If you use a load balancer for web content, it is generally recommended to offload SSL before the traffic reaches the web servers. Most application load balancers have hardware SSL modules that outperform servers doing the same work in software. In addition, without decrypting the traffic the load balancer cannot use features such as cookie check/insert or packet rewrite. Keep in mind that after offload the traffic between the load balancer and the servers is clear text: that segment must be a trusted, private network, and the clear-text port must not be reachable from the outside.
In order to perform SSL offload on a Cisco CSS you will have to perform the following tasks:
Step 1
First obtain the certificate (purchased from a CA or generated by you) together with its private key as a PKCS#12 (.pfx) file. The file is protected by an import password, which the customer supplies. From a Unix box with openssl installed, run:

openssl pkcs12 -in <customercert.pfx> -out <customercert.com-cert.pem>
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:

You will be prompted for the import password the customer supplied, and then for a new PEM pass phrase that protects the private key in the output file. In this example we use "password" for the pass phrase. Note that the output file contains both the certificate and the (still encrypted) private key.

Next extract the RSA private key with the pass phrase removed, since that is the form the CSS loads:

openssl rsa -in <customercert.com-cert.pem> -out <customercert-key.pem>

You are prompted for the PEM pass phrase once more. The resulting key file is unencrypted: keep it readable only by you, and delete every copy once the import into the CSS is done.
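The conversion above, with the checks a practitioner would want before the files leave the Unix box, as an added example that is not part of the original page. It assumes openssl is on PATH; the file names and pass phrases are placeholders, and the self-signed test certificate it can build for itself is constructed input, not a customer certificate.

```shell
#!/bin/sh
# Added example (not from the original page): prepare a customer .pfx for
# import into a CSS and sanity-check the result before shipping it.
# Assumes openssl is on PATH; file names and pass phrases are placeholders.
set -e

# Convert a PKCS#12 bundle into the two PEM files the CSS imports.
#   $1 = .pfx file        $2 = its import password
#   $3 = PEM pass phrase  $4 = output cert PEM   $5 = output key PEM
pfx_to_pem() {
    pfx=$1; import_pw=$2; pem_pw=$3; cert_out=$4; key_out=$5
    # Same command as the procedure above, with both prompts answered on the
    # command line. The output holds the cert and the key (encrypted under $pem_pw).
    openssl pkcs12 -in "$pfx" -out "$cert_out" \
        -passin "pass:$import_pw" -passout "pass:$pem_pw"
    # Strip the pass phrase so the CSS can load the private key. The result is
    # an unencrypted key: create it mode 0600 and delete it once imported.
    umask 077
    openssl rsa -in "$cert_out" -passin "pass:$pem_pw" -out "$key_out"
}

# Return 0 when the public key inside the cert equals the public half of the
# private key file, i.e. the pair really belongs together. A mismatch would
# otherwise only show up as failed handshakes after the CSS is configured.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the cert in $1 expires within $2 days (or has already expired).
# openssl -checkend exits 0 when the cert is still good for that long, so invert.
expires_within() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        return 1
    fi
    return 0
}

# Constructed test input: a throwaway self-signed cert packed into a .pfx,
# so the functions above can be exercised without a real customer file.
#   $1 = .pfx to write   $2 = import password to protect it with
make_test_pfx() {
    dir=$(dirname "$1")
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=www.example.com" \
        -keyout "$dir/test-key.pem" -out "$dir/test-cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$dir/test-cert.pem" -inkey "$dir/test-key.pem" \
        -out "$1" -passout "pass:$2"
}

# Usage: sh css-cert-prep.sh customer.pfx <import password> [PEM pass phrase]
if [ $# -ge 2 ]; then
    pfx_to_pem "$1" "$2" "${3:-password}" customercert.com-cert.pem customercert-key.pem
    key_matches_cert customercert.com-cert.pem customercert-key.pem ||
        { echo "private key does not match certificate" >&2; exit 1; }
    if expires_within customercert.com-cert.pem 30; then
        echo "certificate expires within 30 days" >&2; exit 1
    fi
    openssl x509 -in customercert.com-cert.pem -noout -subject -dates
fi
```

The key/cert match and the expiry check are cheap to run here and expensive to discover on the CSS, where the symptom is a VIP that fails every handshake. If the customer's .pfx was produced by an old tool that used RC2, OpenSSL 3 needs the `-legacy` option on the `openssl pkcs12` command to read it.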
Step 2
At this point you need to get the newly created cert and private key onto the CSS. The CSS pulls the files over FTP, so they have to sit on an FTP server of your choice; I recommend using the config station of that data centre (DC) as the FTP server. Both FTP and the key file you just produced are unencrypted, so the config station and its path to the CSS must be on a trusted management network, and you should remove the key from the config station as soon as the import is done.
In the CSS you need to set up an FTP record for the config station (the credentials are stored in the CSS configuration, so use a dedicated, low-privilege FTP account):
CSS(conf)# ftp-record ftp-server <ipaddress> <username> "password"
CSS(conf)# exit
Please note the password in this field has to be entered in quotes.
Now copy the files from the server to the CSS. On the CSS, run:
CSS# copy ssl ftp ftp-server import <customercert.com-cert.pem> PEM "password"
CSS# copy ssl ftp ftp-server import <customercert-key.pem> PEM "password"
The quoted string is the pass phrase the CSS uses to protect the imported file in its own storage; the example uses the same "password" as in Step 1.
Step 3
At this point set the SSL associations in the CSS. This tells the CSS which file is the cert and which is the private key, and gives each a name that the SSL proxy list refers to. On the CSS, run:
CSS(conf)# ssl associate cert <domain-cert> <customercert.com-cert.pem>
CSS(conf)# ssl associate rsakey <domain-key> <customercert-key.pem>
The next step is to create the SSL proxy list, or add to it if one already exists. By default we always name it "ssl-proxy", but verify that the device does not already have one under a different name. Each cert/key pair (an ssl-server entry) in the proxy list needs: the VIP address, the cipher, and the port on which the decrypted traffic is sent back towards the servers (typically something like 8080 or 8181; the customer will usually specify). When adding additional cert/key pairs to an existing proxy list you must suspend the proxy list and the SSL service first, then reactivate both. The cipher used throughout these examples, rsa-with-rc4-128-sha, is what the original configuration carried; RC4 is broken and prohibited for TLS by RFC 7465, so choose the strongest cipher your CSS software release supports and only fall back to RC4 for legacy clients that need it. The following example shows what the configuration should look like if this is the first cert on the CSS.
!***********SSL PROXY LIST ********!
ssl-proxy-list ssl-proxy
  ssl-server 1
  ssl-server 1 rsakey <domain-key>
  ssl-server 1 rsacert <domain-cert>
  ssl-server 1 vip address <privateipofvip>
  ssl-server 1 cipher rsa-with-rc4-128-sha <privateipofvip> <cleartextportonservers>
  active

Service for the SSL proxy:

service ssl-service
  type ssl-accel
  keepalive type none
  slot 2
  add ssl-proxy-list ssl-proxy
  active

Below is an example of adding a second certificate to the CSS. The SSL service and the proxy list are suspended first, the new ssl-server entry is added with the association names of the second pair, and then both are reactivated. Each ssl-server entry is keyed by its VIP address (and port, 443 by default), so the second certificate needs its own VIP, or a different port on the same VIP:

CSS(conf)# service ssl-service
  suspend
ssl-proxy-list ssl-proxy
  suspend
  ssl-server 2
  ssl-server 2 rsakey <domain2-key>
  ssl-server 2 rsacert <domain2-cert>
  ssl-server 2 vip address <privatevipip>
  ssl-server 2 cipher rsa-with-rc4-128-sha <privatevipip> <newvipport>
  active
!
!
!
service ssl-service
  active
!
!
!
owner vip
!
!
!
  content <publicvipip>-ssl
    vip address <privatevipip>
    add service ssl-service
    protocol tcp
    port 443
    balance leastconn
    application ssl
    advanced-balance ssl
    active

  content <publicvipip>-<newvipport>
    add service <service1>
    add service <service2>
    ...
    protocol tcp
    port <newvipport>
    url "/*"
    vip address <privatevipip>
    active

  content <publicvipip>
    balance leastconn
    add service <service1>
    sticky-mask 255.255.255.240
    add service <service2>
    vip address <privatevipip>
    no persistent
    active
You will need to set up a standard service for each of the web servers the traffic is destined to. I would recommend setting the keepalive port to the same port defined for the clear-text traffic returned to the server, so the health check exercises the listener the CSS actually sends traffic to. If the customer specified port 8080, the following is an example:
service <privateip>-8080-<server#>-web
  ip address <privateip>
  keepalive type tcp
  keepalive port 8080
  active
Step 4
Now create the content rules for the SSL cert: one for the ssl-service (port 443) and one for the clear-text return traffic (port 8080 here). Content rules live under an owner, as in the example above. The following is an example of how both VIPs should look:
content <publicip>-ssl
  vip address <privateip>
  add service ssl-service
  protocol tcp
  port 443
  balance leastconn
  application ssl
  advanced-balance ssl
  active

content <publicip>-8080
  vip address <privateip>
  add service 192.168.1.35-8080-27561-web1
  add service 192.168.1.36-8080-27562-web2
  balance leastconn
  protocol tcp
  port 8080
  url "/*"
  active

Because the clear-text rule sits on the same VIP, anyone who can reach port 8080 on that address gets the site without SSL. Make sure the firewall in front of the CSS only passes port 443 to the VIP from the outside.
At this point test the cert. With your web browser (preferably test with both IE and Firefox) go to https://<hostname> (or https://<ipaddress>:443, in which case a name-mismatch warning is expected and only the certificate details matter) and verify that you receive a valid cert the first time. Once the secure connection to 443 is established, click the padlock icon in the browser and check the certificate details: the subject name must match the host name the customer will use, the issuing chain must be trusted, and the expiry date must not have passed.
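A scripted version of this check, added here and not taken from the original page: it pulls the certificate the VIP actually serves and compares it with the PEM file imported in Step 2, which catches a stale ssl-server entry or a cert/key mixup that a glance at the padlock would miss. It assumes openssl is on PATH; the host, port and file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): verify the certificate a CSS
# VIP serves against the PEM file that was imported. Assumes openssl on PATH.
set -e

# Print the SHA-256 fingerprint and validity dates of the cert served at
# $1:$2. $3 is sent as the TLS server name; the CSS does not pick certificates
# by SNI, it is only there so the function also works against servers that do.
served_cert_info() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 -dates
}

# Return 0 when the VIP at $1:$2 serves exactly the cert in file $4 (equal
# fingerprints) and that cert is not within 30 days of expiry. A mismatch
# usually means the ssl-server entry points at the wrong rsacert/rsakey
# association, or the proxy list was not reactivated after a change.
vip_cert_check() {
    served=$(served_cert_info "$1" "$2" "$3" | grep -i fingerprint)
    expected=$(openssl x509 -in "$4" -noout -fingerprint -sha256 | grep -i fingerprint)
    [ -n "$served" ] && [ "$served" = "$expected" ] &&
        openssl x509 -in "$4" -noout -checkend $((30 * 86400)) >/dev/null
}

# Usage: sh css-vip-check.sh <vip ip> 443 www.example.com customercert.com-cert.pem
if [ $# -eq 4 ]; then
    served_cert_info "$1" "$2" "$3"
    vip_cert_check "$@" && echo "OK: VIP serves the expected, current certificate"
fi
```

If the ssl-server entry offers only rsa-with-rc4-128-sha, a current OpenSSL will not complete the handshake at all, because RC4 is disabled by default; that failure is itself the signal that the cipher choice needs revisiting before the customer's clients hit the same wall.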
Additional Information:
http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_example09186a00801aca4f.shtml
The following is a list of useful show commands related to certs, with sample output. The counters worth watching are the Failed lines in the crypto statistics (nonzero values point at the hardware module or a bad key file) and the gap between handshakes started and completed for the proxy server (clients abandoning the handshake, often because of a cipher or certificate they will not accept):
show ssl file

File Name         File Type  File Size
----------------  ---------  ---------
CompanyX-rsa-key  PEM        688
CompanyX-cert     PEM        871
CompanyX-dh       PEM        201
CompanyX-dsa-key  PEM        404

show ssl flows

SSL Acceleration Flows for slot 5

Virtual          Port  TCP Proxy Flows  Active SSL Flows  SSL Flows in Handshake
---------------  ----  ---------------  ----------------  ----------------------
10.48.67.22      443   0                0                 0

show ssl associate

Certificate Name  File Name      Used by List
----------------  -------------  ------------
rsacert           CompanyX-cert  yes

RSA Key Name  File Name         Used by List
------------  ----------------  ------------
CompanyXrsa   CompanyX-rsa-key  yes

DH Param Name  File Name    Used by List
-------------  -----------  ------------
CompanyX-dh    CompanyX-dh  no

DSA Key Name  File Name         Used by List
------------  ----------------  ------------
CompanyXdsa   CompanyX-dsa-key  no

show ssl statistics

SSL Acceleration Statistics
    0  DSA Sign Failed
    0  DSA Verify Failed
    0  SSL MAC Failed
    0  TLS HMAC Failed
    0  3DES Failed
    0  ARC4 Failed
    0  HASH Failed
    0  Hardware Device Not Found
    0  Hardware Device Timed Out
    0  Invalid Crypto Parameter
    0  Hardware Device Failed
  313  SSL received non-application data bytes
  992  SSL transmitted non-application data bytes
    0  RSA Private Decrypt failures
    0  MAC failures for packets received
    0  Re-handshake TimerAlloc failed
    0  Blocks SSL could not allocate
    0  Dup Blocks SSL could not allocate
    0  Too many blocks for Block2AccelFragmentArray
    0  Too many blocks in a SSL message

show ssl statistics ssl-proxy-server

SSL Acceleration Statistics
Component: SSL Proxy Server    Slot: 5
Count            Description
---------------  -----------
             20  Handshake started for incoming SSL connections
             19  Handshake completed for incoming SSL connections
              0  Handshake started for outgoing SSL connections
              0  Handshake completed for outgoing SSL connections
              1  Active SSL flows high water mark
              0  Current number of TCP Proxy flows
              2  Maximum number of TCP Proxy flows

show ssl statistics ssl

SSL Acceleration Statistics
Component: SSL    Slot: 5
Count            Description
---------------  -----------
              5  RSA Private Decrypt calls
              0  RSA Public Decrypt calls
              0  DH Compute key calls
              0  DH Generate key calls
              0  DSA Verify calls
              0  DSA Sign calls
            335  MD5 raw hash calls

show ssl statistics crypto

SSL Acceleration Statistics
Component: Crypto    Slot: 5
Count            Description
---------------  -----------
              5  RSA Private
              0  RSA Public
              0  DH Shared
              0  DH Public
              0  DSA Sign
              0  DSA Verify
            192  SSL MAC
            257  TLS HMAC
            451  3DES
              0  ARC4
          3,303  HASH
              0  RSA Private Failed
              0  RSA Public Failed
              0  DH Shared Failed
              0  DH Public Failed
              0  DSA Sign Failed
              0  DSA Verify Failed
              0  SSL MAC Failed
              0  TLS HMAC Failed
              0  3DES Failed
              0  ARC4 Failed
              0  HASH Failed
              0  Hardware Device Not Found
              0  Hardware Device Timed Out
              0  Invalid Crypto Parameter
              0  Hardware Device Failed
              0  Hardware Device Busy
              0  Out Of Resources
              0  Cancelled -- Device Reset