Configuring End-to-End SSL
This chapter describes how to configure a Cisco 4700 Series Application Control Engine (ACE) appliance to provide end-to-end SSL connectivity. This process involves combining SSL termination (front end) with SSL initiation (back end) to provide a secure link between the client, the ACE, and the server. All data is encrypted and sent as ciphertext among the three devices.
This chapter contains the following major sections:
•End-to-End SSL Overview
•ACE End-to-End SSL Configuration Prerequisites
•Configuring End-to-End SSL
•Example of an End-to-End SSL Configuration
End-to-End SSL Overview
End-to-end SSL refers to the ACE's establishing and maintaining SSL connections between the client at one end of the connection and the server at the other end of the connection. When you configure the ACE for end-to-end SSL, the ACE performs the following functions:
•Terminates an SSL session with the client (front-end connection)
•Initiates an SSL session with the server (back-end connection)
•Load balances the back-end content
End-to-end SSL combines the configurations that you use to configure the ACE for SSL termination and SSL initiation. For end-to-end SSL, you must create the following policy map types:
•Layer 7 policy map—Directs the back-end flow of traffic between the ACE and the server.
•Layer 3 and Layer 4 policy map—Performs the following functions:
–Directs the front-end flow of traffic between the client and the ACE.
–Applies the associated Layer 7 policy map to the traffic that meets the criteria of the Layer 3 and Layer 4 policy map.
Figure 5-1 shows an end-to-end SSL application in which the ACE terminates an SSL connection with an SSL client and initiates an SSL connection with an SSL server.
Figure 5-1 End-to-End SSL
The ACE uses a combination of parameter maps, SSL proxy services, and class maps to build the policy maps that determine the flow of information between the client, the ACE, and the SSL server.
Figure 5-2 provides a basic overview of the process required to build the Layer 7 load-balancing policy map and associate it with the Layer 3 and Layer 4 policy map to create an end-to-end SSL configuration. To allow you to easily discern between the Layer 7 and Layer 3 and Layer 4 configuration attributes, the Layer 7 attributes are shaded gray.
In the final step of the process, you apply the Layer 3 and Layer 4 policy map to the input traffic of the context. The figure also shows how the various components of the policy map configurations are associated with each other.
Figure 5-2 Basic End-to-End SSL Configuration Flow Diagram
ACE End-to-End SSL Configuration Prerequisites
Before configuring your ACE for SSL operation, you must first configure it for server load balancing (SLB). During the SLB configuration process, you create the following configuration objects:
•Layer 7 class map
•Layer 3 and Layer 4 class map
•Layer 7 policy map
•Layer 3 and Layer 4 policy map
After configuring SLB, modify the existing SLB class maps and policy maps with the SSL configuration requirements described in this guide for end-to end SSL.
To configure your ACE for SLB, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.
Configuring End-to-End SSL
Table 5-1 provides an overview of the process required to configure the ACE for end-to-end SSL. Because end-to-end SSL combines the configuration processes of SSL termination and SSL initiation, the procedure provides links to the sections of this guide where the specified process is described in detail.
Example of an End-to-End SSL Configuration
The following example illustrates an end-to-end SSL configuration, which combines front-end SSL and back-end SSL. The ACE receives encrypted text from an HTTP client, and also transmits the encrypted data as cipher text to the SSL server. On the reverse side, the ACE decrypts the cipher text that it receives from the SSL server and sends the data to the client as clear text. The SSL-specific configuration elements appear in bold in the example.
access-list ACL line 10 extended permit ip any any
parameter-map type ssl PM1
session-cache timeout 300
ssl-proxy service SSL_CLIENT
ssl-proxy service SSL_SERVER
class-map type http loadbalance match-any SSL
class-map match-any SSL_C1
2 match virtual-address 10.10.2.101 tcp eq https
3 match virtual-address 10.10.2.101 tcp any
policy-map type loadbalance first-match SSL_BACK
ssl-proxy client SSL_CLIENT
policy-map multi-match L7_1
loadbalance vip inservice
loadbalance policy SSL_BACK
loadbalance vip icmp-reply
ssl-proxy server SSL_SERVER
ip address 10.10.2.1 255.255.255.0
service-policy input L7_1
ip address 220.127.116.11 255.255.255.0
ip address 10.90.15.27 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.90.15.1