topic Re: CSS - 11506 - Adding New SSL Services on Single SSL Modules in Application Networking

CSS - 11506 - Adding New SSL Services on Single SSL Modules

Dulal Ray — Thu, 11 Feb 2010 07:19:11 GMT

Hi,

We are having one pair of CCS 11506 currently SSL services are running on slot4 with single SSL module.Now we are planning to add one more SSL application with different certificates & keys on different VIP.

Can we use the same slot4 for new application & using different certicates & keys on same SSL modules.Your reponse is appriecated

Re: CSS - 11506 - Adding New SSL Services on Single SSL Modules

Dulal Ray — Thu, 11 Feb 2010 07:41:40 GMT

Pl. reply we need confirm on urgent basis.

Re: CSS - 11506 - Adding New SSL Services on Single SSL Modules

Sean Merrow — Thu, 11 Feb 2010 17:38:43 GMT

Hello,

Yes, you can use the same SSL module for multiple applications. No need to add a second SSL module. Below are the typical and general steps:

Import the new certificate and key onto the CSS
Associate the new certificate and key to filenames
Create your new ssl-server on the existing ssl-proxy-list (including VIPs, cert, key, etc.)
Add any necessary content rules, services, groups, and redundant VIPs

You can find more details on the SSL configuration at the link below:

CSS SSL Configuration Guide

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/configuration/ssl/guide/sslgd.html

Hope this helps,

Sean

Re: CSS - 11506 - Adding New SSL Services on Single SSL Modules

Dulal Ray — Thu, 11 Feb 2010 19:32:04 GMT

Hi Sean,

Thanks for the reply.

Pl. can you confirm the statement which is given in CSS admin guide which states the CSS supports one active SSL service for each SSL module in the CSS (one SSL service per slot). You can configure more than one SSL service for a slot but only a single SSL service can be active at a time.

Pl. find the below URL for your reference.

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.50/configuration/ssl/guide/terminat.html#wp999928https://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/configuration/ssl/guide/sslcggde.pdf

Re: CSS - 11506 - Adding New SSL Services on Single SSL Modules

Sean Merrow — Thu, 11 Feb 2010 19:52:30 GMT

Hello,

Yes, I can see how that statement could lead to a bit of confusion.

Although the SSL module is inserted into the CSS, you can think of it as an external device. For example, a connection coming into the CSS on port 443 for SSL termination would first hit a content rule on the CSS. The CSS would then load balance that connection to the internal SSL module. In order to do this, you would have to configure a service under that content rule. This service would represent the have a type of ssl-accel, specify the slot that the SSL module is in, and specify the ssl-proxy-list that is applied to that SSL module. After the SSL module terminates the SSL connection, the connection is sent back to the CSS. The statement you are referring to means that you can only have one active service in your CSS configuration per SSL module.

This is completely different from having multiple applications or VIPs on your SSL module. The ssl-proxy-list that is applied to the SSL module is where you would configure your various applications. Each application can use the same or a different set of keys and certs. Below is an example of a ssl-proxy-list that contains two different applications/VIPs. Notice that each one is using a unique key and certificate. Also notice that this ssl-proxy-list, with two applications in it, is applied to a single SSL module via the service that represents this module.

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list SSL_PROXY
ssl-server 1
ssl-server 1 cipher rsa-with-rc4-128-md5 10.86.179.198 81
ssl-server 1 vip address 10.86.178.198
ssl-server 1 rsakey site-1-key
ssl-server 1 rsacert site-1-cert
ssl-server 2
ssl-server 2 cipher rsa-with-rc4-128-md5 10.86.179.199 81
ssl-server 2 vip address 10.86.178.199
ssl-server 2 rsakey site-2-key
ssl-server 2 rsacert site-2-cert
active

!************************** SERVICE **************************
service SSL_SLOT_3
type ssl-accel
add ssl-proxy-list SSL_PROXY
slot 3
keepalive type none
active

I hope this helps clear it up for you.

Thank you,

Sean

Re: CSS - 11506 - Adding New SSL Services on Single SSL Modules

Dulal Ray — Fri, 12 Feb 2010 05:57:18 GMT

Hi Sean,

Thanks a lot for your wonderful explanation.

However a small clarification on the configuration below:-

Instead of having it as you suggested, (i.e. Add the new virtual SSL Server in the same proxy-list),

Can we have a different proxy-list for the new Virtual Server and then add this list as-well in the exisisting Service? and with the other corresponding Config.

e.g:

ssl-proxy-list SSL_PROXY_NEW

ssl-server 2
ssl-server 2 cipher rsa-with-rc4-128-md5 10.86.179.199 81
ssl-server 2 vip address 10.86.178.199
ssl-server 2 rsakey site-2-key
ssl-server 2 rsacert site-2-cert
active

!************************** SERVICE **************************
service SSL_SLOT_3
type ssl-accel
add ssl-proxy-list SSL_PROXY

add ssl-proxy-list SSL_PROXY_NEW
slot 3
keepalive type none
active

Thanks a lot for your time... Awaiting your response.!!

Re: CSS - 11506 - Adding New SSL Services on Single SSL Modules

Sean Merrow — Fri, 12 Feb 2010 13:56:42 GMT

Hello,

I like the way you think ;- )

You probably want to do that so that you don't have to suspend all the applications on the ssl-proxy-list when making changes. However, the service will only allow you to add a single ssl-proxy-list to it. So if you only have a single SSL module, then you would only have a single ssl-proxy-list and it would be added to the service for the SSL module. If you try to add a second ssl-proxy-list to the service, you'll see this:

CSS11503(config)# service SSL_SLOT_3
CSS11503(config-service[SSL_SLOT_3])# add ssl-proxy-list SSL_PROXY
CSS11503(config-service[SSL_SLOT_3])# add ssl-proxy-list SSL_PROXY_NEW
%% Maximum number of Ssl Proxy Lists added to service
CSS11503(config-service[SSL_SLOT_3])#

In most cases, even if customers have more than one SSL module, they will still only have a single ssl-proxy-list containing all their applications using SSL, add it to both services (one for each SSL module) and add both of those services to the content.rule. This way, both SSL modules handle the same traffic and the CSS will load balance them. If one SSL module fails, the other will handle the load and there is no outage. The CSS will allow you to assign a unique ssl-proxy-list to each SSL module in the chassis, but then you lose the benefits of load balancing and redundancy.

Regards,

Sean

Re: CSS - 11506 - Adding New SSL Services on Single SSL Modules

Dulal Ray — Fri, 19 Feb 2010 06:39:06 GMT

Hi Sean,

Thanks for replying back just want few clarifcations in configuration part.

1. If new vlan is given for new application then how to point routes to the new vlan as default routes to exisitng vlan is already present.

2. I've prepare sample config template with details steps & let us know will it work & if changes is required kindly let us know.

1.# ftp-record ssl_record 192.168.19.21 johndoe "abc123"

/home/johndoe

2.# copy ssl sftp ssl_record import rsacert.pem PEM "passwd123"

Connecting

Completed successfully

3.# copy ssl sftp ssl_record import rsakey.pem PEM "passwd123"

Connecting

Completed successfully

4.Enter configuration mode.

# config

(config) #

4. To use RSA public key exchange and authentication:

a. Associate the imported RSA certificate with a file.

(config) # ssl associate cert myrsacert1 rsacert.pem

b. Associate the imported RSA key pair with a file.

(config) # ssl associate rsakey myrsakey1 rsakey.pem

5. Compare the public key in the associated certificate with the public key

stored with the associated private key and verify that they are identical.

(config) # ssl verify myrsacert1 myrsakey1

Certificate mycert1 matches key mykey1

ssl associate rsakey NEWKEY newkey.pem

ssl associate cert NEWCERT newcert.pem

!************************* INTERFACE *************************

interface 3/3

description "****WEB SIDE****"

bridge vlan _ID_X.X.X.X

bridge port-fast enable

interface 3/4

bridge vlan_ID_Y.Y.Y.Y

bridge port-fast enable

description "****PIX SIDE****"

!************************** CIRCUIT **************************

circuit VLAN_ID_X

ip address A.A.A.A B.B.B.0

ip virtual-router 2 priority 101 preempt

ip redundant-interface 3 C.C.C.C

ip critical-service 3 chk-con-pix_Y.Y.Y.Y

ip critical-service 3 chk-con-web_X.X.X.X

circuit VLAN_ID_Y

ip address D.D.D.D E.E.E.0

ip virtual-router 4 priority 101 preempt

ip redundant-vip 4 F.F.F.F

ip critical-service 4 chk-con-pix_Y.Y.Y.Y

ip critical-service 4 chk-con-web_X.X.X.X

!*********************** SSL PROXY LIST ***********************

ssl-proxy-list NEW

ssl-server 20

ssl-server 20 vip address F.F.F.F

ssl-server 20 cipher rsa-with-rc4-128-sha F.F.F.F 81

ssl-server 20 cipher rsa-with-rc4-128-md5 F.F.F.F 81

ssl-server 20 rsacert NEWCERT

ssl-server 20 rsakey NEWKEY

active

!************************** SERVICE **************************

service FRONT_SSL

type ssl-accel

slot 4

keepalive type none

add ssl-proxy-list NEW

active

service WEBSERVER-03

ip address G.G.G.G

redundant-index 3

protocol tcp

port 80

active

service WEBSERVER-04

ip address H.H.H.H

redundant-index 4

protocol tcp

port 80

active

service chk-con-pix_Y.Y.Y.Y

keepalive type script ap-kal-pinglist "N.N.N.N"

ip address J.J.J.J

keepalive frequency 2

keepalive maxfailure 2

keepalive retryperiod 2

active

service chk-con-web_X

ip address K.K.K.K

keepalive type script ap-kal-pinglist "P.P.P.P"

keepalive frequency 2

keepalive maxfailure 2

keepalive retryperiod 2

active

!*************************** OWNER ***************************

owner NEW

content BACKNEW_HTTP

vip address F.F.F.F

add service WEBSERVER-03

add service WEBSERVER-04

protocol tcp

port 81

url "/*"

redundant-index 5

no persistent

active

content FRONTENDNEW_SSL

vip address F.F.F.F

protocol tcp

port 443

application ssl

add service FRONT_SSL

active

content NEW

url "//www.ABC.com/*"

vip address F.F.F.F

protocol tcp

port 80

redundant-index 4

redirect "https://ABC.com"

active

your reply on this would be highly appericated.

Re: CSS - 11506 - Adding New SSL Services on Single SSL Modules

Sean Merrow — Fri, 19 Feb 2010 14:39:52 GMT

Hello,

1. If new vlan is given for new application then how to point routes to the new vlan as default routes to exisitng vlan is already present.

Ideally, you'll keep your configuration as simple as possible, and use only one default gateway. This is the most common configuration. However, if you need multiple default gateways (one for each client VLAN), then you can do this. By default, when a client connection comes in from one gateway, the CSS will send the server's response back to the same gateway. For server initiated connections, you might want to enable ECMP. See the CSS documentation for details on Configuring IP Equal-Cost Multipath

2. I've prepare sample config template with details steps & let us know will it work & if changes is required kindly let us know.

I would say that your config looks good. However, there are some lines in it that can be removed that I've put in bold. redundant-index is only used for connection replication, which cannot be used for SSL terminated connections. Since it cannot be used for SSL, then there is no gain in configuring for the non-SSL related connections . application ssl is only needed when you are doing sticky on SSL session ID. This would only be needed if you had more than one SSL module. Adding the url statement in the BACKNEW_HTTP rule unnecessarily makes this rule a layer-5 rule.

content BACKNEW_HTTP

vip address F.F.F.F

add service WEBSERVER-03

add service WEBSERVER-04

protocol tcp

port 81

url "/*"

redundant-index 5

no persistent

active

content FRONTENDNEW_SSL

vip address F.F.F.F

protocol tcp

port 443

application ssl

add service FRONT_SSL

active

content NEW

url "//www.ABC.com/*"

vip address F.F.F.F

protocol tcp

port 80

redundant-index 4

redirect "https://ABC.com"

active

You can also remove the redundant-index lines from the services configs.

While I have made some observations and offered some recommendations regarding your config, until it has been thoroughly tested in a staging environment, or in the production environment, I make no guarrantees that you won't need to make further modifications to reach the ultimately desired operation.

Regards,

Sean

Re: CSS - 11506 - Adding New SSL Services on Single SSL Modules

Dulal Ray — Thu, 04 Mar 2010 11:44:56 GMT

Hi Sean,

Thanks for the information & sharing the depth knowledge on this niche CSS products.

However i'm yet to configure the new application but yet to confirm two things as follow

1. Whether CSS will support two default routes as there are different VLAN for each application & already one default routes is configured for previous application & for new application can we configured kindly confirm.You had explain it earlier but still the things not so clarfied to me.

2. I have certifcate in .pfx format if i import the same in CSS whether CSS will convert it into Keys & Certifcates as the.pfx file contains boths.

Your reply is highy appriecated as the activity is already planned

Re: CSS - 11506 - Adding New SSL Services on Single SSL Modules

Sean Merrow — Thu, 04 Mar 2010 16:45:31 GMT

Hello,

You did not specify what you are still unclear on with regard to the multiple default routes. The CSS supports multiple default gateways, and by default, it will use the same gateway for the response to a client as was used for the incoming connection.

For the .pfx file, if it contains both the certificate and key, then you would first import the file, then associate both a cert and key to that same file as such:

ssl associate cert client-cert client.pfx
ssl associate rsakey client-key client.pfx

Hope this helps clear it up.

Sean

Re: CSS - 11506 - Adding New SSL Services on Single SSL Modules

Dulal Ray — Mon, 08 Mar 2010 14:50:28 GMT

Hi Sean,

Thanks for the support thru out the entire discussion.

I was able to complete the activity the only challegen i faced was the ceritfcate & key was a single file in .pfx format which exported from Windows server & due to this i was unable to assoicate the keys & certifcates in CSS after uploadig the files.

I used open SSL tool to create Key & Ceritficate in files separtely afterwhich we were able to assoicate the files but really like to appericate the support given thru out the issues.

Re: CSS - 11506 - Adding New SSL Services on Single SSL Modules

Sean Merrow — Mon, 08 Mar 2010 14:53:59 GMT

:- ) Glad I could help.

Sean

Re: CSS - 11506 - Adding New SSL Services on Single SSL Modules

Dulal Ray — Fri, 26 Mar 2010 12:21:44 GMT

Hi Sean,

We shifted the setup to production & faced issue from local lan of web & app communication below are detial explanation.

We are using two default routes as there two different applications in different Vlans old application is working fine after configuring new application with new default routes,

ip route 0.0.0.0 0.0.0.0 10.250.Y.Y - Old application
ip route 0.0.0.0 0.0.0.0 10.30.X.X - New Application

Following is the issues

Web1 - APP1 - Able to ping & Telnet to port 8080 or 80
Web 1 - App2 - Unable to ping & Telnet to port 8080 or 80
Web1 - NLB - Able to ping & Telnet to port 8080 or 80

Web2 - App1 -Unable to ping & Telnet to port 8080 or 80
Web2 - App2 - Able to ping & Telnet to port 8080 or 80
Web2 - NLB - Unable to ping & Telnet to port 8080 or 80

But we configured static route from app segment towards firewall the above ping/telnet started working fine ive attached n/w block diagram just want to understand where is the issues.