09-21-2005 09:23 AM
Hi:
Does the CSM with a SCA have the capability to perform the following?
1. Inspect inbound TLS connection requests from a client.
2. Parse (regex/pattern match) XML headers contained within the client packet.
3. Upon finding a given string or pattern, serve up a specific self-signed TLS certificate and terminate the SSL (HTTPS) session with the requesting client.
4. Next, based upon the TCP port received from the client packet header, establish/terminate a non-secure HTTP session to a specific backend Web App Server.
5. Proxy the HTTPS (FE) and the HTTP (BE) sessions -- for the duration of the communications.
If so, can anyone recommend the hardware configuration where the CSM and SCA are housed in a Catalyst 6500 chassis; or possibly a newer/better option?
I look forward to your responses...
Regards,
OPWV Consulting
09-21-2005 11:30 PM
No device in the world can do what you're looking for in point #2 and #3.
The reason is that to see the XML data, you need to decrypt the traffic; to decrypt the traffic, you first need to terminate the SSL connection; and to terminate the connection, you need to know the certificate.
So, you can't use XML data to select the certificate.
This is no hardware/software limitation but just how SSL has been designed.
Point #4 is ok, you can use the tcp port to determine which server to use in the backend.
Regards,
Gilles.
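Added example, not part of the original posts: a Python sketch of the ordering described in the reply above. It parses a constructed, simplified client-side TLS 1.0 byte stream and shows that when the certificate has to be chosen, only the destination port and the plaintext ClientHello are available, while the XML arrives later as encrypted application data. The helper names, the sample bytes and the stand-in cipher are assumptions made for illustration.

```python
import hashlib
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

def record(ctype: int, payload: bytes) -> bytes:
    """Frame a payload as one TLS 1.0 record (5-byte header + payload)."""
    return struct.pack("!BBBH", ctype, 3, 1, len(payload)) + payload

def parse_records(stream: bytes):
    """Split a captured byte stream into (content_type_name, payload) tuples."""
    out, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated record header")
        ctype, _major, _minor, length = struct.unpack_from("!BBBH", stream, off)
        payload = stream[off + 5:off + 5 + length]
        if ctype not in CONTENT_TYPES or len(payload) != length:
            raise ValueError("malformed record")
        out.append((CONTENT_TYPES[ctype], payload))
        off += 5 + length
    return out

def stand_in_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for the negotiated cipher (NOT real TLS): XOR with a SHA-256 keystream."""
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def inputs_at_certificate_time(dst_port: int, client_stream: bytes):
    """What the terminator holds when it must send its Certificate message:
    the destination port and the first client record (a plaintext ClientHello)."""
    kind, payload = parse_records(client_stream)[0]
    if kind != "handshake" or payload[:1] != b"\x01":  # 1 = client_hello
        raise ValueError("first client record is not a ClientHello")
    return {"dst_port": dst_port, "client_hello": payload}

def pattern_on_wire(stream: bytes, pattern: bytes) -> bool:
    """True if the pattern appears in any record payload without decryption."""
    return any(pattern in payload for _, payload in parse_records(stream))

# Constructed sample (simplified; ClientKeyExchange omitted): client-to-server bytes.
XML = b'<?xml version="1.0"?><request tenant="alpha"/>'
HELLO = b"\x01\x00\x00\x29\x03\x01" + bytes(32) + b"\x00\x00\x02\x00\x2f\x01\x00"
KEY = b"constructed-session-key"
CLIENT_STREAM = (record(22, HELLO) + record(20, b"\x01")
                 + record(22, stand_in_encrypt(b"finished-placeholder", KEY))
                 + record(23, stand_in_encrypt(b"POST / HTTP/1.1\r\n\r\n" + XML, KEY)))
```

The destination port is known from the TCP header before any TLS byte arrives, which is why backend selection by port (point #4) works while certificate selection by XML content does not.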
09-22-2005 05:03 AM
yep -- exactly what I thought/knew -- it was a customer request ----
opwvconsulting