User Guide for CiscoView Device Manager for the Cisco Catalyst 6500 Series SSL Services Module Version 1.0
Getting Started with CVDM-SSLSM



The CiscoView Device Manager for Cisco Catalyst 6500 SSL Services Module is an embedded device manager for single service module setup, feature and services configuration, and monitoring of the services module.

SSLSM Overview

The Secure Socket Layer Services Module is a Layer 4-through-Layer 7 service module that you can install into the Catalyst 6500 series switch. The module terminates secure socket layer (SSL) transactions and accelerates the encryption and decryption of data used in SSL sessions.

The module operates either in a standalone configuration or with the Content Switching Module (CSM). In a standalone configuration, secure traffic is directed to the module using policy-based routing (PBR). When used with the CSM, only encrypted client traffic is forwarded to the module, while clear text traffic is forwarded to the real servers.

The SSLSM uses the SSL protocol to enable secure transactions of data through privacy, authentication, and data integrity; the protocol relies upon certificates, public keys, and private keys.

The certificates, which are issued by a certificate authority and are similar to digital ID cards, verify the identity of the server to the clients and the clients to the server. The certificates include the name of the entity to which the certificate was issued, the public key of the entity, and the time stamp that indicates the certificate expiration date.

The public and private keys are the ciphers that are used to encrypt and decrypt information. The public key is shared without any restrictions, but the private key is never shared. Each public-private key pair works together; data that is encrypted with the public key can only be decrypted with the corresponding private key.

This chapter includes the following topics:

Key Features in CVDM-SSLSM

Navigating in CVDM-SSLSM

CVDM-SSLSM Home Page

Key Features in CVDM-SSLSM

CVDM-SSLSM supports several features in SSLSM software release 2.1.

The following table describes the key features of CVDM-SSLSM:

Table 1-1 Key Features 

| Feature | Description |
|---|---|
| Public Key Infrastructure | CVDM-SSLSM allows you to manage certificates (declare Trustpoints, and import and export certificates; see a visual indication of expiring and missing configured certificates; group the Trustpoints by CA, enrollment status, and expiration date; use Certificate Wizards to create and enroll certificates, and to import and export certificates), create and manage Key Pairs, create and manage ACLs, and create and manage certification authority pools. |
| Proxy Service | CVDM-SSLSM allows you to set up server proxy and client proxy services and to enable the backend encryption service using this feature. |
| Policies | CVDM-SSLSM allows you to configure SSL, TCP, header insertion, and URL rewrite policies. |
| Statistics | CVDM-SSLSM shows you the TCP, SSL, and PKI statistics. |


Navigating in CVDM-SSLSM

Before you begin using CVDM-SSLSM, you must understand the basic operation of the user interface, including the login procedure and user interface elements. See the following sections for more information:

Starting CVDM-SSLSM

Understanding the CVDM-SSLSM Desktop

Installing the Java Plug-in

You need to install the Java Plug-in. The Java Plug-in improves the performance of CVDM-SSLSM and allows the application to use the latest Java runtime functionality. For CVDM, the plug-in speeds up caching and application loading. CVDM-SSLSM requires the Java Plug-in version 1.4.1_05.

The first time you invoke any Java Plug-in window, you are alerted if the plug-in is not installed. CVDM-SSLSM prompts you to download and install the plug-in files, using the installation screens or the procedure displayed. The next time you start the application, CVDM-SSLSM automatically uses the plug-in. Install the Java Plug-in provided with CVDM-SSLSM.

Starting CVDM-SSLSM


Step 1 In your browser, enter the IP address or DNS hostname of the SSLSM. The Enter Network Password dialog box appears.

Step 2 Enter your SSLSM username and password.

Step 3 Click OK. The CVDM splash screen appears.

Step 4 Enter your device username and password.

Step 5 Click Yes. The Warning - Security dialog box appears. To accept the security certificate and continue, click Yes.

Step 6 The SSH Credentials dialog box appears.

Step 7 Enter your SSH username and password. The Enter Enable Password dialog box appears.

Step 8 Enter the enable password.

Step 9 Click OK. The CVDM-SSLSM home page appears.


CVDM-SSLSM Home Page

The home page is the first screen that comes up when CVDM-SSLSM is started. The home page provides an overview of the SSL Services Module (SSLSM).

Figure 1-1 Home Page

Table 1-2 Home Page Elements

| Figure 1-3 Reference | Location | Description |
|---|---|---|
| 1 | System Overview | Displays the overview of the system. |
| 2 | Connection Dashboard | Displays the statistics of the traffic through the SSLSM. |
| 3 | Certificate Dashboard | Displays the information on the certificates. |
| 4 | Service Dashboard | Displays the information on the PKI service, proxy service, policies, and VLANs. |


The System Overview Dashboard displays the following information:

| Field | Description |
|---|---|
| Hostname | The host name of the SSLSM. |
| Software Version | The application image version. |
| System Up Time | The time elapsed since the SSL module was started. |
| Utilization (5 mins) | System utilization during the last 5 minutes. The following utilization information is available: IOS CPU—The average utilization of the System CPU. TCP CPU—The average utilization of the System CPU. SSL CPU—The average utilization of the System CPU. FDU CPU—The average utilization of the System CPU. NVRAM—NVRAM utilization, shown as [NVRAM size in use / NVRAM size]. |

Note The utilization values are not updated in real time. You need to refresh the application to update the utilization.


The Certificate Dashboard displays the following information:

Certificate Expiry Dashboard

Number of certificates expiring in the near future. The expiry count is displayed at weekly granularity.

| Field | Description |
|---|---|
| This Week | Number of certificates that will expire this week. |
| Next Week | Number of certificates that will expire next week. |
| Week 3 | Number of certificates that will expire the week after next. |
| Week 4 | Number of certificates that will expire in the fourth week from now. |

CA Certificates

| Field | Description |
|---|---|
| Valid Certificates | The number of valid CA certificates. |
| Expired Certificates | The number of invalid CA certificates. |

SSL Certificates

| Field | Description |
|---|---|
| Valid Certificates | The number of valid SSL certificates. |
| Expired Certificates | The number of invalid SSL certificates. |
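
The weekly expiry counts and the valid/expired totals described above can be reproduced offline from certificate end dates, for example to cross-check the dashboard. This is an added example, not CVDM-SSLSM code; it assumes rolling 7-day windows counted from the current time (the guide does not define week boundaries), and the certificate names and dates are constructed.

```python
import ssl
from datetime import datetime, timedelta, timezone

BUCKETS = ("This Week", "Next Week", "Week 3", "Week 4")

def expiry_dashboard(certs, now):
    """Return (weekly, summary) for (name, kind, not_after) records.

    kind is "CA" or "SSL"; not_after is the end date as OpenSSL prints it,
    e.g. "Mar  5 12:00:00 2025 GMT".
    """
    weekly = {label: [] for label in BUCKETS}
    summary = {kind: {"valid": 0, "expired": 0} for kind in ("CA", "SSL")}
    for name, kind, not_after in certs:
        expires = datetime.fromtimestamp(
            ssl.cert_time_to_seconds(not_after), timezone.utc)
        if expires <= now:
            summary[kind]["expired"] += 1
            continue
        summary[kind]["valid"] += 1
        # Assumption: bucket 0 is the next 7 days, bucket 1 the 7 after that.
        week = (expires - now) // timedelta(days=7)
        if week < len(BUCKETS):
            weekly[BUCKETS[week]].append(name)
    return weekly, summary

# Constructed sample data: (name, kind, notAfter).
NOW = datetime(2025, 3, 3, tzinfo=timezone.utc)
SAMPLE = [
    ("root-ca", "CA", "Jan  1 00:00:00 2030 GMT"),   # far in the future
    ("old-ca", "CA", "Feb  1 00:00:00 2025 GMT"),    # already expired
    ("www", "SSL", "Mar  5 12:00:00 2025 GMT"),      # 2.5 days left
    ("shop", "SSL", "Mar 12 00:00:00 2025 GMT"),     # 9 days left
    ("mail", "SSL", "Mar 30 23:59:59 2025 GMT"),     # just under 28 days left
    ("api", "SSL", "Jun  1 00:00:00 2025 GMT"),      # beyond the 4-week view
]

if __name__ == "__main__":
    weekly, summary = expiry_dashboard(SAMPLE, NOW)
    for label in BUCKETS:
        print(f"{label}: {len(weekly[label])} {weekly[label]}")
    print(summary)
```
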


The Connection Dashboard displays the following information:

TCP

| Statistics | Description |
|---|---|
| Connections in ESTABLISHED state | Number of TCP connections in the ESTABLISHED state. |
| Connections in TIME-WAIT state | Number of TCP connections in the TIME-WAIT state. |

SSL

| Statistics | Description |
|---|---|
| Active Sessions | The number of SSL sessions with active connections. The value is rendered as a horizontal bar chart. |
| Active Connections | The number of SSL connections in the data, handshake, and re-negotiation phases. The value is rendered as a horizontal bar chart. |
| Average Connection Rate (past 5 mins) | The rate at which successful connections were set up in the past 5 minutes. |
| Handshake Failures (past 5 mins) | Total handshake failures in the past 5 minutes. |


The statistics are not updated in real time. You can view and update the statistics in Setup > Statistics.

The Service Dashboard displays the following information:

PKI

| Field | Description |
|---|---|
| Complete Certificate Chains | Number of complete certificate chains. An icon indicates that the certificate chain is complete. |
| Incomplete Certificate Chains | Number of incomplete certificate chains. An icon indicates that the certificate chain is incomplete. |

Proxy Services

| Field | Description |
|---|---|
| Proxy Services Up | Total Proxy Services that are operational. An icon indicates that the module is operationally up. |
| Proxy Services Down | Proxy services not operational due to fault conditions (invalid certificate, lack of server connectivity, and so forth), and those that are administratively down. An icon indicates that the module is administratively and operationally down. In the Setup > Proxy Services dialog box, the administratively down status and the operationally down status are indicated using different icons. |

Policies

| Field | Description |
|---|---|
| SSL Policies | Number of SSL policies configured on the module. |
| TCP Policies | Number of TCP policies configured on the module. |
| URL Rewrite Policies | Number of URL rewrite policies configured on the module. |
| HTTP Header Insertion Policies | Number of HTTP Header Insertion policies configured on the module. |

VLANs

| Field | Description |
|---|---|
| Total VLANs | Number of VLANs on the module. |
| Admin VLAN | The admin VLAN ID. |
| Admin IP Address | IP Address of the admin VLAN. |
| Admin Gateway | IP Address of the gateway configured for the admin VLAN. |


Each group object contains a hyperlink. Click a link to view the details for that group object.

FAQ

You can find answers for your questions on important tasks using FAQ. Select a question from the FAQ list, then click Go.

Understanding the CVDM-SSLSM Desktop

This section describes the main GUI elements of the CVDM-SSLSM application.

Figure 1-2 CVDM-SSLSM GUI Elements

| Figure 1-2 Reference | Location | Description |
|---|---|---|
| 1 | Menu bar | Provides File, Edit, View, and Help options. File > Save to Startup—Saves the configuration running on the device as the startup configuration. File > Exit—Logs you out of CVDM-SSLSM and closes the application. A warning appears if any configuration has not been applied to the SSLSM. Edit > Preferences—Displays the Preferences dialog box, from which you can edit application preferences. View > Home—Displays the Home page. View > Setup—Displays the Features page. View > Running Config > SSLSM...—Displays the configuration running on the SSLSM. View > Refresh—Collects the most recent device information and updates CVDM-SSLSM with it. View > Transport Log...—Displays the transport log of the device. You can clear the log or save the information to a file. Help > Help Topics—Displays online help. Help > About CVDM for SSLSM...—Displays CVDM-SSLSM version information. |
| 2 | Task bar | Provides access to CVDM-SSLSM functionality. Home—Displays the home page. Setup—Displays the features page. Refresh—Collects the most recent device information and updates CVDM-SSLSM with it. Deliver—Opens the Deliver Configuration to SSLSM dialog box, from which you can send accumulated CLI commands to the device. Help—Displays context-sensitive help. |
| 3 | Page | CVDM-SSLSM working area in which you perform tasks. |
| 4 | Pane | One part of a divided page or dialog box. |
| 5 | Status bar | Provides the following information: a message describing the status of the application; the application user and privilege level; an icon showing the security level of the connection; the time stamp of the application startup time. |
| 6 | Selector | Hierarchy of the groups and objects available on the services page that allows you to access specific functions for a service module object. See the "Selector" section for more information. |
| 7 | Left-most pane | Contains buttons, on the setup page, that allow you to access SSLSM functions. |


Selector

Figure 1-3 shows the selector; Table 1-3 describes the selector elements.

Figure 1-3 Selector

Table 1-3 Selector Elements

| Figure 1-3 Reference | Location | Description |
|---|---|---|
| 1 | Object Grouper | You can group the objects using various parameters. Select your option from the list. |
| 2 | Selector handle | Click the handle to open and close the selector, or click the handle and drag it to resize it. |
| 3 | Group folder | Displays a group of objects. Click the plus (+) symbol to see the contents of this folder. |
| 4 | Subgroup folder | Displays a subgroup of objects. Click the plus (+) symbol to see the contents of this folder. |
| 5 | Object | Displays the individual entity contained in the group or subgroup. Click an object to open the page for that object. |



Note Figure 1-3 shows what the selector looks like when folders, subfolders, and objects are displayed. Not all selectors contain all of these elements.


Understanding the Action Buttons

This section describes the action buttons that appear in the CVDM-SSLSM dialog boxes and wizards.

For a description of the wizard action buttons, see Table 1-4.

For a description of the dialog box action buttons, see Table 1-5.

Table 1-4 Wizard Action Buttons

| Button | Action |
|---|---|
| Back | Takes you to the previous page. |
| Next | Takes you to the next page. |
| Finish | Takes you to the wizard summary page. |
| Cancel | Exits the wizard without making any changes. |
| Help | Displays context-sensitive online help. |


Table 1-5 Dialog Box Action Buttons

| Button | Action |
|---|---|
| OK | Saves your changes. |
| Cancel | Exits the dialog box without making any changes. |
| Help | Displays context-sensitive online help. |


Editing the Preferences


Step 1 Select Edit > Preferences... The Preferences dialog box appears.

Step 2 Edit the appropriate values:

| GUI Element | Action/Description |
|---|---|
| Show CLI Preview for Wizards check box | Select this checkbox if you want CVDM-SSLSM to display the CLI commands to be delivered to the device after you have completed a wizard. When this checkbox is selected and you click Finish in a wizard, the Deliver Configuration to the SSLSM dialog box opens and displays the CLI commands. For more information, see the "Delivering CLI Commands to the Device" section. |
| Show CLI Preview on Delivery check box | Select this checkbox if you want CVDM-SSLSM to display the CLI commands to be delivered to the device. When this checkbox is selected and you click Deliver, the Deliver Configuration to SSLSM dialog box opens and displays the CLI commands. For more information, see the "Delivering CLI Commands to the Device" section. |
| Confirm before Exiting check box | Select this checkbox if you want CVDM-SSLSM to ask you to confirm that you want to exit the application. When this checkbox is selected, CVDM-SSLSM displays a dialog box asking you if you want to exit CVDM-SSLSM. From this dialog box, you can select the Always display this dialog box before exiting checkbox if you always want CVDM-SSLSM to confirm that you want to exit CVDM-SSLSM. |



Setup Page

The setup page allows you to access the SSLSM features. You can launch wizards from this page or you can start using the PKI, Proxy Service, Policy and VLAN features.

When you select Setup, the following GUI elements are displayed in a pane on the left side of the content window:

| GUI Element | Description |
|---|---|
| Wizards | Click to launch wizards that guide you in creating and managing Trustpoints and proxy services. |
| PKI | Allows you to manage public key infrastructure on the SSLSM. |
| Proxy Services | Allows you to manage SSL proxy services on the SSLSM. |
| Policies | Allows you to manage the policy templates on the SSLSM. |
| VLANs | Allows you to manage VLAN configurations on the SSLSM. |
| Statistics | Allows you to view the SSLSM statistics. |


Viewing Running Configuration


Step 1 Select View > Running Config > SSLSM.... The Running Configuration for SSLSM dialog box appears. Information about the running configuration for the SSL Services Module is displayed.

Step 2 Click Save to File... to save the configuration information to a text file.


Delivering CLI Commands to the Device

You must deliver accumulated CLI commands to the device before any changes you make in CVDM-SSLSM will be applied.


Step 1 Click the Deliver button at the top of the page. The Deliver Configuration to SSLSM dialog box appears if you have configured CVDM-SSLSM to display the accumulated CLI commands when you click the Deliver button.


Note The Deliver Configuration to SSLSM dialog box also appears when you click the Finish button in a wizard if you have configured CVDM-SSLSM to display the accumulated CLI commands after you have completed a wizard.



Note For the Certificate Import and Export Wizards, the Deliver CLI Commands dialog box does not appear.


Step 2 Modify the appropriate values:

| GUI Element | Action/Description |
|---|---|
| Save to Startup checkbox | Click the checkbox to save the running configuration, generated by CVDM, as the device startup configuration. |
| Deliver button | Click to send the accumulated CLI commands to the device. |
| Save to File... button | Click to save the CLI commands as a text file. |
| Close button (1) | Click to close the dialog box without delivering any CLI commands. |
| Deliver Later button (2) | Click to deliver the wizard CLI commands to the device at a later time. |

(1) This button is available only in the Deliver Configuration to SSLSM dialog box that is displayed after you click Deliver at the top of the window.

(2) This button is available only in the Deliver Configuration to SSLSM dialog box that is displayed after you click Finish in a wizard.



Note For the Certificate Wizards, the Deliver Later option is disabled. The task is performed immediately at the end of the wizard.



Note The Deliver Configuration to Switch/Module(s) dialog box displays all accumulated CLI commands that will be delivered to the device; therefore, any previous CLI commands that were not sent to the device are shown in this dialog box, as well as the CLI commands you have generated in this session.



What's Next?

You are about to set up an SSL Service. To set up the SSL service, first set up the Public Key Infrastructure. You need to configure Trustpoints and install the Key Pairs, Proxy Service Certificates, and the corresponding CA Certificates. You can use the Trustpoint wizards to set up the PKI.

Once the Proxy Service Certificates and Key Pairs are installed in the SSLSM PKI, the next task in setting up the SSL service is to configure Proxy Services. You can use the Proxy Service Wizard to configure the proxy service.