ACE ssl offloading

gavin han
Level 1

Hi,

I need to configure SSL offloading so that users send requests on port 443 while ACE does the SSL offload and the servers handle the HTTP connection. My current config is as below (I haven't copied the probe port80 here):

rserver server1:80
  ip address 192.168.1.1
  inservice

serverfarm secure-rediect-SF
  probe port80
  rserver server1:80
    inservice

class-map match-any secure-rediect-CM
  match virtual-address 10.10.1.1 tcp eq 80

policy-map type loadbalance first-match secure-rediect-PM
  class class-default
    sticky-serverfarm secure-rediect-SG

policy-map multi-match LBR-LB
  class secure-rediect-CM
    loadbalance vip inservice
    loadbalance policy secure-rediect-PM
    loadbalance vip icmp-reply

Could you help? How do I configure SSL offloading? What is required to configure it?


eszuniga
Level 1

Hi Gavin,

This process implies the request coming from a specific client on port 443; ACE will then decrypt the data and forward it to the HTTP server as clear text.

As for requirements, you would obviously need to deploy the server load balancing and then modify it for the SSL termination to take place.

Based on the config you have, you should create the following:

This is just a basic sample of requirements and SSL termination based on the config seen. Remember you may play around and do stickiness based on source IP, among other features.

- Parameter type SSL (name). You must create these only if required. If not, the SSL proxy service will use its defaults. ACE does support all.

- SSL proxy service, which defines the key, certificate and chain group. You must deploy this because with it the ACE will play the role of an SSL server.

So in config mode you apply: ssl-proxy service (name). Once you are under the SSL proxy service command you must specify the key and cert for it. The parameter is only to be specified if you created one; if not, it's going to use its default.

- To specify the key under the SSL proxy service mode do: key (name assigned to it). The process to associate the cert is the same: cert (name assigned to it).

- As for your configuration, you are missing the following for SSL termination:

ssl-proxy service SAMPLE
  key KEY.PEM
  cert CERT.PEM

rserver server1:80
  ip address 192.168.1.1
  inservice

serverfarm secure-rediect-SF
  probe https
  rserver server1:80
    inservice

class-map match-any secure-rediect-CM
  2 match virtual-address 10.10.1.1 tcp eq https

policy-map type loadbalance first-match secure-rediect-PM
  class class-default
    sticky-serverfarm secure-rediect-SG

policy-map multi-match LBR-LB
  class secure-rediect-CM
    loadbalance vip inservice
    loadbalance policy secure-rediect-PM
    loadbalance vip icmp-reply
    ssl-proxy server SAMPLE

interface vlan xxx
  service-policy input LBR-LB

Regards,

Esteban Z.

Hi, thanks for your reply.

Will I have to get the cert and key from our CA team? Could you advise how it works? How do I upload the cert and key on the ACE?

Hi,

Yes, the cert and key are requirements from your CA in order to import them to the ACE device, so it will use its certificate and corresponding public key together to prove its identity during the SSL handshake.

I would personally suggest the terminal import instead of FTP or such, since it's way easier and time-saving.

You must use the terminal method to display PEM files.

The syntax goes as follows:

crypto import terminal (local_filename) [passphrase passphrase]

Should look something like this:

ACE-4710F/Admin# crypto import terminal keytest
Please enter PEM formatted data. End with "quit" on a new line.
-----BEGIN RSA PRIVATE KEY-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END RSA PRIVATE KEY-----
quit

Now import the certificate using the terminal as the previous step.

ACE-4710F/Admin# crypto import terminal certest
Please enter PEM formatted data. End with "quit" on a new line.
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
quit

Finally verify that the key and the certificate match.

ACE-4710F/Admin# crypto verify ?

ACE-4710F/Admin# show crypto files

You may also refer to the following:

http://www.cisco.com/en/US/customer/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/certkeys.html#wp1052415

http://www.cisco.com/en/US/customer/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/terminat.html

Regards,

Jorge Bejarano
Level 4

Hello, Gavin

Here you have some additional examples which might help you out:

Admin# sh crypto files
Filename                                 File  File    Expor      Key/
                                         Size  Type    table      Cert
-----------------------------------------------------------------------
cert-test                                2088  PEM     Yes        CERT
key-test                                 1675  PEM     Yes         KEY

Admin# crypto verify key-test cert-test
Keypair in key-test matches certificate in cert-test

Admin(config)# crypto chaingroup my-chaingroup
Admin(config-chaingroup)# cert my-root
Admin(config-chaingroup)# cert my-intermediate
Admin(config-chaingroup)# exit

Admin# sh crypto chaingroup all
chaingroup muflas contains:
  my-root
  my-intermediate

Admin(config)# ssl-proxy service my-ssl-proxy
Admin(config-ssl-proxy)# chaingroup my-chaingroup
Admin(config-ssl-proxy)# cert cert-test
Admin(config-ssl-proxy)# key key-test
Admin(config-ssl-proxy)# end

Then finally, your configuration should look like this:

interface vlan 100
  ip address 10.198.16.75 255.255.255.192
  access-group input Allow_Access
  nat-pool 1 10.198.16.103 10.198.16.103 netmask 255.255.255.192 pat
  service-policy input MGMT
  service-policy input my-multimatch
  no shutdown

policy-map multi-match my-multimatch
  class vip
    loadbalance vip inservice
    loadbalance policy http
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 100
  class ssl
    loadbalance vip inservice
    loadbalance policy http
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 100
    ssl-proxy server my-ssl-proxy

class-map match-all ssl
  2 match virtual-address 10.198.16.103 tcp eq https

class-map match-all vip
  10 match virtual-address 10.198.16.103 tcp eq www

policy-map type loadbalance http first-match http
  class class-default
    serverfarm http

serverfarm host http
  rserver 1-80 80
    inservice
  rserver 2-80 80
    inservice

rserver host 1-80
  ip address 10.198.16.99
  inservice

rserver host 2-80
  ip address 10.198.16.100
  inservice

ssl-proxy service my-ssl-proxy
  key key-test
  cert cert-test
  chaingroup my-chaingroup

Hope this helps!!!
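A pre-import check for the PEM files, added here as an example and not part of the thread or of Cisco's tooling: run on the admin workstation before pasting the key and certificate into "crypto import terminal", it reproduces what "crypto verify" reports afterwards (the RSA modulus in the key matches the certificate's public key) and also catches a certificate that is about to expire. It assumes the openssl CLI is installed; the function names are my own.

```sh
#!/bin/sh
# Added example, not from the thread: pre-flight checks on a PEM key/cert pair
# before it is imported into the ACE. Assumes openssl is on the PATH.

# Returns 0 when the RSA modulus in the private key equals the modulus in the
# certificate, 1 otherwise (the same condition "crypto verify" checks on the ACE).
# Arguments: private key PEM file, certificate PEM file.
ace_key_matches_cert() {
    key_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    cert_mod=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]
}

# Returns 0 when the certificate is still valid for at least N more days
# (default 30), so an about-to-expire cert is caught before it goes on the VIP.
# Arguments: certificate PEM file, minimum remaining days.
ace_cert_not_expiring() {
    days=${2:-30}
    openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Prints a one-line verdict in the style of "crypto verify", then the subject
# and expiry date; exits non-zero on a mismatch so it can gate a deployment.
ace_preflight() {
    if ace_key_matches_cert "$1" "$2"; then
        printf 'Keypair in %s matches certificate in %s\n' "$1" "$2"
    else
        printf 'Keypair in %s does NOT match certificate in %s\n' "$1" "$2"
        return 1
    fi
    openssl x509 -in "$2" -noout -subject -enddate
}
```

A mismatch found here means the wrong key was handed over by the CA team, and importing the pair would only fail later at "crypto verify" or, worse, at the first handshake.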
