
Cisco LocalDirector 400 Series

Field Notice: LocalDirector User Interface 3.1 and 3.1.1 SSL Root Certificate Expiration


December 27, 1999


Products Affected

Product: LocalDirector User Interface (LUI) V3.1 and V3.1.1 (LUI 3.1, 3.1.1)

Description: The LocalDirector product can be affected by certain LUI configurations.

 

Problem Description

Several Verisign Certificate Authority (CA) root certificates contained in the product will expire at midnight GMT on December 31, 1999. Depending on the configuration of the LUI, availability of SSL servers could be interrupted.

Background

(This product is also referred to as the Content Verification System, or CVS).

The following Verisign (CA) root certificates contained in the LUI product will expire at midnight GMT on December 31, 1999:

  • Verisign/RSA Commercial CA

  • Verisign Class 1 Primary CA

  • Verisign Class 2 Primary CA

  • Verisign Class 3 Primary CA

  • Verisign Class 4 Primary CA

The following Verisign CA root certificate contained in the product will expire at midnight GMT on March 4, 2003:

  • Verisign test

If all of the following conditions exist, then the LUI will instruct the LocalDirector to stop sending traffic to the servers mentioned in the bullets below after the expiration date:

  • The LUI is configured to "probe" web servers using the Secure Sockets Layer (SSL)

  • The probed servers use certificates issued by the above CAs (these are the only certificates that the LUI supports)

  • The LUI is configured to "out of service" these same servers when server content does not pass the user-defined test criteria

Note: LUI configurations that do not meet ALL of the above conditions WILL NOT BE AFFECTED.

Problem Symptoms

If the LUI is configured as outlined in the Background section above, LocalDirector will stop sending traffic to all such servers. The availability of specific SSL servers is interrupted.

Workaround/Solution

To determine if you are affected:

  1. Log in to the LUI

  2. Right-click on the first probe that you have configured, and then select Properties (if you do not have any probes configured, stop here; you will not be affected).

  3. Check to see if the "Out of Service on failure" checkbox is checked.

    If this box is not checked, you will not be affected by the problem outlined in this notice, but the LUI will log notifications, and (if configured to do so) send SNMP traps with a message stating something similar to "certificate expired." (If this box is not checked, this particular probe will not be affected. Go to step one for the next probe.)

  4. Select the first probe step in the list, and click the Edit Step button.

    Navigate to the General tab. Check to see if the "Allow probe to continue if this step fails" box is checked. (If the box is checked, this probe step will NOT be affected. Repeat for all steps in this probe, and all probes. If all steps for all probes do not have this box checked, you will not be affected.)

  5. Navigate to the Basic Request Parameters tab.

    Check to see if the "Communicate with Server via SSL" box is checked. (If the box is NOT checked, this probe step will NOT be affected. Repeat for all steps in this probe, and all probes. If all steps for all probes do not have this box checked, you will not be affected.)

If any step in any probe meets ALL of the criteria outlined above, you WILL be affected. The LocalDirector User Interface will instruct the LocalDirector to stop sending traffic to all SSL servers bound to the same Web site (or virtual) as this probe.
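The check above can also be run over an inventory of probe settings, as in this added example (not Cisco code). The `Probe` and `Step` classes are a hypothetical model of the values read from the LUI dialogs, the sample probes are constructed, and "midnight GMT" is assumed to mean 00:00 UTC on the stated day.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Expiry dates as stated in the notice; "midnight GMT" is taken here as
# 00:00 UTC on the named day (an assumption about the exact instant).
_Y2K = datetime(1999, 12, 31, tzinfo=timezone.utc)
ROOT_EXPIRY = {
    "Verisign/RSA Commercial CA": _Y2K,
    "Verisign Class 1 Primary CA": _Y2K,
    "Verisign Class 2 Primary CA": _Y2K,
    "Verisign Class 3 Primary CA": _Y2K,
    "Verisign Class 4 Primary CA": _Y2K,
    "Verisign test": datetime(2003, 3, 4, tzinfo=timezone.utc),
}

@dataclass
class Step:                      # hypothetical model of one probe step
    issuing_ca: str              # CA that issued the probed server's certificate
    use_ssl: bool                # "Communicate with Server via SSL"
    continue_on_failure: bool    # "Allow probe to continue if this step fails"

@dataclass
class Probe:                     # hypothetical model of one probe
    name: str
    virtual: str                 # Web site (or virtual) the probe is bound to
    out_of_service_on_failure: bool
    steps: list = field(default_factory=list)

def first_failure(probe):
    """Earliest instant at which an expired root makes the whole probe fail, or None."""
    dates = [ROOT_EXPIRY[s.issuing_ca] for s in probe.steps
             if s.use_ssl and not s.continue_on_failure and s.issuing_ca in ROOT_EXPIRY]
    return min(dates, default=None)

def audit(probes, now):
    """Classify each probe at time `now`: 'out-of-service', 'log-only' or 'ok'."""
    result = {}
    for p in probes:
        when = first_failure(p)
        if when is None or now < when:
            result[p.name] = "ok"
        else:
            result[p.name] = "out-of-service" if p.out_of_service_on_failure else "log-only"
    return result

# Constructed sample configuration (not taken from a real LUI).
SAMPLE = [
    Probe("shop-ssl", "www-shop", True, [Step("Verisign Class 3 Primary CA", True, False)]),
    Probe("intranet", "www-int", False, [Step("Verisign Class 2 Primary CA", True, False)]),
    Probe("lab", "www-lab", True, [Step("Verisign test", True, False)]),
    Probe("plain", "www-plain", True, [Step("", False, False)]),
]
```

A probe reported as "log-only" corresponds to the case in step 3 where the LUI only logs a notification or sends an SNMP trap.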

The workaround:

Follow the steps below:

  1. Click Cancel on the Edit Web Probe Step dialog (this leaves you in the Edit Web Probe dialog)

  2. Uncheck the box titled "Out of service on failure"

  3. Click OK

  4. Repeat this for all probes that meet ALL of the criteria outlined above

Note: You have now disabled the SSL content verification capabilities of the LUI.

The long term fix is to upgrade the software. An upgrade is necessary because the expiration dates for the Verisign CA root certificates are built into the software. The new version will be available on CCO when verification is complete.

A new upgraded software version is now ready. The files have been posted to the dir/cisco/internet/localdirector/ location and can be downloaded via one of the following methods:

http://www.cisco.com/cgi-bin/tablebuild.pl/localdir

ftp://username@ftp.cisco.com/cisco/internet/localdirector/ (where "username" is your CCO login userID)

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
