SSLM Software release 2.1(1) for 6500 Switches and 7600 Routers

Table Of Contents

Cisco Catalyst 6500 Series SSL Services Module Software Version 2.1(1)

Platform Requirements

Availability

Product Information

Additional Information

Product Bulletin No. 2447

Cisco Catalyst 6500 Series SSL Services Module Software Version 2.1(1)


The Cisco® Catalyst® 6500 Series SSL Services Module is an integrated service module for the Cisco Catalyst 6500 Series Switch and 7600 Series Router that offloads the processor-intensive tasks related to securing traffic with Secure Sockets Layer (SSL) while allowing servers to handle high-speed plaintext traffic. Cisco Systems® announces the new software release for the SSL Services Module. Table 1 describes the new features supported in release 2.1(1).

Table 1  Features and Descriptions
Back-end Encryption

With back-end encryption, the SSL Services Module accepts incoming SSL sessions from external clients and initiates SSL sessions to a back-end real server without sacrificing the ability of the content switch to make intelligent Layer 5 to Layer 7 local load-balancing decisions.

End-to-end encryption allows all the benefits of SSL acceleration and content-based switching services without sacrificing the security of client-to-server SSL.

Client Authentication

Client authentication allows you to configure the option to request and authenticate the client certificate when the SSL Services Module acts as an SSL server. The SSL Services Module automatically authenticates the server certificate when it acts as an SSL client. The feature specifies a set of trusted certificate authorities and the scope of validation for each proxy service.

Client Certificates

SSL certificates are used during the SSL handshake (an exchange of certificates between the server and client that occurs during an SSL session).

SSL V2.0 Forwarding

SSL forwarding allows you to configure the SSL Services Module to forward SSLv2 connections to another server. When you configure the SSLv2 server IP address, the SSL Services Module transparently forwards all SSLv2 connections to that server.

Certificate Revocation List (CRL) Lookup

The SSL Services Module downloads a CRL from a certificate authority only when a lookup requires it. The CRL is deleted when it expires.

Hot Standby Router Protocol (HSRP) Redundancy

You can configure HSRP to provide redundancy when the SSL Services Module is used in a standalone configuration (using policy-based routing). Among other benefits, HSRP provides an active/active (load sharing) model on top of the typical active/standby model. It allows users to configure multiple HSRP groups across two or more redundant systems and to implement redundancy independently in each group.

URL Rewrite

URL rewrite may be needed when a customer offloads SSL processing. The SSL accelerator converts HTTPS sessions into HTTP sessions, so in some cases the server application is unaware that the session with the client should be encrypted. This release supports the URL rewrite feature for redirects only, not for embedded links. It can also be used to indicate the cipher suite in use, which can feed a load-balancing decision. Client IP/port information is used to keep track of clients.
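The redirect-only rewrite described above, as an added illustration (not Cisco's code): a 3xx response's Location header is switched back from http to https for the offloaded hosts, while links in the body are left untouched. The sample response and host list are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: a redirect as the back-end server emits it over plain HTTP.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://www.example.com/account/login\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<a href="http://www.example.com/help">help</a>\r\n'
)

# Hosts whose SSL processing is offloaded (assumed values for the example).
REWRITE_HOSTS = {"www.example.com", "example.com"}


def rewrite_redirect(response: str, hosts=REWRITE_HOSTS) -> str:
    """Rewrite http -> https in the Location header of a 3xx response only.

    Non-redirect responses and the response body (embedded links) are returned
    unchanged, matching the redirect-only scope of the feature.
    """
    head, sep, body = response.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or not status[1].startswith("3"):
        return response  # not a redirect: nothing to rewrite

    out = [lines[0]]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            parts = urlsplit(value.strip())
            if parts.scheme == "http" and parts.hostname in hosts:
                # Keep netloc, path, query and fragment; only the scheme changes.
                value = urlunsplit(("https",) + tuple(parts[1:]))
                line = f"{name}: {value}"
        out.append(line)
    return "\r\n".join(out) + sep + body
```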

Header Insertion

Header insertion is another method by which the SSL card can indicate to the real server that the connection it is processing is an SSL connection. The application on the real server uses the information inserted as headers to respond to the client.

Simple Network Management Protocol (SNMP) Support

Cisco Catalyst 6500 Series SSL Services Module Software Version 2.1(1) supports the following objects and operations:

Global configuration—Version string, Federal Information Processing Standard mode, and cipher suites supported

Proxy service configuration—Name, type, addresses, ports, administrative status and operation status

Proxy service policy configuration—Policy names assigned for each proxy service, NULL string if none

Global counters—SSL, SSL 3.0, Transport Layer Security (TLS) 1.0 and SSL errors

CPU information—Name and usage in percentage over a period of time

Public key infrastructure (PKI)—Key and certificate configuration per proxy service

Traps—Proxy service up/down and certificate expiring, disabled by default

Wildcard Proxy

Wildcard proxy aggregates many servers behind a single gateway.

Password Recovery

If users forget one or more passwords (for instance, the nonprivileged user password or the enable mode password), they are unable to log in to the Cisco IOS® Software console.

A special mode of the running image bypasses the password checking and allows users to reset or change the passwords on bootup.

PKI—Access Control List (ACL)

Certificates can be used to identify an entity and, using fields within the certificate, to associate attributes with that entity. The certificate includes fields used to determine if the entity is authorized to perform a specified action. ACLs based on fields within the certificate are used to create a certificate-based ACL. The certificate-based ACL specifies one or more fields within the certificate and an acceptable value for each specified field.
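A certificate-based ACL of the kind described above, as an added example (not the module's implementation): each entry names certificate fields and an acceptable value for each, a certificate is permitted when every field of some entry matches, and nothing matching means deny. The certificates, ACL entries and the "scope.attribute" field naming are constructed for this example.

```python
import fnmatch

# Constructed sample certificates, reduced to the distinguished-name fields the ACL inspects.
CERTS = {
    "alice": {"subject": "CN=alice,OU=Finance,O=Example Corp,C=US",
              "issuer": "CN=Example Corp Issuing CA,O=Example Corp,C=US"},
    "bob": {"subject": "CN=bob,OU=Sales,O=Example Corp,C=US",
            "issuer": "CN=Example Corp Issuing CA,O=Example Corp,C=US"},
    "svc-backup": {"subject": "CN=svc-backup,OU=IT,O=Example Corp,C=US",
                   "issuer": "CN=Example Corp Issuing CA,O=Example Corp,C=US"},
    "mallory": {"subject": "CN=mallory,OU=Finance,O=Other Org,C=US",
                "issuer": "CN=Other Org CA,O=Other Org,C=US"},
}

# Constructed ACL: field -> acceptable value (shell-style wildcards allowed).
ACL = [
    {"issuer.cn": "Example Corp Issuing CA", "subject.ou": "Finance"},
    {"issuer.cn": "Example Corp Issuing CA", "subject.cn": "svc-*"},
]


def parse_dn(dn: str) -> dict:
    """Split 'CN=alice,OU=Finance,...' into {'cn': 'alice', 'ou': 'Finance', ...}."""
    fields = {}
    for part in dn.split(","):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def cert_acl_permits(cert: dict, acl: list) -> bool:
    """Permit if any ACL entry matches; an entry matches only if every field it names matches."""
    names = {"subject": parse_dn(cert["subject"]), "issuer": parse_dn(cert["issuer"])}
    for entry in acl:
        for field, pattern in entry.items():
            scope, _, attr = field.partition(".")
            value = names.get(scope, {}).get(attr)
            if value is None or not fnmatch.fnmatchcase(value, pattern):
                break  # this entry fails; try the next one
        else:
            return True  # every field in the entry matched
    return False  # implicit deny when no entry matches
```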

Certificate Caching

Validating a certificate is a CPU-intensive operation, so caching certificate data avoids repeating the validation every time the same certificate is received. When a certificate is received for the first time, it is validated and its data is cached, so the full validation process is unnecessary when the same certificate is received later. Cache entries are deleted when they age out.

Certificate Expiration Warning

Enabling certificate expiration warnings means that the SSL Services Module checks every 30 minutes for expiration information. The SSL Services Module logs warning messages and sends SNMP traps when certificates have expired or will expire within a specified amount of time.


Platform Requirements

The SSL Services Module Software v2.1(1) is supported on Cisco SSL Services Module (WS-SVC-SSL-1-K9). The SSL Services Module Software v2.1(1) release notes have detailed information on minimum supervisor engine operating system requirements.

Availability

Download SSL Services Module Software v2.1(1) from the Cisco.com Software Center.

Product Information

For additional product information go to:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/ssl_mod/index.htm

http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4156/index.html

Additional Information

For additional product ordering and availability information or if you have questions, send e-mail to
ask-c6000-pm@cisco.com or cs-cat-ssl@cisco.com.