
Cisco CSS 11500 Series Content Services Switches

CSS 11500 Backend SSL Configuration Example

Document ID: 47390

Updated: Jan 31, 2006


Introduction

The Content Services Switch (CSS) 11500 supports internal Secure Socket Layer (SSL) acceleration modules, which can be used to decrypt client traffic for better load balancing decisions (front-end SSL, or SSL termination). Using the CSS to offload SSL from the servers significantly increases server performance and allows traffic to be better distributed to back-end applications. The CSS 11500 can re-encrypt SSL-terminated connections and send encrypted traffic to the back-end SSL servers (back-end SSL). This is necessary for environments that require secure client-to-server communication together with advanced server load balancing, such as using cookies to maintain session persistence. The integrated SSL capabilities allow the CSS to make content-aware decisions that ensure the data is sent to the correct application, while maintaining data encryption throughout the network.

This document describes the SSL traffic flow from the client to the CSS and to the back-end SSL server. This document provides configurations and different implementation scenarios.

Prerequisites

Requirements

Before attempting this configuration, ensure that you meet these requirements:

  • an understanding of the basic concepts of Secure Socket Layer / Transport Layer Security (SSL/TLS)

  • a basic setup of the CSS

  • access to the web servers' keys and certificates from the existing SSL web servers

  • authorization to change the SSL configuration on your servers

Components Used

The information in this document is based on these software and hardware versions:

  • WebNS Version 7.20 build 206

  • CSS 11506

  • VeriSign On Site Certificate

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Related Products

This configuration can also be used with these hardware and software versions:

  • CSS 11501 with built-in SSL, or CSS 11503/11506 with a CSS5-SSL-K9 SSL module installed.

  • WebNS software Version 7.20 and above.

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).

Network Diagram

This document uses this network setup:

[Network diagram: backend_ssl.jpg]

Configurations

This document uses this configuration:

  • CSS 11506 (NWS-5-9)

Traffic from the client arrives and hits the content rule front, which listens on port 443. This rule load balances the traffic to the service ssl_front, which in turn references the SSL proxy list.

The SSL proxy list defines the SSL negotiation with the client and establishes a secure SSL session between the CSS and the client. The configuration defines the SSL proxy IP address, the private key, and the chained or single certificate to use. It also defines the clear text content rule that the decrypted traffic hits.

The content rule referred to is content back. Because this data is now in clear text, the CSS can see the HTTP headers. In order to maintain stickiness to a server, use Arrowpoint cookies. The CSS then makes a load balancing decision based on the Arrowpoint cookie if the client has already received one, or via the underlying load balancing algorithm if it has not. In this case, the request is load balanced to service backend1.

The request is then sent to service backend1. This service is configured as type ssl-accel-backend. There is no physical server here.

The SSL proxy list is referred to again, and in the configuration you can see the backend-server section. This configuration is very similar to the SSL decryption on the front end, but in reverse: clear text is taken in and converted to SSL. You can also define the cipher to use in the client hello.

The request is then sent to the physical server, encrypted.

CSS 11506 (NWS-5-9)
nws-5-2# sh run
 !Generated on 01/09/2004 01:16:00
 !Active version: sg0720206
 configure
 !*************************** GLOBAL ***************************
 cdp run 

 ssl associate rsakey privatekey myprivatekey 
 ssl associate cert certificate mynewcert.pem 


!--- Define the SSL certificate and key files to use for the Web site 
!--- These are for the client to SSL module connection.


 ip route 0.0.0.0 0.0.0.0 10.66.86.17 1 


 !************************* INTERFACE *************************
 interface 3/1
 bridge vlan 41 

 !************************** CIRCUIT **************************
 circuit VLAN1

 ip address 10.1.1.1 255.255.255.0

 circuit VLAN41

 ip address 10.66.86.29 255.255.255.240 

 !*********************** SSL PROXY LIST ***********************
 ssl-proxy-list my_secure_site 
 ssl-server 1 
 ssl-server 1 rsakey privatekey 
 ssl-server 1 rsacert certificate 
 ssl-server 1 cipher rsa-with-rc4-128-md5 10.1.1.10 81 
 ssl-server 1 vip address 10.66.86.28


!--- SSL server configuration. This is for the client to the SSL
!--- module connection.


 backend-server 10

 
!--- Backend SSL configuration. These specify the parameters for 
!--- the connection from the CSS to the backend servers. 


 backend-server 10 ip address 10.1.1.20 
 backend-server 10 port 81 


!--- This defines the clear text IP address and port on which the CSS
!--- accepts data to be encrypted and sent to the backend server.

 backend-server 10 server-ip 10.1.1.20 
 backend-server 10 server-port 8003


!--- This is the physical SSL server and its SSL port. If no server-port
!--- is configured, the default of 443 is used.


 backend-server 10 cipher rsa-export-with-rc4-40-md5 


!--- The CSS behaves as a client. Specify what SSL cipher 
!--- you are going to present to the backend server in the SSL 
!--- handshake client hello packet.


 backend-server 20 
 backend-server 20 ip address 10.1.1.21 
 backend-server 20 port 81 
 backend-server 20 server-ip 10.1.1.21 
 backend-server 20 server-port 8003
 backend-server 20 cipher rsa-export-with-rc4-40-md5 

 backend-server 30 
 backend-server 30 ip address 10.1.1.22 
 backend-server 30 port 81 
 backend-server 30 server-ip 10.1.1.22
 backend-server 30 server-port 8003 
 backend-server 30 cipher rsa-export-with-rc4-40-md5 
 active 

 !************************** SERVICE **************************

 service ssl_front 
 slot 6 
 type ssl-accel 
 keepalive type none 
 add ssl-proxy-list my_secure_site 
 active 

 service backend1 
 ip address 10.1.1.20 
 type ssl-accel-backend 
 port 81
 add ssl-proxy-list my_secure_site 
 keepalive port 8003 
 keepalive type ssl 
 protocol tcp 
 active 

 service backend2 
 ip address 10.1.1.21 
 type ssl-accel-backend 
 port 81
 keepalive port 8003 
 add ssl-proxy-list my_secure_site 
 keepalive type ssl 
 protocol tcp 
 active 

 service backend3 
 ip address 10.1.1.22 
 protocol tcp 
 port 81
 keepalive port 8003 
 keepalive type ssl 
 type ssl-accel-backend 
 add ssl-proxy-list my_secure_site 
 active 


 !*************************** OWNER ***************************
 owner my_secure_site

 content back 
 protocol tcp 
 port 81
 url "/*" 
 vip address 10.1.1.10 
 add service backend1 
 add service backend2 
 add service backend3 
 advanced-balance arrowpoint-cookie 
 active 

 content front 
 protocol tcp 
 vip address 10.66.86.28 
 application ssl 
 add service ssl_front 
 port 443 
 active 
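The back-end leg is only as strong as the weakest link between the service definitions and the backend-server entries: a service whose clear text IP/port has no matching backend-server never gets re-encrypted, and an export-grade cipher on the CSS-to-server hop undoes the point of back-end SSL. The following script is an added example (not Cisco's or the CSS's own code) that parses the running-config syntax shown above; the embedded config is a constructed, condensed sample, and the pattern of ciphers it treats as weak is an assumption you should tune to your policy.

```python
import re

# Export-grade suites (40-bit RC4, "export" in the name) are what to flag on
# the CSS-to-server leg; extend the pattern if your policy is stricter.
WEAK_CIPHER = re.compile(r"export|rc4-40", re.I)

# Constructed sample, condensed from the running config above; backend2's
# clear-text port deliberately disagrees with its backend-server entry.
SAMPLE_CONFIG = """\
ssl-proxy-list my_secure_site
 backend-server 10 ip address 10.1.1.20
 backend-server 10 port 81
 backend-server 10 server-ip 10.1.1.20
 backend-server 10 server-port 8003
 backend-server 10 cipher rsa-export-with-rc4-40-md5
 backend-server 20 ip address 10.1.1.21
 backend-server 20 port 81
 backend-server 20 cipher rsa-with-rc4-128-md5
service backend1
 ip address 10.1.1.20
 type ssl-accel-backend
 port 81
 add ssl-proxy-list my_secure_site
service backend2
 ip address 10.1.1.21
 type ssl-accel-backend
 port 82
 add ssl-proxy-list my_secure_site
"""

BACKEND_LINE = re.compile(
    r"backend-server (\d+) (ip address|port|server-ip|server-port|cipher) (\S+)")
SERVICE_LINE = re.compile(r"(ip address|port|type|add ssl-proxy-list) (\S+)")


def parse_config(text):
    """Return (proxy lists: name -> {backend id -> attrs}, services: name -> attrs)."""
    proxy_lists, services, block = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ssl-proxy-list "):
            block = ("list", proxy_lists.setdefault(line.split()[1], {}))
        elif line.startswith("service "):
            block = ("service", services.setdefault(line.split()[1], {}))
        elif block and block[0] == "list" and (m := BACKEND_LINE.match(line)):
            block[1].setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
        elif block and block[0] == "service" and (m := SERVICE_LINE.match(line)):
            block[1][m.group(1)] = m.group(2)
    return proxy_lists, services


def audit(text):
    """Cross-check each ssl-accel-backend service against the backend-server
    entries of the proxy list it adds, and flag export-grade re-encryption."""
    proxy_lists, services = parse_config(text)
    findings = []
    for name, svc in services.items():
        if svc.get("type") != "ssl-accel-backend":
            continue
        backends = proxy_lists.get(svc.get("add ssl-proxy-list"), {})
        clear = (svc.get("ip address"), svc.get("port"))
        matched = [b for b in backends.values()
                   if (b.get("ip address"), b.get("port")) == clear]
        if not matched:
            findings.append(f"{name}: no backend-server for clear-text {clear[0]}:{clear[1]}")
        for b in matched:
            if WEAK_CIPHER.search(b.get("cipher", "")):
                findings.append(f"{name}: export-grade cipher {b['cipher']} "
                                f"to {b.get('server-ip')}:{b.get('server-port')}")
    return findings
```

Run audit() over the text of show run; on the sample it reports the export cipher on backend1 and the unmatched clear-text port on backend2.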

Verify and Troubleshoot

This section provides information you can use to troubleshoot your configuration. Each step in the life cycle of a session is listed below, followed by the show commands and tools that can be used to check the state of that part of the life cycle.

Logical Life Cycle: Commands / Techniques (examples below)

Client: Sniffer trace from the client machine. Look for the TCP 3-way handshake and the SSL client hello and server hello.

Content Rule front: show rule — Look for the rule as being Active. Try to ping the VIP address of the rule; it should respond. Take a sniffer trace on the link connecting to the CSS on the client side.

Service ssl_front: show service summary — Make sure the service is Alive. show service ssl_front — Make sure the service is Alive and the SSL proxy list my_secure_site is listed and Active. Check that the total local connections are incrementing.

SSL Proxy List my_secure_site: show ssl-proxy-list — Make sure the state is Active. show ssl-proxy-list my_secure_site — Provides the configuration information. show ssl statistics — Make sure there are no errors incrementing. See the example below. show ssl flows — Displays the current flows.

Content Rule back: show rule — Look for the rule as being Active.

Services backend1, backend2 or backend3: show service summary — Make sure the service is Alive. show service <service name> — Make sure that at least one service is Alive and the SSL proxy list my_secure_site is listed and Active. Check that the total local connections are incrementing.

SSL Proxy List my_secure_site (back-end leg): show ssl-proxy-list — Make sure the state is Active. show ssl-proxy-list my_secure_site — Provides the configuration information. show ssl statistics — Make sure there are no errors incrementing. See the example below. show ssl flows — Displays the current flows.

Server: Sniffer trace from the client machine. Look for the TCP 3-way handshake and the SSL client hello and server hello. Check that the server is listening on the SSL port: issue the netstat -a command on Windows, or the netstat -l command on Unix/Linux machines.

Verify and Troubleshooting Command Examples

This section provides troubleshooting information for the commands listed in the life cycle above and what to look for in each command. The fields called out in the !--- comments are the ones to check; investigate if they show a different state.

show rule

Name:                    back   Owner:          my_secure_site
State:    Active   Type:                    HTTP
Balance:          Round Robin   Failover:                  N/A
Persistence:          Enabled   Param-Bypass:         Disabled
Session Redundancy:  Disabled
IP Redundancy:    Not Redundant
L3:         10.1.1.10   


!--- These lines indicate the configuration of the rule.


L4:         TCP/81
Url:        /*          


!--- This indicates a Layer 7 rule, where the CSS spoofs the
!--- connection.

Redirect: ""
TCP RST client if service unreachable: Disabled
Rule Services:
 1: backend1-Alive 

>>>>>>>>

Name:                   front   Owner:          my_secure_site
State:                 Active   Type:       SSL
Balance:          Round Robin   Failover:                  N/A
Persistence:          Enabled   Param-Bypass:         Disabled
Session Redundancy:  Disabled
IP Redundancy:    Not Redundant
L3:         10.66.86.28  


!--- These lines indicate the configuration of the rule.

L4:         TCP/443
Url:                             


!--- There is no configuration, so this is a Layer 4 rule.

Redirect: ""
TCP RST client if service unreachable: Disabled
Rule Services:
 1: ssl_front-Alive 

show service summary

Service Name                     State     Conn  Weight  Avg   State
                                                         Load  Transitions

backend1                         Alive         0      1     2            9
backend2                         Down          0      1   255            0
backend3                         Down          0      1   255            0
ssl_front                        Alive         0      1     2            4

sh service ssl_front

Name: ssl_front         Index: 4     
  Type: Ssl-Accel        State: Alive
  Rule ( 0.0.0.0  ANY  ANY )
  Session Redundancy: Disabled
  SSL-Accel slot: 6    


 !--- Make sure this is the slot where the SSL module is installed.

  Session Cache Size: 10000 
  Redirect Domain:  
  Redirect String:  
  Keepalive: (NONE   5   3   5 )
  Last Clearing of Stats Counters: 01/28/2004 22:29:34
  Mtu:                       1500        State Transitions:            4


 !--- Connection counters should be increasing.

  Total Local Connections:   576         Total Backup Connections:     0
  Current Local Connections: 0           Current Backup Connections:   0
  Total Connections:         576         Max Connections:              65534
  Total Reused Conns:        0         
  Weight:                    1           Load:                         2
  DFP:                       Disable     

  
SSL Proxy Lists:
   1: my_secure_site-Active

show ssl-proxy-list

Ssl-Proxy-List Table Entries (1 Entries)
    1) Name:  my_secure_site
       State:  Active
       

!--- The number of services pointing to the SSL proxy list. This 
!--- includes the back-end services as well.

       Services Associated:  4  

show ssl-proxy-list my_secure_site

- Ssl-proxy-list Entries for list my_secure_site -

Number of SSL-Servers:  1 
   Ssl-Server 1 -
     
     Vip address: 10.66.86.28
     Vip port:  443
     RSA Certificate:  certificate  
     

     !--- This is the certificate file associated for the SSL site.

     RSA Keypair:      privatekey   
     

     !--- This is the private key file associated for the SSL site.

     DSA Certificate:  none
     DSA Keypair:      none
     DH Param:         none
     Session Cache Timeout:         300     SSL Version:  SSL and TLS
     Re-handshake Timeout:          0       Re-handshake Data:            0
     Virtual TCP Inactivity TO:     240     Server TCP Inactivity TO:     240
     Virtual TCP Syn Timeout:       30      Server TCP Syn Timeout:       30
     Virtual TCP Nagle Algorithm:   enable  Server TCP Nagle Algorithm:   enable
     TCP Receive Buffer:            32768   TCP Transmit Buffer:          65536
     SSL Shutdown Procedure:        normal 

     Cipher Suite(s)               Weight     Port     Server
     ---------------               ------     ----     ------
     rsa-with-rc4-128-md5             1       81       10.1.1.10

    

    !--- This is the cipher suite used in the server hello back to the client,
    !--- and the clear text IP address and port of the decrypted traffic.


     URL Rewrite Rule(s) - None
         
Number of Ssl Proxy backend-servers:  3 
   Backend-server 10 -


!--- This is the back-end server clear text IP and port.

     
     IP address: 10.1.1.20
     Port:  81
     

!--- This is the back-end server SSL server IP and port.

     
     Server IP address: 10.1.1.20
     Server port:  8003
     Session Cache Timeout:        300     SSL Version:  SSL and TLS
     Re-handshake Timeout:         0       Re-handshake Data:            0
     Virtual TCP Inactivity TO:    240     Server TCP Inactivity TO:     240
     Virtual TCP Syn Timeout:      30      Server TCP Syn Timeout:       30
     Virtual TCP Nagle Algorithm:  enable  Server TCP Nagle Algorithm:   enable
     TCP Receive Buffer:           32768   TCP Transmit Buffer:          65536

     Cipher Suite(s)               Weight    
     ---------------               ------    
     rsa-export-with-rc4-40-md5       1      

    
 
!--- This is the cipher suite used in the client hello to the SSL server.
!--- In this case, the SSL module is encrypting the traffic and acting as
!--- a client.


   Backend-server 20 -
     IP address: 10.1.1.21
     Port:  81
     Server IP address: 10.1.1.21
     Server port:  8003
     Session Cache Timeout:        300     SSL Version:  SSL and TLS
     Re-handshake Timeout:         0       Re-handshake Data:            0
     Virtual TCP Inactivity TO:    240     Server TCP Inactivity TO:     240
     Virtual TCP Syn Timeout:      30      Server TCP Syn Timeout:       30
     Virtual TCP Nagle Algorithm:  enable  Server TCP Nagle Algorithm:   enable
     TCP Receive Buffer:           32768   TCP Transmit Buffer:          65536

     Cipher Suite(s)               Weight    
     ---------------               ------    
     rsa-export-with-rc4-40-md5       1      

   Backend-server 30 -
     IP address: 10.1.1.22
     Port:  81
     Server IP address: 10.1.1.22
     Server port:  8003
     Session Cache Timeout:        300     SSL Version:  SSL and TLS
     Re-handshake Timeout:         0       Re-handshake Data:            0
     Virtual TCP Inactivity TO:    240     Server TCP Inactivity TO:     240
     Virtual TCP Syn Timeout:      30      Server TCP Syn Timeout:       30
     Virtual TCP Nagle Algorithm:  enable  Server TCP Nagle Algorithm:   enable
     TCP Receive Buffer:           32768   TCP Transmit Buffer:          65536

     Cipher Suite(s)               Weight    
     ---------------               ------    
     rsa-export-with-rc4-40-md5       1      

show ssl statistics

SSL Acceleration Statistics
Component: SSL Proxy Server   Slot: 6
     Count        Description
---------------   -----------
            
            576   Handshake started for incoming SSL connections
            576   Handshake completed for incoming SSL connections


!--- These are the SSL handshake statistics for the client to CSS connection.

            
            560   Handshake started for outgoing SSL connections
            560   Handshake completed for outgoing SSL connections


!--- These are the SSL handshake stats for the CSS to backend servers.

             
             12   Active SSL flows high water mark


!--- This is the maximum number of active SSL flows.


SSL Acceleration Statistics
Component: Crypto   Slot: 6
     Count        Description
---------------   -----------
             14   RSA Private
              3   RSA Public
              0   DH Shared
              0   DH Public
              0   DSA Sign
              0   DSA Verify
              0   SSL MAC
          7,515   TLS HMAC
              0   3DES
          7,918   ARC4
         69,876   HASH
              
              0   RSA Private Failed
              0   RSA Public Failed
              0   DH Shared Failed
              0   DH Public Failed
              0   DSA Sign Failed
              0   DSA Verify Failed
              0   SSL MAC Failed
              0   TLS HMAC Failed
              0   3DES Failed
              0   ARC4 Failed
              0   HASH Failed
              0   Hardware Device Not Found
              0   Hardware Device Timed Out
              0   Invalid Crypto Parameter
              0   Hardware Device Failed
              0   Hardware Device Busy
              0   Out Of Resources
              0   Cancelled -- Device Reset


!--- At this point, any errors need to be investigated.


SSL Acceleration Statistics
Component: SSL   Slot: 6
     Count        Description
---------------   -----------
             14   RSA Private Decrypt calls
              3   RSA Public Decrypt calls
              0   DH Compute key calls
              0   DH Generate key calls
              0   DSA Verify calls
              0   DSA Sign calls
         34,220   MD5 raw hash calls
         34,220   SHA1 raw hash calls
              0   3-DES calls
          7,918   RC4 calls
              0   SSL MAC(MD5) calls
              0   SSL MAC(SHA1) calls
          7,515   TLS MAC(MD5) calls
              0   TLS MAC(SHA1) calls
              0   Level 2 Alerts Received
            725   Level 1 Alerts Received
              0   Level 2 Alerts Sent
          1,134   Level 1 Alerts Sent
      
      1,200,211   SSL received bytes from TCP
      1,155,278   SSL transmitted bytes to TCP
      1,006,669   SSL received Application Data bytes
      1,970,856   SSL transmitted Application Data bytes
        124,497   SSL received non-application data bytes
        152,147   SSL transmitted non-application data bytes
  

!--- These are the traffic stats for the SSL module; they should be incrementing.

              0   RSA Private Decrypt failures
              0   MAC failures for packets received
              0   Re-handshake TimerAlloc failed
              0   Blocks SSL could not allocate
              0   Dup Blocks SSL could not allocate
              0   Too many blocks for Block2AccelFragmentArray
              0   Too many blocks in a SSL message
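"No errors incrementing" is a comparison between two readings, not one: a non-zero failure counter that never moves is history, one that grows is a live fault, and a persistent gap between handshakes started and completed on either leg is a failing negotiation (a momentary gap is just handshakes in flight). The following script is an added example (not Cisco's or the CSS's own code) that parses two show ssl statistics snapshots in the format shown above; the snapshots are constructed, trimmed samples, and the set of words taken to mark an error counter is an assumption.

```python
import re

COUNTER_LINE = re.compile(r"^\s*([\d,]+)\s+(\S.*?)\s*$")
# Descriptions that denote failures in the Crypto and SSL component tables
# (assumed list, drawn from the counter names shown above).
ERROR_WORDS = re.compile(r"fail|could not|too many|not found|timed out|invalid|busy|"
                         r"out of resources|cancelled", re.I)

# Constructed snapshots, trimmed from the show ssl statistics output above.
# The second one adds a stalled outgoing handshake and a MAC failure.
SNAPSHOT_BEFORE = """\
SSL Acceleration Statistics
Component: SSL Proxy Server   Slot: 6
     Count        Description
---------------   -----------
            576   Handshake started for incoming SSL connections
            576   Handshake completed for incoming SSL connections
            560   Handshake started for outgoing SSL connections
            560   Handshake completed for outgoing SSL connections
Component: SSL   Slot: 6
              0   RSA Private Decrypt failures
              0   MAC failures for packets received
      1,200,211   SSL received bytes from TCP
"""
SNAPSHOT_AFTER = """\
            600   Handshake started for incoming SSL connections
            600   Handshake completed for incoming SSL connections
            590   Handshake started for outgoing SSL connections
            584   Handshake completed for outgoing SSL connections
              0   RSA Private Decrypt failures
              3   MAC failures for packets received
      1,350,004   SSL received bytes from TCP
"""


def parse_ssl_stats(text):
    """Map each counter description to its integer value (commas stripped)."""
    stats = {}
    for line in text.splitlines():
        m = COUNTER_LINE.match(line)
        if m:
            stats[m.group(2)] = int(m.group(1).replace(",", ""))
    return stats


def ssl_health(before, after):
    """Findings from two snapshots: handshakes that did not complete on either
    leg, and any error counter that moved between the two readings."""
    old, new = parse_ssl_stats(before), parse_ssl_stats(after)
    findings = []
    for leg in ("incoming", "outgoing"):
        started = new.get(f"Handshake started for {leg} SSL connections", 0)
        done = new.get(f"Handshake completed for {leg} SSL connections", 0)
        if started != done:  # handshakes in flight also show here; re-check later
            findings.append(f"{leg}: {started - done} handshake(s) not completed")
    for desc, count in new.items():
        if ERROR_WORDS.search(desc) and count > old.get(desc, 0):
            findings.append(f"{desc}: {old.get(desc, 0)} -> {count}")
    return findings
```

Take the two snapshots a few minutes apart under normal load; the outgoing (CSS-to-server) gap is the one to correlate with the backend-server cipher and server-port settings.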

show ssl flows

SSL Acceleration Flows for slot 6
        Virtual  Port TCP Proxy Flows  Active SSL Flows  SSL Flows in Handshake
---------------  ---- ---------------  ----------------  ----------------------
    
    10.66.86.28   443               6                 2                       0
      10.1.1.20    81               6                 2                       0
      10.1.1.22    81               0                 0                       0
      10.1.1.21    81               0                 0                       0


!--- This is the number of active flows in the CSS. These can be difficult to see on a 
!--- box with little load.

show service backend1

Name: backend1          Index: 1     
  
  Type: Ssl-Accel-Backend State: Alive
  Rule ( 10.1.1.20  TCP  81 )
  Session Redundancy: Disabled
  Redirect Domain:  
  Redirect String:  
  Keepalive: (SSL-8003   5   3   5 )
  Last Clearing of Stats Counters: 01/28/2004 22:29:34
  Mtu:                       1500        State Transitions:            9
  Total Local Connections:   689         Total Backup Connections:     0
  Current Local Connections: 0           Current Backup Connections:   0
  Total Connections:         689         Max Connections:              65534
  Total Reused Conns:        0         
  Weight:                    1           Load:                         2
  DFP:                       Disable     

  
SSL Proxy Lists:
   1: my_secure_site-Active

TAC Service Request Information

Before opening a Technical Assistance Center (TAC) service request, gather this information:

  1. Using the life cycle above, gather all the commands mentioned and group them per life cycle step.

  2. Provide the script play showtech command output.

  3. Provide a detailed topology diagram.

  4. Provide sniffer traces from the client side of the CSS and the server side. This is optional, but may shorten resolution time.

  5. If providing sniffer traces, identify the client's IP address.
