-
CSS 11000 SCA/SCA2 Version 4.0
-
Release Note for the Cisco 11000 Series Secure Content Accelerator: SCA2
-
Cisco CSS 11000 Secure Content Accelerator Configuration Guide Index (Software Version 4.0.0)
-
About This Guide
-
Using the QuickStart Wizard
-
Using the Configuration Manager
-
Graphical User Interface Reference
-
FIPS Operation
-
Specifications
-
Deployment Examples
-
Troubleshooting
-
SSL Introduction
-
Regulatory Information
-
Glossary
-
Table of Contents
Graphical User Interface ReferenceBrowser and System Support
Enabling Web Management
Restricting Access to Web Management
Starting the GUI
Web Management User Interface
General Configuration Examples
Example: Resetting the IP Address
Example: Configuring an Ethernet Interface
Example: Enabling RIP
Example: Adding a Route to the Routing Table
Example: Working with Syslogs
Example: Restricting Access using an Access List
Example: Reloading (Rebooting) the Appliance
Example: Setting an Enable Password
Example: Configuring SNMP
Example: Creating and Using Certificate Groups
Example: Supporting Other Secure Protocols
Example: Generating an RSA Private Key
Example: Generating a Self-Signed Certificate
Example: Importing a PKCS#7 Certificate Group
Example: Importing a PKCS#12 Certificate Group
Graphical User Interface Reference
This chapter describes how to use the Graphical User Interface (GUI) to configure the Cisco Secure Content Accelerator. The GUI provides a convenient, Web browser-based method of configuring the Secure Content Accelerator.
 |
Note The GUI cannot be used to configure the Secure Content Accelerator in FIPS Mode. See Chapter 6, Graphic al User Interface Reference, for further information. |
This chapter contains the following sections:
- Overview
- Browser and System Support
- Enabling Web Management
- Restricting Access to Web Management
- Starting the GUI
- Web Management User Interface
- General Configuration Examples
- SSL Configuration Examples
- Running the Secure Server Wizard
Overview
While most configuration options are available with the GUI, you must be aware of the following constraints:
- The Secure Content Accelerator must have an IP address assigned before connecting with the GUI; use either serial configuration or the remote CLI to set the appliance IP information.
- The GUI cannot be used to set the SSL appliance to single-port operation.
- Web management must be enabled. See the command web-mgmt in Appendix C.
Browser and System Support
The GUI has the following requirements:
- Color recommendations—The minimum display resolution required is SVGA (800x600 resolution). For best results, use XGA (1024x768 resolution).
- Browser Support—The GUI requires Microsoft® Internet Explorer version 5.x or later, or Netscape® Navigator 4.77 or 6.x or later.
Enabling Web Management
... Web Management: disabled ...
Enter Privileged and Configuration modes and enable Web management using these commands:
enable configure web-mgmt enable
The default TCP service port is 80. If you change it with the web-mgmt port command, you must use that port to connect with the device via the Web browser. Enter show device to check the state. The status should be listed similar to the following:
... Web Management: enabled on port 80 ...
Restricting Access to Web Management
We recommend that you restrict Web management access to the Secure Content Accelerator. Create one or more access lists using either the CLI (see "Example: Restricting Access using an Access List" in Chapter 4) or the GUI (as described later in this chapter.)
Starting the GUI
Follow these steps to use the GUI to manage the Secure Content Accelerator.
1. Launch the Web browser.
2. When configuring a device in dual-port mode from a computer via the "Server" port, enter the SSL appliance IP address in the Address text box and press Return or Enter. If an enable password has been defined on the device, you are prompted for an user name and the enable password, as shown in Figure 5-1. Use "admin" for the user name. If no enable password has been configured, the GUI starts at the General content area.
Figure 5-1: Password Request Dialog Box
|
Note Before configuring a device in two-port mode from the client side (via the "Network" port), you must first set up a secure server for this purpose. See "Config uring for Client-Side Access". |
Configuring for Client-Side Access
myDevice> attach myDevice> enable myDevice# configure (config[myDevice])> ssl (config-ssl[myDevice])> server web create (config-ssl-server[web])> ip address 127.0.0.1 (config-ssl-server[web])> sslport 443 (config-ssl-server[web])> remoteport 80 (config-ssl-server[web])> no transparent (config-ssl-server[web])> cert default-1024 (config-ssl-server[web])> key default-1024 (config-ssl-server[web])> secpolicy all (config-ssl-server[web])> finished myDevice#
Type https:// and the IP address of the device in the Address text box of the browser, and press Enter. You receive a security alert dialog. Click Yes to proceed. If prompted, indicate that you wish to accept the certificate for this session only. You can proceed with configurations. You can also use the Subsystem tab in the Access content area to configure port access. Click the HTTPS Service Enable check box.
Web Management User Interface
The GUI is divided into two main parts: the area panel on the left and content tabs on the right. Figure 5-2 shows an example of this interface. Take a few moments to familiarize yourself with the screen layout.
Figure 5-2: Basic User Interface Example
On the left is a panel with links to the seven main content areas.
- General: View general status, set device-specific information, view performance statistics, and set device time and date parameters
- Access: Set passwords, create and manage access lists, and specify subsystem access
- Network: Manage Ethernet interfaces, view network statistics, view ARP information, view and add to the routing table, view interface statistics and errors, view IP statistics, set DNS information
- Log: Set syslog message hosts and clear and view the device message log
- Tools: Reboot the device, manage running and startup configurations, update firmware, run diagnostic commands, and open a telnet connection with the device
- SSL: View SSL status and statistics and configure SSL (secure) servers, private keys, certificates, certificate chains, and security policies
- SNMP: View and configure SNMP traps and parameters
General Configuration Examples
The following examples demonstrate how to use the GUI to configure general Secure Content Accelerator settings.
|
Note To save time, make all the changes you wish, then click Save to Flash to write the configuration to the device flash memory. |
Example: Setting the Device Name (Hostname)
Follow these steps to change the hostname of the device to myDevice.
1. Click General to activate the General content tabs.
2. Click the Settings tab. The Settings page opens, as shown in Figure 5-3
3. Type "myDevice" in the Device Name text box.
Figure 5-3: Changing Hostname Configuration Example
4. Click Update.
Example: Resetting the IP Address
1. Click Network to activate the Network tabs.
2. Type the new IP address information including the appropriate netmask and default router in the Internet Address, Netmask, and Gateway text boxes, respectively, on the Settings tab. The Settings page opens, as shown in Figure 5-4.
Figure 5-4: Resetting IP Information Configuration Example
3. Click Update. The Status area tells you that the connection switches to the new address in 20 seconds.
|
Note In certain situations, such as when changing to a different subnet, redirection might not occur. If the connection is not redirected, manually connect to the device. If you still are unable to connect, use the serial configuration manager to check the device configuration and try again. |
Example: Configuring an Ethernet Interface
1. Click Network to activate the Network tabs.
2. Use the list box in the Network Interface or Server Interface panel of the Settings tab to change the Ethernet interface settings. The Settings page is shown in Figure 5-5.
Figure 5-5: Ethernet Interface Configuration Example
3. Click Update.
Example: Enabling RIP
1. Click Network to activate the Network tabs.
2. Click the Settings tab. The Settings page opens, as shown in Figure 5-6.
Figure 5-6: RIP Configuration Example
3. Scroll to the bottom of the page, if necessary, to see the Rip panel.
4. Select the Enabled check box.
5. Click Update.
Example: Adding a Route to the Routing Table
1. Click Network to activate the Network tabs.
2. Click the Route tab. The Route page opens, as shown in Figure 5-7.
Figure 5-7: Routing Table Configuration Example
3. Scroll to the bottom of the page, if necessary, to see the Add Route button.
4. Click Add Route. The Add Route window opens as shown in Figure 5-8.
Figure 5-8: Adding a Route Example
5. Type the addressing and gateway information in the appropriate text boxes. Type the number of hops into the Metric text box.
6. Click OK to add the route or Cancel to close the window without adding the route information.
Example: Working with Syslogs
1. Click Log to activate the Log tabs. The Settings page open automatically, as shown in Figure 5-9.
Figure 5-9: Syslog Configuration Example
2. Enter the IP addresses of the syslog hosts in the System Log Forwarding text boxes on the Settings tab.
3. Click Update.
Use the View Log tab to display the syslog and clear the syslogs.
Example: Restricting Access using an Access List
1. Click Access to activate the Access tabs.
2. Click the Access Control Lists tab. The Access Control Lists page opens, as shown in Figure 5-10.
Figure 5-10: Access List Configuration Example
3. Click Add Access Entry. The Add Access Control List window opens, as shown in Figure 5-11.
Figure 5-11: Add Access List Entry Example
4. Enter the appropriate information for the list entry. (See the access-list command in Appendix C for more information.)
5. Click OK to create the access list entry and close the window.
6. Click the Subsystem tab. The Subsystem page opens, as shown in Figure 5-12.
Figure 5-12: Subsystem Access Configuration Example
7. Type the number of the access list just created in the Access Control List Id text box of the Web Management panel. (You can also change the TCP port on this tab.)
8. Click Update.
Example: Reloading (Rebooting) the Appliance
1. Click Tools to activate the Tools tabs. The Restart page opens automatically, as shown in Figure 5-13.
Figure 5-13: Device Reloading Example
2. If you have made changes to the device configuration but have not saved them to flash memory, click Save to Flash in the Status area, as shown in Figure 5-14.
 |
Caution The appliance restarts using the configuration stored in flash memory. Any changes you have made but have not saved are lost. |
Figure 5-14: Save Changes Button
3. Click Reboot on the Restart page. The appliance reboots using the configuration stored in flash memory.
Example: Setting an Enable Password
The Enable password is requested prior to connecting to the device.
1. Click Access to activate the Access tabs. The Password page opens automatically, as shown in Figure 5-15.
Figure 5-15: Change Password Example
2. If an Enable password has already been assigned, type it in the Old Password text box.
3. Type the password to use in the New Password text box, and retype it in the Confirm New Password text box.
4. Click Update to set the password.
|
Note To remove an existing Enable password entirely, clear the Enable checkbox, type the existing password in the Old Password text box. Click Update. |
Example: Configuring SNMP
1. Click SNMP to activate the SNMP tabs. The Settings page opens automatically, as shown in Figure 5-16.
Figure 5-16: SNMP Configuration Example
2. Type the default community, contact information, and location information in appropriate text boxes. Click Update after changing the value in each field and selecting the Enabled check box.
3. Click the Traps tab. The Traps page opens, as shown in Figure 5-17.
Figure 5-17: SNMP Trap Example
4. Click Add Trap Host to specify a host to which to send trapping messages. The Add Trap Host window opens, as shown in Figure 5-18.
Figure 5-18: Add SNMP Trap Host Example
5. Type the host IP address into the IP Address text box. If you wish the trap messages to be sent to a community other than the default community, enter the community name in the Community text box. Select the desired version of SNMP from the SNMP Version list box.
6. Click OK to add the trap host.
7. Set the desired traps by selecting the Enable option buttons and typing appropriate values in the Threshold/Hysteresis Low and Hysteresis High text boxes. If you wish to use only one trap point, enter a value only in the Threshold/Hysteresis Low text box.
|
Note Additional information is presented in the online Help for this tab. Click Help in the top right corner of the window. |
8. Click Update to set the configuration.
SSL Configuration Examples
The following examples demonstrate how to set up SSL configurations for the Secure Content Accelerator. If necessary, refer to Chapter 3 to see how the Secure Content Accelerator works with SSL protocol information.
Example: Setting up a Secure Server
The first step is to load a key to assign to the secure server. In this example, a key is imported into the GUI.
1. Click SSL to activate the SSL tabs.
2. Click the Private Keys tab. The Private Keys page opens, as shown in Figure 5-19.
Figure 5-19: Private Keys Tab
3. Click Add Private Key. The Add Private Key window opens, as shown in Figure 5-20.
Figure 5-20: Add Private Key Example
4. Click From File. The From File page opens, a shown in Figure 5-21. (In this example, the key is imported from a file. Alternatively, you can copy the key from the key file, and paste it into the Paste Private Key Here text box on the Paste tab. For an example of key generation, see " Example: Generating an RSA Private Key".)
Figure 5-21: Importing a Private Key File Example
5. Type the key name, myKey, in the Private Key Name text box. Select the appropriate Private Key File Encoding option button. Type the password for the key in the Private Key Password text box. Enter the key file name and path or click the Browse button to find and select the file.
6. Click OK to load the key into the Secure Content Accelerator.
- Next, load a certificate to assign to the secure server. In this example, a certificate is imported into the GUI.
Figure 5-22: Certificates Tab
8. Click Add Certificate. The Add Certificate window opens, as shown in Figure 5-23.
Figure 5-23: Add Certificate Example
9. Click From File. The From File page opens, as shown in Figure 5-24. (In this example, the certificate is imported from a file. Alternatively, you can copy the certificate from the file, and paste it into the Paste Certificate Here text box on the Paste tab. For an example demonstrating certificate generation, see " Example: Generating a Self-Signed Certificate" below.)
Figure 5-24: Importing a Certificate Example
10. Type the certificate name, myCert, in the Certificate Name text box. Select the appropriate Certificate File Encoding option button. Enter the certificate fie name and path or click the Browse button to find and select the file.
11. Click OK to load the certificate into the Secure Content Accelerator.
12. Click the Security Policies tab. The Security Policies page opens, as shown in Figure 5-25.
Figure 5-25: Security Policies Tab
13. Click Add Security Policy. The Add Security Policy window opens, as shown in Figure 5-26.
Figure 5-26: Add Security Policy Example
14. Type the desired name in the Security Policy Name text box. Select the policies to include in the new security policy by clicking and CTRL+clicking the entries in the Security Policy Algorithms list box.
15. Click OK to create the policy.
- Now, set up the secure server.
Figure 5-27: Secure Servers Tab
17. Click Add Secure Server. The Add Secure Server window opens, as shown in Figure 5-28.
Figure 5-28: Add Secure Server Information Example
18. Choose the type of secure server to create by clicking the appropriate option button. (This example configures a Normal Server.) Type the server name, myServer, in the Secure Server Name text box. Type the IP address of the server to which to send decrypted SSL traffic in the IP Address text box. Change the Clear-Text Port to "81".
19. Scroll to the Server Certificate and Security Policy panel. Select myCert from the Certificate list box. Select myKey from the Private Key list box. Select strong from the Security Policy list box. These options are shown in Figure 5-29.
Figure 5-29: Server Certificate and Security Policy Example
20. Select the desired options in the Client Certificate Authentication panel, shown in Figure 5-30.
Figure 5-30: Add Secure Server Information Example
21. Set up Secure URL Rewrite for the server, if desired. Enter the domain name (including wildcard, if appropriate) in the URL Clear-Text Port text box. Edit the port definitions, if necessary. Click Add, as shown in Figure 5-31, to define the URL rewrite rule.
Figure 5-31: Add URL Rewrite Rule Example
- Use the Rewrite "HTTP 3xx" Header Only check box to indicate only 30x-series redirects referencing http:// rather than all instances of http:// (such as those appearing intentionally in the application data) be rewritten.
22. Click OK to create the secure server on the Secure Content Accelerator.
The same procedures are used to create and edit backend servers and reverse-proxy servers. Options presented in the window change, depending upon the type of server being configured.
Example: Creating and Using Certificate Groups
This example demonstrates how to select certificates already loaded in the Secure Content Accelerator to create a certificate group. Alternatively, a PKCS#7 certificate group can be imported directly. See " Example: Importing a PKCS#7 Certificate Group", below, for a demonstration.
1. Click SSL to activate the SSL tabs.
2. Click the Certificate Groups tab. The Certificate Groups page is shown in Figure 5-32.
Figure 5-32: Certificate Groups Tab
3. Click Add Certificate Group. The Add Certificate Group window opens, as shown in Figure 5-33.
Figure 5-33: Add Certificate Group Example
4. Type the name for the group in the Certificate Group Name text box.
5. Click and CTRL+click the certificates listed in the Member Certificates list box to add to the certificate group. You can also click and SHIFT+click either end of a contiguous group of certificates to select all certificates in it.
6. Click OK to add the certificate group to the device.
Follow the steps below to assign the certificate group to a secure server.
1. Click SSL to activate the SSL tabs.
2. Click the Secure Servers tab.
3. Either click Edit next to an existing secure server, or click Add Secure Server to create a new server. The appropriate secure server window opens.
4. Locate the Server Certificate and Security Policy panel.
5. Select "myCertGroup" from the Certificate Group - Server Chain list box. These options are shown in Figure 5-34.
Figure 5-34: Assign Certificate Group Example
6. Click OK to add the new configuration.
|
Note If you are creating a new secure server, you must complete configuring the server as presented previously in this chapter. |
Example: Supporting Other Secure Protocols
1. Click the Secure Servers tab.
2. Click Add Secure Server. The Add Secure Server window opens.
3. Type the server name, mySecureMail, in the Secure Server Name text box. Type the IP address of the server to which to send decrypted SSL traffic. Type "110" in the Remote Port text box. Type "995" in the SSL Port text box. Select strong from the Security Policy list box. Select default-1024 from the Certificate list box. Select default-1024 from the Private Key list box. These options are shown in Figure 5-35.
Figure 5-35: Configuring for Other Protocols Example
4. Click OK to create the secure server in the Secure Content Accelerator.
Example: Generating an RSA Private Key
This example demonstrates how to generate an RSA private key named myOwnKey.
1. Click SSL to activate the SSL tabs.
2. Click Add Private Key. The Add Private Key window opens.
3. Click the Generate tab. The Generate an RSA Private Key window opens, as shown in Figure 5-36.
Figure 5-36: Generating a Private Key
4. Type "myOwnKey" in the Private Key Name text box.
5. Select 512 bits from the Private Key Length list box. This value is proportionate to the strength of the key.
6. If you want to specify any additional seed data for the random number generator, type it into the Extra Random Number Generator Seed Data text box.
7. Choose an option in the Display Encrypted Key for Backup list box.
- Do Not Display Key: The private key is never displayed. You cannot save the key to a file for backup purposes.
- Display key using Des Encryption: The private key is displayed using DES encryption and can be saved to a file.
- Display key using Des3 Encryption: The private key is displayed using 3DES encryption and can be saved to a file.
8. Click OK. Depending upon the selection made from the Display Encrypted Key for Backup list box, one of two windows opens:
- If Do Not Display Key was selected, the key is generated and a window opens, reminding you that the key cannot be displayed or exported. This is shown in Figure 5-37. Click Close.
Figure 5-37: Key Not Displayed Example
- If either Display key using Des Encryption or Display key using Des3 Encryption were selected, the key is generated and a window opens, displaying the encrypted key. This is shown in Figure 5-38. Click Download Encrypted Private Key to make a backup copy of the key, if desired. Click Close.
Figure 5-38: Key Displayed Example
Example: Generating a Self-Signed Certificate
1. Click SSL to activate the SSL tabs.
2. Click the Certificates tab.
3. Click Add Certificate. The Add Certificate window opens.
4. Click the Generate CSR/Self-signed Certificate tab. The Generate CSR/Self-signed Certificate page opens, as shown in Figure 5-39.
Figure 5-39: Generate CSR Example
5. Select the key to associate with the certificate from the Private Key Association list box.
6. Enter the desired domain name, country, state, locality, organization name, organization unit, and e-mail address in the appropriate text boxes.
7. Select the appropriate message digest format for the signing request from the CSR Message Digest list box.
8. Select the appropriate header from the CSR Header list box.
9. Click OK. The certificate is created and the Generate Certificate Signing Request (CSR) opens, as shown in Figure 5-40.
Figure 5-40: Generate Self-Signed Certificate
10. Click Download CSR File to save the file to the local file system for transfer to the Certificate Authority.
|
Note If you know the preferred file name convention of the CA, name the file appropriately now. Otherwise, accept the default naming convention and rename the file later if necessary. |
11. Click Self-sign this CSR to generate a self-signed digital certificate to be used for testing while you wait for the certificate to be signed. The Generate Self-signed Certificate window opens, as shown in Figure 5-41.
Figure 5-41: Self-Signed Certificate Example
12. Type the name for the certificate in the Certificate Name text box. Select the appropriate date to begin validity of the certificate from the Start Date list boxes. Change the number of days the certificate is valid in the Days Valid text box, if desired. Click Generate Self-signed Certificate. The certificate is generated, and a window opens, allowing the certificate to be downloaded. The Generate Self-signed Certificate window is shown in Figure 5-42. Click Close.
Figure 5-42: Successfully Generated Self-Signed Certificate
Example: Importing a PKCS#7 Certificate Group
1. Click SSL to activate the SSL tabs.
2. Click the Certificate Groups tab.
3. Click Add Certificate Group. The Add Certificate Group window opens.
4. Click the From PKCS7 File tab. The Import PKCS7 File page opens, as shown in Figure 5-43.
Figure 5-43: Import PKCS#7 Certificate Group Example
5. Type the name of the group in the Certificate Group Name text box.
6. Type the base name of the certificate in the Certificate Name Prefix text box.
7. Select the encoding option for the file to import by clicking the appropriate Encoding option button.
8. Either type the name and path of the PKCS#7 file to import, or click Browse and navigate to and select the file.
9. Click OK.
Example: Importing a PKCS#12 Certificate Group
1. Click SSL to activate the SSL tabs.
2. Click the Certificate Groups tab.
3. Click Add Certificate Group. The Add Certificate Group window opens.
4. Click the From PKCS12 File tab. The Import PKCS12 Certificate Chain window opens, as shown in Figure 5-44.
Figure 5-44: Import PKCS#12 Certificate Group Example
5. Type the name of the group in the Certificate Group Name text box.
6. Type the key password in the Password text box.
7. Either type the name and path of the PKCS#12 file to import, or click Browse and navigate to and select the file.
8. Click OK.
Running the Secure Server Wizard
1. Click SSL to activate the SSL tabs.
2. Click Secure Server Wizard. The first screen of the wizard opens, as shown in Figure 5-45.
Figure 5-45: Starting the Secure Server Wizard
3. Follow the instructions and prompts in the wizard to configure the secure server. When you have completed configuring the server, you can immediately configure another one or exit the Secure Server wizard.