Application Control Engine Module Getting Started Guide (Software Version A2(3.0)) - Configuring SSL Security [Cisco Services Modules]

Table Of Contents

Configuring SSL Security

Information About SSL

Prerequisites for Configuring SSL

Configuring SSL Termination

Task Flow for Configuring SSL Termination

Importing the SSL Certificate and Key Pair Files

Creating an SSL Proxy Service

Configuring a Traffic Policy for SSL Termination

Configuration Example for SSL Termination

Where to Go Next

Configuring SSL Security

This chapter describes how to configure Secure Sockets Layer (SSL) on the Cisco Application Control Engine (ACE) module.

This chapter contains the following sections:

•Information About SSL

•Prerequisites for Configuring SSL

•Configuring SSL Termination

•Configuration Example for SSL Termination

•Where to Go Next

Information About SSL

After reading this chapter, you should have a basic understanding of how the ACE provides SSL security for your network and how to configure SSL termination, in which the ACE operates as an SSL server.

SSL configuration in an ACE establishes and maintains a SSL session between the ACE and another device. It provides for secure data transactions between a client and a server. SSL provides authentication, encryption, and data integrity in a Public Key Infrastructure (PKI), which is a set of policies and procedures that establishes a secure information exchange between devices.

In SSL, data is encrypted using one or more symmetric keys that are known only by the two endpoints in the transaction. In a key exchange, one device generates the symmetric key and then encrypts it using an asymmetric encryption scheme before transmitting the key to the other device.

Asymmetric encryption requires each device to have a unique key pair consisting of a public key and a private key. A private key is an encryption/decryption key known only to the parties exchanging the messages. A public key is a value provided by some designated authority as an encryption key that, combined with a private key derived from the public key, can be used to effectively encrypt messages and digital signatures. The two keys are mathematically related; data that is encrypted using the public key can only be decrypted using the corresponding private key, and vice versa.

SSL facilitates client and server authentication through the use of digital certificates. Digital certificates are a form of digital identification to prove the identity of the server to the client, or optionally, the client to the server. A certificate ensures that the identification information is correct and the public key embedded in it actually belongs to the client or server.

A Certificate Authority (CA) issues digital certificates in the context of a PKI. CAs are trusted authorities that sign certificates to verify their authenticity. As the certificate issuer, the CA uses its private key to sign the certificate. Upon receiving a certificate, a client uses the issuer's public key to decrypt and verify the certificate signature to ensure that the certificate was actually issued and signed by an authorized entity.

If you do not have a certificate and the corresponding key pair, you can use the ACE to generate a key pair and a certificate signing request (CSR) to apply for a certificate from a CA. The CA signs the CSR and returns the authorized digital certificate to you. The ACE supports import, export, and other management functions to manage the various certificates and key pair files within each context.

The client and server use the SSL handshake protocol to establish an SSL session between the two devices. During the handshake, the client and server negotiate the SSL parameters that they will use during the secure session. During the SSL handshake, the ACE uses an SSL proxy service, which includes the configuration of SSL session parameters, an RSA key pair, and a matching certificate.

The ACE applies SSL session parameters to an SSL proxy service. Creating an SSL parameter map allows you to apply the same SSL session parameters to different proxy services. The SSL session parameters include timeouts, close protocol behavior, and SSL version—SSL 3 and/or Transport Layer Security (TLS) 1. For more information on these parameters, see the Cisco Application Control Engine Module SSL Configuration Guide.

You can configure the ACE to act as a client or a server during an SSL session by defining operational attributes such as SSL session parameters, SSL key pairs and certificates, and traffic characteristics. When the traffic characteristics match the settings specified in the operational attributes, the ACE executes the actions associated with the SSL proxy service. Figure 9-1 shows the three basic SSL configurations in which the ACE is used to encrypt and decrypt data between the client and the server: SSL termination, SSL initiation, and end-to-end SSL.

Figure 9-1 ACE SSL Configurations

In SSL termination, an ACE context is configured for a front-end application in which the ACE operates as an SSL server that communicates with a client. When you define the flow between an ACE and a client, the ACE operates as a virtual SSL server by adding security services between a web browser (the client) and the HTTP connection (the server).

All inbound SSL flows that come from a client terminate at the ACE. After the connection is terminated, the ACE decrypts the ciphertext (encrypted content) from the client and sends the data as clear text (unencrypted content) to an HTTP server. For information about configuring the ACE for SSL termination, see the "Configuring SSL Termination" section.

In SSL initiation, an ACE context is configured for a back-end application in which the ACE operates as a client that communicates with an SSL server. When you define the flow between an ACE and an SSL server, the ACE operates as a client and initiates the SSL session. SSL initiation enables the ACE to receive clear text from a client and then establish an SSL session with an SSL server, joining the client and SSL server connections.

The ACE encrypts the clear text that it receives from the client and sends the data as ciphertext to an SSL server. The SSL server can either be an ACE configured for SSL termination (a virtual SSL server) or a real SSL server (web server). On the outbound flow from the SSL server, the ACE decrypts the ciphertext from the server and sends clear text back to the client. For more information on configuring the ACE for SSL initiation, see the Cisco Application Control Engine Module SSL Configuration Guide.

In end-to-end SSL, an ACE context is configured for both SSL termination and SSL initiation. You configure the ACE for end-to-end SSL when you have an application that requires secure SSL channels between the client and the ACE, and between the ACE and the SSL server.

For example, a transaction between banks requires end-to-end SSL to protect all financial information exchanged. End-to-end SSL also allows the ACE to insert load-balancing and security information into the data. The ACE decrypts the ciphertext that it receives and inserts load-balancing and firewall information into the clear text. The ACE then reencrypts the data and passes the ciphertext to its intended destination. For more information on configuring the ACE for end-to-end SSL initiation, see the Cisco Application Control Engine Module SSL Configuration Guide.

Prerequisites for Configuring SSL

Before configuring the ACE for an SSL operation, you must first configure it for server load balancing. To configure your ACE for server load balancing, see Chapter 6, "Configuring Server Load Balancing."

Before you configure SSL termination using the procedure in this chapter, you should have a signed SSL certificate and a key pair residing on an FTP server. For details about obtaining an SSL certificate and key pair, see the Cisco Application Control Engine Module SSL Configuration Guide.

If you do not have your own SSL certificate and key pair, for internal testing only, you can use the following Cisco-provided self-signed sample certificate and key pair files as follows:

•cisco-sample-cert

•cisco-sample-key

Configuring SSL Termination

SSL termination occurs when the ACE, acting as an SSL proxy server, terminates an SSL connection from a client and then establishes a TCP connection to an HTTP server. When the ACE terminates the SSL connection, it decrypts the ciphertext from the client and transmits the data as clear text to the HTTP server.

Figure 9-2 shows the following network connections in which the ACE terminates the SSL connection with the client:

•Client to ACE—An SSL connection exists between the client and the ACE acting as an SSL proxy server.

•ACE to Server—A TCP connection exists between the ACE and the HTTP server.

Figure 9-2 SSL Termination

SSL termination is a Layer 3 and Layer 4 application because it is based on the destination IP address of the inbound traffic flow from the client. When configuring a policy map for SSL termination, you associate the following elements:

•The SSL proxy service, including SSL session parameters, certificate, and key pair.

•The virtual SSL server IP address that the destination IP address of the inbound traffic must match (a class map). When a match occurs, the ACE negotiates with the client to establish an SSL connection.

Task Flow for Configuring SSL Termination

Follow these steps to configure SSL termination:

Step 1 Import the SSL certificate and key pair files and verify that the certificate matches the key pair.

Step 2 Create an SSL proxy service.

Step 3 Configure a traffic policy for SSL.

Importing the SSL Certificate and Key Pair Files

Procedure
Command

Purpose
Step 1
changeto context
Example:
host1/Admin# changeto VC_WEB
host1/VC_WEB#
Changes to the correct context if necessary. Check the CLI prompt to verify that you are operating in the desired context.
Step 2
crypto import ftp ip_address username /remote_filename local_filename
Example:
host1/VC_WEB# crypto import ftp 
172.25.91.100 Admin /marketing.pem 
marketing.pem 
Password: ****
Passive mode on.
Hash mark printing on (1024 bytes/hash 
mark).
#
Successfully imported file from remote 
server.
host1/VC_WEB# 
Imports the key file marketing.pem from an FTP server. Use your own key pair file for this step. If you do not have a key file, see the Cisco Application Control Engine Module SSL Configuration Guide for information about how to obtain one and skip this step. Meanwhile, you can use the sample key file that is provided with your ACE software in a later step for internal testing.
Step 3
crypto import terminal filename
Example:
host1/VC_WEB# crypto import terminal 
marketing_cert.pem
Enter PEM formatted data ending with a 
blank line or "quit" on a line by 
itself.
-----------BEGIN CERTIFICATE-----------
MIIC1DCCAj2gAwIBAgIDCCQAMA0GCSqGSIb3DQE
BAgUAMIHEMQswCQYDVQQGEwJa
QTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRIwEAY
DVQQHEwlDYXBlIFRvd24xHTAb
BgNVBAoTFFRoYXd0ZSBDb25zdWx0aW5nIGNjMSg
wJgYDVQQLEx9DZXJ0aWZpY2F0
aW9uIFNlcnZpY2VzIERpdmlzaW9uMRkwFwYDVQQ
DExBUaGF3dGUgU2VydmVyIENB
MSYwJAYJKoZIhvcNAQkBFhdzZXJ2ZXItY2VydHN
AdGhhd3RlLmNvbTAeFw0wMTA3
-----------END CERTIFICATE-------------
Copies the certificate information from the certificate that you received from the CA, and pastes it into a certificate file called marketing_cert.pem. Use your own certificate file for this step. If you do not have a signed certificate, see the Cisco Application Control Engine Module SSL Configuration Guide for information about how to obtain one and skip this step. Meanwhile, you can use the Cisco-provided sample self-signed certificate in a later step for internal testing.
Step 4
quit
Example:
quit
host1/VC_WEB#
Closes the file.
Step 5
crypto verify key_filename cert_fielname
Example:
host1/VC_WEB# crypto verify 
cisco-sample-key cisco-sample-cert
keypair in cisco-sample-key matches 
certificate in cisco-sample-cert
Verifies that the certificate matches the key pair. If you have not obtained your own SSL certificate and key pair files yet, you can use the Cisco-provided certificate (cisco-sample-cert) and key (cisco-sample-key) for internal testing.
Creating an SSL Proxy Service

Procedure
Step 1
config
Example:
host1/VC_WEB# config
host1/VC_WEB(config)# 
Enters configuration mode.
Step 2
ssl-proxy service pservice_name
Example:
host1/Admin(config)# ssl-proxy service 
PS_SSL_TERMINATION
host1/Admin(config-ssl-proxy)#
Creates the PS_SSL_TERMINATION SSL proxy service.
Step 3
key key_filename
Example:
host1/VC_WEB(config-ssl-proxy)# key 
cisco-sample-key
Specifies the key pair filename in the SSL proxy. Use your own key pair filename or enter the Cisco-provided sample key pair filename (cisco-sample-key) for internal testing.
Step 4
cert cert_filename
Example:
host1/VC_WEB(config-ssl-proxy)# cert cisco-sample-cert
Specifies the certificate filename in the SSL proxy. Use your own key pair filename or enter the Cisco-provided sample certificate filename (cisco-sample-cert) for internal testing.
Step 5
exit
Example:
host1/VC_WEB(config-ssl-proxy)# exit
host1/VC_WEB(config)#
Exits SSL proxy configuration mode.
Configuring a Traffic Policy for SSL Termination

Procedure
Command

Purpose
Step 1
class-map map_name
Example:
host1/VC_WEB(config)# class-map CM_SSL
Creates a Layer 3 and Layer 4 class map.
Step 2
match virtual-address vip_address tcp eq port
Example:
host1/VC_WEB(config-cmap)# match virtual-address 10.10.40.11 tcp eq https
Configures the class map with the input traffic match criteria, including the VIP and the TCP protocol.
Step 3
exit
Example:
host1/VC_WEB(config-cmap)# exit
host1/VC_WEB(config)#
Exits class map configuration mode.
Step 4
policy-map multi-match map_name
Example:
host1/VC_WEB(config)# policy-map multi-match PM_MULTI_MATCH
host1/VC_WEB(config-pmap)#
Enters policy map configuration mode.
Step 5
class name
Example:
host1/VC_WEB(config-pmap)# class CM_SSL
host1/VC_WEB(config-pmap-c)#
Associates the CM_SSL class map with the multimatch policy map.
Step 6
loadbalance VIP inservice
Example:
host1/VC_WEB(config-pmap-c)# loadbalance vip inservice
Enables a VIP for load balancing operations.
Step 7
loadbalance policy PM_LB
Example:
host1/VC_WEB(config-pmap-c)# loadbalance policy PM_LB
Associates the PM_LB Layer 7 load-balancing policy map with the PM_MULTI_MATCH Layer 3 and Layer 4 policy map.
Step 8
ssl-proxy server name
Example:
host1/VC_WEB(config-pmap-c)# ssl-proxy server PS_SSL_TERMINATION
Associates the SSL proxy service PS_SSL_TERMINATION with the policy map.
Step 9
exit
Example:
host1/VC_WEB(config-pmap-c)# exit
host1/VC_WEB(config-pmap)# exit
host1/VC_WEB(config)#
Exits policy map class configuration mode. Exits policy map configuration mode.
Step 10
interface vlan vlan_id
Example:
host1/VC_WEB(config)# interface vlan 400
Enters interface configuration mode for the client-side VLAN interface 400.
Step 11
service-policy input map_name
Example:
host1/VC_WEB(config-if)# service-policy input PM_SSL
Applies the policy map to the input traffic of the VLAN 400 interface.
Step 12
exit
Example:
host1/VC_WEB(config-if)# exit
host1/VC_WEB(config)# exit
host1/VC_WEB#
Exits interface configuration mode. Exits configuration mode.
Step 13
show running-config
Example:
host1/VC_WEB# show running-config
Displays the running configuration to verify that the information that you just added is configured properly.
Step 14
copy running-config startup-config
Example:
host1/VC_WEB# copy running-config startup-config
(Optional) Copies the running configuration to the startup configuration.
Configuration Example for SSL Termination

The following example shows how to configure SSL termination. The commands that you have configured in this chapter appear in bold text.
switch/VC_WEB(config)# do show running config
Generating configuration....
access-list INBOUND line 8 extended permit ip any any
rserver host RS_WEB1
  description content server web-one
  ip address 10.10.50.10
  inservice
rserver host RS_WEB2
  description content server web-two
  ip address 10.10.50.11
  inservice
rserver host RS_WEB3
  description content server web-three
  ip address 10.10.50.12
  inservice
rserver host RS_WEB4
  description content server web-four
  ip address 10.10.50.13
  inservice
serverfarm host SF_WEB
  predictor hash header Accept
  rserver RS_WEB1 80
    inservice
  rserver RS_WEB2 80
    inservice
  rserver RS_WEB3 80
    inservice
  rserver RS_WEB4 80
    inservice
sticky http-cookie Cookie1 StickyGroup1
  timeout 3600
  serverfarm SF_WEB
ssl-proxy service PS_SSL_TERMINATION
  key cisco-sample-key
  cert cisco-sample-cert
class-map match-all CM_SSL
  2 match virtual-address 10.10.40.11 tcp eq https
class-map type management match-any REMOTE_ACCESS
  description Remote access traffic match
  2 match protocol ssh any
  3 match protocol telnet any
  4 match protocol icmp any
class-map match-all VS_WEB
  2 match virtual-address 10.10.40.10 tcp eq www
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
policy-map type loadbalance first-match PM_LB
  class class-default
    serverfarm SF_WEB
policy-map multi-match PM_MULTI_MATCH
  class VS_WEB
    loadbalance vip inservice
    loadbalance policy PM_LB
  class CM_SSL
    loadbalance vip inservice
    loadbalance policy PM_LB
    ssl-proxy server PS_SSL_TERMINATION
service-policy input REMOTE_MGMT_ALLOW_POLICY
interface vlan 400
  description Client connectivity on VLAN 400
  ip address 10.10.40.1 255.255.255.0
  access-group input INBOUND
  service-policy input PM_MULTI_MATCH
  no shutdown
interface vlan 500
  description Server connectivity on VLAN 500
  ip address 10.10.50.1 255.255.255.0
  no shutdown
domain DOMAIN1
add-object all
ip route 0.0.0.0 0.0.0.0 172.25.91.1
username USER1 password 5 $1$vAN9gQDI$MmbmjQgJPj45lxbtzXPpB1  role SLB-Admin domain 
DOMAIN1
Where to Go Next

In this chapter, you have configured an SSL proxy service and a virtual server for SSL termination. In the next chapter, you will configure server health monitoring probes (keepalives).