2816 Views · 0 Helpful · 12 Replies

End to End SSL with Cookie insert for Sticky config Help

RAMAN AZIZIAN
Level 1

Good Day all,

Got a new request from my customer to provide SSL termination (Front-end and Back-End) on the ACE module.

The following is the list of requirements:

1) SSL Termination from Client to ACE - Key size 2048

2) SSL initiation toward the Real servers - Key size 1024

3) Cookie insert for sticky - Provided by the ACE

4) Predictor - Leastconns

5) Mode - Bridge

I have been searching the forum and other sites, and I would like to get clarification on a few things that I am having problems understanding.

Thank you in advance for taking the time to read this and provide me feedback/suggestions:

1) My customer has provided the certificate for their application, which I need to import on the ACE. A question about this: do I need a certificate for every VIP that I configure on the ACE for termination, for any future requirements?

2) Do I need to install a certificate on the ACE toward (to initiate to) the real servers? If so, do I first generate the key and then follow the instructions to request the CSR?

3) To create the cookie insert for the sticky, are the following commands all I need to apply:

sticky http-cookie ACE-Insert web-sticky
  cookie insert browser-expire
  timeout 5
  serverfarm my_server_farm

4) If I have a lab environment, can the certificate be exported first and then imported on the production ACE, or does each environment need its own certificate?

Any sample configuration that someone could share would also be greatly appreciated.

Thanks,

-Raman

12 Replies (5 accepted solutions)

Kanwaljeet Singh
Cisco Employee

Hi Raman,

Below is an example :

The following example illustrates an end-to-end SSL configuration, which combines front-end SSL and back-end SSL. The ACE receives encrypted text from an HTTP client, and also transmits the encrypted data as cipher text to the SSL server. On the reverse side, the ACE decrypts the cipher text that it receives from the SSL server and sends the data to the client as clear text. The SSL-specific configuration elements appear in bold in the example.

access-list ACL1 line 10 extended permit ip any any

probe https GEN-HTTPS
  port 80
  interval 50
  faildetect 5
  expect status 200 200

probe http GEN-HTTP
  port 80
  interval 50
  faildetect 5
  expect status 200 200

rserver SERVER1
  ip address 172.27.16.11
  inservice
rserver SERVER2
  ip address 172.27.16.12
  inservice
rserver SERVER3
  ip address 172.27.16.13
  inservice
rserver SERVER4
  ip address 172.27.16.14
  inservice

serverfarm host SFARM1
  description SERVER FARM 1 FOR SSL TERMINATION
  probe GEN-HTTPS
  rserver SERVER1 80
    inservice
  rserver SERVER2 80
    inservice

serverfarm host SFARM2
  description SERVER FARM 2 FOR SSL INITIATION
  probe GEN_HTTP
  rserver SERVER3 443
    inservice
  rserver SERVER4 443
    inservice

parameter-map type ssl PARAMMAP_SSL_TERMINATION
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA priority 2
  cipher RSA_WITH_AES_256_CBC_SHA priority 3
  version all

parameter-map type connection TCP_PARAM
  syn-data drop
  exceed-mss allow

parameter-map type http PARAMMAP_HTTP
  server-conn reuse
  case-insensitive
  persistence-rebalance

parameter-map type ssl PARAMMAP_SSL_INITIATION
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_DES_CBC_SHA
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
  cipher RSA_EXPORT_WITH_RC4_40_MD5
  cipher RSA_EXPORT1024_WITH_RC4_56_MD5
  cipher RSA_EXPORT_WITH_DES40_CBC_SHA
  cipher RSA_EXPORT1024_WITH_DES_CBC_SHA
  cipher RSA_EXPORT1024_WITH_RC4_56_SHA
  version all

ssl-proxy service SSL_PSERVICE_SERVER
  ssl advanced-options PARAMMAP_SSL_TERMINATION
  key MYKEY.PEM
  cert MYCERT.PEM

ssl-proxy service SSL_PSERVICE_CLIENT
  ssl advanced-options PARAMMAP_SSL_INITIATION

class-map type http loadbalance match-all L7_SERVER_CLASS
  description Sticky for SSL Testing
  2 match http url .*.jpg
  3 match source-address 192.168.130.0 255.255.255.0

class-map type http loadbalance match-all L7_SLB-HTTP_CLASS
  2 match http url .*
  3 match source-address 192.168.130.0 255.255.255.0

class-map match-all L4_SSL-TERM_CLASS
  description SSL Termination VIP
  2 match virtual-address 192.168.130.11 tcp eq https

policy-map type loadbalance first-match L7_SSL-TERM_POLICY
  class L7_SERVER_CLASS1
    serverfarm SFARM1
    insert-http I_AM header-value "SSL_TERM"
    insert-http SRC_Port header-value "%ps"
    insert-http DEST_IP header-value "%id"
    insert-http DEST_Port header-value "%pd"
    insert-http SRC_IP header-value "%is"
  class L7_SLB-HTTP_CLASS1
    serverfarm SFARM1
    insert-http I_AM header-value "SSL_TERM"
    insert-http SRC_Port header-value "%ps"
    insert-http DEST_IP header-value "%id"
    insert-http DEST_Port header-value "%pd"
    insert-http SRC_IP header-value "%is"

class-map match-all L4_SSL-INIT_CLASS
  description SSL Initiation VIP
  2 match virtual-address 192.168.130.12 tcp eq www

policy-map type loadbalance first-match L7_SSL-INIT_POLICY
  class L7_SERVER_CLASS2
    serverfarm SFARM2
    insert-http SRC_IP header-value "%is"
    insert-http I_AM header-value "SSL_INIT"
    insert-http SRC_Port header-value "%ps"
    insert-http DEST_IP header-value "%id"
    insert-http DEST_Port header-value "%pd"
    ssl-proxy client SSL_PSERVICE_CLIENT
  class L7_SLB-HTTP_CLASS2
    serverfarm SFARM2
    insert-http SRC_IP header-value "%is"
    insert-http I_AM header-value "SSL_INIT"
    insert-http DEST_Port header-value "%pd"
    insert-http DEST_IP header-value "%id"
    insert-http SRC_Port header-value "%ps"
    ssl-proxy client SSL_PSERVICE_CLIENT

policy-map multi-match L4_SSL-VIP_POLICY
  class L4_SSL-TERM_CLASS
    loadbalance vip inservice
    loadbalance policy L7_SSL-TERM_POLICY
    loadbalance vip icmp-reply
    ssl-proxy server SSL_PSERVICE_SERVER
    connection advanced-options TCP_PARAM
  class L4_SSL-INIT_CLASS
    loadbalance vip inservice
    loadbalance policy L7_SSL-INIT_POLICY
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options PARAMMAP_HTTP

interface vlan 120
  description Upstream VLAN_120 - Clients and VIPs
  ip address 192.168.120.1 255.255.255.0
  fragment chain 20
  fragment min-mtu 68
  access-group input ACL1
  nat-pool 1 192.168.120.70 192.168.120.80 netmask 255.255.255.0 pat
  service-policy input L4_SSL-VIP_POLICY
  no shutdown

ip route 10.1.0.0 255.255.255.0 192.168.120.254

Regarding your questions:

Actually it depends on your requirement. You can use the same certificate but customer may not permit that.

You don't need a certificate installed on ACE for SSL initiation.

The commands for sticky insert by ACE are correct.

For testing purposes you can generate demo certs from Verisign and various other CAs' websites. You can also take the actual certificate from the server and import it on the ACE for testing. You can use the same certificate for testing with various VIPs and serverfarms, but in production it all depends upon customer requirements.

Regards,

Kanwal
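The cookie-insert stickiness that the thread's configuration asks for (`sticky http-cookie` with `cookie insert browser-expire`, `timeout 5`, `predictor leastconns`), as an added simulation that is not part of this thread and not ACE code. It shows how the sticky table takes precedence over the predictor, how the idle timer is refreshed and expires, and what a browser-expire cookie looks like on the wire. The class name, the table layout and the keyed-hash cookie value are assumptions of this example, not a description of ACE's implementation.

```python
"""Added example: simulation of ACE-style HTTP cookie-insert stickiness (not ACE code)."""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie


class StickyCookieLB:
    """Hypothetical load balancer modelling 'sticky http-cookie <name>' with cookie insert."""

    def __init__(self, cookie_name, rservers, timeout_minutes=5, secret=None):
        self.cookie_name = cookie_name
        self.conns = {rs: 0 for rs in rservers}   # active connections per rserver
        self.timeout = timeout_minutes * 60         # ACE 'timeout' is given in minutes
        self.secret = secret or secrets.token_bytes(32)
        self.table = {}                             # cookie value -> [rserver, last_seen]

    def _cookie_value(self, rserver):
        # Opaque keyed value: a client cannot read the backend address out of it.
        # This encoding is an assumption of the example, not ACE's own format.
        return hmac.new(self.secret, rserver.encode(), hashlib.sha256).hexdigest()[:16]

    def _leastconns(self):
        # predictor leastconns; rserver name is a deterministic tie-break
        return min(self.conns, key=lambda rs: (self.conns[rs], rs))

    def route(self, cookie_header, now):
        """Choose an rserver for one request. Returns (rserver, Set-Cookie header or None)."""
        morsel = SimpleCookie(cookie_header or "").get(self.cookie_name)
        if morsel is not None:
            entry = self.table.get(morsel.value)
            if entry is not None and now - entry[1] <= self.timeout:
                entry[1] = now                   # a sticky hit refreshes the idle timer
                self.conns[entry[0]] += 1
                return entry[0], None            # predictor bypassed, nothing re-inserted
            # unknown or idle-expired cookie: fall through to a fresh decision

        rserver = self._leastconns()
        self.conns[rserver] += 1
        value = self._cookie_value(rserver)
        self.table[value] = [rserver, now]
        cookie = SimpleCookie()
        cookie[self.cookie_name] = value
        # browser-expire: no Expires/Max-Age attribute, so the browser drops the
        # cookie when it closes; the assignment survives only in the sticky table.
        return rserver, cookie.output(header="Set-Cookie:").strip()

    def release(self, rserver):
        """A connection closed: this feeds back into the leastconns decision."""
        self.conns[rserver] -= 1


if __name__ == "__main__":
    # Constructed rservers, mirroring the 443 backends used in the thread
    lb = StickyCookieLB("ACE-Insert", ["192.168.1.194:443", "192.168.1.195:443"])
    rs, set_cookie = lb.route(None, now=0)
    print(rs, set_cookie)
    value = set_cookie.split("=", 1)[1]
    print(lb.route("ACE-Insert=" + value, now=60))       # same rserver, no new cookie
    print(lb.route("ACE-Insert=" + value, now=60 + 301))  # idle > 5 min: new decision
```

Worth noticing when reading the output: once a client presents a valid cookie the predictor is not consulted at all, so an uneven initial spread of clients persists until their idle timers expire, and the only thing that binds a client to a server after a browser restart is whatever the sticky table still holds.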

Hello Raman,

Just to add some comments to what Kanwal said:

What you are trying to do is called: "END TO END SSL configuration"

Here you have a link about it: http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Configuration_Examples_--_SSL_Configuration_Examples#Examples_of_End-to-End_SSL_Configurations

Then you just need the certificates for the first part, but not for the SSL initiation.

Your sticky configuration looks fine.

In my testing lab, we have used the same certificates for different VIPs but you can test it anyway.

Since you have bridge mode, please make sure your servers point at the router in front of the ACE as their default gateway, and not necessarily the ACE.

Hope this helps; please check it out and let us know your feedback.

Jorge

Hi Jorge and Kawal,

Thanks for providing this information.

I have been working in my lab trying to establish the test bed to run through the SSL end-to-end topology.

Currently I have connected the ACE module to an IXIA test appliance, establishing a basic L4 SLB.

I am able to generate client traffic toward the VIP and the five real servers I have configured in the serverfarm, and the tests are all successful.

Of course, when I configured the ACE for SSL termination/initiation, I was not able to successfully run through the test.

Here are some questions on which I'd like to get additional information:

1) Can the cert and key which come with the ACE be utilized for a test bed such as the one I have established, or do I need to import the cert that my customer has provided? I will import the key/cert on the production ACE.

2) If the client is establishing the connection via HTTPS and not HTTP, do I need to configure the server farm for HTTP as shown in the example you have provided?

3) Why are there two rservers assigned to each SF? Is this normal/best practice?

4) Why are there two different VIPs configured? Shouldn't the same IP address be used, but bound to each designated TCP port?

5) For parameter-map type ssl PARAMMAP_SSL_INITIATION and termination, do I need to list all the ciphers as shown in the example, or will the ACE by default respond to the cipher?

6) The probes associated with each SF appear to be reversed, meaning, if the rservers are using the port inheritance attribute (80 or 443), shouldn't the correct probe be applied to each one based on the protocol?

My apologies for posting long questions on this, but I am unfortunately on a time crunch and I need to have this completed. Any additional feedback will be much appreciated.

Thanks,

raman


Hi Raman,

Please find the answers inline:

1) Can the cert and key which come with the ACE be utilized for a test bed such as the one I have established, or do I need to import the cert that my customer has provided? I will import the key/cert on the production ACE.

Yes, you can use the key and cert which are there in the ACE. Is this an ACE30? Because there is no cert in the ACE20 or ACE10.

2) If the client is establishing the connection via HTTPS and not HTTP, do I need to configure the server farm for HTTP as shown in the example you have provided?

You need to have a serverfarm listening on port 443 if you want to configure end-to-end SSL, while for SSL termination you have a serverfarm listening on port 80, since only the front-end (443) traffic is encrypted while the backend is port 80 traffic.

3) Why are there two rservers assigned to each SF? Is this normal/best practice?

If you have only one rserver and it fails, nothing will work. If you have two rservers, the load will be shared between the two, and if one fails the other will bear the full load. It is generally good practice to have multiple rservers. In fact, if you have only one server, why bother having a server load balancer, unless you got it just for SSL offloading?

4) Why are there two different VIPs configured? Shouldn't the same IP address be used, but bound to each designated TCP port?

You can use the same IP address.

5) For parameter-map type ssl PARAMMAP_SSL_INITIATION and termination, do I need to list all the ciphers as shown in the example, or will the ACE by default respond to the cipher?

It should by default respond to all the ciphers that are there in the ACE.

6) The probes associated with each SF appear to be reversed, meaning, if the rservers are using the port inheritance attribute (80 or 443), shouldn't the correct probe be applied to each one based on the protocol?

Please explain this question; I didn't get you on this.

Regards,

Kanwal

RAMAN AZIZIAN
Level 1
Level 1

Hi Kanwal,

Please see the inline answers. Sorry I wasn't very clear; it has been a long day. I am sure you can relate.

Question 3: I guess I should have been a little clearer about what I am asking. What I meant to ask was: since there are 4 rservers in this example, why are not all 4 rservers listed in each serverfarm configured above?

Is this by design, to split the load for rservers listening on 443 or 80?

Q 6: Are the probe configs correct and have they been applied to the right SF?

probe https GEN-HTTPS
  port 80 ----> Should this be 443

--- snip ---

serverfarm host SFARM1
  description SERVER FARM 1 FOR SSL TERMINATION
  probe GEN-HTTPS -------> should this be an HTTP probe
  rserver SERVER1 80
    inservice
  rserver SERVER2 80
    inservice

serverfarm host SFARM2
  description SERVER FARM 2 FOR SSL INITIATION
  probe GEN_HTTP --------- should this be an HTTPS probe
  rserver SERVER3 443
    inservice
  rserver SERVER4 443
    inservice

What are some good commands to use to verify that the SSL connections are being established, other than show service-policy summary or show serverfarm {SF_Name}?

Thanks again for helping me out.

have a good day.

raman

Hi Raman,

Actually there is a little typo. Your understanding regarding the probe is correct. The probe port should be 443 as you pointed out, or it should be probe http and not probe https if port 80 is being used.

Also, it is not mandatory to have two serverfarms in the case of end-to-end SSL (if that is what you are asking after referring to the example). In short:

SSL Termination ------> Client ------> ACE ------> RSERVERS.

Communication between the client and the ACE is encrypted. ACE to rservers is clear text. So here you need the rservers to listen on port 80 or 8081 etc. Probing should be on port 80.

SSL Initiation ------> In this case communication between the ACE and the rservers is encrypted. So the probe should be on port 443.

End-to-End SSL ------> In this case you need the rserver to listen on 443, and the front end as well as the backend is encrypted. Probing should be on 443.

Also, commands to troubleshoot SSL would be:

show stats crypto client
show stats crypto server

I hope this helps.

Regards,

Kanwal
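The probe rules Kanwal states above (clear-text backend on port 80 gets an http probe on 80; encrypted backend on 443 gets an https probe on 443; the probe a serverfarm references must actually exist), as an added configuration lint written for this page. It is not a Cisco tool: it parses only the `probe`, `serverfarm host` and `rserver` stanzas of ACE-style text, and the sample input is the probe/serverfarm portion of the example posted earlier in the thread, trimmed to the lines that matter. The assumption that a probe without an explicit `port` inherits the rserver port, so it is skipped for the port comparison, is this example's own.

```python
"""Added example: lint ACE-style probe/serverfarm stanzas for the port rules in the thread.
Not a Cisco tool; parsing covers only 'probe', 'serverfarm host' and 'rserver' lines."""


def parse_ace(config_text):
    """Return ({probe_name: {"type", "port"}}, {farm_name: {"probes", "rservers"}})."""
    probes, farms, section = {}, {}, None
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        tokens = raw.split()
        if not raw.startswith(" "):                       # top-level stanza header
            if tokens[0] == "probe" and len(tokens) >= 3:       # probe <type> <name>
                section = ("probe", tokens[2])
                probes[tokens[2]] = {"type": tokens[1], "port": None}
            elif tokens[0] == "serverfarm" and len(tokens) >= 3:  # serverfarm host <name>
                section = ("farm", tokens[2])
                farms[tokens[2]] = {"probes": [], "rservers": []}
            else:
                section = None                            # stanzas this lint ignores
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "probe" and tokens[0] == "port" and len(tokens) == 2:
            probes[name]["port"] = int(tokens[1])
        elif kind == "farm" and tokens[0] == "probe" and len(tokens) == 2:
            farms[name]["probes"].append(tokens[1])
        elif kind == "farm" and tokens[0] == "rserver" and len(tokens) >= 2:
            # rserver <name> [port]; no port means it inherits the VIP port
            port = int(tokens[2]) if len(tokens) >= 3 and tokens[2].isdigit() else None
            farms[name]["rservers"].append((tokens[1], port))
    return probes, farms


def lint_probes(config_text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    probes, farms = parse_ace(config_text)
    findings = []
    for pname, p in probes.items():
        if p["type"] == "https" and p["port"] == 80:
            findings.append(f"probe {pname}: type https on port 80; use 'probe http' or port 443")
        if p["type"] == "http" and p["port"] == 443:
            findings.append(f"probe {pname}: type http on port 443; use 'probe https'")
    for fname, f in farms.items():
        for pname in f["probes"]:
            p = probes.get(pname)
            if p is None:
                findings.append(f"serverfarm {fname}: probe {pname} is not defined")
                continue
            if p["port"] is None:
                continue          # assumed to inherit the rserver port (example's assumption)
            for rs, port in f["rservers"]:
                if port is not None and port != p["port"]:
                    findings.append(f"serverfarm {fname}: probe {pname} checks port {p['port']} "
                                    f"but rserver {rs} listens on {port}")
    return findings


# Constructed sample: the probe and serverfarm stanzas from the example posted
# earlier in this thread, which carry the typos Raman pointed out.
AS_POSTED = """\
probe https GEN-HTTPS
  port 80
  expect status 200 200
probe http GEN-HTTP
  port 80
  expect status 200 200
serverfarm host SFARM1
  description SERVER FARM 1 FOR SSL TERMINATION
  probe GEN-HTTPS
  rserver SERVER1 80
    inservice
  rserver SERVER2 80
    inservice
serverfarm host SFARM2
  description SERVER FARM 2 FOR SSL INITIATION
  probe GEN_HTTP
  rserver SERVER3 443
    inservice
  rserver SERVER4 443
    inservice
"""

# The same farms with the probes corrected per the rule above.
CORRECTED = (AS_POSTED.replace("probe https GEN-HTTPS\n  port 80", "probe https GEN-HTTPS\n  port 443")
                      .replace("  probe GEN-HTTPS\n  rserver SERVER1", "  probe GEN-HTTP\n  rserver SERVER1")
                      .replace("  probe GEN_HTTP\n", "  probe GEN-HTTPS\n"))

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"{label}: {lint_probes(cfg) or ['no findings']}")
```

Fixing only the spelling of `GEN_HTTP` is not enough: the lint then reports that an http probe on port 80 is attached to rservers listening on 443, which is exactly the "probe on the wrong port" failure mode Kanwal describes.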

Hello Raman,

I would like to add some comments to your questions:

Question 3: I guess I should have been a little clearer about what I am asking. What I meant to ask was: since there are 4 rservers in this example, why are not all 4 rservers listed in each serverfarm configured above?

Is this by design, to split the load for rservers listening on 443 or 80?

If you have servers listening on ports 80 and 443, etc., when the ACE is taking the load-balancing decision it does not care whether the request needs to go to a server listening on port 80 (like in SSL termination) or on port 443 (like in end-to-end); it just picks one. Good luck if it chooses the correct port, but it might also select another port, which will fail. That is why it is not recommended to mix ports.

Q 6: Are the probe configs correct and have they been applied to the right SF?

You can just leave the default values and test it and then progressively start adding features.

Jorge

Hi Jorge/Kanwal,

So, I wish I could share good news and say I got it to work, but unfortunately I am still having problems.

The attached document has the configs I have been using in my lab.

The file named L4 SLB HTTP HTTPS is my base config that I used in my test bed to have a known good working environment. This config provides L4 load balancing, where the SSL sessions are established between the client and the real servers. The ACE does basic load balancing. I have not applied any sticky to either one of the configs, until I am able to make it work in SSL. Trying to keep it as simple as possible.

The file ACE SSL Config is the actual config for end-to-end SSL.

Here's what I get when I apply the config:

All serverfarms are up (real servers in operational mode).

Service policies for each VIP are up.

In my lab I have created a basic web page on a server, and I am able to pull it up when I type the VIP IP address into the URL of the client.

However, looking at the Wireshark capture, I don't see the SSL traffic between the ACE and the real servers. It all appears to be in the clear.

I also looked at the stats on the ACE, like show conn, and I am not able to see the connection between the two devices (client and real server).

Anyway, could you guys look over the configs (ACE SSL Config) and let me know if I am doing the configs correctly?

I forgot to get the Wireshark capture from the server, so I can provide that as well if you need to see it.

Much thanks for your continued support!

Hello Raman,

Can you copy and paste the current configuration so I can take a look? (You can change the IP addresses for security if you want.)

Here you have a sample of how an END-TO-END SSL configuration should look:

class-map match-all L4-CLASS-HTTPS
  2 match virtual-address 172.16.0.15 tcp eq https

policy-map multi-match VIPs
  class L4-CLASS-HTTPS
    loadbalance vip inservice
    loadbalance policy HTTPS-POLICY
    loadbalance vip icmp-reply
    loadbalance vip advertise active
    appl-parameter http advanced-options http_parameter_map
    ssl-proxy server CISCO-SSL-PROXY

policy-map type loadbalance http first-match HTTPS-POLICY
  class class-default
    serverfarm SF-1
    ssl-proxy client CLIENT-SSL-PROXY

serverfarm host SF-1
  rserver S1 443
    inservice
  rserver S2 443
    inservice
  rserver S3 443
    inservice
  rserver S4 443
    inservice

rserver host S1
  ip address 192.168.0.200
  inservice
rserver host S2
  ip address 192.168.0.201
  inservice
rserver host S3
  ip address 192.168.0.202
  inservice
rserver host S4
  ip address 192.168.0.203
  inservice

ssl-proxy service CLIENT-SSL-PROXY

ssl-proxy service CISCO-SSL-PROXY
  key rsakey.pem
  cert slot2-2tier.pem
  chaingroup Chaingroup1
  ssl advanced-options PARAMETER_SSL

crypto chaingroup Chaingroup1
  cert inter.pem

parameter-map type http http_parameter_map
  persistence-rebalance
  set content-maxparse-length 8192
  set header-maxparse-length 8192

parameter-map type ssl PARAMETER_SSL
  session-cache timeout 300
  queue-delay timeout 1

Here you have a link about it:

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/ssl/guide/endtoend.pdf

Jorge

Hello Raman,

Do you have something like this?

interface vlan 351
  description NDC private Client side interface
  bridge-group 35
  mac-sticky enable
  access-group input NDC-IEMP-IN
  access-group output NDC-IEMP-OUT
  service-policy input LAB-IEMP-SP
  no shutdown

interface vlan 451
  description NDC private Real server
  bridge-group 35
  access-group input NDC-IEMP-IN
  access-group output NDC-IEMP-OUT
  service-policy input LAB-IEMP-SP
  no shutdown

class-map match-all LAB-IEMP-HTTPS-VIP
  description LAB-IEMP-HTTPS-VIP 192.168.1.50
  2 match virtual-address 192.168.1.50 tcp eq https

policy-map multi-match LAB-IEMP-SP
  class LAB-IEMP-HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy LAB-IEMP-HTTPS-PM
    loadbalance vip icmp-reply
    loadbalance vip advertise active
    appl-parameter http advanced-options http_parameter_map
    ssl-proxy server CISCO-SSL-PROXY

ssl-proxy service CLIENT-SSL-PROXY

ssl-proxy service CISCO-SSL-PROXY
  key tac-key.pem
  cert tac-cert.pem
  chaingroup tac-Chaingroup
  ssl advanced-options PARAMETER_SSL

crypto chaingroup tac-Chaingroup
  cert tac-root.pem
  cert tac-intermediate.pem

parameter-map type http http_parameter_map
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 65535
  set content-maxparse-length 65535
  length-exceed continue
  parsing non-strict

parameter-map type ssl PARAMETER_SSL
  session-cache timeout 300
  queue-delay timeout 1

policy-map type loadbalance first-match LAB-IEMP-HTTPS-PM
  class class-default
    sticky-serverfarm launchpad_dev_secure
    ssl-proxy client CLIENT-SSL-PROXY

sticky http-cookie ACE-insert launchpad_dev_secure
  cookie insert browser-expire
  timeout 5
  serverfarm LAB-IEMP-HTTPS

serverfarm host LAB-IEMP-HTTPS
  description LAB-IEMP-HTTPS
  predictor leastconns
  rserver RS01 443
    inservice
  rserver RS02 443
    inservice
  rserver RS03 443
    inservice
  rserver RS04 443
    inservice
  rserver RS05 443
    inservice

rserver host RS01
  description RS01 192.168.1.194
  ip address 192.168.1.194
  inservice
rserver host RS02
  description RS02 192.168.1.195
  ip address 192.168.1.195
  inservice
rserver host RS03
  description RS03 192.168.1.196
  ip address 192.168.1.196
  inservice
rserver host RS04
  description RS04 192.168.1.197
  ip address 192.168.1.197
  inservice
rserver host RS05
  description RS05 192.168.1.198
  ip address 192.168.1.198
  inservice

Jorge

Hi Jorge,

Great news, I was finally able to make this work!

However, I did have to make a couple of changes to successfully establish the end-to-end SSL.

I removed the parameter-map type http http_parameter_map from policy-map multi-match LAB-IEMP-SP.

I didn't get a chance to investigate why removing this command helped the overall connectivity. I will have more information tomorrow when I get back to work.

I have one more question to ask you in regard to importing the certificate and key. Currently I am using the cert and key that came with the ACE30 module. I am planning on importing the certificate that was provided to me by my customer.

The key file that I need to import: should that contain the private key, the public key, or both?

Thanks again for all your help to resolve this.

Best Regards,

-raman

Hello Raman,

Yes, something like this:

ACE-M2/Admin# crypto import terminal tac-key
Please enter PEM formatted data. End with "quit" on a new line.
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCnNV6UrlF62uVVkJYJhdHfxh3G5nMojhBCO1dsO0MwKDCBryq8
YvAKkyA5C6zB7rP+HSDvEXKVNW6EN2k4+wnpR2hbnyVlQKKEL63OUbxFRPwl2iN2
CVxFSaI+/g7ondZkRKCCOXJCxRaDC3k/lDGENSUwNL4+wP8vsM7fmtZ6VQIDAQAB
AoGATIKbOKVbG0A2WCTEwq69Dgv1bCHe59u5jNTid9/WKp75Mx4YDAOpmu0ffXre
Hg8/xTNG8p2lNKkyXMWOHEiii6J1ENk5L6r05YHy6XfvTqFpdUQsjtW8+nWmb1f9
SJfOdpwhbLmCdcJRpOu2ObHPnM3C6QaIWzVSy/055NRTZwECQQDVlICIfAr8ARvC
EoCyks8wS+YZ1kqJI2quboL2aChCI8slq1XCSYr26pz4wr/07Lp+msIKH3ziCq75
dUpuRXslAkEAyqC504DB+4VZpWdL7javgrSDT8s/KZ64sBLJqFJ1VTsHcLkmGNE
Llq0+o2OfvzcQJAJh3KkpEQpMjN22TR8wygTU4+Un4b7z2S3G58kN0l0ifxKVfah
kH5uvdD7GFVQLC+17lmx8e20eB2Oa7lCaj8wQJBALbuop6cxRsu/IhJfvbU/KucqJi/QUg3r75a6G0ZS2T47jCzRLFPT9TiBQlcZQtY49GfZ22OIv9P7sVM
84ALi9ECQQCLIGX9AwUBMJ9TQBbSOQkC0C5bxJ6jKeceTAxByYAF
-----END RSA PRIVATE KEY-----
quit

ACE-M2/Admin# crypto import terminal tac-cert
Please enter PEM formatted data. End with "quit" on a new line.
-----BEGIN CERTIFICATE-----
.
.
.
-----END CERTIFICATE-----
quit

ACE-M2/Admin# crypto import terminal tac-inter
Please enter PEM formatted data. End with "quit" on a new line.
-----BEGIN CERTIFICATE-----
.
.
.
-----END CERTIFICATE-----
quit

ACE-M2/Admin# crypto import terminal tac-root
Please enter PEM formatted data. End with "quit" on a new line.
-----BEGIN CERTIFICATE-----
.
.
.
-----END CERTIFICATE-----
quit

ACE-M2/Admin# sh crypto files
Filename                                 File  File    Expor      Key/
                                         Size  Type    table      Cert
-----------------------------------------------------------------------
tac-cert                              1874  PEM     Yes        CERT
tac-inter                             1964  PEM     Yes        CERT
tac-key                               887   PEM     Yes         KEY
tac-root                              1566  PEM     Yes        CERT
ACE-M2/Admin#

ACE-M2/Admin# crypto verify tac-key tac-cert
Keypair in tac-key matches certificate in tac-cert.
ACE-M2/Admin#

2) Now, we are going to configure the chain-group:

ACE-M2/Admin(config)# crypto chaingroup tac-chaingroup
ACE-M2/Admin(config-chaingroup)# cert tac-root
ACE-M2/Admin(config-chaingroup)# cert tac-inter
ACE-M2/Admin(config-chaingroup)# exit
ACE-M2/Admin(config)#

ACE-M2/Admin# sh crypto chaingroup all
chaingroup tac-chaingroup contains:
  tac-root
  tac-inter
ACE-M2/Admin#

3) Now we are going to configure the ssl-proxy service:

ACE-M2/Admin(config)# ssl-proxy service tac-ssl-proxy
ACE-M2/Admin(config-ssl-proxy)# chaingroup tac-chaingroup
ACE-M2/Admin(config-ssl-proxy)# cert tac-cert
ACE-M2/Admin(config-ssl-proxy)# key tac-key
ACE-M2/Admin(config-ssl-proxy)# end

ssl-proxy service tac-ssl-proxy
  key tac-key
  cert tac-cert
  chaingroup tac-chaingroup

It sounds great that it is working now.

Hope this helps.

Jorge
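The import session above, complemented by an added pre-flight check for the PEM files before they are pasted into `crypto import terminal`. This is not an ACE command and not part of the thread: it confirms that the file destined for the key slot carries a PRIVATE KEY block (the public key is embedded in the certificate and is not imported separately), that the body is valid base64, and that the length claimed by the outer DER SEQUENCE agrees with the decoded size, which is what a truncated or re-wrapped paste breaks. The sample DER bytes are constructed for the example and are not a real key; `crypto verify` on the ACE remains the authoritative key/certificate match check.

```python
"""Added example: pre-import sanity check for PEM key/certificate files (not an ACE tool)."""
import base64
import re

# One PEM block: label on BEGIN must match the label on END (backreference \1)
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_total_length(data):
    """Length (header included) the outermost DER SEQUENCE claims, or None if malformed."""
    if len(data) < 2 or data[0] != 0x30:            # 0x30 = SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                                 # short-form length
        return 2 + first
    n = first & 0x7F                                 # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def check_pem(text, expected):
    """expected is 'key' or 'cert'. Returns a list of problems; empty means the file looks usable."""
    problems = []
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no PEM block found (missing or mismatched BEGIN/END lines)"]
    for label, body in blocks:
        if expected == "key" and "PRIVATE KEY" not in label:
            problems.append(f"expected a PRIVATE KEY block but found {label}")
        if expected == "cert" and label != "CERTIFICATE":
            problems.append(f"expected a CERTIFICATE block but found {label}")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                           # binascii.Error is a ValueError
            problems.append(f"{label}: body is not valid base64 (truncated or corrupted paste?)")
            continue
        claimed = der_total_length(der)
        if claimed is None:
            problems.append(f"{label}: decoded data does not start with a DER SEQUENCE")
        elif claimed != len(der):
            problems.append(f"{label}: DER claims {claimed} bytes but {len(der)} decoded (truncated?)")
    return problems


def build_pem(label, der_bytes):
    """Wrap DER bytes as a PEM block with 64-character lines (used to build test inputs)."""
    b64 = base64.b64encode(der_bytes).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed stand-in for DER content: SEQUENCE { INTEGER 0, OCTET STRING "" }.
# It is structurally valid DER but deliberately not a real RSA key.
SAMPLE_DER = bytes([0x30, 0x05, 0x02, 0x01, 0x00, 0x04, 0x00])

if __name__ == "__main__":
    key_pem = build_pem("RSA PRIVATE KEY", SAMPLE_DER)
    print("key slot, key file      :", check_pem(key_pem, "key") or "ok")
    print("cert slot, key file     :", check_pem(key_pem, "cert"))
    print("key slot, public key    :", check_pem(build_pem("PUBLIC KEY", SAMPLE_DER), "key"))
    print("key slot, truncated DER :", check_pem(build_pem("RSA PRIVATE KEY", SAMPLE_DER[:-1]), "key"))
```

The DER length comparison is the useful part: a paste that loses a byte or a line may still be valid base64 and still carry intact BEGIN/END markers, so the only hint left before the import fails is that the SEQUENCE header promises more bytes than arrived.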
