
limitation of eight chaingroups per context in ACE 4700 Series Appliance

cscherb (Level 1)

The ACE 4710 appliance currently has a limitation of 1024 virtual servers, but each context has a limitation of eight chain groups. In my point of view, a limitation of eight chain groups is far too low. Using SSL certificates from a public CA often requires delivering the certificate and intermediate certificates to the client. In this scenario the limit of 8 chain groups is reached very soon, as you need a chain group per virtual server.

Accepted Solution

sachinga.hcl (Level 4)

Hi cscherb,

A chain group specifies the certificate chains that the ACE sends to its peer during the handshake. A certificate chain is a hierarchical list of certificates that includes the subject's certificate, the root CA certificate, and any intermediate CA certificates. Using the information provided in a certificate chain, the certificate verifier can search for a trusted authority in the certificate hierarchical list back to the root CA. The verifier may find what it considers a trusted authority before reaching the root CA certificate, in which case the verifier stops searching.

But as per my understanding:

The ACE supports the following certificate chain group capabilities:

• A chain group can contain up to eight certificate chains.

• Each context on the ACE can contain up to eight chain groups, i.e. 8*8 certificate chains.

• By default, your ACE provides an Admin context and five user contexts, which allows you to use multiple contexts if you choose to configure them. To increase the number of user contexts up to a maximum of 20, you must obtain a separate license from Cisco Systems.

So the total number of chain groups that can be used is 8*20 = 160.

And the number of virtual servers is 1024.

SSL proxy termination service allows the virtual server to act as an SSL proxy server and terminate SSL sessions between it and its clients.

So:

1. SSL proxy service = SSL parameter map (SSL version, cipher suites, close-protocol, session ID reuse timeout, query delay), client authentication, key pair file, CRL retrieval, certificate file, chain group

2. Class maps = (Layer 3 and Layer 4 match criteria applied to inbound traffic) = contains virtual IP address, source address, destination address, access list, port, any

Policy maps = contain (1+2), i.e. (SSL proxy service + class maps)

So you define the virtual server IP in class maps and chain groups in the SSL proxy service.

They will work when you combine both inside a policy map (for Layer 3/Layer 4).

Policy maps ---> apply globally to all VLANs in a context (a context can contain 8 chain groups).

You can specify the certificate chain that the ACE sends to its peer ACE during the SSL handshake by using the chaingroup command.

So this chain group is assigned to the whole context, and inside the context any number of virtual servers can use the same chain group.

You can configure chain groups for the context in an ACE using the SSL proxy service only.

All the virtual servers inside the context use the one chain group service.

Select Config > Devices > context > SSL > Chain Group Parameters. The Chain Group Parameters table appears.

SSL termination refers to configuring an ACE context for a front-end application in which the ACE operates as an SSL server that communicates with a client. When you create a Layer 3 and Layer 4 policy map to define the flow between an ACE and a client, the ACE operates as a virtual SSL server by adding security services between a web browser (the client) and the HTTP connection (the server). All inbound SSL flows from a client terminate at the ACE.

In the ANM, a viable virtual server has the following attributes:

• A default Layer 7 action

• A Layer 3/Layer 4 class map

• The virtual server multi-match policy map is associated with an interface or is global.

The name of the virtual server is derived from the name of the Layer 3/Layer 4 class map.

After the connection is terminated, the ACE decrypts the ciphertext from the client and sends the data as clear text to an HTTP server.

You need not assign a different chain group to every virtual server.

I am just sharing my vision with you. Correct me if I am wrong.

Kind Regards,

Sachinga@hcl.in
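The structure described in the answer above (chain group referenced from the ssl-proxy service, virtual server defined by the Layer 3/4 class map, both tied together in the multi-match policy map), written out as an ACE CLI configuration. This is an added, constructed example and not configuration from the original post; the VIP addresses, serverfarm, VLAN, object names and PEM file names are placeholders, and the key, certificate and intermediate files are assumed to have already been imported into the context. Three virtual servers are shown: two whose server certificates come from the same public CA and therefore share one chain group, and one whose certificate was issued by a different CA and needs its own.

```text
! Chain groups hold only the issuing (intermediate) CA certificates;
! the server certificate itself is referenced from the ssl-proxy service.
! One chain group per CA hierarchy, not one per virtual server.
crypto chaingroup PUBLIC_CA_CHAIN
  cert public-ca-intermediate.pem

crypto chaingroup OTHER_CA_CHAIN
  cert other-ca-intermediate.pem

parameter-map type ssl SSL_PARAMS
  version TLS1
  cipher RSA_WITH_AES_128_CBC_SHA

! Two different server certificates, same issuing CA, same chain group.
ssl-proxy service WWW_SSL
  key www-key.pem
  cert www-cert.pem
  chaingroup PUBLIC_CA_CHAIN
  ssl advanced-options SSL_PARAMS

ssl-proxy service SHOP_SSL
  key shop-key.pem
  cert shop-cert.pem
  chaingroup PUBLIC_CA_CHAIN
  ssl advanced-options SSL_PARAMS

! Certificate from a second CA: only this one consumes another chain group.
ssl-proxy service API_SSL
  key api-key.pem
  cert api-cert.pem
  chaingroup OTHER_CA_CHAIN
  ssl advanced-options SSL_PARAMS

! Layer 3/4 class maps define the VIPs; the virtual server takes its name
! from the class map.
class-map match-all VIP_WWW_443
  2 match virtual-address 192.0.2.10 tcp eq https

class-map match-all VIP_SHOP_443
  2 match virtual-address 192.0.2.11 tcp eq https

class-map match-all VIP_API_443
  2 match virtual-address 192.0.2.12 tcp eq https

policy-map type loadbalance first-match LB_WEB
  class class-default
    serverfarm WEB_FARM

! The multi-match policy map pairs each class map (VIP) with its
! ssl-proxy service, and through it with the chain group.
policy-map multi-match VIPS
  class VIP_WWW_443
    loadbalance vip inservice
    loadbalance policy LB_WEB
    ssl-proxy server WWW_SSL
  class VIP_SHOP_443
    loadbalance vip inservice
    loadbalance policy LB_WEB
    ssl-proxy server SHOP_SSL
  class VIP_API_443
    loadbalance vip inservice
    loadbalance policy LB_WEB
    ssl-proxy server API_SSL

interface vlan 100
  ip address 192.0.2.1 255.255.255.0
  service-policy input VIPS
  no shutdown
```

With this layout the per-context limit of eight chain groups becomes a limit of eight distinct CA hierarchies per context, not eight virtual servers. The root CA certificate does not need to be in the chain group, since a client that does not already trust the root cannot use it anyway; sending only the intermediates keeps the handshake smaller. After applying the configuration, confirm what a client actually receives from outside the ACE with `openssl s_client -connect 192.0.2.10:443 -showcerts` and check that the server certificate is followed by the intermediate from the chain group.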


3 Replies


Ok, my initial understanding was that chain groups should include the subject certificate. Now I understand that the subject certificate is not included in the chain group; only intermediate and root certificates are included in the chain group. In this constellation 8 chain groups per context are enough, as I could use certificates from 8 different CAs.

thanks for your rating.

Also keep posting and do not hesitate to write your queries.

I will be looking to give any further assistance.

sachin garg
