Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5582
Views
0
Helpful
4
Replies

ACE 4710 (1) SSL Certificate Import ( 2 ) Issue with Load Balancing

ARUNPRABHU A
Level 1
Level 1

‎12-04-2012 04:06 AM

Dear Techies,

I am performing a deployment, in which i require clarity on the following. Our setup has DC and DR , in each site we have two devices for HA.

  1. We have received One SSL Certificate from Public CA, Kindly clarify the following doubts i have on this
    • In Doc, i found Cert.pem and key.pem is required to generate the pair ,do i receive both Cert.pem and key.pem from the CA or we can generate key.pem from Cert.pem ?
    • SSL Offloading is planned for the X application, and it is running in both DC and DR ( Considering each having their own Public IP address ) , do i need to have two different public certificates or a single certificate can i use in both DC and DR.
  2. Load Balancing Issue
    • Is it possible to configure in ACE to access the service in Business hours and in non Business hours to display HTML page showing this is available only during these hours ?
    • In DC we have Three Web Servers ( only in One physical server the service is active, other two are backup ), and these three servers are under cluster and shares one cluster IP , In ACE we have created the VIP and Pointed to only Cluster IP ( like pass through only ). The issue we face is if active web server is down, even then ACE is sending the traffic to that webserver only instead of sending it to the new Active web server. let us know if any solution is there to overcome this issue ?
    • as per my understanding instead of giving cluster IP as real server IP we can issue the three physical servers. now i dont require load balancing between three servers instead require failover king like if first server is down then it should forward to Second server ? Kindly throw some light on it how we can achieve it

Thanks and Regards... Arun

Labels:
0 Helpful
4 Replies 4

Kanwaljeet Singh
Cisco Employee
Cisco Employee

‎12-04-2012 06:52 PM

Hi Arun,

1) You will generate the key and CSR request and give this CSR to a public CA which in turn will provide you with a Cert or chain of certificates, root, intermediate etc. And yes you need both private key and public key(cert) for setting up SSL proxy.

2) You can use the same certificate as long as the CN remains the same. You can infact use it for multiple domain names by using wildcards or you may also be interested in SAN certs.

3) Not that i am aware of.

4)You can make one server as the primary server and others as its back up in a serverfarm and your requirment would be met.

Let me know if you have any questions.

Regards,

Kanwal

0 Helpful

ARUNPRABHU A
Level 1
Level 1
In response to Kanwaljeet Singh

‎12-05-2012 04:59 AM

Dear Kanwal,

    Thanks for throwing light, Today i got the  SSL certificate from the CA , i got the certificate in .cer extension. 

 

     I have still few queris.

  • Can i import certificate with .cer extension in ACE ? if not what is the other option ?
  • By default what we can expect from the CA ( like is it .pem or .cer ) , when we request for SSL Certificate ?

Thanks.. Arun

0 Helpful

Kanwaljeet Singh
Cisco Employee
Cisco Employee
In response to ARUNPRABHU A

‎12-05-2012 08:46 AM

Hi Arun,

In latest versions you should be able to import .cer extension cert. You can always convert certificates received from your CA in any format you want or in format supported by the device you have.

https://www.sslshopper.com/ssl-converter.html

If the .cer doesn't work you can convert it into .Pem format and use crypto import terminal to import it. In any case you will need to convert your cert to PEM if you use terminal to import it. I would suggest going through SSL guide of ACE for more details. Pasting the link here for your reference. Of course please free to ask if you have any doubts.

Latest version:

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/ssl/guide/terminat.html#wp1220223

Regards,

Kanwal

0 Helpful

ARUNPRABHU A
Level 1
Level 1
In response to Kanwaljeet Singh

‎12-07-2012 10:46 AM

Dear Kanwal,

          Thanks for your continous support and glad that you share your expertise on this. I have uploaded successfully the Key and Certificate file into ACE, since my certificate is not signed by valid CA, so have configured the chain certificate for termination SSL

          As mentioned earlier  i have DC , Near DC ( Both Share the two ACE in HA ) and DR ( two ACE in HA )  The following are my requirement

         I have three real servers in each site,  consider last octect .5, .6 and .7 

         I am running two set of application, in the first set of applications where in am going to offload the SSL, the real servers are in Port 80, but am going to do the SSL offloading in the ACE box and for the same requirement have uploaded the SSL certificate from CA

         I am running one more application say ABC, wherein these three servers .5,.6 & .7 are running under Clustering , and consider the cluster IP is .8 , In my setup the ABC will be hosted in only one physical server out of three due to license restrication. When i give the cluster IP as Real Server IP address in my Load Balancer, am facing the issue like if the server hosting ABC goes down and via Cluster we are making the application ABC in other server eventhen the traffic is pointing to the earlier active only, so the application is not coming up. It is up again when the original server is up having the application ABC.

      To overcome the above issue i thought of implementing Backup server like consider .5 is primarily hosting the application where as .6 and .7 should be configured as backup servers to .5 , so that if .5 fails the .6  will be come active for hosting ABC application.  But that didnt worked out because i cant configure two backup server for a single real server. 

     One more requirement is if DC ( all server .5,.6,.7 goes down ) then Near DC (NDC) should serve the purpose of the two application, i tried to configure NDC servers as Backup server farm to DC server farm which have created. But the command shown in the configuration file is not accepted.

     I have attached the template which i have prepared, which is almost self explanatory. As per my requirement NDC should be the Backup for all the Services in DC, in additon for application ABC the load balancer should point to only one server under the cluster if the server is down then it has to move to the other server under the same server farm. If all the three servers in the DC is down then NDC should be active.

  Kindly check if the configuration is ok,.. some of the commands are not accepted anyhow included in the config template

rserver host ABC_SERVER_DC_1
  ip address 10.10.100.5
  inservice
rserver host ABC_SERVER_DC_2
  ip address 10.10.100.6
  inservice
rserver host ABC_SERVER_DC_3
  ip address 10.10.100.7
  inservice
rserver host ABC_SERVER_NDC_1
  ip address 10.10.101.15
  inservice
rserver host ABC_SERVER_NDC_2
  ip address 10.10.101.16
  inservice
rserver host ABC_SERVER_NDC_3
  ip address 10.10.101.17 
  inservice

xxxxxxxx----------xxxxxxxxxx--------xxxxxxxxxxxx

serverfarm host ABC_FARM_DC
rserver ABC_SERVER_1 8083
  backup-rserver ABC_SERVER_2 8083
  backup-rserver ABC_SERVER_3 8083
  inservice


serverfarm host ABC_FARM_NDC
rserver ABC_SERVER_NDC_1 8083
  backup-rserver ABC_SERVER_NDC_2 8083
  backup-rserver ABC_SERVER_NDC_3 8083
  inservice

xxxxxxxx----------xxxxxxxxxx---------xxxxxxxxxxxxx

serverfarm host HTTP_FARM_DC
  DCobe WEB
  rserver ABC_SERVER_DC_1 80
    DCobe WEB
    inservice
  rserver ABC_SERVER_DC_2 80
    DCobe WEB
    inservice
  rserver ABC_SERVER_DC_3 80
    DCobe WEB
    inservice

serverfarm host HTTP_FARM_NDC
  DCobe WEB
  rserver ABC_SERVER_1_NDC 80
    DCobe WEB
    inservice
  rserver ABC_SERVER_2_NDC 80
    DCobe WEB
    inservice
  rserver ABC_SERVER_3_NDC 80
    DCobe WEB
    inservice
xxxxxxxx---------xxxxxxxxx------------xxxxxxxxxxxxxx

crypto chaingroup ChainCertificate_1
cert ACA.cer
cert AACA.cer

ssl-DCoxy service SSL_DCoxy-ABC
cert aaa.cer
key  bbb.PEM
chaingroup ChainCertificate_1

xxxxxxx----------xxxxxxxxx------------xxxxxxxxxxxxxxx

policy-map type loadbalance first-match L7SLBPOLICY_HTTP
class HTTP_VIP
  serverfarm HTTP_FARM_DC backup HTTP_FARM_NDC

policy-map type loadbalance first-match L7SLBPOLICY_ABC
class ABC_VIP
  serverfarm ABC_FARM_DC backup ABC_FARM_NDC

xxxxxxxx----------xxxxxxxxx-----------xxxxxxxxxxxxxxxxx

class-map match-all HTTP_VIP
  2 match virtual-address 10.10.100.14 443 any

class-map match-all ABC_VIP
  2 match virtual-address 10.10.100.14 8083 any

xxxxxxxx----------xxxxxxxxx-----------xxxxxxxxxxxxxxxxxx

policy-map multi-match VIPs
  class HTTP_VIP
    loadbalance vip inservice
    ssl-DCoxy service SSL_DCoxy-ABC
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 100
  class ABC_VIP
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 100
xxxxxxxx--------------xxxxxxxxxxx----------xxxxxxxxxxxxxxx

interface vlan 100
  ip address 10.10.100.11 255.255.255.192
  alias 10.10.100.13 255.255.255.192
  peer ip address 10.10.100.12 255.255.255.192
  no normalization
  no icmp-guard
  access-group input VLAN100
  nat-pool 1 10.10.100.14 10.10.100.14 netmask 255.255.255.255 pat
  service-policy input VIPs
  no shutdown
xxxxxxx----------xxxxxxxxxx-----------xxxxxxxxxxxxxxxxx

Thanks for Reading ... Arun

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card