08-27-2011 10:12 AM
Hi,
I need to configure SSL offloading so that users send requests on port 443 while ACE does the SSL offload, so the servers handle plain HTTP connections. My current config is as below (I haven't copied probe port80 here):
rserver server1:80
ip add 192.168.1.1
inservice
serverfarm secure-rediect-SF
probe port80
rserver server1:80
inservice
class-map match-any secure-rediect-CM
match virtual-address 10.10.1.1 tcp 80
policy-map type loadbalance first-match secure-rediect-PM
class class-default
sticky-serverfarm secure-rediect-SG
policy-map multi-match LBR-LB
class secure-rediect-CM
loadbalance vip inservice
loadbalance policy secure-rediect-PM
loadbalance vip icmp-reply
Could you help? How do I configure SSL offloading, and what is required to configure it?
08-27-2011 12:14 PM
Hi Gavin,
In this process the request comes from the client on port 443; ACE then decrypts the data and forwards it to the HTTP server as clear text.
As for requirements, you obviously need to deploy the server load balancing first and then modify it so that SSL termination can take place.
Based on the config you have you should create the following:
This is just a basic sample of the requirements and of SSL termination based on the config seen. Remember you may play around and do stickiness based on source IP, among other features.
- parameter-map type ssl (name). You must create this only if required. If not, the SSL proxy service will use its defaults. ACE does support all of them.
- SSL proxy service, which defines the key, certificate and chain group. You must deploy this because ACE will play the role of an SSL server.
So in config mode you apply: ssl-proxy service (name). Once you are under the SSL proxy service command you must specify the key and cert for it. The parameter map is only to be specified if you created one; if not, it's going to use its defaults.
- To specify the key under the SSL proxy service mode do: key (name assigned to it). The process to associate the cert is the same: cert (name assigned to it).
- As for your configuration, you are missing the following for SSL termination:
ssl-proxy service SAMPLE
key KEY.PEM
cert CERT.PEM
rserver server1:80
ip add 192.168.1.1
inservice
serverfarm secure-rediect-SF
probe port80
rserver server1:80
inservice
class-map match-any secure-rediect-CM
2 match virtual-address 10.10.1.1 tcp eq https
policy-map type loadbalance first-match secure-rediect-PM
class class-default
sticky-serverfarm secure-rediect-SG
policy-map multi-match LBR-LB
class secure-rediect-CM
loadbalance vip inservice
loadbalance policy secure-rediect-PM
loadbalance vip icmp-reply
ssl-proxy server SAMPLE
interface vlan xxx
service-policy input LBR-LB
Regards,
Esteban Z.
08-28-2011 08:13 AM
Hi Thanks for your reply.
Will I have to get the cert and key from our CA team? Could you advise how it works? How do I upload the cert and key onto the ACE?
08-29-2011 05:36 PM
Hi,
Yes, you need the cert and key from your CA in order to import them into the ACE device, so it can use its certificate and the corresponding public key together to prove its identity during the SSL handshake.
I would personally suggest the terminal import instead of FTP or such, since it's way easier and more time-saving.
You must use the terminal method to display PEM files.
The syntax goes as follows:
crypto import terminal (local_filename) [passphrase passphrase]
Should look something like this:
ACE-4710F/Admin# crypto import terminal keytest
Please enter PEM formatted data. End with "quit" on a new line.
-----BEGIN RSA PRIVATE KEY-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END RSA PRIVATE KEY-----
quit
Now import the certificate using the terminal as the previous step.
ACE-4710F/Admin# crypto import terminal certest
Please enter PEM formatted data. End with "quit" on a new line.
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
quit
Finally verify that the key and the certificate match.
ACE-4710F/Admin# crypto verify ?
ACE-4710F/Admin# show crypto files
You may also refer to the following:
Regards,
08-29-2011 07:27 PM
Hello, Gavin
Here you have some additional examples which might help you out:
Admin# sh crypto files
Filename     File Size   File Type   Exportable   Key/Cert
-----------------------------------------------------------------------
cert-test    2088        PEM         Yes          CERT
key-test     1675        PEM         Yes          KEY
# crypto verify key-test cert-test
Keypair in key-test matches certificate in cert-test
Admin(config)# crypto chaingroup my-chaingroup
Admin(config-chaingroup)# cert my-root
Admin(config-chaingroup)# cert my-intermediate
Admin(config-chaingroup)# exit
Admin# sh crypto chaingroup all
chaingroup my-chaingroup contains:
my-root
my-intermediate
Admin(config)# ssl-proxy service my-ssl-proxy
Admin(config-ssl-proxy)# chaingroup my-chaingroup
Admin(config-ssl-proxy)# cert cert-test
Admin(config-ssl-proxy)# key key-test
Admin(config-ssl-proxy)# end
Then finally, your configuration should look like this:
interface vlan 100
ip address 10.198.16.75 255.255.255.192
access-group input Allow_Access
nat-pool 1 10.198.16.103 10.198.16.103 netmask 255.255.255.192 pat
service-policy input MGMT
service-policy input my-multimatch
no shutdown
policy-map multi-match my-multimatch
class vip
loadbalance vip inservice
loadbalance policy http
loadbalance vip icmp-reply active
nat dynamic 1 vlan 100
class ssl
loadbalance vip inservice
loadbalance policy http
loadbalance vip icmp-reply active
nat dynamic 1 vlan 100
ssl-proxy server my-ssl-proxy
class-map match-all ssl
2 match virtual-address 10.198.16.103 tcp eq https
class-map match-all vip
10 match virtual-address 10.198.16.103 tcp eq www
policy-map type loadbalance http first-match http
class class-default
serverfarm http
serverfarm host http
rserver 1-80 80
inservice
rserver 2-80 80
inservice
rserver host 1-80
ip address 10.198.16.99
inservice
rserver host 2-80
ip address 10.198.16.100
inservice
ssl-proxy service my-ssl-proxy
key key-test
cert cert-test
chaingroup my-chaingroup
Hope this helps!!!
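The two answers above boil down to three checks you can make before anything touches the ACE: the private key really belongs to the certificate (what `crypto verify key-test cert-test` reports), the intermediate and root you put in the chaingroup actually validate that certificate, and the PEM you paste into `crypto import terminal` is the kind of PEM the box expects. The script below is an added example, not code from the thread or from Cisco; it runs with plain openssl on a workstation, builds a constructed root/intermediate/server PKI for the hostname www.example.com (an assumption), and reuses the thread's file names key-test and cert-test for the server pair. It also shows the two failure modes a practitioner most often hits: a key that does not match the cert, and a chaingroup that omits the intermediate.

```shell
#!/bin/sh
# Added example (not from the thread or Cisco): build a test PKI with openssl on a workstation
# and run offline the same checks the thread does on ACE:
#   crypto verify <key> <cert>  -> does the private key belong to the certificate?
#   crypto chaingroup           -> do root + intermediate actually validate the server cert?
# Everything below is constructed test data; www.example.com and the file names are assumptions
# (key-test / cert-test mirror the names used in the thread).
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the generated files
cd "$WORK"

# Minimal openssl config so the run does not depend on the system openssl.cnf.
cat > openssl.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF

# Root CA -> intermediate CA -> server cert for the VIP name. In a real deployment the server
# CSR goes to the CA team; what comes back is cert-test plus the intermediate and root certs.
make_pki() {
  openssl req -config openssl.cnf -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Root CA" -extensions ca_ext -keyout root.key -out root.pem 2>/dev/null
  openssl req -config openssl.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1825 \
    -extfile openssl.cnf -extensions ca_ext -out inter.pem 2>/dev/null
  openssl req -config openssl.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.com" -keyout key-test -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 365 \
    -extfile openssl.cnf -extensions srv_ext -out cert-test 2>/dev/null
  # An unrelated key, to show what "crypto verify" would reject.
  openssl genrsa -out wrong.key 2048 2>/dev/null
}

# Equivalent of "crypto verify KEY CERT": the public key derived from the private key must be
# byte-for-byte the SubjectPublicKeyInfo inside the certificate. Works for RSA and EC keys.
key_matches_cert() {  # $1=key file, $2=cert file; prints match / mismatch
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || k=""
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || c=""
  if [ -n "$k" ] && [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# What a client does with the chain ACE presents: validate the server cert up to a trusted root,
# using the intermediate the chaingroup supplies. Leave the intermediate out and validation fails
# even though the cert itself is fine (the classic "works in one browser, not in another").
chain_validates() {  # $1=server cert, $2=trusted root, $3=intermediate (optional); prints ok / fail
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

# PEM label of a file: "RSA PRIVATE KEY" (traditional format, as in the thread's paste),
# "PRIVATE KEY" (PKCS#8, what OpenSSL 3 writes by default), "CERTIFICATE", ...
pem_label() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Exactly what gets pasted after "crypto import terminal NAME": the PEM, then quit on its own line.
terminal_import_text() {
  cat "$1"
  echo quit
}

make_pki
echo "key-test vs cert-test:      $(key_matches_cert key-test cert-test)"
echo "wrong.key vs cert-test:     $(key_matches_cert wrong.key cert-test)"
echo "chain with intermediate:    $(chain_validates cert-test root.pem inter.pem)"
echo "chain without intermediate: $(chain_validates cert-test root.pem)"
echo "key-test PEM label:         $(pem_label key-test)"
```

If `pem_label key-test` prints "PRIVATE KEY" rather than "RSA PRIVATE KEY", your openssl wrote PKCS#8; on OpenSSL 3 `openssl rsa -in key-test -traditional -out key-test.rsa` (an assumption about your toolchain, not something the thread covers) produces the traditional label before you paste it into `crypto import terminal`. The chaingroup in the last answer corresponds to `inter.pem` plus `root.pem` here; the second `chain_validates` call is what a client sees when the intermediate is missing from it.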