Table Of Contents
Commands for the Catalyst 6500 Series Switch SSL Services Module
show ssl-proxy certificate-history
ssl-proxy crypto key unlock rsa
Commands for the Catalyst 6500 Series Switch SSL Services Module
This chapter contains an alphabetical listing of commands for the Catalyst 6500 series switch SSL Services Module.
For additional SSL Services Module information, refer to the following documentation:
•
Catalyst 6500 Series Switch SSL Services Module Configuration Note
•
•
clear ssl-proxy conn
To clear all TCP connections on the entire system, use the clear ssl-proxy conn command.
clear ssl-proxy conn [context name [module [module]]][service name [context name [module [module]]]]
Syntax Description
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Examples
This example shows how to clear the connections for the specified service:
ssl-proxy# clear ssl-proxy conn service S6This example shows how to clear all TCP connections on the entire system:
ssl-proxy# clear ssl-proxy connssl-proxy#clear ssl-proxy content
To clear all TCP connections on the entire system, use the clear ssl-proxy conn command.
clear ssl-proxy content {all | rewrite | scanning} [module [module]]
Syntax Description
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
SSL Services Module Release 3.1(1)
Support for this command was introduced on the Catalyst 6500 series SSL Services Module.
Usage Guidelines
To reset all the content statistics that the SSL Services Module maintains, use the clear ssl-proxy content all command.
Examples
This example shows how to clear all of the content statistics:
ssl-proxy# clear ssl-proxy content allclear ssl-proxy session
To clear all entries from the session cache, use the clear ssl-proxy session command.
clear ssl-proxy session [service [name] [context name [module [module]]]]
Syntax Description
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Usage Guidelines
To clear all entries from the session cache for all services, use the clear ssl-proxy session command without options.
Examples
This example shows how to clear the entries from the session cache for the specified service on the SSL Services Module:
ssl-proxy# clear ssl-proxy session service S6This example shows how to clear all entries in the session cache that are maintained on the SSL Services Module:
ssl-proxy# clear ssl-proxy sessionssl-proxy#clear ssl-proxy stats
To reset the statistics counters that are maintained in the different system components on the SSL Services Module, use the clear ssl-proxy stats command.
clear ssl-proxy stats [context [name] | crypto | fdu | hdr | ipc | module [module] | pki | service | ssl | tcp | url]
Syntax Description
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Usage Guidelines
To reset all the statistics counters that the SSL Services Module maintains, use the clear ssl-proxy stats command without options.
Examples
This example shows how to reset the statistics counters that are maintained in the different system components on the SSL Services Module:
ssl-proxy# clear ssl-proxy stats cryptossl-proxy# clear ssl-proxy stats ipcssl-proxy# clear ssl-proxy stats pkissl-proxy# clear ssl-proxy stats service S6This example shows how to clear all the statistic counters that the SSL Services Module maintains:
ssl-proxy# clear ssl-proxy statsssl-proxy#crypto pki export pem
To export privacy-enhanced mail (PEM) files from the SSL Services Module, use the crypto pki export pem command.
crypto pki export trustpoint_label pem {terminal {des | 3des} {url url}} pass_phrase
Syntax Description
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
Usage Guidelines
The pass_phrase can be any phrase including spaces and punctuation except for the question mark (?), which has a special meaning to the Cisco IOS parser.
Pass-phrase protection associates a pass phrase with the key. The pass phrase is used to encrypt the key when it is exported. When this key is imported, you must enter the same pass phrase to decrypt it.
A key that is marked as unexportable cannot be exported.
You can change the default file extensions when prompted. The default file extensions are as follows:
•
•
•
•
•
•
Note
Examples
This example shows how to export a PEM-formatted file on the SSL Services Module:
ssl-proxy(config)# crypto ca export TP5 pem url tftp://10.1.1.1/tp99 3des password% Exporting CA certificate...Address or name of remote host [10.1.1.1]?Destination filename [tp99.ca]?% File 'tp99.ca' already exists.% Do you really want to overwrite it? [yes/no]: yes!Writing file to tftp://10.1.1.1/tp99.ca!% Key name: key1Usage: General Purpose Key% Exporting private key...Address or name of remote host [10.1.1.1]?Destination filename [tp99.prv]?% File 'tp99.prv' already exists.% Do you really want to overwrite it? [yes/no]: yes!Writing file to tftp://10.1.1.1/tp99.prv!% Exporting router certificate...Address or name of remote host [10.1.1.1]?Destination filename [tp99.crt]?% File 'tp99.crt' already exists.% Do you really want to overwrite it? [yes/no]: yes!Writing file to tftp://10.1.1.1/tp99.crt!ssl-proxy(config)#Related Commands
crypto pki import pem
To import a PEM-formatted file to the SSL Services Module, use the crypto pki import pem command.
crypto pki import trustpoint_label pem [exportable] {terminal | url url | usage-keys} pass_phrase
Syntax Description
Defaults
This command has no default settings.
Command History
Global configuration
Command History
Usage Guidelines
You will receive an error if you enter the pass phrase incorrectly. The pass_phrase can be any phrase including spaces and punctuation except for the question mark (?), which has a special meaning to the Cisco IOS parser.
Pass-phrase protection associates a pass phrase with the key. The pass phrase is used to encrypt the key when it is exported. When this key is imported, you must enter the same pass phrase to decrypt it.
When importing RSA keys, you can use a public key or its corresponding certificate.
The crypto pki import pem command imports only the private key (.prv), the server certificate (.crt), and the issuer CA certificate (.ca). If you have more than one level of CA in the certificate chain, you need to import the root and subordinate CA certificates before this command is issued for authentication. Use cut-and-paste or TFTP to import the root and subordinate CA certificates.
Examples
This example shows how to import a PEM-formatted file from the SSL Services Module:
ssl-proxy(config)# crypto pki import TP5 pem url tftp://10.1.1.1/TP5 password% Importing CA certificate...Address or name of remote host [10.1.1.1]?Destination filename [TP5.ca]?Reading file from tftp://10.1.1.1/TP5.caLoading TP5.ca from 10.1.1.1 (via Ethernet0/0.168): ![OK - 1976 bytes]% Importing private key PEM file...Address or name of remote host [10.1.1.1]?Destination filename [TP5.prv]?Reading file from tftp://10.1.1.1/TP5.prvLoading TP5.prv from 10.1.1.1 (via Ethernet0/0.168): ![OK - 963 bytes]% Importing certificate PEM file...Address or name of remote host [10.1.1.1]?Destination filename [TP5.crt]?Reading file from tftp://10.1.1.1/TP5.crtLoading TP5.crt from 10.1.1.1 (via Ethernet0/0.168): ![OK - 1692 bytes]% PEM files import succeeded.ssl-proxy(config)# endssl-proxy#*Apr 11 15:11:29.901: %SYS-5-CONFIG_I: Configured from console by consoleRelated Commands
crypto pki export pkcs12
To export a PKCS12 file from the SSL Services Module, use the crypto pki export pkcs12 command.
crypto pki export trustpoint_label pkcs12 file_system [pkcs12_filename] pass_phrase
Syntax Description
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
Usage Guidelines
Imported key pairs cannot be exported.
If you are using SSH, we recommend using SCP (secure file transfer) when exporting a PKCS12 file. SCP authenticates the host and encrypts the transfer session.
If you do not specify pkcs12_filename, you will be prompted to accept the default filename (the default filename is the trustpoint_label) or enter the filename. For the ftp: or tftp: value, include the full path in the pkcs12_filename.
You will receive an error if you enter the pass phrase incorrectly.
If there is more than one level of CA, the root CA and all the subordinate CA certificates are exported in the PKCS12 file.
Examples
This example shows how to export a PKCS12 file using SCP:
ssl-proxy(config)# crypto pki export TP1 pkcs12 scp: sky is blueAddress or name of remote host []? 10.1.1.1Destination username [ssl-proxy]? admin-1Destination filename [TP1]? TP1.p12Password:Writing TP1.p12 Writing pkcs12 file to scp://admin-1@10.1.1.1/TP1.p12Password:!CRYPTO_PKI:Exported PKCS12 file successfully.ssl-proxy(config)#crypto pki import pkcs12
To import a PKCS12 file to the SSL Services Module, use the crypto pki import pkcs12 command.
crypto pki import trustpoint_label pkcs12 file_system [pkcs12_filename] pass_phrase
Syntax Description
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
Usage Guidelines
If you are using SSH, we recommend using SCP (secure file transfer) when importing a PKCS12 file. SCP authenticates the host and encrypts the transfer session.
If you do not specify pkcs12_filename, you will be prompted to accept the default filename (the default filename is the trustpoint_label) or to enter the filename. For the ftp: or tftp: value, include the full path in the pkcs12_filename.
You will receive an error if you enter the pass phrase incorrectly.
If there is more than one level of CA, the root CA and all the subordinate CA certificates are exported in the PKCS12 file.
Security Measures
Keep the PKCS12 file stored in a secure place with restricted access.
An RSA keypair is more secure than a passphrase because the private key in the key pair is not known by multiple parties. When you export an RSA key pair to a PKCS#12 file, the RSA key pair now is only as secure as the passphrase.
To create a good passphrase, be sure to include numbers, as well as both lowercase and uppercase letters. Avoid publicizing the passphrase by mentioning it in e-mail or cell phone communications because the information could be accessed by an unauthorized user.
Examples
This example shows how to import a PKCS12 file using SCP:
ssl-proxy(config)# crypto pki import TP2 pkcs12 scp: sky is blueAddress or name of remote host []? 10.1.1.1Source username [ssl-proxy]? admin-1Source filename [TP2]? /users/admin-1/pkcs12/TP2.p12Password:passwordSending file modes:C0644 4379 TP2.p12!ssl-proxy(config)#*Aug 22 12:30:00.531:%CRYPTO-6-PKCS12IMPORT_SUCCESS:PKCS #12 Successfully Imported.ssl-proxy(config)#crypto key generate rsa (CA)
To generate RSA key pairs, use the crypto key generate rsa command in global configuration mode.
crypto key generate rsa [usage-keys | general-keys] [key-pair-label]
Syntax Description
Defaults
Rivest, Shamir, and Adelman (RSA) key pairs do not exist.
If key-pair-label is not specified, the fully qualified domain name (FQDN) of the router is used and general-purpose keys are generated.
Command Modes
Global configuration mode
Command History
11.3 T
This command was introduced.
12.2(8)T
The general-keys keyword and the key-pair-label argument were added.
Usage Guidelines
Use this command to generate RSA key pairs for your Cisco device (such as a router).
RSA keys are generated in pairs—one public RSA key and one private RSA key.
If your router already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.
Note
This command is not saved in the router configuration; however, the keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device).
There are two mutually exclusive styles of RSA key pairs: special-usage keys and general-purpose keys. When you generate RSA key pairs, you will be prompted to select either generate special-usage keys or general-purpose keys.
Examples
Special-Usage Keys
If you generate special-usage keys, two pairs of RSA keys will be generated. One pair will be used with any Internet Key Exchange (IKE) policy that specifies RSA signatures as the authentication method, and the other pair used with any IKE policy that specifies RSA-encrypted nonces as the authentication method. (You configure RSA signatures or RSA-encrypted nonces in your IKE policies as described in the Cisco IOS Security Configuration Guide.)
A certification authority (CA) is used only with IKE policies specifying RSA signatures, not with IKE policies specifying RSA-encrypted nonces. (However, you could specify more than one IKE policy and have RSA signatures specified in one policy and RSA-encrypted nonces in another policy.)
If you plan to have both types of RSA authentication methods in your IKE policies, you might prefer to generate special-usage keys. With special-usage keys, each key is not unnecessarily exposed. (Without special-usage keys, one key is used for both purposes, increasing that key's exposure.)
General-Purpose Keys
If you generate general-purpose keys, only one pair of RSA keys will be generated. This pair will be used with IKE policies specifying either RSA signatures or RSA-encrypted nonces. Therefore, a general-purpose key pair might be used more frequently than a special-usage key pair.
Named Key Pairs
If you generate a named key pair using the key-pair-label argument, you must also specify the usage-keys keyword or the general-keys keyword. Named key pairs allow you to have multiple RSA key pairs, enabling the Cisco IOS software to maintain a different key pair for each identity certificate.
Modulus Length
When you generate RSA keys, you will be prompted to enter a modulus length. A longer modulus could offer stronger security but takes longer to generate (see Table 1 for sample times) and takes longer to use. A length of less than 512 bits is normally not recommended. (In certain situations, the shorter modulus may not function properly with IKE, so Cisco recommends using a minimum modulus of 1024 bits.)
Examples
The following example generates special-usage RSA keys.
crypto key generate rsa usage-keysThe name for the keys will be: myrouter.example.comChoose the size of the key modulus in the range of 360 to 2048 for your Signature Keys. Choosing a key modulus greater than 512 may take a few minutes.How many bits in the modulus[512]? <return>Generating RSA keys.... [OK].Choose the size of the key modulus in the range of 360 to 2048 for your Encryption Keys. Choosing a key modulus greater than 512 may take a few minutes.How many bits in the modulus[512]? <return>Generating RSA keys.... [OK].The following example generates general-purpose RSA keys. (Note, you cannot generate both special-usage and general-purpose keys; you can generate only one or the other.)
crypto key generate rsaThe name for the keys will be: myrouter.example.comChoose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.How many bits in the modulus[512]? <return>Generating RSA keys.... [OK].The following example generates the general-purpose RSA key pair "exampleCAkeys":
crypto key generate rsa general-purpose exampleCAkeyscrypto ca trustpoint exampleCAkeysenroll url http://exampleCAkeys/certsrv/mscep/mscep.dllrsakeypair exampleCAkeys 1024 1024
Related Commands
crypto key zeroize rsa
To delete all RSA keys from your router, use the crypto key zeroize rsa command in global configuration mode.
crypto key zeroize rsa [key-pair-label]
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
11.3 T
This command was introduced.
12.2(8)T
The key-pair-label argument was added.
Usage Guidelines
This command deletes all Rivest, Shamir, and Adelman (RSA) keys that were previously generated by your router unless you include the key-pair-label argument, which will delete only the specified RSA key pair. If you issue this command, you must also perform two additional tasks for each trustpoint that is associated with the key pair that was deleted:
•
•
Note
This command is not saved to the configuration.
Examples
The following example deletes the general-purpose RSA key pair that was previously generated for the router. After deleting the RSA key pair, the administrator contacts the CA administrator and requests that the router's certificate be revoked. The administrator then deletes the router's certificate from the configuration.
crypto key zeroize rsacrypto ca certificate chainno certificateRelated Commands
crypto key decrypt rsa
To delete the encrypted key and leave only the unencrypted key, use the crypto key decrypt rsa command.
crypto key decrypt [write] rsa [name key-name] passphrase passphrase
Syntax Description
write
(Optional) Writes the configuration to the startup configuration.
name key-name
(Optional) Name of the key.
passphrase passphrase
Pass phrase.
Defaults
This command has no default settings.
Command Modes
Global configuration mode
Command History
SSL Services Module Release 3.1(1)
Support for this command was introduced on the Catalyst 6500 series SSL Services Module.
Usage Guidelines
Entering the write keyword immediately saves the unencrypted key to NVRAM. If you do not enter the write keyword, you must manually write the configuration to NVRAM; otherwise, the key remains encrypted the next time that the router is reloaded.
Examples
This example shows how to display the administration VLAN and related IP and gateway addresses:
ssl-proxy(config)# crypto key decrypt rsa name pki1-72a.cisco.com passphrase cisco1234WARNING: Configuration with decrypted key not saved.Please save it manually as soon as possible tosave decrypted keyssl-proxy(config)# endssl-proxy# show crypto key mypubkey rsaKey name: pki1-72a.cisco.comUsage: General Purpose KeyKey is not exportable.Key Data:30819F30 0D06092A 864886F7 0D010101 05000381...% Key pair was generated at: 15:42:15 PST Junssl-proxy#Related Commands
crypto key encrypt rsa
crypto key lock rsa
crypto key unlock rsacrypto key encrypt rsa
To encrypt the RSA keys, use the crypto key encrypt rsa command.
crypto key encrypt [write] rsa [name key-name] passphrase passphrase
Syntax Description
write
(Optional) Writes the configuration to the startup configuration.
name key-name
(Optional) Name of the key.
passphrase passphrase
Pass phrase.
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
SSL Services Module Release 3.1(1)
Support for this command was introduced on the Catalyst 6500 series SSL Services Module.
Usage Guidelines
After you enter this command, the router can continue to use the key; the key remains unlocked.
If you do not enter the write keyword, you must manually write the configuration to NVRAM; otherwise, the encrypted key will be lost the next time that the router is reloaded.
Examples
This example shows how to encrypt the RSA key "pki1-72a.cisco.com." Enter the show crypto key mypubkey rsa command to verify that the RSA key is encrypted (protected) and unlocked.
ssl-proxy(config)# crypto key encrypt rsa name pki1-72a.cisco.com passphrase cisco1234ssl-proxy(config)# exitssl-proxy# show crypto key mypubkey rsaKey name:pki1-72a.cisco.comUsage:General Purpose Key*** The key is protected and UNLOCKED. ***Key is not exportable.Key Data:305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00E0CC9A 1D23B52C...% Key pair was generated at:00:15:32 GMT Jun 25 2003ssl-proxy#Related Commands
crypto key decrypt rsa
crypto key lock rsa
crypto key unlock rsacrypto key export rsa pem
To export a PEM-formatted RSA key to the SSL Services Module, use the crypto key export rsa pem command.
crypto key export rsa keylabel pem {terminal | url url} {{3des | des} [exportable] pass_phrase}
Syntax Description
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
SSL Services Module Release 1.2(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Usage Guidelines
The pass phrase can be any phrase including spaces and punctuation except for the question mark (?), which has a special meaning to the Cisco IOS parser.
Pass-phrase protection associates a pass phrase with the key. The pass phrase is used to encrypt the key when it is exported. When this key is imported, you must enter the same pass phrase to decrypt it.
Examples
This example shows how to export a key from the SSL Services Module:
ssl-proxy(config)# crypto key export rsa test-keys pem url scp: 3des password% Key name:test-keysUsage:General Purpose KeyExporting public key...Address or name of remote host []? 7.0.0.7Destination username [ssl-proxy]? labDestination filename [test-keys.pub]?Password:Writing test-keys.pub Writing file to scp://lab@7.0.0.7/test-keys.pubPassword:!Exporting private key...Address or name of remote host []? 7.0.0.7Destination username [ssl-proxy]? labDestination filename [test-keys.prv]?Password:Writing test-keys.prv Writing file to scp://lab@7.0.0.7/test-keys.prvPassword:ssl-proxy(config)#crypto key import rsa pem
To import a PEM-formatted RSA key from an external system, use the crypto key import rsa pem command.
crypto key import rsa keylabel pem [usage-keys] {terminal | url url} [exportable] passphrase
Syntax Description
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
SSL Services Module Release 1.2(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Usage Guidelines
The pass phrase can be any phrase including spaces and punctuation except for the question mark (?), which has a special meaning to the Cisco IOS parser.
Pass-phrase protection associates a pass phrase with the key. The pass phrase is used to encrypt the key when it is exported. When this key is imported, you must enter the same pass phrase to decrypt it.
Examples
This example shows how to import a PEM-formatted RSA key from an external system and export the PEM-formatted RSA key to the SSL Services Module:
ssl-proxy(config)# crypto key import rsa newkeys pem url scp: password% Importing public key or certificate PEM file...Address or name of remote host []? 7.0.0.7Source username [ssl-proxy]? labSource filename [newkeys.pub]? test-keys.pubPassword:Sending file modes:C0644 272 test-keys.pubReading file from scp://lab@7.0.0.7/test-keys.pub!% Importing private key PEM file...Address or name of remote host []? 7.0.0.7Source username [ssl-proxy]? labSource filename [newkeys.prv]? test-keys.prvPassword:Sending file modes:C0644 963 test-keys.prvReading file from scp://lab@7.0.0.7/test-keys.prv!% Key pair import succeeded.ssl-proxy(config)#crypto key lock rsa
To lock the encrypted private key, use the crypto key lock rsa command.
crypto key lock rsa [name key-name] passphrase passphrase
Syntax Description
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
SSL Services Module Release 3.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Usage Guidelines
After the key is locked, it cannot be used to authenticate the router to a peer device. This behavior disables any IPsec or SSL connections that use the locked key.
Any existing IPsec tunnels created on the basis of the locked key will be closed.
If all RSA keys are locked, SSH will automatically be disabled.
Examples
This example shows how to lock the key "pki1-72a.cisco.com." Enter the show crypto key mypubkey rsa command to verify that the key is protected (encrypted) and locked.
ssl-proxy# crypto key lock rsa name pki1-72a.cisco.com passphrase cisco1234ssl-proxy# show crypto key mypubkey rsaKey name:pki1-72a.cisco.comUsage:General Purpose Key*** The key is protected and LOCKED. ***Key is exportable.Key Data:305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D7808D C5FF14AC...% Key pair was generated at: 16:00:11 PST Feb 28 2002ssl-proxy#Related Commands
crypto key decrypt rsa
crypto key encrypt rsa
crypto key unlock rsacrypto key unlock rsa
To unlock the encrypted private key, use the crypto key unlock rsa command.
crypto key unlock rsa [name key-name] passphrase passphrase
Syntax Description
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
SSL Services Module Release 3.1(1)
Support for this command was introduced on the Catalyst 6500 series SSL Services Module.
Examples
This example shows how to lock the key "pki1-72a.cisco.com." Enter the show crypto key mypubkey rsa command to verify that the key is protected (encrypted) and locked.
ssl-proxy# crypto key unlock rsa name pki1-72a.cisco.com passphrase cisco1234...*Jun 18 00:26:08.275: %STE-5-UPDOWN: ssl-proxy service vip1 changed state to UP...ssl-proxy# show crypto key mypubkey rsaKey name:pki1-72a.cisco.comUsage:General Purpose Key*** The key is protected and UNLOCKED. ***Key is exportable.Key Data:305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D7808D C5FF14AC...% Key pair was generated at: 16:00:11 PST Feb 28 2002ssl-proxy#Related Commands
debug ssl-proxy
To turn on the debug flags in different system components, use the debug ssl-proxy command. Use the no form of this command to turn off the debug flags.
debug ssl-proxy {app | content [type] | fdu [type] | flash [module [module]] | health-probe | ipc | pki [type] | ssl [type] | tcp [type] | vlan}
Syntax Description
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Usage Guidelines
The content type includes the following values:
•
•
•
•
–
–
–
•
•
The fdu type includes the following values:
•
•
•
•
The pki type includes the following values:
•
•
•
•
•
The ssl type includes the following values:
•
•
•
•
Note
If you run TCP debug commands, the TCP module displays large amounts of debug information on the console, which can significantly slow down module performance. Slow module performance can lead to delayed processing of TCP connection timers, packets, and state transitions.The tcp type includes the following values:
•
•
•
•
Examples
This example shows how to turn on App debugging:
ssl-proxy# debug ssl-proxy appssl-proxy#This example shows how to turn on FDU debugging:
ssl-proxy# debug ssl-proxy fdussl-proxy#This example shows how to turn on IPC debugging:
ssl-proxy# debug ssl-proxy ipcssl-proxy#This example shows how to turn on PKI debugging:
ssl-proxy# debug ssl-proxy pkissl-proxy#This example shows how to turn on SSL debugging:
ssl-proxy# debug ssl-proxy sslssl-proxy#This example shows how to turn on TCP debugging:
ssl-proxy# debug ssl-proxy tcpssl-proxy#This example shows how to turn off TCP debugging:
ssl-proxy# no debug ssl-proxy tcpssl-proxy#do
To execute EXEC-level commands from global configuration mode or other configuration modes or submodes, use the do command.
do command
Syntax Description
Defaults
This command has no default settings.
Command Modes
Global configuration or any other configuration mode or submode from which you are executing the EXEC-level command.
Command History
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Usage Guidelines
Caution
You cannot use the do command to execute the configure terminal command because entering the configure terminal command changes the mode to configuration mode.
You cannot use the do command to execute the copy or write command in the global configuration or any other configuration mode or submode.
Examples
This example shows how to execute the EXEC-level show interfaces command from within global configuration mode:
ssl-proxy(config)# do show interfaces serial 3/0Serial3/0 is up, line protocol is upHardware is M8T-RS232MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255Encapsulation HDLC, loopback not set, keepalive set (10 sec)Last input never, output 1d17h, output hang neverLast clearing of "show interface" counters never...ssl-proxy(config)#interface ssl-proxy
To enter the subinterface configuration submode, use the interface ssl-proxy command. In interface configuration submode, you can configure a subinterface for the SSL Services Module.
Note
interface 0.subinterface-number
Syntax Description
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
SSL Services Module Release 3.1(1)
Support for this command was introduced on the Catalyst 6500 series SSL Services Module.
This command replaces the ssl-proxy vlan command.
Usage Guidelines
When you upgrade to SSL software release 3.x from SSL software release 2.x or 1.x, the VLAN configuration is converted automatically to an subinterface configuration. For example, ssl-proxy vlan 3 is converted to interface ssl-proxy0.3.
Note
Table 2-2 lists the commands that are available in subinterface configuration submode.
The valid values for configuring HSRP are as follows:
•
•
•
•
•
•
–
–
–
•
–
–
–
Examples
This example shows how to enter the subinterface configuration submode:
ssl-proxy (config)# interface ssl-proxy 0.6ssl-proxy (config-subif)#This example shows how to configure the specified subinterface with an IP address and subnet mask:
ssl-proxy (config-subif)# ip address 208.59.100.18 255.0.0.0ssl-proxy (config-subif)#This example shows how to configure the HSRP on the SSL module:
ssl-proxy(config)# interface ssl-proxy 0.100ssl-proxy(config-subif)# ip address 10.1.0.20 255.255.255.0ssl-proxy(config-subif)# standby 1 ip 10.1.0.21ssl-proxy(config-subif)# standby 1 priority 110ssl-proxy(config-subif)# standby 1 preemptssl-proxy(config-subif)# standby 2 ip 10.1.0.22ssl-proxy(config-subif)# standby 2 priority 100ssl-proxy(config-subif)# standby 2 preemptssl-proxy(config-subif)# endssl-proxy#Related Commands
show interfaces ssl-proxy
show ssl-proxy vlannatpool
To define a pool of IP addresses, which the SSL Services Module uses for implementing the client NAT, use the natpool command.
natpool nat-pool-name start_ip_addr end_ip_addr netmask netmask
Syntax Description
nat-pool-name
NAT pool name.
start-ip-addr
First IP address in the pool.
end-ip-addr
Last IP address in the pool.
netmask netmask
Specifies the netmask address.
Defaults
This command has no default settings.
Command Modes
Context subcommand mode
Command History
Examples
This example shows how to define a pool of IP addresses:
ssl-proxy(config)# ssl-proxy context Examplessl-proxy (config-context)# natpool NP2 207.59.10.01 207.59.10.08 netmask 255.0.0.0ssl-proxy (config-context)#Related Commands
policy health-probe tcp
To enter the TCP health probe configuration submode, use the policy health-probe command. In TCP health probe configuration submode, you can define the TCP health probe policy that is applied.
policy health-probe tcp policy-name
Syntax Description
Defaults
The defaults are as follows:
•
•
•
•
•
Command Modes
Context subcommand mode
Command History
SSL Services Module Release 3.1(1)
Support for this command was introduced on the Catalyst 6500 series SSL Services Module.
Usage Guidelines
Table 2-10 lists the commands that are available in TCP health probe policy configuration submode.
Table 2-3 TCP Health Probe Submode Command Descriptions
interval seconds
(Optional) Allows you to set the interval between probes in seconds (from the end of the previous probe to the beginning of the next probe) when the server is healthy. The default is 30 seconds. The valid range is from 30 to 300 seconds.
failed-interval seconds
(Optional) Allows you to set the time between health checks after the service has been marked as failed. The default is 60 seconds. The valid range is from 30 to 3600 seconds.
maximum-retry retries
(Optional) Sets the number of failed probes that are allowed before marking the service as failed. The default is 0 retries. The valid range is from 1 to 5 retries.
open-timeout seconds
(Optional) Allows you to set the maximum time to wait to establish a TCP connection. The default is 80 seconds. The valid range is from 70 to 120 seconds.
port port_number
(Optional) Allows you to configure an optional port for the health probe. Valid values are from 1 to 65535.
By default, the TCP health probe uses the server IP address and port for the SSL server proxy service. Enter the port command to specify a different port for the health probe.
If you configured the SSL server proxy service with no nat server, the TCP health probe uses the virtual IP address that you configured on the SSL server proxy service instead of the server IP address.
Note
See the "service" section for information on configuring the SSL server proxy service.
Examples
This example shows how to configure TCP health probe to check whether service at port 80 is up and running on server IP address 19.0.0.1:
ssl-proxy(config)# ssl-proxy context sslssl-proxy(config-context)# service ssl-1ssl-proxy(config-ctx-ssl-proxy)# virtual ipddr 7.100.100.180 protocol tcp port 443ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 19.0.0.1 protocol tcp port 80ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert1024ssl-proxy(config-ctx-ssl-proxy)# policy health-probe tcp probe1ssl-proxy(config-ctx-ssl-proxy)# inservicessl-proxy(config-ctx-ssl-proxy)# exitssl-proxy(config-context)# policy health-probe tcp probe1ssl-proxy(config-ctx-tcp-probe)# endssl-proxy#This example shows the state of the SSL proxy service when the health probe has failed:
Note
ssl-proxy# show ssl-proxy service ssl-1 context sslService id: 0, bound_service_id: 256Virtual IP: 7.100.100.180, port: 443Server IP: 19.0.0.1, port: 81TCP Health Probe Policy: probe1rsa-general-purpose certificate trustpoint: cert1024Certificate chain for new connections:Certificate:Key Label: cert1024.key, 1024-bit, exportableKey Timestamp: 05:18:23 UTC Dec 30 2005Serial Number: 12F332E200000000000DRoot CA Certificate:Serial Number: 6522F512C30E078447D8AFC35567B101Certificate chain completeContext name: sslContext Id : 1Admin Status: upOperation Status: downProxy status: Health Probe FailedThis example shows how to configure TCP health probe to check whether service at port 81 is up and running on server IP address 19.0.0.1:
ssl-proxy(config-context)# service ssloffloadssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 7.100.100.180 protocol tcp port 443ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 19.0.0.1 protocol tcp port 80ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert1024ssl-proxy(config-ctx-ssl-proxy)# policy health-probe tcp probe1ssl-proxy(config-ctx-ssl-proxy)# nat client natpoolssl-proxy(config-ctx-ssl-proxy)# inservicessl-proxy(config-ctx-ssl-proxy)# exitssl-proxy(config-context)# policy health-probe tcp probe1ssl-proxy(config-ctx-tcp-probe)# 81Warning: Port in the service ssloffload configuration (80) differs from the port in the health probe configuration (81)ssl-proxy(config-ctx-tcp-probe)# exitssl-proxy(config-context)#This example shows how to configure TCP health probe to check whether service at port 80 is up and running on virtual IP address 7.100.100.180:
ssl-proxy(config-context)# service ssloffloadssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 7.100.100.180 protocol tcp port 443ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 19.0.0.1 protocol tcp port 80ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert1024ssl-proxy(config-ctx-ssl-proxy)# policy health-probe tcp probe1ssl-proxy(config-ctx-ssl-proxy)# no nat serverssl-proxy(config-ctx-ssl-proxy)# nat client natpoolssl-proxy(config-ctx-ssl-proxy)# inservicessl-proxy(config-ctx-ssl-proxy)# exitssl-proxy(config-context)# policy health-probe tcp probe1ssl-proxy(config-ctx-tcp-probe)# exitssl-proxy(config-context)#This example shows how to configure TCP health probe to check whether service at port 444 is up and running on virtual IP address 7.100.100.180:
ssl-proxy(config-context)# service ssloffloadssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 7.100.100.180 protocol tcp port 443ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 19.0.0.1 protocol tcp port 80ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert1024ssl-proxy(config-ctx-ssl-proxy)# policy health-probe tcp probe1ssl-proxy(config-ctx-ssl-proxy)# no nat serverssl-proxy(config-ctx-ssl-proxy)# nat client natpoolssl-proxy(config-ctx-ssl-proxy)# inservicessl-proxy(config-ctx-ssl-proxy)# exitssl-proxy(config-context)# policy health-probe tcp probe1ssl-proxy(config-ctx-tcp-probe)# 444ssl-proxy(config-ctx-tcp-probe)# exitWarning: Port in the service ssloffload configuration (80) differs from the port in the health probe configuration (444)ssl-proxy(config-context)#Related Commands
show ssl-proxy policy
show ssl-proxy servicepolicy http-header
To enter the HTTP header insertion configuration submode, use the policy http-header command.
policy http-header http-header-policy-name
Syntax Description
Defaults
This command has no default settings.
Command Modes
Context subcommand mode
Command History
Usage Guidelines
In HTTP header insertion configuration submode, you can define the HTTP header insertion content policy that is applied to the payload.
HTTP header insertion allows you to insert additional HTTP headers to indicate to the real server that the connection is actually an SSL connection. These headers allow server applications to collect correct information for each SSL session and/or client.
You can insert these header types:
•
•
•
•
•
•
•
Table 2-4 lists the commands available in HTTP header insertion configuration submode.
Examples
This example shows how to enter the HTTP header insertion configuration submode:
ssl-proxy(config)# ssl-proxy context s1ssl-proxy(config-context)# policy http-header test1ssl-proxy(config-ctx-http-header-policy)#This example shows how to allow the back-end server to see the attributes of the client certificate that the SSL module has authenticated and approved:
ssl-proxy(config-ctx-http-header-policy)# client-certssl-proxy(config-ctx-http-header-policy)#This example shows how to insert the client IP address and information about the client port into the HTTP header, allowing the server to see the client IP address and port:
ssl-proxy(config-ctx-http-header-policy)# client-ip-portssl-proxy(config-ctx-http-header-policy)#This example shows how to insert the custom-string header into the HTTP header:
ssl-proxy(config-ctx-http-header-policy)# custom "SOFTWARE VERSION:3.1(1)"
ssl-proxy(config-ctx-http-header-policy)# custom "module:SSL MODULE - CATALYST 6500"
ssl-proxy(config-ctx-http-header-policy)# custom type-of-proxy:server_proxy_1024_bit_key_sizessl-proxy(config-ctx-http-header-policy)#This example shows how to add the prefix-string into the HTTP header:
ssl-proxy(config-ctx-http-header-policy)# prefix SSL-OFFLOADssl-proxy(config-ctx-http-header-policy)#This example shows how to pass information that is specific to an SSL connection to the back-end server as session headers:
ssl-proxy(config-ctx-http-header-policy)# sessionssl-proxy(config-ctx-http-header-policy)#This example shows how to create a header alias for the standard "session-cipher-name" header:
ssl-proxy(config-ctx-http-header-policy)# alias My-Session-Cipher session-cipher-nameIn addition to the standard HTTP headers, the following header information is inserted:
Note
SSL-OFFLOAD-Client-IP:7.100.100.1SSL-OFFLOAD-Client-Port:59008SSL-OFFLOAD-SOFTWARE VERSION:3.1(1)SSL-OFFLOAD-module:SSL MODULE - CATALYST 6500SSL-OFFLOAD-type-of-proxy:server_proxy_1024_bit_key_sizeSSL-OFFLOAD-Session-Id:33:FF:2C:2D:25:15:3C:50:56:AB:FA:5A:81:0A:EC:E9:00:00:0A:03:00:60:2F:30:9C:2F:CD:56:2B:91:F2:FFSSL-OFFLOAD-My-Session-Cipher:RC4-SHASSL-OFFLOAD-Session-Cipher-Key-Size:128SSL-OFFLOAD-Session-Cipher-Use-Size:128SSL-OFFLOAD-Session-Step-Up:FALSESSL-OFFLOAD-Session-Initial-Cipher-Key-Size:SSL-OFFLOAD-Session-Initial-Cipher-Name:SSL-OFFLOAD-Session-Initial-Cipher-Use-Size:SSL-OFFLOAD-ClientCert-Valid:1SSL-OFFLOAD-ClientCert-Error:noneSSL-OFFLOAD-ClientCert-Fingerprint:1B:11:0F:E8:20:3F:6C:23:12:9C:76:C0:C1:C2:CC:85SSL-OFFLOAD-ClientCert-Subject-CN:aSSL-OFFLOAD-ClientCert-Issuer-CN:Certificate ManagerSSL-OFFLOAD-ClientCert-Certificate-Version:3SSL-OFFLOAD-ClientCert-Serial-Number:0F:E5SSL-OFFLOAD-ClientCert-Data-Signature-Algorithm:sha1WithRSAEncryptionSSL-OFFLOAD-ClientCert-Subject:OID.1.2.840.113549.1.9.2 = ste2-server.cisco.com +OID.2.5.4.5 = B0FFF22E, CN = a, O = CiscoSSL-OFFLOAD-ClientCert-Issuer:CN = Certificate Manager, OU = HSS, O = Cisco, L = San Jose,ST = California, C = USSSL-OFFLOAD-ClientCert-Not-Before:22:29:26 UTC Jul 30 2003SSL-OFFLOAD-ClientCert-Not-After:07:00:00 UTC Apr 27 2006SSL-OFFLOAD-ClientCert-Public-Key-Algorithm:rsaEncryptionSSL-OFFLOAD-ClientCert-RSA-Public-Key-Size:1024 bitSSL-OFFLOAD-ClientCert-RSA-Modulus-Size:1024 bitSSL-OFFLOAD-ClientCert-RSA-Modulus:B3:32:3C:5E:C9:D1:CC:76:FF:81:F6:F7:97:58:91:4D:B2:0E:C1:3A:7B:62:63:BD:5D:F6:5F:68:F0:7D:AC:C6:72:F5:72:46:7E:FD:38:D3:A2:E1:03:8B:EC:F7:C9:9A:80:C7:37:DA:F3:BE:1F:F4:5B:59:BD:52:72:94:EE:46:F5:29:A4:B3:9B:2E:4C:69:D0:11:59:F7:68:3A:D9:6E:ED:6D:54:4E:B5:A7:89:B9:45:9E:66:0B:90:0B:B1:BD:F4:C8:15:12:CD:85:13:B2:0B:FE:7E:8D:F0:D7:4A:98:BB:08:88:6E:CC:49:60:37:22:74:4D:73:1E:96:58:91SSL-OFFLOAD-ClientCert-RSA-Exponent:00:01:00:01SSL-OFFLOAD-ClientCert-X509v3-Authority-Key-Identifier:keyid=EE:EF:5B:BD:4D:CD:F5:6B:60:9D:CF:46:C2:EA:25:7B:22:A5:08:00SSL-OFFLOAD-ClientCert-X509v3-Basic-Constraints:SSL-OFFLOAD-ClientCert-Signature-Algorithm:sha1WithRSAEncryptionSSL-OFFLOAD-ClientCert-Signature:87:09:C1:F8:86:C1:15:C5:57:18:8E:B3:0D:62:E1:0F:6F:D4:9D:75:DA:5D:53:E2:C6:0B:73:99:61:BE:B0:F6:19:83:F2:E5:48:1B:D2:6C:92:83:66:B3:63:A6:58:B4:5C:0E:5D:1B:60:F9:86:AF:B3:93:07:77:16:74:4B:C5SSL-OFFLOAD-ClientCert-X509v3-Subject-Alternative-Name: ipAddress=192.168.1.100,rfc822Name=my@other.comSSL-OFFLOAD-ClientCert-X509v3-Key-Usage: Digital Signature,Non-Repudiation,Key Encipherment,Data Encipherment,Key Agreement,Key Cert Sign,CRL Signature,Encipher Only,Decipher OnlySSL-OFFLOAD-ClientCert-X509v3-Authority-Information-Access: Access Method=OCSP,Access Location=http://ocsp.my.host/"SSL-OFFLOAD-ClientCert-X509v3-CRL-Distribution-Points: http://myhost.com/myca.crlRelated Commands
policy ssl
To enter the SSL-policy configuration submode, use the policy ssl command. In the SSL-policy configuration submode, you can define the SSL policy for one or more SSL-proxy services.
policy ssl ssl-policy-name
Syntax Description
Defaults
The defaults are as follows:
•
•
•
•
•
•
•
•
•
•
Command Modes
Context subcommand mode
Command History
Usage Guidelines
Each SSL-policy configuration submode command is entered on its own line.
Table 2-5 lists the commands available in SSL-policy configuration submode.
You can define the SSL policy templates using the policy ssl ssl-policy-name command and associate a SSL policy with a particular proxy server using the proxy server configuration CLI. The SSL policy template allows you to define various parameters that are associated with the SSL handshake stack.
When you enter the close-notify strict command, the SSL Services Module sends a close-notify alert message to the SSL peer, and the SSL Services Module expects a close-notify alert message from the SSL peer. If the SSL Services Module does not receive a close-notify alert, SSL resumption is not allowed for that session.
When you enter the close-notify none command, the SSL Services Module does not send a close-notify alert message to the SSL peer, and the SSL Services Module does not expect a close-notify alert message from the SSL peer. The SSL Services Module preserves the session information so that SSL resumption can be used for future SSL connections.
When close-notify is disabled (default), the SSL Services Module sends a close-notify alert message to the SSL peer; however, the SSL peer does not expect a close-notify alert before removing the session. Whether the SSL peer sends the close-notify alert or not, the session information is preserved allowing session resumption for future SSL connections.
The cipher-suite names follow the same convention as the existing SSL stacks.
The cipher-suites that are acceptable to the proxy-server are as follows:
•
•
•
•
•
•
•
•
•
•
•
•
•
If you enter the timeout session timeout absolute command, the session entry is kept in the session cache for the configured timeout before it is cleaned up. If the session cache is full, the timers are active for all the entries, the absolute keyword is configured, and all further new sessions are rejected.
If you enter the timeout session timeout command without the absolute keyword, the specified timeout is treated as the maximum timeout and a best-effort attempt is made to keep the session entry in the session cache. If the session cache runs out of session entries, the session entry that is currently being used is removed for incoming new connections.
When you enter the cert-req empty command, the SSL Services Module back-end service always returns the certificate associated with the trustpoint and does not look for a CA-name match. By default, the SSL Services Module always looks for a CA-name match before returning the certificate. If the SSL server does not include a CA-name list in the certificate request during client authentication, the handshake fails.
By default, the SSL Services Module uses the maximum supported SSL protocol version (SSL2.0, SSL3.0, or TLS1.0) in the ClientHello message. Enter the tls-rollback [current | any] command if the SSL client uses the negotiated version instead of the maximum supported version (as specified in the ClientHello message).
When you enter the tls-rollback current command, the SSL protocol version can be either the maximum supported version or the negotiated version.
When you enter the tls-rollback any command, the SSL protocol version is not checked at all.
Examples
This example shows how to enter the SSL-policy configuration submode:
ssl-proxy(config)# ssl-proxy context s1ssl-proxy(config-context)# policy ssl sslpl1ssl-proxy (config-ctx-ssl-policy)#This example shows how to define the cipher suites that are supported for the SSL-policy:
ssl-proxy (config-ctx-ssl-policy)# cipher RSA_WITH_3DES_EDE_CBC_SHAssl-proxy (config-ctx-ssl-policy)#This example shows how to enable the SSL-session closing protocol and configure the strict closing protocol behavior:
ssl-proxy (config-ctx-ssl-policy)# close-protocol strictssl-proxy (config-ctx-ssl-policy)#This example shows how to disable the SSL-session closing protocol:
ssl-proxy (config-ctx-ssl-policy)# no close-protocolssl-proxy (config-ctx-ssl-policy)#These examples shows how to set a given command to its default setting:
ssl-proxy (config-ctx-ssl-policy)# default cipherssl-proxy (config-ctx-ssl-policy)# default close-protocolssl-proxy (config-ctx-ssl-policy)# default session-cachessl-proxy (config-ctx-ssl-policy)# default versionssl-proxy (config-ctx-ssl-policy)#This example shows how to enable a session cache:
ssl-proxy (config-ctx-ssl-policy)# session-cachessl-proxy (config-ctx-ssl-policy)#This example shows how to disable a session cache:
ssl-proxy (config-ctx-ssl-policy)# no session-cachessl-proxy (config-ctx-ssl-policy)#This example shows how to set the maximum number of session entries to be allocated for a given service:
ssl-proxy (config-ctx-ssl-policy)# session-cache size 22000ssl-proxy (config-ctx-ssl-policy)#This example shows how to configure the session timeout to absolute:
ssl-proxy (config-ctx-ssl-policy)# timeout session 30000 absolutessl-proxy (config-ctx-ssl-policy)#These examples show how to enable the support of different SSL versions:
ssl-proxy (config-ctx-ssl-policy)# version allssl-proxy (config-ctx-ssl-policy)# version ssl3ssl-proxy (config-ctx-ssl-policy)# version tls1ssl-proxy (config-ctx-ssl-policy)#Related Commands
show ssl-proxy stats
show ssl-proxy stats sslpolicy tcp
To enter the proxy policy TCP configuration submode, use the policy tcp command. In proxy-policy TCP configuration submode, you can define the TCP policy templates.
policy tcp tcp-policy-name
Syntax Description
Defaults
The defaults are as follows:
•
•
•
•
•
•
•
•
•
•
•
Command Modes
Context subcommand mode
Command History
Usage Guidelines
After you define the TCP policy, you can associate the TCP policy with a proxy server using the proxy-policy TCP configuration submode commands.
Each proxy-policy TCP configuration submode command is entered on its own line.
Table 2-6 lists the commands that are available in proxy-policy TCP configuration submode.
Usage Guidelines
TCP commands that you enter on the SSL Services Module can apply either globally or to a particular proxy server.
You can configure a different maximum segment size for the client side and the server side of the proxy server.
The TCP policy template allows you to define parameters that are associated with the TCP stack.
You can either enter the no form of the command or use the default keyword to return to the default setting.
Examples
This example shows how to enter the proxy-policy TCP configuration submode:
ssl-proxy(config)# ssl-proxy context s1ssl-proxy(config-context)# ssl-proxy policy tcp tcppl1ssl-proxy(config-ctx-tcp-policy)#These examples show how to set a given command to its default value:
ssl-proxy (config-ctx-tcp-policy)# default timeout fin-waitssl-proxy (config-ctx-tcp-policy)# default inactivity-timeoutssl-proxy (config-ctx-tcp-policy)# default buffer-share rxssl-proxy (config-ctx-tcp-policy)# default buffer-share txssl-proxy (config-ctx-tcp-policy)# default mssssl-proxy (config-ctx-tcp-policy)# default timeout synssl-proxy (config-ctx-tcp-policy)#This example shows how to define the FIN-wait timeout in seconds:
ssl-proxy (config-ctx-tcp-policy)# timeout fin-wait 200ssl-proxy (config-ctx-tcp-policy)#This example shows how to define the inactivity timeout in seconds:
ssl-proxy (config-ctx-tcp-policy)# timeout inactivity 300ssl-proxy (config-ctx-tcp-policy)#This example shows how to define the maximum size for the receive buffer configuration:
ssl-proxy (config-ctx-tcp-policy)# buffer-share rx 16384ssl-proxy (config-ctx-tcp-policy)#This example shows how to define the maximum size for the transmit buffer configuration:
ssl-proxy (config-ctx-tcp-policy)# buffer-share tx 13444ssl-proxy (config-ctx-tcp-policy)#This example shows how to define the maximum size for the TCP segment:
ssl-proxy (config-ctx-tcp-policy)# mss 1460ssl-proxy (config-ctx-tcp-policy)#This example shows how to define the initial connection (SYN)-timeout value:
ssl-proxy (config-ctx-tcp-policy)# timeout syn 5ssl-proxy (config-ctx-tcp-policy)#This example shows how to define the reassembly-timeout value:
ssl-proxy (config-ctx-tcp-policy)# timeout reassembly 120ssl-proxy (config-ctx-tcp-policy)#This example shows how to carryover the ToS value to all packets within a flow:
ssl-proxy (config-ctx-tcp-policy)# tos carryoverssl-proxy (config-ctx-tcp-policy)#Related Commands
policy url-rewrite
To enter the URL rewrite configuration submode, use the policy url-rewrite command. In URL rewrite configuration submode, you can define the URL-rewrite content policy that is applied to the payload.
policy url-rewrite url-rewrite-policy-name
Syntax Description
Defaults
This command has no default settings.
Command Modes
Context subcommand mode
Command History
Usage Guidelines
URL rewrite allows you to rewrite redirection links only.
A URL rewrite policy consists of up to 32 rewrite rules for each SSL proxy service.
Table 2-7 lists the commands that are available in proxy-policy configuration submode.
url-string—Specifies the host portion of the URL link to be rewritten; it can have a maximum of 251 characters. You can use the asterisk (*) wildcard only as a prefix or a suffix of a hostname in a rewrite rule. For example, you can use the hostname in one of the following ways:
•
•
•
clearport port-number—(Optional) Specifies the port portion of the URL link that is to be rewritten; valid values are from 1 to 65535.
sslport port-number—(Optional) Specifies the port portion of the URL link that is to be written; valid values are from 1 to 65535.
Enter the no form of the command to remove the policy.
Note
Examples
This example shows how to enter the URL rewrite configuration submode for the test1 policy:
ssl-proxy(config)# ssl-pro context s1ssl-proxy(config-context)# ssl-proxy policy url-rewrite test1ssl-proxy(config-ctx-url-rewrite-policy#This example shows how to define the URL rewrite policy for the test1 policy:
ssl-proxy(config)# ssl-pro context s1ssl-proxy(config-context)# ssl-proxy policy url-rewrite test1ssl-proxy(config-ctx-url-rewrite-policy# url www.cisco.com clearport 80 sslport 443ssl-proxy(config-ctx-url-rewrite-policy#This example shows how to delete the URL rewrite policy for the test1 policy:
ssl-proxy(config)# ssl-pro context s1ssl-proxy(config-context)# ssl-proxy policy url-rewrite test1ssl-proxy(config-ctx-url-rewrite-policy# no url www.cisco.com clearport 80 sslport 443ssl-proxy(config-ctx-url-rewrite-policy#Related Commands
pool ca
To enter the certificate authority pool configuration submode, use the pool ca command. In the certificate authority pool configuration submode, you can configure a certificate authority pool, which lists the CAs that the module can trust.
pool ca ca-pool-name
Syntax Description
Defaults
This command has no arguments or keywords.
Command Modes
Context subcommand mode
Command History
Usage Guidelines
Enter each certificate-authority pool configuration submode command on its own line.
Table 2-8 lists the commands that are available in certificate-authority pool configuration submode.
Examples
This example shows how to add a certificate-authority trustpoint to a pool:
ssl-proxy(config)# ssl-proxy context s1ssl-proxy(config-context)# pool ca test1ssl-proxy(config-ctx-ca-pool)# ca trustpoint test20ssl-proxy(config-ctx-ca-pool)#service
To enter the proxy-service configuration submode, use the service command.
service ssl-proxy-name [client]
Syntax Description
ssl-proxy-name
SSL proxy name.
client
(Optional) Allows you to configure the SSL-client proxy services. See the service client command.
Defaults
Server NAT is enabled, and client NAT is disabled.
Command Modes
Context subcommand mode
Command History
Usage Guidelines
You cannot use the same service_name for both the server proxy service and the client proxy service.
In proxy-service configuration submode, you can configure the virtual IP address and port that is associated with the proxy service and the associated target IP address and port. You can also define TCP and SSL policies for both the client side (beginning with the virtual keyword) and the server side of the proxy (beginning with the server keyword).
In client proxy-service configuration submode, you specify that the proxy service accept clear-text traffic, encrypt it into SSL traffic, and forward it to the back-end SSL server.
In most cases, all of the SSL-server-proxy configurations that are performed are also valid for the SSL-client-proxy configuration, except for the following:
•
•
Enter each proxy-service or proxy-client configuration submode command on its own line.
Table 2-9 lists the commands that are available in proxy-service or proxy-client configuration submode.
Both secured and bridge mode between the Content Switching Module (CSM) and the SSL Services Module is supported.
Use the secondary keyword (optional) for bridge-mode topology.
Examples
This example shows how to enter the proxy-service configuration submode:
ssl-proxy (config)# ssl-proxy context s1ssl-proxy (config-context)# service S6ssl-proxy (config-ctx-ssl-proxy)#This example shows how to configure the method for certificate verification:
ssl-proxy (config-ctx-ssl-proxy)# authenticate verify allssl-proxy (config-ctx-ssl-proxy)#This example shows how to configure the certificate for the specified SSL-proxy services:
ssl-proxy (config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint tp1ssl-proxy (config-ctx-ssl-proxy)#These examples show how to set a specified command to its default value:
ssl-proxy (config-ctx-ssl-proxy)# default certificatessl-proxy (config-ctx-ssl-proxy)# default inservicessl-proxy (config-ctx-ssl-proxy)# default natssl-proxy (config-ctx-ssl-proxy)# default serverssl-proxy (config-ctx-ssl-proxy)# default virtualssl-proxy (config-ctx-ssl-proxy)#This example shows how to apply a trusted-certificate authenticate configuration to a proxy server:
ssl-proxy (config-ctx-ssl-proxy)# trusted-ca test1ssl-proxy (config-ctx-ssl-proxy)#This example shows how to configure a virtual IP address for the specified virtual server:
ssl-proxy (config-ctx-ssl-proxy)# virtual ipaddr 207.59.100.20 protocol tcp port 443ssl-proxy (config-ctx-ssl-proxy)#This example shows how to configure the SSL policy for the specified virtual server:
ssl-proxy (config-ctx-ssl-proxy)# virtual policy ssl sslpl1ssl-proxy (config-ctx-ssl-proxy)#This example shows how to configure the TCP policy for the specified virtual server:
ssl-proxy (config-ctx-ssl-proxy)# virtual policy tcp tcppl1ssl-proxy (config-ctx-ssl-proxy)#This example shows how to configure a clear-text web server for the SSL Services Module to forward the decrypted traffic:
ssl-proxy (config-ctx-ssl-proxy)# server ipaddr 207.50.0.50 protocol tcp port 80ssl-proxy (config-ctx-ssl-proxy)#This example shows how to configure a TCP policy for the given clear-text web server:
ssl-proxy (config-ctx-ssl-proxy)# server policy tcp tcppl1ssl-proxy (config-ctx-ssl-proxy)#This example shows how to configure a NAT pool for the client address that is used in the server connection of the specified service SSL offload:
ssl-proxy (config-ctx-ssl-proxy)# nat client NP1ssl-proxy (config-ctx-ssl-proxy)#This example shows how to enable a NAT server address for the server connection of the specified service SSL offload:
ssl-proxy (config-ctx-ssl-proxy)# nat serverssl-proxy (config-ctx-ssl-proxy)#Related Commands
service client
To enter the client proxy-service configuration submode, use the service client command.
service ssl-proxy-name client
Syntax Description
Defaults
Client NAT is disabled.
Command Modes
Context subcommand mode
Command History
Usage Guidelines
You cannot use the same service_name for both the server proxy service and the client proxy service.
In client proxy-service configuration submode, you specify that the proxy service accept clear-text traffic, encrypt it into SSL traffic, and forward it to the back-end SSL server.
In most cases, all of the SSL-server-proxy configurations that are performed are also valid for the SSL-client-proxy configuration, except for the following:
•
•
Each proxy-service or proxy-client configuration submode command is entered on its own line.
Table 2-10 lists the commands that are available in proxy-client configuration submode.
Both secured mode and bridge mode between the Content Switching Module (CSM) and the SSL Services Module are supported.
Use the secondary keyword (optional) for the bridge-mode topology.
Examples
This example shows how to enter the client proxy-service configuration submode:
ssl-proxy (config)# ssl-proxy context s1ssl-proxy (config-context)# service S7 clientssl-proxy (config-ctx-ssl-proxy)#This example shows how to configure the certificate for the specified SSL-proxy services:
ssl-proxy (config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint tp1ssl-proxy (config-ctx-ssl-proxy)#These examples show how to set a specified command to its default value:
ssl-proxy (config-ctx-ssl-proxy)# default certificatessl-proxy (config-ctx-ssl-proxy)# default inservicessl-proxy (config-ctx-ssl-proxy)# default natssl-proxy (config-ctx-ssl-proxy)# default serverssl-proxy (config-ctx-ssl-proxy)# default virtualssl-proxy (config-ctx-ssl-proxy)#This example shows how to configure a virtual IP address for the specified virtual server:
ssl-proxy (config-ctx-ssl-proxy)# virtual ipaddr 207.59.100.20 protocol tcp port 443ssl-proxy (config-ctx-ssl-proxy)#This example shows how to configure the SSL policy for the specified virtual server:
ssl-proxy (config-ctx-ssl-proxy)# virtual policy ssl sslpl1ssl-proxy (config-ctx-ssl-proxy)#This example shows how to configure the TCP policy for the specified virtual server:
ssl-proxy (config-ctx-ssl-proxy)# virtual policy tcp tcppl1ssl-proxy (config-ctx-ssl-proxy)#This example shows how to configure a clear-text web server for the SSL Services Module to forward the decrypted traffic:
ssl-proxy (config-ctx-ssl-proxy)# server ipaddr 207.50.0.50 protocol tcp port 80ssl-proxy (config-ctx-ssl-proxy)#This example shows how to configure a TCP policy for the given clear-text web server:
ssl-proxy (config-ctx-ssl-proxy)# server policy tcp tcppl1ssl-proxy (config-ctx-ssl-proxy)#This example shows how to configure a NAT pool for the client address that is used in the server connection of the specified service SSL offload:
ssl-proxy (config-ctx-ssl-proxy)# nat client NP1ssl-proxy (config-ctx-ssl-proxy)#This example shows how to enable a NAT server address for the server connection of the specified service SSL offload:
ssl-proxy (config-ctx-ssl-proxy)# nat serverssl-proxy (config-ctx-ssl-proxy)#Related Commands
show interfaces ssl-proxy
To display information about the configured subinterfaces, use the show interfaces ssl-proxy command.
show interfaces ssl-proxy 0.subinterface
Syntax Description
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
SSL Services Module Release 3.1(1)
Support for this command was introduced on the Catalyst 6500 series SSL Services Module.
Examples
This example shows how to display information about the configured subinterfaces:
ssl-proxy# show ionterfaces 0.3SSL-Proxy0.3 is up, line protocol is upHardware is STE interface, address is 0001.6445.c744 (bia 00e0.14c1.30e9)Internet address is 10.10.0.16/8MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,reliability 255/255, txload 1/255, rxload 1/255Encapsulation 802.1Q Virtual LAN, Vlan ID 3.ARP type: ARPA, ARP Timeout 04:00:00Last clearing of "show interface" counters neverssl-proxy#Related Commands
show ssl-proxy buffers
To display information about TCP buffer usage, use the show ssl-proxy buffers command.
show ssl-proxy buffers
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Examples
This example shows how to display the buffer usage and other information in the TCP subsystem:
ssl-proxy# show ssl-proxy buffersBuffers info for TCP module 1TCP data buffers used 2817 limit 88064TCP ingress buffer pool size 44032 egress buffer pool size 44032TCP ingress data buffers min-thresh 5636096 max-thresh 9017344TCP ingress data buffers used Current 0 Max 0TCP ingress buffer RED shift 9 max drop prob 10Conns consuming ingress data buffers 0Buffers with App 0TCP egress data buffers used Current 0 Max 0Conns consuming egress data buffers 0In-sequence queue bufs 0 OOO bufs 0Per-flow avg qlen 0 Global avg qlen 0ssl-proxy#Related Commands
show ssl-proxy certificate-history
To display information about the event history of the certificate, use the show ssl-proxy certificate-history command.
show ssl-proxy certificate-history [service [name]]
Syntax Description
service name
Displays all certificate records of a proxy service and (optionally) for a specific proxy service.
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Usage Guidelines
The show ssl-proxy certificate-history command displays these records:
•
•
•
•
•
•
•
•
A syslog message is generated for each record. The oldest records are deleted after the limit of 512 records is reached.
Examples
This example shows how to display the event history of all the certificate processing:
ssl-proxy# show ssl-proxy certificate-historyRecord 1, Timestamp:00:00:51, 16:36:34 UTC Oct 31 2002Installed Server Certificate, Index 5Proxy Service:s1, Trust Point:t3Key Pair Name:k3, Key Usage:RSA General Purpose, ExportableTime of Key Generation:12:27:58 UTC Oct 30 2002Subject Name:OID.1.2.840.113549.1.9.2 = simpson5-2-ste.cisco.com, OID.1.2.840.113549.1.9.8 = 207.79.1.9, OID.2.5.4.5 = B0FFF235Issuer Name:CN = SimpsonTestCA, OU = Simpson Lab, O = Cisco Systems, L = San Jose, ST = CA, C = US, EA =<16> simpson-pki@cisco.comSerial Number:5D3D1931000100000D99Validity Start Time:21:58:12 UTC Oct 30 2002End Time:22:08:12 UTC Oct 30 2003Renew Time:00:00:00 UTC Jan 1 1970End of Certificate RecordRecord 2, Timestamp:00:01:06, 16:36:49 UTC Oct 31 2002Installed Server Certificate, Index 6Proxy Service:s5, Trust Point:t10Key Pair Name:k10, Key Usage:RSA General Purpose, ExportableTime of Key Generation:07:56:43 UTC Oct 11 2002Subject Name:CN = host1.cisco.com, OID.1.2.840.113549.1.9.2 = simpson5-2-ste.cisco.com, OID.1.2.840.113549.1.9.8 = 207.79.1.9, OID.2.5.4.5 = B0FFF235Issuer Name:CN = SimpsonTestCA, OU = Simpson Lab, O = Cisco Systems, L = San Jose, ST = CA, C = US, EA =<16> simpson-pki@cisco.comSerial Number:24BC81B7000100000D85Validity Start Time:22:38:00 UTC Oct 19 2002End Time:22:48:00 UTC Oct 19 2003Renew Time:00:00:00 UTC Jan 1 1970End of Certificate RecordRecord 3, Timestamp:00:01:34, 16:37:18 UTC Oct 31 2002Installed Server Certificate, Index 7Proxy Service:s6, Trust Point:t10Key Pair Name:k10, Key Usage:RSA General Purpose, ExportableTime of Key Generation:07:56:43 UTC Oct 11 2002Subject Name:CN = host1.cisco.com, OID.1.2.840.113549.1.9.2 = simpson5-2-ste.cisco.com, OID.1.2.840.113549.1.9.8 = 207.79.1.9, OID.2.5.4.5 = B0FFF235Issuer Name:CN = SimpsonTestCA, OU = Simpson Lab, O = Cisco Systems, L = San Jose, ST = CA, C = US, EA =<16> simpson-pki@cisco.comSerial Number:24BC81B7000100000D85Validity Start Time:22:38:00 UTC Oct 19 2002End Time:22:48:00 UTC Oct 19 2003Renew Time:00:00:00 UTC Jan 1 1970End of Certificate RecordRecord 4, Timestamp:00:01:40, 16:37:23 UTC Oct 31 2002Deleted Server Certificate, Index 0Proxy Service:s6, Trust Point:t6Key Pair Name:k6, Key Usage:RSA General Purpose, Not ExportableTime of Key Generation:00:28:28 UTC Mar 1 1993Subject Name:CN = host1.cisco.com, OID.1.2.840.113549.1.9.2 = simpson5-2-ste.cisco.com, OID.1.2.840.113549.1.9.8 = 207.79.1.8, OID.2.5.4.5 = B0FFF235Issuer Name:CN = SimpsonTestCA, OU = Simpson Lab, O = Cisco Systems, L = San Jose, ST = CA, C = US, EA =<16> simpson-pki@cisco.comSerial Number:5CB5CFD6000100000D97Validity Start Time:19:30:26 UTC Oct 30 2002End Time:19:40:26 UTC Oct 30 2003Renew Time:00:00:00 UTC Jan 1 1970End of Certificate Record% Total number of certificate history records displayed = 4ssl-proxy#This example shows how to display the certificate record for a specific proxy service:
ssl-proxy# show ssl-proxy certificate-history service s6Record 3, Timestamp:00:01:34, 16:37:18 UTC Oct 31 2002Installed Server Certificate, Index 7Proxy Service:s6, Trust Point:t10Key Pair Name:k10, Key Usage:RSA General Purpose, ExportableTime of Key Generation:07:56:43 UTC Oct 11 2002Subject Name:CN = host1.cisco.com, OID.1.2.840.113549.1.9.2 = simpson5-2-ste.cisco.com, OID.1.2.840.113549.1.9.8 = 207.79.1.9, OID.2.5.4.5 = B0FFF235Issuer Name:CN = SimpsonTestCA, OU = Simpson Lab, O = Cisco Systems, L = San Jose, ST = CA, C = US, EA =<16> simpson-pki@cisco.comSerial Number:24BC81B7000100000D85Validity Start Time:22:38:00 UTC Oct 19 2002End Time:22:48:00 UTC Oct 19 2003Renew Time:00:00:00 UTC Jan 1 1970End of Certificate RecordRecord 4, Timestamp:00:01:40, 16:37:23 UTC Oct 31 2002Deleted Server Certificate, Index 0Proxy Service:s6, Trust Point:t6Key Pair Name:k6, Key Usage:RSA General Purpose, Not ExportableTime of Key Generation:00:28:28 UTC Mar 1 1993Subject Name:CN = host1.cisco.com, OID.1.2.840.113549.1.9.2 = simpson5-2-ste.cisco.com, OID.1.2.840.113549.1.9.8 = 207.79.1.8, OID.2.5.4.5 = B0FFF235Issuer Name:CN = SimpsonTestCA, OU = Simpson Lab, O = Cisco Systems, L = San Jose, ST = CA, C = US, EA =<16> simpson-pki@cisco.comSerial Number:5CB5CFD6000100000D97Validity Start Time:19:30:26 UTC Oct 30 2002End Time:19:40:26 UTC Oct 30 2003Renew Time:00:00:00 UTC Jan 1 1970End of Certificate RecordTotal number of certificate history records displayed = 2Related Commands
show ssl-proxy conn
To display the TCP connections from the SSL Services Module, use the show ssl-proxy conn command.
show ssl-proxy conn 4tuple [local {ip local-ip-addr local-port} [remote [{ip remote-ip-addr [port remote-port]} | {port remote-port [ip remote-ip-addr]}]]]
show ssl-proxy conn 4tuple [local {port local-port} [remote [{ip remote-ip-addr [port remote-port]} | {port remote-port [ip remote-ip-addr]}]]]
show ssl-proxy conn 4tuple [local {remote [{ip remote-ip-addr [port remote-port]} | {port remote-port [ip remote-ip-addr]}]]
show ssl-proxy conn module module
show ssl-proxy conn service name [context name] module [module]
Syntax Description
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Usage Guidelines
The show ssl-proxy conn commanddisplays these records:
•
•
•
•
•
•
•
The State record indicates the TCP state of the connection between the SSL Services Module and a remote device. The TCP states are described in the following table:
Examples
These examples show different ways to display the TCP connection that is established from the SSL Services Module:
ssl-proxy# show ssl-proxy connConnections for TCP module 1Local Address Remote Address VLAN Conid Send-Q Recv-Q State--------------------- --------------------- ---- ------ ------ ------ ------2.0.0.10:4430 1.200.200.14:48582 2 0 0 0 ESTAB1.200.200.14:48582 2.100.100.72:80 2 1 0 0 ESTAB2.0.0.10:4430 1.200.200.14:48583 2 2 0 0 ESTAB1.200.200.14:48583 2.100.100.72:80 2 3 0 0 ESTAB2.0.0.10:4430 1.200.200.14:48584 2 4 0 0 ESTAB1.200.200.14:48584 2.100.100.72:80 2 5 0 0 ESTAB2.0.0.10:4430 1.200.200.14:48585 2 6 0 0 ESTAB1.200.200.14:48585 2.100.100.72:80 2 7 0 0 ESTAB2.0.0.10:4430 1.200.200.14:48586 2 8 0 0 ESTAB1.200.200.14:48586 2.100.100.72:80 2 9 0 0 ESTABssl-proxy# show ssl-proxy conn 4tuple local port 443Connections for TCP module 1Local Address Remote Address VLAN Conid Send-Q Recv-Q State--------------------- --------------------- ---- ------ ------ ------ ------2.50.50.133:443 1.200.200.12:39728 2 113676 0 0 TWAITNo Bound Connection2.50.50.133:443 1.200.200.12:39729 2 113680 0 0 TWAITNo Bound Connection2.50.50.131:443 1.200.200.14:40599 2 113684 0 0 TWAITNo Bound Connection2.50.50.132:443 1.200.200.13:48031 2 114046 0 0 TWAITNo Bound Connection2.50.50.132:443 1.200.200.13:48032 2 114048 0 0 TWAITNo Bound Connection2.50.50.132:443 1.200.200.13:48034 2 114092 0 0 TWAITNo Bound Connection2.50.50.132:443 1.200.200.13:48035 2 114100 0 0 TWAITNo Bound Connectionssl-proxy# show ssl-proxy conn 4tuple remote ip 1.200.200.14Connections for TCP module 1Local Address Remote Address VLAN Conid Send-Q Recv-Q State--------------------- --------------------- ---- ------ ------ ------ ------2.50.50.131:443 1.200.200.14:38814 2 58796 0 0 TWAITNo Bound Connection2.50.50.131:443 1.200.200.14:38815 2 58800 0 0 TWAITNo Bound Connection2.50.50.131:443 1.200.200.14:38817 2 58802 0 0 TWAITNo Bound Connection2.50.50.131:443 1.200.200.14:38818 2 58806 0 0 TWAITNo Bound Connection2.50.50.131:443 1.200.200.14:38819 2 58810 0 0 TWAITNo Bound Connection2.50.50.131:443 1.200.200.14:38820 2 58814 0 0 TWAITNo Bound Connection2.50.50.131:443 1.200.200.14:38821 2 58818 0 0 TWAITNo Bound Connectionssl-proxy# show ssl-proxy conn service iis1Connections for TCP module 1Local Address Remote Address VLAN Conid Send-Q Recv-Q State--------------------- --------------------- ---- ------ ------ ------ ------2.50.50.131:443 1.200.200.14:41217 2 121718 0 0 TWAITNo Bound Connection2.50.50.131:443 1.200.200.14:41218 2 121722 0 0 TWAITNo Bound Connection2.50.50.131:443 1.200.200.14:41219 2 121726 0 0 TWAITNo Bound Connection2.50.50.131:443 1.200.200.14:41220 2 121794 0 0 TWAITNo Bound Connection2.50.50.131:443 1.200.200.14:41221 2 121808 0 0 TWAITNo Bound Connection2.50.50.131:443 1.200.200.14:41222 2 121940 0 0 TWAITNo Bound Connection2.50.50.131:443 1.200.200.14:41223 2 122048 0 0 TWAITNo Bound Connectionshow ssl-proxy context
To display context information, use the show ssl-proxy context command.
show ssl-proxy context [name]
Syntax Description
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
SSL Services Module Release 3.1(1)
Support for this command was introduced on the Catalyst 6500 series SSL Services Module.
Examples
This example shows how to display all context information on the SSL Services Module:
ssl-proxy# show ssl-proxy contextTotal number of contexts : 2Context Name VRF Num Proxies------------ --- -----------Default 2c1 200This example shows how to display specific context information on the SSL Services Module:
ssl-proxy# show ssl-proxy context DefaultContext id : 0Number of proxies : 2Num max conns allowed : 65536Context 'Default' has the following service(s) configured..s2s3ssl-proxy#show ssl-proxy crash-info
To collect information about the software-forced reset from the SSL Services Module, use the show ssl-proxy crash-info command.
show ssl-proxy crash-info [brief | details]
Syntax Description
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Examples
This example shows how to collect information about the software-forced reset:
ssl-proxy# show ssl-proxy crash-info===== SSL SERVICE MODULE - START OF CRASHINFO COLLECTION =====------------- COMPLEX 0 [FDU_IOS] ----------------------NVRAM CHKSUM:0xEB28NVRAM MAGIC:0xC8A514F0NVRAM VERSION:1++++++++++ CORE 0 (FDU) ++++++++++++++++++++++CID:0APPLICATION VERSION:2003.04.15 14:50:20 built for cantucAPPROXIMATE TIME WHEN CRASH HAPPENED:14:06:04 UTC Apr 16 2003THIS CORE DIDN'T CRASHTRACEBACK:222D48 216894CPU CONTEXT -----------------------------$0 :00000000, AT :00240008, v0 :5A27E637, v1 :000F2BB1a0 :00000001, a1 :0000003C, a2 :002331B0, a3 :00000000t0 :00247834, t1 :02BFAAA0, t2 :02BF8BB0, t3 :02BF8BA0t4 :02BF8BB0, t5 :00247834, t6 :00000000, t7 :00000001s0 :00000000, s1 :0024783C, s2 :00000000, s3 :00000000s4 :00000001, s5 :0000003C, s6 :00000019, s7 :0000000Ft8 :00000001, t9 :00000001, k0 :00400001, k1 :00000000gp :0023AE80, sp :031FFF58, s8 :00000019, ra :00216894LO :00000000, HI :0000000A, BADVADDR :828D641CEPC :00222D48, ErrorEPC :BFC02308, SREG :34007E03Cause 0000C000 (Code 0x0):Interrupt exceptionCACHE ERROR registers -------------------CacheErrI:00000000, CacheErrD:00000000ErrCtl:00000000, CacheErrDPA:0000000000000000PROCESS STACK -----------------------------stack top:0x3200000Process stack in use:sp is close to stack top;printing 1024 bytes from stack top:031FFC00:06405DE0 002706E0 0000002D 00000001 .@]`.'.`...-....031FFC10:06405DE0 002706E0 00000001 0020B800 .@]`.'.`..... 8.031FFC20:031FFC30 8FBF005C 14620010 24020004 ..|0.?.\.b..$....................................FFFFFFD0:00000000 00000000 00000000 00000000 ................FFFFFFE0:00627E34 00000000 00000000 00000000 .b~4............FFFFFFF0:00000000 00000000 00000000 00000006 ................===== SSL SERVICE MODULE - END OF CRASHINFO COLLECTION =======This example shows how to collect a small subset of software-forced reset information:
ssl-proxy# show ssl-proxy crash-info brief===== SSL SERVICE MODULE - START OF CRASHINFO COLLECTION =====------------- COMPLEX 0 [FDU_IOS] ----------------------SKE CRASH INFO Error: wrong MAGIC # 0CLI detected an error in FDU_IOS crash-info; wrong magic.------------- COMPLEX 1 [TCP_SSL] ----------------------Crashinfo fragment #0 from core 2 at offset 0 error:Remote system reports wrong crashinfo magic.Bad fragment received. Reception abort.CLI detected an error in TCP_SSL crash-info;===== SSL SERVICE MODULE - END OF CRASHINFO COLLECTION =======show ssl-proxy mac address
To display the current MAC address, use the show ssl-proxy mac address command.
show ssl-proxy mac address
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Examples
This example shows how to display the current MAC address that is used in the SSL Services Module:
ssl-proxy# show ssl-proxy mac addressSTE MAC address: 00e0.b0ff.f232ssl-proxy#show ssl-proxy natpool
To display information about the NAT pool, use the show ssl-proxy natpool command.
show ssl-proxy natpool [name][context name]
Syntax Description
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Examples
This example shows how to display information for a specific NAT address pool that is configured on the SSL Services Module:
ssl-proxy# show ssl-proxy natpoolNo context name provided, assuming context 'Default'...natpool-name start-ip end-ip netmask use-countn1 207.57.110.1 207.57.110.8 255.0.0.0 2ssl-proxy#This example shows how to display information for a specific NAT address pool that is configured on the SSL Services Module:
ssl-proxy# show ssl-proxy natpool n1No context name provided, assuming context 'Default'...Start ip: 207.57.110.1End ip: 207.57.110.8netmask: 255.0.0.0vlan associated with natpool: 2SSL proxy services using this natpool:S2S3Num of proxies using this natpool: 2ssl-proxy#Related Commands
show ssl-proxy policy
To display the configured SSL proxy policies, use the show ssl-proxy policy command.
show ssl-proxy policy {health-probe tcp [name] [context name] | http-header | ssl | tcp | url-rewrite} [name]
Syntax Description
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Examples
This example shows how to display information about the HTTP header policy:
ssl-proxy# show ssl-proxy policy http-header h1No context name provided, assuming context 'Default'...Prefix SSLClient Certificate Insertion Not EnabledSession Header Insertion AllClient IP/Port Insertion Not EnabledHdr # Custom Header0 "a:"1 "b:"2 "c:"3 "d:"4 "e:"5 "f:"6 "g:"7 "h:"8 "i:"9 "j:"10 "k:"11 "l:"12 "m:"13 "n:"Usage count of this policy: 0ssl-proxy#This example shows how to display policy information about a specific SSL policy that is configured on the SSL Services Module:
ssl-proxy# show ssl-proxy policy ssl ssl-policy1No context name provided, assuming context 'Default'...
Cipher suites: (None configured, default ciphers included)
rsa-with-rc4-128-md5
rsa-with-rc4-128-sha
rsa-with-des-cbc-sha
rsa-with-3des-ede-cbc-sha
SSL Versions enabled:SSL3.0, TLS1.0
close protocol: default (close_notify sent but not expected from peer)
Session Cache:enabled
Session timeout: 72000 secondsRenegotiation timeout: 100 secondsHandshake timeout not configured (never times out)TLS Rollback: default (version number rollback not allowed)No. of policy users : 0ssl-proxy#This example shows how to display policy information about a specific TCP policy that is configured on the SSL Services Module:
ssl-proxy# show ssl-proxy policy tcp tcp-policy1No context name provided, assuming context 'Default'...MSS 1460SYN timeout 75Idle timeout 600FIN wait timeout 75Reassembly timeout 60Persist timeout 0Rx Buffer Share 32768Tx Buffer Share 65536TOS Carryover DisabledDelayed ACK timer 200Delayed ACK Threshold 2Nagle algorithm EnabledForced ACK EnabledNo. of policy users : 0ssl-proxy#This example shows how to display information about the URL rewrite policy:
ssl-proxy# show ssl-proxy policy url-rewrite urlrw-policyNo context name provided, assuming context 'Default'...Rule URL Clearport SSLport1 wwwin.cisco.com 80 4432 www.cisco.com 8080 444Usage count of this policy: 0ssl-proxy#This example shows how to display information about the TCP health probe policy:
ssl-proxy# show ssl-proxy policy health-probe tcpNo context name provided, assuming context 'Default'...TCP Health Probe Policy Name Usage-Counttcp-health 1This example shows how to display information about the specified TCP health probe policy:
ssl-proxy# show ssl-proxy policy health-probe tcp tcp-healthNo context name provided, assuming context 'Default'...TCP Health Probe Details : tcp-healthServer Port number 80Interval between probe 30Interval between failed probe 60TCP Connection open timeout 80Maximum retries for success probe 3No. of policy users 1SSL proxy services using this policy:s3 ConnectedUsage count of this policy: 1Related Commands
policy health-probe tcp
policy http-header
policy ssl
policy tcp
policy url-rewriteshow ssl-proxy service
To display information about the configured SSL virtual service, use the show ssl-proxy service command.
show ssl-proxy service [name][context name]
Syntax Description
name
(Optional) Service name.
context name
(Optional) Displays service information for the specifed context name.
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Examples
This example shows how to display all SSL virtual services that are configured on the SSL Services Module:
ssl-proxy# show ssl-proxy serviceNo context name provided, assuming context 'Default'...Proxy Service Name Context Name Admin Operationstatus statuss2 Default up ups3 Default up upssl-proxy#This example shows how to display a specific SSL virtual service that is configured on the SSL Services Module:
ssl-proxy# show ssl-proxy service S6No context name provided, assuming context 'Default'...Service id: 1, bound_service_id: 257Virtual IP: 10.10.1.104, port: 443Server IP: 10.10.1.100, port: 80Virtual SSL Policy: SSL1_PLCServer TCP Policy: nagleTCP Health Probe Policy: tcp-healthNat pool: n2rsa-general-purpose certificate trustpoint: tptestCertificate chain for new connections:Certificate:Key Label: mytp, 1024-bit, not exportableKey Timestamp: 07:21:09 UTC Apr 20 2005Serial Number: 0FE5Root CA Certificate:Serial Number: 01Certificate chain completeContext name: DefaultContext Id : 0Admin Status: upOperation Status: upssl-proxy#This example shows how to display a specific SSL virtual service on a specific context that is configured on the SSL Services Module:
ssl-proxy# show ssl-proxy service s2 context c1Service id: 214, bound_service_id: 470Virtual IP: 10.12.0.2, port: 443Server IP: 10.0.207.203, port: 80TCP Health Probe Policy: h1rsa-general-purpose certificate trustpoint: mytpCertificate chain for new connections:Certificate:Key Label: mytp, 1024-bit, not exportableKey Timestamp: 07:21:09 UTC Apr 20 2005Serial Number: 0FE5Root CA Certificate:Serial Number: 01Certificate chain completeContext name: c1Context Id : 167Admin Status: upOperation Status: upssl-proxy#Related Commands
show ssl-proxy stats
To display information about the statistics counter, use the show ssl-proxy stats command.
show ssl-proxy stats [type]
Syntax Description
type
(Optional) Information type; valid values are content, context, crypto, fdu, hdr, ipc, module, pki, service, ssl, tcp, and url. See the "Usage Guidelines" section for additional information.
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Usage Guidelines
The type values are defined as follows:
•
•
•
•
•
•
•
–
–
–
–
•
•
•
•
•
Examples
This example shows how to display all the statistics counters that are collected on the SSL Services Module:
ssl-proxy# show ssl-proxy statsTCP Statistics:Conns initiated : 20636 Conns accepted : 20636Conns established : 28744 Conns dropped : 28744Conns closed : 41272 SYN timeouts : 0Idle timeouts : 0 Total pkts sent : 57488Data packets sent : 0 Data bytes sent : 0Total Pkts rcvd : 70016 Pkts rcvd in seq : 0Bytes rcvd in seq : 0SSL Statistics:conns attempted : 20636 conns completed : 20636full handshakes : 0 resumed handshakes : 0active conns : 0 active sessions : 0renegs attempted : 0 conns in reneg : 0handshake failures : 20636 data failures : 0fatal alerts rcvd : 0 fatal alerts sent : 0no-cipher alerts : 0 ver mismatch alerts : 0no-compress alerts : 0 bad macs received : 0pad errors : 0 session fails : 0FDU Statistics:IP Frag Drops : 0 Serv_Id Drops : 9Conn Id Drops : 0 Bound Conn Drops : 0Vlan Id Drops : 0 Checksum Drops : 0IOS Congest Drops : 0 IP Version Drops : 0Hash Full Drops : 0 Hash Alloc Fails : 0Flow Creates : 41272 Flow Deletes : 41272conn_id allocs : 41272 conn_id deallocs : 41272Tagged Drops : 0 Non-Tagged Drops : 0Add ipcs : 3 Delete ipcs : 0Disable ipcs : 3 Enable ipcs : 0Unsolicited ipcs : 0 Duplicate ADD ipcs : 0IOS broadcast pkts : 29433 IOS unicast pkts : 5IOS total pkts : 29438ssl-proxy#This example shows how to display the TCP statistics:
ssl-proxy# show ssl-proxy stats tcpTCP Statistics:Connection related :Initiated : 4 Accepted : 4Established : 8 Dropped : 6Dropped before est : 0 Closed : 8Persist timeout drops : 0 Rxmt timeout drops : 0Current TIME-WAIT : 0 Current ESTABLISHED : 0Maximum TIME-WAIT : 1 Maximum ESTABLISHED : 4Conns Allocated : 4 Conns Deallocated : 4Conn Deletes sent : 8Timer related :RTT estimates : 48 RTT est. updates : 85delayed acks sent : 5 FIN-WAIT2 timeouts : 0Retransmit timeouts : 0 Persist Timeouts : 0SYN timeouts : 0 Idle Timeouts : 0Reassembly timeouts : 0Packet Transmit related :Total packets : 140 Data packets : 93Data bytes sent : 87332 Retransmitted pkts : 0Retransmitted bytes : 0 Ack only pkts : 19Window probes : 0 URG only pkts : 0Window Update pkts : 16 Cntrl pkts (S/F/R) : 12Tx TOS - normal : 122 Tx TOS - Min. Cost : 0Tx TOS - max. rel. : 0 Tx TOS - Max. thru. : 18Tx TOS - min. delay : 0 Tx TOS - invalid : 0Packet Receive related :Total packets : 173 In seq data pkts : 77In seq data bytes : 85188 Bad Offset : 0Too short : 0 Dup-only data pkts : 2Dup-only data bytes : 2896 Part. dup. data pkts : 0Part. Dup. data bytes : 0 OOO data pkts : 0OOO data bytes rcvd : 0 Pkts after rx win : 0Bytes after rx window : 0 Pkts after close : 0Window Probes : 0 Duplicate ACKs : 6ACKs for unsent data : 0 ACK-only pkts : 85Bytes acked by acks : 87313 Window Update pkts : 0PAWS dropped pkts : 0 Hdr pred. ACKs : 0Hdr pred. data pkts : 68 TCB cache misses : 1033 dup-only pkts : 0 Partial Acks : 0Rx TOS - normal : 157 Rx TOS - Min. Cost : 0Rx TOS - max. rel. : 0 Rx TOS - Max. thru. : 16Rx TOS - min. delay : 0 Rx TOS - invalid : 0Unrecognized Options : 0This example shows how to display the PKI statistics:
ssl-proxy# show ssl-proxy stats pkiPKI Memory Usage Counters:Malloc count: 0Setstring count: 0Free count: 0Malloc failed: 0Ipc alloc count: 0Ipc free count: 0Ipc alloc failed: 0PKI IPC Counters:Request buffer sent: 0Request buffer received: 0Request duplicated: 0Response buffer sent: 0Response buffer received: 0Response timeout: 0Response with error status: 0Response with no request: 0Response duplicated: 0Message type error: 0PKI Accumulative Certificate Counters:Proxy service trustpoint added: 0Proxy service trustpoint deleted: 0Proxy service trustpoint modified: 0Keypair added: 0Keypair deleted: 0Wrong key type: 0Server certificate added: 0Server certificate deleted: 0Server certificate rolled over: 0Server certificate completed: 0Intermediate CA certificate added: 0Intermediate CA certificate deleted: 0Root CA certificate added: 0Root CA certificate deleted: 0Certificate overwritten: 0History records written: 0History records read from NVRAM: 0Key cert table entries in use: 0ssl-proxy#This example shows how to display the HTTP header insertion statistics:
ssl-proxy# show ssl-proxy stats hdrHeader Insert Statistics:Session Headers Inserted : 0 Custom Headers Inserted : 0Session Id's Inserted : 0 Client Cert. Inserted : 0Client IP/Port Inserted : 0 PEM Cert. Inserted : 0Aliased Hdrs Inserted : 0No End of Hdr Detected : 0 Payload no HTTP header : 0Desc Alloc Failed : 0 Buffer Alloc Failed : 0Client Cert Errors : 0 Malloc failed : 0Service Errors : 0 Conn Entry Invalid : 0Buffers allocated : 0 Buffers Scanned : 0Insertion Points Found : 0 Hdrs Spanning Records : 0End of Header Found : 0 Buffers Accumulated : 0Multi-buffer IP Port : 0 Multi-buffer Session Id : 0Multi-buffer Session Hdr : 0 Multi-buffer Custom Hdr : 0Scan Internal Error : 0 Database Not Initialized: 0This example shows how to display context statistics:
ssl-proxy# show ssl-proxy stats contextContext name : DefaultTCP Context Statistics======================Current conns ACTIVE : 0Num conns DROPPED (hit max limit) : 0Maximum conns ESTABLISHED : 0This example shows how to display the URL rewrite statistics:
ssl-proxy# show ssl-proxy stats urlURL Rewrite Statistics:Rewrites Succeeded : 0 Rewrites Failed : 0Rsp Scan Incomplete : 0 URL Scan Incomplete : 0Invalid Conn Entry : 0 URL Mismatch : 0URL Object Error : 0 Dbase not initialized: 03xx URL Not Rewritten: 0 Scan Internal Error : 0Scan Dbase not Init. : 0This example shows how to display content statistics:
ssl-proxy# show ssl-proxy stats contentScan object statistics in CPU: SSL1Objects in use : 0Obj alloc failures : 0Max obj in use : 0show ssl-proxy status
To display information about the SSL Services Module proxy status, use the show ssl-proxy status command.
show ssl-proxy status [fdu | ssl | tcp]
Syntax Description
fdu
(Optional) Displays the FDU status.
ssl
(Optional) Displays the SSL status.
tcp
(Optional) Displays the TCP status.
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Examples
This example shows how to display the status of the SSL Services Module:
ssl-proxy# show ssl-proxy statusFDU cpu is alive!FDU cpu utilization:% process util : 0 % interrupt util : 0proc cycles : 0x2DB3980C int cycles : 0x2ADACD71total cycles: 0x4E75127FCEA4% process util (5 sec) : 0 % interrupt util (5 sec) : 0% process util (1 min) : 0 % interrupt util (1 min): 0% process util (5 min) : 0 % interrupt util (5 min) : 0TCP cpu is alive!TCP cpu utilization:% process util : 0 % interrupt util : 0proc cycles : 0x2E42C686 int cycles : 0x47F7C36A91total cycles: 0x4E799DB3F5F8% process util (5 sec) : 0 % interrupt util (5 sec) : 0% process util (1 min) : 0 % interrupt util (1 min): 0% process util (5 min) : 0 % interrupt util (5 min) : 0SSL cpu is alive!SSL cpu utilization:% process util : 0 % interrupt util : 0proc cycles : 0x9E396A4 int cycles : 0xDB85C98Btotal cycles: 0x4E798224EDC1% process util (5 sec) : 0 % interrupt util (5 sec) : 0% process util (1 min) : 0 % interrupt util (1 min): 0% process util (5 min) : 0 % interrupt util (5 min) : 0This example shows how to display the status of the TCP CPU on the SSL Services Module:
ssl-proxy# show ssl-proxy status tcpTCP cpu is alive!TCP cpu utilization:% process util : 0 % interrupt util : 0proc cycles : 0x2E45DAEE int cycles : 0x47FC7C2AC5total cycles: 0x4E7EC4499DC8% process util (5 sec) : 0 % interrupt util (5 sec) : 0% process util (1 min) : 0 % interrupt util (1 min): 0% process util (5 min) : 0 % interrupt util (5 min) : 0show ssl-proxy version
To display the current image version, use the show ssl-proxy version command.
show ssl-proxy version
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Examples
This example shows how to display the image version that is currently running on the SSL Services Module:
ssl-proxy# show ssl-proxy versionCisco IOS Software, SVCSSL Software (SVCSSL-K9Y9-M)Copyright (c) 1986-2006 by Cisco Systems, Inc.Compiled Mon 09-Jan-06 16:54 by integROM: System Bootstrap, Version 12.2(11)YS1 RELEASE SOFTWAREssl-proxy uptime is 1 day, 15 hours, 57 minutesSystem returned to ROM by power-onSystem image file is "tftp://10.1.1.1/unknown"AP Version 3.1(1)ssl-proxy#show ssl-proxy vlan
To display VLAN information, use the show ssl-proxy vlan command.
show ssl-proxy vlan [vlan-id][debug][module module]
Syntax Description
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Examples
This example shows how to display all the VLANs that are configured on the SSL Services Module:
ssl-proxy# show ssl-proxy vlanVLAN index 2:Associated with interface SSL-Proxy0.2 (UP)IP addr 207.10.0.16 NetMask 255.0.0.0VLAN index 3:Associated with interface SSL-Proxy0.3 (UP)IP addr 208.10.0.16 NetMask 255.0.0.0VLAN index 4:Associated with interface SSL-Proxy0.4 (UP)IP addr 209.10.0.16 NetMask 255.0.0.0ssl-proxy#Related Commands
snmp-server enable
To configure the SNMP traps and informs, use the snmp-server enable command. Use the no form of this command to disable SNMP traps and informs.
snmp-server enable {informs | traps {ipsec | isakmp | snmp | {ssl-proxy [cert-expiring] [oper-status]}}}
no snmp-server enable {informs | traps {ipsec | isakmp | snmp | {ssl-proxy [cert-expiring] [oper-status]}}}
Syntax Description
Defaults
This command has no default setting.
Command Modes
Global configuration
Command History
SSL Services Module Release 2.1(1)
Support for this command was introduced on the Catalyst 6500 series SSL Services Module.
Examples
This example shows how to enable SNMP informs:
ssl-proxy (config)# snmp-server enable informsssl-proxy (config)#This example shows how to enable SSL-proxy traps:
ssl-proxy (config)# snmp-server enable traps ssl-proxyssl-proxy (config)#This example shows how to enable SSL-proxy notification traps:
ssl-proxy (config)# snmp-server enable traps ssl-proxy cert-expiring oper-statusssl-proxy (config)#ssl-proxy context
To enter the SSL context submode and define the virtual SSL context, use the ssl-proxy context command. Use the no form of this command to remove any commands that you have entered in the SSL context subcommand mode from the configuration.
ssl-proxy context [name]
no ssl-proxy context name
Syntax Description
Defaults
The default context name is "Default."
Command Modes
