02-05-2014 03:42 PM
Hi all, I have a problem regarding configuration of certificates on ACE. I have one serverfarm with two real servers; those servers run three different domains on the same VIP (Apache handles which one is presented to the user). We want to put HTTPS on those servers using SSL termination, but I can't figure out whether that can be achieved with only one VIP or if I need three VIPs, one for each domain, and associate each of those with one certificate. (With only one VIP, can I use certificate chains?) Another thing that sounds reasonable to me is to use class maps with L7 policies matching URLs; in that case I believe it can be achieved with one VIP, but if anyone knows, please help.
Thanks!
02-05-2014 04:28 PM
Hi,
You can use a wildcard certificate for multiple related domains like mail.abc.com, test.abc.com, abc.com etc., but all your domains should resolve to one VIP. If the URLs are completely different then you need to have different VIPs and certs.
L7 classification here will come only after the SSL handshake, since you are terminating SSL on ACE. Honestly I didn't get your requirement and have answered to the best of my understanding of your question.
Let me know if you have further questions.
Regards,
Kanwal
02-05-2014 04:45 PM
Sure, I believe the same. Actually I don't have a formal requirement; I have to implement it (there are different domains, no option to use a wildcard domain), but I'm not sure if I have to use multiple VIPs (using SSL termination on ACE) or whether I can achieve the same with only one VIP in this scenario.
For L7 classification, what I've figured out is to use end-to-end SSL, but I'm not sure; please, someone confirm.
02-05-2014 05:06 PM
Hi,
Okay. You can have L7 classification even with SSL termination, since ACE is handling decryption and encryption. I think I misunderstood your question/requirement. But L7 classification will only happen after the SSL handshake has happened. So your certificate should hold good for the URL which clients will be using. If there are multiple URLs you need to get a WILDCARD certificate or SAN certs. I am pasting one example configuration for you where L7 classification is being done along with SSL termination. Let me know if you have any questions.
====================================================================
 Multi-tier Server Load Balancing with SSL Termination and URL LB
====================================================================

                                                |-- 30.30.30.11/24 APP_SERVER_01
                        |---|     30.30.30.0/24 |-- 30.30.30.12/24 APP_SERVER_02
                        |   |-------------------|-- 30.30.30.21/24 DB_SERVER_01
    10.10.10.1/24     .2| A |                   |-- 30.30.30.21/24 DB_SERVER_02
    MSFC----------------| C |
                        | E |     20.20.20.0/24 |-- 20.20.20.11/24 WEB_SERVER_01
                        |   |-------------------|-- 20.20.20.12/24 WEB_SERVER_02
                        |---|                   |-- 20.20.20.13/24 WEB_SERVER_03 (images)
                                                |-- 20.20.20.14/24 WEB_SERVER_04 (images)
    <---Client--------->|<---Server------------->

- Clients connect to HTTPS VIP using SSL termination
- HTTP traffic balanced to image and content servers appropriately using URL load balancing
- Web content servers initiate connections to application servers
- Application servers initiate connections to database servers (requires client SNAT)

Configuration
==============

login timeout 0

access-list ANYONE line 10 extended permit tcp any any

parameter-map type ssl SSL_DEFAULT_PARAMS

ssl-proxy service SSL_SERVICE
  key mykey.pem
  cert mycert.pem
  ssl advanced-options SSL_DEFAULT_PARAMS

rserver host WEB_SERVER_01
  description Web Content Server 1
  ip address 20.20.20.11
  inservice
rserver host WEB_SERVER_02
  description Web Content Server 2
  ip address 20.20.20.12
  inservice
rserver host WEB_SERVER_03
  description Web Image Server 1
  ip address 20.20.20.13
  inservice
rserver host WEB_SERVER_04
  description Web Image Server 2
  ip address 20.20.20.14
  inservice
rserver host APP_SERVER_01
  description Application Server 1
  ip address 30.30.30.11
  inservice
rserver host APP_SERVER_02
  description Application Server 2
  ip address 30.30.30.12
  inservice
rserver host DB_SERVER_01
  description Database Server 1
  ip address 30.30.30.21
  inservice
rserver host DB_SERVER_02
  description Database Server 2
  ip address 30.30.30.22
  inservice

serverfarm host HTTP_CONTENT
  description Web Content Servers
  rserver WEB_SERVER_01
    inservice
  rserver WEB_SERVER_02
    inservice
serverfarm host HTTP_IMAGES
  description Web Image Servers
  rserver WEB_SERVER_03
    inservice
  rserver WEB_SERVER_04
    inservice
serverfarm host APP_SERVERS
  description Application Servers
  rserver APP_SERVER_01
    inservice
  rserver APP_SERVER_02
    inservice
serverfarm host DB_SERVERS
  description Database Servers
  rserver DB_SERVER_01
    inservice
  rserver DB_SERVER_02
    inservice

class-map match-all VIP_WWW
  2 match virtual-address 10.10.10.100 tcp eq https
class-map match-all VIP_APP
  2 match virtual-address 20.20.20.100 any
class-map match-all VIP_DB
  2 match virtual-address 30.30.30.100 any
class-map type http loadbalance match-any WEB_IMAGES
  2 match http url *.jpg
  3 match http url *.jpeg
  4 match http url *.gif
class-map type management match-any REMOTE_ACCESS
  description remote-access-traffic-match
  3 match protocol ssh any
  4 match protocol icmp any

policy-map type management first-match REMOTE_MGT
  class REMOTE_ACCESS
    permit

policy-map type loadbalance first-match WWW_SLB_LOGIC
  description Separate Web Content and Images Traffic
  class WEB_IMAGES
    serverfarm HTTP_IMAGES
  class class-default
    serverfarm HTTP_CONTENT
policy-map type loadbalance first-match APP_SLB_LOGIC
  class class-default
    serverfarm APP_SERVERS
policy-map type loadbalance first-match DB_SLB_LOGIC
  class class-default
    serverfarm DB_SERVERS

policy-map multi-match WEB
  class VIP_WWW
    loadbalance vip inservice
    loadbalance policy WWW_SLB_LOGIC
    loadbalance vip icmp-reply active
    ssl-proxy server SSL_SERVICE
policy-map multi-match APPLICATION
  class VIP_APP
    loadbalance vip inservice
    loadbalance policy APP_SLB_LOGIC
    loadbalance vip icmp-reply active
policy-map multi-match DATABASE
  class VIP_DB
    loadbalance vip inservice
    loadbalance policy DB_SLB_LOGIC
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 30

interface vlan 10
  description Client VLAN
  ip address 10.10.10.2 255.255.255.0
  access-group input ANYONE
  service-policy input WEB
  no shutdown
interface vlan 20
  description Web Servers VLAN
  ip address 20.20.20.1 255.255.255.0
  access-group input ANYONE
  service-policy input REMOTE_MGT
  service-policy input APPLICATION
  no shutdown
interface vlan 30
  description DB and App Servers VLAN
  ip address 30.30.30.1 255.255.255.0
  access-group input ANYONE
  service-policy input REMOTE_MGT
  service-policy input DATABASE
  nat-pool 1 30.30.30.110 30.30.30.110 netmask 255.255.255.0 pat
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.10.10.1
Regards,
Kanwal
02-05-2014 05:13 PM
Thanks Kanwal,
So I take from your post as my answer "If there are multiple URLs you need to get a WILDCARD certificate or SAN certs". I don't have a SAN cert, so I understand that I will need to use different VIPs (based on the fact that L7 applies after the handshake). Is that correct?
Thanks for all! Great post.
02-05-2014 05:17 PM
Hi,
You are welcome. Yes, if you have multiple domains you should have different certificates, for reasons obvious to security. If you have one domain and many sub-domains you can use a wildcard certificate. If you have domains which differ, like abc.com and abc.net, abc.org, you can use SAN certificates. And yes, ACE can take L7 decisions/read L7 data like cookies etc. after the SSL handshake and take decisions accordingly, as illustrated in the config example I have pasted above. If you have any questions in future related to this please feel free to ask :)
Regards,
Kanwal
02-05-2014 07:22 PM
One more, to clarify: you mention "if you have multiple domains you should have different certificates for reasons obvious to security", and I add, all of them running over a dedicated VIP or port (it should be possible to classify it in a class map). I guess that I'm correct, but please confirm.
02-05-2014 07:25 PM
Hi,
Yes, you can classify different VIPs (belonging to different domains) and ports etc. at class map level.
Regards,
Kanwal
02-05-2014 07:34 PM
Hi,
Let me put it in a simple way. If you have two different domains you should have two different VIPs and two different certificates. If you have a domain and its subdomains you can have one VIP and a wildcard certificate.
For example, if a client types xyz.com it will resolve to 1.1.1.1, and if a client types abc.com it will resolve to 2.2.2.2: two different domains, two different VIPs.
Regards,
Kanwal
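The rule Kanwal states in this thread (a wildcard certificate covers a domain's subdomains behind one VIP; unrelated domains need a SAN certificate or their own certificate and VIP) can be checked mechanically before the ACE is touched. The Python below is an added worked example, not code from the thread or from Cisco ACE. It applies the wildcard matching rule of RFC 6125 section 6.4.3, which browsers also enforce: the asterisk must be the entire leftmost label and stands for exactly one label, so a name of the form *.abc.com covers mail.abc.com but not the bare abc.com (unless the certificate also lists abc.com explicitly) and not a.b.abc.com. The certificate labels, their DNS names and the hostname list are constructed sample data; the function names are this example's own.

```python
"""Work out how many TLS VIPs a set of hostnames needs, given the certificates held.

Added example for this thread; not from the original post or from Cisco ACE.
Certificate names and hostnames below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    """Minimal model of a server certificate: a label plus every DNS name it carries
    (subject CN and subjectAltName dNSName entries, all treated alike)."""
    label: str
    names: tuple


def _labels(name: str):
    # Lower-case, drop a trailing dot, split into DNS labels.
    return name.lower().rstrip(".").split(".")


def name_matches(pattern: str, hostname: str) -> bool:
    """True if the certificate name `pattern` covers `hostname`.

    Exact (case-insensitive) match, or a wildcard that is the whole leftmost label
    and matches exactly one non-empty label (RFC 6125 6.4.3). Partial wildcards such
    as 'w*.abc.com', wildcards in other positions, and '*.com' are rejected.
    """
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or any("*" in lab for lab in p[1:]):
        return False
    if len(p) < 3:          # refuse to treat '*.com' as a valid wildcard
        return False
    return len(h) == len(p) and h[0] != "" and h[1:] == p[1:]


def covering_cert(certs, hostname):
    """Return the first certificate whose names cover hostname, or None."""
    for c in certs:
        if any(name_matches(n, hostname) for n in c.names):
            return c
    return None


def plan_vips(certs, hostnames):
    """Group hostnames by the certificate that covers them.

    Each group corresponds to one VIP carrying one ssl-proxy service with that
    certificate. Hostnames no certificate covers are returned separately: a client
    using such a name would fail the TLS handshake before any L7 class map runs.
    """
    groups = {}
    uncovered = []
    for h in hostnames:
        c = covering_cert(certs, h)
        if c is None:
            uncovered.append(h)
        else:
            groups.setdefault(c.label, []).append(h)
    return groups, uncovered


# Constructed sample data: a wildcard cert that also lists the apex name, and a
# SAN cert for two unrelated domains.
SAMPLE_CERTS = (
    Certificate("wildcard-abc-com", ("*.abc.com", "abc.com")),
    Certificate("san-abc-net-org", ("abc.net", "www.abc.net", "abc.org")),
)
SAMPLE_HOSTS = ("mail.abc.com", "test.abc.com", "abc.com",
                "www.abc.net", "abc.org", "xyz.com")

if __name__ == "__main__":
    groups, missing = plan_vips(SAMPLE_CERTS, SAMPLE_HOSTS)
    for label, hosts in groups.items():
        print(f"VIP for certificate {label}: {', '.join(hosts)}")
    print("no certificate covers:", ", ".join(missing) or "(none)")
```

With the sample data the script reports two groups, i.e. two VIPs (one per certificate), and flags xyz.com as uncovered. That is exactly the thread's conclusion: three unrelated domains with three separate certificates need three VIPs (or a single SAN certificate to collapse them onto one), and the hostname a client types has to be covered by the certificate the VIP serves, because URL-based L7 classification only starts once the handshake has succeeded.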