topic Re: Configuring SSL termination on ACE in Application Networking

Configuring SSL termination on ACE

new_networker — Fri, 19 Sep 2008 17:04:42 GMT

Hi,

Can someone explain what is SSL proxy service used for.

Also, please give a one liner description of the below entries.

ssl-proxy service PSERVICE_SERVER

key ACEKEY.PEM

cert ACEIDM-CERT.PEM

chaingroup CISCOSSLCA-group

ssl advanced-options PARAMMAP_SSL

Lastly, why is PEM extension used for certificate. Can other extensions be used as well like CER etc.

Thanks.

Re: Configuring SSL termination on ACE

Syed Iftekhar Ahmed — Fri, 19 Sep 2008 20:39:38 GMT

SSL proxy server is used to define the server certs, Intermediate certs (if any - using chaingroup) and RSA Key pairs that should be used to Offload SSL.

Following will be the line by line description

key ACEKEY.PEM <-- Use ACEKEY.PEM named RSA key to offload request

cert ACEIDM-CERT.PEM <-- USe this server certificate to offload SSL request

chaingroup CISCOSSLCA-group <-- Use this chain group to complete Cert chain. This cahin group is configured seperately and it carries all the intermediate certs needed to complete the certificate chain.

ssl advanced-options PARAMMAP_SSL <- This SSL type parameter map is also created seperately and it include the supported SSL version and SSL ciphers

If you don't use SSL type parameter type then by default ACE supports all ciphers & all SSL versions.

ACE supports PEM, DER & PKCS12 formats. You can use any extensions as long as the certs follow one of the above mentioned standards.

Syed

Re: Configuring SSL termination on ACE

new_networker — Sat, 20 Sep 2008 11:33:59 GMT

Ok.

If we were to use an SSL certificate on ACE module for lets say six months and then we replace the ACE module. Can the same certificate be used in the newly installed ACE module or would a new SSL certificate be required.

Thanks.

Re: Configuring SSL termination on ACE

Syed Iftekhar Ahmed — Sat, 20 Sep 2008 12:07:49 GMT

No worries..

You can export the RSA keypair and Certificates from one ACE and can import it to another ACE.

Syed

Re: Configuring SSL termination on ACE

new_networker — Mon, 22 Sep 2008 12:27:28 GMT

In reference to your previous post, does SSL proxy service need to be a dedicated server required to hold the server certificates.

Re: Configuring SSL termination on ACE

Syed Iftekhar Ahmed — Mon, 22 Sep 2008 18:46:17 GMT

Its just a configuration object defined on ACE that holds the relevant SSL objects (cert,key,cert chain, allowed ciphers..). You can have multiple SSL proxy services that can be used by ACE to offload traffic for different applications.

Syed

Re: Configuring SSL termination on ACE

new_networker — Wed, 22 Oct 2008 10:30:25 GMT

Hi,

Once I generate the key, how can I list it in the ACE file system.

I believe the key will be added from the local file system on ACE.

Also, it is ok that the key is in PEM format and the Certificate is in DER format.

Re: Configuring SSL termination on ACE

Syed Iftekhar Ahmed — Wed, 22 Oct 2008 17:26:27 GMT

show crypto files

will show you all keys & certs on ACE.

Using openssl you can easily convert pem-->DER and vice versa.

Syed Iftekhar Ahmed

Re: Configuring SSL termination on ACE

new_networker — Wed, 22 Oct 2008 17:38:18 GMT

Would you know whether MS IIS - Certificate Authority supports PEM format.

I can only see PKCS and DER.

Re: Configuring SSL termination on ACE

Syed Iftekhar Ahmed — Wed, 22 Oct 2008 18:08:05 GMT

I dont think PEM is supported on IIS.

But you can easily convert these to PEM using open ssl.

Following link will give you the needed steps

http://www.petefreitag.com/item/16.cfm

Syed Iftekhar Ahmed