HI Ullas upendran ,

A chain groups specifies the certificate chains that the ACE sends to its peer during the handshake. A certificate chain is a hierarchal list of certificates that includes the subject's certificate, the root CA certificate, and any intermediate CA certificates. Using the information provided in a certificate chain, the certificate verifier can search for a trusted authority in the certificate hierarchal list back to the root CA. The verifier may find what it considers a trusted authority before reaching the root CA certificate, in which case, the verifier stops searching.

But as per my understanding

The ACE supports the following certificate chain group capabilities:

•A chain group can contain up to eight certificate chains.

•Each context on the ACE can contain up to eight chain groups means 8*8 Certificate chains.

• By default, your ACE provides an Admin context and five user contexts, which allows you to use multiple contexts if you choose to configure them. To increase the number of user contexts up to a maximum of 20, you must obtain a separate license from Cisco Systems.

So total number of chaingroups that can be used is 8*20=160

And the number of virtual servers is 1024.

SSL proxy termination service allows the virtual server to act as an SSL proxy server and terminate SSL sessions between it and its clients.

So

1. SSL Proxy Service =SSL Parameter map(ssl version, cipher suites, close-protocol, session ID reuse timeout, query delay), Client authentication,key pair file, CRL retrival, Certificate file, Chain Group)

2. Class maps=(layer3 and layer 4 match criterial applied to inbound traffic)=contains= Virtual IP address,source address, destination address, access list, port , any

Policy Maps = contains (1+2) i.e. (SSL proxy service + Class maps)

So you define Virtual server IP in class maps and Chain groups in SSL proxy service.

They will work when you combine these both inside a policy map (for layer 3/ layer 4)

Policy maps ---> Applies globall to all VLAN's in a context (a context can contain 8 chain groups )

You can specify the certificate chian that the ACE sends to its peer ACE during the SSL handshakeby using chaingroup command.

So this chain group is assigned to the whole context and inside the context any number of virtual server they use the same chain group .

You can configure chain groups for the context in a ace using SSL proxy service only.

All the virtual server inside the context they use the one chain group service .

Select Config > Devices > context > SSL > Chain Group Parameters. The Chain Group Parameters table appears.

SSL termination refers to configuring an ACE context for a front-end application in which the ACE operates as an SSL server that communicates with a client. When you create a Layer 3 and Layer 4 policy map to define the flow between an ACE and a client, the ACE operates as a virtual SSL server by adding security services between a web browser (the client) and the HTTP connection (the server). All inbound SSL flows from a client terminate at the ACE.

In the ANM, a viable virtual server has the following attributes:

• A default Layer 7 action

• A Layer 3/Layer 4 class map

• The virtual server multi-match policy map is associated with an interface or is global.

The name of the virtual server is derived from the name of the Layer 3/Layer 4 class map.

After the connection is terminated, the ACE decrypts the ciphertext from the client and sends the data as clear text to an HTTP server.

You need not to assign a different chaingroup to every virtual server.

Sachin Garg