topic Re: CSS: "ssl-server 10 rsacert" command was deleted during boot in Application Networking

CSS: "ssl-server 10 rsacert" command was deleted during boot up

snakayama — Mon, 06 Apr 2009 08:53:33 GMT

Hi everyone,

I need your help.

After rebooting both Pri/Sec CSSs, "ssl-server 10 rsacert" command under "ssl-proxy-list" was deleted on both CSSs.

Because same symptom occurred on both CSSs, I'd like to explain the detail of the problem about one CSS(Pri CSS).

The following was the config just after rebooting.

ssl associate cert key1-09.crt key1-09.crt

ssl associate rsakey key1-06.pem key1-06.pem

ssl-proxy-list SSL-LIST

ssl-server 10

ssl-server 10 vip address 172.16.3.32

ssl-server 10 cipher rsa-with-rc4-128-sha 172.16.3.32 80

ssl-server 10 rsakey key1-06.pem

"ssl-server 10 rsacert key1-09.crt" didn't exist.

So the problem was resolved by just adding "ssl-server 10 rsacert key1-09.crt".

ssl associate cert key1-09.crt key1-09.crt

ssl associate rsakey key1-06.pem key1-06.pem

ssl-proxy-list SSL-LIST

ssl-server 10

ssl-server 10 vip address 172.16.3.32

ssl-server 10 cipher rsa-with-rc4-128-sha 172.16.3.32 80

ssl-server 10 rsakey key1-06.pem

ssl-server 10 rsacert key1-09.crt

active

I'd like to go back to explain the problem before adding "ssl-server 10 rsacert key1-09.crt".

After rebooting, I found the following error on CSS.

#sh log startup-errors tail 100

57. ssl-server 10 rsacert key1-09.crt

%% SSL Proxy List ssl-server does not exist

58. active

%% SSL Proxy Lists must have ssl-servers or backend-servers before activation

90. active

%% No active ssl-lists on service, service not activated.

#show ssl flows

SSL Acceleration Flows for module 2

-- No active VIPs found for module.

Certificate was surely existed on CSS even after rebooting,

#show ssl files

File Name File Type File Size

---------------- --------- ------------

key1-06.pem PEM 887

key1-09.crt PEM 1914

I found strange thing might be caused this problem.

Customer updated the certificate on CSS on February with the following procedure.

1: copied new certificate into CSS

2: confirmed config before upgrading

ssl associate rsakey key1-06.pem key1-06.pem

ssl associate cert key1-07.crt key1-07.crt

ssl-proxy-list SSL-LIST

ssl-server 10

ssl-server 10 vip address 172.16.3.32

ssl-server 10 cipher rsa-with-rc4-128-sha 172.16.3.32 80

ssl-server 10 rsakey key1-06.pem

ssl-server 10 rsacert key1-07.crt

active

3: upgraded the certificate from "key1-07.crt" to "key1-09.crt"

ssl associate cert key1-09.crt key1-09.crt

no ssl associate cert key1-07.crt

ssl-proxy-list SSL-LIST

suspend

no ssl-server 10 rsacert

ssl-server 10 rsacert key1-09.crt

active

(exited from config mode, wr mem to save)

4: confirmed config after upgrading

ssl associate cert key1-09.crt key1-09.crt

ssl associate rsakey key1-06.pem key1-06.pem

ssl-proxy-list SSL-LIST

ssl-server 10 rsacert key1-09.crt

active

ssl-server 10

ssl-server 10 vip address 172.16.3.32

ssl-server 10 cipher rsa-with-rc4-128-sha 172.16.3.32 80

ssl-server 10 rsakey key1-06.pem

I guess the cause of this problem was that "ssl-server 10 rsacert key1-09.crt" was on the top of ssl-proxy-list (4:) and the following

scenario.

Normally "ssl-server 10 vip address 172.16.3.32" must be loaded before loading "ssl-server 10 rsacert key1-09.crt".

But in this case, CSS might load "ssl-server 10 rsacert key1-09.crt" first before loading "ssl-server 10 vip address 172.16.3.32".

Therefore, CSS logged the following error and then CSS might delete "ssl-server 10 rsacert key1-09.crt".

SSL Acceleration Flows for module 2

-- No active VIPs found for module.

Have you experienced same problem?

Does CSS delete "ssl-server 10 rsacert" from its config if "ssl-server 10 vip address" hadn't loaded first?

Did the upgrading procedure of certificate make mistake?

I think CSS version 7.50.303 no longer supported by TAC and could not find any bug related it.

So I posted it to give me any information.

Best regards,

Shin

Re: CSS: "ssl-server 10 rsacert" command was deleted during boot

sachinga.hcl — Wed, 08 Apr 2009 22:35:36 GMT

Kindly Use following procedure to add certificate:

https://crystaltech.xrampsecurity.com/support.php?s=csr&sr=22

Cisco CSS 11500

Installing your Certificate on Cisco CSS 11500

Once the CSR has been signed by a CA, it is now called a Certificate. The Certificate file must be imported to the CSS.

Import Chained Certificate File

Issue the copy ssl command to facilitate the import or export of certificates and private keys from or to the CSS. The CSS stores all imported files in a secure location on the CSS. This command is available only in SuperUser mode. For example, to import the mychainedrsacert.pem certificate from a remote server to the CSS, type the following:

CSS11500# copy ssl sftp ssl_record import mychainedrsacert.pem PEM ï¿½passwd123ï¿½

Connecting Completed successfully

Note: XRamp certificates are issued using a .cer format. .pem, .cer, and .crt extensions can be interchanged, as they are the same type of file.

Associate the Certificate File

Issue the ssl associate cert command to associate a certificate name to the imported certificate. For example, to associate the certificate name mychainedrsacert1 to the imported certificate file mychainedrsacert.pem, type the following:

CSS11500(config)# ssl associate cert mychainedrsacert1 mychainedrsacert.pem

Configure the SSL Proxy List

Issue the ssl-proxy-list command to create an SSL proxy list. An SSL proxy list is a group of related virtual or backend SSL servers that are associated with an SSL service. The SSL proxy list contains all the configuration information for each virtual SSL Server. This includes the SSL Server creation, certificates and corresponding SSL key pair, Virtual IP (VIP) address and port, SSL ciphers supported, and other SSL options. For example, to create the ssl-proxy-list ssl_list1, type the following:

CSS11500(config)# ssl-proxy-list ssl_list1

Create ssl-list , [y/n]: y

Once you create an SSL proxy list, the CLI enters you into the ssl-proxy-list configuration mode. Configure your SSL server as shown below.

CSS11500(ssl-proxy-list[ssl_list1])# ssl-server 20

CSS11500(ssl-proxy-list[ssl_list1])# ssl-server 20 vip address 192.168.3.6

CSS11500(ssl-proxy-list[ssl_list1])# ssl-server 20 rsacert mychainedrsacert1

CSS11500(ssl-proxy-list[ssl_list1])# ssl-server 20 rsakey myrsakey1

CSS11500(ssl-proxy-list[ssl_list1])# ssl-server 20 cipher rsa-export-with-rc4-40-md5 192.168.11.2 80 5

CSS11500(ssl-proxy-list[ssl_list1])# active

......end PAGE 1

Re: CSS: "ssl-server 10 rsacert" command was deleted during boot

sachinga.hcl — Wed, 08 Apr 2009 22:35:59 GMT

-----start page 2

Configure Secure Socket Layer (SSL) Service and Content Rules Once the SSL proxy list is activated, a service and content rule need to be configured to allow the CSS to send SSL traffic to the SSL module. This table provides an overview of the steps required to create an SSL service for a virtual SSL server, including adding the SSL proxy list to the service and creating an SSL content rule.

Create an SSL service

CSS11500(config)# service ssl_serv1Create service , [y/n]: y

CSS11500(config-service[ssl_serv1])# type ssl-accel

CSS11500(config-service[ssl_serv1])# slot 2

CSS11500(config-service[ssl_serv1])# keepalive type none

CSS11500(config-service[ssl_serv1])# add ssl-proxy-list ssl_list1

CSS11500(config-service[ssl_serv1])# active

Create an SSL content rule

CSS11500(config)# owner ssl_owner

Create owner , [y/n]: y

CSS11500(config-owner[ssl_owner])# content ssl_rule1

Create content , [y/n]: y

CSS11500(config-owner-content[ssl-rule1]# vip address 192.168.3.6

CSS11500(config-owner-content[ssl-rule1]# port 443 CSS11500(config-owner-content[ssl_rule1])# add service ssl_serv1 CSS11500(config-owner-content[ssl_rule1])# active

Create a clear text content rule

CSS11500(config-owner[ssl_owner])# content decrypted_www Create content , [y/n]: y

CSS11500(config-owner-content[decrypted_www]# vip address 192.168.11.2

CSS11500(config-owner-content[decrypted_www]# port 80

CSS11500(config-owner-content[decrypted_www])# add service linux_http

CSS11500(config-owner-content[decrypted_www])# add service win2k_http

CSS11500(config-owner-content[decrypted_www])# active

At this point, client HTTPS traffic can be sent to the CSS at 192.168.3.6:443. The CSS decrypts the HTTPS traffic, converting it to HTTP. The CSS then chooses a service and sends the HTTP traffic to a HTTP Web server. The following is a working CSS configuration

Use the following URL for Requesting and Installing a Server Certificate on the CSS11500

http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_example09186a00801ffdcb.shtml

Regards

sachin

Re: CSS: "ssl-server 10 rsacert" command was deleted during boot

snakayama — Thu, 09 Apr 2009 00:02:56 GMT

Sachin,

Thank you very much for your information.

I'm studying your answer.

Regards,

Shin