Table Of Contents
Configuring the CSM-S SSL Services
Initial SSL Daughter Card Configuration
Configuring VLANs on the SSL Daughter Card
Configuring Telnet Remote Access
Configuring the Fully Qualified Domain Name
Configuring the Username and Password for SSH
Configuring Authentication, Authorization, and Accounting for SSH
Configuring SSL for Client-Side and Server-Side Operation
Configuring the CSM as the Back-End Server
Configuring the Real Server as the Back-End Server
Client IP and Port Address Headers
Configuring the HTTP Header Insertion
Configuring the SSL Proxy Services
Configuring TACACS, TACACS+, and RADIUS
Enabling the Cryptographic Self-Test
Displaying Statistics Information
Configuring the CSM-S SSL Services
This chapter describes the Command Line Interface (CLI) commands to configure, monitor, and debug the CSM-S software for SSL. These configuration commands are the same commands that are valid in the SSL Services Module.
Note
Except where specifically differentiated, the term Content Switching Module and its acronym CSM refer to both the Content Switching Module and the Content Switching Module with SSL. The term Content Switching Module with SSL and its acronym CSM-S are used to refer to the CSM-S only.
This chapter describes configuration additions made to the CSM-S to support the SSL daughter card and contains these sections:
•
•
•
•
•
Note
Initial SSL Daughter Card Configuration
This section describes how to make the initial configurations for the SSL daughter card.
Note
The initial SSL daughter card configuration consists of these tasks:
•
•
•
Configuring VLANs on the SSL Daughter Card
When you configure VLANs on the SSL daughter card, configure one of the VLANs as an administrative VLAN. The administrative VLAN is used for all management traffic, including SSH, public key infrastructure (PKI), secure file transfer (SCP), and TFTP operations. The system adds the default route through the gateway of the administrative VLAN.
Note
Note
Note
Note
To configure VLANs on the SSL daughter card, perform this task:
Step 1
Configures the VLANs and enters VLAN mode.
Step 2
Configures an IP address for the VLAN.
Step 3
Configures the client-side gateway IP address.
Note
Step 4
(Optional) Configures a static route for servers that are one or more Layer 3 hops away from the CSM-S.
Step 5
(Optional) Configures the VLAN as the administrative VLAN1 .
1 The administrative VLAN is for management traffic (PKI, SSH, SCP and TFTP). Specify only one VLAN as the administrative VLAN.
This example shows how to configure the VLAN and specify the IP address, the subnet mask, and the global gateway, and how to specify the VLAN as the administrative VLAN:
ssl-proxy(config)# ssl-proxy vlan 100ssl-proxy(config-vlan)# ipaddr 10.1.0.20 255.255.255.0ssl-proxy(config-vlan)# gateway 10.1.0.1ssl-proxy(config-vlan)# adminssl-proxy(config-vlan)# ^Zssl-proxy#Configuring Telnet Remote Access
To configure the SSL daughter card for Telnet remote access, perform this task:
This example shows how to configure the SSL daughter card for remote access:
ssl-proxy(config)# enable password ciscossl-proxy(config)# line vty 0 4ssl-proxy(config-line)#loginssl-proxy(config-line)#password ciscossl-proxy(config-line)#endssl-proxy#Configuring the Fully Qualified Domain Name
If you are using the SSL daughter card to enroll for certificates from a certificate authority, you must configure the Fully Qualified Domain Name (FQDN) on the module. The FQDN is the host name and domain name of the module.
To configure the FQDN, perform this task:
Step 1
Configures the host name.
Step 2
Configures the domain name.
This example shows how to configure the FQDN on the SSL daughter card:
ssl-proxy(config)# hostname ssl-proxy2ssl-proxy2(config)# ip domain-name example.comssl-proxy2(config)# endssl-proxy2(config)#Configuring SSH
After you complete the initial configuration for the module, enable SSH on the module, and then configure the username and password for the SSH connection using either a simple username and password or using an authentication, authorization, and accounting (AAA) server.
These sections describe how to enable and configure SSH:
•
•
Enabling SSH on the Module
SSH uses the first key pair generated on the module. In the following task, you generate a key pair used specifically for SSH.
Note
To generate an SSH key pair and enable SSH, perform this task:
This example shows how to enable SSH on the module, and how to verify that SSH is enabled:
ssl-proxy(config)# ip ssh rsa keypair-name ssh-keyPlease create RSA keys to enable SSH.ssl-proxy(config)# crypto key generate rsa general-keys label ssh-keyThe name for the keys will be: ssh-keyChoose the size of the key modulus in the range of 360 to 2048 for yourGeneral Purpose Keys. Choosing a key modulus greater than 512 may takea few minutes.How many bits in the modulus [512]: 1024% Generating 1024 bit RSA keys ...[OK]ssl-proxy(config)#*Aug 28 11:07:54.051: %SSH-5-ENABLED: SSH 1.5 has been enabledssl-proxy(config)# endssl-proxy# show ip sshSSH Enabled - version 1.5Authentication timeout: 120 secs; Authentication retries: 3ssl-proxy#Configuring the Username and Password for SSH
To configure the username and password for the SSH connection, perform this task:
This example shows how to configure the username and password for the SSH connection to the SSL daughter card:
ssl-proxy# configure terminalssl-proxy(config)# enable password ciscossl-proxy(config)# username admin password admin-passssl-proxy(config)# line vty 0 4ssl-proxy(config-line)# login localssl-proxy(config-line)# endAfter you configure the username and password, see the "Recovering a Lost Password" section to configure the switch.
Configuring Authentication, Authorization, and Accounting for SSH
To configure authentication, authorization, and accounting (AAA) for SSH, perform this task:
This example shows how to configure AAA for the SSH connection to the SSL daughter card:
ssl-proxy# configure terminalssl-proxy(config)# username admin secret admin-passssl-proxy(config)# enable password enable-passssl-proxy(config)# aaa new-modelssl-proxy(config)# aaa authentication login default localssl-proxy(config)# line vty 0 4ssl-proxy(config-line)# transport input sshssl-proxy(config-line)# endssl-proxy#After you configure AAA, see the "Recovering a Lost Password" section to configure the switch.
Configuring SSL for Client-Side and Server-Side Operation
This section describes how to configure the CSM-S. These topics are discussed in this section:
When you configure the server farm, if the real server is the SSL daughter card you must use the local keyword when defining the real server.
This example shows how to configure the CSM to support SSL:
Cat6k-2(config-module-csm)# serverfarm SSLfarmCat6k-2(config-slb-sfarm)# real 10.1.0.21 localCat6k-2(config-slb-real)# inserviceCat6k-2(config-module-csm)# vserver VS1Cat6k-2(config-slb-vserver)# virtual 10.1.0.21 tcp httpsCat6k-2(config-slb-vserver)# serverfarm SSLfarmCat6k-2(config-slb-vserver)# inserviceThe local keyword on the real server is the only CSM configuration change. Additional configuration is required on the CSM-S for proper CSM-SSL daughter card communication.
Configuring the Client Side
This example shows how to configure the SSL proxy service on the SSL daughter card:
ssl-proxy(config)# ssl-proxy service S1ssl-proxy(config-ssl-proxy)# virtual ipaddr 10.1.0.21 protocol tcp port 443 secondaryssl-proxy(config-ssl-proxy)# server ipaddr 10.2.0.100 protocol TCP port 80ssl-proxy(config-ssl-proxy)# inserviceThis example shows how to configure the CSM virtual server:
Cat6k-2(config-module-csm)# serverfarm SSLfarmCat6k-2(config-slb-sfarm)# real 10.1.0.21 localCat6k-2(config-slb-real)# inserviceCat6k-2(config-module-csm)# vserver VS1Cat6k-2(config-slb-vserver)# virtual 10.1.0.21 tcp httpsCat6k-2(config-slb-vserver)# serverfarm SSLfarmCat6k-2(config-slb-vserver)# inserviceYou can perform SSL load balancing between the SSL daughter card and an SSL Services Module in mixed mode.
The CSM uses SSL-ID sticky functionality to stick SSL connections to the same SSL Services Module. The CSM must terminate the client-side TCP connection in order to inspect the SSL-ID. The CSM must then initiate a TCP connection to either the SSL daughter card or the SSL Services Module when a load-balancing decision has been made.
The traffic flow has the CSM passing all traffic received on a virtual server to the SSL daughter card with TCP termination performed on the SSL daughter card itself. When you enable the SSL sticky function, the connection between the CSM and SSL daughter card becomes a full TCP connection.
This example shows how to configure mixed-mode SSL load balancing:
Cat6k-2(config-module-csm)# sticky 10 ssl timeout 60Cat6k-2(config-module-csm)# serverfarm SSLfarmCat6k-2(config-slb-sfarm)# real 10.1.0.21 localCat6k-2(config-slb-sfarm)# inserviceCat6k-2(config-slb-sfarm)# real 10.2.0.21Cat6k-2(config-slb-sfarm)# inserviceCat6k-2(config-module-csm)# vserver VS1Cat6k-2(config-slb-vserver)# virtual 10.1.0.21 tcp httpsCat6k-2(config-slb-vserver)# sticky 60 group 10Cat6k-2(config-slb-vserver)# serverfarm SSLfarmCat6k-2(config-slb-vserver)# persistent rebalanceCat6k-2(config-slb-vserver)# inserviceAdditionally, you must make an internally generated configuration to direct traffic at the SSL daughter card when the CSM must terminate the client-side TCP connection. You must create a virtual server with the same IP address or port of each local real server in the server farm SSLfarm. Internally, this virtual server is configured to direct all traffic that is intended for the virtual server to the SSL daughter card.
You must make an internally generated configuration because the IP address of the local real server and the SSL daughter card virtual server address must be the same. When the CSM initiates a connection to this local real server, the SYN frame is both sent and received by the CSM. When the CSM receives the SYN, and the destination IP address or port is the same as the virtual server VS1, it matches VS1 unless a more-specific virtual server is added.
Configuring the Server Side
A standard virtual server configuration is used for Layer 4 and Layer 7 load balancing when the SSL daughter card uses the CSM as the back-end server.
To restrict this virtual server to only receive traffic from the SSL daughter card, use the VLAN local virtual server submode command as follows:
Cat6k-2(config-module-csm)# serverfarm SLBdefaultfarmCat6k-2(config-slb-sfarm)# real 10.2.0.20Cat6k-2(config-slb-sfarm)# inserviceCat6k-2(config-module-csm)# vserver VS2Cat6k-2(config-slb-vserver)# virtual 10.2.0.100 tcp wwwCat6k-2(config-slb-vserver)# serverfarm SLBdefaultfarmCat6k-2(config-slb-vserver)# vlan localCat6k-2(config-slb-vserver)# inserviceYou can configure the real server as the back end as shown in this example:
Cat6k-2(config-module-csm)# serverfarm SSLpredictorforwardCat6k-2(config-slb-sfarm)# predictor forwardCat6k-2(config-module-csm)# vserver VS3Cat6k-2(config-slb-vserver)# virtual 0.0.0.0 0.0.0.0 tcp wwwCat6k-2(config-slb-vserver)# serverfarm SSLpredictorforwardCat6k-2(config-slb-vserver)# inserviceConfiguring the CSM as the Back-End Server
The virtual server and server farm configurations permits the SSL daughter card to use real servers as the back-end servers. Use the configuration that is described in the "Configuring the Client Side" section and then configure the SSL daughter card to use the CSM as the back-end server:
This example shows the CSM virtual server configuration for Layer 7 load balancing:
Cat6k-2(config-module-csm)# serverfarm SLBdefaultfarmCat6k-2(config-slb-sfarm)# real 10.2.0.20Cat6k-2(config-slb-real)# inserviceCat6k-2(config-module-csm)# serverfarm SLBjpgfarmCat6k-2(config-slb-sfarm)# real 10.2.0.21Cat6k-2(config-module-csm)# map JPG urlCat6k-2(config-slb-map-cookie)# match protocol http url *jpg*Cat6k-2(config-module-csm)# policy SLBjpgCat6k-2(config-slb-policy)# url-map JPGCat6k-2(config-slb-policy)#serverfarm SLBjpgfarmCat6k-2(config-module-csm)# vserver VS2Cat6k-2(config-slb-vserver)# virtual 10.2.0.100 tcp wwwCat6k-2(config-slb-vserver)# serverfarm SLBdefaultfarmCat6k-2(config-slb-vserver)# slb-policy SLBjpgCat6k-2(config-slb-vserver)# inserviceThis example shows the CSM virtual server configuration for Layer 4 load balancing:
Cat6k-2(config-module-csm)# serverfarm SLBdefaultfarmCat6k-2(config-slb-sfarm)# real 10.2.0.20Cat6k-2(config-slb-real)# inserviceCat6k-2(config-module-csm)# vserver VS2Cat6k-2(config-slb-vserver)# virtual 10.2.0.100 tcp wwwCat6k-2(config-slb-vserver)# serverfarm SLBdefaultfarmCat6k-2(config-slb-vserver)# vlan localCat6k-2(config-slb-vserver)# inserviceConfiguring the Real Server as the Back-End Server
The server side configuration traffic flow with the real server as the back end is similar to the client-side configuration. Use the configuration that is described in the "Configuring the Client Side" section and then configure the SSL daughter card to use a real server as the back-end server:
No new configuration is required for the SSL daughter card proxy service configuration. This example shows how the configuration is internally initiated and hidden from the user:
ssl-proxy(config)# ssl-proxy service S1ssl-proxy(config-ssl-proxy)# virtual ipaddr 10.1.0.21 protocol tcp port 443 secondaryssl-proxy(config-ssl-proxy)# server ipaddr 10.2.0.20 protocol TCP port 80ssl-proxy(config-ssl-proxy)# inserviceThis example shows how to configure the CSM virtual server:
Cat6k-2(config-module-csm)# serverfarm SSLrealsCat6k-2(config-slb-sfarm)# real 10.2.0.20Cat6k-2(config-slb-sfarm)# inserviceCat6k-2(config-module-csm)# serverfarm SSLpredictorforwardCat6k-2(config-slb-sfarm)# predictor forwardCat6k-2(config-module-csm)# vserver VS3Cat6k-2(config-slb-vserver)# virtual 0.0.0.0 0.0.0.0 tcp wwwCat6k-2(config-slb-vserver)# serverfarm SSLpredictorforwardCat6k-2(config-slb-vserver)# inserviceConfiguring Policies
This section describes how to configure the SSL and TCP policies:
Configuring SSL Policy
Note
The SSL policy template allows you to define parameters that are associated with the SSL stack.
One parameter that you can configure is the SSL close-protocol behavior. The SSL close protocol specifies that each of the SSL peers (client and server) should send a close-notify alert and receive a close-notify alert before closing the connection properly. If the SSL connection is not closed properly, the session is removed so that the peers cannot use the same SSL session ID in future SSL connections.
However, many SSL implementations do not follow the SSL close protocol strictly (for example, an SSL peer sends a close-notify alert but does not wait for the close-notify alert from the remote SSL peer before closing the connection).
When an SSL peer initiates the close-connection sequence, the SSL daughter card expects a close-notify alert message. If an SSL peer does not send a close-notify alert, the SSL daughter card removes the session from the session cache so that the same session ID cannot be used for future SSL connections.
When the SSL daughter card initiates the close-connection sequence, you can configure the following close-protocol options:
•
•
•
If you do not associate an SSL policy with a particular proxy server, the proxy server enables all the supported cipher suites and protocol versions by default.
To define an SSL policy template and associate an SSL policy with a particular proxy server, perform this task:
Step 1
Defines SSL policy templates.
Step 2
ssl-proxy (config-ssl-policy)# cipher {rsa-with-rc4-128-md5 | rsa-with-rc4-128-sha | rsa-with-des-cbc-sha | rsa-with-3des-ede-cbc-sha | others...}
Configures a list of cipher-suite names acceptable to the proxy server. The cipher-suite names follow the same convention as that of existing SSL stacks.
Step 3
ssl-proxy (config-ssl-policy)# protocol {ssl3 | tls1 | all}Defines the various protocol versions supported by the proxy server.
Step 4
Configures how long the module keeps the connection in the handshake phase. The valid range is 0 to 65535 seconds.
Step 5
ssl-proxy (config-ssl-policy)# close-protocol {strict | none}Configures the SSL close-protocol behavior. The close-protocol behavior is disabled by default.
Step 6
Enables the session-caching feature. Session caching is enabled by default.
Step 7
Configures the amount of time that an entry is kept in the session cache. The valid range is 1 to 72000 seconds.
Note
Step 8
(Optional) Specifies the size of the session cache1. The valid range is from 1 to 262143 entries.
Note
1 When the absolute keyword is configured, the session entry is not reused until the configured session timeout expires. When absolute is configured, the number of session entries required is equal to (new_connection_rate * absolute_timeout). Depending on the timeout configuration and the new connection rate, the number of session entries might be very large.You can limit the number of session entries by configuring the session-cache size.
Configuring TCP Policy
Note
The TCP policy template allows you to define parameters that are associated with the TCP stack.
To define an TCP policy template and associate a TCP policy with a particular proxy server, perform this task:
Step 1
Defines TCP policy templates. All defaults are assumed unless otherwise specified.
Step 2
Configures the connection establishment timeout. The default is 75 seconds. The valid range is from 5 to 75 seconds.
Step 3
Configures the maximum segment size (MSS) in bytes that the connection will identify in the SYN packet that it generates.
Note
Step 4
Configures the amount of time in seconds before the reassembly queue is cleared. If the transaction is not complete within the specified time, the reassembly queue is cleared and the connection is dropped. The default is 60 seconds. The valid range is from 0 to 960 seconds (0 = disabled).
Step 5
Configures the amount of time in seconds that an established connection can be inactive. The default is 600 seconds. The valid range is 0 to 960 seconds (0 = disabled).
Step 6
Configures the FIN wait timeout in seconds. The default value is 600 seconds. The valid range is from 75 to 600 seconds.
Step 7
Configures the maximum receive buffer share per connection in bytes. The default value is 32768 bytes. The valid range is from 8192 to 262144 bytes.
Step 8
Configures the maximum transmit buffer share per connection in bytes. The default value is 32768 bytes. The valid range is from 8192 to 262144 bytes.
1 If fragmentation occurs, decrease the MSS value until there is no fragmentation.
HTTP Header Insertion
In an SSL offloading environment, an SSL offloader terminatesthe secure client HTTP (HTTPS) connections, decrypts the SSL traffic into clear text, and forwards the clear text to a Web server through an HTTP connection. The HTTPS connections become nonsecure HTTP connections at the back-end server because it does not know that the client connection came in as a secure connection.
These reasons list why you should configure the HTTP header insertion:
•
•
•
The HTTP header insertion is performed for the following methods: GET, HEAD, PUT, TRACE, POST, and DELETE. HTTP header insertion is not performed for the CONNECT method.
The custom headers and client IP and port headers are inserted in every HTTP request packet. Full session headers and decoded client certificate fields are inserted in the first HTTP request packets; only the session ID is inserted in subsequent HTTP requests that use the same session ID. The servers are expected to cache the session or client certificate headers based on the session ID and use the session ID in subsequent requests to get the session and client certificate headers.
You can configure up to 100 HTTP header insertion policies, with each policy consisting of up to 32 prefixes or headers. The prefix and custom headers can include up to 240 characters.
These sections describe the information that can be inserted in the HTTP header:
•
Prefix
When you specify prefix prefix_string, the SSL daughter card adds the specified prefix to every inserted HTTP header. Adding a prefix enables the server to identify connections as coming from the SSL daughter card, and not from other appliances. A prefix is not added to standard HTTP headers from the client. The prefix_string can be up to 240 characters.
Client Certificate Headers
The client certificate header insertion allows the back-end server to see the attributes of the client certificate that the SSL daughter card has authenticated and approved. The client certificate headers are sent only once per session. The server is expected to cache these values using the session ID, which is also inserted with the headers. In subsequent requests, the server uses the session ID to look up the cached client certificate headers on the server itself.
Note
When you specify client-cert, the SSL daughter card passes the following headers to the back-end server.
Client IP and Port Address Headers
Network address translation (NAT) changes the client IP address and destination TCP port number information. When you specify client-ip-port, the SSL daughter card inserts the client IP address and TCP destination port information in the HTTP header, allowing the server to see the client IP address and destination port number.
Custom Headers
When you specify custom custom_string, the SSL daughter card inserts the user-defined header verbatim in the HTTP header. You can configure up to 16 custom headers per HTTP header policy. The custom_string can include up to 240 characters.
Note
"SOFTWARE VERSION : 2.1(1)"
SSL Session Headers
The session headers, including the session ID, are used to cache client certificates based on the session ID. The session headers are also cached based on the session ID if the server wants to track connections based on a particular cipher suite. The SSL daughter card inserts the full session headers in the HTTP request during the full SSL handshake but inserts only the session ID when the session resumes.
When you configure the SSL daughter card as a client, the SSL daughter card inserts the session ID of the connection between the module and the back-end SSL server.
When you specify session, the SSL daughter card passes information specific to an SSL connection to the back-end server in the form of the following session headers.
Session-Id
SSL session ID
Session-Cipher-Name
Symmetric cipher suite
Session-Cipher-Key-Size
Symmetric cipher key size
Session-Cipher-Use-Size
Symmetric cipher use
Configuring the HTTP Header Insertion
To configure the HTTP header insertion, perform this task:
This example shows how to configure the SSL daughter card to insert a prefix and session headers:
ssl-proxy (config)# ssl-proxy policy http-header ssl-offloadssl-proxy(config-http-header-policy)# prefix SSL-OFFLOADssl-proxy(config-http-header-policy)# sessionssl-proxy(config-http-header-policy)# custom "SOFTWARE VERSION:2.1(1)"
ssl-proxy(config-http-header-policy)# custom "module:SSL MODULE - CATALYST 6500"
ssl-proxy(config-http-header-policy)# custom type-of-proxy:server_proxy_1024_bit_key_sizessl-proxy(config-http-header-policy)# exitssl-proxy(config)# ssl-proxy service ssl-offloadssl-proxy(config-ssl-proxy)# policy http-header ssl-offloadIn addition to the standard HTTP headers, the following header information is inserted:
SSL-OFFLOAD-SOFTWARE VERSION:2.1(1)SSL-OFFLOAD-module:SSL MODULE - CATALYST 6500SSL-OFFLOAD-type-of-proxy:server_proxy_1024_bit_key_sizeSSL-OFFLOAD-Session-Id:33:FF:2C:2D:25:15:3C:50:56:AB:FA:5A:81:0A:EC:E9:00:00:0A:03:00:60:2F:30:9C:2F:CD:56:2B:91:F2:FFSSL-OFFLOAD-Session-Cipher-Name:RC4-SHASSL-OFFLOAD-Session-Cipher-Key-Size:128SSL-OFFLOAD-Session-Cipher-Use-Size:128Configuring URL Rewrite
In a typical SSL offloading environment, an SSL offloader terminates secure client HTTP (HTTPS) connections, decrypts the SSL traffic into clear text, and forwards the clear text to a Web server through an HTTP connection. The HTTPS connections become nonsecure HTTP connections at the back-end server. The back-end server does not know that the client connection came in as a secure connection.
If the data returned to the client contains an HTTP redirection link, and the client follows this link, the client leaves the secure domain and no longer has a secure connection. The redirected link may not be available from the server using a clear text connection.
You can avoid problems with nonsecure HTTP redirects from the back-end server by configuring one or more URL rewrite rules. Each rewrite rule is associated with a service in the SSL proxy list. The URL rewrite rules resolve the problem of a website redirecting you to a nonsecure HTTP URL by rewriting the domain from http:// to https://. By configuring URL rewrite, all client connections to the Web server are SSL connections, ensuring the secure delivery of HTTPS content back to the client.
Note
URL rewrite rewrites the protocol and the nondefault port (default ports are port 80 for clear text and port 443 for SSL).
You can configure up to 100 URL rewrite policies with each policy consisting of up to 32 rewrite rules per SSL proxy service and up to 200 characters per rule.
The guidelines for URL rewrite are as follows:
•
For example, www.cisco.com takes precedence, then www.cisco.*, and then *.cisco.com.
•
•
•
To configure URL rewrite, perform this task:
1 The clearport port_number specifies the port portion of the URL to be rewritten. Specify the cleartext port_number if it is not the default cleartext port 80.
2 The sslport port_number specifies the port portion of the URL that should be rewritten. Specify the ssltext port_number if it is not the default SSL port 443.
This example shows how to configure URL rewrite policy and apply the policy to a proxy service:
ssl-proxy(config)# ssl-proxy policy url-rewrite cisco_urlssl-proxy(config-ssl-proxy)# url www.cisco.*ssl-proxy(config-ssl-proxy)# url www.cisco.com clearport 81 sslport 444ssl-proxy(config-ssl-proxy)# url wwwin.cisco.com clearport 81 sslport 440ssl-proxy(config-ssl-proxy)# url 10.1.1.10 clearport 81 sslport 444ssl-proxy(config-ssl-proxy)# exitssl-proxy(config)# ssl-proxy service cisco_servicessl-proxy(config-ssl-proxy)# policy url-rewrite cisco_urlSee Table 7-1 for examples that show URL rewrite.
Configuring the SSL Proxy Services
You define the SSL proxy services using the ssl-proxy service ssl_proxy_name command. You can configure the virtual IP address and port that is associated with the proxy service and the associated target IP address and port.
You define the TCP and SSL policies for both client (virtual) and server (server) sides of the proxy.
These sections describe how to configure the proxy services:
SSL Server Proxy Services
To configure the SSL server proxy services, perform this task:
Step 1
Defines the name of the SSL proxy service.
Note
Step 2
Defines the virtual server IP address, transport protocol (TCP), and port number for which the CSM-S is the proxy.
Note
Step 3
Defines the IP address, port number, and transport protocol of the target server for the proxy.
Note
Step 4
(Optional) Applies a TCP policy to the client side of the proxy server. See the "Configuring TCP Policy" section for TCP policy parameters.
Step 5
(Optional) Applies an SSL policy to the client side of the proxy server. See the "Configuring SSL Policy" section for SSL policy parameters.
Step 6
(Optional) Applies a TCP policy to the server side of the proxy server. See the "Configuring TCP Policy" section.
Step 7
(Optional) Applies the HTTP header policy to the proxy server. See the "HTTP Header Insertion" section.
Step 8
(Optional) Applies the URL rewrite policy. See the "Configuring URL Rewrite" section.
Step 9
ssl-proxy(config-ssl-proxy)# trusted-ca ca_pool_name
(Optional) Associates the trusted certificate authority pool with the proxy service. See the "Client Certificate Authentication" section for information on the certificate authority pools.
Step 10
ssl-proxy(config-ssl-proxy)# authenticate verify {signature-only4 | all5 }
(Optional) Enables the server certificate authentication and specifies the form of verification. See the "Server Certificate Authentication" section for information on the server certificate authentication.
Step 11
ssl-proxy(config-ssl-proxy)# nat {server | client natpool_name}(Optional) Specifies the usage of either server NAT6 or client NAT for the server-side connection opened by the CSM-S. See the "Configuring NAT" section and "Configuring NAT" section.
Step 12
Applies a trustpoint configuration to the proxy server7 .
Note
Step 13
Sets the proxy server as administratively Up.
1 Configure the mask address to specify a wildcard proxy service. You must enter the secondary keyword to configure a wildcard proxy service.
2 When you enter the secondary keyword, the SSL daughter card does not respond to the ARP requests of the virtual IP address.
3 If you create a policy without specifying any parameters, the policy is created using the default values.
4 When you verify signature-only, authentication stops at the level that corresponds to one of the trusted certificate authority trustpoints in the trusted certificate authority pool.
5 When you verify all, the highest level issuer in the certificate chain must be configured as a trusted certificate authority trustpoint. The SSL daughter card authenticates all the certificates in the peer certificate chain and stops only at the highest level certificate authority. There must be a certificate authority trustpoint for the highest level certificate authority, and this trustpoint should be authenticated.
6 NAT = network address translation
7 If the key (modulus) size is other than 512, 768, 1024, 1536, or 2048, you will receive an error and the trustpoint configuration is not applied. Replace the key by generating a key (using the same key_label) and specifying a supported modulus size, and then repeat Step 12.
This example shows how to configure SSL proxy services:
ssl-proxy(config)# ssl-proxy service proxy1ssl-proxy(config-ssl-proxy)# virtual ipaddr 10.1.1.100 protocol tcp port 443ssl-proxy(config-ssl-proxy)# server ipaddr 10.1.1.1 protocol tcp port 80ssl-proxy(config-ssl-proxy)# virtual policy tcp tcp2ssl-proxy(config-ssl-proxy)# server policy tcp tcp2ssl-proxy(config-ssl-proxy)# virtual policy ssl ssl1ssl-proxy(config-ssl-proxy)# nat client t2ssl-proxy(config-ssl-proxy)# certificate rsa general-purpose trustpoint tp1ssl-proxy(config-ssl-proxy)# inservicessl-proxy(config-ssl-proxy)# endIf you have many virtual and server IP addresses to manage and configure, you can configure a wildcard proxy service.
This example shows how to configure a wildcard SSL proxy service, so that proxy1 accepts virtual IP addresses 10.0.0.1 through 10.25.255.254:
ssl-proxy(config)# ssl-proxy service proxy1ssl-proxy(config-ssl-proxy)# virtual ipaddr 10.0.0.0 255.0.0.0 protocol tcp port 443 secondaryssl-proxy(config-ssl-proxy)# server ipaddr 20.1.2.3 protocol tcp port 80ssl-proxy(config-ssl-proxy)# virtual policy tcp tcp2ssl-proxy(config-ssl-proxy)# server policy tcp tcp2ssl-proxy(config-ssl-proxy)# virtual policy ssl ssl1ssl-proxy(config-ssl-proxy)# inservicessl-proxy(config-ssl-proxy)# endSSL Version 2.0 Forwarding
The SSL daughter card is not able to terminate SSL version 2.0 (SSLv2) connections. However, you can configure the SSL daughter card to forward SSLv2 connections to another server by entering the sslv2 keyword at the server command. When you configure the SSLv2 server IP address, the SSL daughter card transparently forwards all SSLv2 connections to that server. If you require SSLv2 forwarding, you need to configure the SSLv2 server IP address in addition to the IP address of the server that is used for offloading SSL version 3.0 or Transport Layer Security (TLS) version 1.0 connections.
To configure SSLv2 forwarding, perform this task:
Defines the IP address, port number, and the transport protocol of the target server for the proxy.
Note
1 Enter the sslv2 keyword to forward SSL version 2.0 client connections to a SSL v2.0 server. When you enter sslv2, configure another server IP address to offload SSL version 3.0 or Transport Layer Security (TLS) version 1.0 connections.
This example shows how to configure the SSL proxy services to forward SSL v2.0 connections:
ssl-proxy(config)# ssl-proxy service frontendssl-proxy(config-ssl-proxy)# virtual ipaddr 35.200.200.102 protocol tcp port 443ssl-proxy(config-ssl-proxy)# server ipaddr 26.51.51.1 protocol tcp port 80ssl-proxy(config-ssl-proxy)# server ipaddr 26.51.51.2 protocol tcp port 443 sslv2ssl-proxy(config-ssl-proxy)# certificate rsa general-purpose trustpoint test-certssl-proxy(config-ssl-proxy)# inservicessl-proxy(config-ssl-proxy)# endSSL Client Proxy Services
You configure SSL client proxy services to specify that the proxy service accepts clear text traffic, encrypts the traffic into SSL traffic, and forwards the traffic to the back-end SSL server.
While you are required to configure a certificate for the SSL server proxy, you are not required to configure a certificate for the SSL client proxy. If you configure the certificate for the SSL client proxy, that certificate is sent in response to the certificate request message that is sent by the server during the client authentication phase of the handshake protocol.
Note
To configure SSL client proxy services, perform this task:
Step 1
Defines the name of the SSL proxy service. The client keyword configures the SSL client proxy service.
Note
Step 2
Defines the virtual server IP address, transport protocol (TCP), and port number for which the CSM-S is the proxy.
Note
Step 3
Defines the IP address, port number, and transport protocol of the target server for the proxy.
Note
Step 4
(Optional) Applies a TCP policy to the client side of the proxy server. See the "Configuring TCP Policy" section for the TCP policy parameters.
Step 5
(Optional) Applies an SSL policy to the server side of the proxy server. See the "Configuring SSL Policy" section for the SSL policy parameters.
Step 6
(Optional) Applies a TCP policy to the server side of the proxy server. See the "Configuring TCP Policy" section.
Step 7
(Optional) Applies the HTTP header policy to the proxy server. See the "HTTP Header Insertion" section.
Step 8
(Optional) Applies the URL rewrite policy. See the "Configuring URL Rewrite" section.
Step 9
ssl-proxy(config-ssl-proxy)# trusted-ca ca_pool_name
Associates the trusted certificate authority pool with the proxy service. See the "Client Certificate Authentication" section for information on the certificate authority pools.
Step 10
ssl-proxy(config-ssl-proxy)# authenticate verify {signature-only3 | all4 }
Enables the client certificate authentication and specifies the form of verification. See the "Client Certificate Authentication" section for information on the client certificate authentication.
Step 11
ssl-proxy(config-ssl-proxy)# nat {server | client natpool_name}(Optional) Specifies the usage of either server NAT5 or client NAT for the server-side connection opened by the SSL daughter card. See the "Configuring NAT" section.
Step 12
(Optional) Applies a trustpoint configuration to the client proxy.
Note
Step 13
Sets the proxy server as administratively Up.
1 Configure the mask address to specify a wildcard proxy service. You must enter the secondary keyword to configure a wildcard proxy service.
2 If you create a policy without specifying any parameters, the policy is created using the default values.
3 When you verify signature-only, authentication stops at the level corresponding to one of the trusted certificate authority trustpoints in the trusted certificate authority pool.
4 When you verify all, the highest level issuer in the certificate chain must be configured as a trusted certificate authority trustpoint. The SSL daughter card authenticates all the certificates in the peer certificate chain and stops only at the highest level certificate authority. There must be a certificate authority trustpoint for the highest level certificate authority, and this trustpoint should be authenticated.
5 NAT = network address translation
This example shows how to configure SSL client proxy services:
ssl-proxy(config)# ssl-proxy service proxy1 clientssl-proxy(config-ssl-proxy)# virtual ipaddr 10.1.1.100 protocol tcp port 80ssl-proxy(config-ssl-proxy)# virtual policy tcp tcp2ssl-proxy(config-ssl-proxy)# server ipaddr 10.1.1.1 protocol tcp port 443ssl-proxy(config-ssl-proxy)# server policy tcp tcp2ssl-proxy(config-ssl-proxy)# server policy ssl ssl1ssl-proxy(config-ssl-proxy)# inservicessl-proxy(config-ssl-proxy)# endConfiguring NAT
The client connections originate from the client and are terminated on the SSL daughter card. The server connections originate from the SSL daughter card.
You can configure client NAT, server NAT, or both, on the server connection.
Note
Server NAT
The server IP address configured with the ssl-proxy service command specifies the IP address and port for the destination device, either the SSL daughter card or the real server for which the SSL daughter card acts as a proxy. If you configure server NAT, the server IP address is used as the destination IP address for the server connection. If the server NAT is not configured, the destination IP address for the server connection is the same as the virtual ipaddress for which the SSL daughter card is a proxy. The SSL daughter card always performs the port translation by using the port number entered in the server ipaddress subcommand.
To configure server NAT, perform this task:
Client NAT
If you configure client NAT, the server connection source IP address and port are derived from a NAT pool. If client NAT is not configured, the server connection source IP address and port are derived from the source IP address and source port of the client connection.
Allocate enough IP addresses to satisfy the total number of connections supported by the SSL daughter card (256,000 connections). Assuming that you have 32,000 ports per IP address, configure 8 IP addresses in the NAT pool. If you try to configure fewer IP addresses than required by the total connections supported by the SSL daughter card, the command is rejected.
To configure a NAT pool and assign the NAT pool to the proxy service, perform this task:
Configuring TACACS, TACACS+, and RADIUS
For information on configuring TACACS, TACACS+, and RADIUS, refer to these URLs:
•
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsecsp/scfrad.htm
•
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsecsp/scftplus.htm
Configuring SNMP Traps
For a list of supported MIBs, refer to this URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
Note
To enable SNMP traps, perform this task:
Step 1
Specifies the IP address of an external network management device to which traps are sent.
Step 2
(Optional) Enables the SSL proxy certificate expiration notification trap.
Note
Note
Step 3
(Optional) Enables the SSL proxy operation status notification trap.
Step 4
(Optional) Specifies the number of trap events that are held before the queue must be emptied. The default length is 10; valid values are 1 through 1000.
Step 5
Displays the SNMP information.
This example shows how to enable SNMP traps:
ssl-proxy# configure terminalEnter configuration commands, one per line. End with CNTL/Z.ssl-proxy(config)# snmp-server host 10.1.1.1 traps version 2c ssl-proxyssl-proxy(config)# snmp-server enable traps ssl-proxy cert-expiring*Nov 27 03:47:10.739:%STE-6-PROXY_CERT_EXPIRING_TRAP_ENABLED:SNMP trap for proxy servicecertificate expiration warning has been enabled.ssl-proxy(config)# snmp-server enable traps ssl-proxy oper-status*Nov 27 03:46:59.607:%STE-6-PROXY_OPER_STATUS_TRAP_ENABLED:SNMP trap for proxy serviceoperational status change has been enabled.ssl-proxy(config)# snmp-server queue-length 256ssl-proxy(config)# endssl-proxy# show snmp0 SNMP packets input0 Bad SNMP version errors0 Unknown community name0 Illegal operation for community name supplied0 Encoding errors0 Number of requested variables0 Number of altered variables0 Get-request PDUs0 Get-next PDUs0 Set-request PDUs8 SNMP packets output0 Too big errors (Maximum packet size 1500)0 No such name errors0 Bad values errors0 General errors0 Response PDUs8 Trap PDUsSNMP logging:enabledLogging to 10.1.1.1.162, 0/256, 0 sent, 0 dropped.ssl-proxy#Enabling the Cryptographic Self-Test
Note
Note
To run the self-test, perform this task:
ssl-proxy(config)# ssl-proxy crypto self-test time-interval time
Enables the crytographic self-test. The default value for time is 3 seconds; valid values are 1 though 8.
This example shows how to enable the cryptographic self-test and display cryptographic information:
ssl-proxy(config)# ssl-proxy crypto self-test time-interval 1ssl-proxy(config)# endDisplaying Statistics Information
To display statistics information, perform this task:
This example shows how to display header insertion information:
ssl-proxy# show ssl-proxy stats hdrHeader Insert Statistics:Session Headers Inserted :1 Custom Headers Inserted :0Session Id's Inserted :2 Client Cert. Inserted :0Client IP/Port Inserted :0No End of Hdr Detected :0 Payload no HTTP header :0Desc Alloc Failed :0 Buffer Alloc Failed :0Client Cert Errors :0 No Service :0This example shows how to display crypto information:
ssl-proxy# show ssl-proxy stats cryptoCrypto Statistics from SSL Module:1Self-test is runningCurrent device index is 1Time interval between tests is 1 secondsDevice 0 statistics:Total Number of runs:50Runs all passed:50Number of timer error:0---------------------------------------------------------Test Name Passed Failed Did-not-run---------------------------------------------------------0 Power-on Crypto chip sel 1 0 01 Power-on Crypto chip key 1 0 02 Hash Test Case 1 50 0 03 Hash Test Case 2 50 0 04 Hash Test Case 3 50 0 05 Hash Test Case 4 50 0 06 SSL3 MAC Test Case 1 50 0 07 SSL3 MAC Test Case 2 50 0 08 TLS1 MAC Test Case 1 50 0 09 TLS1 MAC Test Case 2 50 0 010 DES Server Test 50 0 011 DES Encrypt Test 1 50 0 012 DES Decrypt Test 1 50 0 013 DES Encrypt Test 2 50 0 014 DES Decrypt Test 2 50 0 015 ARC4 Test Case 1 50 0 016 ARC4 Test Case 2 50 0 017 ARC4 Test Case 3 50 0 018 ARC4 State Test Case 1 50 0 019 ARC4 State Test Case 2 50 0 020 ARC4 State Test Case 3 50 0 021 ARC4 State Test Case 4 50 0 022 HMAC Test Case 1 50 0 023 HMAC Test Case 2 50 0 024 Random Bytes Generation 50 0 025 RSA Encrypt/Decrypt Test 50 0 026 Master Secret Generation 50 0 027 Key Material Generation 50 0 028 SSL3 Handshake Hash Test 50 0 029 TLS1 Handshake Hash Test 50 0 0Device 1 statistics:Total Number of runs:49Runs all passed:49Number of timer error:0---------------------------------------------------------Test Name Passed Failed Did-not-run---------------------------------------------------------0 Power-on Crypto chip sel 1 0 01 Power-on Crypto chip key 1 0 02 Hash Test Case 1 50 0 03 Hash Test Case 2 50 0 04 Hash Test Case 3 50 0 05 Hash Test Case 4 50 0 06 SSL3 MAC Test Case 1 50 0 07 SSL3 MAC Test Case 2 50 0 08 TLS1 MAC Test Case 1 50 0 09 TLS1 MAC Test Case 2 50 0 010 DES Server Test 50 0 011 DES Encrypt Test 1 50 0 012 DES Decrypt Test 1 50 0 013 DES Encrypt Test 2 50 0 014 DES Decrypt Test 2 50 0 015 ARC4 Test Case 1 50 0 016 ARC4 Test Case 2 50 0 017 ARC4 Test Case 3 50 0 018 ARC4 State Test Case 1 49 0 019 ARC4 State Test Case 2 49 0 020 ARC4 State Test Case 3 49 0 021 ARC4 State Test Case 4 49 0 022 HMAC Test Case 1 49 0 023 HMAC Test Case 2 49 0 024 Random Bytes Generation 49 0 025 RSA Encrypt/Decrypt Test 49 0 026 Master Secret Generation 49 0 027 Key Material Generation 49 0 028 SSL3 Handshake Hash Test 49 0 029 TLS1 Handshake Hash Test 49 0 0This example shows how to display PKI certificate authentication and authorization statistics:
ssl-proxy# show ssl-proxy stats pki authAuthentication request timeout:240 secondsMax in process:100 (requests)Max queued before dropping:0 (requests)Certificate Authentication & Authorization Statistics:Requests started:2Requests finished:2Requests pending to be processed:0Requests waiting for CRL:0Signature only requests:0Valid signature:0Invalid signature:0Total number of invalid certificates:0Approved with warning (no crl check):2Number of times polling CRL:0No certificates present:0Failed to get CRL:0Not authorized (e.g. denied by ACL):0Root certificates not self-signed:0Verify requests failed (e.g. expired or CRL operation failed):0Unknown failure:0Empty certificate chain:0No memory to process requests:0DER encoded certificates missing:0Bad DER certificate length:0Failed to get key from certificate:0Issuer CA not in trusted CA pool:0Issuer CA certificates not valid yet:0Expired issuer CA certificates:0Peer certificates not valid yet:0Expired peer certificates:0This example shows how to display PKI peer certificate cache statistics:
ssl-proxy# show ssl-proxy stats pki cachePeer certificate cache size:0 (entries), aging timeout:30 (minutes)Peer certificate cache statistics:In use:0 (entries)Cache hit:0Cache miss:0Cache allocated:0Cache freed:0Cache entries expired:0Cache error:0Cache full (wrapped around):0No memory for caching:0This example shows how to display the forwarding data unit statistics:
ssl-proxy# show ssl-prox stats fduFDU Statistics:IP Frag Drops : 0 IP Version Drops : 0IP Addr Discards : 0 Serv_Id Drops : 0Conn Id Drops : 0 Bound Conn Drops : 0Vlan Id Drops : 0 TCP Checksum Drops : 0Hash Full Drops : 0 Hash Alloc Fails : 0Flow Creates : 536701 Flow Deletes : 536701Conn Id allocs : 268354 Conn Id deallocs : 268354Tagged Pkts Drops : 0 Non-Tagg Pkts Drops : 0Add ipcs : 3 Delete ipcs : 0Disable ipcs : 1 Enable ipcs : 0Unsolicited ipcs : 1345 Duplicate Add ipcs : 0IOS Broadcast Pkts : 43432 IOS Unicast Pkts : 12899IOS Multicast Pkts : 0 IOS Total Pkts : 56331IOS Congest Drops : 0 SYN Discards : 0FDU Debug Counters:Inv. Conn Drops : 0 Inv. Conn Pkt Drops : 0Inv. TCP opcodes : 0Inv. Fmt Pkt Drops : 0 Inv. Bad Vlan ID : 0Inv. Bad Ctl Command: 0 Inv. TCP Congest : 0Inv. Bad Buffer Fmt : 0 Inv. Buf Undersized : 0ssl-proxy#Collecting Crash Information
The crash-info feature collects information for developers to fix software-forced resets. Enter the show ssl-proxy crash-info command to collect software-forced reset information. You can retrieve only the latest crash-info in case of multiple software-forced resets. The show ssl-proxy crash-info command takes 1 to 6 minutes to complete the information collection process.
Note
This example shows how to collect software-forced reset information:
ssl-proxy# show ssl-proxy crash-info===== SSL daughter card - START OF CRASHINFO COLLECTION =====------------- COMPLEX 0 [FDU_IOS] ----------------------NVRAM CHKSUM:0xEB28NVRAM MAGIC:0xC8A514F0NVRAM VERSION:1++++++++++ CORE 0 (FDU) ++++++++++++++++++++++CID:0APPLICATION VERSION:2003.04.15 14:50:20 built for cantucAPPROXIMATE TIME WHEN CRASH HAPPENED:14:06:04 UTC Apr 16 2003THIS CORE DIDN'T CRASHTRACEBACK:222D48 216894CPU CONTEXT -----------------------------$0 :00000000, AT :00240008, v0 :5A27E637, v1 :000F2BB1a0 :00000001, a1 :0000003C, a2 :002331B0, a3 :00000000t0 :00247834, t1 :02BFAAA0, t2 :02BF8BB0, t3 :02BF8BA0t4 :02BF8BB0, t5 :00247834, t6 :00000000, t7 :00000001s0 :00000000, s1 :0024783C, s2 :00000000, s3 :00000000s4 :00000001, s5 :0000003C, s6 :00000019, s7 :0000000Ft8 :00000001, t9 :00000001, k0 :00400001, k1 :00000000gp :0023AE80, sp :031FFF58, s8 :00000019, ra :00216894LO :00000000, HI :0000000A, BADVADDR :828D641CEPC :00222D48, ErrorEPC :BFC02308, SREG :34007E03Cause 0000C000 (Code 0x0):Interrupt exceptionCACHE ERROR registers -------------------CacheErrI:00000000, CacheErrD:00000000ErrCtl:00000000, CacheErrDPA:0000000000000000PROCESS STACK -----------------------------stack top:0x3200000Process stack in use:sp is close to stack top;printing 1024 bytes from stack top:031FFC00:06405DE0 002706E0 0000002D 00000001 .@]`.'.`...-....031FFC10:06405DE0 002706E0 00000001 0020B800 .@]`.'.`..... 8.031FFC20:031FFC30 8FBF005C 14620010 24020004 ..|0.?.\.b..$....................................FFFFFFD0:00000000 00000000 00000000 00000000 ................FFFFFFE0:00627E34 00000000 00000000 00000000 .b~4............FFFFFFF0:00000000 00000000 00000000 00000006 ................===== SSL daughter card - END OF CRASHINFO COLLECTION =======Enabling VTS Debugging
A virtual terminal server (VTS) is built into the SSL daughter card for debugging different processors (FDU, TCP, SSL) on the module.
Note
If you use TCP debug commands, the TCP module displays large amounts of debug information on the console, which can significantly slow down module performance. Slow module performance can lead to delayed processing of TCP connection timers, packets, and state transitions.
From a workstation or PC, make a Telnet connection to one of the VLAN IP addresses on the module to port 2001 to view debug information.
To display debugging information, perform this task:
ssl-proxy# [no] debug ssl-proxy {fdu | ssl | tcp} [type]Turns on or off the debug flags for the specified system component.
After you make the Telnet connection, enter the debug ssl-proxy {tcp | fdu | ssl} command from the SSL Certificate Management console. One connection is sent from a client and displays the logs found in TCP console.
This example shows how to display the log for TCP states for a connection and verify the debugging state:
ssl-proxy# debug ssl-proxy tcp statessl-proxy# show debuggingSTE Mgr:STE TCP states debugging is onThis example shows the output from the workstation or PC:
Conn 65066 state CLOSED --> state SYN_RECEIVEDConn 65066 state SYN_RECEIVED --> state ESTABLISHEDConn 14711 state CLOSED --> state SYN_SENTConn 14711 state SYN_SENT --> state ESTABLISHEDConn 14711 state ESTABLISHED --> state CLOSE_WAITConn 65066 state ESTABLISHED --> state FIN_WAIT_1Conn 65066 state FIN_WAIT_1 --> state FIN_WAIT_2Conn 65066 state FIN_WAIT_2 --> state TIME_WAITConn 14711 state CLOSE_WAIT --> state LAST_ACKConn 14711 state LAST_ACK --> state CLOSED##############Conn 65066 state TIME_WAIT --> state CLOSED