Document ID: 47390
Contents
Introduction
Prerequisites
Requirements
Components Used
Related Products
Conventions
Configure
Network Diagram
Configurations
Verify and Troubleshoot
Verify and Troubleshooting Command Examples
TAC Service Request Information
Related Information
Introduction
Content Services Switch (CSS) 11500 supports internal Secure Socket Layer (SSL) acceleration modules, which can be used to decrypt client traffic for better load balancing decisions (front-end SSL / SSL termination). Using the CSS to offload SSL from the servers significantly increases server performance and allows traffic to be better distributed to back-end applications. The CSS 11500 can re-encrypt SSL-terminated connections and send encrypted traffic to the back-end SSL servers (back-end SSL). This is necessary for environments that require secure client-to-server communication together with advanced server load balancing, such as the use of cookies to maintain session persistence. The integrated SSL capabilities allow the CSS to make content-aware decisions that ensure the data is sent to the correct application, while maintaining data encryption throughout the network.
This document describes the SSL traffic flow from the client to the CSS and to the back-end SSL server. This document provides configurations and different implementation scenarios.
Prerequisites
Requirements
Before attempting this configuration, ensure that you meet these requirements:
- Basic concepts of Secure Socket Layer / Transport Layer Security (SSL/TLS)
- Basic setup of the CSS
- Access to the web server keys and certificates from existing SSL web servers
- Authorization to change the SSL configuration on your servers
Components Used
The information in this document is based on these software and hardware versions:
- WebNS Version 7.20 build 206
- CSS 11506
- VeriSign On Site Certificate
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Related Products
This configuration can also be used with these hardware and software versions:
- CSS 11501 with built-in SSL, or CSS 11503/11506 with a CSS5-SSL-K9 SSL module installed
- WebNS software Version 7.20 and above
Conventions
For more information on document conventions, refer to the Cisco Technical Tips Conventions.
Configure
In this section, you are presented with the information to configure the features described in this document.
Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).
Network Diagram
This document uses this network setup:

Configurations
This document uses this configuration:
- CSS 11506 (NWS-5-9)
Traffic from the client arrives and hits the content rule front. This rule is for port 443. The rule load balances the traffic to the service ssl_front, and that service references the SSL proxy list.
The SSL proxy list defines the SSL negotiation with the client and establishes a secure SSL session between the CSS and the client. The configuration defines the SSL proxy IP address, the private key, and the chained or single certificate to use. It also defines the clear text content rule that the decrypted traffic is going to hit.
The content rule referred to is content back. Because the data is now in clear text, the CSS can see the HTTP headers. In order to maintain stickiness to a server, use ArrowPoint cookies. The CSS then makes a load balancing decision based on the ArrowPoint cookie if the client has already received one, or via the underlying load balancing algorithm if it has not. In this case, the CSS load balances the request to service backend1.
The request is then sent to service backend1. This service is configured as type ssl-accel-backend. There is no physical server here.
The SSL proxy list is referred to again, and in the configuration you can see the backend-server configuration. This configuration is very similar to the SSL decryption on the front end, but in reverse: clear text is converted to SSL. You can also define the cipher to use in the client hello.
The request is then sent, encrypted, to the physical server.
CSS 11506 (NWS-5-9)

nws-5-2# sh run
!Generated on 01/09/2004 01:16:00
!Active version: sg0720206
configure
!*************************** GLOBAL ***************************
cdp run
ssl associate rsakey privatekey myprivatekey
ssl associate cert certificate mynewcert.pem
!--- Define the SSL certificate and key files to use for the Web site.
!--- These are for the client to SSL module connection.
ip route 0.0.0.0 0.0.0.0 10.66.86.17 1
!************************* INTERFACE *************************
interface 3/1
  bridge vlan 41
!************************** CIRCUIT **************************
circuit VLAN1
  ip address 10.1.1.1 255.255.255.0
circuit VLAN41
  ip address 10.66.86.29 255.255.255.240
!*********************** SSL PROXY LIST ***********************
ssl-proxy-list my_secure_site
  ssl-server 1
  ssl-server 1 rsakey privatekey
  ssl-server 1 rsacert certificate
  ssl-server 1 cipher rsa-with-rc4-128-md5 10.1.1.10 81
  ssl-server 1 vip address 10.66.86.28
  !--- SSL server configuration. This is for the client to the SSL
  !--- module connection.
  backend-server 10
  !--- Backend SSL configuration. These specify the parameters for
  !--- the connection from the CSS to the backend servers.
  backend-server 10 ip address 10.1.1.20
  backend-server 10 port 81
  !--- This defines the clear text IP and port that are
  !--- used to encrypt data headed for the backend servers.
  backend-server 10 server-ip 10.1.1.20
  backend-server 10 server-port 8003
  !--- This is the physical server. If no server-port were
  !--- configured, the default 443 would be used.
  backend-server 10 cipher rsa-export-with-rc4-40-md5
  !--- The CSS behaves as a client. Specify what SSL cipher
  !--- you are going to present to the backend server in the SSL
  !--- handshake client hello packet.
  backend-server 20
  backend-server 20 ip address 10.1.1.21
  backend-server 20 port 81
  backend-server 20 server-ip 10.1.1.21
  backend-server 20 server-port 8003
  backend-server 20 cipher rsa-export-with-rc4-40-md5
  backend-server 30
  backend-server 30 ip address 10.1.1.22
  backend-server 30 port 81
  backend-server 30 server-ip 10.1.1.22
  backend-server 30 server-port 8003
  backend-server 30 cipher rsa-export-with-rc4-40-md5
  active
!************************** SERVICE **************************
service ssl_front
  slot 6
  type ssl-accel
  keepalive type none
  add ssl-proxy-list my_secure_site
  active
service backend1
  ip address 10.1.1.20
  type ssl-accel-backend
  port 81
  add ssl-proxy-list my_secure_site
  keepalive port 8003
  keepalive type ssl
  protocol tcp
  active
service backend2
  ip address 10.1.1.21
  type ssl-accel-backend
  port 81
  keepalive port 8003
  add ssl-proxy-list my_secure_site
  keepalive type ssl
  protocol tcp
  active
service backend3
  ip address 10.1.1.22
  protocol tcp
  port 81
  keepalive port 8003
  keepalive type ssl
  type ssl-accel-backend
  add ssl-proxy-list my_secure_site
  active
!*************************** OWNER ***************************
owner my_secure_site
  content back
    protocol tcp
    port 81
    url "/*"
    vip address 10.1.1.10
    add service backend1
    add service backend2
    add service backend3
    advanced-balance arrowpoint-cookie
    active
  content front
    protocol tcp
    vip address 10.66.86.28
    application ssl
    add service ssl_front
    port 443
    active
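The chain described above (decrypt at ssl-server 1, hit the clear-text rule back, re-encrypt through a backend-server entry) only works when the IP addresses and ports in the three places agree. This added check (not part of the Cisco document) parses a constructed subset of the configuration shown above and reports every place where the chain is broken; the parser is a minimal hypothetical one for the keywords used here, not a general CSS config parser.

```python
# Constructed subset of this document's CSS running config (proxy list, one
# ssl-accel-backend service and the clear-text content rule).
CSS_CONFIG = """\
ssl-proxy-list my_secure_site
  ssl-server 1 cipher rsa-with-rc4-128-md5 10.1.1.10 81
  ssl-server 1 vip address 10.66.86.28
  backend-server 10 ip address 10.1.1.20
  backend-server 10 port 81
  backend-server 10 server-ip 10.1.1.20
  backend-server 10 server-port 8003
  active
service backend1
  ip address 10.1.1.20
  type ssl-accel-backend
  port 81
  add ssl-proxy-list my_secure_site
owner my_secure_site
  content back
    port 81
    vip address 10.1.1.10
    add service backend1
"""


def parse_css(config):
    """Tiny parser: each block becomes a dict of 'keyword words' -> last token;
    'add service' lines and backend-server lines are collected separately."""
    blocks, cur = {}, None
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] in ('owner', 'ssl-proxy-list', 'service', 'content'):
            cur = blocks.setdefault((t[0], t[1]), {'add service': [], 'backend': {}})
        elif t[0] == 'ssl-server' and 'cipher' in t:
            cur['clear'] = (t[-2], t[-1])      # clear-text IP and port after decryption
        elif t[0] == 'backend-server' and len(t) > 2:
            cur['backend'].setdefault(t[1], {})[' '.join(t[2:-1])] = t[-1]
        elif t[:2] == ['add', 'service']:
            cur['add service'].append(t[2])
        else:
            cur[' '.join(t[:-1])] = t[-1]      # e.g. 'ip address' -> '10.1.1.20'
    return blocks


def check_chain(config, plist_name, back_rule):
    """Return mismatches in the decrypt -> clear-text rule -> re-encrypt chain."""
    blocks = parse_css(config)
    plist, rule, problems = blocks['ssl-proxy-list', plist_name], blocks['content', back_rule], []
    # The clear-text target in 'ssl-server N cipher' must be the back rule's VIP/port.
    if plist.get('clear') != (rule.get('vip address'), rule.get('port')):
        problems.append(f"clear-text target {plist.get('clear')} does not match rule {back_rule}")
    backends = {(b.get('ip address'), b.get('port')) for b in plist['backend'].values()}
    for name in rule['add service']:
        svc = blocks['service', name]
        if svc.get('type') != 'ssl-accel-backend' or svc.get('add ssl-proxy-list') != plist_name:
            problems.append(f"{name}: needs type ssl-accel-backend and add ssl-proxy-list {plist_name}")
        # Each backend service's IP/port must map to a backend-server entry for re-encryption.
        if (svc.get('ip address'), svc.get('port')) not in backends:
            problems.append(f"{name}: no backend-server in {plist_name} for {svc.get('ip address')}:{svc.get('port')}")
    return problems
```

An empty list means the three places agree; run it against a copy of the real running config after any change to the proxy list or the backend services.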
Verify and Troubleshoot
This section provides information you can use to troubleshoot your configuration. The left-hand column is a listing of the life cycle of a session. The right-hand column is a listing of the show commands and tools that can be used to check the state of each part of the life cycle.
| Logical Life Cycle | Commands / Techniques (examples below) |
|---|---|
| Client | Sniffer trace from the client machine. Look for the TCP three-way handshake and the SSL client hello and server hello. |
| Content Rule front | show rule: look for the rule as being Active. Try to ping the VIP address of the rule; it should respond. Take a sniffer trace on the link connecting to the CSS on the client side. |
| Service ssl_front | show service summary: make sure the service is alive. show service ssl_front: make sure the service is alive and the SSL proxy list my_secure_site is listed and active. Check that the total local connections are incrementing. |
| SSL proxy list my_secure_site | show ssl-proxy-list: make sure the state is Active. show ssl-proxy-list my_secure_site: provides the configuration information. show ssl statistics: make sure no errors are incrementing (see the example below). show ssl flows: displays the current flows. |
| Content Rule back | show rule: look for the rule as being Active. |
| Services backend1, backend2 or backend3 | show service summary: make sure the service is alive. show service <service name>: make sure that at least one service is alive and the SSL proxy list my_secure_site is listed and active. Check that the total local connections are incrementing. |
| SSL proxy list my_secure_site | show ssl-proxy-list: make sure the state is Active. show ssl-proxy-list my_secure_site: provides the configuration information. show ssl statistics: make sure no errors are incrementing (see the example below). show ssl flows: displays the current flows. |
| Server | Sniffer trace from the client machine. Look for the TCP three-way handshake and the SSL client hello and server hello. Check whether the server is listening on the SSL port: issue the netstat -a command on Windows, and the netstat -l command on Unix/Linux machines. |
Verify and Troubleshooting Command Examples
This section provides troubleshooting information relevant to the commands listed in the life cycle above and what to look for in each command. The annotated (!---) lines mark the sections to check; investigate if they show a different state.
show rule
Name: back Owner: my_secure_site
State: Active Type: HTTP
Balance: Round Robin Failover: N/A
Persistence: Enabled Param-Bypass: Disabled
Session Redundancy: Disabled
IP Redundancy: Not Redundant
L3: 10.1.1.10
!--- These lines indicate the configuration of the rule.
L4: TCP/81
Url: /*
!--- This indicates a Layer 7 rule, where the CSS spoofs the
!--- connection.
Redirect: ""
TCP RST client if service unreachable: Disabled
Rule Services:
1: backend1-Alive
>>>>>>>>
Name: front Owner: my_secure_site
State: Active Type: SSL
Balance: Round Robin Failover: N/A
Persistence: Enabled Param-Bypass: Disabled
Session Redundancy: Disabled
IP Redundancy: Not Redundant
L3: 10.66.86.28
!--- These lines indicate the configuration of the rule.
L4: TCP/443
Url:
!--- There is no URL configured, so this is a Layer 4 rule.
Redirect: ""
TCP RST client if service unreachable: Disabled
Rule Services:
1: ssl_front-Alive
show service summary
Service Name   State   Conn   Weight   Avg Load   State Transitions
backend1       Alive   0      1        2          9
backend2       Down    0      1        255        0
backend3       Down    0      1        255        0
ssl_front      Alive   0      1        2          4
sh service ssl_front
Name: ssl_front Index: 4
Type: Ssl-Accel State: Alive
Rule ( 0.0.0.0 ANY ANY )
Session Redundancy: Disabled
SSL-Accel slot: 6
!--- Make sure this is the slot where the SSL module is installed.
Session Cache Size: 10000
Redirect Domain:
Redirect String:
Keepalive: (NONE 5 3 5 )
Last Clearing of Stats Counters: 01/28/2004 22:29:34
Mtu: 1500 State Transitions: 4
!--- Connection counters should be increasing.
Total Local Connections: 576 Total Backup Connections: 0
Current Local Connections: 0 Current Backup Connections: 0
Total Connections: 576 Max Connections: 65534
Total Reused Conns: 0
Weight: 1 Load: 2
DFP: Disable
SSL Proxy Lists:
1: my_secure_site-Active
show ssl-proxy-list
Ssl-Proxy-List Table Entries (1 Entries)
1) Name: my_secure_site
State: Active
!--- The number of services pointing to the SSL proxy list. This
!--- includes the back-end services as well.
Services Associated: 4
show ssl-proxy-list my_secure_site
- Ssl-proxy-list Entries for list my_secure_site -
Number of SSL-Servers: 1
Ssl-Server 1 -
Vip address: 10.66.86.28
Vip port: 443
RSA Certificate: certificate
!--- This is the certificate file associated for the SSL site.
RSA Keypair: privatekey
!--- This is the private key file associated for the SSL site.
DSA Certificate: none
DSA Keypair: none
DH Param: none
Session Cache Timeout: 300 SSL Version: SSL and TLS
Re-handshake Timeout: 0 Re-handshake Data: 0
Virtual TCP Inactivity TO: 240 Server TCP Inactivity TO: 240
Virtual TCP Syn Timeout: 30 Server TCP Syn Timeout: 30
Virtual TCP Nagle Algorithm: enable Server TCP Nagle Algorithm: enable
TCP Receive Buffer: 32768 TCP Transmit Buffer: 65536
SSL Shutdown Procedure: normal
Cipher Suite(s) Weight Port Server
--------------- ------ ---- ------
rsa-with-rc4-128-md5 1 81 10.1.1.10
!--- This is the cipher suite used in the server SSL hello back to the client,
!--- and the clear text IP address and port of the decrypted traffic.
URL Rewrite Rule(s) - None
Number of Ssl Proxy backend-servers: 3
Backend-server 10 -
!--- This is the back-end server clear text IP and port.
IP address: 10.1.1.20
Port: 81
!--- This is the back-end server SSL server IP and port.
Server IP address: 10.1.1.20
Server port: 8003
Session Cache Timeout: 300 SSL Version: SSL and TLS
Re-handshake Timeout: 0 Re-handshake Data: 0
Virtual TCP Inactivity TO: 240 Server TCP Inactivity TO: 240
Virtual TCP Syn Timeout: 30 Server TCP Syn Timeout: 30
Virtual TCP Nagle Algorithm: enable Server TCP Nagle Algorithm: enable
TCP Receive Buffer: 32768 TCP Transmit Buffer: 65536
Cipher Suite(s) Weight
--------------- ------
rsa-export-with-rc4-40-md5 1
!--- This is the cipher suite used in the client hello to the SSL server.
!--- In this case, the SSL module is encrypting the traffic and acting as
!--- a client.
Backend-server 20 -
IP address: 10.1.1.21
Port: 81
Server IP address: 10.1.1.21
Server port: 8003
Session Cache Timeout: 300 SSL Version: SSL and TLS
Re-handshake Timeout: 0 Re-handshake Data: 0
Virtual TCP Inactivity TO: 240 Server TCP Inactivity TO: 240
Virtual TCP Syn Timeout: 30 Server TCP Syn Timeout: 30
Virtual TCP Nagle Algorithm: enable Server TCP Nagle Algorithm: enable
TCP Receive Buffer: 32768 TCP Transmit Buffer: 65536
Cipher Suite(s) Weight
--------------- ------
rsa-export-with-rc4-40-md5 1
Backend-server 30 -
IP address: 10.1.1.22
Port: 81
Server IP address: 10.1.1.22
Server port: 8003
Session Cache Timeout: 300 SSL Version: SSL and TLS
Re-handshake Timeout: 0 Re-handshake Data: 0
Virtual TCP Inactivity TO: 240 Server TCP Inactivity TO: 240
Virtual TCP Syn Timeout: 30 Server TCP Syn Timeout: 30
Virtual TCP Nagle Algorithm: enable Server TCP Nagle Algorithm: enable
TCP Receive Buffer: 32768 TCP Transmit Buffer: 65536
Cipher Suite(s) Weight
--------------- ------
rsa-export-with-rc4-40-md5 1
show ssl statistics
SSL Acceleration Statistics
Component: SSL Proxy Server Slot: 6
Count Description
--------------- -----------
576 Handshake started for incoming SSL connections
576 Handshake completed for incoming SSL connections
!--- These are the SSL handshake statistics for the client to CSS connection.
560 Handshake started for outgoing SSL connections
560 Handshake completed for outgoing SSL connections
!--- These are the SSL handshake stats for the CSS to backend servers.
12 Active SSL flows high water mark
!--- This is the maximum number of active SSL flows.
SSL Acceleration Statistics
Component: Crypto Slot: 6
Count Description
--------------- -----------
14 RSA Private
3 RSA Public
0 DH Shared
0 DH Public
0 DSA Sign
0 DSA Verify
0 SSL MAC
7,515 TLS HMAC
0 3DES
7,918 ARC4
69,876 HASH
0 RSA Private Failed
0 RSA Public Failed
0 DH Shared Failed
0 DH Public Failed
0 DSA Sign Failed
0 DSA Verify Failed
0 SSL MAC Failed
0 TLS HMAC Failed
0 3DES Failed
0 ARC4 Failed
0 HASH Failed
0 Hardware Device Not Found
0 Hardware Device Timed Out
0 Invalid Crypto Parameter
0 Hardware Device Failed
0 Hardware Device Busy
0 Out Of Resources
0 Cancelled -- Device Reset
!--- At this point, any errors need to be investigated.
SSL Acceleration Statistics
Component: SSL Slot: 6
Count Description
--------------- -----------
14 RSA Private Decrypt calls
3 RSA Public Decrypt calls
0 DH Compute key calls
0 DH Generate key calls
0 DSA Verify calls
0 DSA Sign calls
34,220 MD5 raw hash calls
34,220 SHA1 raw hash calls
0 3-DES calls
7,918 RC4 calls
0 SSL MAC(MD5) calls
0 SSL MAC(SHA1) calls
7,515 TLS MAC(MD5) calls
0 TLS MAC(SHA1) calls
0 Level 2 Alerts Received
725 Level 1 Alerts Received
0 Level 2 Alerts Sent
1,134 Level 1 Alerts Sent
1,200,211 SSL received bytes from TCP
1,155,278 SSL transmitted bytes to TCP
1,006,669 SSL received Application Data bytes
1,970,856 SSL transmitted Application Data bytes
124,497 SSL received non-application data bytes
152,147 SSL transmitted non-application data bytes
!--- These are the traffic stats for the SSL module; they should be incrementing.
0 RSA Private Decrypt failures
0 MAC failures for packets received
0 Re-handshake TimerAlloc failed
0 Blocks SSL could not allocate
0 Dup Blocks SSL could not allocate
0 Too many blocks for Block2AccelFragmentArray
0 Too many blocks in a SSL message
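The life cycle table says to make sure no errors are incrementing in show ssl statistics, and the comment above says any errors need to be investigated. This added check (not part of the Cisco document) parses output in the format shown above and lists the counters worth looking at: non-zero failure, resource and fatal (level 2) alert counters, plus handshakes that started but never completed. The sample output is constructed from this document's format; the 570 and 3 values are hypothetical so that the check has something to report.

```python
import re

# Constructed excerpt in the format of this document's 'show ssl statistics'
# output. Two values are hypothetical (570 completed incoming handshakes and
# 3 MAC failures) so that the check below has something to report.
SSL_STATS = """\
SSL Acceleration Statistics
Component: SSL Proxy Server Slot: 6
Count Description
--------------- -----------
576 Handshake started for incoming SSL connections
570 Handshake completed for incoming SSL connections
560 Handshake started for outgoing SSL connections
560 Handshake completed for outgoing SSL connections
SSL Acceleration Statistics
Component: Crypto Slot: 6
Count Description
--------------- -----------
7,515 TLS HMAC
0 TLS HMAC Failed
SSL Acceleration Statistics
Component: SSL Slot: 6
Count Description
--------------- -----------
725 Level 1 Alerts Received
0 Level 2 Alerts Received
1,200,211 SSL received bytes from TCP
0 RSA Private Decrypt failures
3 MAC failures for packets received
0 Blocks SSL could not allocate
"""

# Descriptions that denote an error condition; level 2 SSL alerts are fatal alerts.
ERROR_WORDS = re.compile(r'fail|not found|timed out|invalid|busy|out of resources|'
                         r'cancelled|could not|too many|level 2 alerts', re.I)


def parse_ssl_stats(text):
    """Return {(component, description): count} from 'show ssl statistics' output."""
    counters, component = {}, None
    for line in text.splitlines():
        m = re.match(r'Component:\s+(.*?)\s+Slot:\s+\d+', line)
        if m:
            component = m.group(1)
            continue
        m = re.match(r'\s*([\d,]+)\s+(\S.*)$', line)
        if m and component:
            counters[component, m.group(2).strip()] = int(m.group(1).replace(',', ''))
    return counters


def ssl_stats_findings(text):
    """List non-zero error counters and handshakes that started but did not complete."""
    c = parse_ssl_stats(text)
    findings = [f"{comp}: {desc} = {n}"
                for (comp, desc), n in c.items() if n and ERROR_WORDS.search(desc)]
    for direction in ('incoming', 'outgoing'):
        started = c.get(('SSL Proxy Server', f'Handshake started for {direction} SSL connections'), 0)
        done = c.get(('SSL Proxy Server', f'Handshake completed for {direction} SSL connections'), 0)
        if started != done:
            findings.append(f"{direction} handshakes: {started} started, {done} completed")
    return findings
```

Run it on two captures taken a few minutes apart; a counter that appears in the findings of the second capture but not the first is the one that is incrementing.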
show ssl flows
SSL Acceleration Flows for slot 6
Virtual Port TCP Proxy Flows Active SSL Flows SSL Flows in Handshake
--------------- ---- --------------- ---------------- ----------------------
10.66.86.28 443 6 2 0
10.1.1.20 81 6 2 0
10.1.1.22 81 0 0 0
10.1.1.21 81 0 0 0
!--- This is the number of active flows in the CSS. These can be difficult to see on a
!--- box with little load.
show service backend1
Name: backend1 Index: 1
Type: Ssl-Accel-Backend State: Alive
Rule ( 10.1.1.20 TCP 81 )
Session Redundancy: Disabled
Redirect Domain:
Redirect String:
Keepalive: (SSL-8003 5 3 5 )
Last Clearing of Stats Counters: 01/28/2004 22:29:34
Mtu: 1500 State Transitions: 9
Total Local Connections: 689 Total Backup Connections: 0
Current Local Connections: 0 Current Backup Connections: 0
Total Connections: 689 Max Connections: 65534
Total Reused Conns: 0
Weight: 1 Load: 2
DFP: Disable
SSL Proxy Lists:
1: my_secure_site-Active
TAC Service Request Information
Before opening a Technical Assistance Center (TAC) service request, gather this information:
- Using the life cycle above, gather the output of all the commands mentioned and group it per life cycle step.
- Provide the script play showtech command output.
- Provide a detailed topology diagram.
- Provide sniffer traces from the client side and the server side of the CSS. This is optional, but may shorten resolution time.
- If you provide sniffer traces, identify the client's IP address.
Related Information
- CSS 11000 Series Content Services Switches Hardware Support
- CSS 11500 Series Content Services Switches Hardware Support
- Cisco WebNS CSS11500 Software Download Page (registered customers only)
- Cisco WebNS CSS11000 Software Download Page (registered customers only)
- Technical Support - Cisco Systems
Updated: Jan 31, 2006 | Document ID: 47390
