CSS SSL Configuration Guide (Software Version 7.40)
SSL Configuration Quick Starts

Table Of Contents

SSL Configuration Quick Starts

RSA Certificate and Key Generation Quick Start

RSA Certificate and Key Import Quick Start

SSL Proxy List Quick Start

SSL Termination Proxy List Quick Start

Back-End SSL Proxy List Quick Start

SSL Initiation Proxy List Quick Start

SSL Service and Content Rule Quick Start

SSL Termination Service and Content Rule Quick Start

Back-End SSL Service and Content Rule Quick Start

SSL Initiation Service Quick Start

SSL Initiation Content Rule Quick Start


SSL Configuration Quick Starts


This chapter provides a quick overview on how to manage SSL certificates in the CSS, create an SSL proxy list for virtual and back-end SSL servers, and add an SSL proxy list to an SSL service. Each step includes the CLI command required to complete the task. RSA has been chosen for the quick start procedures in this section because it is a popular public-key algorithm for encryption and authentication.

To configure SSL termination on a CSS, perform the steps in the following quick start procedures:

1. RSA Certificate and Key Generation Quick Start, Table 2-1

2. RSA Certificate and Key Import Quick Start, Table 2-2

3. SSL Termination Proxy List Quick Start, Table 2-3

4. SSL Termination Service and Content Rule Quick Start, Table 2-6

If your configuration includes back-end SSL, also perform the following quick start procedures:

1. Back-End SSL Proxy List Quick Start, Table 2-4

2. Back-End SSL Service and Content Rule Quick Start, Table 2-7

To configure SSL initiation, perform the following quick start procedures:

1. SSL Initiation Proxy List Quick Start, Table 2-5

2. SSL Initiation Service Quick Start, Table 2-8

3. SSL Initiation Content Rule Quick Start, Table 2-9

RSA Certificate and Key Generation Quick Start

Table 2-1 provides an overview of the steps required to generate and associate an RSA key pair and certificate in the CSS. Key and certificate generation may be necessary in instances where you do not have preexisting keys or certificates for the CSS. You may want to initially generate RSA keys and temporary certificates on the CSS for internal SSL testing. A generated certificate is temporary and expires in 30 days.

Table 2-1 RSA Certificate and Key Generation Quick Start 

Task and Command Example

1. Enter global configuration mode.

# config
(config) #

2. Generate the RSA key pair used in the exchange.

(config) # ssl genrsa CSSrsakey1 1024 "passwd123"
Please be patient this could take a few minutes

3. Associate the generated RSA key pair with a file.

(config) # ssl associate rsakey myrsakey1 CSSrsakey1

4. After generating the RSA key pair, generate the Certificate Signing Request (CSR) file for the RSA key pair file. For example, enter:

(config) # ssl gencsr myrsakey1
You are about to be asked to enter information
that will be incorporated into your certificate
request. What you are about to enter is what is
called a Distinguished Name or a DN.
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [US]US
State or Province (full name) [SomeState]New York
Locality Name (city) [SomeCity]Albany
Organization Name (company name) [Acme Inc]Cisco Systems, Inc.
Organizational Unit Name (section) [Web Administration]Web Admin
Common Name (your domain name) [www.acme.com]www.cisco.com
Email address [webadmin@acme.com]webadmin@cisco.com

-----BEGIN CERTIFICATE REQUEST-----
MIIBWDCCAQICAQAwgZwxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNQTETMBEGA1UE
BxMKQm94Ym9yb3VnaDEcMBoGA1UEChMTQ2lzY28gU3lzdGVtcywgSW5jLjESMBAG
A1UECxMJV2ViIEFkbWluMRYwFAYDVQQDEw13d3cuY2lzY28uY29tMSEwHwYJKoZI
hvcNAQkBFhJra3JvZWJlckBjaXNjby5jb20wXDANBgkqhkiG9w0BAQEFAANLADBI
AkEAqHXjtQUVXvmo6tAWPiMpe6oYhZbJUDgTxbW4VMCygzGZn2wUJTgLrifDB6N3
v+1tKFndE686BhKqfyOidml3wQIDAQABoAAwDQYJKoZIhvcNAQEEBQADQQA94yC3
4SUJJ4UQEnO2OqRGLOZpAElc4+IV9aTWK6NmiZsM9Gt0vPhIkLx5jjhVRLlb27Ak
H6D5omXa0SPJan5x
-----END CERTIFICATE REQUEST-----

CSS11503(config)# 

The ssl gencsr command generates the CSR as a PKCS#10 request encoded in Privacy Enhanced Mail (PEM) format and outputs it to the screen. Note that the CSR is not saved on the CSS, so copy it from the screen output.
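Because the request exists only in the screen output, it is worth confirming what it contains before pasting it into the CA's enrollment form. The following Python script is an added example, not part of the Cisco guide and not a CSS feature: it strips the PEM armour, walks the PKCS#10 DER structure with a minimal parser, and reports the subject DN, the RSA modulus size and the signature algorithm, then lists reasons the request should not be submitted. Its input is the request printed above, copied from this page. The OID table, the 2048-bit minimum and the weak-signature list are the example's own choices. Decoding the printed request shows a 512-bit RSA key and an MD5-signed request (which some CAs reject); the key is also smaller than the 1024 bits asked for in step 2, which is exactly the kind of discrepancy worth catching before the CSR leaves your hands.

```python
"""Inspect a PKCS#10 CSR with a minimal DER walker before handing it to a CA:
recover the subject DN, the RSA key size and the signature algorithm."""
import base64
import re

# The request printed by the ssl gencsr example above, copied from the page.
EXAMPLE_CSR = """-----BEGIN CERTIFICATE REQUEST-----
MIIBWDCCAQICAQAwgZwxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNQTETMBEGA1UE
BxMKQm94Ym9yb3VnaDEcMBoGA1UEChMTQ2lzY28gU3lzdGVtcywgSW5jLjESMBAG
A1UECxMJV2ViIEFkbWluMRYwFAYDVQQDEw13d3cuY2lzY28uY29tMSEwHwYJKoZI
hvcNAQkBFhJra3JvZWJlckBjaXNjby5jb20wXDANBgkqhkiG9w0BAQEFAANLADBI
AkEAqHXjtQUVXvmo6tAWPiMpe6oYhZbJUDgTxbW4VMCygzGZn2wUJTgLrifDB6N3
v+1tKFndE686BhKqfyOidml3wQIDAQABoAAwDQYJKoZIhvcNAQEEBQADQQA94yC3
4SUJJ4UQEnO2OqRGLOZpAElc4+IV9aTWK6NmiZsM9Gt0vPhIkLx5jjhVRLlb27Ak
H6D5omXa0SPJan5x
-----END CERTIFICATE REQUEST-----"""

# Dotted OIDs to the short names used in a DN, plus the algorithm OIDs we expect.
OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "emailAddress",
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_SIGNATURES = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}  # example's own policy


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body."""
    m = re.search(r"-----BEGIN CERTIFICATE REQUEST-----(.*?)-----END CERTIFICATE REQUEST-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE REQUEST block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the content of a SEQUENCE/SET into a list of (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(value):
    """Decode an OBJECT IDENTIFIER body into dotted form."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def parse_csr(pem):
    """Return the fields of a CSR that a reviewer checks before submission."""
    tag, request, _ = tlv(pem_to_der(pem))
    if tag != 0x30:
        raise ValueError("CertificationRequest is not a SEQUENCE")
    info, sig_alg, _signature = children(request)
    version, name, spki = children(info[1])[:3]     # a 4th child holds the attributes, unused here
    subject = {}
    for _, rdn in children(name[1]):                  # RelativeDistinguishedName (SET)
        for _, atv in children(rdn):                  # AttributeTypeAndValue (SEQUENCE)
            oid, val = children(atv)
            dotted = decode_oid(oid[1])
            subject[OID_NAMES.get(dotted, dotted)] = val[1].decode("ascii")
    alg, key_bits = children(spki[1])
    key_oid = decode_oid(children(alg[1])[0][1])
    # BIT STRING body = unused-bit count (1 byte) + DER RSAPublicKey {modulus, exponent}
    modulus, exponent = children(tlv(key_bits[1], 1)[1])
    sig_oid = decode_oid(children(sig_alg[1])[0][1])
    return {
        "version": int.from_bytes(version[1], "big"),
        "subject": subject,
        "key_algorithm": OID_NAMES.get(key_oid, key_oid),
        "key_bits": int.from_bytes(modulus[1], "big").bit_length(),
        "exponent": int.from_bytes(exponent[1], "big"),
        "signature_algorithm": OID_NAMES.get(sig_oid, sig_oid),
    }


def review_csr(info, expected_cn, min_key_bits=2048):
    """List the reasons not to submit this CSR; an empty list means it passes."""
    problems = []
    cn = info["subject"].get("CN")
    if cn != expected_cn:
        problems.append(f"CN is {cn!r}, expected {expected_cn!r}")
    if info["key_bits"] < min_key_bits:
        problems.append(f"RSA key is {info['key_bits']} bits, below the {min_key_bits}-bit minimum")
    if info["signature_algorithm"] in WEAK_SIGNATURES:
        problems.append(f"request is signed with {info['signature_algorithm']}, which some CAs reject")
    return problems


if __name__ == "__main__":
    details = parse_csr(EXAMPLE_CSR)
    print(details["subject"], details["key_bits"], details["signature_algorithm"])
    for p in review_csr(details, "www.cisco.com"):
        print("-", p)
```

The parser handles only what a PKCS#10 request needs (short and long-form lengths, SEQUENCE/SET walking, OID decoding) and raises on anything that is not a SEQUENCE at the top level; the point is to read the DN and key size off the exact bytes you are about to submit, not to replace a full ASN.1 library.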

5. Transfer the certificate request to the Certificate Authority (CA). Most major Certificate Authorities have Web-based applications that require you to cut and paste the certificate request to the screen.

If you require a global site certificate that allows 128-bit encryption for export-restricted browsers, apply for a StepUp/SGC or chained certificate from the CA.

You will receive your certificate in one to seven days.

6. (Optional) While you are waiting for the signed certificate, you can test the CSR by creating a temporary self-signed certificate: generate a CSR and sign it with your own private key. This produces a valid certificate, but most browsers flag it as signed by an unrecognized signing authority. To generate a temporary certificate, see the "Generating a Self-Signed Certificate" section.

7. After you receive your certificate in one to seven days, save it as a file onto a secure FTP server.

If you received a server certificate, go to Step 11.

If you received a global site certificate, you must create a chained certificate. Go to Step 8.

8. Obtain the intermediate certificate for the global site certificate from the following link: http://www.verisign.com/support/install/intermediate.htm.

Save the certificate as a file on the secure FTP server.

9. Create a file, and copy the global site certificate and the intermediate certificate into it. The global site certificate must be first, followed by the intermediate certificate. Make sure that there is a single new line between the server and intermediate certificates.

10. Save the file.

11. Import the certificate into the CSS using the steps in the "RSA Certificate and Key Import Quick Start" section.


RSA Certificate and Key Import Quick Start

Table 2-2 provides an overview of the steps required to import and associate an RSA certificate and key pair to the CSS from a remote server.

Table 2-2 RSA Certificate and Key Import Quick Start 

Task and Command Example

1. Define a secure File Transfer Protocol (FTP) record file to import certificates and private keys into the CSS from an SFTP server.

# ftp-record ssl_record 192.168.19.21 johndoe "abc123" /home/johndoe

2. Use secure FTP to transfer the imported certificates and private keys to the CSS.

# copy ssl sftp ssl_record import rsacert.pem PEM "passwd123"
Connecting
Completed successfully

# copy ssl sftp ssl_record import rsakey.pem PEM "passwd123"
Connecting
Completed successfully

3. Enter configuration mode.

# config
(config) #

4. To use RSA public key exchange and authentication:

a. Associate the imported RSA certificate with a file.

(config) # ssl associate cert myrsacert1 rsacert.pem

b. Associate the imported RSA key pair with a file.

(config) # ssl associate rsakey myrsakey1 rsakey.pem

5. Compare the public key in the associated certificate with the public key stored with the associated private key and verify that they are identical.

(config) # ssl verify myrsacert1 myrsakey1 
Certificate myrsacert1 matches key myrsakey1

The following running-configuration example shows the results of entering the commands in Table 2-2.

!*************************** GLOBAL *************************** 
ftp-record ssl_record 192.168.19.21 johndoe des-password 1frapbyg4fldce4d /home/johndoe

ssl associate cert myrsacert1 rsacert.pem
ssl associate rsakey myrsakey1 rsakey.pem

SSL Proxy List Quick Start

An SSL proxy list determines the flow of data to and from an SSL module. The following sections describe how to create a proxy list for:

SSL termination

Back-end SSL

SSL initiation

SSL Termination Proxy List Quick Start

You must define a virtual SSL server in an SSL proxy list for an SSL module to properly process and terminate SSL communications from the client and initiate an HTTP connection to the server.

Table 2-3 provides an overview of the steps required to create a virtual SSL server entry in an SSL proxy list for an RSA certificate and key pair. For information on configuring client authentication, see "Configuring Client Authentication" in Chapter 4, Configuring SSL Termination.

Table 2-3 SSL Termination Proxy List Quick Start  

Task and Command Example

1. Create the SSL proxy list.

(config)# ssl-proxy-list ssl_list1
Create ssl-list <ssl_list1>, [y/n]: y

Once you create an SSL proxy list, the CLI enters ssl-proxy-list configuration mode for the newly created list.

(config-ssl-proxy-list[ssl_list1])#

2. Specify a number to identify a virtual SSL server in the SSL proxy list.

(config-ssl-proxy-list[ssl_list1])# ssl-server 20

3. Specify a virtual IP (VIP) address. Enter a VIP address that corresponds to an SSL content rule.

(config-ssl-proxy-list[ssl_list1])# ssl-server 20 vip address 192.168.3.6

4. (Optional) Specify the virtual TCP port number if you need to change it to correspond with the content rule. By default, the virtual TCP port number is 443.

(config-ssl-proxy-list[ssl_list1])# ssl-server 20 port 444 

5. Specify the name of an existing RSA certificate association and RSA key pair association for the SSL proxy list virtual SSL server.

(config-ssl-proxy-list[ssl_list1])# ssl-server 20 rsacert myrsacert1
(config-ssl-proxy-list[ssl_list1])# ssl-server 20 rsakey myrsakey1

6. Assign the appropriate cipher suite for the RSA certificates and keys in use, the IP address of the back-end content rule used for the cipher suite, and the TCP port of the back-end content rule.

(config-ssl-proxy-list[ssl_list1])# ssl-server 20 cipher rsa-export-with-rc4-40-md5 192.168.3.6 8080 weight 5

7. (Optional) Specify a URL rewrite entry for the domain name so that HTTP 300-series redirects returned by the server are rewritten to HTTPS instead of reaching the client as nonsecure HTTP redirects.

(config-ssl-proxy-list[ssl_list1])# ssl-server 20 urlrewrite 22 www.mydomain.com

8. Continue to Table 2-4 if the flow requires encryption to a back-end SSL server. If not, continue to step 9.

9. Activate the completed SSL proxy list.

(config-ssl-proxy-list[ssl_list1])# active

The following running-configuration example shows the results of entering the commands in Table 2-3.

!*********************** SSL PROXY LIST ***********************

ssl-proxy-list ssl_list1
  ssl-server 20
  ssl-server 20 vip address 192.168.3.6
  ssl-server 20 port 444
  ssl-server 20 rsacert myrsacert1
  ssl-server 20 rsakey myrsakey1
  ssl-server 20 cipher rsa-export-with-rc4-40-md5 192.168.3.6 8080 weight 5
  ssl-server 20 urlrewrite 22 www.mydomain.com
  active

Back-End SSL Proxy List Quick Start

If you require that a CSS send encrypted data to an SSL server, configure a back-end server entry in the SSL proxy list to allow the SSL module to encrypt the data and initiate an SSL connection to the server. You must configure back-end SSL with SSL termination. For the SSL termination quick start procedure, see the "SSL Termination Proxy List Quick Start" section.

Table 2-4 provides an overview of steps required to create a back-end SSL proxy list.

Table 2-4 Back-End SSL Proxy List Quick Start  

Task and Command Example

1. Specify a number to identify a back-end SSL server in an existing SSL termination proxy list.

(config-ssl-proxy-list[ssl_list1])# backend-server 1

2. Specify an IP address. Enter an IP address that corresponds to the address of the service for the back-end SSL server.

(config-ssl-proxy-list[ssl_list1])# backend-server 1 ip address 192.168.4.4

3. (Optional) By default, the virtual TCP port number for the back-end server is 80. Assign the virtual TCP port number if you need to change it.

(config-ssl-proxy-list[ssl_list1])# backend-server 1 port 8080

4. Specify the server IP address for the back-end server. Enter a valid IP address for the server.

(config-ssl-proxy-list[ssl_list1])# backend-server 1 server-ip 192.168.4.4

5. (Optional) By default, the server port number for the back-end server is 443. Assign the server port number if you need to change it.

(config-ssl-proxy-list[ssl_list1])# backend-server 1 server-port 113

Note If you configure the backend-server number ip address and server-ip commands with the same address, configure the backend-server number port and server-port commands with different port numbers.

6. (Optional) By default, the back-end server supports all available CSS cipher suites. If necessary, assign a specific cipher suite for the back-end SSL server, for example one that uses the RSA certificates and keys:

(config-ssl-proxy-list[ssl_list1])# backend-server 1 cipher rsa-export-with-rc4-40-md5

7. Activate the completed SSL proxy list.

(config-ssl-proxy-list[ssl_list1])# active

The following running-configuration example shows the results of entering the commands in Table 2-4 together with the commands associated with the virtual SSL server in Table 2-3.

!*********************** SSL PROXY LIST ***********************

ssl-proxy-list ssl_list1
  ssl-server 20
  ssl-server 20 vip address 192.168.3.6
  ssl-server 20 port 444
  ssl-server 20 rsacert myrsacert1
  ssl-server 20 rsakey myrsakey1
  ssl-server 20 cipher rsa-export-with-rc4-40-md5 192.168.3.6 8080 weight 5
  ssl-server 20 urlrewrite 22 www.mydomain.com
  active

backend-server 1
  backend-server 1 ip address 192.168.4.4
  backend-server 1 port 8080
  backend-server 1 server-ip 192.168.4.4
  backend-server 1 server-port 113
  backend-server 1 cipher rsa-export-with-rc4-40-md5  
  active

SSL Initiation Proxy List Quick Start

When you require that a CSS receive clear text from a client and then send encrypted data to an SSL server, configure an SSL initiation back-end server entry in the SSL proxy list to allow the SSL module to encrypt the data and initiate an SSL connection with the server.

Table 2-5 provides an overview of steps required to create an SSL initiation proxy list.

Table 2-5 SSL Initiation Proxy List Quick Start  

Task and Command Example

1. Create the SSL proxy list.

(config)# ssl-proxy-list ssl_list1
Create ssl-list <ssl_list1>, [y/n]: y

Once you create an SSL proxy list, the CLI enters ssl-proxy-list configuration mode for the newly created SSL proxy list.

(config-ssl-proxy-list[ssl_list1])#

2. Specify a number to identify a back-end SSL server in the SSL proxy list.

(config-ssl-proxy-list[ssl_list1])# backend-server 1

3. Define the back-end server as an SSL initiation server.

(config-ssl-proxy-list[ssl_list1])# backend-server 1 type initiation

4. Specify an IP address. Enter an IP address that corresponds to the IP address of the service for the back-end SSL server.

(config-ssl-proxy-list[ssl_list1])# backend-server 1 ip address 192.168.2.3

5. (Optional) By default, the virtual TCP port number for the back-end server is 80. Assign the virtual TCP port number if you need to change it.

(config-ssl-proxy-list[ssl_list1])# backend-server 1 port 8080

6. Specify a valid IP address for the back-end server.

(config-ssl-proxy-list[ssl_list1])# backend-server 1 server-ip 192.168.2.3

7. (Optional) By default, the server port number for the back-end server is 443. Assign the server port number if you need to change it.

(config-ssl-proxy-list[ssl_list1])# backend-server 1 server-port 40443

Note If you configure the backend-server number ip address and server-ip commands with the same address, configure the backend-server number port and server-port commands with different port numbers.

8. (Optional) By default, the back-end server supports all available CSS cipher suites. If necessary, assign a specific cipher suite to be used by the back-end SSL server.

(config-ssl-proxy-list[ssl_list1])# backend-server 1 cipher rsa-with-rc4-128-md5 weight 10

9. (If Required) Configure client certificates and keys in the proxy list for SSL servers that request them. The certificates and keys must have already been imported and associated with a filename on the CSS. For example, to configure an existing RSA client certificate and key, enter:

(config-ssl-proxy-list[ssl_list1])# backend-server 1 rsacert myrsacert
(config-ssl-proxy-list[ssl_list1])# backend-server 1 rsakey myrsakey

10. (Optional) Configure CA certificates in the proxy list for server authentication by the SSL module (the client). The CA certificate must already have been imported and associated with a filename on the CSS.

(config-ssl-proxy-list[ssl_list1])# backend-server 1 cacert mycert1

11. Activate the completed SSL proxy list.

(config-ssl-proxy-list[ssl_list1])# active

The following running-configuration example shows the results of entering the commands in Table 2-5.

!*********************** SSL PROXY LIST ***********************

ssl-proxy-list ssl_list1
  backend-server 1
  backend-server 1 initiation
  backend-server 1 ip address 192.168.2.3
  backend-server 1 port 8080
  backend-server 1 server-ip 192.168.2.3
  backend-server 1 server-port 40443
  backend-server 1 cipher rsa-with-rc4-128-md5 weight 10
  backend-server 1 rsacert myrsacert
  backend-server 1 rsakey myrsakey
  backend-server 1 cacert mycert1
  active

SSL Service and Content Rule Quick Start

Before the CSS can use an SSL proxy list, you must add the proxy list to an SSL service and add the service to an SSL content rule. The following sections describe how to:

Create an SSL service

Create an SSL content rule

Add the SSL service to the SSL content rule

SSL Termination Service and Content Rule Quick Start

Table 2-6 provides an overview of the steps required to create an SSL service for SSL termination, including adding the SSL proxy list to the service and creating an SSL content rule.

Table 2-6 SSL Termination Service and Content Rule Quick Start

Task and Command Example

1. Create an SSL service.

(config)# service ssl_serv1
Create service <ssl_serv1>, [y/n]: y

2. Specify ssl-accel as the service type.

(config-service[ssl_serv1])# type ssl-accel

3. Specify the slot of the SSL module in the CSS chassis.

(config-service[ssl_serv1])# slot 3

4. Prevent the CSS from sending keepalive messages to the service.

(config-service[ssl_serv1])# keepalive type none

5. Add the SSL proxy list to the SSL service.

(config-service[ssl_serv1])# add ssl-proxy-list ssl_list1

6. Activate the SSL service.

(config-service[ssl_serv1])# active

7. Create an SSL content rule.

(config)# owner ssl_owner
Create owner <ssl_owner>, [y/n]: y
(config-owner[ssl_owner])# content ssl_rule1
Create content <ssl_rule1>, [y/n]: y

8. Configure a VIP address or domain name for the content rule. Ensure that the VIP address is the same as the address specified in the SSL proxy list.

(config-owner-content[ssl_rule1])# vip address 192.168.3.6

9. Specify a TCP port number for the content rule. Ensure the port number is the same as the port specified in the SSL proxy list.

(config-owner-content[ssl_rule1])# port 444

10. If you are using two or more SSL modules and want to use stickiness based on SSL version 3 session ID for a Layer 5 content rule, specify the following parameters in the content rule to take advantage of the SSL session ID reuse:

Enter the application ssl command to specify the SSL application type.

(config-owner-content[ssl_rule1])# application ssl

Enter the advanced-balance ssl command to enable the content rule to be sticky based on SSL.

(config-owner-content[ssl_rule1])# advanced-balance ssl

11. Add the SSL service to the content rule.

(config-owner-content[ssl_rule1])# add service ssl_serv1

12. Activate the content rule.

(config-owner-content[ssl_rule1])# active

13. Save the running configuration to the startup configuration so that the changes survive a reboot.

# copy running-config startup-config

14. Continue to Table 2-7 if your configuration includes back-end SSL or Table 2-8 if your configuration includes SSL initiation.


The following running-configuration example shows the results of entering the commands in Table 2-6.

!************************** SERVICE ************************** 
service ssl_serv1
  type ssl-accel
  slot 3
  keepalive type none
  add ssl-proxy-list ssl_list1 
  active

!*************************** OWNER *************************** 
owner ssl_owner

  content ssl_rule1
    protocol tcp
    vip address 192.168.3.6
    port 444
    application ssl
    advanced-balance ssl
    add service ssl_serv1
    active

Back-End SSL Service and Content Rule Quick Start

If you configured a back-end SSL server entry in an SSL proxy list, Table 2-7 provides an overview of the steps required to create an SSL service for a back-end SSL server, including adding the SSL proxy list to the service and creating an SSL content rule.

Table 2-7 Back-End SSL Service and Content Rule Quick Start  

Task and Command Example

1. Create an SSL service.

(config)# service ssl_serv2
Create service <ssl_serv2>, [y/n]: y

2. Specify ssl-accel-backend as the service type.

(config-service[ssl_serv2])# type ssl-accel-backend

3. Configure a virtual IP (VIP) address for the back-end server. The address must match the IP address configured with the backend-server ip address command in the SSL proxy list.

(config-service[ssl_serv2])# vip address 192.168.4.4

4. (Optional) Configure a virtual port number for the back-end server. The port number must match the virtual TCP port number configured for the back-end server. By default, the port number is 80. In this example, the port number is 8080.

(config-service[ssl_serv2])# port 8080

5. (Optional) By default, the service keepalive type is ICMP. You can also configure the keepalive type for a back-end service to be none, TCP, or SSL. If you configure a TCP or SSL keepalive type, you must configure the keepalive port correctly for the service to work.

For example, to configure a keepalive type of SSL, enter:

(config-service[ssl_serv2])# keepalive type ssl

Then configure the port for the back-end SSL server. For example, enter:

(config-service[ssl_serv2])# keepalive port 443

6. Add the SSL proxy list to the SSL service.

(config-service[ssl_serv2])# add ssl-proxy-list ssl_list1

7. Activate the SSL service.

(config-service[ssl_serv2])# active

8. Add the back-end server to an SSL content rule.

(config)# owner ssl_owner
(config-owner[ssl_owner])# content ssl_backend_rule1
Create content <ssl_backend_rule1>, [y/n]: y

9. Configure a virtual IP (VIP) address or domain name for the content rule. Ensure that the VIP address for the content rule is the same as the address specified for the virtual SSL server.

(config-owner-content[ssl_backend_rule1])# vip address 192.168.3.6

10. Specify a TCP port number for the content rule. Ensure the port number is the same as the virtual TCP port specified for the back-end SSL entry in the SSL proxy list.

(config-owner-content[ssl_backend_rule1])# port 8080

11. Enter the advanced-balance arrowpoint-cookie command to enable the content rule to be sticky based on an arrowpoint cookie.

(config-owner-content[ssl_backend_rule1])# advanced-balance arrowpoint-cookie

12. (Optional) Enter the url command set to /* to use stickiness based on the cookie.

(config-owner-content[ssl_backend_rule1])# url "/*"

13. Add the SSL service to the content rule.

(config-owner-content[ssl_backend_rule1])# add service ssl_serv2

14. Activate the content rule.

(config-owner-content[ssl_backend_rule1])# active

15. Save the running configuration to the startup configuration so that the changes survive a reboot.

# copy running-config startup-config

The following running-configuration example shows the results of entering the commands in Table 2-7 together with the commands associated with the virtual SSL server in Table 2-6.

!************************** SERVICE ************************** 
service ssl_serv1
  type ssl-accel
  slot 3
  keepalive type none
  add ssl-proxy-list ssl_list1 
  active

service ssl_serv2
  type ssl-accel-backend
  ip address 192.168.4.4
  port 8080
  keepalive type ssl
  keepalive port 443
  add ssl-proxy-list ssl_list1 
  active

!*************************** OWNER *************************** 
owner ssl_owner

  content ssl_backend_rule1
    vip address 192.168.3.6
    advanced-balance arrowpoint-cookie
    protocol tcp
    port 8080
    url "/*"
    add service ssl_serv2
    active

  content ssl_rule1
    protocol tcp
    vip address 192.168.3.6
    port 444
    application ssl
    advanced-balance ssl
    add service ssl_serv1
    active

SSL Initiation Service Quick Start

If you configured an SSL initiation server entry in an SSL proxy list, Table 2-8 provides an overview of the steps required to create an SSL service for an SSL initiation server.

Table 2-8 SSL Initiation Service Quick Start  

Task and Command Example

1. Create an SSL service.

(config)# service ssl_serv1
Create service <ssl_serv1>, [y/n]: y

2. Specify ssl-init as the service type.

(config-service[ssl_serv1])# type ssl-init

3. Configure the IP address for the service. The service IP address must be the same as the IP address specified in the SSL initiation proxy list using the backend-server number ip address command. See the "SSL Initiation Proxy List Quick Start" section.

(config-service[ssl_serv1])# ip address 192.168.2.3

4. Configure the service port. The service port must match the SSL initiation back-end server port.

(config-service[ssl_serv1])# port 8080

5. By default, the service keepalive type is ICMP. For SSL initiation, the keepalive type can be ICMP, none, SSL, or TCP. If you specify either the SSL or TCP keepalive, you must configure the port that the keepalive uses. The keepalive port must match the SSL initiation back-end server port.

For example, to configure a keepalive type of SSL, enter:

(config-service[ssl_serv1])# keepalive type ssl
(config-service[ssl_serv1])# keepalive port 40443

6. Specify the slot in the CSS chassis where the SSL module designated for SSL initiation resides.

(config-service[ssl_serv1])# slot 5

7. Add the SSL proxy list to the SSL service.

(config-service[ssl_serv1])# add ssl-proxy-list ssl_list1

8. Activate the SSL service.

(config-service[ssl_serv1])# active

The following running-configuration example shows the results of entering the commands in Table 2-8.

!************************** SERVICE ************************** 
service ssl_serv1
  type ssl-init
  ip address 192.168.2.3
  port 8080
  slot 5
  keepalive type ssl
  keepalive port 40443
  add ssl-proxy-list ssl_list1 
  active

SSL Initiation Content Rule Quick Start

If you configured an SSL initiation server entry in an SSL proxy list, Table 2-9 provides an overview of the steps required to create an SSL content rule for an SSL initiation server.

Table 2-9 SSL Initiation Content Rule Quick Start

Task and Command Example

1. If necessary, create an owner.

(config)# owner ssl_owner
Create owner <ssl_owner>, [y/n]: y

2. Add the SSL initiation back-end server to an SSL content rule.

(config)# owner ssl_owner
(config-owner[ssl_owner])# content ssl_init_rule1
Create content <ssl_init_rule1>, [y/n]: y

3. Configure a virtual IP (VIP) address or domain name for the content rule.

(config-owner-content[ssl_init_rule1])# vip address 192.168.2.3

4. Specify a TCP port number for the content rule.

(config-owner-content[ssl_init_rule1])# port 80

5. (Optional) Enter the url command set to /* to use stickiness based on the cookie.

(config-owner-content[ssl_init_rule1])# url "/*"

6. (Optional) Enter the advanced-balance arrowpoint-cookie command to enable the content rule to be sticky based on an arrowpoint cookie.

(config-owner-content[ssl_init_rule1])# advanced-balance arrowpoint-cookie

7. Add the SSL service to the content rule.

(config-owner-content[ssl_init_rule1])# add service ssl_serv1

8. Activate the content rule.

(config-owner-content[ssl_init_rule1])# active

9. Save the running configuration to the startup configuration so that the changes survive a reboot.

# copy running-config startup-config

The following running-configuration example shows the results of entering the commands in Table 2-9.

!*************************** OWNER *************************** 
owner ssl_owner

  content ssl_init_rule1
    vip address 192.168.2.3
    port 80
    url "/*"
    advanced-balance arrowpoint-cookie
    add service ssl_serv1
    active
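The quick starts above repeat several cross-reference requirements that are easy to break when the pieces are edited separately: the content rule's VIP and port must equal the virtual SSL server's (Table 2-6, steps 8 and 9), the address and port in the ssl-server cipher line must be those of the back-end content rule (Table 2-3, step 6), the ssl-accel-backend or ssl-init service must carry the address and port of the backend-server entry (Table 2-7, steps 3 and 4; Table 2-8, steps 3 and 4), and a backend-server whose ip address equals its server-ip must use two different ports (the Note in Tables 2-4 and 2-5). The following Python script is an added example, not Cisco code: it parses running-config text in the layout shown on this page into proxy-list entries, services and content rules and checks those constraints, and it also flags export-grade (40-bit) cipher suites such as the rsa-export-with-rc4-40-md5 used in the examples. The embedded sample configuration is assembled from the excerpts above with lines the checks do not read left out; the port defaults (443 for ssl-server, 80 for backend-server and the back-end service, 443 for server-port) are the ones the tables state.

```python
"""Cross-check the SSL pieces of a CSS running-config against each other:
proxy-list entries, the services that carry them and the content rules that
must use the same VIPs and ports."""

VPORT_DEFAULT = {"ssl-server": 443, "backend-server": 80}  # virtual-port defaults from the tables
SERVER_PORT_DEFAULT = 443                                   # backend-server server-port default

# Constructed from the running-config excerpts above (Tables 2-3, 2-4, 2-6, 2-7);
# lines the checks do not read (rsacert, slot, keepalive, active, ...) are omitted.
SAMPLE_CONFIG = """\
ssl-proxy-list ssl_list1
  ssl-server 20 vip address 192.168.3.6
  ssl-server 20 port 444
  ssl-server 20 cipher rsa-export-with-rc4-40-md5 192.168.3.6 8080 weight 5
  backend-server 1 ip address 192.168.4.4
  backend-server 1 port 8080
  backend-server 1 server-ip 192.168.4.4
  backend-server 1 server-port 113
  backend-server 1 cipher rsa-export-with-rc4-40-md5
service ssl_serv2
  type ssl-accel-backend
  ip address 192.168.4.4
  port 8080
  add ssl-proxy-list ssl_list1
owner ssl_owner
  content ssl_backend_rule1
    vip address 192.168.3.6
    port 8080
    add service ssl_serv2
  content ssl_rule1
    vip address 192.168.3.6
    port 444
    add service ssl_serv1
"""

def _apply(entry, tok):
    """Fold one configuration line (leading keywords already stripped) into entry."""
    if not tok:
        return
    if tok[:2] in (["vip", "address"], ["ip", "address"]):
        entry["ip"] = tok[2]
    elif tok[0] in ("port", "server-port", "server-ip", "type"):
        entry[tok[0]] = int(tok[1]) if tok[0].endswith("port") else tok[1]
    elif tok[0] == "initiation":          # running-config shows 'backend-server N initiation'
        entry["type"] = "initiation"
    elif tok[0] == "cipher":
        # ssl-server: cipher NAME BACKEND_IP BACKEND_PORT [weight N]; backend-server: cipher NAME [weight N]
        target = (tok[2], int(tok[3])) if len(tok) > 3 and tok[2][0].isdigit() else None
        entry.setdefault("ciphers", []).append((tok[1], target))

def parse_config(text):
    """Return ({list: {entry id: fields}}, {service: fields}, {content rule: fields})."""
    lists, services, contents = {}, {}, {}
    cur = None                                   # (block kind, dict being filled)
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0][0] == "!":
            continue
        if not raw[0].isspace():                 # an unindented line opens a new block
            cur = None
            if tok[0] == "ssl-proxy-list":
                cur = ("list", lists.setdefault(tok[1], {}))
            elif tok[0] == "service":
                cur = ("service", services.setdefault(tok[1], {}))
            elif tok[0] == "owner":
                cur = ("owner", None)
        elif cur is None:
            continue
        elif cur[0] == "list" and tok[0] in VPORT_DEFAULT:
            entry = cur[1].setdefault(" ".join(tok[:2]), {"kind": tok[0], "ciphers": []})
            _apply(entry, tok[2:])
        elif cur[0] == "owner" and tok[0] == "content":
            cur = ("owner", contents.setdefault(tok[1], {}))
        elif cur[1] is not None:                 # field of a service or content rule
            _apply(cur[1], tok)
    return lists, services, contents

def lint(text):
    """Return the findings for one running-config; an empty list means consistent."""
    lists, services, contents = parse_config(text)
    rules = {(c.get("ip"), c.get("port")) for c in contents.values()}
    # Service port default assumed 80, as Table 2-7 step 4 states for ssl-accel-backend.
    svcs = {(s.get("type"), s.get("ip"), s.get("port", 80)) for s in services.values()}
    out = []
    for lname, entries in lists.items():
        for eid, e in entries.items():
            tag = f"{lname}: {eid}"
            ip, port = e.get("ip"), e.get("port", VPORT_DEFAULT[e["kind"]])
            for name, target in e["ciphers"]:
                if "export" in name:             # 40-bit export suites such as rsa-export-with-rc4-40-md5
                    out.append(f"{tag} offers export-grade cipher suite {name}")
                if target and target not in rules:
                    out.append(f"{tag} cipher {name} sends to {target[0]}:{target[1]}, which no content rule serves")
            if e["kind"] == "ssl-server":
                if (ip, port) not in rules:
                    out.append(f"{tag} terminates {ip}:{port} but no content rule has that VIP and port")
            else:
                if ip is not None and ip == e.get("server-ip") and port == e.get("server-port", SERVER_PORT_DEFAULT):
                    out.append(f"{tag} uses {ip}:{port} as both 'ip address' and 'server-ip'; the ports must differ")
                stype = "ssl-init" if e.get("type") == "initiation" else "ssl-accel-backend"
                if (stype, ip, port) not in svcs:
                    out.append(f"{tag} at {ip}:{port} has no {stype} service with that address and port")
    return out

if __name__ == "__main__":
    print(*lint(SAMPLE_CONFIG), sep="\n")
```

Run on the sample, the only findings are the two export-grade cipher suites; changing the content rule's port 444 or setting the back-end server-port to 8080 makes the corresponding cross-reference finding appear. The same checks apply to an SSL initiation list (Tables 2-5 and 2-8): a backend-server entry with type initiation is matched against an ssl-init service with the same address and port.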