Document ID: 50061 |
Introduction
The backend Secure Sockets Layer (SSL) configuration is used when a client speaking plain HTTP (clear text) must communicate with an HTTPS server (encrypted traffic). The SSL module acts as a proxy: it accepts the HTTP connection from the client and opens its own SSL connection to the server. Traffic from the client is encrypted by the SSL module and forwarded to the server; traffic from the server is decrypted before being forwarded to the client. Two consequences matter for security: the client-to-module leg stays in clear text, so it should only run over a network segment you trust, and it is the module, not the client, that validates the server's certificate, which is why the trusted CA configuration below is required.
This is the initial configuration of the SSL module. The VLAN definitions are included.
ssl-proxy vlan 499
 ipaddr 192.168.11.197 255.255.254.0
 gateway 192.168.10.1
 admin
ssl-proxy vlan 500
 ipaddr 192.168.21.197 255.255.254.0
 gateway 192.168.20.1
ssl-proxy vlan 501
 ipaddr 192.168.31.197 255.255.254.0
Before You Begin
Requirements
Before attempting this configuration, please ensure that you meet these requirements:
- Catalyst 6000 with SSL module
- SSL module has been configured with a management VLAN
- SSL module has been configured with client and server VLANs
Components Used
The information in this document is based on this hardware and software version:
- SSL module version 2.1 minimum
Conventions
For more information on document conventions, see the Cisco Technical Tips Conventions.
Backend SSL configuration
In this section, you are presented with the information to configure the features described in this document.
SSL and Certificates
A trusted Certificate Authority (CA) is required to validate the certificate presented to the SSL module by the web server when the SSL connection is established. Multiple trusted CAs can be configured and linked together in a CA pool; the server certificate is accepted only if it chains to one of the CAs in the pool that the service refers to.
Importing Trusted CA Certificates
Complete these steps:
- Create a trusted CA entry that indicates how its certificate will be imported. In this example the certificate is pasted into a terminal window (enrollment terminal). The crl optional command makes certificate revocation list (CRL) checking optional: the server certificate is still accepted when no CRL can be retrieved for this CA. That is convenient in a lab, but it means a revoked server certificate will not be detected.
ssl-proxy(config)#crypto ca trustpoint CA1
ssl-proxy(ca-trustpoint)#enrollment terminal
ssl-proxy(ca-trustpoint)#crl optional
- Once the CA entry has been created, import the associated certificate. Before answering yes, compare the fingerprint the module displays with the value obtained from the CA operator through an independent channel; whatever you accept here becomes a trust anchor for every backend server certificate this module verifies.
ssl-proxy(config)#crypto ca authenticate CA1
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIIEDDCCA3WgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBuzELMAkGA1UEBhMCLS0x
EjAQBgNVBAgTCVNvbWVTdGF0ZTERMA8GA1UEBxMIU29tZUNpdHkxGTAXBgNVBAoT
EFNvbWVPcmdhbml6YXRpb24xHzAdBgNVBAsTFlNvbWVPcmdhbml6YXRpb25hbFVu
aXQxHjAcBgNVBAMTFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjEpMCcGCSqGSIb3DQEJ
ARYacm9vdEBsb2NhbGhvc3QubG9jYWxkb21haW4wHhcNMDMxMTA3MTAyNTE5WhcN
MDQxMTA2MTAyNTE5WjCBuzELMAkGA1UEBhMCLS0xEjAQBgNVBAgTCVNvbWVTdGF0
ZTERMA8GA1UEBxMIU29tZUNpdHkxGTAXBgNVBAoTEFNvbWVPcmdhbml6YXRpb24x
HzAdBgNVBAsTFlNvbWVPcmdhbml6YXRpb25hbFVuaXQxHjAcBgNVBAMTFWxvY2Fs
aG9zdC5sb2NhbGRvbWFpbjEpMCcGCSqGSIb3DQEJARYacm9vdEBsb2NhbGhvc3Qu
bG9jYWxkb21haW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALbEc403lMrc
TwM0MGU1IDe7QWQE5h5NjS/Lf8KX81sNcO7DGrDLxjxKpKEfp2XY9XYbFBXGzDIP
JdROjujvcUi0ZgQYr2pqP2eYHkWaMKClZ32JX4hOhgo0vr7dAQ7CKDRAVLddwqsC
YTl1QPQHR27gtI/M74v4kaP1JBf/8Z+jAgMBAAGjggEcMIIBGDAdBgNVHQ4EFgQU
JKrmeHLjYClfDU3fR7BSQ8ckApQwgegGA1UdIwSB4DCB3YAUJKrmeHLjYClfDU3f
R7BSQ8ckApShgcGkgb4wgbsxCzAJBgNVBAYTAi0tMRIwEAYDVQQIEwlTb21lU3Rh
dGUxETAPBgNVBAcTCFNvbWVDaXR5MRkwFwYDVQQKExBTb21lT3JnYW5pemF0aW9u
MR8wHQYDVQQLExZTb21lT3JnYW5pemF0aW9uYWxVbml0MR4wHAYDVQQDExVsb2Nh
bGhvc3QubG9jYWxkb21haW4xKTAnBgkqhkiG9w0BCQEWGnJvb3RAbG9jYWxob3N0
LmxvY2FsZG9tYWluggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEA
bVSfbEnrUKijkP5f76pyNFDYCS9Qu4PN8SJu8KXlmFTpcV1oToVAipUGBsgENvKx
R1aJqpAU8a9iGVFukaco3Q+Gu9TErWauVevflwekcY5sOHXt33jWneveDcNwEQ1J
JmptCZO2GS8td+PfFJKkc846fqe0LL/BzPPNrkM4C/8=
-----END CERTIFICATE-----

Certificate has the following attributes:
Fingerprint: 458E7A60 0845AD98 A1649A8B 040F8E99
% Do you accept this certificate? [yes/no]:
- Repeat these steps for as many CAs as needed.
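The fingerprint prompt above is the one point at which an operator can catch a wrong or substituted CA certificate, so it is worth being able to inspect a certificate offline before pasting it. The following script is an added example, not part of the original Cisco document: it decodes the example CA certificate shown above (a self-signed certificate for localhost.localdomain, constructed here as the sample input) with a minimal DER walker from the Python standard library, extracts the serial number, issuer and subject CN and validity period, and computes an MD5 fingerprint over the DER bytes. The assumption that the 128-bit value the module prints is the MD5 of the DER encoding is mine, not something the page states; the 8-hex-digit grouping only mirrors the prompt's layout.

```python
import base64
import hashlib
from datetime import datetime, timezone

# Constructed sample: the self-signed example CA certificate that this page
# pastes into the "crypto ca authenticate CA1" prompt, copied verbatim.
CA_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIEDDCCA3WgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBuzELMAkGA1UEBhMCLS0x
EjAQBgNVBAgTCVNvbWVTdGF0ZTERMA8GA1UEBxMIU29tZUNpdHkxGTAXBgNVBAoT
EFNvbWVPcmdhbml6YXRpb24xHzAdBgNVBAsTFlNvbWVPcmdhbml6YXRpb25hbFVu
aXQxHjAcBgNVBAMTFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjEpMCcGCSqGSIb3DQEJ
ARYacm9vdEBsb2NhbGhvc3QubG9jYWxkb21haW4wHhcNMDMxMTA3MTAyNTE5WhcN
MDQxMTA2MTAyNTE5WjCBuzELMAkGA1UEBhMCLS0xEjAQBgNVBAgTCVNvbWVTdGF0
ZTERMA8GA1UEBxMIU29tZUNpdHkxGTAXBgNVBAoTEFNvbWVPcmdhbml6YXRpb24x
HzAdBgNVBAsTFlNvbWVPcmdhbml6YXRpb25hbFVuaXQxHjAcBgNVBAMTFWxvY2Fs
aG9zdC5sb2NhbGRvbWFpbjEpMCcGCSqGSIb3DQEJARYacm9vdEBsb2NhbGhvc3Qu
bG9jYWxkb21haW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALbEc403lMrc
TwM0MGU1IDe7QWQE5h5NjS/Lf8KX81sNcO7DGrDLxjxKpKEfp2XY9XYbFBXGzDIP
JdROjujvcUi0ZgQYr2pqP2eYHkWaMKClZ32JX4hOhgo0vr7dAQ7CKDRAVLddwqsC
YTl1QPQHR27gtI/M74v4kaP1JBf/8Z+jAgMBAAGjggEcMIIBGDAdBgNVHQ4EFgQU
JKrmeHLjYClfDU3fR7BSQ8ckApQwgegGA1UdIwSB4DCB3YAUJKrmeHLjYClfDU3f
R7BSQ8ckApShgcGkgb4wgbsxCzAJBgNVBAYTAi0tMRIwEAYDVQQIEwlTb21lU3Rh
dGUxETAPBgNVBAcTCFNvbWVDaXR5MRkwFwYDVQQKExBTb21lT3JnYW5pemF0aW9u
MR8wHQYDVQQLExZTb21lT3JnYW5pemF0aW9uYWxVbml0MR4wHAYDVQQDExVsb2Nh
bGhvc3QubG9jYWxkb21haW4xKTAnBgkqhkiG9w0BCQEWGnJvb3RAbG9jYWxob3N0
LmxvY2FsZG9tYWluggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEA
bVSfbEnrUKijkP5f76pyNFDYCS9Qu4PN8SJu8KXlmFTpcV1oToVAipUGBsgENvKx
R1aJqpAU8a9iGVFukaco3Q+Gu9TErWauVevflwekcY5sOHXt33jWneveDcNwEQ1J
JmptCZO2GS8td+PfFJKkc846fqe0LL/BzPPNrkM4C/8=
-----END CERTIFICATE-----"""

OID_COMMON_NAME = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3)

def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the DER certificate."""
    lines = [l.strip() for l in pem.splitlines() if l.strip() and not l.startswith("-----")]
    return base64.b64decode("".join(lines))

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; returns (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """Iterate over the TLVs inside a constructed value (SEQUENCE or SET)."""
    pos = start
    while pos < end:
        tlv = read_tlv(buf, pos)
        yield tlv
        pos = tlv[2]

def common_name(buf, start, end):
    """CN attribute of an X.501 Name: SEQUENCE OF SET OF SEQUENCE {oid, value}."""
    for _, rdn_s, rdn_e in children(buf, start, end):
        for _, atv_s, atv_e in children(buf, rdn_s, rdn_e):
            oid, value = list(children(buf, atv_s, atv_e))[:2]
            if buf[oid[1]:oid[2]] == OID_COMMON_NAME:
                return buf[value[1]:value[2]].decode("ascii")
    return None

def parse_time(buf, tlv):
    """UTCTime (tag 0x17, two-digit year) or GeneralizedTime (tag 0x18)."""
    tag, s, e = tlv
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(buf[s:e].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def parse_certificate(der):
    """Serial, issuer/subject CN and validity period from tbsCertificate."""
    _, cert_s, _ = read_tlv(der, 0)           # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = read_tlv(der, cert_s)   # tbsCertificate ::= SEQUENCE
    fields = list(children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields.pop(0)
    serial, _sig_alg, issuer, validity, subject = fields[:5]
    not_before, not_after = list(children(der, validity[1], validity[2]))
    return {
        "serial": int.from_bytes(der[serial[1]:serial[2]], "big", signed=True),
        "issuer_cn": common_name(der, issuer[1], issuer[2]),
        "subject_cn": common_name(der, subject[1], subject[2]),
        "not_before": parse_time(der, not_before),
        "not_after": parse_time(der, not_after),
    }

def md5_fingerprint(der):
    """MD5 over the DER bytes, grouped in 8 hex digits like the module's prompt.
    Assumption: the 128-bit value the module prints is the MD5 of the DER."""
    h = hashlib.md5(der).hexdigest().upper()
    return " ".join(h[i:i + 8] for i in range(0, 32, 8))

def valid_at(info, when):
    """True if the certificate's validity period covers the given UTC time."""
    return info["not_before"] <= when <= info["not_after"]

if __name__ == "__main__":
    der = pem_to_der(CA_CERT_PEM)
    info = parse_certificate(der)
    print(info["subject_cn"], info["not_before"], info["not_after"], md5_fingerprint(der))
    print("valid now:", valid_at(info, datetime.now(timezone.utc)))
```

Run against the page's sample, the script reports a self-signed certificate (issuer CN equals subject CN) that expired on 6 November 2004, which is exactly the kind of fact an operator wants in front of them before answering yes at the prompt. The same walker works on any CA certificate you are about to paste; compare the printed fingerprint with the module's prompt and with the CA operator's published value.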
Creating a Certificate Authority Pool
Complete these steps:
Now that you have created all the trusted CAs and imported their certificates, link them together in a pool. The pool name (mentone-pool in this example) is the name the SSL-proxy service refers to later, so it must match exactly.
ssl-proxy(config)#ssl-proxy pool ca mentone-pool
ssl-proxy(config-ca-pool)#ca trustpoint CA1
Configuring the Backend SSL Service
Complete these steps:
- Create the SSL-proxy service. The keyword client after the service name makes this a backend SSL service: the module acts as the SSL client towards the server.
ssl-proxy(config)#ssl-proxy service MyHTTPS client
ssl-proxy(config-ssl-proxy)#
- Define the Virtual IP (VIP) address and port on which the SSL module listens for clear-text HTTP. The address must belong to a subnet configured on one of the SSL module VLANs; here 192.168.21.241 lies in 192.168.20.0/23, the subnet of VLAN 500.
ssl-proxy(config-ssl-proxy)#virtual ipaddr 192.168.21.241 protocol tcp port 80
- Define the HTTPS server the module connects to. Here 192.168.30.195 is in 192.168.30.0/23, the subnet of VLAN 501, so the encrypted leg leaves the module on that VLAN.
ssl-proxy(config-ssl-proxy)#server ipaddr 192.168.30.195 protocol tcp port 443
- Link the CA pool that has already been defined. The name must match an existing pool exactly; a service that refers to a pool that does not exist is reported as (not configured) and stays operationally down.
ssl-proxy(config-ssl-proxy)#trusted-ca mentone-pool
- Choose how much of the server certificate the SSL module verifies during the SSL handshake. This step is optional. signature-only checks only that the certificate is signed by a CA in the pool; authenticate verify all performs the remaining verification steps as well, so prefer all unless you have a specific reason not to.
ssl-proxy(config-ssl-proxy)#authenticate verify signature-only
-
Activate the service.
ssl-proxy(config-ssl-proxy)#inservice
Verify
This section provides information you can use to confirm your configuration is working properly.
Check that your SSL-proxy service is active and working properly:
ssl-proxy#sho ssl-proxy service MyHTTPS
Service id: 260, bound_service_id: 4
Virtual IP: 192.168.21.241, port: 80
Server IP: 192.168.30.195, port: 443
Certificate authority pool: mentone-pool
  CA pool complete
Certificate authentication type: only signature verification
Admin Status: up
Operation Status: up
ssl-proxy#
This output shows a healthy service: the CA pool is complete and both Admin Status and Operation Status are up.
This example shows a possible problem. The service refers to a CA pool (C2knica) that has not been configured, so the pool is incomplete and the service is administratively up but operationally down. Correct the name given to trusted-ca, or create the missing pool.
ssl-proxy#sho ssl-proxy service gduf
Service id: 259, bound_service_id: 3
Virtual IP: 192.168.31.241, port: 80
Server IP: 192.168.21.3, port: 443
Certificate authority pool: C2knica (not configured)
Certificate authentication type: only signature verification
Admin Status: up
Operation Status: down
Proxy status: CA pool incomplete
Check the statistics. Confirm that connections are being accepted from the client and opened to the server. Read the SSL counters as well: in the output below 7 connections were attempted, but only 1 full handshake succeeded, 6 handshakes failed, and the module sent 6 fatal alerts. Counters like these mean the backend leg is failing even though the service reports up, and are worth investigating (a server certificate that does not verify against the CA pool is one candidate; the zero no-cipher and ver mismatch counters rule out a cipher or version problem).
ssl-proxy#sho ssl-proxy stats
TCP Statistics:
Conns initiated : 7 Conns accepted : 7
Conns established : 14 Conns dropped : 6
Conns Allocated : 22 Conns Deallocated : 22
Conns closed : 14 SYN timeouts : 0
Idle timeouts : 0 Total pkts sent : 54
Data packets sent : 18 Data bytes sent : 1227
Total Pkts rcvd : 54 Pkts rcvd in seq : 24
Bytes rcvd in seq : 9967
SSL Statistics:
conns attempted : 7 conns completed : 7
full handshakes : 1 resumed handshakes : 0
active conns : 0 active sessions : 0
renegs attempted : 0 conns in reneg : 0
handshake failures : 6 data failures : 0
fatal alerts rcvd : 0 fatal alerts sent : 6
no-cipher alerts : 0 ver mismatch alerts : 0
no-compress alerts : 0 bad macs received : 0
pad errors : 0 session fails : 0
FDU Statistics:
IP Frag Drops : 0 IP Version Drops : 0
IP Addr Discards : 0 Serv_Id Drops : 0
Conn Id Drops : 0 Bound Conn Drops : 0
Vlan Id Drops : 0 TCP Checksum Drops : 0
Hash Full Drops : 0 Hash Alloc Fails : 0
Flow Creates : 44 Flow Deletes : 44
Conn Id allocs : 22 Conn Id deallocs : 22
Tagged Pkts Drops : 0 Non-Tagg Pkts Drops : 0
Add ipcs : 1 Delete ipcs : 0
Disable ipcs : 1 Enable ipcs : 0
Unsolicited ipcs : 0 Duplicate Add ipcs : 0
IOS Broadcast Pkts : 36624 IOS Unicast Pkts : 1310
IOS Multicast Pkts : 0 IOS Total Pkts : 37934
IOS Congest Drops : 0 SYN Discards : 0
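Reading these outputs by eye does not scale to many services, so here is an added example (mine, not part of the Cisco document) of the checks a practitioner would script: it parses the two show ssl-proxy service outputs and the show ssl-proxy stats counters shown above, reproduced here as constructed sample text, turns the service fields into a list of findings, and summarises the SSL handshake counters. Field labels and counter names are taken verbatim from the page's output; the criteria for what counts as a problem (an unconfigured or incomplete CA pool, a service that is inservice but operationally down, any handshake failures) are my choices.

```python
import re

# Constructed samples: the "show ssl-proxy service" outputs and part of the
# "show ssl-proxy stats" output shown on this page, reproduced as text.
SERVICE_OK = """\
Service id: 260, bound_service_id: 4
Virtual IP: 192.168.21.241, port: 80
Server IP: 192.168.30.195, port: 443
Certificate authority pool: mentone-pool
  CA pool complete
Certificate authentication type: only signature verification
Admin Status: up
Operation Status: up
"""

SERVICE_BAD = """\
Service id: 259, bound_service_id: 3
Virtual IP: 192.168.31.241, port: 80
Server IP: 192.168.21.3, port: 443
Certificate authority pool: C2knica (not configured)
Certificate authentication type: only signature verification
Admin Status: up
Operation Status: down
Proxy status: CA pool incomplete
"""

STATS = """\
TCP Statistics:
    Conns initiated : 7   Conns accepted : 7
    Conns established : 14   Conns dropped : 6
SSL Statistics:
    conns attempted : 7   conns completed : 7
    full handshakes : 1   resumed handshakes : 0
    handshake failures : 6   data failures : 0
    fatal alerts rcvd : 0   fatal alerts sent : 6
    no-cipher alerts : 0   ver mismatch alerts : 0
"""

def _field(text, label, default=None):
    """Value of a 'Label: value' line in a show output, or default if absent."""
    m = re.search(r"^\s*" + re.escape(label) + r":\s*(.+?)\s*$", text, re.M)
    return m.group(1) if m else default

def parse_service(text):
    """Fields of one 'show ssl-proxy service <name>' output as a dict."""
    pool = _field(text, "Certificate authority pool", "")
    return {
        "vip": _field(text, "Virtual IP"),
        "server": _field(text, "Server IP"),
        "ca_pool": pool.split()[0] if pool else None,
        "ca_pool_configured": "(not configured)" not in pool,
        "ca_pool_complete": "CA pool complete" in text,
        "auth_type": _field(text, "Certificate authentication type"),
        "admin_up": _field(text, "Admin Status") == "up",
        "oper_up": _field(text, "Operation Status") == "up",
        "proxy_status": _field(text, "Proxy status"),
    }

def service_problems(svc):
    """Actionable findings for a parsed service; an empty list means healthy."""
    problems = []
    if not svc["ca_pool_configured"]:
        problems.append("trusted-ca refers to pool %r, which does not exist" % svc["ca_pool"])
    elif not svc["ca_pool_complete"]:
        problems.append("CA pool %r is incomplete" % svc["ca_pool"])
    if svc["admin_up"] and not svc["oper_up"]:
        problems.append("service is inservice but operationally down: %s"
                        % (svc["proxy_status"] or "no proxy status shown"))
    return problems

def parse_stats(text):
    """Counters as {name: int}; the module prints two 'name : value' pairs per line."""
    return {m.group(1).strip(): int(m.group(2))
            for m in re.finditer(r"([A-Za-z][A-Za-z0-9 _-]*?)\s*:\s*(\d+)\b", text)}

def handshake_summary(counters):
    """Backend SSL handshake health from the SSL Statistics block."""
    attempted = counters.get("conns attempted", 0)
    failures = counters.get("handshake failures", 0)
    return {
        "attempted": attempted,
        "full_handshakes": counters.get("full handshakes", 0),
        "failures": failures,
        "fatal_alerts_sent": counters.get("fatal alerts sent", 0),
        "failure_ratio": failures / attempted if attempted else 0.0,
        "suspicious": failures > 0,   # my threshold: any failed handshake is worth a look
    }

if __name__ == "__main__":
    for name, text in (("MyHTTPS", SERVICE_OK), ("gduf", SERVICE_BAD)):
        print(name, service_problems(parse_service(text)) or ["ok"])
    print(handshake_summary(parse_stats(STATS)))
```

Against the page's own samples the script reports MyHTTPS as healthy, flags gduf twice (missing pool, operationally down with proxy status "CA pool incomplete"), and marks the statistics as suspicious with 6 of 7 handshakes failed. Feed it the output of the same commands collected over SSH from the module to watch a service after a certificate or CA change.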
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.
Related Information
- Catalyst 6500 Series SSL Services Module Documentation
- Catalyst 6500 Series SSL Services Module Product Support
- Technical Support & Documentation - Cisco Systems
Updated: Nov 30, 2005