Configuring End-to-End SSL
This chapter describes how to configure a Cisco 4700 Series Application Control Engine (ACE) appliance to provide end-to-end SSL connectivity. This process involves combining SSL termination (front end) with SSL initiation (back end) to provide a secure link between the client, the ACE, and the server. All data is encrypted and sent as ciphertext among the three devices.
This chapter contains the following major sections:
•End-to-End SSL Overview
•ACE End-to-End SSL Configuration Prerequisites
•Configuring End-to-End SSL
End-to-End SSL Overview
End-to-end SSL refers to the ACE's establishing and maintaining SSL connections between the client at one end of the connection and the server at the other end of the connection. When you configure the ACE for end-to-end SSL, the ACE performs the following functions:
•Terminates an SSL session with the client (front-end connection)
•Initiates an SSL session with the server (back-end connection)
•Load balances the back-end content
End-to-end SSL combines the configurations that you use to configure the ACE for SSL termination and SSL initiation. For end-to-end SSL, you must create the following policy map types:
•Layer 7 policy map—Directs the back-end flow of traffic between the ACE and the server.
•Layer 3 and Layer 4 policy map—Performs the following functions:
–Directs the front-end flow of traffic between the client and the ACE.
–Applies the associated Layer 7 policy map to the traffic that meets the criteria of the Layer 3 and Layer 4 policy map.
Figure 5-1 shows an end-to-end SSL application in which the ACE terminates an SSL connection with an SSL client and initiates an SSL connection with an SSL server.
Figure 5-1 End-to-End SSL
The ACE uses a combination of parameter maps, SSL proxy services, and class maps to build the policy maps that determine the flow of information between the client, the ACE, and the SSL server.
Figure 5-2 provides a basic overview of the process required to build the Layer 7 load-balancing policy map and associate it with the Layer 3 and Layer 4 policy map to create an end-to-end SSL configuration. To allow you to easily discern between the Layer 7 and Layer 3 and Layer 4 configuration attributes, the Layer 7 attributes are shaded gray.
In the final step of the process, you apply the Layer 3 and Layer 4 policy map to the input traffic of the context. The figure also shows how the various components of the policy map configurations are associated with each other.
Figure 5-2 Basic End-to-End SSL Configuration Flow Diagram
ACE End-to-End SSL Configuration Prerequisites
Before configuring your ACE for SSL operation, you must first configure it for server load balancing (SLB). During the SLB configuration process, you create the following configuration objects:
•Layer 7 class map
•Layer 3 and Layer 4 class map
•Layer 7 policy map
•Layer 3 and Layer 4 policy map
After configuring SLB, modify the existing SLB class maps and policy maps with the SSL configuration requirements described in this guide for end-to end SSL.
To configure your ACE for SLB, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.
Configuring End-to-End SSL
Table 5-1 provides an overview of the process required to configure the ACE for end-to-end SSL. Because end-to-end SSL combines the configuration processes of SSL termination and SSL initiation, the procedure provides links to the sections of this guide where the specified process is described in detail.