12-04-2012 04:06 AM
Dear Techies,
I am performing a deployment in which I require clarity on the following. Our setup has a DC and a DR; at each site we have two devices for HA.
Thanks and Regards... Arun
12-04-2012 06:52 PM
Hi Arun,
1) You will generate the key and CSR request and give this CSR to a public CA, which in turn will provide you with a cert or chain of certificates (root, intermediate, etc.). And yes, you need both the private key and the public key (cert) for setting up the SSL proxy.
2) You can use the same certificate as long as the CN remains the same. You can in fact use it for multiple domain names by using wildcards, or you may also be interested in SAN certs.
3) Not that I am aware of.
4) You can make one server the primary server and the others its backups in a serverfarm, and your requirement would be met.
Let me know if you have any questions.
Regards,
Kanwal
12-05-2012 04:59 AM
Dear Kanwal,
Thanks for throwing light on this. Today I got the SSL certificate from the CA; I got the certificate with a .cer extension.
I still have a few queries.
Thanks.. Arun
12-05-2012 08:46 AM
Hi Arun,
In the latest versions you should be able to import a cert with the .cer extension. You can always convert certificates received from your CA into any format you want, or into the format supported by the device you have.
https://www.sslshopper.com/ssl-converter.html
If the .cer doesn't work you can convert it into .pem format and use crypto import terminal to import it. In any case you will need to convert your cert to PEM if you use the terminal to import it. I would suggest going through the SSL guide of ACE for more details. Pasting the link here for your reference. Of course, please feel free to ask if you have any doubts.
Latest version:
Regards,
Kanwal
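The flow described in the two replies above (key and CSR to the CA, cert back as .cer, conversion to PEM for terminal import, key plus cert for the ssl-proxy, CA certs for the chaingroup), as an added example that is not from this thread or from Cisco. It assumes the openssl CLI; the CA is a constructed self-signed test CA standing in for the public CA, and the hostname is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: prepare a CA-issued cert for ACE terminal import.
# Assumes the openssl CLI; the CA here is a constructed self-signed test CA standing in
# for the public CA so that the whole flow runs offline. The hostname is constructed.
set -eu
WORK="$(mktemp -d)"

# 1) Key and CSR that go to the CA (the CN must match the name clients use for the VIP).
gen_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/vip.key" \
    -out "$WORK/vip.csr" -subj "/CN=www.example.test" 2>/dev/null
}

# 2) Constructed stand-in for the public CA: signs the CSR and returns the cert as DER (.cer).
issue_cert_der() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.pem" -days 30 -subj "/CN=Constructed Test CA" 2>/dev/null
  openssl x509 -req -in "$WORK/vip.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/vip.pem" 2>/dev/null
  openssl x509 -in "$WORK/vip.pem" -outform DER -out "$WORK/vip.cer"
}

# 3) Whatever the CA handed over (DER or PEM .cer), produce PEM, which is the form that
#    'crypto import terminal' accepts when the cert is pasted in. Prints the first line.
to_pem() {  # $1 = input cert, $2 = output PEM path
  if openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then
    cp "$1" "$2"
  else
    openssl x509 -in "$1" -inform DER -out "$2"
  fi
  head -n 1 "$2"
}

# 4) Checks before uploading: the private key really belongs to the cert (the ssl-proxy
#    service needs both), and the cert chains to the CA certs that go into the chaingroup.
key_matches_cert() {  # $1 = private key, $2 = PEM cert
  k="$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)"
  c="$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)"
  [ "$k" = "$c" ]
}
chain_verifies() {  # $1 = CA/intermediate bundle (PEM), $2 = leaf cert (PEM)
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

gen_key_and_csr
issue_cert_der
to_pem "$WORK/vip.cer" "$WORK/vip_import.pem"
key_matches_cert "$WORK/vip.key" "$WORK/vip_import.pem" && echo "key matches cert"
chain_verifies "$WORK/ca.pem" "$WORK/vip_import.pem" && echo "chain verifies"
```

The PEM file written by to_pem is what gets pasted into the terminal import, and the key-match check catches the common mistake of uploading a key from a different CSR than the one the CA signed.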
12-07-2012 10:46 AM
Dear Kanwal,
Thanks for your continuous support; I am glad that you share your expertise on this. I have successfully uploaded the key and certificate file into ACE. Since my certificate is not signed by a valid CA, I have configured the chain certificate for SSL termination.
As mentioned earlier, I have DC, Near DC (both share the two ACE in HA) and DR (two ACE in HA). The following are my requirements:
I have three real servers at each site; consider the last octets .5, .6 and .7.
I am running two sets of applications. In the first set of applications, where I am going to offload the SSL, the real servers are on port 80, but I am going to do the SSL offloading in the ACE box, and for that requirement I have uploaded the SSL certificate from the CA.
I am running one more application, say ABC, wherein these three servers .5, .6 & .7 are running under clustering; consider the cluster IP to be .8. In my setup, ABC will be hosted on only one physical server out of the three due to license restrictions. When I give the cluster IP as the real server IP address in my load balancer, I am facing an issue: if the server hosting ABC goes down and via the cluster we bring up application ABC on another server, even then the traffic is pointing to the earlier active server only, so the application is not coming up. It is up again when the original server hosting application ABC is up.
To overcome the above issue I thought of implementing a backup server: consider .5 primarily hosting the application, whereas .6 and .7 should be configured as backup servers to .5, so that if .5 fails, .6 will become active for hosting application ABC. But that didn't work out, because I can't configure two backup servers for a single real server.
One more requirement is that if the DC (all servers .5, .6, .7) goes down, then the Near DC (NDC) should serve the purpose for the two applications. I tried to configure the NDC servers as a backup serverfarm to the DC serverfarm which I have created, but the command shown in the configuration file is not accepted.
I have attached the template which I have prepared, which is almost self-explanatory. As per my requirement, NDC should be the backup for all the services in DC; in addition, for application ABC the load balancer should point to only one server under the cluster, and if that server is down it has to move to the other server under the same serverfarm. If all three servers in the DC are down then NDC should be active.
Kindly check if the configuration is ok; some of the commands are not accepted but are included in the config template anyway:
rserver host ABC_SERVER_DC_1
  ip address 10.10.100.5
  inservice
rserver host ABC_SERVER_DC_2
  ip address 10.10.100.6
  inservice
rserver host ABC_SERVER_DC_3
  ip address 10.10.100.7
  inservice
rserver host ABC_SERVER_NDC_1
  ip address 10.10.101.15
  inservice
rserver host ABC_SERVER_NDC_2
  ip address 10.10.101.16
  inservice
rserver host ABC_SERVER_NDC_3
  ip address 10.10.101.17
  inservice
xxxxxxxx----------xxxxxxxxxx--------xxxxxxxxxxxx
serverfarm host ABC_FARM_DC
  rserver ABC_SERVER_DC_1 8083
    backup-rserver ABC_SERVER_DC_2 8083
    backup-rserver ABC_SERVER_DC_3 8083
    inservice
serverfarm host ABC_FARM_NDC
  rserver ABC_SERVER_NDC_1 8083
    backup-rserver ABC_SERVER_NDC_2 8083
    backup-rserver ABC_SERVER_NDC_3 8083
    inservice
xxxxxxxx----------xxxxxxxxxx---------xxxxxxxxxxxxx
serverfarm host HTTP_FARM_DC
  probe WEB
  rserver ABC_SERVER_DC_1 80
    probe WEB
    inservice
  rserver ABC_SERVER_DC_2 80
    probe WEB
    inservice
  rserver ABC_SERVER_DC_3 80
    probe WEB
    inservice
serverfarm host HTTP_FARM_NDC
  probe WEB
  rserver ABC_SERVER_NDC_1 80
    probe WEB
    inservice
  rserver ABC_SERVER_NDC_2 80
    probe WEB
    inservice
  rserver ABC_SERVER_NDC_3 80
    probe WEB
    inservice
xxxxxxxx---------xxxxxxxxx------------xxxxxxxxxxxxxx
crypto chaingroup ChainCertificate_1
  cert ACA.cer
  cert AACA.cer
ssl-proxy service SSL_proxy-ABC
  cert aaa.cer
  key bbb.PEM
  chaingroup ChainCertificate_1
xxxxxxx----------xxxxxxxxx------------xxxxxxxxxxxxxxx
policy-map type loadbalance first-match L7SLBPOLICY_HTTP
  class HTTP_VIP
    serverfarm HTTP_FARM_DC backup HTTP_FARM_NDC
policy-map type loadbalance first-match L7SLBPOLICY_ABC
  class ABC_VIP
    serverfarm ABC_FARM_DC backup ABC_FARM_NDC
xxxxxxxx----------xxxxxxxxx-----------xxxxxxxxxxxxxxxxx
class-map match-all HTTP_VIP
  2 match virtual-address 10.10.100.14 443 any
class-map match-all ABC_VIP
  2 match virtual-address 10.10.100.14 8083 any
xxxxxxxx----------xxxxxxxxx-----------xxxxxxxxxxxxxxxxxx
policy-map multi-match VIPs
  class HTTP_VIP
    loadbalance vip inservice
    loadbalance policy L7SLBPOLICY_HTTP
    ssl-proxy service SSL_proxy-ABC
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 100
  class ABC_VIP
    loadbalance vip inservice
    loadbalance policy L7SLBPOLICY_ABC
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 100
xxxxxxxx--------------xxxxxxxxxxx----------xxxxxxxxxxxxxxx
interface vlan 100
  ip address 10.10.100.11 255.255.255.192
  alias 10.10.100.13 255.255.255.192
  peer ip address 10.10.100.12 255.255.255.192
  no normalization
  no icmp-guard
  access-group input VLAN100
  nat-pool 1 10.10.100.14 10.10.100.14 netmask 255.255.255.255 pat
  service-policy input VIPs
  no shutdown
xxxxxxx----------xxxxxxxxxx-----------xxxxxxxxxxxxxxxxx
Thanks for Reading ... Arun