ACE 4710: (1) SSL Certificate Import, (2) Issue with Load Balancing
12-04-2012 04:06 AM
Dear Techies,
I am performing a deployment in which I require clarity on the following. Our setup has a DC and a DR; at each site we have two devices in HA.
- We have received one SSL certificate from a public CA. Kindly clarify the following doubts I have on this:
  - In the doc I found that Cert.pem and key.pem are required to generate the pair. Do I receive both Cert.pem and key.pem from the CA, or can we generate key.pem from Cert.pem?
  - SSL offloading is planned for the X application, and it is running in both DC and DR (considering each has its own public IP address). Do I need to have two different public certificates, or can a single certificate be used in both DC and DR?
- Load balancing issue:
  - Is it possible to configure ACE to allow access to the service in business hours and, in non-business hours, to display an HTML page saying that it is available only during those hours?
  - In DC we have three web servers (the service is active on only one physical server; the other two are backups). These three servers are in a cluster and share one cluster IP. In ACE we have created the VIP and pointed it only to the cluster IP (like pass-through only). The issue we face is that if the active web server goes down, ACE still sends the traffic to that web server instead of sending it to the new active web server. Let us know if there is any solution to overcome this issue.
  - As per my understanding, instead of giving the cluster IP as the real server IP we can use the three physical servers. I don't require load balancing between the three servers; instead I require failover, like if the first server is down then it should forward to the second server. Kindly throw some light on how we can achieve it.
Thanks and Regards... Arun
Labels: Application Networking
12-04-2012 06:52 PM
Hi Arun,
1) You will generate the key and the CSR and give this CSR to a public CA, which in turn will provide you with a cert or a chain of certificates (root, intermediate, etc.). And yes, you need both the private key and the public key (cert) for setting up the SSL proxy.
2) You can use the same certificate as long as the CN remains the same. You can in fact use it for multiple domain names by using wildcards, or you may also be interested in SAN certs.
3) Not that I am aware of.
4) You can make one server the primary server and the others its backup in a serverfarm, and your requirement would be met.
Let me know if you have any questions.
Regards,
Kanwal
12-05-2012 04:59 AM
Dear Kanwal,
Thanks for throwing light on this. Today I got the SSL certificate from the CA; I got the certificate with a .cer extension.
I still have a few queries.
- Can I import a certificate with the .cer extension into ACE? If not, what is the other option?
- By default, what can we expect from the CA (is it .pem or .cer?) when we request an SSL certificate?
Thanks.. Arun
12-05-2012 08:46 AM
Hi Arun,
In the latest versions you should be able to import a cert with the .cer extension. You can always convert certificates received from your CA into any format you want, or into the format supported by the device you have.
https://www.sslshopper.com/ssl-converter.html
If the .cer doesn't work, you can convert it into .pem format and use crypto import terminal to import it. In any case you will need to convert your cert to PEM if you use the terminal to import it. I would suggest going through the SSL guide of ACE for more details. Pasting the link here for your reference. Of course, please feel free to ask if you have any doubts.
Latest version:
Regards,
Kanwal
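The two answers above cover the three certificate questions in this thread: the key and CSR are generated on your side (a private key cannot be recovered from Cert.pem, which carries only the public key), one certificate can cover both DC and DR hostnames through subjectAltName, and a .cer from the CA may be DER that has to become PEM before crypto import terminal. The script below is an added example written for this page, not code from the thread, from Cisco or from the ACE documentation. It generates the key and a SAN CSR with openssl, stands in for the public CA by self-signing (the real CA does that step and returns the certificate plus chain), writes the result out as DER the way some CAs ship .cer files, detects and converts it back to PEM, and checks that certificate and key actually belong together before anything is imported. The hostnames and file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or Cisco): key + SAN CSR for the public
# CA, PEM/DER (.cer) conversion, and a key/certificate match check before
# importing into the ACE. Hostnames and paths below are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Generate the private key and a CSR. The key is created here and never sent
# to the CA; it cannot be derived from the certificate later. Extra hostnames
# become subjectAltName entries so one certificate serves DC and DR.
gen_key_and_csr() {
    base="$1"; cn="$2"; shift 2
    san="DNS:$cn"
    for h in "$@"; do san="$san,DNS:$h"; done
    cat > "$base.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $cn
[ext]
subjectAltName = $san
EOF
    openssl genrsa -out "$base.key.pem" 2048 2>/dev/null
    openssl req -new -key "$base.key.pem" -config "$base.cnf" -out "$base.csr.pem"
}

# Stand-in for the public CA: self-sign the CSR, keeping its SAN extension.
# In production the CA performs this step and returns the certificate (and chain).
issue_cert_selfsigned() {
    base="$1"
    openssl x509 -req -in "$base.csr.pem" -signkey "$base.key.pem" -days 365 \
        -extfile "$base.cnf" -extensions ext -out "$base.cert.pem" 2>/dev/null
}

# Detect whether a certificate file is PEM or DER and write it out as PEM
# (the form 'crypto import terminal' on the ACE expects). Prints the input format.
to_pem() {
    if openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then
        openssl x509 -in "$1" -inform PEM -out "$2"
        echo PEM
    else
        openssl x509 -in "$1" -inform DER -out "$2"
        echo DER
    fi
}

# Return 0 only if the certificate's public key was derived from this private key
# (same RSA modulus); importing a mismatched pair fails at TLS handshake time.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -modulus | openssl sha256)
    [ "$k" = "$c" ]
}

# Print the SAN line so you can confirm both sites' hostnames are covered.
cert_sans() {
    openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}'
}

# Demo run with assumed hostnames for the DC and DR VIPs.
gen_key_and_csr "$WORK/site" www.example.com www-dr.example.com
issue_cert_selfsigned "$WORK/site"
# Simulate a CA that returns the certificate as binary DER named .cer
openssl x509 -in "$WORK/site.cert.pem" -outform DER -out "$WORK/site.cer"
fmt=$(to_pem "$WORK/site.cer" "$WORK/site.import.pem")
echo "received .cer was $fmt; PEM copy at $WORK/site.import.pem"
if key_matches_cert "$WORK/site.key.pem" "$WORK/site.import.pem"; then
    echo "certificate matches key; safe to import both"
else
    echo "MISMATCH: do not import" >&2; exit 1
fi
cert_sans "$WORK/site.import.pem"
```

Paste the PEM files that to_pem and gen_key_and_csr produce into crypto import terminal; the CA's intermediate and root certificates go into the chaingroup rather than into the ssl-proxy service itself. If key_matches_cert fails on a real certificate, the CSR was signed with a different key than the one you are about to import, which is the usual cause of an SSL proxy that loads cleanly but never completes a handshake.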
12-07-2012 10:46 AM
Dear Kanwal,
Thanks for your continuous support, and I am glad that you share your expertise on this. I have successfully uploaded the key and certificate file into ACE; since my certificate is not signed by a valid CA, I have configured the chain certificate for SSL termination.
As mentioned earlier, I have DC, Near DC (both share the two ACEs in HA) and DR (two ACEs in HA). The following are my requirements:
I have three real servers in each site; consider the last octet .5, .6 and .7.
I am running two sets of applications. In the first set of applications, where I am going to offload the SSL, the real servers are on port 80, but I am going to do the SSL offloading in the ACE box, and for the same requirement I have uploaded the SSL certificate from the CA.
I am running one more application, say ABC, wherein these three servers .5, .6 and .7 are running under clustering; consider the cluster IP is .8. In my setup ABC will be hosted on only one physical server out of the three due to a license restriction. When I give the cluster IP as the real server IP address in my load balancer, I face the issue that if the server hosting ABC goes down and via the cluster we bring application ABC up on another server, even then the traffic points only to the earlier active server, so the application does not come up. It is up again when the original server hosting application ABC is up.
To overcome the above issue I thought of implementing backup servers: consider .5 is primarily hosting the application, whereas .6 and .7 should be configured as backup servers to .5, so that if .5 fails, .6 will become active for hosting the ABC application. But that didn't work out because I can't configure two backup servers for a single real server.
One more requirement is that if DC (all servers .5, .6, .7) goes down, then Near DC (NDC) should serve the purpose for the two applications. I tried to configure the NDC servers as a backup server farm to the DC server farm which I have created, but the command shown in the configuration file is not accepted.
I have attached the template I have prepared, which is almost self-explanatory. As per my requirement NDC should be the backup for all the services in DC; in addition, for application ABC the load balancer should point to only one server under the cluster, and if that server is down it has to move to the other server under the same server farm. If all three servers in the DC are down then NDC should be active.
Kindly check if the configuration is OK; some of the commands are not accepted, but I have anyhow included them in the config template.
rserver host ABC_SERVER_DC_1
  ip address 10.10.100.5
  inservice
rserver host ABC_SERVER_DC_2
  ip address 10.10.100.6
  inservice
rserver host ABC_SERVER_DC_3
  ip address 10.10.100.7
  inservice
rserver host ABC_SERVER_NDC_1
  ip address 10.10.101.15
  inservice
rserver host ABC_SERVER_NDC_2
  ip address 10.10.101.16
  inservice
rserver host ABC_SERVER_NDC_3
  ip address 10.10.101.17
  inservice
!
serverfarm host ABC_FARM_DC
  rserver ABC_SERVER_DC_1 8083
    backup-rserver ABC_SERVER_DC_2 8083
    backup-rserver ABC_SERVER_DC_3 8083
    inservice
serverfarm host ABC_FARM_NDC
  rserver ABC_SERVER_NDC_1 8083
    backup-rserver ABC_SERVER_NDC_2 8083
    backup-rserver ABC_SERVER_NDC_3 8083
    inservice
!
serverfarm host HTTP_FARM_DC
  probe WEB
  rserver ABC_SERVER_DC_1 80
    probe WEB
    inservice
  rserver ABC_SERVER_DC_2 80
    probe WEB
    inservice
  rserver ABC_SERVER_DC_3 80
    probe WEB
    inservice
serverfarm host HTTP_FARM_NDC
  probe WEB
  rserver ABC_SERVER_NDC_1 80
    probe WEB
    inservice
  rserver ABC_SERVER_NDC_2 80
    probe WEB
    inservice
  rserver ABC_SERVER_NDC_3 80
    probe WEB
    inservice
!
crypto chaingroup ChainCertificate_1
  cert ACA.cer
  cert AACA.cer
ssl-proxy service SSL_proxy-ABC
  key bbb.PEM
  cert aaa.cer
  chaingroup ChainCertificate_1
!
policy-map type loadbalance first-match L7SLBPOLICY_HTTP
  class class-default
    serverfarm HTTP_FARM_DC backup HTTP_FARM_NDC
policy-map type loadbalance first-match L7SLBPOLICY_ABC
  class class-default
    serverfarm ABC_FARM_DC backup ABC_FARM_NDC
!
class-map match-all HTTP_VIP
  2 match virtual-address 10.10.100.14 tcp eq 443
class-map match-all ABC_VIP
  2 match virtual-address 10.10.100.14 tcp eq 8083
!
policy-map multi-match VIPs
  class HTTP_VIP
    loadbalance vip inservice
    loadbalance policy L7SLBPOLICY_HTTP
    loadbalance vip icmp-reply active
    ssl-proxy server SSL_proxy-ABC
    nat dynamic 1 vlan 100
  class ABC_VIP
    loadbalance vip inservice
    loadbalance policy L7SLBPOLICY_ABC
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 100
!
interface vlan 100
  ip address 10.10.100.11 255.255.255.192
  alias 10.10.100.13 255.255.255.192
  peer ip address 10.10.100.12 255.255.255.192
  no normalization
  no icmp-guard
  access-group input VLAN100
  nat-pool 1 10.10.100.14 10.10.100.14 netmask 255.255.255.255 pat
  service-policy input VIPs
  no shutdown
!
Thanks for Reading ... Arun
