Guest

Cisco Services Modules

Simple Backend SSL Encryption Configuration with the Catalyst 6000 SSL Module

Cisco - Simple Backend SSL Encryption Configuration with the Catalyst 6000 SSL Module

Document ID: 50061

Updated: Nov 30, 2005

   Print

Introduction

The backend Secure Socket Layer (SSL) configuration is used when you want a client using HTTP (clear text) to communicate with an HTTPS server (encrypted traffic). The SSL module will act as a proxy and accept the HTTP connection from the client. The SSL module then connects via SSL to the server. All traffic from the client is encrypted by the SSL module and forwarded to the server. The traffic from the server is decrypted before being forwarded to the client.

simple_backend_ssl.jpg

This is the initial configuration of the SSL module. The VLAN definitions are included.

ssl-proxy vlan 499 
 ipaddr 192.168.11.197 255.255.254.0
 gateway 192.168.10.1  
 admin
ssl-proxy vlan 500 
 ipaddr 192.168.21.197 255.255.254.0
 gateway 192.168.20.1  
ssl-proxy vlan 501 
 ipaddr 192.168.31.197 255.255.254.0

Before You Begin

Requirements

Before attempting this configuration, please ensure that you meet these requirements:

  • Catalyst 6000 with SSL module

  • SSL module has been configured with a management VLAN

  • SSL module has been configured with client and server VLANs

Components Used

The information in this document is based on this hardware and software version:

  • SSL module version 2.1 minimum

Conventions

For more information on document conventions, see the Cisco Technical Tips Conventions.

Backend SSL configuration

In this section, you are presented with the information to configure the features described in this document.

SSL and Certificates

A trusted Certificate Authority (CA) is required to validate the certificate presented to the SSL module by the Web server when establishing the SSL connection. Multiple trusted CAs can be configured and lined together with a CA pool.

Importing Trusted CA Certificates

Complete these steps:

  1. Create a trusted CA entry indicating the method to be used to import the certificates. In this example, copy and paste the certificate into a terminal window. Also, specify that the CA has no certificates revocation list (CRL).

    ssl-proxy(config)#crypto ca trustpoint CA1
    ssl-proxy(ca-trustpoint)#enrollment terminal 
    ssl-proxy(ca-trustpoint)#crl optional 
  2. Once the CA entry has been created, you can import the associated certificates.

    ssl-proxy(config)#crypto ca authenticate CA1
    
    Enter the base 64 encoded CA certificate.
    End with a blank line or the word "quit" on a line by itself
    
    -----BEGIN CERTIFICATE-----
    MIIEDDCCA3WgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBuzELMAkGA1UEBhMCLS0x
    EjAQBgNVBAgTCVNvbWVTdGF0ZTERMA8GA1UEBxMIU29tZUNpdHkxGTAXBgNVBAoT
    EFNvbWVPcmdhbml6YXRpb24xHzAdBgNVBAsTFlNvbWVPcmdhbml6YXRpb25hbFVu
    aXQxHjAcBgNVBAMTFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjEpMCcGCSqGSIb3DQEJ
    ARYacm9vdEBsb2NhbGhvc3QubG9jYWxkb21haW4wHhcNMDMxMTA3MTAyNTE5WhcN
    MDQxMTA2MTAyNTE5WjCBuzELMAkGA1UEBhMCLS0xEjAQBgNVBAgTCVNvbWVTdGF0
    ZTERMA8GA1UEBxMIU29tZUNpdHkxGTAXBgNVBAoTEFNvbWVPcmdhbml6YXRpb24x
    HzAdBgNVBAsTFlNvbWVPcmdhbml6YXRpb25hbFVuaXQxHjAcBgNVBAMTFWxvY2Fs
    aG9zdC5sb2NhbGRvbWFpbjEpMCcGCSqGSIb3DQEJARYacm9vdEBsb2NhbGhvc3Qu
    bG9jYWxkb21haW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALbEc403lMrc
    TwM0MGU1IDe7QWQE5h5NjS/Lf8KX81sNcO7DGrDLxjxKpKEfp2XY9XYbFBXGzDIP
    JdROjujvcUi0ZgQYr2pqP2eYHkWaMKClZ32JX4hOhgo0vr7dAQ7CKDRAVLddwqsC
    YTl1QPQHR27gtI/M74v4kaP1JBf/8Z+jAgMBAAGjggEcMIIBGDAdBgNVHQ4EFgQU
    JKrmeHLjYClfDU3fR7BSQ8ckApQwgegGA1UdIwSB4DCB3YAUJKrmeHLjYClfDU3f
    R7BSQ8ckApShgcGkgb4wgbsxCzAJBgNVBAYTAi0tMRIwEAYDVQQIEwlTb21lU3Rh
    dGUxETAPBgNVBAcTCFNvbWVDaXR5MRkwFwYDVQQKExBTb21lT3JnYW5pemF0aW9u
    MR8wHQYDVQQLExZTb21lT3JnYW5pemF0aW9uYWxVbml0MR4wHAYDVQQDExVsb2Nh
    bGhvc3QubG9jYWxkb21haW4xKTAnBgkqhkiG9w0BCQEWGnJvb3RAbG9jYWxob3N0
    LmxvY2FsZG9tYWluggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEA
    bVSfbEnrUKijkP5f76pyNFDYCS9Qu4PN8SJu8KXlmFTpcV1oToVAipUGBsgENvKx
    R1aJqpAU8a9iGVFukaco3Q+Gu9TErWauVevflwekcY5sOHXt33jWneveDcNwEQ1J
    JmptCZO2GS8td+PfFJKkc846fqe0LL/BzPPNrkM4C/8=
    -----END CERTIFICATE-----
    
    Certificate has the following attributes:
    Fingerprint: 458E7A60 0845AD98 A1649A8B 040F8E99 
    % Do you accept this certificate? [yes/no]: 
  3. You can repeat the steps above for as many CAs as needed.

Creating a Certificate Authority Pool

Complete these steps:

Now that you have created all the trusted CAs and imported their associated certificates, you need to link these CAs together.

ssl-proxy(config)#ssl-proxy pool ca pool1
ssl-proxy(config-ca-pool)#ca trustpoint CA1

Configuring the Backend SSL Service

Complete these steps:

  1. Create the SSL-proxy service. Specify that this is a backend SSL service by using the keyword client after the service name.

    ssl-proxy(config)#ssl-proxy service MyHTTPS client
     
    ssl-proxy(config-ssl-proxy)#
    
  2. Define the Virtual IP (VIP) address and port on which the SSL module will be listening. The IP address must be part of the IP subnet defined on one of the SSL module VLANs.

    ssl-proxy(config-ssl-proxy)#virtual ipaddr 192.168.21.241 protocol tcp port 80
    
  3. Define the HTTPS server that we will connect to

    ssl-proxy(config-ssl-proxy)#server ipaddr 192.168.30.195 protocol tcp port 443
    
  4. Link the CA pool, which has already been defined.

    ssl-proxy(config-ssl-proxy)#trusted-ca mentone-pool
    
  5. Define what part of the certificate you want the SSL module to verify during SSL negotiation. This step is optional.

    ssl-proxy(config-ssl-proxy)#authenticate verify signature-only
    
  6. Activate the service.

    ssl-proxy(config-ssl-proxy)#inservice
    

Verify

This section provides information you can use to confirm your configuration is working properly.

Check that your SSL-proxy service is active and working properly:

ssl-proxy#sho ssl-proxy service MyHTTPS
Service id: 260, bound_service_id: 4
Virtual IP: 192.168.21.241, port: 80  
Server IP: 192.168.30.195, port: 443
Certificate authority pool: mentone-pool 
  CA pool complete 
Certificate authentication type: only signature verification
Admin Status: up
Operation Status: up
ssl-proxy#

The output is correct.

This example shows a possible problem:

ssl-proxy#sho ssl-proxy service gduf 
Service id: 259, bound_service_id: 3
Virtual IP: 192.168.31.241, port: 80  
Server IP: 192.168.21.3, port: 443
Certificate authority pool: C2knica (not configured)
Certificate authentication type: only signature verification
Admin Status: up
Operation Status: down
Proxy status: CA pool incomplete

Check the statistics. Check that connections are being received from the client, and that connections are opened with the server.

ssl-proxy#sho ssl-proxy stats
TCP Statistics:
    Conns initiated     : 7             Conns accepted       : 7         
    Conns established   : 14            Conns dropped        : 6         
    Conns Allocated     : 22            Conns Deallocated    : 22        
    Conns closed        : 14            SYN timeouts         : 0         
    Idle timeouts       : 0             Total pkts sent      : 54        
    Data packets sent   : 18            Data bytes sent      : 1227      
    Total Pkts rcvd     : 54            Pkts rcvd in seq     : 24        
    Bytes rcvd in seq   : 9967      

SSL Statistics: 
    conns attempted     : 7             conns completed     : 7         
    full handshakes     : 1             resumed handshakes  : 0         
    active conns        : 0             active sessions     : 0         
    renegs attempted    : 0             conns in reneg      : 0         
    handshake failures  : 6             data failures       : 0         
    fatal alerts rcvd   : 0             fatal alerts sent   : 6         
    no-cipher alerts    : 0             ver mismatch alerts : 0         
    no-compress alerts  : 0             bad macs received   : 0         
    pad errors          : 0             session fails       : 0         

FDU Statistics:
    IP Frag Drops       : 0             IP Version Drops    : 0         
    IP Addr Discards    : 0             Serv_Id Drops       : 0         
    Conn Id Drops       : 0             Bound Conn Drops    : 0         
    Vlan Id Drops       : 0             TCP Checksum Drops  : 0         
    Hash Full Drops     : 0             Hash Alloc Fails    : 0         
    Flow Creates        : 44            Flow Deletes        : 44        
    Conn Id allocs      : 22            Conn Id deallocs    : 22        
    Tagged Pkts Drops   : 0             Non-Tagg Pkts Drops : 0         
    Add ipcs            : 1             Delete ipcs         : 0         
    Disable ipcs        : 1             Enable ipcs         : 0         
    Unsolicited ipcs    : 0             Duplicate Add ipcs  : 0         
    IOS Broadcast Pkts  : 36624         IOS Unicast Pkts    : 1310      
    IOS Multicast Pkts  : 0             IOS Total Pkts      : 37934     
    IOS Congest Drops   : 0             SYN Discards        : 0       

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Related Information

Updated: Nov 30, 2005
Document ID: 50061