol tcp
      port 80
      keepalive type http
      active
    service serverDEF
      ip address 192.168.7.2
      protocol tcp
      port 80
      keepalive type http
      active
  • Page 234
    !*************************** GROUP ***************************
    group ssl_module_proxy
      add destination service serverABC
      add destination service serverDEF
      add destination service serverGHI
      vip address 192.168.7.200
      active
  • Page 235: Ssl Initiation Configurations

    SSL modules when multiple SSL modules exist (as in this example).
    • The SSL initiation feature requires that the proxy list be applied to the SSL module via a service of type ssl-init.
  • Page 236: Figure 8-7 Ssl Initiation Between A Css And Four Data Centers

    [Figure 8-7 labels: data centers 192.168.7.10, 192.168.7.20, 192.168.7.30, 192.168.7.40]
    !*************************** GLOBAL ***************************
    ssl associate rsakey rsakey_association rsakey.pem
    ssl associate cert rsacert_association rsacert.pem
    ftp-record acct-ftp 192.168.7.241 root des-password ig5haaufqbnfuarb /tmp
    !************************* INTERFACE *************************
    interface 1/1
      bridge vlan 10
  • Page 237
    !************************** SERVICE **************************
    service DC1
      type ssl-init
      ip address 192.168.7.10
      protocol tcp
      port 80
      slot 2
      keepalive type ssl
      keepalive port 443
      add ssl-proxy-list SSLInit_list
      active
    service DC2
      type ssl-init
      ip address 192.168.7.20
  • Page 238
      SSLInit_list
      active
    !*************************** OWNER ***************************
    owner Example
      content ssl-init
        protocol tcp
        vip address 172.16.1.100
        port 80
        add service DC1
        add service DC2
        add service DC3
        add service DC4
        advanced-balance arrowpoint-cookie
        active
  • Page 239: Ssl Tunnel To One Data Center With Server Authentication

    • You must obtain the certificate of the CA that issued the SSL server certificate. After you import it and associate it, define the CA certificate as a cacert within the SSL proxy list.
  • Page 240: Figure 8-8 Ssl Initiation Between A Css And One Data Center

    [Figure 8-8 labels: Encrypted text; Data Center 192.168.7.10]
    !*************************** GLOBAL ***************************
    ssl associate rsakey rsakey_association rsakey.pem
    ssl associate cert rsacert_association rsacert.pem
    ftp-record acct-ftp 192.168.7.241 root des-password ig5haaufqbnfuarb /tmp
    ftp-record config 192.168.1.241 root des-password 4f1bxangrgehjgka /users/rclement/ssl-init
  • Page 241
      443
      add ssl-proxy-list SSLInit_list
      active
    service DC-SSL2
      type ssl-init
      ip address 192.168.7.10
      protocol tcp
      port 80
      slot 3
      keepalive type ssl
      keepalive port 443
      add ssl-proxy-list SSLInit_list
      active
  • Page 242
    !*************************** OWNER ***************************
    owner Example
      content ssl-init
        protocol tcp
        vip address 192.168.7.200
        port 80
        add service DC-SSL1
        add service DC-SSL2
        advanced-balance arrowpoint-cookie
        active
  • Page 243 TCP SYN timeout 5-12 acceleration service type 5-19 virtual port activating service 4-51, 5-21 cipher suites configuration quick start configuring CA certificate configuring service IP address 5-20 client authentication 4-16
  • Page 244 CRL record SSL rule quick start 4-17 2-13 display fields virtual SSL service 7-11 4-52 enabling CRL record 4-16 handling failures assigning 4-19 4-19 overview configuring 4-17 statistics displaying 7-22 7-14
  • Page 245 4-30 SSL statistics 7-16 static text string 4-32 URL rewrite rule statistics 7-15 documentation audience chapter contents importing SSL keys and certificates 3-14 xvii initiation, SSL symbols and conventions
  • Page 246 2-2, 2-5 running-config example running-config example nagle algorithm back-end SSL server 2-10 client-side connection 6-15 back-end SSL server service and content server-side connection 6-17 rule 2-17, 2-19, 2-21
  • Page 247 SSL initiation type 6-25 importing/exporting certificates and keys 3-14 SSL module slot, specifying 6-26 initiation SSL proxy lists, adding 4-47, 4-49, 5-18, 5-19, 6-26 key pairs 3-20, 7-4, 7-5, 7-7, 7-8
  • Page 248 SSL service 4-49 session cache timeout, configuring 6-11 statistics, viewing 7-15, 7-16 session ID cache size 6-28 SSL back-end server, see back-end SSL server SSL module slot, specifying 6-26
  • Page 249 6-17 activating 4-46, 5-17, 6-23 terminating client connection 4-34 adding to service 4-49, 5-19, 6-26 troubleshooting SSL initiation 6-30 adding to SSL services 4-47, 5-18 back-end SSL server, configuring
  • Page 250 SSL TCP inactivity timeout 4-43 SSL TCP server-side connection options 4-42 SSL TCP SYN timeout 4-43 TCP buffering 4-45 TCP nagle algorithm, client-side connection 4-44 TCP nagle algorithm, server-side connection 4-44

This manual is also suitable for:

11500 series