Table Of Contents
SSL Proxy Configuration Mode Commands
(config-ssl-proxy) authgroup
(config-ssl-proxy) cert
(config-ssl-proxy) chaingroup
(config-ssl-proxy) crl
(config-ssl-proxy) key
(config-ssl-proxy) ssl advanced-options
SSL Proxy Configuration Mode Commands
SSL proxy configuration mode commands allow you to define the Secure Sockets Layer (SSL) parameters that the ACE SSL proxy service uses in either SSL termination (proxy server service) or SSL initiation (proxy client service) during the SSL handshake.
To create a new proxy service (or edit an existing proxy service) and access SSL proxy configuration mode, use the ssl-proxy service command in configuration mode. The CLI prompt changes to (config-ssl-proxy). Use the no form of this command to delete an existing SSL proxy service.
ssl-proxy service pservice_name
no ssl-proxy service pservice_name
Syntax Description
pservice_name | Name of the SSL proxy service. Enter the proxy service name as an alphanumeric string from 1 to 64 characters in length.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
The commands in this mode require the SSL feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
When you create an SSL proxy service, the CLI changes to the SSL proxy configuration mode, where you define the following SSL proxy service attributes:
• Client authentication group—See the (config-ssl-proxy) authgroup command.
• Certificate—See the (config-ssl-proxy) cert command.
• Client authentication using CRLs—See the (config-ssl-proxy) crl command.
• Chain group—See the (config-ssl-proxy) chaingroup command.
• Key pair—See the (config-ssl-proxy) key command.
• Parameter map—See the (config-ssl-proxy) ssl advanced-options command.
Examples
To create the SSL proxy service PSERVICE_SERVER, enter:
host1/Admin(config)# ssl-proxy service PSERVICE_SERVER
host1/Admin(config-ssl-proxy)#
To delete an existing SSL proxy service, enter:
host1/Admin(config)# no ssl-proxy service PSERVICE_SERVER
Related Commands
(config-ssl-proxy) authgroup
(config-ssl-proxy) cert
(config-ssl-proxy) chaingroup
(config-ssl-proxy) key
(config-ssl-proxy) ssl advanced-options
(config-ssl-proxy) authgroup
To specify the certificate authentication group that the ACE uses during the Secure Sockets Layer (SSL) handshake and enable client authentication on this SSL-proxy service, use the authgroup command. Use the no form of this command to delete a certificate authentication group from the SSL proxy service.
authgroup group_name
no authgroup group_name
Syntax Description
group_name | Name of an existing certificate authentication group.
Command Modes
SSL proxy configuration mode
Admin and user contexts
Command History
Release | Modification
A2(1.0) | This command was introduced.
Usage Guidelines
When you enable client authentication, a significant performance decrease may occur in the ACE module.
Examples
To specify the certificate authentication group AUTH-CERT1, enter:
host1/Admin(config-ssl-proxy)# authgroup AUTH-CERT1
To delete the certificate authentication group AUTH-CERT1 from the SSL proxy service, enter:
host1/Admin(config-ssl-proxy)# no authgroup AUTH-CERT1
Related Commands
(config) crypto chaingroup
(config-ssl-proxy) cert
(config-ssl-proxy) key
(config-ssl-proxy) ssl advanced-options
(config-ssl-proxy) cert
To specify the certificate that the ACE uses during the Secure Sockets Layer (SSL) handshake to prove its identity, use the cert command. Use the no form of this command to delete a certificate file from the SSL proxy service.
cert cert_filename
no cert cert_filename
Syntax Description
cert_filename | Name of an existing certificate file loaded on the ACE. Enter an unquoted text string with no spaces and a maximum of 40 alphanumeric characters. To display a list of available certificate files, use the do show crypto files command.
Command Modes
SSL proxy configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
The public key embedded in the certificate that you select must match the public key in the key pair file that you select. To verify that the public keys in the two files match, use the crypto verify command in Exec mode.
Examples
To specify the certificate in the certificate file MYCERT.PEM, enter:
host1/Admin(config-ssl-proxy)# cert MYCERT.PEM
To delete the certificate in the certificate file MYCERT.PEM from the SSL proxy service, enter:
host1/Admin(config-ssl-proxy)# no cert MYCERT.PEM
Related Commands
crypto verify
(config) crypto chaingroup
(config-ssl-proxy) authgroup
(config-ssl-proxy) chaingroup
(config-ssl-proxy) key
(config-ssl-proxy) ssl advanced-options
(config-ssl-proxy) chaingroup
To specify the certificate chain group that the ACE sends to its peer during the Secure Sockets Layer (SSL) handshake, use the chaingroup command. Use the no form of this command to delete a certificate chain group from the SSL proxy service.
chaingroup group_name
no chaingroup group_name
Syntax Description
group_name | Name of an existing certificate chain group.
Command Modes
SSL proxy configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
The ACE includes the certificate chain with the certificate that you specified for the SSL proxy service.
When a change occurs in a chain-group certificate, the change takes effect only when you re-add the associated chain group through the chaingroup command.
Examples
To configure the ACE SSL proxy service to send the certificate chain group MYCHAINGROUP to its peer during the SSL handshake, enter:
host1/Admin(config-ssl-proxy)# chaingroup MYCHAINGROUP
To delete the certificate chain group MYCHAINGROUP from the SSL proxy service, enter:
host1/Admin(config-ssl-proxy)# no chaingroup MYCHAINGROUP
Related Commands
(config) crypto chaingroup
(config-ssl-proxy) authgroup
(config-ssl-proxy) cert
(config-ssl-proxy) key
(config-ssl-proxy) ssl advanced-options
(config-ssl-proxy) crl
To specify which certificate revocation lists (CRLs) the ACE uses for client authentication, use the crl command. Use the no form of this command to stop using the specified CRL (or best-effort CRL scanning) during client authentication.
crl crl_name | best-effort
no crl crl_name | best-effort
Syntax Description
crl_name | Name that you assigned to the CRL when you downloaded it using the configuration mode crypto crl command. See (config) crypto crl for more information.
best-effort | Specifies that the ACE scans each client certificate to determine whether it contains a CRL in the extension and, if so, retrieves the value.
Command Modes
SSL proxy configuration mode
Admin and user contexts
Command History
Release | Modification
A2(1.0) | This command was introduced.
Usage Guidelines
By default, the ACE does not use CRLs during client authentication. You can configure the SSL proxy service to use a CRL by either of the following methods:
• Have the ACE scan each client certificate for the service to determine whether it contains a CRL in the extension and, if so, retrieve the value.
• Use a CRL that has been downloaded to the ACE.
By default, the ACE does not reject client certificates when the CRL in use has passed its update date. To configure the ACE to reject certificates when the CRL is expired, use the expired-crl reject command in parameter map SSL configuration mode.
Examples
To enable the CRL1 CRL for client authentication on an SSL proxy service, enter:
host1/Admin(config-ssl-proxy)# crl CRL1
To scan the client certificate for CRL information, enter:
host1/Admin(config-ssl-proxy)# crl best-effort
To disable the use of a downloaded CRL during client authentication, enter:
host1/Admin(config-ssl-proxy)# no crl CRL1
To disable best-effort CRL scanning of client certificates during client authentication, enter:
host1/Admin(config-ssl-proxy)# no crl best-effort
Related Commands
(config) crypto crl
(config-parammap-ssl) expired-crl reject
(config-ssl-proxy) authgroup
(config-ssl-proxy) cert
(config-ssl-proxy) chaingroup
(config-ssl-proxy) key
(config-ssl-proxy) ssl advanced-options
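As an added example (not part of the Cisco guide and not ACE code), the following Python audit parses ssl-proxy service blocks out of running-config text and applies the behaviour documented above: a service needs both a cert and its matching key, authgroup enables client authentication while CRLs are not consulted by default unless crl is configured, and expired CRLs are only rejected through expired-crl reject in an SSL parameter map, which requires one to be attached with ssl advanced-options. The sample config text is constructed, and the finding strings are this example's own wording.

```python
import re

# Constructed sample ACE running-config (illustrative, not from a real device).
SAMPLE_CONFIG = """ssl-proxy service PSERVICE_SERVER
  key MYKEY.PEM
  cert MYCERT.PEM
  chaingroup MYCHAINGROUP
  authgroup AUTH-CERT1
  crl CRL1
  ssl advanced-options PARAMMAP_SSL
ssl-proxy service PSERVICE_CLIENTAUTH
  key MYKEY.PEM
  cert MYCERT.PEM
  authgroup AUTH-CERT1
ssl-proxy service PSERVICE_NOKEY
  cert MYCERT.PEM
  crl best-effort
"""

def parse_ssl_proxy_services(config):
    """Map each 'ssl-proxy service NAME' block to {keyword: argument}."""
    services, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^ssl-proxy service (\S+)\s*$", line)
        if m:
            current = services.setdefault(m.group(1), {})
        elif current is not None and line.startswith(" "):
            tokens = line.split()
            n = 2 if tokens[0] == "ssl" else 1  # 'ssl advanced-options' is two tokens
            current[" ".join(tokens[:n])] = " ".join(tokens[n:])
        else:
            current = None  # a non-indented line ends the ssl-proxy block
    return services

def audit_service(attrs):
    """Findings for one service, derived from the documented defaults."""
    findings = []
    # The handshake needs the certificate and the key pair whose public key matches it.
    if "cert" not in attrs or "key" not in attrs:
        findings.append("missing cert or key")
    # authgroup enables client authentication, but no CRL is consulted by default.
    if "authgroup" in attrs and "crl" not in attrs:
        findings.append("client authentication without crl")
    # Expired CRLs are accepted unless an attached SSL parameter map sets expired-crl reject.
    if "crl" in attrs and "ssl advanced-options" not in attrs:
        findings.append("crl configured but no ssl parameter map attached")
    return findings

def audit_config(config):
    return {name: audit_service(a) for name, a in parse_ssl_proxy_services(config).items()}
```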
(config-ssl-proxy) key
To specify the key pair that the ACE uses during the Secure Sockets Layer (SSL) handshake for data encryption, use the key command. Use the no form of this command to delete a private key from the SSL proxy service.
key key_filename
no key key_filename
Syntax Description
key_filename | Name of an existing key pair file loaded on the ACE. Enter an unquoted text string with no spaces and a maximum of 40 alphanumeric characters.
Command Modes
SSL proxy configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
The public key in the key pair file that you select must match the public key embedded in the certificate that you select. To verify that the public keys in the two files match, use the crypto verify command in Exec mode.
Examples
To specify the private key in the key pair file MYKEY.PEM for the SSL proxy service, enter:
host1/Admin(config-ssl-proxy)# key MYKEY.PEM
To delete the private key in the key pair file MYKEY.PEM from the SSL proxy service, enter:
host1/Admin(config-ssl-proxy)# no key MYKEY.PEM
Related Commands
crypto verify
(config-ssl-proxy) authgroup
(config-ssl-proxy) cert
(config-ssl-proxy) chaingroup
(config-ssl-proxy) ssl advanced-options
(config-ssl-proxy) ssl advanced-options
To associate a context Secure Sockets Layer (SSL) parameter map with the SSL proxy server service, use the ssl advanced-options command. Use the no form of this command to remove the association of an SSL parameter map with the SSL proxy service.
ssl advanced-options parammap_name
no ssl advanced-options parammap_name
Syntax Description
parammap_name | Name of an existing SSL parameter map.
Command Modes
SSL proxy configuration mode
Admin and user contexts
Command History
Release | Modification
3.0(0)A1(2) | This command was introduced.
Usage Guidelines
This command has no usage guidelines.
Examples
To associate the parameter map PARAMMAP_SSL with the SSL proxy service, enter:
host1/Admin(config-ssl-proxy)# ssl advanced-options PARAMMAP_SSL
To remove the association of an SSL parameter map PARAMMAP_SSL with the SSL proxy service, enter:
host1/Admin(config-ssl-proxy)# no ssl advanced-options PARAMMAP_SSL
Related Commands
(config) parameter-map type
(config-ssl-proxy) authgroup
(config-ssl-proxy) cert
(config-ssl-proxy) chaingroup
(config-ssl-proxy) key