07-23-2012 03:01 PM
Good Day all,
Got a new request from my customer to provide SSL termination (Front-end and Back-End) on the ACE module.
The following is the list of requirements:
1) SSL Termination from Client to ACE - Key size 2048
2) SSL initiation toward the Real servers - Key size 1024
3) Cookie insert for sticky - Provided by the ACE
4) Predictor - Leastconn
5) Mode - Bridge
I have been searching the forum and other sites, and I would like to get clarification on a few things that I am having problems understanding.
Thank you in advance for taking the time to read this and provide me feedback/suggestions:
1) My customer has provided the certificate for their application, which I need to import on the ACE. A question about this: do I need a certificate for every VIP that I configure on the ACE for termination, for any future requirements?
2) Do I need to install a certificate on the ACE toward (initiate) the real servers? If so, do I first generate the key, and then follow the instructions to request the CSR?
3) To create the cookie insert for the sticky, are the following commands all I need to apply:
sticky http-cookie ACE-Insert web-sticky
  cookie insert browser-expire
  timeout 5
  serverfarm my_server_farm
4) If I have a lab environment, can the certificate be exported first and then imported on the production ACE, or does each environment need to have its own certificate?
Any sample configuration that someone could share would also be greatly appreciated.
Thanks,
-Raman
07-23-2012 05:30 PM
Hi Raman,
Below is an example:
The following example illustrates an end-to-end SSL configuration, which combines front-end SSL and back-end SSL. The ACE receives encrypted text from an HTTP client, and also transmits the encrypted data as cipher text to the SSL server. On the reverse side, the ACE decrypts the cipher text that it receives from the SSL server and sends the data to the client as clear text. The SSL-specific configuration elements appear in bold in the example.
access-list ACL1 line 10 extended permit ip any any
probe https GEN-HTTPS
  port 80
  interval 50
  faildetect 5
  expect status 200 200
probe http GEN-HTTP
  port 80
  interval 50
  faildetect 5
  expect status 200 200
rserver SERVER1
  ip address 172.27.16.11
  inservice
rserver SERVER2
  ip address 172.27.16.12
  inservice
rserver SERVER3
  ip address 172.27.16.13
  inservice
rserver SERVER4
  ip address 172.27.16.14
  inservice
serverfarm host SFARM1
  description SERVER FARM 1 FOR SSL TERMINATION
  probe GEN-HTTPS
  rserver SERVER1 80
    inservice
  rserver SERVER2 80
    inservice
serverfarm host SFARM2
  description SERVER FARM 2 FOR SSL INITIATION
  probe GEN_HTTP
  rserver SERVER3 443
    inservice
  rserver SERVER4 443
    inservice
parameter-map type ssl PARAMMAP_SSL_TERMINATION
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA priority 2
  cipher RSA_WITH_AES_256_CBC_SHA priority 3
  version all
parameter-map type connection TCP_PARAM
  syn-data drop
  exceed-mss allow
parameter-map type http PARAMMAP_HTTP
  server-conn reuse
  case-insensitive
  persistence-rebalance
parameter-map type ssl PARAMMAP_SSL_INITIATION
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_DES_CBC_SHA
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
  cipher RSA_EXPORT_WITH_RC4_40_MD5
  cipher RSA_EXPORT1024_WITH_RC4_56_MD5
  cipher RSA_EXPORT_WITH_DES40_CBC_SHA
  cipher RSA_EXPORT1024_WITH_DES_CBC_SHA
  cipher RSA_EXPORT1024_WITH_RC4_56_SHA
  version all
ssl-proxy service SSL_PSERVICE_SERVER
  ssl advanced-options PARAMMAP_SSL_TERMINATION
  key MYKEY.PEM
  cert MYCERT.PEM
ssl-proxy service SSL_PSERVICE_CLIENT
  ssl advanced-options PARAMMAP_SSL_INITIATION
class-map type http loadbalance match-all L7_SERVER_CLASS
  description Sticky for SSL Testing
  2 match http url .*.jpg
  3 match source-address 192.168.130.0 255.255.255.0
class-map type http loadbalance match-all L7_SLB-HTTP_CLASS
  2 match http url .*
  3 match source-address 192.168.130.0 255.255.255.0
class-map match-all L4_SSL-TERM_CLASS
  description SSL Termination VIP
  2 match virtual-address 192.168.130.11 tcp eq https
policy-map type loadbalance first-match L7_SSL-TERM_POLICY
  class L7_SERVER_CLASS1
    serverfarm SFARM1
    insert-http I_AM header-value "SSL_TERM"
    insert-http SRC_Port header-value "%ps"
    insert-http DEST_IP header-value "%id"
    insert-http DEST_Port header-value "%pd"
    insert-http SRC_IP header-value "%is"
  class L7_SLB-HTTP_CLASS1
    serverfarm SFARM1
    insert-http I_AM header-value "SSL_TERM"
    insert-http SRC_Port header-value "%ps"
    insert-http DEST_IP header-value "%id"
    insert-http DEST_Port header-value "%pd"
    insert-http SRC_IP header-value "%is"
class-map match-all L4_SSL-INIT_CLASS
  description SSL Initiation VIP
  2 match virtual-address 192.168.130.12 tcp eq www
policy-map type loadbalance first-match L7_SSL-INIT_POLICY
  class L7_SERVER_CLASS2
    serverfarm SFARM2
    insert-http SRC_IP header-value "%is"
    insert-http I_AM header-value "SSL_INIT"
    insert-http SRC_Port header-value "%ps"
    insert-http DEST_IP header-value "%id"
    insert-http DEST_Port header-value "%pd"
    ssl-proxy client SSL_PSERVICE_CLIENT
  class L7_SLB-HTTP_CLASS2
    serverfarm SFARM2
    insert-http SRC_IP header-value "%is"
    insert-http I_AM header-value "SSL_INIT"
    insert-http DEST_Port header-value "%pd"
    insert-http DEST_IP header-value "%id"
    insert-http SRC_Port header-value "%ps"
    ssl-proxy client SSL_PSERVICE_CLIENT
policy-map multi-match L4_SSL-VIP_POLICY
  class L4_SSL-TERM_CLASS
    loadbalance vip inservice
    loadbalance policy L7_SSL-TERM_POLICY
    loadbalance vip icmp-reply
    ssl-proxy server SSL_PSERVICE_SERVER
    connection advanced-options TCP_PARAM
  class L4_SSL-INIT_CLASS
    loadbalance vip inservice
    loadbalance policy L7_SSL-INIT_POLICY
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options PARAMMAP_HTTP
interface vlan 120
  description Upstream VLAN_120 - Clients and VIPs
  ip address 192.168.120.1 255.255.255.0
  fragment chain 20
  fragment min-mtu 68
  access-group input ACL1
  nat-pool 1 192.168.120.70 192.168.120.80 netmask 255.255.255.0 pat
  service-policy input L4_SSL-VIP_POLICY
  no shutdown
ip route 10.1.0.0 255.255.255.0 192.168.120.254
Regarding your questions:
Actually it depends on your requirement. You can use the same certificate but customer may not permit that.
You don't need a certificate installed on ACE for SSL initiation.
The commands for sticky insert by ACE are correct.
For testing purposes you can generate demo certs from Verisign and various other CAs' websites. You can also take the actual certificate from the server and import it on the ACE for testing. You can use the same certificate for testing with various VIPs and serverfarms, but in production it all depends upon customer requirements.
Regards,
Kanwal
07-23-2012 09:59 PM
Hello Raman,
Just to add some comments to what Kanwal said:
What you are trying to do is called: "END TO END SSL configuration"
Here you have a link about it: http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Configuration_Examples_--_SSL_Configuration_Examples#Examples_of_End-to-End_SSL_Configurations
Then you just need the certificates for the first part but not for the ssl initiation.
Your sticky configuration looks fine.
In my testing lab, we have used the same certificates for different VIPs but you can test it anyway.
Since you have bridge mode, please make sure your servers point at the router in front of the ACE as their default gateway and not necessarily the ACE.
Hope this helps. Please check it out and let us know your feedback.
Jorge
07-25-2012 05:53 PM
Hi Jorge and Kanwal,
Thanks for providing this information.
I have been working in my lab trying to establish the test bed to run through the SSL end to end topology.
Currently I have connected the ACE Module to IXIA test appliance, establishing a basic L4 SLB.
I am able to generate client traffic toward the VIP and the five real servers I have configured in the serverfarm, and the tests are all successful.
Of course when I configured the ACE for SSL termination/Initiation, I was not able to successfully run through the test.
Here are some questions on which I'd like to get additional information:
1) Can the Cert and Key which come with the ACE be utilized for a test bed such as the one I have established, or do I need to import the Cert that my customer has provided? I will import the key/cert on the production ACE.
2) If the client is establishing the connection via HTTPS and not HTTP, do I need to configure the server farm for HTTP as shown in the example you have provided?
3) Why are there two rservers assigned to each SF? Is this normal/best practice?
4) Why are there two different VIPs configured? Shouldn't the same IP address be used, but bound to each designated TCP port?
5) For parameter-map type ssl PARAMMAP_SSL_INITIATION, and Termination, do I need to list all the ciphers as shown in example or will ACE by default respond to the Cipher?
6) The probes associated with each SF appear to be reversed, meaning, if the rservers are using the port inheritance attribute (80 or 443), shouldn't the correct probe be applied to each one based on the protocol?
My apologies for posting long questions on this, but I am unfortunately on a time crunch and I need to have this completed. Any additional feedback will be much appreciated.
Thanks,
raman
07-25-2012 07:42 PM
Hi Raman,
Please find the answers inline:
1) Can the Cert and Key which come with the ACE be utilized for a test bed such as the one I have established, or do I need to import the Cert that my customer has provided? I will import the key/cert on the production ACE.
Yes you can use the key and cert which are there in ACE. Is this ACE30? Because there is no cert in ACE 20 or ACE10.
2) If the client is establishing the connection via HTTPS and not HTTP, do I need to configure the server farm for HTTP as shown in the example you have provided?
You need to have a serverfarm listening on port 443 if you want to configure end-to-end SSL termination, while for SSL termination you have a serverfarm listening on port 80, since only the front end is encrypted (443 traffic) while the backend is port 80 traffic.
3) Why are there two rservers assigned to each SF? Is this normal/best practice?
If you have only one rserver and it fails, nothing will work. If you have two rservers, the load will be shared between the two, and if one fails the other will bear the full load. It is generally a good practice to have multiple rservers. In fact, if you have only one server, why bother to have a server load balancer unless you got it just for SSL offloading?
4) Why are there two different VIPs configured? Shouldn't the same IP address be used, but bound to each designated TCP port?
You can use the same IP address.
5) For parameter-map type ssl PARAMMAP_SSL_INITIATION, and Termination, do I need to list all the ciphers as shown in example or will ACE by default respond to the Cipher?
It should by default respond to all the ciphers that are there in ACE.
6) The probes associated with each SF appear to be reversed, meaning, if the rservers are using the port inheritance attribute (80 or 443), shouldn't the correct probe be applied to each one based on the protocol?
Please explain this question. I didn't get you on this.
Regards,
Kanwal
07-25-2012 09:26 PM
Hi Kanwal,
Please see the inline answers.. sorry I wasn't very clear. It has been a long day.. I am sure you can relate.
Question 3: I guess I should have been little more clear about what I am asking. What I meant to ask was, since there are 4 rservers in this example, why are not all 4 rservers listed in each serverfarm configured above.
is this by design to split the load for rservers listening on 443 or 80?
Q 6: Are the probe configs correct and have they been applied to the right SF?
probe https GEN-HTTPS
  port 80 ----> Should this be 443
--- snip ----
serverfarm host SFARM1
  description SERVER FARM 1 FOR SSL TERMINATION
  probe GEN-HTTPS -------> should this be HTTP probe
  rserver SERVER1 80
    inservice
  rserver SERVER2 80
    inservice
serverfarm host SFARM2
  description SERVER FARM 2 FOR SSL INITIATION
  probe GEN_HTTP --------- should this be HTTPS probe
  rserver SERVER3 443
    inservice
  rserver SERVER4 443
    inservice
What are some good commands to use to verify the SSL Connections are being established, other than
Show service-policy summary or show serverfarm {SF_Name}
Thanks again for helping me out.
Have a good day.
raman
07-25-2012 11:07 PM
Hi Raman,
Actually there is a little typo. Your understanding regarding the probe is correct. The probe port should be 443 as you pointed out, or it should be probe http and not probe https if port 80 is being used.
Also, it is not mandatory to have two serverfarms in the case of end-to-end SSL (if that is what you are asking after referring to the example). In short:
SSL Termination------>Client------>ACE------>RSERVERS.
Communication between client and ACE is encrypted. ACE to rservers is clear text. So here you need rservers to listen on port 80 or 8081 etc. Probing should be on port 80.
SSL initiation------> In this case communication between ACE and rservers is encrypted. So the probe should be on port 443.
End to End SSL----> In this case you need the rservers to listen on 443, and the front end as well as the backend is encrypted. Probing should be on 443.
Also, commands to troubleshoot ssl would be:
show stats crypto client
show stats crypto server
I hope this helps.
Regards,
Kanwal
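A mechanical check for the probe-to-port pairing Kanwal lays out above, as an added example that is not from this thread or from Cisco: a Python script that parses a pasted (flattened, indentation-free) ACE config and reports the mismatches in the earlier example, such as an https probe sent to port 80, a probe name that is never defined, or a farm that mixes 80 and 443 members. The stanza keywords and the CLEAR_PORTS/TLS_PORTS sets are assumptions about the configs on this page.

```python
"""Probe/serverfarm port consistency check for a pasted ACE config.

Added example for this thread, not Cisco code. It reads flattened config
text and reports: an undefined probe name, an https probe aimed at a
clear-text port (or an http probe at a TLS port), a probe whose explicit
port differs from the member rserver port, and a farm mixing 80 and 443.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Keywords that open a new top-level stanza and therefore close the current one.
TOP_LEVEL = ("probe", "serverfarm", "rserver", "parameter-map", "class-map", "policy-map",
             "access-list", "ssl-proxy", "interface", "crypto", "ip", "sticky")
CLEAR_PORTS = {80, 8080, 8081}   # assumption: clear-text HTTP ports used by the servers
TLS_PORTS = {443, 8443}          # assumption: HTTPS ports used by the servers


@dataclass
class Probe:
    name: str
    kind: str                    # "http" or "https"
    port: Optional[int] = None   # None: the probe inherits the rserver port


@dataclass
class Farm:
    name: str
    probes: List[str] = field(default_factory=list)
    members: List[Tuple[str, Optional[int]]] = field(default_factory=list)


def parse_config(text: str):
    """Collect http/https probes and serverfarms; every other stanza is skipped."""
    probes, farms, ctx = {}, {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] == "probe" and len(tok) == 3 and tok[1] in ("http", "https"):
            ctx = probes[tok[2]] = Probe(tok[2], tok[1])
        elif tok[0] == "serverfarm" and len(tok) == 3 and tok[1] == "host":
            ctx = farms[tok[2]] = Farm(tok[2])
        elif isinstance(ctx, Farm) and tok[0] == "rserver" and len(tok) > 1 and tok[1] != "host":
            port = int(tok[2]) if len(tok) > 2 and tok[2].isdigit() else None
            ctx.members.append((tok[1], port))          # farm member with optional port
        elif isinstance(ctx, Farm) and tok[0] == "probe" and len(tok) == 2:
            ctx.probes.append(tok[1])                   # probe attached to the farm
        elif isinstance(ctx, Probe) and tok[0] == "port" and len(tok) == 2:
            ctx.port = int(tok[1])
        elif tok[0] in TOP_LEVEL:
            ctx = None
    return probes, farms


def check(probes, farms) -> List[str]:
    """One finding per inconsistency; an empty list means the pairing is sane."""
    findings = []
    for farm in farms.values():
        ports = {p for _, p in farm.members if p is not None}
        if len(ports) > 1:
            findings.append(f"{farm.name}: members listen on mixed ports {sorted(ports)}")
        for pname in farm.probes:
            probe = probes.get(pname)
            if probe is None:
                findings.append(f"{farm.name}: probe '{pname}' is not defined")
                continue
            for rname, rport in farm.members:
                eff = probe.port if probe.port is not None else rport  # port actually probed
                if probe.kind == "https" and eff in CLEAR_PORTS:
                    findings.append(f"{farm.name}/{rname}: https probe {pname} "
                                    f"targets clear-text port {eff}")
                elif probe.kind == "http" and eff in TLS_PORTS:
                    findings.append(f"{farm.name}/{rname}: http probe {pname} targets TLS port {eff}")
                if None not in (probe.port, rport) and probe.port != rport:
                    findings.append(f"{farm.name}/{rname}: probe {pname} uses port "
                                    f"{probe.port} but the member listens on {rport}")
    return findings


def audit(config_text: str) -> List[str]:
    return check(*parse_config(config_text))


# Constructed excerpt of the probe/serverfarm stanzas from the example quoted earlier.
SAMPLE_CONFIG = """\
probe https GEN-HTTPS
port 80
probe http GEN-HTTP
port 80
serverfarm host SFARM1
probe GEN-HTTPS
rserver SERVER1 80
rserver SERVER2 80
serverfarm host SFARM2
probe GEN_HTTP
rserver SERVER3 443
rserver SERVER4 443
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the two https-probe-on-port-80 members of SFARM1 and the undefined GEN_HTTP probe on SFARM2; swap the probes to GEN-HTTP for the port-80 farm and a port-443 GEN-HTTPS for the port-443 farm and the list is empty.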
07-26-2012 06:54 PM
Hello Raman,
I would like to add some comments to your questions:
Question 3: I guess I should have been little more clear about what I am asking. What I meant to ask was, since there are 4 rservers in this example, why are not all 4 rservers listed in each serverfarm configured above.
is this by design to split the load for rservers listening on 443 or 80?
If you have servers listening on port 80 and 443, etc., when the ACE is taking the load-balance decision it does not care whether the request needs to go to a server listening on port 80 (like in SSL termination) or on port 443 (like in end-to-end); it just picks one. Good luck if it chooses the correct port, but it might also select another port, which will fail. That is why it is not recommended to mix ports.
Q 6: Are the probe configs correct and have they been applied to the right SF?
You can just leave the default values and test it and then progressively start adding features.
Jorge
07-26-2012 07:30 PM
Hi Jorge/Kanwal,
So, I wish I could share good news and say I got it to work, but unfortunately I am still having problems.
The attached document has the configs I have been using in my lab.
File name L4 SLB HTTP HTTPS is my base config that I used in my test bed to have a known good working environment. This config provides L4 load balancing, where the SSL sessions are established between the client and real servers. The ACE does basic load-balancing. I have not applied any sticky to either one of the configs until I am able to make it work in SSL. Trying to keep it as simple as possible.
The File ACE SSL Config is the actual configs for End to End SSL.
Here’s what I get when I apply the config.
All serverfarms are up (Real servers in operation mode)
Service Policy for each VIPS are up.
In my lab I have created a basic Web page on a Server, and I am able to pull it up when I type in the VIP IP address in the URL of the client.
However, looking at the Wireshark capture, I don't see the SSL traffic between the ACE and real servers. It all appears to be in the clear.
I also look at the stats on the ACE, like show conn, and I am not able to see the connection between the two devices (client and real server).
Anyway, could you guys look over the configs (ACE SSL Config) and let me know if I am doing the configs correctly.
I forgot to get the Wireshark capture from the server, so I can provide that as well if you need to see it.
Much thanks for your continued support!
07-26-2012 07:45 PM
Hello Raman,
Can you copy and paste the current configuration so I can take a look? (You can change the IP addresses for security if you want.)
Here you have a sample of how an END-TO-END SSL configuration should look:
class-map match-all L4-CLASS-HTTPS
  2 match virtual-address 172.16.0.15 tcp eq https
policy-map multi-match VIPs
  class L4-CLASS-HTTPS
    loadbalance vip inservice
    loadbalance policy HTTPS-POLICY
    loadbalance vip icmp-reply
    loadbalance vip advertise active
    appl-parameter http advanced-options http_parameter_map
    ssl-proxy server CISCO-SSL-PROXY
policy-map type loadbalance http first-match HTTPS-POLICY
  class class-default
    serverfarm SF-1
    ssl-proxy client CLIENT-SSL-PROXY
serverfarm host SF-1
  rserver S1 443
    inservice
  rserver S2 443
    inservice
  rserver S3 443
    inservice
  rserver S4 443
    inservice
rserver host S1
  ip address 192.168.0.200
  inservice
rserver host S2
  ip address 192.168.0.201
  inservice
rserver host S3
  ip address 192.168.0.202
  inservice
rserver host S4
  ip address 192.168.0.203
  inservice
ssl-proxy service CLIENT-SSL-PROXY
ssl-proxy service CISCO-SSL-PROXY
  key rsakey.pem
  cert slot2-2tier.pem
  chaingroup Chaingroup1
  ssl advanced-options PARAMETER_SSL
crypto chaingroup Chaingroup1
  cert inter.pem
parameter-map type http http_parameter_map
  persistence-rebalance
  set content-maxparse-length 8192
  set header-maxparse-length 8192
parameter-map type ssl PARAMETER_SSL
  session-cache timeout 300
  queue-delay timeout 1
Here you have a link about it:
Jorge
07-26-2012 08:03 PM
Hello Raman,
Do you have something like this?
interface vlan 351
  description NDC private Client side interface
  bridge-group 35
  mac-sticky enable
  access-group input NDC-IEMP-IN
  access-group output NDC-IEMP-OUT
  service-policy input LAB-IEMP-SP
  no shutdown
interface vlan 451
  description NDC private Real server
  bridge-group 35
  access-group input NDC-IEMP-IN
  access-group output NDC-IEMP-OUT
  service-policy input LAB-IEMP-SP
  no shutdown
class-map match-all LAB-IEMP-HTTPS-VIP
  description LAB-IEMP-HTTPS-VIP 192.168.1.50
  2 match virtual-address 192.168.1.50 tcp eq https
policy-map multi-match LAB-IEMP-SP
  class LAB-IEMP-HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy LAB-IEMP-HTTPS-PM
    loadbalance vip icmp-reply
    loadbalance vip advertise active
    appl-parameter http advanced-options http_parameter_map
    ssl-proxy server CISCO-SSL-PROXY
ssl-proxy service CLIENT-SSL-PROXY
ssl-proxy service CISCO-SSL-PROXY
  key tac-key.pem
  cert tac-cert.pem
  chaingroup tac-Chaingroup
  ssl advanced-options PARAMETER_SSL
crypto chaingroup tac-Chaingroup
  cert tac-root.pem
  cert tac-intermediate.pem
parameter-map type http http_parameter_map
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 65535
  set content-maxparse-length 65535
  length-exceed continue
  parsing non-strict
parameter-map type ssl PARAMETER_SSL
  session-cache timeout 300
  queue-delay timeout 1
policy-map type loadbalance first-match LAB-IEMP-HTTPS-PM
  class class-default
    sticky-serverfarm launchpad_dev_secure
    ssl-proxy client CLIENT-SSL-PROXY
sticky http-cookie ACE-insert launchpad_dev_secure
  cookie insert browser-expire
  timeout 5
  serverfarm LAB-IEMP-HTTPS
serverfarm host LAB-IEMP-HTTPS
  description LAB-IEMP-HTTPS
  predictor leastconns
  rserver RS01 443
    inservice
  rserver RS02 443
    inservice
  rserver RS03 443
    inservice
  rserver RS04 443
    inservice
  rserver RS05 443
    inservice
rserver host RS01
  description RS01 192.168.1.194
  ip address 192.168.1.194
  inservice
rserver host RS02
  description RS02 192.168.1.195
  ip address 192.168.1.195
  inservice
rserver host RS03
  description RS03 192.168.1.196
  ip address 192.168.1.196
  inservice
rserver host RS04
  description RS04 192.168.1.197
  ip address 192.168.1.197
  inservice
rserver host RS05
  description RS05 192.168.1.198
  ip address 192.168.1.198
  inservice
Jorge
07-29-2012 06:11 PM
Hi Jorge,
Great News, I was finally able to make this work!!!
However, I did have to make a couple of changes to successfully establish the end to end SSL.
I removed the following parameter-map type http http_parameter_map from policy-map multi-match LAB-IEMP-SP
I didn't get a chance to investigate to see why the removing of this command helped the overall connectivity. I will be able to have more information tomorrow when I get back to work.
I have one more question to ask you in regard to importing the certificate and Key. Currently I am using the cert and key that came with the ACE30 Module. I am planning on importing the certificate that was provided to me by my customer.
The key file that I need to import, should that contain the Private Key info, or the public key, or both?
Thanks again for all your help to resolve this.
Best Regards,
-raman
07-29-2012 08:15 PM
Hello Raman,
Yes, something like this:
ACE-M2/Admin# crypto import terminal tac-key
Please enter PEM formatted data. End with "quit" on a new line.
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
quit
ACE-M2/Admin# crypto import terminal tac-cert
Please enter PEM formatted data. End with "quit" on a new line.
-----BEGIN CERTIFICATE-----
.
.
.
-----END CERTIFICATE-----
quit
ACE-M2/Admin# crypto import terminal tac-inter
Please enter PEM formatted data. End with "quit" on a new line.
-----BEGIN CERTIFICATE-----
.
.
.
-----END CERTIFICATE-----
quit
ACE-M2/Admin# crypto import terminal tac-root
Please enter PEM formatted data. End with "quit" on a new line.
-----BEGIN CERTIFICATE-----
.
.
.
-----END CERTIFICATE-----
quit
ACE-M2/Admin# sh crypto files
Filename    File  File  Expor  Key/
            Size  Type  table  Cert
-----------------------------------------------------------------------
tac-cert    1874  PEM   Yes    CERT
tac-inter   1964  PEM   Yes    CERT
tac-key     887   PEM   Yes    KEY
tac-root    1566  PEM   Yes    CERT
ACE-M2/Admin#
ACE-M2/Admin# crypto verify tac-key tac-cert
Keypair in tac-key matches certificate in tac-cert.
ACE-M2/Admin#
2) Now, we are going to configure the chain-group:
ACE-M2/Admin(config)# crypto chaingroup tac-chaingroup
ACE-M2/Admin(config-chaingroup)# cert tac-root
ACE-M2/Admin(config-chaingroup)# cert tac-inter
ACE-M2/Admin(config-chaingroup)# exit
ACE-M2/Admin(config)#
ACE-M2/Admin# sh crypto chaingroup all
chaingroup tac-chaingroup contains:
tac-root
tac-inter
ACE-M2/Admin#
3) Now we are going to configure the ssl-proxy service:
ACE-M2/Admin(config)# ssl-proxy service tac-ssl-proxy
ACE-M2/Admin(config-ssl-proxy)# chaingroup tac-chaingroup
ACE-M2/Admin(config-ssl-proxy)# cert tac-cert
ACE-M2/Admin(config-ssl-proxy)# key tac-key
ACE-M2/Admin(config-ssl-proxy)# end
ssl-proxy service tac-ssl-proxy
key tac-key
cert tac-cert
chaingroup tac-chaingroup
It sounds great that it is working now.
Hope this helps.
Jorge
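For the key-file question above (private key, public key or both), an added example that is not from this thread or from Cisco: a stdlib-only Python checker that inspects a PEM file before it is pasted into crypto import terminal, confirming it holds exactly one unencrypted private key and no certificate, and reading the modulus size out of a PKCS#1 RSA PRIVATE KEY block so the 2048-bit front-end requirement from the first post can be checked the way crypto verify checks the key/cert pair. The synthetic key builder at the end is a constructed fixture for the demo, not a key generator, and the message wording is my own.

```python
"""Sanity-check a PEM key file before 'crypto import terminal'.

Added example for this thread, not ACE or Cisco code. The key file must hold
the private key (the certificate carries the public key); this helper lists
the PEM blocks, flags certificates, public keys, encrypted or truncated
bodies, and reads the RSA modulus size with a minimal DER walk.
"""
import base64
import binascii
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, headers, der_or_None)] for every PEM block in text."""
    out = []
    for m in PEM_BLOCK.finditer(text):
        hdr, b64 = [], []
        for ln in m.group(2).splitlines():
            # Encrypted PKCS#1 keys carry 'Proc-Type:'/'DEK-Info:' lines before the base64.
            (hdr if ":" in ln else b64).append(ln.strip())
        try:
            der = base64.b64decode("".join(b64), validate=True)
        except binascii.Error:
            der = None                       # mangled or truncated paste
        out.append((m.group(1), dict(h.split(":", 1) for h in hdr), der))
    return out


def _der_tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def rsa_private_key_bits(der):
    """Modulus size of a PKCS#1 RSAPrivateKey: SEQUENCE { INTEGER version, INTEGER n, ... }."""
    tag, pos, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, _, pos = _der_tlv(der, pos)         # version INTEGER, skipped
    tag2, start, end = _der_tlv(der, pos)    # modulus n
    if tag != 0x02 or tag2 != 0x02:
        raise ValueError("not a PKCS#1 RSAPrivateKey")
    return int.from_bytes(der[start:end], "big").bit_length()


def inspect_key_file(text, min_bits=2048):
    """Return (ok, messages); ok is False when anything would block a clean import."""
    notes, problems, nkeys = [], [], 0
    for label, hdr, der in pem_blocks(text):
        if der is None:
            problems.append(f"{label}: base64 body is corrupt or truncated")
        elif label == "CERTIFICATE":
            problems.append("CERTIFICATE block: belongs in the cert file, not the key file")
        elif label == "PUBLIC KEY":
            problems.append("PUBLIC KEY block: ACE needs the private key here")
        elif label == "RSA PRIVATE KEY":
            nkeys += 1
            if "ENCRYPTED" in hdr.get("Proc-Type", ""):
                problems.append("RSA PRIVATE KEY is passphrase-protected: decrypt it before importing")
                continue
            try:
                bits = rsa_private_key_bits(der)
            except (ValueError, IndexError):
                problems.append("RSA PRIVATE KEY body is not a PKCS#1 RSAPrivateKey")
                continue
            notes.append(f"RSA PRIVATE KEY: {bits}-bit modulus")
            if bits < min_bits:
                problems.append(f"key is below the required {min_bits} bits")
        elif label == "PRIVATE KEY":
            nkeys += 1                       # PKCS#8 form: accepted, size not parsed here
            notes.append("PRIVATE KEY (PKCS#8) found: size not checked by this helper")
    if nkeys != 1:
        problems.append(f"expected exactly one private key block, found {nkeys}")
    return not problems, notes + problems


# DER helpers used only to build a constructed fixture for the demo.
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")  # keeps the 0x00 pad when the top bit is set
    return b"\x02" + _der_len(len(body)) + body


def synthetic_rsa_pem(bits):
    """PKCS#1 stub holding only version, n and e, with n exactly `bits` wide. Not a usable key."""
    body = der_integer(0) + der_integer((1 << (bits - 1)) | 1) + der_integer(65537)
    b64 = base64.encodebytes(b"\x30" + _der_len(len(body)) + body).decode()
    return f"-----BEGIN RSA PRIVATE KEY-----\n{b64}-----END RSA PRIVATE KEY-----\n"


if __name__ == "__main__":
    for bits in (2048, 1024):
        print(bits, inspect_key_file(synthetic_rsa_pem(bits)))
```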