topic Re: CSS Secure LDAP loadbalancing in Application Networking

CSS Secure LDAP loadbalancing

amyskitchen — Thu, 17 Jun 2010 22:08:51 GMT

I have succesfully configure the CSS to load balance ldap request to 3 Windows AD servers. However, when adding SSL to the front end only it fails.

I'm assuming it has to do with the certificate requiring extended key usages. Has anyone done this before?

How can I create a certificate requests on the CSS requiring those ext?

Any ideas or help would be gretely appreciated.

-Eric

Re: CSS Secure LDAP loadbalancing

Robbie Woodley — Fri, 18 Jun 2010 19:16:42 GMT

I just found myself in the same boat. I got data going the the CSS fine but when I try to setup SSL on the front end (no backend SSL) I get nothing. I'm sure it's just something minor I'm missing but having never been inside one of these CSS11500's until this project I am not sure what to focus my attention on as a likely suspect. Appreciate any help that can be offered.

- Robbie

Re: CSS Secure LDAP loadbalancing

amyskitchen — Wed, 23 Jun 2010 00:21:02 GMT

Finally got it working. The config on the CSS is pretty straight forward. The problem was with certificates. I was generating my own certificates using openssl and therefore were not trusted on the client pc I was testing with. All I did to get it working is adding the root certicate that I used to sign the ldap server certificate on the client machine.

It just worked.

Useful links that might be related to what you I was trying to accomplish:

http://www.cs.bham.ac.uk/~smp/projects/peap/

Good luck!

Re: CSS Secure LDAP loadbalancing

Robbie Woodley — Mon, 28 Jun 2010 16:36:29 GMT

Would you mind sharing your config with me? Of course the confidential stuff removed. You can contact me off-board.

Thx

Re: CSS Secure LDAP loadbalancing

amyskitchen — Tue, 06 Jul 2010 19:25:03 GMT

Hi Robbie,

Sorry for the delayed response. Here is the relevant config info. No backend SSL service yet, backend is still unencrypted, but at this point everything is on our data center not crossing any WAN or networks. One thing to note is that my CSS is one armed, doing NAT as well so the load-balancing is considered full-proxy.

Hope it helps.

ssl-proxy-list ssl_list1
ssl-server 2
ssl-server 2 dhparam mydhparam1
ssl-server 2 vip address 10.1.6.12
ssl-server 2 cipher dhe-rsa-with-3des-ede-cbc-sha 10.1.6.12 389
ssl-server 2 cipher dhe-rsa-with-des-cbc-sha 10.1.6.12 389
ssl-server 2 cipher rsa-with-3des-ede-cbc-sha 10.1.6.12 389
ssl-server 2 cipher rsa-with-des-cbc-sha 10.1.6.12 389
ssl-server 2 cipher rsa-with-rc4-128-sha 10.1.6.12 389
ssl-server 2 cipher rsa-with-rc4-128-md5 10.1.6.12 389
ssl-server 2 port 636
ssl-server 2 rsakey myrsakey1
ssl-server 2 rsacert ldapxCert
active

service LDAP1
ip address 10.1.1.4
keepalive port 389
protocol tcp
keepalive type tcp
port 389
active

service LDAP2
ip address 10.10.6.5
protocol tcp
keepalive type tcp
port 389
keepalive port 389
active

service ssl_module1
type ssl-accel
add ssl-proxy-list ssl_list1
slot 2
keepalive type none
active

content LDAPSSLTest
    vip address 10.1.6.12
    add service ssl_module1
    protocol tcp
    port 636
    active

group LDAPGroup
vip address 10.1.6.12
add destination service LDAP1
add destination service LDAP2
active

Eric