ACE with SSL with One ARM deployment

melcara
Level 1

I am working with an ACE 4710 in the one-arm configuration. I am trying to enable SSL and, well, to be honest... I am just not getting it.

Below is the config...

crypto chaingroup prd_SSLChainGroup
  cert sub_root_2.crt
  cert root.crt
crypto csr-params prdSSL
  country US
  state ST
  locality SMALL TOWN
  organization-name SOME ORG
  common-name www.name.int
access-list allow line 8 extended permit ip any any
probe icmp PROBE_SERVICE_ICMP
  interval 60
  passdetect interval 5
  receive 5
parameter-map type ssl prd_SSL_Parmeter_Map
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_EXPORT1024_WITH_RC4_56_MD5
  cipher RSA_EXPORT1024_WITH_DES_CBC_SHA
  cipher RSA_EXPORT1024_WITH_RC4_56_SHA
rserver host 21-XYZ8-PA-prd-S02
  ip address a.b.c.21
rserver host 25-XYZ8host1
  ip address a.b.c.25
rserver host 26-XYZ8host2
  ip address a.b.c.26
rserver host 27-XYZ8host3
  ip address a.b.c.27
rserver host 29-XYZ10host1
  ip address a.b.c.29
rserver host 30-XYZ10host2
  ip address a.b.c.30
rserver host 31-XYZ10host3
  ip address a.b.c.31
rserver host 32-XYZ8-PA-prd-S03
  ip address a.b.c.32
rserver host 33-XYZ8-PA-prd-S04
  ip address a.b.c.33
  inservice
rserver host PA-prd-VS05
serverfarm host XYZ10-7001
  probe PROBE_SERVICE_ICMP
  rserver 21-XYZ8-PA-prd-S02 7001
  rserver 25-XYZ8host1 7001
  rserver 26-XYZ8host2 7001
  rserver 27-XYZ8host3 7001
  rserver 29-XYZ10host1 7001
  rserver 30-XYZ10host2 7001
  rserver 31-XYZ10host3 7001
  rserver 32-XYZ8-PA-prd-S03 7001
  rserver 33-XYZ8-PA-prd-S04 7001
    inservice
ssl-proxy service prd_SSLProxy
  key KEYPAIR.PEM
  cert mycert.pem
  ssl advanced-options prd_SSL_Parmeter_Map
sticky http-cookie ACE_COOKIE-7001 7001_STICKY
  cookie insert browser-expire
  replicate sticky
  serverfarm XYZ10-7001
class-map match-any XYZ10-HTTP-80-CLASS
  2 match virtual-address a.b.c.10 tcp eq www
class-map match-any XYZ10-HTTPS-CLASS
  2 match virtual-address a.b.c.10 tcp eq https
policy-map type loadbalance first-match HTTP
  class class-default
    serverfarm XYZ10-7001
policy-map type loadbalance first-match HTTPS
  class class-default
    serverfarm XYZ10-7001
policy-map multi-match XYZ10-SLB
  class XYZ10-HTTPS-CLASS
    loadbalance vip inservice
    loadbalance policy HTTPS
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 1000
    ssl-proxy server prd_SSLProxy
  class XYZ10-HTTP-80-CLASS
    loadbalance vip inservice
    loadbalance policy HTTP
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 1000
interface vlan 1000
  ip address a.b.c.11 255.255.255.0
  access-group input allow
  nat-pool 1 a.b.c.200 a.b.c.203 netmask 255.255.255.0 pat
  service-policy input XYZ10-SLB
  no shutdown
ip route 0.0.0.0 0.0.0.0 a.b.c.1

I did see these errors in the debug SSL output...

2010 Nov  4 04:45:01.732206 ssl mgr: (ctx:1)ssl_pki_verify: key in  KEYPAIR.PEM does not match cert in root_2.crt

2010 Nov  4 04:45:01.812870 ssl mgr: (ctx:1)ssl_pki_verify: key in  KEYPAIR.PEM does not match cert in sub_root_2.crt

But as they are the ROOT and SUB Root... I was not too concerned about it.

Any thoughts?
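As an added example for this thread (not code from the original post or from Cisco), the script below does the static checks a defender would run over a config like the one above before touching the box: for each ssl-proxy service it lists the key, cert, chaingroup and ssl parameter-map it references, flags referenced objects that are not defined, flags a defined chaingroup that no service references (the ACE `chaingroup` subcommand under `ssl-proxy service` is what makes the proxy send the intermediate certificates), and reports cipher suites that are weak by current standards (export-grade, RC4, DES/3DES, MD5, NULL). `SAMPLE_CONFIG` is a constructed, shortened copy of the posted config; the parser is a minimal one written for this example and assumes the two-space indentation of ACE `show run` output.

```python
"""Audit the SSL pieces of a Cisco ACE running config.

Added example for this thread, not code from the original post or from
Cisco. It parses the config as text and, for every ssl-proxy service,
reports the key, cert, chaingroup and ssl parameter-map it references,
whether those objects exist, and which cipher suites are weak by current
standards. SAMPLE_CONFIG is a constructed, shortened copy of the config
posted above.
"""

# Substrings that mark a cipher suite worth removing from a public VIP:
# export-grade suites, RC4, DES/3DES (Sweet32), MD5 MACs and NULL suites.
WEAK_CIPHER_MARKERS = ("EXPORT", "RC4", "DES", "MD5", "NULL")

# Constructed sample, shortened from the config in the thread.
SAMPLE_CONFIG = """\
crypto chaingroup prd_SSLChainGroup
  cert sub_root_2.crt
  cert root.crt
parameter-map type ssl prd_SSL_Parmeter_Map
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_EXPORT1024_WITH_DES_CBC_SHA
ssl-proxy service prd_SSLProxy
  key KEYPAIR.PEM
  cert mycert.pem
  ssl advanced-options prd_SSL_Parmeter_Map
"""


def parse_blocks(config_text):
    """Map each top-level ACE command to the list of its indented sub-commands."""
    blocks = {}
    current = None
    for raw in config_text.splitlines():
        if not raw.strip():
            continue                      # skip blank lines
        if raw[0].isspace():
            if current is not None:       # indented line belongs to the open block
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()         # new top-level command opens a block
            blocks[current] = []
    return blocks


def audit_ssl(config_text):
    """Return {service_name: {"refs": {...}, "issues": [...], "weak_ciphers": [...]}}."""
    blocks = parse_blocks(config_text)
    chaingroups = {h.split()[-1] for h in blocks if h.startswith("crypto chaingroup ")}
    ssl_pmaps = {h.split()[-1]: body for h, body in blocks.items()
                 if h.startswith("parameter-map type ssl ")}
    findings = {}
    for header, body in blocks.items():
        if not header.startswith("ssl-proxy service "):
            continue
        name = header.split()[-1]
        refs = {"key": None, "cert": None, "chaingroup": None, "parameter_map": None}
        for line in body:
            words = line.split()
            if words[0] in ("key", "cert", "chaingroup") and len(words) > 1:
                refs[words[0]] = words[1]
            elif words[:2] == ["ssl", "advanced-options"] and len(words) > 2:
                refs["parameter_map"] = words[2]
        issues = []
        if refs["key"] is None or refs["cert"] is None:
            issues.append("service is missing a key or cert")
        # Without 'chaingroup' the proxy only sends the server cert, so clients
        # that lack the intermediate CA see an incomplete chain.
        if refs["chaingroup"] is None and chaingroups:
            issues.append("no chaingroup referenced, although %s defined"
                          % ", ".join(sorted(chaingroups)))
        elif refs["chaingroup"] is not None and refs["chaingroup"] not in chaingroups:
            issues.append("chaingroup %s is not defined" % refs["chaingroup"])
        weak = []
        pmap = refs["parameter_map"]
        if pmap is not None and pmap not in ssl_pmaps:
            issues.append("ssl parameter-map %s is not defined" % pmap)
        elif pmap is not None:
            for line in ssl_pmaps[pmap]:
                words = line.split()
                if words[0] == "cipher" and any(m in words[1] for m in WEAK_CIPHER_MARKERS):
                    weak.append(words[1])
        findings[name] = {"refs": refs, "issues": issues, "weak_ciphers": weak}
    return findings


if __name__ == "__main__":
    for service, result in audit_ssl(SAMPLE_CONFIG).items():
        print("ssl-proxy service", service)
        for k, v in result["refs"].items():
            print("  %-14s %s" % (k, v))
        for issue in result["issues"]:
            print("  ISSUE:", issue)
        for cipher in result["weak_ciphers"]:
            print("  WEAK CIPHER:", cipher)
```

What the script cannot tell you is whether `KEYPAIR.PEM` actually pairs with `mycert.pem`; that is the check `crypto verify` does on the ACE itself, and the `ssl_pki_verify` debug lines above are what a mismatch looks like. Run the script over the full `show run` output and fix the reported issues first, then verify the key/cert pair on the box.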


7 Replies

ThibaultMean
Level 1

Once you have imported the cert and generated a key, check your certs and keys using the command crypto verify, and replace the crypto files if the command fails.

I couldn't find something specific to the chaingroup in this link but you might find it useful :

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Module_Troubleshooting_Guide%2C_Release_A2%28x%29_--_Troubleshooting_SSL

Your config looks fine to me.

The cert looks good.

The issue seems to be that the SSL proxy service is not working on the ACE.

Pablo
Cisco Employee

Hi Cody,

Did you already assign the resources for the Context in question?

Is HTTP working fine?


Pablo

The HTTP works fine... now I am not sure about assigning the resources to the Context... can you explain more, please?

Pablo
Cisco Employee

Cody,

When dealing with virtualization, ACE hardware resources are allocated to individual contexts under the control of resource-level controls configured in the Admin context.

resource-class LB
  limit-resource all minimum 10.00 maximum unlimited
context Production
  member LB

You can dig further on resource usage and configuration here: http://xrl.us/bh6v6g

Let us know if this does the trick.

HTH


Pablo

We did this... and upgraded to A4.1... and it is almost working....

When we did the upgrade to 4.1, all the mappings of the SSL proxy were removed... once those settings were replaced, we were good....

Finally.... Yeah.... thank you all for your help.
