Document ID: 27744
Updated: Jan 31, 2006
Contents
Introduction
This document provides a sample configuration for the CSS5-SSL module. The CSS5-SSL module is introduced with WebNs version 5.20 build 1.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
This document is not restricted to specific software and hardware versions.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Configure
In this section, you are presented with the information to configure the features described in this document.
Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.
Network Diagram
This document uses this network setup.
Configurations
This document uses this configuration.
| POMPON (CSS 11506) |
|---|
POMPON#show running-config
!Generated on 10/09/2002 12:46:25
!Active version: sg0520002s
configure
!*************************** GLOBAL ***************************
logging buffer 64000
ssl associate rsakey keyrsa CompanyX-rsa-key
ssl associate cert rsacert CompanyX-cert
ssl associate dhparam CompanyX-dh CompanyX-dh
ssl associate dsakey CompanyXdsa CompanyX-dsa-key
ip route 0.0.0.0 0.0.0.0 10.48.66.1 1
!************************* INTERFACE *************************
interface Ethernet-Mgmt
phy 10Mbits-HD
interface 3/1
bridge vlan 10
interface 3/3
bridge vlan 149
!************************** CIRCUIT **************************
circuit VLAN10
ip address 10.48.67.8 255.255.254.0
circuit VLAN149
ip address 192.168.150.199 255.255.255.0
!--- Server VLAN.
!*********************** SSL PROXY LIST ***********************
ssl-proxy-list ssl-list
ssl-server 90
ssl-server 90 vip address 10.48.67.22
!--- The VIP address must be the same as in the content rule defined here.
!--- The default port is 443.
!--- You can change the default port when you issue the
!--- ssl-server 90 port <0-65535>
command.
ssl-server 90 cipher rsa-with-des-cbc-sha 192.168.150.15 80
ssl-server 90 cipher rsa-with-3des-ede-cbc-sha 192.168.150.15 80
ssl-server 90 cipher rsa-with-rc4-128-sha 192.168.150.15 80
ssl-server 90 cipher rsa-with-rc4-128-md5 192.168.150.15 80
!--- Note: The IP address in the cipher suite can be the VIP address or
!--- the address of a real server that is available to the CSS.
!--- Select which cipher mode you want the CSS to accept and define to which server
!--- deciphered (clear) traffic should be sent.
!--- You can select different servers/ports for each cipher mode.
ssl-server 90 rsacert rsacert
ssl-server 90 rsakey keyrsa
!--- Define which certificate and key to use.
active
!************************** SERVICE **************************
service WWW
type ssl-accel
!--- Define that the SSL module is used.
add ssl-proxy-list ssl-list
keepalive type none
!--- Disable keepalive - internal heartbeat is used.
slot 5
!--- Define which SSL module to use (issue the show chassis
!--- command to see in which slot the SSL module is.
active
!*************************** OWNER ***************************
owner CompanyX
!--- The content rule definition is the same as for any other service.
content ssl
port 443
vip address 10.48.67.22
!--- The ssl-proxy-list VIP address and port must match with those defined here.
protocol tcp
application ssl
add service WWW
active
POMPON#
|
Verify
Use this section to confirm that your configuration works properly.
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.
-
show chassis
POMPON#show chassis Configuration for CSS11506-2AC A0: Product Name: CSS11506-2AC A0 SW Version: 5.20 Build 2 Serial Number: PL505500237 Base Mac Address: 00-07-85-43-8d-96 Slot Number Module Name Status 1 CSS5-SCM-2GE primary 2 CSS5-SAM primary 3 CSS5-IOM-8FE primary 4 CSS5-IOM-2GE primary 5 CSS5-SSL primary 6 empty slot 7 CSS506-SM powered-on 8 CSS506-SM powered-on -
show version
POMPON#show version Version: sg0520002s (5.20 Build 2) Flash (Locked): 5.10 Build 1 Flash (Operational): 5.20 Build 2 Type: PRIMARY Licensed Cmd Set(s): Standard Feature Set Secure Management POMPON# -
show ssl file
POMPON#show ssl file File Name File Type File Size ---------------- --------- ------------ CompanyX-rsa-key PEM 688 CompanyX-cert PEM 871 CompanyX-dh PEM 201 CompanyX-dsa-key PEM 404 POMPON#
-
show ssl flows
POMPON#show ssl flows SSL Acceleration Flows for slot 5 Virtual Port TCP Proxy Flows Active SSL Flows SSL Flows in Handshake --------------- ---- --------------- ---------------- ---------------------- 10.48.67.22 443 0 0 0 POMPON#
-
show ssl associate
POMPON#show ssl associate Certificate Name File Name Used by List ---------------- --------- ------------ rsacert CompanyX-cert yes RSA Key Name File Name Used by List ------------ --------- ------------ CompanyXrsa CompanyX-rsa-key yes DH Param Name File Name Used by List ------------- --------- ------------ CompanyX-dh CompanyX-dh no DSA Key Name File Name Used by List ------------ --------- ------------ CompanyXdsa CompanyX-dsa-key no POMPON#
-
show ssl statistics
POMPON#show ssl statistics SSL Acceleration Statistics 0 DSA Sign Failed 0 DSA Verify Failed 0 SSL MAC Failed 0 TLS HMAC Failed 0 3DES Failed 0 ARC4 Failed 0 HASH Failed 0 Hardware Device Not Found 0 Hardware Device Timed Out 0 Invalid Crypto Parameter 0 Hardware Device Failed 313 SSL received non-application data bytes 992 SSL transmitted non-application data bytes 0 RSA Private Decrypt failures 0 MAC failures for packets received 0 Re-handshake TimerAlloc failed 0 Blocks SSL could not allocate 0 Dup Blocks SSL could not allocate 0 Too many blocks for Block2AccelFragmentArray 0 Too many blocks in a SSL message POMPON# -
show summary
POMPON#show summary Global Bypass Counters: No Rule Bypass Count: 0 Acl Bypass Count: 0 Owner Content Rules State Services Service Hits CompanyX ssl Master WWW 2 POMPON# -
show flows
POMPON#show flows --------------- ----- --------------- ----- --------------- --- ------- ------ Src Address SPort Dst Address DPort NAT Dst Address Prt InPort OutPort --------------- ----- --------------- ----- --------------- --- ------- ------ 192.168.150.15 80 10.254.8.98 38460 0.0.0.0 TCP 3/3 3/1 POMPON#
-
show rule owner content all
POMPON#show rule CompanyX ssl all Name: ssl Owner: CompanyX State: Active Type: SSL Balance: Round Robin Failover: N/A Persistence: Enabled Param-Bypass: Disabled Session Redundancy: Disabled PrimarySorryServer: None SecondSorryServer: None Name: Hits: Wgt: State: Ld: KAlive: Conn: DNS: ----- ----- ---- ------ --- ------- ----- ---- WWW 16 S-1 Alive 2 None 0 0 Rule DNS Information DNS Balance: roundrobin DNS Names: DNS TTL: Rule Hotlist Information Hotlist: Disabled Size: 10, Type: HitCount, Threshold 0, Interval 1 Associated ACLs: NONE -
show ssl statistics ssl-proxy-server
POMPON#show ssl statistics ssl-proxy-server SSL Acceleration Statistics Component: SSL Proxy Server Slot: 5 Count Description --------------- ----------- 20 Handshake started for incoming SSL connections 19 Handshake completed for incoming SSL connections 0 Handshake started for outgoing SSL connections 0 Handshake completed for outgoing SSL connections 1 Active SSL flows high water mark 0 Current number of TCP Proxy flows 2 Maximum number of TCP Proxy flows POMPON# -
show ssl statistics ssl
POMPON#show ssl statistics ssl SSL Acceleration Statistics Component: SSL Slot: 5 Count Description --------------- ----------- 5 RSA Private Decrypt calls 0 RSA Public Decrypt calls 0 DH Compute key calls 0 DH Generate key calls 0 DSA Verify calls 0 DSA Sign calls 335 MD5 raw hash calls -
show ssl statistics crypto
POMPON#show ssl statistics crypto SSL Acceleration Statistics Component: Crypto Slot: 5 Count Description --------------- ----------- 5 RSA Private 0 RSA Public 0 DH Shared 0 DH Public 0 DSA Sign 0 DSA Verify 192 SSL MAC 257 TLS HMAC 451 3DES 0 ARC4 3,303 HASH 0 RSA Private Failed 0 RSA Public Failed 0 DH Shared Failed 0 DH Public Failed 0 DSA Sign Failed 0 DSA Verify Failed 0 SSL MAC Failed 0 TLS HMAC Failed 0 3DES Failed 0 ARC4 Failed 0 HASH Failed 0 Hardware Device Not Found 0 Hardware Device Timed Out 0 Invalid Crypto Parameter 0 Hardware Device Failed 0 Hardware Device Busy 0 Out Of Resources 0 Cancelled -- Device Reset POMPON#
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.
Related Information
Open a Support Case 
(Requires a Cisco Service Contract.)
Related Cisco Support Community Discussions
The Cisco Support Community is a forum for you to ask and answer questions, share suggestions, and collaborate with your peers.
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.
Updated: Jan 31, 2006
Document ID: 27744