https://community.cisco.com/t5/application-networking/ace-topic-how-to-allow-ace-to-login-to-an-app-server-with/m-p/1485616#M30683 <HTML><HEAD></HEAD><BODY><P>Yes. Thanks for the quick reply. In my case the app is Tomcat/Apache and somehow IIS is involved initially. IIS does a redirect back to tomcat. All that to say a 443 porbe would pass due to IIS being up, and they are trying to detect apache/tomcat failure. I am trying to get them to script some internal checks and put their Up or DOWN status on a static IIS page.</P></BODY></HTML> Fri, 11 Jun 2010 19:17:27 GMT duane.smith 2010-06-11T19:17:27Z https://community.cisco.com/t5/application-networking/ace-topic-how-to-allow-ace-to-login-to-an-app-server-with/m-p/1485612#M30679 <P>Fellow specialist,</P><P></P><P>I have a new requirement from my customer and I like to find out if anyone has had a similiar request or possible solution.</P><P>As always thanks for your valuable inputs.</P><P></P><P>Requirement:</P><P>Customer would like to for the ACE to login to an App server with the required certificate and perform healthcheck. The Application does require the client to logon with certificate.</P><P></P><P>Our current Production network design Model:</P><P>Cisco 6500, 10/100/1000, VSS model, ACE module (25 context and 10k license SSL)</P><P>ACE SSL (no SSL termination on the ACE).</P><P>ACE SLB Mode: Bridged Mode</P><P>Sticky: IP SRC/DST sticky</P><P>prediction: leastconn</P><P>Basic Class map, policy map, service policy</P><P></P><P></P><P>Questions:</P><P>1) Can a certificat be loaded on the ACE without the use of SSL termination on the ACE card</P><P>2) Can you recommend probs with this type of request (client logon with cert requirement)</P><P>3) How many certificates can be loaded on the ACE if there are several requirements like this</P><P>4) If FT (Fault Tollerant)&nbsp; is in the current topology, will the same certificate be applied to each ACE module?</P><P>5)Sticky should not be an issue in this design, Right?</P><P></P><P>Please let me know if you need me to provide any more information.</P><P></P><P>Thanks,</P><P>Raman Azizian</P> Fri, 11 Jun 2010 12:21:20 GMT https://community.cisco.com/t5/application-networking/ace-topic-how-to-allow-ace-to-login-to-an-app-server-with/m-p/1485612#M30679 RAMAN AZIZIAN 2010-06-11T12:21:20Z https://community.cisco.com/t5/application-networking/ace-topic-how-to-allow-ace-to-login-to-an-app-server-with/m-p/1485613#M30680 <HTML><HEAD></HEAD><BODY><P>Hello Raman,</P><P></P><P>Let me see if I can help here:</P><P></P><P><STRONG><EM>Questions:</EM></STRONG></P><P><STRONG><EM>1) Can a certificat be loaded on the ACE without the&nbsp; use of SSL termination on the ACE card</EM></STRONG></P><P></P><P>Yes, but the certificate can not be used for client certificate authentication for a HTTPS probe.</P><P></P><P><STRONG><EM>2) Can you recommend probs&nbsp; with this type of request (client logon with cert requirement)</EM></STRONG></P><P></P><P>The ACE does not currently support client certificate authentication for HTTPS probes, and it doesn't appear to be on the roadmap.&nbsp; You may want to reach out to your Cisco partner or representative and see about getting a product enhancement request for this feature.</P><P></P><P><EM><STRONG>3)&nbsp; How many certificates can be loaded on the ACE if there are several&nbsp; requirements like this</STRONG></EM></P><P></P><P>You can have up to 3800 certs and 3800 keys installed on the ACE module or 4710 appliance.&nbsp; You can see this limit and others <A href="http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Module_Troubleshooting_Guide%2C_Release_A2%28x%29_--_ACE_Module_Resource_Limits">here</A>.</P><P></P><P><STRONG><EM>4) If FT (Fault Tollerant)&nbsp; is in the&nbsp; current topology, will the same certificate be applied to each ACE&nbsp; module?</EM></STRONG></P><P></P><P>SSL certificates and keys loaded on one ACE are not automatically applied to the FT peer ACE.&nbsp; They must be manually imported to both ACE in the FT environment.</P><P></P><P><STRONG><EM>5) Sticky should not be an issue in this design, Right?</EM></STRONG></P><P></P><P>Sticky is not an issue with SSL, unless you need to do some layer-7 sticky other than SSL Session ID sticky.&nbsp; This is because when using HTTPS, the HTTP headers are encrypted.&nbsp; When load balancing SSL, the only real sticky options are source-IP or SSL Session ID.</P><P></P><P>Hope this helps,</P><P>Sean</P></BODY></HTML> Fri, 11 Jun 2010 14:13:10 GMT https://community.cisco.com/t5/application-networking/ace-topic-how-to-allow-ace-to-login-to-an-app-server-with/m-p/1485613#M30680 Sean Merrow 2010-06-11T14:13:10Z https://community.cisco.com/t5/application-networking/ace-topic-how-to-allow-ace-to-login-to-an-app-server-with/m-p/1485614#M30681 <HTML><HEAD></HEAD><BODY><P>That brings up the question of how one would do health check probes on any application that uses SSL client auth.</P><P></P><P>Any ideas?</P></BODY></HTML> Fri, 11 Jun 2010 19:04:43 GMT https://community.cisco.com/t5/application-networking/ace-topic-how-to-allow-ace-to-login-to-an-app-server-with/m-p/1485614#M30681 duane.smith 2010-06-11T19:04:43Z https://community.cisco.com/t5/application-networking/ace-topic-how-to-allow-ace-to-login-to-an-app-server-with/m-p/1485615#M30682 <HTML><HEAD></HEAD><BODY><P>Hi Duane,</P><P></P><P>Well, if the server won't allow you to do the HTTPS probe without doing client certificate authentication, then you might have to drop down to just doing a TCP probe on port 443.&nbsp; Certainly not as thorough as a full blown HTTPS probe, but would get your load balancing working.</P><P></P><P>Sean</P></BODY></HTML> Fri, 11 Jun 2010 19:11:22 GMT https://community.cisco.com/t5/application-networking/ace-topic-how-to-allow-ace-to-login-to-an-app-server-with/m-p/1485615#M30682 Sean Merrow 2010-06-11T19:11:22Z https://community.cisco.com/t5/application-networking/ace-topic-how-to-allow-ace-to-login-to-an-app-server-with/m-p/1485616#M30683 <HTML><HEAD></HEAD><BODY><P>Yes. Thanks for the quick reply. In my case the app is Tomcat/Apache and somehow IIS is involved initially. IIS does a redirect back to tomcat. All that to say a 443 porbe would pass due to IIS being up, and they are trying to detect apache/tomcat failure. I am trying to get them to script some internal checks and put their Up or DOWN status on a static IIS page.</P></BODY></HTML> Fri, 11 Jun 2010 19:17:27 GMT https://community.cisco.com/t5/application-networking/ace-topic-how-to-allow-ace-to-login-to-an-app-server-with/m-p/1485616#M30683 duane.smith 2010-06-11T19:17:27Z https://community.cisco.com/t5/application-networking/ace-topic-how-to-allow-ace-to-login-to-an-app-server-with/m-p/1485617#M30684 <HTML><HEAD></HEAD><BODY><P>Nice.&nbsp; That might be a plan then.&nbsp; You could then use <STRONG><A href="http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/probe.html#wp1075645">expect regex</A></STRONG> to look for your UP or DOWN string in the body of the html using a HTTP probe.&nbsp; Just make sure the server includes a <STRONG>content-length</STRONG> header in the response, or it won't work.</P><P></P><P>Sean</P></BODY></HTML> Fri, 11 Jun 2010 19:28:53 GMT https://community.cisco.com/t5/application-networking/ace-topic-how-to-allow-ace-to-login-to-an-app-server-with/m-p/1485617#M30684 Sean Merrow 2010-06-11T19:28:53Z