11-04-2009 02:54 PM
Hi,
I'm testing two ACE 4710 appliances that should work in active/standby mode and do ssl offload in bridged mode.
At the moment I have configured one of the devices to do basic load balancing (without ssl offload).
Now I would like to move further and configure ssl offload and configure High availability.
I read that the certificate for ssl can be localy generated on the ACE device but I couldn't find any information regarding the cert that should be used on the second ACE.
Should I generate a new cert od the standby unit or somehow use the one on the first ACE?
Is it better to first set up high availability and then configure ssl offload or vice versa?
Does anyone have a config example of ssl offload and active/standby configuration?
Thank you in advance.
11-04-2009 04:03 PM
You simply need to generate keys & CSR on the primary ACE. Export the keys from the primary ACE, import these keys to the standby ACE, and once you receive the certs from the CA simply import the cert to both ACEs.
Following are the steps to achieve that:
On primary ACE:
1. create RSA Keys
crypto generate key 2048 app1.key
2. Create CSR & send it to CA
ace/Admin(config)# crypto csr-params app1-csr
ace/Admin(config-csr-params)# common-name www.app1.com
ace/Admin(config-csr-params)# country US
ace/Admin(config-csr-params)# email xx@xx.com
ace/Admin(config-csr-params)# locality xyz
ace/Admin(config-csr-params)# organization-name xyz
ace/Admin(config-csr-params)# organization-unit xyz
ace/Admin(config-csr-params)# state CA
ace/Admin(config-csr-params)# serial-number 1234
ace/Admin(config-csr-params)# end
ace/Admin(config)# crypto generate csr app1-csr app1.key
(copy the result to a file)
3. Import certificate received from CA
crypto import terminal app1.cert
(paste the content of the cert)
4. Verify the cert & keys match
crypto verify app1.key app1.cert
5. Export the keys from Active
crypto export app1.key
(copy the result to a file)
On Standby ACE:
1. Import the keys
crypto import terminal app1.key
2. Import the cert
crypto import terminal app1.cert
3. Verify the cert & keys match
crypto verify app1.key app1.cert
Hope this helps
Syed
11-04-2009 11:22 PM
Hi Syed,
thank you for taking the time to reply.
What if I don't want to get a key from a CA? I just need the sessions to be encrypted but the key does not have to be from a well known CA.
I plan to generate a self signed certificate using
[root@admin]# openssl genrsa -out key.pem 102
and
[root@admin]# openssl req -new -x509 -nodes -sha1 -days 365 -key key.pem -out cert.pem
Should I export the generated keys and transfer them to the standby ACE?
Can you please provide some info regarding the keys export procedure?
Thank you!
11-05-2009 12:25 AM
Hi Again,
I generated the keys on a linux machine using openssl.
I then imported the keys into the ACE and configured ssl offload, but now when I go to the VIP address IE does not work and Firefox displays the error:
An error occurred during a connection to 192.168.20.20.
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
I checked with the show crypto commands and everything seems to be fine with the keys.
Do you have an idea what might be wrong?
11-05-2009 05:22 AM
Well I reconfigured it again and now it is working fine. :)
All I need now is to add the second ACE as failover device.
If I understood correctly I should import the same keys on the second ACE before configuring HA?
11-05-2009 11:24 AM
You got it right.
If you are using OpenSSL then you simply need to import the same keys & certs to both ACE appliances.
Thanks
Syed Iftekhar Ahmed
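As an added example (not code from this thread, from Cisco, or from any poster), the OpenSSL side of what is discussed above: generating the self-signed key and certificate on a Linux box, as the second post asks about, and checking that a private key and a certificate belong together before and after importing them on each ACE, which is what `crypto verify app1.key app1.cert` does on the appliance. It assumes OpenSSL 1.0 or later; the file names and the `www.app1.com` name are placeholders taken from the CSR example, not anything specific to ACE.

```shell
#!/bin/sh
# Added example: OpenSSL key/cert generation and key-cert matching for an
# active/standby pair that must carry identical SSL material.
set -eu

# Generate a 2048-bit RSA key and a self-signed certificate for the
# common name $1, writing the key to $2 and the PEM certificate to $3.
# -nodes leaves the key unencrypted so it can be pasted into
# "crypto import terminal" on both units; protect the file accordingly.
gen_selfsigned() {
    cn=$1; key=$2; cert=$3
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$cn" -keyout "$key" -out "$cert" 2>/dev/null
    chmod 600 "$key"
}

# Return 0 if the private key in $1 belongs to the certificate in $2.
# Both sides are reduced to the SHA-256 of the DER-encoded public key,
# so this works for RSA and EC keys alike (the classic -modulus
# comparison is RSA-only).
key_cert_match() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the SHA-256 fingerprint of certificate $1. Run it against the file
# you imported on the active and on the standby unit; the two values must
# be identical or the standby will present a different certificate after
# a failover.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Usage when run directly: build app1.key/app1.cert and verify them.
if [ "${0##*/}" = "gen_and_verify.sh" ]; then
    gen_selfsigned www.app1.com app1.key app1.cert
    key_cert_match app1.key app1.cert && echo "app1.key matches app1.cert"
    echo "fingerprint: $(cert_fingerprint app1.cert)"
fi
```

The same key file and the same certificate file go to both appliances; generating a second key on the standby would produce a pair that `key_cert_match` (and `crypto verify`) rejects, and clients would see a certificate change on failover.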