Table Of Contents
Commands for the Catalyst 6500 Series Switch SSL Services Module
clear ssl-proxy conn
clear ssl-proxy content
clear ssl-proxy session
clear ssl-proxy stats
crypto pki export pem
crypto pki import pem
crypto pki export pkcs12
crypto pki import pkcs12
crypto key generate rsa (CA)
crypto key zeroize rsa
crypto key decrypt rsa
crypto key encrypt rsa
crypto key export rsa pem
crypto key import rsa pem
crypto key lock rsa
crypto key unlock rsa
debug ssl-proxy
do
interface ssl-proxy
natpool
policy health-probe tcp
policy http-header
policy ssl
policy tcp
policy url-rewrite
pool ca
service
service client
show interfaces ssl-proxy
show ssl-proxy buffers
show ssl-proxy certificate-history
show ssl-proxy conn
show ssl-proxy context
show ssl-proxy crash-info
show ssl-proxy mac address
show ssl-proxy natpool
show ssl-proxy policy
show ssl-proxy service
show ssl-proxy stats
show ssl-proxy status
show ssl-proxy version
show ssl-proxy vlan
snmp-server enable
ssl-proxy context
ssl-proxy crypto selftest
ssl-proxy mac address
ssl-proxy pki
ssl-proxy crypto key unlock rsa
ssl-proxy ip-frag-ttl
ssl-proxy ssl ratelimit
standby authentication
standby delay minimum reload
standby ip
standby mac-address
standby mac-refresh
standby name
standby preempt
standby priority
standby redirects
standby timers
standby track
standby use-bia
standby version
Commands for the Catalyst 6500 Series Switch SSL Services Module
This chapter contains an alphabetical listing of commands for the Catalyst 6500 series switch SSL Services Module.
For additional SSL Services Module information, refer to the following documentation:
•
Catalyst 6500 Series Switch SSL Services Module Configuration Note
•
Catalyst 6500 Series Switch SSL Services Module System Message Guide
•
Catalyst 6500 Series Switch SSL Services Module Installation and Verification Note
clear ssl-proxy conn
To clear all TCP connections on the entire system, use the clear ssl-proxy conn command.
clear ssl-proxy conn [context name [module [module]]][service name [context name [module
[module]]]]
Syntax Description
context name
|
(Optional) Clears the connections for a specific context.
|
module module
|
(Optional) Clears the connections for the specified module type.
The available options for the module variable are as follows:
• all—All CPUs
• fdu—FDU CPU
• ssl1—SSL1 CPU
• tcp1—TCP1 CPU
• tcp2—TCP2 CPU
|
service name
|
(Optional) Clears the connections for the specified service.
|
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release
|
Modification
|
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
SSL Services Module Release 3.1(1)
|
This command was changed to add the following keywords:
• context name
• module module
|
Examples
This example shows how to clear the connections for the specified service:
ssl-proxy# clear ssl-proxy conn service S6
This example shows how to clear all TCP connections on the entire system:
ssl-proxy# clear ssl-proxy conn
clear ssl-proxy content
To clear all TCP connections on the entire system, use the clear ssl-proxy conn command.
clear ssl-proxy content {all | rewrite | scanning} [module [module]]
Syntax Description
all
|
Clears all content statistics.
|
scanning
|
Clears scanning statistics.
|
rewrite
|
Clears rewriting statistics.
|
module module
|
(Optional) Clears statistics for the specified module type.
The available options for the module variable are as follows:
• all—All CPUs
• fdu—FDU CPU
• ssl1—SSL1 CPU
• tcp1—TCP1 CPU
• tcp2—TCP2 CPU
|
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release
|
Modification
|
SSL Services Module Release 3.1(1)
|
Support for this command was introduced on the Catalyst 6500 series SSL Services Module.
|
Usage Guidelines
To reset all the content statistics that the SSL Services Module maintains, use the clear ssl-proxy content all command.
Examples
This example shows how to clear all of the content statistics:
ssl-proxy# clear ssl-proxy content all
clear ssl-proxy session
To clear all entries from the session cache, use the clear ssl-proxy session command.
clear ssl-proxy session [service [name] [context name [module [module]]]]
Syntax Description
context name
|
(Optional) Clears the session cache for a specific context.
|
module module
|
(Optional) Clears session cache for the specified module type.
The available options for the module variable are as follows:
• all—All CPUs
• fdu—FDU CPU
• ssl1—SSL1 CPU
• tcp1—TCP1 CPU
• tcp2—TCP2 CPU
|
service name
|
(Optional) Clears the session cache for the specified service.
|
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release
|
Modification
|
SSL Services Module Release 1.2(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
SSL Services Module Release 3.1(1)
|
This command was changed to add the following keywords:
• context name
• module module
|
Usage Guidelines
To clear all entries from the session cache for all services, use the clear ssl-proxy session command without options.
Examples
This example shows how to clear the entries from the session cache for the specified service on the SSL Services Module:
ssl-proxy# clear ssl-proxy session service S6
This example shows how to clear all entries in the session cache that are maintained on the SSL Services Module:
ssl-proxy# clear ssl-proxy session
clear ssl-proxy stats
To reset the statistics counters that are maintained in the different system components on the SSL Services Module, use the clear ssl-proxy stats command.
clear ssl-proxy stats [context [name] | crypto | fdu | hdr | ipc | module [module] | pki | service |
ssl | tcp | url]
Syntax Description
context
|
(Optional) Clears statistics information about the context.
|
name
|
(Optional) Specifies the name of the context.
|
crypto
|
(Optional) Clears statistics information about the crypto.
|
fdu
|
(Optional) Clears statistics information about the FDU.
|
hdr
|
(Optional) Clears statistics information about HTTP header insertion.
|
ipc
|
(Optional) Clears statistics information about the inter-process communications (IPC).
|
module module
|
(Optional) Clears statistics information about the specified module type.
The available options for the module variable are as follows:
• all—All CPUs
• fdu—FDU CPU
• ssl1—SSL1 CPU
• tcp1—TCP1 CPU
• tcp2—TCP2 CPU
|
pki
|
(Optional) Clears information about the public key infrastruture (PKI).
|
service name
|
(Optional) Clears statistics information for a specific service.
|
ssl
|
(Optional) Clears statistics information about the SSL.
|
tcp
|
(Optional) Clears statistics information about the TCP.
|
url
|
(Optional) Clears statistics information about URL rewrite.
|
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release
|
Modification
|
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
SSL Services Module Release 3.1(1)
|
This command was changed to add the following keywords:
• context name
• hdr
• module module
• url
|
Usage Guidelines
To reset all the statistics counters that the SSL Services Module maintains, use the clear ssl-proxy stats command without options.
Examples
This example shows how to reset the statistics counters that are maintained in the different system components on the SSL Services Module:
ssl-proxy# clear ssl-proxy stats crypto
ssl-proxy# clear ssl-proxy stats ipc
ssl-proxy# clear ssl-proxy stats pki
ssl-proxy# clear ssl-proxy stats service S6
This example shows how to clear all the statistic counters that the SSL Services Module maintains:
ssl-proxy# clear ssl-proxy stats
crypto pki export pem
To export privacy-enhanced mail (PEM) files from the SSL Services Module, use the crypto pki export pem command.
crypto pki export trustpoint_label pem {terminal {des | 3des} {url url}} pass_phrase
Syntax Description
trustpoint-label
|
Name of the trustpoint.
|
terminal
|
Displays the request on the terminal.
|
des
|
Specifies the 56-bit DES-CBC encryption algorithm.
|
3des
|
Specifies the 168-bit DES (3DES) encryption algorithm.
|
url url
|
Specifies the URL location. Valid values are as follows:
• ftp:—Exports to the FTP: file system
• null:—Exports to the NULL: file system
• nvram:—Exports to the NVRAM: file system
• rcp:—Exports to the RCP: file system
• scp:—Exports to the SCP: file system
• system:—Exports to the system: file system
• tftp:—Exports to the TFTP: file system
|
pass-phrase
|
Pass phrase that is used to protect the private key.
|
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
Release
|
Modification
|
SSL Services Module Release 1.2(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
SSL Services Module Release 3.1(1)
|
The syntax for this command changed from crypto ca to crypto pki.
|
Usage Guidelines
The pass_phrase can be any phrase including spaces and punctuation except for the question mark (?), which has a special meaning to the Cisco IOS parser.
Pass-phrase protection associates a pass phrase with the key. The pass phrase is used to encrypt the key when it is exported. When this key is imported, you must enter the same pass phrase to decrypt it.
A key that is marked as unexportable cannot be exported.
You can change the default file extensions when prompted. The default file extensions are as follows:
•
public key (.pub)
•
private key (.prv)
•
certificate (.crt)
•
CA certificate (.ca)
•
signature key (-sign)
•
encryption key (-encr)
Note
In SSL software release 1.2, only the private key (.prv), the server certificate (.crt), and the issuer CA certificate (.ca) of the server certificate are exported. To export the whole certificate chain, including all the CA certificates, use a PKCS12 file instead of PEM files.
Examples
This example shows how to export a PEM-formatted file on the SSL Services Module:
ssl-proxy(config)# crypto ca export TP5 pem url tftp://10.1.1.1/tp99 3des password
% Exporting CA certificate...
Address or name of remote host [10.1.1.1]?
Destination filename [tp99.ca]?
% File 'tp99.ca' already exists.
% Do you really want to overwrite it? [yes/no]: yes
!Writing file to tftp://10.1.1.1/tp99.ca!
Usage: General Purpose Key
% Exporting private key...
Address or name of remote host [10.1.1.1]?
Destination filename [tp99.prv]?
% File 'tp99.prv' already exists.
% Do you really want to overwrite it? [yes/no]: yes
!Writing file to tftp://10.1.1.1/tp99.prv!
% Exporting router certificate...
Address or name of remote host [10.1.1.1]?
Destination filename [tp99.crt]?
% File 'tp99.crt' already exists.
% Do you really want to overwrite it? [yes/no]: yes
!Writing file to tftp://10.1.1.1/tp99.crt!
Related Commands
crypto pki import pem
crypto pki import pem
To import a PEM-formatted file to the SSL Services Module, use the crypto pki import pem command.
crypto pki import trustpoint_label pem [exportable] {terminal | url url | usage-keys}
pass_phrase
Syntax Description
trustpoint-label
|
Name of the trustpoint.
|
exportable
|
(Optional) Specifies the key that can be exported.
|
terminal
|
Displays the request on the terminal.
|
url url
|
Specifies the URL location. Valid values are as follows:
• ftp:—Exports to the FTP: file system
• null:—Exports to the null: file system
• nvram:—Exports to the NVRAM: file system
• rcp:—Exports to the RCP: file system
• scp:—Exports to the SCP: file system
• system:—Exports to the system: file system
• tftp:—Exports to the TFTP: file system
|
pass_phrase
|
Pass phrase.
|
usage-keys
|
Specifies that two special-usage key pairs should be generated, instead of one general-purpose key pair.
|
Defaults
This command has no default settings.
Command History
Global configuration
Command History
Release
|
Modification
|
SSL Services Module Release 1.2(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
SSL Services Module Release 3.1(1)
|
The syntax for this command changed from crypto ca to crypto pki.
|
Usage Guidelines
You will receive an error if you enter the pass phrase incorrectly. The pass_phrase can be any phrase including spaces and punctuation except for the question mark (?), which has a special meaning to the Cisco IOS parser.
Pass-phrase protection associates a pass phrase with the key. The pass phrase is used to encrypt the key when it is exported. When this key is imported, you must enter the same pass phrase to decrypt it.
When importing RSA keys, you can use a public key or its corresponding certificate.
The crypto pki import pem command imports only the private key (.prv), the server certificate (.crt), and the issuer CA certificate (.ca). If you have more than one level of CA in the certificate chain, you need to import the root and subordinate CA certificates before this command is issued for authentication. Use cut-and-paste or TFTP to import the root and subordinate CA certificates.
Examples
This example shows how to import a PEM-formatted file from the SSL Services Module:
ssl-proxy(config)# crypto pki import TP5 pem url tftp://10.1.1.1/TP5 password
% Importing CA certificate...
Address or name of remote host [10.1.1.1]?
Destination filename [TP5.ca]?
Reading file from tftp://10.1.1.1/TP5.ca
Loading TP5.ca from 10.1.1.1 (via Ethernet0/0.168): !
% Importing private key PEM file...
Address or name of remote host [10.1.1.1]?
Destination filename [TP5.prv]?
Reading file from tftp://10.1.1.1/TP5.prv
Loading TP5.prv from 10.1.1.1 (via Ethernet0/0.168): !
% Importing certificate PEM file...
Address or name of remote host [10.1.1.1]?
Destination filename [TP5.crt]?
Reading file from tftp://10.1.1.1/TP5.crt
Loading TP5.crt from 10.1.1.1 (via Ethernet0/0.168): !
% PEM files import succeeded.
*Apr 11 15:11:29.901: %SYS-5-CONFIG_I: Configured from console by console
Related Commands
crypto pki export pem
crypto pki export pkcs12
To export a PKCS12 file from the SSL Services Module, use the crypto pki export pkcs12 command.
crypto pki export trustpoint_label pkcs12 file_system [pkcs12_filename] pass_phrase
Syntax Description
trustpoint_label
|
Specifies the trustpoint label.
|
file_system
|
Specifies the file system. Valid values are scp:, ftp:, nvram:, rcp:, and tftp:
|
pkcs12_filename
|
(Optional) Specifies the name of the PKCS12 file to import.
|
pass_phrase
|
Specifies the pass phrase of the PKCS12 file.
|
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
Release
|
Modification
|
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
SSL Services Module Release 3.1(1)
|
The syntax for this command changed from crypto ca to crypto pki.
|
Usage Guidelines
Imported key pairs cannot be exported.
If you are using SSH, we recommend using SCP (secure file transfer) when exporting a PKCS12 file. SCP authenticates the host and encrypts the transfer session.
If you do not specify pkcs12_filename, you will be prompted to accept the default filename (the default filename is the trustpoint_label) or enter the filename. For the ftp: or tftp: value, include the full path in the pkcs12_filename.
You will receive an error if you enter the pass phrase incorrectly.
If there is more than one level of CA, the root CA and all the subordinate CA certificates are exported in the PKCS12 file.
Examples
This example shows how to export a PKCS12 file using SCP:
ssl-proxy(config)# crypto pki export TP1 pkcs12 scp: sky is blue
Address or name of remote host []? 10.1.1.1
Destination username [ssl-proxy]? admin-1
Destination filename [TP1]? TP1.p12
Writing TP1.p12 Writing pkcs12 file to scp://admin-1@10.1.1.1/TP1.p12
CRYPTO_PKI:Exported PKCS12 file successfully.
crypto pki import pkcs12
To import a PKCS12 file to the SSL Services Module, use the crypto pki import pkcs12 command.
crypto pki import trustpoint_label pkcs12 file_system [pkcs12_filename] pass_phrase
Syntax Description
trustpoint_label
|
Name of the trustpoint who issues the certificate that a user is going to export. When you export the PKCS12 file, the trustpoint name is the RSA key name.
|
file_system
|
Specifies the file system. Valid values are as follows:
• ftp:—Imports from the FTP: file system
• nvram:—Imports from the NVRAM: file system
• rcp:—Imports from the RCP: file system
• scp:—Imports from the SCP: file system
• tftp:—Imports from the TFTP: file system
|
pkcs12_filename
|
(Optional) Specifies the name of the PKCS12 file to import.
|
pass_phrase
|
Passphrase that is used to encrypt the PKCS12 file for export.
|
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
Release
|
Modification
|
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
SSL Services Module Release 3.1(1)
|
The syntax for this command changed from crypto ca to crypto pki.
|
Usage Guidelines
If you are using SSH, we recommend using SCP (secure file transfer) when importing a PKCS12 file. SCP authenticates the host and encrypts the transfer session.
If you do not specify pkcs12_filename, you will be prompted to accept the default filename (the default filename is the trustpoint_label) or to enter the filename. For the ftp: or tftp: value, include the full path in the pkcs12_filename.
You will receive an error if you enter the pass phrase incorrectly.
If there is more than one level of CA, the root CA and all the subordinate CA certificates are exported in the PKCS12 file.
Security Measures
Keep the PKCS12 file stored in a secure place with restricted access.
An RSA keypair is more secure than a passphrase because the private key in the key pair is not known by multiple parties. When you export an RSA key pair to a PKCS#12 file, the RSA key pair now is only as secure as the passphrase.
To create a good passphrase, be sure to include numbers, as well as both lowercase and uppercase letters. Avoid publicizing the passphrase by mentioning it in e-mail or cell phone communications because the information could be accessed by an unauthorized user.
Examples
This example shows how to import a PKCS12 file using SCP:
ssl-proxy(config)# crypto pki import TP2 pkcs12 scp: sky is blue
Address or name of remote host []? 10.1.1.1
Source username [ssl-proxy]? admin-1
Source filename [TP2]? /users/admin-1/pkcs12/TP2.p12
Sending file modes:C0644 4379 TP2.p12
*Aug 22 12:30:00.531:%CRYPTO-6-PKCS12IMPORT_SUCCESS:PKCS #12 Successfully Imported.
crypto key generate rsa (CA)
To generate RSA key pairs, use the crypto key generate rsa command in global configuration mode.
crypto key generate rsa [usage-keys | general-keys] [key-pair-label]
Syntax Description
usage-keys
|
(Optional) Specifies that two special-usage key pairs should be generated, instead of one general-purpose key pair.
|
general-keys
|
(Optional) Specifies that the general-purpose key pair should be generated.
|
key-pair-label
|
Optional) Specifies the name of the key pair that router will use. (If this argument is enabled, you must specify either usage-keys or general-keys.)
|
Defaults
Rivest, Shamir, and Adelman (RSA) key pairs do not exist.
If key-pair-label is not specified, the fully qualified domain name (FQDN) of the router is used and general-purpose keys are generated.
Command Modes
Global configuration mode
Command History
Release
|
Modification
|
11.3 T
|
This command was introduced.
|
12.2(8)T
|
The general-keys keyword and the key-pair-label argument were added.
|
Usage Guidelines
Use this command to generate RSA key pairs for your Cisco device (such as a router).
RSA keys are generated in pairs—one public RSA key and one private RSA key.
If your router already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.
Note
Before issuing this command, ensure your router has a host name and IP domain name configured (with the hostname and ip domain-name commands). You will be unable to complete the crypto key generate rsa command without a host name and IP domain name. (This is not true only when you generate a named-key-pair.)
This command is not saved in the router configuration; however, the keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device).
There are two mutually exclusive styles of RSA key pairs: special-usage keys and general-purpose keys. When you generate RSA key pairs, you will be prompted to select either generate special-usage keys or general-purpose keys.
Examples
Special-Usage Keys
If you generate special-usage keys, two pairs of RSA keys will be generated. One pair will be used with any Internet Key Exchange (IKE) policy that specifies RSA signatures as the authentication method, and the other pair used with any IKE policy that specifies RSA-encrypted nonces as the authentication method. (You configure RSA signatures or RSA-encrypted nonces in your IKE policies as described in the Cisco IOS Security Configuration Guide.)
A certification authority (CA) is used only with IKE policies specifying RSA signatures, not with IKE policies specifying RSA-encrypted nonces. (However, you could specify more than one IKE policy and have RSA signatures specified in one policy and RSA-encrypted nonces in another policy.)
If you plan to have both types of RSA authentication methods in your IKE policies, you might prefer to generate special-usage keys. With special-usage keys, each key is not unnecessarily exposed. (Without special-usage keys, one key is used for both purposes, increasing that key's exposure.)
General-Purpose Keys
If you generate general-purpose keys, only one pair of RSA keys will be generated. This pair will be used with IKE policies specifying either RSA signatures or RSA-encrypted nonces. Therefore, a general-purpose key pair might be used more frequently than a special-usage key pair.
Named Key Pairs
If you generate a named key pair using the key-pair-label argument, you must also specify the usage-keys keyword or the general-keys keyword. Named key pairs allow you to have multiple RSA key pairs, enabling the Cisco IOS software to maintain a different key pair for each identity certificate.
Modulus Length
When you generate RSA keys, you will be prompted to enter a modulus length. A longer modulus could offer stronger security but takes longer to generate (see Table 1 for sample times) and takes longer to use. A length of less than 512 bits is normally not recommended. (In certain situations, the shorter modulus may not function properly with IKE, so Cisco recommends using a minimum modulus of 1024 bits.)
Table 1 Sample Times Required to Generate RSA Keys
| |
Modulus Length
|
Router
|
360 bits
|
512 bits
|
1024 bits
|
2048 bits
|
Cisco 2500
|
11 seconds
|
20 seconds
|
4 minutes, 38 seconds
|
longer than 1 hour
|
Cisco 4700
|
less than 1 second
|
1 second
|
4 seconds
|
50 seconds
|
Examples
The following example generates special-usage RSA keys.
crypto key generate rsa usage-keys
The name for the keys will be: myrouter.example.com
Choose the size of the key modulus in the range of 360 to 2048 for your Signature Keys.
Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[512]? <return>
Generating RSA keys.... [OK].
Choose the size of the key modulus in the range of 360 to 2048 for your Encryption Keys.
Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[512]? <return>
Generating RSA keys.... [OK].
The following example generates general-purpose RSA keys. (Note, you cannot generate both special-usage and general-purpose keys; you can generate only one or the other.)
The name for the keys will be: myrouter.example.com
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose
Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[512]? <return>
Generating RSA keys.... [OK].
The following example generates the general-purpose RSA key pair "exampleCAkeys":
crypto key generate rsa general-purpose exampleCAkeys
crypto ca trustpoint exampleCAkeys
enroll url http://exampleCAkeys/certsrv/mscep/mscep.dll
rsakeypair exampleCAkeys 1024 1024
Related Commands
Command
|
Description
|
|
Specifies which key pair to associate with the certificate.
|
crypto key zeroize rsa
To delete all RSA keys from your router, use the crypto key zeroize rsa command in global configuration mode.
crypto key zeroize rsa [key-pair-label]
Syntax Description
key-pair-label
|
(Optional) Specifies the name of the key pair that router will delete.
|
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Release
|
Modification
|
11.3 T
|
This command was introduced.
|
12.2(8)T
|
The key-pair-label argument was added.
|
Usage Guidelines
This command deletes all Rivest, Shamir, and Adelman (RSA) keys that were previously generated by your router unless you include the key-pair-label argument, which will delete only the specified RSA key pair. If you issue this command, you must also perform two additional tasks for each trustpoint that is associated with the key pair that was deleted:
•
Ask the certification authority (CA) administrator to revoke your router's certificates at the CA; you must supply the challenge password you created when you originally obtained the router's certificates using the crypto ca enroll command.
•
Manually remove the router's certificates from the configuration by removing the configured trustpoint (using the no crypto ca trustpoint name command.)
Note
This command cannot be undone (after you save your configuration), and after RSA keys have been deleted, you cannot use certificates or the CA or participate in certificate exchanges with other IP Security (IPSec) peers unless you reconfigure CA interoperability by regenerating RSA keys, getting the CA's certificate, and requesting your own certificate again.
This command is not saved to the configuration.
Examples
The following example deletes the general-purpose RSA key pair that was previously generated for the router. After deleting the RSA key pair, the administrator contacts the CA administrator and requests that the router's certificate be revoked. The administrator then deletes the router's certificate from the configuration.
crypto ca certificate chain
Related Commands
Command
|
Description
|
certificate
|
Adds certificates manually.
|
crypto ca certificate chain
|
Enters the certificate chain configuration mode.
|
crypto ca trustpoint
|
Declares the CA that your router should use.
|
|
Specifies which key pair to associate with the certificate.
|
crypto key decrypt rsa
To delete the encrypted key and leave only the unencrypted key, use the crypto key decrypt rsa command.
crypto key decrypt [write] rsa [name key-name] passphrase passphrase
Syntax Description
write
|
(Optional) Writes the configuration to the startup configuration.
|
name key-name
|
(Optional) Name of the key.
|
passphrase passphrase
|
Pass phrase.
|
Defaults
This command has no default settings.
Command Modes
Global configuration mode
Command History
Release
|
Modification
|
SSL Services Module Release 3.1(1)
|
Support for this command was introduced on the Catalyst 6500 series SSL Services Module.
|
Usage Guidelines
Entering the write keyword immediately saves the unencrypted key to NVRAM. If you do not enter the write keyword, you must manually write the configuration to NVRAM; otherwise, the key remains encrypted the next time that the router is reloaded.
Examples
This example shows how to display the administration VLAN and related IP and gateway addresses:
ssl-proxy(config)# crypto key decrypt rsa name pki1-72a.cisco.com passphrase cisco1234
WARNING: Configuration with decrypted key not saved.
Please save it manually as soon as possible to
ssl-proxy# show crypto key mypubkey rsa
Key name: pki1-72a.cisco.com
Usage: General Purpose Key
30819F30 0D06092A 864886F7 0D010101 05000381
% Key pair was generated at: 15:42:15 PST Jun
Related Commands
crypto key encrypt rsa
crypto key lock rsa
crypto key unlock rsa
crypto key encrypt rsa
To encrypt the RSA keys, use the crypto key encrypt rsa command.
crypto key encrypt [write] rsa [name key-name] passphrase passphrase
Syntax Description
write
|
(Optional) Writes the configuration to the startup configuration.
|
name key-name
|
(Optional) Name of the key.
|
passphrase passphrase
|
Pass phrase.
|
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
Release
|
Modification
|
SSL Services Module Release 3.1(1)
|
Support for this command was introduced on the Catalyst 6500 series SSL Services Module.
|
Usage Guidelines
After you enter this command, the router can continue to use the key; the key remains unlocked.
If you do not enter the write keyword, you must manually write the configuration to NVRAM; otherwise, the encrypted key will be lost the next time that the router is reloaded.
Examples
This example shows how to encrypt the RSA key "pki1-72a.cisco.com." Enter the show crypto key mypubkey rsa command to verify that the RSA key is encrypted (protected) and unlocked.
ssl-proxy(config)# crypto key encrypt rsa name pki1-72a.cisco.com passphrase cisco1234
ssl-proxy# show crypto key mypubkey rsa
Key name:pki1-72a.cisco.com
Usage:General Purpose Key
*** The key is protected and UNLOCKED. ***
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00E0CC9A 1D23B52C
% Key pair was generated at:00:15:32 GMT Jun 25 2003
Related Commands
crypto key decrypt rsa
crypto key lock rsa
crypto key unlock rsa
crypto key export rsa pem
To export a PEM-formatted RSA key to the SSL Services Module, use the crypto key export rsa pem command.
crypto key export rsa keylabel pem {terminal | url url} {{3des | des} [exportable] pass_phrase}
Syntax Description
keylabel
|
Name of the key.
|
terminal
|
Displays the request on the terminal.
|
url url
|
Specifies the URL location. Valid values are as follows:
• ftp:—Exports to the FTP: file system
• null:—Exports to the null: file system
• nvram:—Exports to the NVRAM: file system
• rcp:—Exports to the RCP: file system
• scp:—Exports to the SCP: file system
• system:—Exports to the system: file system
• tftp:—Exports to the TFTP: file system
|
3des
|
Specifies the 168-bit DES (3DES) encryption algorithm.
|
des
|
Specifies the 56-bit DES-CBC encryption algorithm.
|
exportable
|
(Optional) Specifies that the key can be exported.
|
pass_phrase
|
Pass phrase.
|
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
Release
|
Modification
|
SSL Services Module Release 1.2(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
Usage Guidelines
The pass phrase can be any phrase including spaces and punctuation except for the question mark (?), which has a special meaning to the Cisco IOS parser.
Pass-phrase protection associates a pass phrase with the key. The pass phrase is used to encrypt the key when it is exported. When this key is imported, you must enter the same pass phrase to decrypt it.
Examples
This example shows how to export a key from the SSL Services Module:
ssl-proxy(config)# crypto key export rsa test-keys pem url scp: 3des password
Usage:General Purpose Key
Address or name of remote host []? 7.0.0.7
Destination username [ssl-proxy]? lab
Destination filename [test-keys.pub]?
Writing test-keys.pub Writing file to scp://lab@7.0.0.7/test-keys.pub
Address or name of remote host []? 7.0.0.7
Destination username [ssl-proxy]? lab
Destination filename [test-keys.prv]?
Writing test-keys.prv Writing file to scp://lab@7.0.0.7/test-keys.prv
crypto key import rsa pem
To import a PEM-formatted RSA key from an external system, use the crypto key import rsa pem command.
crypto key import rsa keylabel pem [usage-keys] {terminal | url url} [exportable] passphrase
Syntax Description
keylabel
|
Name of the key.
|
usage-keys
|
(Optional) Specifies that two special-usage key pairs should be generated, instead of one general-purpose key pair.
|
terminal
|
Displays the request on the terminal.
|
url url
|
Specifies the URL location. Valid values are as follows:
• ftp:—Imports from the FTP: file system
• null:—Imports from the null: file system
• nvram:—Imports from the NVRAM: file system
• rcp:—Imports from the RCP: file system
• scp:—Imports from the SCP: file system
• system:—Imports from the system: file system
• tftp:—Imports from the TFTP: file system
|
exportable
|
(Optional) Specifies that the key can be exported.
|
passphrase
|
Pass phrase.
|
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
Release
|
Modification
|
SSL Services Module Release 1.2(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
Usage Guidelines
The pass phrase can be any phrase including spaces and punctuation except for the question mark (?), which has a special meaning to the Cisco IOS parser.
Pass-phrase protection associates a pass phrase with the key. The pass phrase is used to encrypt the key when it is exported. When this key is imported, you must enter the same pass phrase to decrypt it.
Examples
This example shows how to import a PEM-formatted RSA key from an external system and export the PEM-formatted RSA key to the SSL Services Module:
ssl-proxy(config)# crypto key import rsa newkeys pem url scp: password
% Importing public key or certificate PEM file...
Address or name of remote host []? 7.0.0.7
Source username [ssl-proxy]? lab
Source filename [newkeys.pub]? test-keys.pub
Sending file modes:C0644 272 test-keys.pub
Reading file from scp://lab@7.0.0.7/test-keys.pub!
% Importing private key PEM file...
Address or name of remote host []? 7.0.0.7
Source username [ssl-proxy]? lab
Source filename [newkeys.prv]? test-keys.prv
Sending file modes:C0644 963 test-keys.prv
Reading file from scp://lab@7.0.0.7/test-keys.prv!% Key pair import succeeded.
crypto key lock rsa
To lock the encrypted private key, use the crypto key lock rsa command.
crypto key lock rsa [name key-name] passphrase passphrase
Syntax Description
name key-name
|
(Optional) Name of the key.
|
passphrase passphrase
|
Pass phrase.
|
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release
|
Modification
|
SSL Services Module Release 3.1(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
Usage Guidelines
After the key is locked, it cannot be used to authenticate the router to a peer device. This behavior disables any IPsec or SSL connections that use the locked key.
Any existing IPsec tunnels created on the basis of the locked key will be closed.
If all RSA keys are locked, SSH will automatically be disabled.
Examples
This example shows how to lock the key "pki1-72a.cisco.com." Enter the show crypto key mypubkey rsa command to verify that the key is protected (encrypted) and locked.
ssl-proxy# crypto key lock rsa name pki1-72a.cisco.com passphrase cisco1234
ssl-proxy# show crypto key mypubkey rsa
Key name:pki1-72a.cisco.com
Usage:General Purpose Key
*** The key is protected and LOCKED. ***
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D7808D C5FF14AC
% Key pair was generated at: 16:00:11 PST Feb 28 2002
Related Commands
crypto key decrypt rsa
crypto key encrypt rsa
crypto key unlock rsa
crypto key unlock rsa
To unlock the encrypted private key, use the crypto key unlock rsa command.
crypto key unlock rsa [name key-name] passphrase passphrase
Syntax Description
name key-name
|
(Optional) Name of the key.
|
passphrase passphrase
|
Pass phrase.
|
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release
|
Modification
|
SSL Services Module Release 3.1(1)
|
Support for this command was introduced on the Catalyst 6500 series SSL Services Module.
|
Examples
This example shows how to lock the key "pki1-72a.cisco.com." Enter the show crypto key mypubkey rsa command to verify that the key is protected (encrypted) and locked.
ssl-proxy# crypto key unlock rsa name pki1-72a.cisco.com passphrase cisco1234
*Jun 18 00:26:08.275: %STE-5-UPDOWN: ssl-proxy service vip1 changed state to UP
ssl-proxy# show crypto key mypubkey rsa
Key name:pki1-72a.cisco.com
Usage:General Purpose Key
*** The key is protected and UNLOCKED. ***
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D7808D C5FF14AC
% Key pair was generated at: 16:00:11 PST Feb 28 2002
Related Commands
crypto key decrypt rsa
crypto key encrypt rsa
crypto key lock rsa
debug ssl-proxy
To turn on the debug flags in different system components, use the debug ssl-proxy command. Use the no form of this command to turn off the debug flags.
debug ssl-proxy {app | content [type] | fdu [type] | flash [module [module]] | health-probe | ipc |
pki [type] | ssl [type] | tcp [type] | vlan}
Syntax Description
app
|
Turns on App debugging.
|
content type
|
Turns on content debugging; (optional) type valid values are detail, error, ipc, module module, rewriting, and scanning. See the "Usage Guidelines" section for additional information.
|
fdu type
|
Turns on FDU debugging; (optional) type valid values are cli, hash, ipc, and trace. See the "Usage Guidelines" section for additional information.
|
flash
|
Turns on Flash debugging.
|
module module
|
Specifies the module to be debugged.
The available options for the module variable are as follows:
• fdu—FDU CPU
• ssl1—SSL1 CPU
• tcp1—TCP1 CPU
|
health-probe
|
Turns on health probe debugging.
|
ipc
|
Turns on IPC debugging.
|
pki type
|
Turns on PKI debugging; (optional) type valid values are cert, events, history, ipc, and key. See the "Usage Guidelines" section for additional information.
|
ssl type
|
Turns on SSL debugging; (optional) type valid values are alert, error, handshake, and pkt. See the "Usage Guidelines" section for additional information.
|
tcp type
|
Turns on TCP debugging; (optional) type valid values are event, packet, state, and timers. See the "Usage Guidelines" section for additional information.
|
vlan
|
Turns on VLAN debugging.
|
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release
|
Modification
|
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
SSL Services Module Release 3.1(1)
|
This command was changed to add the following keywords:
• content type
• flash
• health-probe
• module module
• vlan
|
Usage Guidelines
The content type includes the following values:
•
detail—content detail
•
error—content error
•
ipc—content ipc
•
module module—module to be debugged; module includes the following values:
–
fdu—fdu cpu
–
ssl1—ssl1 cpu
–
tcp1—tcp1 cpu
•
rewriting—content rewriting
•
scanning—content scanning
The fdu type includes the following values:
•
cli—Debugs the FDU CLI.
•
hash—Debugs the FDU hash.
•
ipc —Debugs the FDU IPC.
•
trace—Debugs the FDU trace.
The pki type includes the following values:
•
certs—Debugs the certificate management.
•
events—Debugs events.
•
history—Debugs the certificate history.
•
ipc—Debugs the IPC messages and buffers.
•
key—Debugs key management.
The ssl type includes the following values:
•
alert—Debugs the SSL alert events.
•
error—Debugs the SSL error events.
•
handshake—Debugs the SSL handshake events.
•
pkt—Debugs the received and transmitted SSL packets.
Note
Use the TCP debug commands only to troubleshoot basic connectivity issues under little or no load conditions (for instance, when no connection is being established to the virtual server or real server).
If you run TCP debug commands, the TCP module displays large amounts of debug information on the console, which can significantly slow down module performance. Slow module performance can lead to delayed processing of TCP connection timers, packets, and state transitions.
The tcp type includes the following values:
•
events—Debugs the TCP events.
•
pkt—Debugs the received and transmitted TCP packets.
•
state—Debugs the TCP states.
•
timers—Debugs the TCP timers.
Examples
This example shows how to turn on App debugging:
ssl-proxy# debug ssl-proxy app
This example shows how to turn on FDU debugging:
ssl-proxy# debug ssl-proxy fdu
This example shows how to turn on IPC debugging:
ssl-proxy# debug ssl-proxy ipc
This example shows how to turn on PKI debugging:
ssl-proxy# debug ssl-proxy pki
This example shows how to turn on SSL debugging:
ssl-proxy# debug ssl-proxy ssl
This example shows how to turn on TCP debugging:
ssl-proxy# debug ssl-proxy tcp
This example shows how to turn off TCP debugging:
ssl-proxy# no debug ssl-proxy tcp
do
To execute EXEC-level commands from global configuration mode or other configuration modes or submodes, use the do command.
do command
Syntax Description
command
|
EXEC-level command to be executed.
|
Defaults
This command has no default settings.
Command Modes
Global configuration or any other configuration mode or submode from which you are executing the EXEC-level command.
Command History
Release
|
Modification
|
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
Usage Guidelines
Caution 
Do not enter the
do command in EXEC mode. Interruption of service may occur.
You cannot use the do command to execute the configure terminal command because entering the configure terminal command changes the mode to configuration mode.
You cannot use the do command to execute the copy or write command in the global configuration or any other configuration mode or submode.
Examples
This example shows how to execute the EXEC-level show interfaces command from within global configuration mode:
ssl-proxy(config)# do show interfaces serial 3/0
Serial3/0 is up, line protocol is up
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation HDLC, loopback not set, keepalive set (10 sec)
Last input never, output 1d17h, output hang never
Last clearing of "show interface" counters never
interface ssl-proxy
To enter the subinterface configuration submode, use the interface ssl-proxy command. In interface configuration submode, you can configure a subinterface for the SSL Services Module.
Note
The ssl-proxy0 interface is enabled by default and should not be shut down or otherwise configured.
interface 0.subinterface-number
Syntax Description
subinterface-number
|
Subinterface ID; valid values are from 0 to 4294967295.
|
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
Release
|
Modification
|
SSL Services Module Release 3.1(1)
|
Support for this command was introduced on the Catalyst 6500 series SSL Services Module.
This command replaces the ssl-proxy vlan command.
|
Usage Guidelines
When you upgrade to SSL software release 3.x from SSL software release 2.x or 1.x, the VLAN configuration is converted automatically to an subinterface configuration. For example, ssl-proxy vlan 3 is converted to interface ssl-proxy0.3.
Note
The ssl-proxy0 interface is enabled by default and should not be shut down or otherwise configured.
Table 2-2 lists the commands that are available in subinterface configuration submode.
Table 2-2 Subinterface Configuration Submode Command Descriptions
Syntax
|
Description
|
default
|
Sets a command to its defaults.
|
description
|
Allows you to enter a description for the subinterface.
|
encapsulation dot1q vlan_ID [native]
|
Sets the encapsulation type for the interface. Enter the native keyword to make this a native VLAN.
|
exit
|
Exits from the subinterface configuration submode.
|
ip address ipaddress subnet [secondary]
|
Configures the subinterface with an IP address and a subnet mask. Enter the secondary keywork to make this IP address a secondary address.
|
no
|
Negates a command or sets its defaults.
|
[no] shutdown
|
Shuts down the subinterface. Use the no form of this command to put the subinterface in service.
|
standby [group-number] {authentication text string} | {delay minimum [min-delay] reload [reload-delay]} | {ip [ip-address [secondary]]} | {mac-address mac-address} | {mac-refresh seconds} | {name group-name} | {preempt [delay{minimum delay | reload delay | sync delay}]} | {priority priority} | {redirects [enable | disable] [timers advertisement holddown] [unknown]} | {timers [msec] hellotime [msec] holdtime} | {track object-number [decrement priority]} | [version {1 | 2}]
|
Configures redundancy on the subinterface. See the following commands for valid values:
• standby authentication
• standby delay minimum reload
• standby ip
• standby mac-address
• standby mac-refresh
• standby name
• standby preempt
• standby priority
• standby redirects
• standby timers
• standby track
• standby use-bia
• standby version
|
timeout absolute minutes seconds
|
Sets the session timeout values for this interface. Valid values for minutes are from 0 to 71582787 minutes. Valid values for seconds are from 0 to 59 seconds.
|
The valid values for configuring HSRP are as follows:
•
group-number—(Optional) Group number on the interface for which HSRP is being activated; valid values are from 0 to 255 for HSRP version 1; valid values are from 0 to 4095 for HSRP version 2. See the "standby version" section for information about changing the HSRP version. If you do not specify a group-number, group 0 is used.
•
ip ip-addr—Specifies the IP address of the HSRP interface.
•
priority priority— Specifies the priority for the HSRP interface. Increase the priority of at least one interface in the HSRP group. The interface with the highest priority becomes active for that HSRP group.
•
prempt —Enables preemption. When you enable preemption, if the local router has a hot standby priority that is higher than the current active router, the local router attempts to assume control as the active router. If you do not configure preemption, the local router assumes control as the active router only if it receives information indicating that no router is in the active state (acting as the designated router).
•
delay—(Optional) Specifies the preemption delay. When a router first comes up, it does not have a complete routing table. If it is configured to preempt, it becomes the active router but cannot provide adequate routing services. You can configure a delay before the preempting router actually preempts the currently active router.
•
type time—Specifies the preemption type and delay; valid values are as follows:
–
minimum time—Specifies the minimum delay period in delay seconds; valid values are from 0 to 3600 seconds (1 hour).
–
reload time—Specifies the preemption delay after a reload only.
–
sync time—Specifies the maximum synchronization period in delay seconds.
•
timers [msec] hellotime holdtime—Configures the time between hello packets and the time before other routers declare the active hot standby or standby router to be down; valid values are as follows:
–
msec—(Optional) Interval in milliseconds. Millisecond timers allow for faster failover.
–
hellotime—Hello interval (in seconds); valid values are from 1 to 254 seconds. If you specify the msec keyword, the hello interval is in milliseconds; valid values are from 15 to 999 milliseconds. The default is 3 seconds.
–
holdtime—Time (in seconds) before the active or standby router is declared to be down; valid values are from x to 255; x is the hellotime plus 50 milliseconds and is rounded up to the nearest 1 second. If you specify the msec keyword, the holdtime is in milliseconds; valid values are from y to 3000 milliseconds; y is greater than or equal to 3 times the hellotime and is not less than 50 milliseconds. The default is 10 seconds.
Examples
This example shows how to enter the subinterface configuration submode:
ssl-proxy (config)# interface ssl-proxy 0.6
ssl-proxy (config-subif)#
This example shows how to configure the specified subinterface with an IP address and subnet mask:
ssl-proxy (config-subif)# ip address 208.59.100.18 255.0.0.0
ssl-proxy (config-subif)#
This example shows how to configure the HSRP on the SSL module:
ssl-proxy(config)# interface ssl-proxy 0.100
ssl-proxy(config-subif)# ip address 10.1.0.20 255.255.255.0
ssl-proxy(config-subif)# standby 1 ip 10.1.0.21
ssl-proxy(config-subif)# standby 1 priority 110
ssl-proxy(config-subif)# standby 1 preempt
ssl-proxy(config-subif)# standby 2 ip 10.1.0.22
ssl-proxy(config-subif)# standby 2 priority 100
ssl-proxy(config-subif)# standby 2 preempt
ssl-proxy(config-subif)# end
Related Commands
show interfaces ssl-proxy
show ssl-proxy vlan
natpool
To define a pool of IP addresses, which the SSL Services Module uses for implementing the client NAT, use the natpool command.
natpool nat-pool-name start_ip_addr end_ip_addr netmask netmask
Syntax Description
nat-pool-name
|
NAT pool name.
|
start-ip-addr
|
First IP address in the pool.
|
end-ip-addr
|
Last IP address in the pool.
|
netmask netmask
|
Specifies the netmask address.
|
Defaults
This command has no default settings.
Command Modes
Context subcommand mode
Command History
Release
|
Modification
|
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
SSL Services Module Release 3.1(1)
|
The natpool command (entered in context subcommand mode) replaces the ssl-proxy natpool command (entered in global subcommand mode).
|
Examples
This example shows how to define a pool of IP addresses:
ssl-proxy(config)# ssl-proxy context Example
ssl-proxy (config-context)# natpool NP2 207.59.10.01 207.59.10.08 netmask 255.0.0.0
ssl-proxy (config-context)#
Related Commands
show ssl-proxy natpool
policy health-probe tcp
To enter the TCP health probe configuration submode, use the policy health-probe command. In TCP health probe configuration submode, you can define the TCP health probe policy that is applied.
policy health-probe tcp policy-name
Syntax Description
policy-name
|
TCP health probe policy name.
|
Defaults
The defaults are as follows:
•
failed-interval is 60 seconds.
•
interval is 30 seconds.
•
maximum-retry is 0.
•
open-timeout is 80 seconds.
•
port is the port of the server IP address that you configured in the SSL server proxy service.
Command Modes
Context subcommand mode
Command History
Release
|
Modification
|
SSL Services Module Release 3.1(1)
|
Support for this command was introduced on the Catalyst 6500 series SSL Services Module.
|
Usage Guidelines
Table 2-10 lists the commands that are available in TCP health probe policy configuration submode.
Table 2-3 TCP Health Probe Submode Command Descriptions
Syntax
|
Description
|
interval seconds
|
(Optional) Allows you to set the interval between probes in seconds (from the end of the previous probe to the beginning of the next probe) when the server is healthy. The default is 30 seconds. The valid range is from 30 to 300 seconds.
|
failed-interval seconds
|
(Optional) Allows you to set the time between health checks after the service has been marked as failed. The default is 60 seconds. The valid range is from 30 to 3600 seconds.
|
maximum-retry retries
|
(Optional) Sets the number of failed probes that are allowed before marking the service as failed. The default is 0 retries. The valid range is from 1 to 5 retries.
|
open-timeout seconds
|
(Optional) Allows you to set the maximum time to wait to establish a TCP connection. The default is 80 seconds. The valid range is from 70 to 120 seconds.
|
port port_number
|
(Optional) Allows you to configure an optional port for the health probe. Valid values are from 1 to 65535.
By default, the TCP health probe uses the server IP address and port for the SSL server proxy service. Enter the port command to specify a different port for the health probe.
If you configured the SSL server proxy service with no nat server, the TCP health probe uses the virtual IP address that you configured on the SSL server proxy service instead of the server IP address.
Note TCP health probe is not supported when you configure a wildcard proxy and no nat server on the SSL server proxy service.
See the "service" section for information on configuring the SSL server proxy service.
|
Examples
This example shows how to configure TCP health probe to check whether service at port 80 is up and running on server IP address 19.0.0.1:
ssl-proxy(config)# ssl-proxy context ssl
ssl-proxy(config-context)# service ssl-1
ssl-proxy(config-ctx-ssl-proxy)# virtual ipddr 7.100.100.180 protocol tcp port 443
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 19.0.0.1 protocol tcp port 80
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert1024
ssl-proxy(config-ctx-ssl-proxy)# policy health-probe tcp probe1
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# exit
ssl-proxy(config-context)# policy health-probe tcp probe1
ssl-proxy(config-ctx-tcp-probe)# end
This example shows the state of the SSL proxy service when the health probe has failed:
Note
The proxy service is down until service at port 81 is up and running again.
ssl-proxy# show ssl-proxy service ssl-1 context ssl
Service id: 0, bound_service_id: 256
Virtual IP: 7.100.100.180, port: 443
Server IP: 19.0.0.1, port: 81
TCP Health Probe Policy: probe1
rsa-general-purpose certificate trustpoint: cert1024
Certificate chain for new connections:
Key Label: cert1024.key, 1024-bit, exportable
Key Timestamp: 05:18:23 UTC Dec 30 2005
Serial Number: 12F332E200000000000D
Serial Number: 6522F512C30E078447D8AFC35567B101
Certificate chain complete
Proxy status: Health Probe Failed
This example shows how to configure TCP health probe to check whether service at port 81 is up and running on server IP address 19.0.0.1:
ssl-proxy(config-context)# service ssloffload
ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 7.100.100.180 protocol tcp port 443
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 19.0.0.1 protocol tcp port 80
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert1024
ssl-proxy(config-ctx-ssl-proxy)# policy health-probe tcp probe1
ssl-proxy(config-ctx-ssl-proxy)# nat client natpool
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# exit
ssl-proxy(config-context)# policy health-probe tcp probe1
ssl-proxy(config-ctx-tcp-probe)# 81
Warning: Port in the service ssloffload configuration (80) differs from the port in the
health probe configuration (81)
ssl-proxy(config-ctx-tcp-probe)# exit
ssl-proxy(config-context)#
This example shows how to configure TCP health probe to check whether service at port 80 is up and running on virtual IP address 7.100.100.180:
ssl-proxy(config-context)# service ssloffload
ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 7.100.100.180 protocol tcp port 443
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 19.0.0.1 protocol tcp port 80
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert1024
ssl-proxy(config-ctx-ssl-proxy)# policy health-probe tcp probe1
ssl-proxy(config-ctx-ssl-proxy)# no nat server
ssl-proxy(config-ctx-ssl-proxy)# nat client natpool
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# exit
ssl-proxy(config-context)# policy health-probe tcp probe1
ssl-proxy(config-ctx-tcp-probe)# exit
ssl-proxy(config-context)#
This example shows how to configure TCP health probe to check whether service at port 444 is up and running on virtual IP address 7.100.100.180:
ssl-proxy(config-context)# service ssloffload
ssl-proxy(config-ctx-ssl-proxy)# virtual ipaddr 7.100.100.180 protocol tcp port 443
ssl-proxy(config-ctx-ssl-proxy)# server ipaddr 19.0.0.1 protocol tcp port 80
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint cert1024
ssl-proxy(config-ctx-ssl-proxy)# policy health-probe tcp probe1
ssl-proxy(config-ctx-ssl-proxy)# no nat server
ssl-proxy(config-ctx-ssl-proxy)# nat client natpool
ssl-proxy(config-ctx-ssl-proxy)# inservice
ssl-proxy(config-ctx-ssl-proxy)# exit
ssl-proxy(config-context)# policy health-probe tcp probe1
ssl-proxy(config-ctx-tcp-probe)# 444
ssl-proxy(config-ctx-tcp-probe)# exit
Warning: Port in the service ssloffload configuration (80) differs from the port in the
health probe configuration (444)
ssl-proxy(config-context)#
Related Commands
show ssl-proxy policy
show ssl-proxy service
policy http-header
To enter the HTTP header insertion configuration submode, use the policy http-header command.
policy http-header http-header-policy-name
Syntax Description
http-header-policy-name
|
HTTP header policy name.
|
Defaults
This command has no default settings.
Command Modes
Context subcommand mode
Command History
Release
|
Modification
|
SSL Services Module Release 2.1(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
SSL Services Module Release 3.1(1)
|
The policy http-header command (entered in context subcommand mode) replaces the ssl-proxy policy http-header command (entered in global subcommand mode).
This command was changed to add the following submode commands:
• client-cert pem
• alias
|
Usage Guidelines
In HTTP header insertion configuration submode, you can define the HTTP header insertion content policy that is applied to the payload.
HTTP header insertion allows you to insert additional HTTP headers to indicate to the real server that the connection is actually an SSL connection. These headers allow server applications to collect correct information for each SSL session and/or client.
You can insert these header types:
•
Client Certificate—Client certificate header insertion allows the back-end server to see the attributes of the client certificate that the SSL module has authenticated and approved. When you specify client-cert, the SSL module passes the following headers to the back-end server:
Field To Insert
|
Description
|
ClientCert-Valid
|
Certificate validity state
|
ClientCert-Error
|
Error conditions
|
ClientCert-Fingerprint
|
Hash output
|
ClientCert-Subject-CN
|
X.509 subject's common name
|
ClientCert-Issuer-CN
|
X.509 certificate issuer's common name
|
ClientCert-Certificate-Version
|
X.509 certificate version
|
ClientCert-Serial-Number
|
Certificate serial number
|
ClientCert-Data-Signature-Algorithm
|
X.509 hashing and encryption method
|
ClientCert-Subject
|
X.509 subject's distinguished name
|
ClientCert-Issuer
|
X.509 certificate issuer's distinguished name
|
ClientCert-Not-Before
|
Certificate is not valid before this date
|
ClientCert-Not-After
|
Certificate is not valid after this date
|
ClientCert-Public-Key-Algorithm
|
The algorithm used for the public key
|
ClientCert-RSA-Public-Key-Size
|
Size of the RSA public key
|
ClientCert-RSA-Modulus-Size
|
Size of the RSA private key
|
ClientCert-RSA-Modulus
|
RSA modulus
|
ClientCert-RSA-Exponent
|
The public RSA exponent
|
ClientCert-X509v3-Authority-Key-Identifier
|
X.509 authority key identifier
|
ClientCert-X509v3-Basic-Constraints
|
X.509 basic constraints
|
ClientCert-X509v3-Key-Usage
|
X.509 key usage
|
ClientCert-X509v3-Subject-Alternative-Name
|
X.509 subject alternative name
|
ClientCert-X509v3-CRL-Distribution-Points
|
X.509 CRL distribution points
|
ClientCert-X509v3-Authority-Information-Access
|
X.509 authority information access
|
ClientCert-Signature-Algorithm
|
Certificate signature algorithm
|
ClientCert-Signature
|
Certificate signature
|
•
Client Certificate in PEM format—When you specify client-cert pem, the SSL module sends the entire client certificate in PEM format.
•
Client IP and Port Address—Network address translation (NAT) removes the client IP address and port information. When you specify client-ip-port, the SSL module inserts the client IP address and information about the client port into the HTTP header, allowing the server to see the client IP address and port.
•
Custom—When you specify custom custom-string, the SSL module inserts the user-defined header into the HTTP header.
•
Prefix—When you specify prefix prefix-string, the SSL module adds the specified prefix into the HTTP header to enable the server to identify that the connections are coming from the SSL module, not from other appliances.
•
Header alias—Some applications use different names for the standard header. You can create an alias for the standard name of the header so that the same value is passed using the aliased name instead of the standard name that the SSL Services Module sends. If you have specified a prefix for header insertion, the prefix is also applied to the aliased name.
•
SSL Session—Session headers, including the session ID, are used to cache client certificates that are based on the session ID. The session headers are also cached on a session basis if the server wants to track connections that are based on a particular cipher suite. When you specify session, the SSL Services Module passes information specific to an SSL connection to the back-end server in the form of the following session headers.
Field to insert
|
Description
|
Session-Id
|
The SSL session ID
|
Session-Cipher-Name
|
The symmetric cipher suite
|
Session-Cipher-Key-Size
|
The symmetric cipher key size
|
Session-Cipher-Use-Size
|
The symmetric cipher use size
|
Session-Step-Up
|
TRUE if the server presented a stepup certificate and the client renegotiated the cipher; otherwise FALSE
|
Session-Initial-Cipher-Name
|
If Session-Step-Up is TRUE, the initially negotiated cipher name
|
Session-Initial-Cipher-Key-Size
|
If Session-Step-Up is TRUE, the initially negotiated cipher's key size
|
Session-Initial-Cipher-Use-Size
|
If Session-Step-Up is TRUE, the initially negotiated cipher's use size
|
Table 2-4 lists the commands available in HTTP header insertion configuration submode.
Table 2-4 HTTP Header Insertion Configuration Submode Command Descriptions
Syntax
|
Description
|
alias user-defined-name standard-name
|
Specifies the alias name of the header.
Note You can configure only one alias per standard name. You cannot configure the same alias name for multiple standard names.
|
client-cert [pem]
|
Allows the back-end server to see the attributes of the client certificate that the SSL module has authenticated and approved.
Note You can insert the headers listed below by entering the client-cert command, or you can send the entire client certificate in PEM format by entering the client-cert pem command.
Note The client certificate headers, or the client certificate in PEM format, are inserted only if the policy's service is configured for client authentication. The root CA and intermediate CA certificates will not be inserted the when client certificate is inserted in the HTTP header.
|
client-ip-port
|
Inserts the client IP address and information about the client port into the HTTP header, allowing the server to see the client IP address and port.
|
custom custom-string
|
Inserts the custom-string header into the HTTP header. The maximum custom-string length is 239 characters. If this length is exceeded, an "Incomplete command" error will display. If the string includes spaces, you must enclose it in quotes ("").
|
prefix
|
Adds the prefix-string to the HTTP header to enable the server to identify the connections that come from the SSL module, not from other appliances
|
session
|
Passes information that is specific to an SSL connection to the back-end server as session headers.
|
Examples
This example shows how to enter the HTTP header insertion configuration submode:
ssl-proxy(config)# ssl-proxy context s1
ssl-proxy(config-context)# policy http-header test1
ssl-proxy(config-ctx-http-header-policy)#
This example shows how to allow the back-end server to see the attributes of the client certificate that the SSL module has authenticated and approved:
ssl-proxy(config-ctx-http-header-policy)# client-cert
ssl-proxy(config-ctx-http-header-policy)#
This example shows how to insert the client IP address and information about the client port into the HTTP header, allowing the server to see the client IP address and port:
ssl-proxy(config-ctx-http-header-policy)# client-ip-port
ssl-proxy(config-ctx-http-header-policy)#
This example shows how to insert the custom-string header into the HTTP header:
ssl-proxy(config-ctx-http-header-policy)# custom "SOFTWARE VERSION:3.1(1)"
ssl-proxy(config-ctx-http-header-policy)# custom "module:SSL MODULE - CATALYST 6500"
ssl-proxy(config-ctx-http-header-policy)# custom
type-of-proxy:server_proxy_1024_bit_key_size
ssl-proxy(config-ctx-http-header-policy)#
This example shows how to add the prefix-string into the HTTP header:
ssl-proxy(config-ctx-http-header-policy)# prefix SSL-OFFLOAD
ssl-proxy(config-ctx-http-header-policy)#
This example shows how to pass information that is specific to an SSL connection to the back-end server as session headers:
ssl-proxy(config-ctx-http-header-policy)# session
ssl-proxy(config-ctx-http-header-policy)#
This example shows how to create a header alias for the standard "session-cipher-name" header:
ssl-proxy(config-ctx-http-header-policy)# alias My-Session-Cipher session-cipher-name
In addition to the standard HTTP headers, the following header information is inserted:
Note
The alias name (My-Session-Cipher) is used instead of the standard name (session-cipher-name).
SSL-OFFLOAD-Client-IP:7.100.100.1
SSL-OFFLOAD-Client-Port:59008
SSL-OFFLOAD-SOFTWARE VERSION:3.1(1)
SSL-OFFLOAD-module:SSL MODULE - CATALYST 6500
SSL-OFFLOAD-type-of-proxy:server_proxy_1024_bit_key_size
SSL-OFFLOAD-Session-Id:33:FF:2C:2D:25:15:3C:50:56:AB:FA:5A:81:0A:EC:E9:00:00:0A:03:00:60:
2F:30:9C:2F:CD:56:2B:91:F2:FF
SSL-OFFLOAD-My-Session-Cipher:RC4-SHA
SSL-OFFLOAD-Session-Cipher-Key-Size:128
SSL-OFFLOAD-Session-Cipher-Use-Size:128
SSL-OFFLOAD-Session-Step-Up:FALSE
SSL-OFFLOAD-Session-Initial-Cipher-Key-Size:
SSL-OFFLOAD-Session-Initial-Cipher-Name:
SSL-OFFLOAD-Session-Initial-Cipher-Use-Size:
SSL-OFFLOAD-ClientCert-Valid:1
SSL-OFFLOAD-ClientCert-Error:none
SSL-OFFLOAD-ClientCert-Fingerprint:1B:11:0F:E8:20:3F:6C:23:12:9C:76:C0:C1:C2:CC:85
SSL-OFFLOAD-ClientCert-Subject-CN:a
SSL-OFFLOAD-ClientCert-Issuer-CN:Certificate Manager
SSL-OFFLOAD-ClientCert-Certificate-Version:3
SSL-OFFLOAD-ClientCert-Serial-Number:0F:E5
SSL-OFFLOAD-ClientCert-Data-Signature-Algorithm:sha1WithRSAEncryption
SSL-OFFLOAD-ClientCert-Subject:OID.1.2.840.113549.1.9.2 = ste2-server.cisco.com +
OID.2.5.4.5 = B0FFF22E, CN = a, O = Cisco
SSL-OFFLOAD-ClientCert-Issuer:CN = Certificate Manager, OU = HSS, O = Cisco, L = San Jose,
SSL-OFFLOAD-ClientCert-Not-Before:22:29:26 UTC Jul 30 2003
SSL-OFFLOAD-ClientCert-Not-After:07:00:00 UTC Apr 27 2006
SSL-OFFLOAD-ClientCert-Public-Key-Algorithm:rsaEncryption
SSL-OFFLOAD-ClientCert-RSA-Public-Key-Size:1024 bit
SSL-OFFLOAD-ClientCert-RSA-Modulus-Size:1024 bit
SSL-OFFLOAD-ClientCert-RSA-Modulus:B3:32:3C:5E:C9:D1:CC:76:FF:81:F6:F7:97:58:91:4D:B2:0E:
C1:3A:7B:62:63:BD:5D:F6:5F:68:F0:7D:AC:C6:72:F5:72:46:7E:FD:38:D3:A2:E1:03:8B:EC:F7:C9:9A:
80:C7:37:DA:F3:BE:1F:F4:5B:59:BD:52:72:94:EE:46:F5:29:A4:B3:9B:2E:4C:69:D0:11:59:F7:68:3A:
D9:6E:ED:6D:54:4E:B5:A7:89:B9:45:9E:66:0B:90:0B:B1:BD:F4:C8:15:12:CD:85:13:B2:0B:FE:7E:8D:
F0:D7:4A:98:BB:08:88:6E:CC:49:60:37:22:74:4D:73:1E:96:58:91
SSL-OFFLOAD-ClientCert-RSA-Exponent:00:01:00:01
SSL-OFFLOAD-ClientCert-X509v3-Authority-Key-Identifier:keyid=EE:EF:5B:BD:4D:CD:F5:6B:60:
9D:CF:46:C2:EA:25:7B:22:A5:08:00
SSL-OFFLOAD-ClientCert-X509v3-Basic-Constraints:
SSL-OFFLOAD-ClientCert-Signature-Algorithm:sha1WithRSAEncryption
SSL-OFFLOAD-ClientCert-Signature:87:09:C1:F8:86:C1:15:C5:57:18:8E:B3:0D:62:E1:0F:6F:D4:9D:
75:DA:5D:53:E2:C6:0B:73:99:61:BE:B0:F6:19:83:F2:E5:48:1B:D2:6C:92:83:66:B3:63:A6:58:B4:5C:
0E:5D:1B:60:F9:86:AF:B3:93:07:77:16:74:4B:C5
SSL-OFFLOAD-ClientCert-X509v3-Subject-Alternative-Name:
ipAddress=192.168.1.100,rfc822Name=my@other.com
SSL-OFFLOAD-ClientCert-X509v3-Key-Usage: Digital Signature,Non-Repudiation,Key
Encipherment,
Data Encipherment,Key Agreement,Key Cert Sign,CRL Signature,Encipher Only,Decipher Only
SSL-OFFLOAD-ClientCert-X509v3-Authority-Information-Access: Access Method=OCSP,Access
Location=http://ocsp.my.host/"
SSL-OFFLOAD-ClientCert-X509v3-CRL-Distribution-Points: http://myhost.com/myca.crl
Related Commands
show ssl-proxy policy
policy ssl
To enter the SSL-policy configuration submode, use the policy ssl command. In the SSL-policy configuration submode, you can define the SSL policy for one or more SSL-proxy services.
policy ssl ssl-policy-name
Syntax Description
ssl-policy-name
|
SSL policy name.
|
Defaults
The defaults are as follows:
•
cipher is all-strong.
•
close-protocol is disabled.
•
session-caching is enabled.
•
version is all.
•
session-cache size size is 262143 entries.
•
timeout session timeout is 0 seconds.
•
timeout handshake timeout is 0 seconds.
•
cert-req empty is disabled.
•
tls-rollback is disabled.
•
renegotiation is disabled.
Command Modes
Context subcommand mode
Command History
Release
|
Modification
|
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
SSL Services Module Release 1.2(1)
|
This command was changed to add the following subcommands:
• session-cache size size
• timeout session timeout [absolute]
|
SSL Services Module Release 2.1(5)
|
This command was changed to add the following subcommands:
• cert-req empty
• tls-rollback [current | any]
|
SSL Services Module Release 3.1(1)
|
The policy ssl command (entered in context subcommand mode) replaces the ssl-proxy policy ssl command (entered in global subcommand mode).
This command was changed to add the following submode commands:
• cipher rsa-exp-with-des40-cbc-sha
• cipher rsa-exp-with-rc4-40-md5
• cipher rsa-exp1024-with-des-cbc-sha
• cipher rsa-exp1024-with-rc4-56-md5
• cipher rsa-exp1024-with-rc4-56-sha
• cipher rsa-with-null-md5
• renegotiation volume
• renegotiation interval
• renegotiation wait-time
• renegotiation optional
|
Usage Guidelines
Each SSL-policy configuration submode command is entered on its own line.
Table 2-5 lists the commands available in SSL-policy configuration submode.
Table 2-5 SSL-Policy Configuration Submode Command Descriptions
Syntax
|
Description
|
cert-req empty
|
Allows you to specify that the SSL Services Module backend service always returns the certificate associated with the trustpoint and does not look for a CA-name match.
|
cipher-suite {all | all-export | all-strong | rsa-exp-with-des40-cbc-sha | rsa-exp-with-rc4-40-md5 | rsa-exp1024-with-des-cbc-sha | rsa-exp1024-with-rc4-56-md5 | rsa-exp1024-with-rc4-56-sha | rsa-with-3des-ede-cbc-sha | rsa-with-des-cbc-sha | rsa-with-null-md5 | rsa-with-rc4-128-md5 | rsa-with-rc4-128-sha}
|
Allows you to configure a list of cipher-suites acceptable to the proxy-server.
|
[no] close-protocol {strict | none}
|
Allows you to configure the SSL close-protocol behavior. Use the no form of this command to disable close protocol.
|
default {cipher | close-protocol | session-cache | version}
|
Sets a command to its default settings.
|
exit
|
Exits from SSL-policy configuration submode.
|
help
|
Provides a description of the interactive help system.
|
renegotiation volume size
|
Allows you to enable autorenegotiation and specifies the data volume size (in kilobytes).
When the encrypted or decrypted data amount exceeds this size, the SSL Services Module sends a renegotiation request. This setting is disabled by default. The valid range is from 1024 to 1073741824 kilobytes.
|
renegotiation interval time
|
Allows you to enable autorenegotiation and specifies the interval (in seconds).
After the set interval, the SSL Services Module sends an renegotiation request. This setting is disabled by default. The valid range is from 60 to 86400 seconds.
|
renegotiation wait-time time
|
(Optional) When you enable autorenegotiation, this command specifies the amount of time (in seconds) that the SSL Services Module waits for the peer to respond to the renegotiation request. The default is 100 seconds. The valid range is from 10 to 300 seconds.
|
renegotiation optional
|
(Optional) When you enable autorenegotiation, the SSL Services Module allows the session to continue if the peer does not respond to the renegotiation request after timeout. This setting is disabled by default and the session is disconnected after timeout.
|
[no] session-cache
|
Allows you to enable the session-caching feature. Use the no form of this command to disable session caching.
|
session-cache size size
|
Specifies the maximum number of session entries to be allocated for a given service; valid values are from 1 to 262143 entries.
|
timeout handshake timeout
|
Allows you to configure how long the module keeps the connection in the handshake phase; valid values are from 0 to 65535 seconds.
|
timeout session timeout [absolute]
|
Allows you to configure the session timeout. The syntax description is as follows:
• timeout—Session timeout; valid values are from 0 to 72000 seconds.
• absolute—(Optional) The session entry is not removed until the configured timeout has completed.
|
tls-rollback [current | any]
|
Allows you to specify if the SSL protocol version number in the TLS/SSL premaster secret message is either the maximum version or the negotiated version (current) or if the version is not checked (any).
|
version {all | ssl3 | tls1}
|
Allows you to set the version of SSL to one of the following:
• all—Both SSL3 and TLS1 versions are used.
• ssl3—SSL version 3 is used.
• tls1—TLS version 1 is used.
|
You can define the SSL policy templates using the policy ssl ssl-policy-name command and associate a SSL policy with a particular proxy server using the proxy server configuration CLI. The SSL policy template allows you to define various parameters that are associated with the SSL handshake stack.
When you enter the close-notify strict command, the SSL Services Module sends a close-notify alert message to the SSL peer, and the SSL Services Module expects a close-notify alert message from the SSL peer. If the SSL Services Module does not receive a close-notify alert, SSL resumption is not allowed for that session.
When you enter the close-notify none command, the SSL Services Module does not send a close-notify alert message to the SSL peer, and the SSL Services Module does not expect a close-notify alert message from the SSL peer. The SSL Services Module preserves the session information so that SSL resumption can be used for future SSL connections.
When close-notify is disabled (default), the SSL Services Module sends a close-notify alert message to the SSL peer; however, the SSL peer does not expect a close-notify alert before removing the session. Whether the SSL peer sends the close-notify alert or not, the session information is preserved allowing session resumption for future SSL connections.
The cipher-suite names follow the same convention as the existing SSL stacks.
The cipher-suites that are acceptable to the proxy-server are as follows:
•
all-export—All export ciphers
•
all-strong—All strong ciphers (default)
•
all—All supported ciphers
•
RSA-WITH-3DES-EDE-CBC-SHA—RSA with 3des-sha
•
RSA-WITH-DES-CBC-SHA—RSA with des-sha
•
RSA-WITH-RC4-128-MD5—RSA with rc4-md5
•
RSA-WITH-RC4-128-SHA—RSA with rc4-sha
•
RSA-EXP-WITH-DES40-CBC-SHA—RSA export with des40-sha
•
RSA-EXP-WITH-RC4-40-MD5—RSA export with rc4-md5
•
RSA-EXP1024-WITH-DES-CBC-SHA—RSA export1024 with des-sha
•
RSA-EXP1024-WITH-RC4-56-MD5—RSA export1024 with rc4-md5
•
RSA-EXP1024-WITH-RC4-56-SHA—RSA export1024 with rc4-sha
•
RSA-WITH-NULL-MD5—RSA with null-md5
If you enter the timeout session timeout absolute command, the session entry is kept in the session cache for the configured timeout before it is cleaned up. If the session cache is full, the timers are active for all the entries, the absolute keyword is configured, and all further new sessions are rejected.
If you enter the timeout session timeout command without the absolute keyword, the specified timeout is treated as the maximum timeout and a best-effort attempt is made to keep the session entry in the session cache. If the session cache runs out of session entries, the session entry that is currently being used is removed for incoming new connections.
When you enter the cert-req empty command, the SSL Services Module back-end service always returns the certificate associated with the trustpoint and does not look for a CA-name match. By default, the SSL Services Module always looks for a CA-name match before returning the certificate. If the SSL server does not include a CA-name list in the certificate request during client authentication, the handshake fails.
By default, the SSL Services Module uses the maximum supported SSL protocol version (SSL2.0, SSL3.0, or TLS1.0) in the ClientHello message. Enter the tls-rollback [current | any] command if the SSL client uses the negotiated version instead of the maximum supported version (as specified in the ClientHello message).
When you enter the tls-rollback current command, the SSL protocol version can be either the maximum supported version or the negotiated version.
When you enter the tls-rollback any command, the SSL protocol version is not checked at all.
Examples
This example shows how to enter the SSL-policy configuration submode:
ssl-proxy(config)# ssl-proxy context s1
ssl-proxy(config-context)# policy ssl sslpl1
ssl-proxy (config-ctx-ssl-policy)#
This example shows how to define the cipher suites that are supported for the SSL-policy:
ssl-proxy (config-ctx-ssl-policy)# cipher RSA_WITH_3DES_EDE_CBC_SHA
ssl-proxy (config-ctx-ssl-policy)#
This example shows how to enable the SSL-session closing protocol and configure the strict closing protocol behavior:
ssl-proxy (config-ctx-ssl-policy)# close-protocol strict
ssl-proxy (config-ctx-ssl-policy)#
This example shows how to disable the SSL-session closing protocol:
ssl-proxy (config-ctx-ssl-policy)# no close-protocol
ssl-proxy (config-ctx-ssl-policy)#
These examples shows how to set a given command to its default setting:
ssl-proxy (config-ctx-ssl-policy)# default cipher
ssl-proxy (config-ctx-ssl-policy)# default close-protocol
ssl-proxy (config-ctx-ssl-policy)# default session-cache
ssl-proxy (config-ctx-ssl-policy)# default version
ssl-proxy (config-ctx-ssl-policy)#
This example shows how to enable a session cache:
ssl-proxy (config-ctx-ssl-policy)# session-cache
ssl-proxy (config-ctx-ssl-policy)#
This example shows how to disable a session cache:
ssl-proxy (config-ctx-ssl-policy)# no session-cache
ssl-proxy (config-ctx-ssl-policy)#
This example shows how to set the maximum number of session entries to be allocated for a given service:
ssl-proxy (config-ctx-ssl-policy)# session-cache size 22000
ssl-proxy (config-ctx-ssl-policy)#
This example shows how to configure the session timeout to absolute:
ssl-proxy (config-ctx-ssl-policy)# timeout session 30000 absolute
ssl-proxy (config-ctx-ssl-policy)#
These examples show how to enable the support of different SSL versions:
ssl-proxy (config-ctx-ssl-policy)# version all
ssl-proxy (config-ctx-ssl-policy)# version ssl3
ssl-proxy (config-ctx-ssl-policy)# version tls1
ssl-proxy (config-ctx-ssl-policy)#
Related Commands
show ssl-proxy stats
show ssl-proxy stats ssl
policy tcp
To enter the proxy policy TCP configuration submode, use the policy tcp command. In proxy-policy TCP configuration submode, you can define the TCP policy templates.
policy tcp tcp-policy-name
Syntax Description
tcp-policy-name
|
TCP policy name.
|
Defaults
The defaults are as follows:
•
buffer-share rx is 32768 bytes.
•
buffer-share tx is 32768 bytes.
•
delayed-ack-threshold is 2.
•
delayed-ack-timeout is 200 seconds.
•
mss is 1460 bytes.
•
nagle is enabled.
•
timeout syn is 75 seconds.
•
timeout reassembly is 60 seconds.
•
timeout inactivity is 600 seconds.
•
timeout fin-wait is 600 seconds.
•
tos carryover is disabled.
Command Modes
Context subcommand mode
Command History
Release
|
Modification
|
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
SSL Services Module Release 1.2(1)
|
This command was changed to add the timeout reassembly time subcommand.
|
SSL Services Module Release 2.1(4)
|
This command was changed to add the tos carryover subcommand.
|
SSL Services Module Release 3.1(1)
|
The policy tcp command (entered in context subcommand mode) replaces the ssl-proxy policy tcp command (entered in global subcommand mode).
This command was changed to add the following submode commands:
• forced-ack
• nagle
|
Usage Guidelines
After you define the TCP policy, you can associate the TCP policy with a proxy server using the proxy-policy TCP configuration submode commands.
Each proxy-policy TCP configuration submode command is entered on its own line.
Table 2-6 lists the commands that are available in proxy-policy TCP configuration submode.
Table 2-6 Proxy-policy TCP Configuration Submode Command Descriptions
Syntax
|
Description
|
[no] buffer-share rx buffer-limit-in-bytes
|
Allows you to configure the maximum size of the receive buffer share per connection; valid values are from 8192 to 262144. Use the no form of this command to return to the default setting.
Note When large encrypted files are transferred by the module, the receive buffer size must be at least the maximum SSL record size of 16384 bytes for reassembly of the SSL record. We recommend a receive buffer size of at least 20000 bytes for optimal performance.
|
[no] buffer-share tx buffer-limit-in-bytes
|
Allows you to configure the maximum size of the transmit buffer share per connection; valid values are from 8192 to 262144. Use the no form of this command to return to the default setting.
Note When large encrypted files are transferred by the module, the transmit buffer size must be at least the maximum SSL record size of 16384 bytes for reassembly of the SSL record. We recommend a transmit buffer size of at least 20000 bytes for optimal performance.
|
default
|
Sets a command to its default settings.
|
delayed-ack-threshold delay
|
Allows you to configure the delayed ACK threshold. The default is 2. The valid range is from 1 to 10.
|
delayed-ack-timeout timer
|
Allows you to configure the delayed ACK timeout. The default is 200 seconds. The valid range is from 50 to 500 seconds.
|
exit
|
Exits from proxy-service configuration submode.
|
forced-ack
|
Allows you to enable the forced-ACK algorithm.
|
help
|
Provides a description of the interactive help system.
|
[no] mss max-segment-size-in-bytes
|
Allows you to configure the maximum segment size that the connection identifies in the generated SYN packet; valid values are from 64 to 1460. Use the no form of this command to return to the default setting.
|
[no] nagle
|
Allows you to enable or disable the Nagle algorithm, which combines many small packets for more efficient transmission. Nagle is enabled by default.
|
[no] timeout fin-wait timeout-in-seconds
|
Allows you to configure the FIN wait timeout; valid values are from 75 to 600 seconds. Use the no form of this command to return to the default setting.
|
[no] timeout inactivity timeout-in-seconds
|
Allows you to configure the inactivity timeout; valid values are from 0 to 960 seconds. This command allows you to set the aging timeout for an idle connection and helps protect the connection resources. Use the no form of this command to return to the default setting.
|
[no] timeout syn timeout-in-seconds
|
Allows you to configure the connection establishment timeout; valid values are from 5 to 75 seconds. Use the no form of this command to return to the default setting.
|
[no] timeout reassembly time
|
Allows you to configure the amount of time in seconds before the reassembly queue is cleared; valid values are from 0 to 960 seconds (0 = disabled). If the transaction is not complete within the specified time, the reassembly queue is cleared and the connection is dropped. Use the no form of this command to return to the default setting.
|
[no] tos carryover
|
Forwards the type of service (ToS) value to all packets within a flow.
Note If the policy is configured as a server TCP policy, the ToS value is sent from the server to the client. If the policy is configured as a virtual policy, the ToS value is sent from the client to the server.
Note The ToS value needs to be learned before it can be propagated. For example, when a ToS value is configured to be propagated from the server to client connection, the server connection must be established before the value is learned and propagated. Therefore, some of the initial packets will not carry the ToS value.
|
Usage Guidelines
TCP commands that you enter on the SSL Services Module can apply either globally or to a particular proxy server.
You can configure a different maximum segment size for the client side and the server side of the proxy server.
The TCP policy template allows you to define parameters that are associated with the TCP stack.
You can either enter the no form of the command or use the default keyword to return to the default setting.
Examples
This example shows how to enter the proxy-policy TCP configuration submode:
ssl-proxy(config)# ssl-proxy context s1
ssl-proxy(config-context)# ssl-proxy policy tcp tcppl1
ssl-proxy(config-ctx-tcp-policy)#
These examples show how to set a given command to its default value:
ssl-proxy (config-ctx-tcp-policy)# default timeout fin-wait
ssl-proxy (config-ctx-tcp-policy)# default inactivity-timeout
ssl-proxy (config-ctx-tcp-policy)# default buffer-share rx
ssl-proxy (config-ctx-tcp-policy)# default buffer-share tx
ssl-proxy (config-ctx-tcp-policy)# default mss
ssl-proxy (config-ctx-tcp-policy)# default timeout syn
ssl-proxy (config-ctx-tcp-policy)#
This example shows how to define the FIN-wait timeout in seconds:
ssl-proxy (config-ctx-tcp-policy)# timeout fin-wait 200
ssl-proxy (config-ctx-tcp-policy)#
This example shows how to define the inactivity timeout in seconds:
ssl-proxy (config-ctx-tcp-policy)# timeout inactivity 300
ssl-proxy (config-ctx-tcp-policy)#
This example shows how to define the maximum size for the receive buffer configuration:
ssl-proxy (config-ctx-tcp-policy)# buffer-share rx 16384
ssl-proxy (config-ctx-tcp-policy)#
This example shows how to define the maximum size for the transmit buffer configuration:
ssl-proxy (config-ctx-tcp-policy)# buffer-share tx 13444
ssl-proxy (config-ctx-tcp-policy)#
This example shows how to define the maximum size for the TCP segment:
ssl-proxy (config-ctx-tcp-policy)# mss 1460
ssl-proxy (config-ctx-tcp-policy)#
This example shows how to define the initial connection (SYN)-timeout value:
ssl-proxy (config-ctx-tcp-policy)# timeout syn 5
ssl-proxy (config-ctx-tcp-policy)#
This example shows how to define the reassembly-timeout value:
ssl-proxy (config-ctx-tcp-policy)# timeout reassembly 120
ssl-proxy (config-ctx-tcp-policy)#
This example shows how to carryover the ToS value to all packets within a flow:
ssl-proxy (config-ctx-tcp-policy)# tos carryover
ssl-proxy (config-ctx-tcp-policy)#
Related Commands
show ssl-proxy policy
policy url-rewrite
To enter the URL rewrite configuration submode, use the policy url-rewrite command. In URL rewrite configuration submode, you can define the URL-rewrite content policy that is applied to the payload.
policy url-rewrite url-rewrite-policy-name
Syntax Description
url-rewrite-policy-name
|
URL rewrite policy name.
|
Defaults
This command has no default settings.
Command Modes
Context subcommand mode
Command History
Release
|
Modification
|
SSL Services Module Release 2.1(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
SSL Services Module Release 3.1(1)
|
The policy url-rewrite command (entered in context subcommand mode) replaces the ssl-proxy policy url-rewrite command (entered in global subcommand mode).
|
Usage Guidelines
URL rewrite allows you to rewrite redirection links only.
A URL rewrite policy consists of up to 32 rewrite rules for each SSL proxy service.
Table 2-7 lists the commands that are available in proxy-policy configuration submode.
Table 2-7 Proxy-policy Configuration Submode Command Descriptions
default
|
Sets a command to its default settings.
|
exit
|
Exits from proxy-policy configuration submode.
|
help
|
Provides a description of the interactive help system.
|
[no] url url-string [clearport port-number | sslport port-number]
|
Allows you to configure the URL string to be rewritten. Use the no form of this command to remove the policy.
|
url-string—Specifies the host portion of the URL link to be rewritten; it can have a maximum of 251 characters. You can use the asterisk (*) wildcard only as a prefix or a suffix of a hostname in a rewrite rule. For example, you can use the hostname in one of the following ways:
•
www.cisco.com
•
*.cisco.com
•
wwwin.cisco.*
clearport port-number—(Optional) Specifies the port portion of the URL link that is to be rewritten; valid values are from 1 to 65535.
sslport port-number—(Optional) Specifies the port portion of the URL link that is to be written; valid values are from 1 to 65535.
Enter the no form of the command to remove the policy.
Note
When a server includes the default HTTP port number 80 in a URL redirect (for example, www.example.com:80), then the url command must be configured in the same manner (for example, url www.example.com:80). Non-standard port numbers need not be configured as part of the URL, but may instead by configured using the clearport keyword.
Examples
This example shows how to enter the URL rewrite configuration submode for the test1 policy:
ssl-proxy(config)# ssl-pro context s1
ssl-proxy(config-context)# ssl-proxy policy url-rewrite test1
ssl-proxy(config-ctx-url-rewrite-policy#
This example shows how to define the URL rewrite policy for the test1 policy:
ssl-proxy(config)# ssl-pro context s1
ssl-proxy(config-context)# ssl-proxy policy url-rewrite test1
ssl-proxy(config-ctx-url-rewrite-policy# url www.cisco.com clearport 80 sslport 443
ssl-proxy(config-ctx-url-rewrite-policy#
This example shows how to delete the URL rewrite policy for the test1 policy:
ssl-proxy(config)# ssl-pro context s1
ssl-proxy(config-context)# ssl-proxy policy url-rewrite test1
ssl-proxy(config-ctx-url-rewrite-policy# no url www.cisco.com clearport 80 sslport 443
ssl-proxy(config-ctx-url-rewrite-policy#
Related Commands
show ssl-proxy policy
pool ca
To enter the certificate authority pool configuration submode, use the pool ca command. In the certificate authority pool configuration submode, you can configure a certificate authority pool, which lists the CAs that the module can trust.
pool ca ca-pool-name
Syntax Description
ca-pool-name
|
Certificate authority pool name.
|
Defaults
This command has no arguments or keywords.
Command Modes
Context subcommand mode
Command History
Release
|
Modification
|
SSL Services Module Release 2.1(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
SSL Services Module Release 3.1(1)
|
The pool ca command (entered in context subcommand mode) replaces the ssl-proxy pool ca command (entered in global subcommand mode).
|
Usage Guidelines
Enter each certificate-authority pool configuration submode command on its own line.
Table 2-8 lists the commands that are available in certificate-authority pool configuration submode.
Table 2-8 Proxy-policy TCP Configuration Submode Command Descriptions
Syntax
|
Description
|
ca
|
Configures a certificate authority. The available subcommand is as follows:
trustpoint ca-trustpoint-name—Configures a certificate-authority trustpoint.
Use the no form of this command to return to the default setting.
|
default
|
Sets a command to its default settings.
|
exit
|
Exits from proxy-service configuration submode.
|
help
|
Allows you to configure the connection-establishment timeout; valid values are from 5 to 75 seconds. Use the no form of this command to return to the default setting.
|
Examples
This example shows how to add a certificate-authority trustpoint to a pool:
ssl-proxy(config)# ssl-proxy context s1
ssl-proxy(config-context)# pool ca test1
ssl-proxy(config-ctx-ca-pool)# ca trustpoint test20
ssl-proxy(config-ctx-ca-pool)#
service
To enter the proxy-service configuration submode, use the service command.
service ssl-proxy-name [client]
Syntax Description
ssl-proxy-name
|
SSL proxy name.
|
client
|
(Optional) Allows you to configure the SSL-client proxy services. See the service client command.
|
Defaults
Server NAT is enabled, and client NAT is disabled.
Command Modes
Context subcommand mode
Command History
Release
|
Modification
|
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
SSL Services Module Release 2.1(1)
|
This command was changed to add the following submode commands:
• authenticate
• policy urlrewrite policy-name
• trusted-ca ca-pool-name
• sslv2—See the server ipaddr subcommand.
|
SSL Services Module Release 3.1(1)
|
The service command (entered in context subcommand mode) replaces the ssl-proxy service command (entered in global subcommand mode).
This command was changed to add the following submode commands:
• policy health-probe tcp policy-name
• policy http-header policy-name
|
Usage Guidelines
You cannot use the same service_name for both the server proxy service and the client proxy service.
In proxy-service configuration submode, you can configure the virtual IP address and port that is associated with the proxy service and the associated target IP address and port. You can also define TCP and SSL policies for both the client side (beginning with the virtual keyword) and the server side of the proxy (beginning with the server keyword).
In client proxy-service configuration submode, you specify that the proxy service accept clear-text traffic, encrypt it into SSL traffic, and forward it to the back-end SSL server.
In most cases, all of the SSL-server-proxy configurations that are performed are also valid for the SSL-client-proxy configuration, except for the following:
•
You must configure a certificate for the SSL-server-proxy but you do not have to configure a certificate for the SSL-client-proxy. If you configure a certificate for the SSL-client-proxy, that certificate is sent in response to the certificate request message that is sent by the server during the client-authentication phase of the handshake protocol.
•
The SSL policy is attached to the virtual subcommand for the SSL server proxy service; whereas, the SSL policy is attached to the server subcommand for the SSL client proxy service.
Enter each proxy-service or proxy-client configuration submode command on its own line.
Table 2-9 lists the commands that are available in proxy-service or proxy-client configuration submode.
Table 2-9 Proxy-service Configuration Submode Command Descriptions
Syntax
|
Description
|
authenticate verify {all | signature-only}
|
Configures the method for certificate verification. You can specify the following:
• all—Verifies CRLs and signature authority.
• signature-only—Verifies the signature only.
|
certificate rsa general-purpose trustpoint trustpoint-name
|
Configures the certificate with RSA general-purpose keys and associates a trustpoint to the certificate.
|
default {certificate | inservice | nat | server | virtual}
|
Sets a command to its default settings.
|
description
|
Allows you to enter a description for proxy service.
|
exit
|
Exits from proxy-service or proxy-client configuration submode.
|
help
|
Provides a description of the interactive help system.
|
inservice
|
Declares a proxy server or client as administratively up.
|
nat {server | client}{natpool-name}
|
Specifies the usage of either server NAT or client NAT for the server-side connection that is opened by the SSL Services Module.
|
policy health-probe tcp policy-name
|
Applies a TCP health probe policy to a proxy server.
|
policy http-header policy-name
|
Applies an HTTP header insertion policy to a proxy server.
|
policy urlrewrite policy-name
|
Applies a URL rewrite policy to a proxy server.
|
server ipaddr ip-addr protocol protocol port portno [sslv2]
|
Defines the IP address of the target server for the proxy server. You can also specify the port number and the transport protocol. The target IP address can be a virtual IP address of an SLB device or a real IP address of a web server. The sslv2 keyword specifies the server that is used for handling SSL version 2 traffic.
|
server policy tcp server-side-tcp-policy-name
|
Applies a TCP policy to the server side of a proxy server. You can specify the port number and the transport protocol.
|
trusted-ca ca-pool-name
|
Applies a trusted certificate authenticate configuration to a proxy server.
|
virtual ipaddr ip-addr protocol protocol port portno [secondary]
|
Defines the virtual IP address of the virtual server to which the STE is proxying. You can also specify the port number and the transport protocol. The valid values for protocol are tcp; valid values for portno is from 1 to 65535. The secondary keyword (optional) prevents the STE from replying to the ARP request coming to the virtual IP address.
|
virtual policy ssl ssl-policy-name
|
Applies an SSL policy with the client side of a proxy server.
|
virtual policy tcp client-side-tcp-policy-name
|
Applies a TCP policy to the client side of a proxy server.
|
vlan vlan
|
Virtual Service VLAN configuration
|
Both secured and bridge mode between the Content Switching Module (CSM) and the SSL Services Module is supported.
Use the secondary keyword (optional) for bridge-mode topology.
Examples
This example shows how to enter the proxy-service configuration submode:
ssl-proxy (config)# ssl-proxy context s1
ssl-proxy (config-context)# service S6
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to configure the method for certificate verification:
ssl-proxy (config-ctx-ssl-proxy)# authenticate verify all
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to configure the certificate for the specified SSL-proxy services:
ssl-proxy (config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint tp1
ssl-proxy (config-ctx-ssl-proxy)#
These examples show how to set a specified command to its default value:
ssl-proxy (config-ctx-ssl-proxy)# default certificate
ssl-proxy (config-ctx-ssl-proxy)# default inservice
ssl-proxy (config-ctx-ssl-proxy)# default nat
ssl-proxy (config-ctx-ssl-proxy)# default server
ssl-proxy (config-ctx-ssl-proxy)# default virtual
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to apply a trusted-certificate authenticate configuration to a proxy server:
ssl-proxy (config-ctx-ssl-proxy)# trusted-ca test1
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to configure a virtual IP address for the specified virtual server:
ssl-proxy (config-ctx-ssl-proxy)# virtual ipaddr 207.59.100.20 protocol tcp port 443
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to configure the SSL policy for the specified virtual server:
ssl-proxy (config-ctx-ssl-proxy)# virtual policy ssl sslpl1
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to configure the TCP policy for the specified virtual server:
ssl-proxy (config-ctx-ssl-proxy)# virtual policy tcp tcppl1
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to configure a clear-text web server for the SSL Services Module to forward the decrypted traffic:
ssl-proxy (config-ctx-ssl-proxy)# server ipaddr 207.50.0.50 protocol tcp port 80
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to configure a TCP policy for the given clear-text web server:
ssl-proxy (config-ctx-ssl-proxy)# server policy tcp tcppl1
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to configure a NAT pool for the client address that is used in the server connection of the specified service SSL offload:
ssl-proxy (config-ctx-ssl-proxy)# nat client NP1
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to enable a NAT server address for the server connection of the specified service SSL offload:
ssl-proxy (config-ctx-ssl-proxy)# nat server
ssl-proxy (config-ctx-ssl-proxy)#
Related Commands
show ssl-proxy service
service client
To enter the client proxy-service configuration submode, use the service client command.
service ssl-proxy-name client
Syntax Description
ssl-proxy-name
|
SSL proxy service name.
|
Defaults
Client NAT is disabled.
Command Modes
Context subcommand mode
Command History
Release
|
Modification
|
SSL Services Module Release 2.1(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
SSL Services Module Release 3.1(1)
|
The service client command (entered in context subcommand mode) replaces the ssl-proxy service client command (entered in global subcommand mode).
This command was changed to add the following submode commands:
• policy health-probe tcp
• policy http-header
|
Usage Guidelines
You cannot use the same service_name for both the server proxy service and the client proxy service.
In client proxy-service configuration submode, you specify that the proxy service accept clear-text traffic, encrypt it into SSL traffic, and forward it to the back-end SSL server.
In most cases, all of the SSL-server-proxy configurations that are performed are also valid for the SSL-client-proxy configuration, except for the following:
•
You must configure a certificate for the SSL-server-proxy but you do not have to configure a certificate for the SSL-client-proxy. If you configure a certificate for the SSL-client-proxy, that certificate is sent in response to the certificate request message that is sent by the server during the client-authentication phase of the handshake protocol.
•
The SSL policy is attached to the virtual subcommand for the SSL server proxy service; whereas, the SSL policy is attached to the server subcommand for the SSL client proxy service.
Each proxy-service or proxy-client configuration submode command is entered on its own line.
Table 2-10 lists the commands that are available in proxy-client configuration submode.
Table 2-10 Proxy-client Configuration Submode Command Descriptions
Syntax
|
Description
|
certificate rsa general-purpose trustpoint trustpoint-name
|
Configures the certificate with RSA general-purpose keys and associates a trustpoint to the certificate.
|
default {certificate | inservice | nat | server | virtual}
|
Sets a command to its default settings.
|
description
|
Allows you to enter a description for the proxy service.
|
exit
|
Exits from proxy-client configuration submode.
|
help
|
Provides a description of the interactive help system.
|
inservice
|
Declares a proxy client as administratively up.
|
nat {server | client natpool-name}
|
Specifies the usage of either server NAT or client NAT for the server-side connection that is opened by the SSL Services Module.
|
policy health-probe tcp policy-name
|
Applies a TCP health probe policy to a proxy server.
|
policy http-header policy-name
|
Applies an HTTP header insertion policy to a proxy server.
|
policy urlrewrite policy-name
|
Applies a URL rewrite policy to the proxy server.
|
server ipaddr ip-addr protocol protocol port portno [sslv2]
|
Defines the IP address of the target server for the proxy server. You can also specify the port number and the transport protocol. The target IP address can be a virtual IP address of an SLB device or a real IP address of a web server. The sslv2 keyword enables SSL version 2.
|
server policy tcp server-side-tcp-policy-name
|
Applies a TCP policy to the server side of a proxy server. You can specify the port number and the transport protocol.
|
virtual ipaddr ip-addr protocol protocol port portno [secondary]
|
Defines the IP address of the target server for the proxy server. You can also specify the port number and the transport protocol. The target IP address can be a virtual IP address of an SLB device or a real IP address of a web server.
|
virtual policy ssl ssl-policy-name
|
Applies an SSL policy with the client side of a proxy server.
|
virtual policy tcp client-side-tcp-policy-name
|
Applies a TCP policy to the client side of a proxy server.
|
vlan vlan
|
Virtual Service VLAN configuration.
|
Both secured mode and bridge mode between the Content Switching Module (CSM) and the SSL Services Module are supported.
Use the secondary keyword (optional) for the bridge-mode topology.
Examples
This example shows how to enter the client proxy-service configuration submode:
ssl-proxy (config)# ssl-proxy context s1
ssl-proxy (config-context)# service S7 client
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to configure the certificate for the specified SSL-proxy services:
ssl-proxy (config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint tp1
ssl-proxy (config-ctx-ssl-proxy)#
These examples show how to set a specified command to its default value:
ssl-proxy (config-ctx-ssl-proxy)# default certificate
ssl-proxy (config-ctx-ssl-proxy)# default inservice
ssl-proxy (config-ctx-ssl-proxy)# default nat
ssl-proxy (config-ctx-ssl-proxy)# default server
ssl-proxy (config-ctx-ssl-proxy)# default virtual
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to configure a virtual IP address for the specified virtual server:
ssl-proxy (config-ctx-ssl-proxy)# virtual ipaddr 207.59.100.20 protocol tcp port 443
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to configure the SSL policy for the specified virtual server:
ssl-proxy (config-ctx-ssl-proxy)# virtual policy ssl sslpl1
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to configure the TCP policy for the specified virtual server:
ssl-proxy (config-ctx-ssl-proxy)# virtual policy tcp tcppl1
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to configure a clear-text web server for the SSL Services Module to forward the decrypted traffic:
ssl-proxy (config-ctx-ssl-proxy)# server ipaddr 207.50.0.50 protocol tcp port 80
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to configure a TCP policy for the given clear-text web server:
ssl-proxy (config-ctx-ssl-proxy)# server policy tcp tcppl1
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to configure a NAT pool for the client address that is used in the server connection of the specified service SSL offload:
ssl-proxy (config-ctx-ssl-proxy)# nat client NP1
ssl-proxy (config-ctx-ssl-proxy)#
This example shows how to enable a NAT server address for the server connection of the specified service SSL offload:
ssl-proxy (config-ctx-ssl-proxy)# nat server
ssl-proxy (config-ctx-ssl-proxy)#
Related Commands
show ssl-proxy service
show interfaces ssl-proxy
To display information about the configured subinterfaces, use the show interfaces ssl-proxy command.
show interfaces ssl-proxy 0.subinterface
Syntax Description
subinterface-number
|
Subinterface ID; valid values are from 0 to 4294967295.
|
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release
|
Modification
|
SSL Services Module Release 3.1(1)
|
Support for this command was introduced on the Catalyst 6500 series SSL Services Module.
|
Examples
This example shows how to display information about the configured subinterfaces:
ssl-proxy# show ionterfaces 0.3
SSL-Proxy0.3 is up, line protocol is up
Hardware is STE interface, address is 0001.6445.c744 (bia 00e0.14c1.30e9)
Internet address is 10.10.0.16/8
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation 802.1Q Virtual LAN, Vlan ID 3.
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters never
Related Commands
policy tcp
show ssl-proxy buffers
To display information about TCP buffer usage, use the show ssl-proxy buffers command.
show ssl-proxy buffers
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release
|
Modification
|
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
Examples
This example shows how to display the buffer usage and other information in the TCP subsystem:
ssl-proxy# show ssl-proxy buffers
Buffers info for TCP module 1
TCP data buffers used 2817 limit 88064
TCP ingress buffer pool size 44032 egress buffer pool size 44032
TCP ingress data buffers min-thresh 5636096 max-thresh 9017344
TCP ingress data buffers used Current 0 Max 0
TCP ingress buffer RED shift 9 max drop prob 10
Conns consuming ingress data buffers 0
TCP egress data buffers used Current 0 Max 0
Conns consuming egress data buffers 0
In-sequence queue bufs 0 OOO bufs 0
Per-flow avg qlen 0 Global avg qlen 0
Related Commands
policy tcp
show ssl-proxy certificate-history
To display information about the event history of the certificate, use the show ssl-proxy certificate-history command.
show ssl-proxy certificate-history [service [name]]
Syntax Description
service name
|
Displays all certificate records of a proxy service and (optionally) for a specific proxy service.
|
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release
|
Modification
|
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
Usage Guidelines
The show ssl-proxy certificate-history command displays these records:
•
Service name
•
Key pair name
•
Generation or import time
•
Trustpoint name
•
Certificate subject name
•
Certificate issuer name
•
Serial number
•
Date
A syslog message is generated for each record. The oldest records are deleted after the limit of 512 records is reached.
Examples
This example shows how to display the event history of all the certificate processing:
ssl-proxy# show ssl-proxy certificate-history
Record 1, Timestamp:00:00:51, 16:36:34 UTC Oct 31 2002
Installed Server Certificate, Index 5
Proxy Service:s1, Trust Point:t3
Key Pair Name:k3, Key Usage:RSA General Purpose, Exportable
Time of Key Generation:12:27:58 UTC Oct 30 2002
Subject Name:OID.1.2.840.113549.1.9.2 = simpson5-2-ste.cisco.com,
OID.1.2.840.113549.1.9.8 = 207.79.1.9, OID.2.5.4.5 = B0FFF235
Issuer Name:CN = SimpsonTestCA, OU = Simpson Lab, O = Cisco Systems, L = San Jose, ST
= CA, C = US, EA =<16> simpson-pki@cisco.com
Serial Number:5D3D1931000100000D99
Validity Start Time:21:58:12 UTC Oct 30 2002
End Time:22:08:12 UTC Oct 30 2003
Renew Time:00:00:00 UTC Jan 1 1970
End of Certificate Record
Record 2, Timestamp:00:01:06, 16:36:49 UTC Oct 31 2002
Installed Server Certificate, Index 6
Proxy Service:s5, Trust Point:t10
Key Pair Name:k10, Key Usage:RSA General Purpose, Exportable
Time of Key Generation:07:56:43 UTC Oct 11 2002
Subject Name:CN = host1.cisco.com, OID.1.2.840.113549.1.9.2 =
simpson5-2-ste.cisco.com, OID.1.2.840.113549.1.9.8 = 207.79.1.9, OID.2.5.4.5 = B0FFF235
Issuer Name:CN = SimpsonTestCA, OU = Simpson Lab, O = Cisco Systems, L = San Jose, ST
= CA, C = US, EA =<16> simpson-pki@cisco.com
Serial Number:24BC81B7000100000D85
Validity Start Time:22:38:00 UTC Oct 19 2002
End Time:22:48:00 UTC Oct 19 2003
Renew Time:00:00:00 UTC Jan 1 1970
End of Certificate Record
Record 3, Timestamp:00:01:34, 16:37:18 UTC Oct 31 2002
Installed Server Certificate, Index 7
Proxy Service:s6, Trust Point:t10
Key Pair Name:k10, Key Usage:RSA General Purpose, Exportable
Time of Key Generation:07:56:43 UTC Oct 11 2002
Subject Name:CN = host1.cisco.com, OID.1.2.840.113549.1.9.2 =
simpson5-2-ste.cisco.com, OID.1.2.840.113549.1.9.8 = 207.79.1.9, OID.2.5.4.5 = B0FFF235
Issuer Name:CN = SimpsonTestCA, OU = Simpson Lab, O = Cisco Systems, L = San Jose, ST
= CA, C = US, EA =<16> simpson-pki@cisco.com
Serial Number:24BC81B7000100000D85
Validity Start Time:22:38:00 UTC Oct 19 2002
End Time:22:48:00 UTC Oct 19 2003
Renew Time:00:00:00 UTC Jan 1 1970
End of Certificate Record
Record 4, Timestamp:00:01:40, 16:37:23 UTC Oct 31 2002
Deleted Server Certificate, Index 0
Proxy Service:s6, Trust Point:t6
Key Pair Name:k6, Key Usage:RSA General Purpose, Not Exportable
Time of Key Generation:00:28:28 UTC Mar 1 1993
Subject Name:CN = host1.cisco.com, OID.1.2.840.113549.1.9.2 =
simpson5-2-ste.cisco.com, OID.1.2.840.113549.1.9.8 = 207.79.1.8, OID.2.5.4.5 = B0FFF235
Issuer Name:CN = SimpsonTestCA, OU = Simpson Lab, O = Cisco Systems, L = San Jose, ST
= CA, C = US, EA =<16> simpson-pki@cisco.com
Serial Number:5CB5CFD6000100000D97
Validity Start Time:19:30:26 UTC Oct 30 2002
End Time:19:40:26 UTC Oct 30 2003
Renew Time:00:00:00 UTC Jan 1 1970
End of Certificate Record
% Total number of certificate history records displayed = 4
This example shows how to display the certificate record for a specific proxy service:
ssl-proxy# show ssl-proxy certificate-history service s6
Record 3, Timestamp:00:01:34, 16:37:18 UTC Oct 31 2002
Installed Server Certificate, Index 7
Proxy Service:s6, Trust Point:t10
Key Pair Name:k10, Key Usage:RSA General Purpose, Exportable
Time of Key Generation:07:56:43 UTC Oct 11 2002
Subject Name:CN = host1.cisco.com, OID.1.2.840.113549.1.9.2 =
simpson5-2-ste.cisco.com, OID.1.2.840.113549.1.9.8 = 207.79.1.9, OID.2.5.4.5 = B0FFF235
Issuer Name:CN = SimpsonTestCA, OU = Simpson Lab, O = Cisco Systems, L = San Jose, ST
= CA, C = US, EA =<16> simpson-pki@cisco.com
Serial Number:24BC81B7000100000D85
Validity Start Time:22:38:00 UTC Oct 19 2002
End Time:22:48:00 UTC Oct 19 2003
Renew Time:00:00:00 UTC Jan 1 1970
End of Certificate Record
Record 4, Timestamp:00:01:40, 16:37:23 UTC Oct 31 2002
Deleted Server Certificate, Index 0
Proxy Service:s6, Trust Point:t6
Key Pair Name:k6, Key Usage:RSA General Purpose, Not Exportable
Time of Key Generation:00:28:28 UTC Mar 1 1993
Subject Name:CN = host1.cisco.com, OID.1.2.840.113549.1.9.2 =
simpson5-2-ste.cisco.com, OID.1.2.840.113549.1.9.8 = 207.79.1.8, OID.2.5.4.5 = B0FFF235
Issuer Name:CN = SimpsonTestCA, OU = Simpson Lab, O = Cisco Systems, L = San Jose, ST
= CA, C = US, EA =<16> simpson-pki@cisco.com
Serial Number:5CB5CFD6000100000D97
Validity Start Time:19:30:26 UTC Oct 30 2002
End Time:19:40:26 UTC Oct 30 2003
Renew Time:00:00:00 UTC Jan 1 1970
End of Certificate Record
Total number of certificate history records displayed = 2
Related Commands
service
show ssl-proxy conn
To display the TCP connections from the SSL Services Module, use the show ssl-proxy conn command.
show ssl-proxy conn 4tuple [local {ip local-ip-addr local-port} [remote [{ip remote-ip-addr [port
remote-port]} | {port remote-port [ip remote-ip-addr]}]]]
show ssl-proxy conn 4tuple [local {port local-port} [remote [{ip remote-ip-addr [port
remote-port]} | {port remote-port [ip remote-ip-addr]}]]]
show ssl-proxy conn 4tuple [local {remote [{ip remote-ip-addr [port remote-port]} | {port
remote-port [ip remote-ip-addr]}]]
show ssl-proxy conn module module
show ssl-proxy conn service name [context name] module [module]
Syntax Description
4tuple
|
Displays the TCP connections for a specific address.
|
local
|
(Optional) Displays the TCP connections for a specific local device.
|
ip local-ip-addr
|
IP address of a local device.
|
local-port
|
Port number of a local device.
|
remote
|
(Optional) Displays the TCP connections for a specific remote device.
|
ip remote-ip-addr
|
IP address of a remote device.
|
port remote-port
|
Port number of a remote device.
|
port local-port
|
(Optional) Displays the TCP connections for a specific local port.
|
module module
|
(Optional) Displays the information for a specific module.
The available options for the module variable are as follows:
• all—all CPUs
• fdu—FDU CPU
• ssl1—SSL1 CPU
• tcp1—TCP1 CPU
|
service name
|
Displays the connections for a specific proxy service.
|
context name
|
(Optional) Displays information about the specified context.
|
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release
|
Modification
|
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
SSL Services Module Release 3.1(1)
|
This command was changed to add the following keywords:
• context name
• module module
|
Usage Guidelines
The show ssl-proxy conn commanddisplays these records:
•
Local Address
•
Remote Address
•
VLAN
•
Conid
•
Send-Q
•
Recv-Q
•
State
The State record indicates the TCP state of the connection between the SSL Services Module and a remote device. The TCP states are described in the following table:
Table 2-11 TCP Connection State Descriptions
LISTEN
|
This module is wating for a request to initiate a TCP connection.
|
SYN_SEND
|
This module has sent a SYN packet to another device in order to initiate the opening of a TCP connection.
|
SYN_RECEIVED
|
This module has received a SYN packet from another device that is requesting to open a TCP connection.
|
ESTABLISHED
or ESTAB
|
The three-way TCP handshake (SYN, SYN/ACK, ACK) has been completed and a TCP connection is now established between this module and another device.
|
FIN_WAIT_1
|
This module has sent a FIN packet to a connected device in order to close the TCP connection.
|
TIME_WAIT
or TWAIT
|
This module has successfully completed a FIN sequence to close a TCP connection with a connected device. The connection will be held in this state for 30-120 seconds to receive any late packets.
|
CLOSE_WAIT
|
This module has received a FIN packet from a connected device that is requesting to close the TCP connection.
|
FIN_WAIT_2
|
After sending a FIN packet to a connected device in order to close the TCP connection, this module has received an ACK packet and is wating for a FIN packet.
|
LAST_ACK
|
At the request of a connected device, this module has closed the TCP connection and is waiting for a final ACK from the other device.
|
CLOSING
|
This module has actively closed the TCP connection and is waiting for a final ACK from the other device before entering the TIME_WAIT state.
|
CLOSED
|
A TCP connection has been closed with all wait times and acknowledgments completed.
|
Examples
These examples show different ways to display the TCP connection that is established from the SSL Services Module:
ssl-proxy# show ssl-proxy conn
Connections for TCP module 1
Local Address Remote Address VLAN Conid Send-Q Recv-Q State
--------------------- --------------------- ---- ------ ------ ------ ------
2.0.0.10:4430 1.200.200.14:48582 2 0 0 0 ESTAB
1.200.200.14:48582 2.100.100.72:80 2 1 0 0 ESTAB
2.0.0.10:4430 1.200.200.14:48583 2 2 0 0 ESTAB
1.200.200.14:48583 2.100.100.72:80 2 3 0 0 ESTAB
2.0.0.10:4430 1.200.200.14:48584 2 4 0 0 ESTAB
1.200.200.14:48584 2.100.100.72:80 2 5 0 0 ESTAB
2.0.0.10:4430 1.200.200.14:48585 2 6 0 0 ESTAB
1.200.200.14:48585 2.100.100.72:80 2 7 0 0 ESTAB
2.0.0.10:4430 1.200.200.14:48586 2 8 0 0 ESTAB
1.200.200.14:48586 2.100.100.72:80 2 9 0 0 ESTAB
ssl-proxy# show ssl-proxy conn 4tuple local port 443
Connections for TCP module 1
Local Address Remote Address VLAN Conid Send-Q Recv-Q State
--------------------- --------------------- ---- ------ ------ ------ ------
2.50.50.133:443 1.200.200.12:39728 2 113676 0 0 TWAIT
2.50.50.133:443 1.200.200.12:39729 2 113680 0 0 TWAIT
2.50.50.131:443 1.200.200.14:40599 2 113684 0 0 TWAIT
2.50.50.132:443 1.200.200.13:48031 2 114046 0 0 TWAIT
2.50.50.132:443 1.200.200.13:48032 2 114048 0 0 TWAIT
2.50.50.132:443 1.200.200.13:48034 2 114092 0 0 TWAIT
2.50.50.132:443 1.200.200.13:48035 2 114100 0 0 TWAIT
ssl-proxy# show ssl-proxy conn 4tuple remote ip 1.200.200.14
Connections for TCP module 1
Local Address Remote Address VLAN Conid Send-Q Recv-Q State
--------------------- --------------------- ---- ------ ------ ------ ------
2.50.50.131:443 1.200.200.14:38814 2 58796 0 0 TWAIT
2.50.50.131:443 1.200.200.14:38815 2 58800 0 0 TWAIT
2.50.50.131:443 1.200.200.14:38817 2 58802 0 0 TWAIT
2.50.50.131:443 1.200.200.14:38818 2 58806 0 0 TWAIT
2.50.50.131:443 1.200.200.14:38819 2 58810 0 0 TWAIT
2.50.50.131:443 1.200.200.14:38820 2 58814 0 0 TWAIT
2.50.50.131:443 1.200.200.14:38821 2 58818 0 0 TWAIT
ssl-proxy# show ssl-proxy conn service iis1
Connections for TCP module 1
Local Address Remote Address VLAN Conid Send-Q Recv-Q State
--------------------- --------------------- ---- ------ ------ ------ ------
2.50.50.131:443 1.200.200.14:41217 2 121718 0 0 TWAIT
2.50.50.131:443 1.200.200.14:41218 2 121722 0 0 TWAIT
2.50.50.131:443 1.200.200.14:41219 2 121726 0 0 TWAIT
2.50.50.131:443 1.200.200.14:41220 2 121794 0 0 TWAIT
2.50.50.131:443 1.200.200.14:41221 2 121808 0 0 TWAIT
2.50.50.131:443 1.200.200.14:41222 2 121940 0 0 TWAIT
2.50.50.131:443 1.200.200.14:41223 2 122048 0 0 TWAIT
show ssl-proxy context
To display context information, use the show ssl-proxy context command.
show ssl-proxy context [name]
Syntax Description
name
|
(Optional) Name of the context.
|
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release
|
Modification
|
SSL Services Module Release 3.1(1)
|
Support for this command was introduced on the Catalyst 6500 series SSL Services Module.
|
Examples
This example shows how to display all context information on the SSL Services Module:
ssl-proxy# show ssl-proxy context
Total number of contexts : 2
Context Name VRF Num Proxies
------------ --- -----------
This example shows how to display specific context information on the SSL Services Module:
ssl-proxy# show ssl-proxy context Default
Num max conns allowed : 65536
Context 'Default' has the following service(s) configured..
show ssl-proxy crash-info
To collect information about the software-forced reset from the SSL Services Module, use the show ssl-proxy crash-info command.
show ssl-proxy crash-info [brief | details]
Syntax Description
brief
|
(Optional) Collects a small subset of software-forced reset information, limited to processor registers.
|
details
|
(Optional) Collects the full set of software-forced reset information, including exception and interrupt stacks dump (this process can take up to 10 minutes to complete printing).
|
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release
|
Modification
|
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
Examples
This example shows how to collect information about the software-forced reset:
ssl-proxy# show ssl-proxy crash-info
===== SSL SERVICE MODULE - START OF CRASHINFO COLLECTION =====
------------- COMPLEX 0 [FDU_IOS] ----------------------
++++++++++ CORE 0 (FDU) ++++++++++++++++++++++
APPLICATION VERSION:2003.04.15 14:50:20 built for cantuc
APPROXIMATE TIME WHEN CRASH HAPPENED:14:06:04 UTC Apr 16 2003
CPU CONTEXT -----------------------------
$0 :00000000, AT :00240008, v0 :5A27E637, v1 :000F2BB1
a0 :00000001, a1 :0000003C, a2 :002331B0, a3 :00000000
t0 :00247834, t1 :02BFAAA0, t2 :02BF8BB0, t3 :02BF8BA0
t4 :02BF8BB0, t5 :00247834, t6 :00000000, t7 :00000001
s0 :00000000, s1 :0024783C, s2 :00000000, s3 :00000000
s4 :00000001, s5 :0000003C, s6 :00000019, s7 :0000000F
t8 :00000001, t9 :00000001, k0 :00400001, k1 :00000000
gp :0023AE80, sp :031FFF58, s8 :00000019, ra :00216894
LO :00000000, HI :0000000A, BADVADDR :828D641C
EPC :00222D48, ErrorEPC :BFC02308, SREG :34007E03
Cause 0000C000 (Code 0x0):Interrupt exception
CACHE ERROR registers -------------------
CacheErrI:00000000, CacheErrD:00000000
ErrCtl:00000000, CacheErrDPA:0000000000000000
PROCESS STACK -----------------------------
sp is close to stack top;
printing 1024 bytes from stack top:
031FFC00:06405DE0 002706E0 0000002D 00000001 .@]`.'.`...-....
031FFC10:06405DE0 002706E0 00000001 0020B800 .@]`.'.`..... 8.
031FFC20:031FFC30 8FBF005C 14620010 24020004 ..|0.?.\.b..$...
FFFFFFD0:00000000 00000000 00000000 00000000 ................
FFFFFFE0:00627E34 00000000 00000000 00000000 .b~4............
FFFFFFF0:00000000 00000000 00000000 00000006 ................
===== SSL SERVICE MODULE - END OF CRASHINFO COLLECTION =======
This example shows how to collect a small subset of software-forced reset information:
ssl-proxy# show ssl-proxy crash-info brief
===== SSL SERVICE MODULE - START OF CRASHINFO COLLECTION =====
------------- COMPLEX 0 [FDU_IOS] ----------------------
SKE CRASH INFO Error: wrong MAGIC # 0
CLI detected an error in FDU_IOS crash-info; wrong magic.
------------- COMPLEX 1 [TCP_SSL] ----------------------
Crashinfo fragment #0 from core 2 at offset 0 error:
Remote system reports wrong crashinfo magic.
Bad fragment received. Reception abort.
CLI detected an error in TCP_SSL crash-info;
===== SSL SERVICE MODULE - END OF CRASHINFO COLLECTION =======
show ssl-proxy mac address
To display the current MAC address, use the show ssl-proxy mac address command.
show ssl-proxy mac address
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release
|
Modification
|
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
Examples
This example shows how to display the current MAC address that is used in the SSL Services Module:
ssl-proxy# show ssl-proxy mac address
STE MAC address: 00e0.b0ff.f232
show ssl-proxy natpool
To display information about the NAT pool, use the show ssl-proxy natpool command.
show ssl-proxy natpool [name][context name]
Syntax Description
name
|
(Optional) NAT pool name.
|
context name
|
(Optional) Context name.
|
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release
|
Modification
|
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
SSL Services Module Release 3.1(1)
|
This command was changed to add the context name keyword.
|
Examples
This example shows how to display information for a specific NAT address pool that is configured on the SSL Services Module:
ssl-proxy# show ssl-proxy natpool
No context name provided, assuming context 'Default'...
natpool-name start-ip end-ip netmask use-count
n1 207.57.110.1 207.57.110.8 255.0.0.0 2
This example shows how to display information for a specific NAT address pool that is configured on the SSL Services Module:
ssl-proxy# show ssl-proxy natpool n1
No context name provided, assuming context 'Default'...
vlan associated with natpool: 2
SSL proxy services using this natpool:
Num of proxies using this natpool: 2
Related Commands
natpool
show ssl-proxy policy
To display the configured SSL proxy policies, use the show ssl-proxy policy command.
show ssl-proxy policy {health-probe tcp [name] [context name] | http-header | ssl | tcp |
url-rewrite} [name]
Syntax Description
health-probe tcp
|
Displays the configured TCP health probe policies.
|
name
|
(Optional) TCP health probe name.
|
context name
|
(Optional) Displays the TCP health probe policies in this context.
|
http-header
|
Displays the configured HTTP header policies.
|
ssl
|
Displays the configured SSL policies.
|
tcp
|
Displays the configured TCP policies.
|
url-rewrite
|
Displays the configured URL rewrite policies.
|
name
|
(Optional) Policy name.
|
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release
|
Modification
|
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
SSL Services Module Release 2.1(1)
|
This command was changed to include the http-header and url-rewrite keywords.
|
SSL Services Module Release 3.1(1)
|
This command was changed to add the health-probe tcp keyword.
|
Examples
This example shows how to display information about the HTTP header policy:
ssl-proxy# show ssl-proxy policy http-header h1
No context name provided, assuming context 'Default'...
Client Certificate Insertion Not Enabled
Session Header Insertion All
Client IP/Port Insertion Not Enabled
Usage count of this policy: 0
This example shows how to display policy information about a specific SSL policy that is configured on the SSL Services Module:
ssl-proxy# show ssl-proxy policy ssl ssl-policy1
No context name provided, assuming context 'Default'...
Cipher suites: (None configured, default ciphers included)
rsa-with-rc4-128-md5
rsa-with-rc4-128-sha
rsa-with-des-cbc-sha
rsa-with-3des-ede-cbc-sha
SSL Versions enabled:SSL3.0, TLS1.0
close protocol: default (close_notify sent but not expected from peer)
Session Cache:enabled
Session timeout: 72000 seconds
Renegotiation timeout: 100 seconds
Handshake timeout not configured (never times out)
TLS Rollback: default (version number rollback not allowed)
This example shows how to display policy information about a specific TCP policy that is configured on the SSL Services Module:
ssl-proxy# show ssl-proxy policy tcp tcp-policy1
No context name provided, assuming context 'Default'...
This example shows how to display information about the URL rewrite policy:
ssl-proxy# show ssl-proxy policy url-rewrite urlrw-policy
No context name provided, assuming context 'Default'...
Rule URL Clearport SSLport
Usage count of this policy: 0
This example shows how to display information about the TCP health probe policy:
ssl-proxy# show ssl-proxy policy health-probe tcp
No context name provided, assuming context 'Default'...
TCP Health Probe Policy Name Usage-Count
This example shows how to display information about the specified TCP health probe policy:
ssl-proxy# show ssl-proxy policy health-probe tcp tcp-health
No context name provided, assuming context 'Default'...
TCP Health Probe Details : tcp-health
Interval between probe 30
Interval between failed probe 60
TCP Connection open timeout 80
Maximum retries for success probe 3
SSL proxy services using this policy:
Usage count of this policy: 1
Related Commands
policy health-probe tcp
policy http-header
policy ssl
policy tcp
policy url-rewrite
show ssl-proxy service
To display information about the configured SSL virtual service, use the show ssl-proxy service command.
show ssl-proxy service [name][context name]
Syntax Description
name
|
(Optional) Service name.
|
context name
|
(Optional) Displays service information for the specifed context name.
|
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release
|
Modification
|
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
SSL Services Module Release 3.1(1)
|
This command was changed to add the context name keyword.
|
Examples
This example shows how to display all SSL virtual services that are configured on the SSL Services Module:
ssl-proxy# show ssl-proxy service
No context name provided, assuming context 'Default'...
Proxy Service Name Context Name Admin Operation
This example shows how to display a specific SSL virtual service that is configured on the SSL Services Module:
ssl-proxy# show ssl-proxy service S6
No context name provided, assuming context 'Default'...
Service id: 1, bound_service_id: 257
Virtual IP: 10.10.1.104, port: 443
Server IP: 10.10.1.100, port: 80
Virtual SSL Policy: SSL1_PLC
TCP Health Probe Policy: tcp-health
rsa-general-purpose certificate trustpoint: tptest
Certificate chain for new connections:
Key Label: mytp, 1024-bit, not exportable
Key Timestamp: 07:21:09 UTC Apr 20 2005
Certificate chain complete
This example shows how to display a specific SSL virtual service on a specific context that is configured on the SSL Services Module:
ssl-proxy# show ssl-proxy service s2 context c1
Service id: 214, bound_service_id: 470
Virtual IP: 10.12.0.2, port: 443
Server IP: 10.0.207.203, port: 80
TCP Health Probe Policy: h1
rsa-general-purpose certificate trustpoint: mytp
Certificate chain for new connections:
Key Label: mytp, 1024-bit, not exportable
Key Timestamp: 07:21:09 UTC Apr 20 2005
Certificate chain complete
Related Commands
service
service client
show ssl-proxy stats
To display information about the statistics counter, use the show ssl-proxy stats command.
show ssl-proxy stats [type]
Syntax Description
type
|
(Optional) Information type; valid values are content, context, crypto, fdu, hdr, ipc, module, pki, service, ssl, tcp, and url. See the "Usage Guidelines" section for additional information.
|
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release
|
Modification
|
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
SSL Services Module Release 1.2(1)
|
The output of the show ssl-proxy stats command was changed to include information about the session allocation failure and session limit-exceed table.
|
SSL Services Module Release 3.1(1)
|
This command was changed to add the following keywords:
• content
• context
• hdr
• module module
• url
|
Usage Guidelines
The type values are defined as follows:
•
content—Displays content scan object statistics.
•
context—Displays context statistics information.
•
crypto—Displays crypto statistics.
•
fdu—Displays FDU statistics.
•
hdr—Displays HTTP header insertion statistics.
•
ipc—Displays IPC statistics.
•
module module—Displays statistics for the specified module; module type includes the following:
–
all—all CPUs
–
fdu—FDU CPU
–
ssl1—SSL1 CPU
–
tcp1—TCP1 CPU
•
pki—Displays PKI statistics.
•
service—Displays proxy service statistics.
•
ssl—Displays SSL detailed statistics.
•
tcp—Displays TCP detailed statistics.
•
url—Displays URL rewrite statistics.
Examples
This example shows how to display all the statistics counters that are collected on the SSL Services Module:
ssl-proxy# show ssl-proxy stats
Conns initiated : 20636 Conns accepted : 20636
Conns established : 28744 Conns dropped : 28744
Conns closed : 41272 SYN timeouts : 0
Idle timeouts : 0 Total pkts sent : 57488
Data packets sent : 0 Data bytes sent : 0
Total Pkts rcvd : 70016 Pkts rcvd in seq : 0
conns attempted : 20636 conns completed : 20636
full handshakes : 0 resumed handshakes : 0
active conns : 0 active sessions : 0
renegs attempted : 0 conns in reneg : 0
handshake failures : 20636 data failures : 0
fatal alerts rcvd : 0 fatal alerts sent : 0
no-cipher alerts : 0 ver mismatch alerts : 0
no-compress alerts : 0 bad macs received : 0
pad errors : 0 session fails : 0
IP Frag Drops : 0 Serv_Id Drops : 9
Conn Id Drops : 0 Bound Conn Drops : 0
Vlan Id Drops : 0 Checksum Drops : 0
IOS Congest Drops : 0 IP Version Drops : 0
Hash Full Drops : 0 Hash Alloc Fails : 0
Flow Creates : 41272 Flow Deletes : 41272
conn_id allocs : 41272 conn_id deallocs : 41272
Tagged Drops : 0 Non-Tagged Drops : 0
Add ipcs : 3 Delete ipcs : 0
Disable ipcs : 3 Enable ipcs : 0
Unsolicited ipcs : 0 Duplicate ADD ipcs : 0
IOS broadcast pkts : 29433 IOS unicast pkts : 5
This example shows how to display the TCP statistics:
ssl-proxy# show ssl-proxy stats tcp
Initiated : 4 Accepted : 4
Established : 8 Dropped : 6
Dropped before est : 0 Closed : 8
Persist timeout drops : 0 Rxmt timeout drops : 0
Current TIME-WAIT : 0 Current ESTABLISHED : 0
Maximum TIME-WAIT : 1 Maximum ESTABLISHED : 4
Conns Allocated : 4 Conns Deallocated : 4
RTT estimates : 48 RTT est. updates : 85
delayed acks sent : 5 FIN-WAIT2 timeouts : 0
Retransmit timeouts : 0 Persist Timeouts : 0
SYN timeouts : 0 Idle Timeouts : 0
Packet Transmit related :
Total packets : 140 Data packets : 93
Data bytes sent : 87332 Retransmitted pkts : 0
Retransmitted bytes : 0 Ack only pkts : 19
Window probes : 0 URG only pkts : 0
Window Update pkts : 16 Cntrl pkts (S/F/R) : 12
Tx TOS - normal : 122 Tx TOS - Min. Cost : 0
Tx TOS - max. rel. : 0 Tx TOS - Max. thru. : 18
Tx TOS - min. delay : 0 Tx TOS - invalid : 0
Total packets : 173 In seq data pkts : 77
In seq data bytes : 85188 Bad Offset : 0
Too short : 0 Dup-only data pkts : 2
Dup-only data bytes : 2896 Part. dup. data pkts : 0
Part. Dup. data bytes : 0 OOO data pkts : 0
OOO data bytes rcvd : 0 Pkts after rx win : 0
Bytes after rx window : 0 Pkts after close : 0
Window Probes : 0 Duplicate ACKs : 6
ACKs for unsent data : 0 ACK-only pkts : 85
Bytes acked by acks : 87313 Window Update pkts : 0
PAWS dropped pkts : 0 Hdr pred. ACKs : 0
Hdr pred. data pkts : 68 TCB cache misses : 103
3 dup-only pkts : 0 Partial Acks : 0
Rx TOS - normal : 157 Rx TOS - Min. Cost : 0
Rx TOS - max. rel. : 0 Rx TOS - Max. thru. : 16
Rx TOS - min. delay : 0 Rx TOS - invalid : 0
This example shows how to display the PKI statistics:
ssl-proxy# show ssl-proxy stats pki
PKI Memory Usage Counters:
Request buffer received: 0
Response buffer received: 0
Response with error status: 0
Response with no request: 0
PKI Accumulative Certificate Counters:
Proxy service trustpoint added: 0
Proxy service trustpoint deleted: 0
Proxy service trustpoint modified: 0
Server certificate added: 0
Server certificate deleted: 0
Server certificate rolled over: 0
Server certificate completed: 0
Intermediate CA certificate added: 0
Intermediate CA certificate deleted: 0
Root CA certificate added: 0
Root CA certificate deleted: 0
Certificate overwritten: 0
History records written: 0
History records read from NVRAM: 0
Key cert table entries in use: 0
This example shows how to display the HTTP header insertion statistics:
ssl-proxy# show ssl-proxy stats hdr
Header Insert Statistics:
Session Headers Inserted : 0 Custom Headers Inserted : 0
Session Id's Inserted : 0 Client Cert. Inserted : 0
Client IP/Port Inserted : 0 PEM Cert. Inserted : 0
Aliased Hdrs Inserted : 0
No End of Hdr Detected : 0 Payload no HTTP header : 0
Desc Alloc Failed : 0 Buffer Alloc Failed : 0
Client Cert Errors : 0 Malloc failed : 0
Service Errors : 0 Conn Entry Invalid : 0
Buffers allocated : 0 Buffers Scanned : 0
Insertion Points Found : 0 Hdrs Spanning Records : 0
End of Header Found : 0 Buffers Accumulated : 0
Multi-buffer IP Port : 0 Multi-buffer Session Id : 0
Multi-buffer Session Hdr : 0 Multi-buffer Custom Hdr : 0
Scan Internal Error : 0 Database Not Initialized: 0
This example shows how to display context statistics:
ssl-proxy# show ssl-proxy stats context
Num conns DROPPED (hit max limit) : 0
Maximum conns ESTABLISHED : 0
This example shows how to display the URL rewrite statistics:
ssl-proxy# show ssl-proxy stats url
Rewrites Succeeded : 0 Rewrites Failed : 0
Rsp Scan Incomplete : 0 URL Scan Incomplete : 0
Invalid Conn Entry : 0 URL Mismatch : 0
URL Object Error : 0 Dbase not initialized: 0
3xx URL Not Rewritten: 0 Scan Internal Error : 0
This example shows how to display content statistics:
ssl-proxy# show ssl-proxy stats content
Scan object statistics in CPU: SSL1
show ssl-proxy status
To display information about the SSL Services Module proxy status, use the show ssl-proxy status command.
show ssl-proxy status [fdu | ssl | tcp]
Syntax Description
fdu
|
(Optional) Displays the FDU status.
|
ssl
|
(Optional) Displays the SSL status.
|
tcp
|
(Optional) Displays the TCP status.
|
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release
|
Modification
|
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
SSL Services Module Release 1.2(1)
|
The output of the show ssl-proxy status command was changed to include statistics that are displayed at a 5-second, 1-minute, and 5-minute traffic rate for CPU utilization.
|
SSL Services Module Release 3.1(1)
|
This command was changed to add the following keywords:
• fdu
• ssl
• tcp
|
Examples
This example shows how to display the status of the SSL Services Module:
ssl-proxy# show ssl-proxy status
% process util : 0 % interrupt util : 0
proc cycles : 0x2DB3980C int cycles : 0x2ADACD71
total cycles: 0x4E75127FCEA4
% process util (5 sec) : 0 % interrupt util (5 sec) : 0
% process util (1 min) : 0 % interrupt util (1 min): 0
% process util (5 min) : 0 % interrupt util (5 min) : 0
% process util : 0 % interrupt util : 0
proc cycles : 0x2E42C686 int cycles : 0x47F7C36A91
total cycles: 0x4E799DB3F5F8
% process util (5 sec) : 0 % interrupt util (5 sec) : 0
% process util (1 min) : 0 % interrupt util (1 min): 0
% process util (5 min) : 0 % interrupt util (5 min) : 0
% process util : 0 % interrupt util : 0
proc cycles : 0x9E396A4 int cycles : 0xDB85C98B
total cycles: 0x4E798224EDC1
% process util (5 sec) : 0 % interrupt util (5 sec) : 0
% process util (1 min) : 0 % interrupt util (1 min): 0
% process util (5 min) : 0 % interrupt util (5 min) : 0
This example shows how to display the status of the TCP CPU on the SSL Services Module:
ssl-proxy# show ssl-proxy status tcp
% process util : 0 % interrupt util : 0
proc cycles : 0x2E45DAEE int cycles : 0x47FC7C2AC5
total cycles: 0x4E7EC4499DC8
% process util (5 sec) : 0 % interrupt util (5 sec) : 0
% process util (1 min) : 0 % interrupt util (1 min): 0
% process util (5 min) : 0 % interrupt util (5 min) : 0
show ssl-proxy version
To display the current image version, use the show ssl-proxy version command.
show ssl-proxy version
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release
|
Modification
|
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
Examples
This example shows how to display the image version that is currently running on the SSL Services Module:
ssl-proxy# show ssl-proxy version
Cisco IOS Software, SVCSSL Software (SVCSSL-K9Y9-M)
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Mon 09-Jan-06 16:54 by integ
ROM: System Bootstrap, Version 12.2(11)YS1 RELEASE SOFTWARE
ssl-proxy uptime is 1 day, 15 hours, 57 minutes
System returned to ROM by power-on
System image file is "tftp://10.1.1.1/unknown"
show ssl-proxy vlan
To display VLAN information, use the show ssl-proxy vlan command.
show ssl-proxy vlan [vlan-id][debug][module module]
Syntax Description
vlan-id
|
(Optional) VLAN ID. Displays information for a specific VLAN; valid values are from 1 to 1005.
|
debug
|
(Optional) Displays debug information.
|
module module
|
(Optional) Displays statistics for the specified module; module type includes the following:
• all—all CPUs
• fdu—FDU CPU
• ssl1—SSL1 CPU
• tcp1—TCP1 CPU
|
Defaults
This command has no default settings.
Command Modes
EXEC
Command History
Release
|
Modification
|
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
|
Support for this command was introduced on the Catalyst 6500 series switches.
|
SSL Services Module Release 3.1(1)
|
This command was changed to add the module module keyword.
|
Examples
This example shows how to display all the VLANs that are configured on the SSL Services Module:
ssl-proxy# show ssl-proxy vlan
Associated with interface SSL-Proxy0.2 (UP)
IP addr 207.10.0.16 NetMask 255.0.0.0
Associated with interface SSL-Proxy0.3 (UP)
IP addr 208.10.0.16 NetMask 255.0.0.0
Associated with interface SSL-Proxy0.4 (UP)
IP addr 209.10.0.16 NetMask 255.0.0.0
Related Commands
interface ssl-proxy
snmp-server enable
To configure the SNMP traps and informs, use the snmp-server enable command. Use the no form of this command to disable SNMP traps and informs.
snmp-server enable {informs | traps {ipsec | isakmp | snmp | {ssl-proxy [cert-expiring]
[oper-status]}}}
no snmp-server enable {informs | traps {ipsec | isakmp | snmp | {ssl-proxy [cert-expiring]
[oper-status]}}}
Syntax Description
informs
|
Enables SNMP informs.
|
traps
|
Enables SNMP traps.
|
ipsec
|
Enables IPsec traps.
|
isakmp
|
Enables ISAKMP traps.
|
snmp
|
Enables SNMP traps.
|
ssl-proxy
|
Enables SNMP SSL proxy notification traps.
|
cert-expiring
|
(Optional) Enables SSL proxy certificate-expiring notification traps.
|
oper-status
|
(Optional) Enables SSL proxy operation-status notification traps.
|
Defaults
This command has no default setting.
Command Modes
Global configuration
Command History
Release
|
Modification
|
SSL Services Module Release 2.1(1)
|
Support for this command was introduced on the Catalyst 6500 series SSL Services Module.
|
Examples
This example shows how to enable SNMP informs:
ssl-proxy (config)# snmp-server enable informs
This example shows how to enable SSL-proxy traps:
ssl-proxy (config)# snmp-server enable traps ssl-proxy
This example shows how to enable SSL-proxy notification traps:
ssl-proxy (config)# snmp-server enable traps ssl-proxy cert-expiring oper-status
ssl-proxy context
To enter the SSL context submode and define the virtual SSL context, use the ssl-proxy context command. Use the no form of this command to remove any commands that you have entered in the SSL context subcommand mode from the configuration.
ssl-proxy context [name]
no ssl-proxy context name
Syntax Description
name
|
Name of the context.
|
Defaults
The default context name is "Default."
Command Modes