Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1079
Views
3
Helpful
2
Replies

Modifying an "ssl-proxy-list" without disturbing the active sessions.

Go to solution
fsteininger
Level 1
Level 1

‎09-24-2007 01:02 AM

Hello,

I would like to know if it is possible to have two SSL modules installed in a CSS11503 with each one having it's own "ssl-proxy-list" ("ssl-proxy-list list1" and "ssl-proxy-list list2"), but the two lists (list1 and list2) are exactly the same.

I will explain my idea:

In normal situation the two "ssl-proxy-list" are active and the user's encrypted sessions are load balanced between the two SSL modules. But when we need to make a change to the "ssl-proxy-list", like changing a server's certificate, I would like to be able to suspend one service (type ssl-accel with the "ssl-proxy-list List1" attached to it for example) and wait for all active sessions to terminate before suspending the "ssl-proxy-list list1" for applying the changes.

Once the first "ssl-proxy-list" is updated I would make it active again and apply the same changes to the second "ssl-proxy-list".

Doing this this way I would like to be able to upgrade the servers's certificate during the working houres without disturbing the connected users...

Do you think this way of doing would be possible, or do you have an other solution to modify a "ssl-proxy-list" without disturbing the active running sessions ?

Thank you for your answer,

Best regards

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Gilles Dufour
Cisco Employee
Cisco Employee

‎09-25-2007 08:48 AM

sounds like a good solution to me.

Gilles.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Gilles Dufour
Cisco Employee
Cisco Employee

‎09-25-2007 08:48 AM

sounds like a good solution to me.

Gilles.

0 Helpful

Go to solution
sachinga.hcl
Level 4
Level 4

‎10-04-2008 12:09 PM

Hi Francois,

An SSL proxy list may belong to multiple SSL services (one SSL proxy list per service), and an SSL service may belong to multiple content rules. You can apply the services to content rules that allow the CSS to direct SSL requests for content.

The CSS supports one active SSL service for each SSL module in the CSS, one SSL service per slot. You can configure more than one SSL service for a slot but only a single SSL service can be active at a time.

No modifications to an SSL proxy list are permitted on an active list. Suspend the list prior to making changes, and then reactivate the SSL proxy list once the changes are complete. Once you have modified the SSL proxy list, suspend the SSL service, reactivate the SSL proxy list, and then reactivate the SSL service.

You can use maximum 4 different certificates at a time.

Use the suspend command to suspend an active SSL proxy list.

To suspend an active SSL proxy list, enter:

(config-ssl-proxy-list[ssl_list1])# suspend

use the url below for your reference:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.10/command/reference/CmdSSLC.html

Kind regards,

Sachin Garg

Senior Specialist Security

HCL Comnet Ltd.

http://www.hclcomnet.co.in

A-10, Sector 3, Noida- 201301

INDIA

Mob: +91-9911757733

Email: sachinga@hcl.in

Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card

Top