04-02-2011 12:34 PM
it seems that basically you configure ssl proxy client under layer 7 map
and a parameter map if you are concerned about keys
but does the ACE initiate based on IP address of the server and not the common name of the website/cert?
and wouldn't this cause an error?
What about Trusted Authorities? how will the ACE know if this is a trusted cert
And key validation
We have implemented ssl initiation without any issues with just the "ssl proxy client x" command under layer 7
but now we are having issues with another implementation and the developers are wondering about the questions I just posted
04-06-2011 07:10 AM
Good afternoon,
it seems that basically you configure ssl proxy client under layer 7 map and a parameter map if you are concerned about keys
Yes, this is the only thing that is required for the most basic setup
but does the ACE initiate based on IP address of the server and not the common name of the website/cert?
As you said, the ssl-proxy client is configured under a L7 map, and therefore, you can do any L7 load-balancing decisions before you choose the serverfarm to which the connection will go. At this point you could match on the hostname of the original HTTP request and based on that send the connection to one farm or another
What about Trusted Authorities? how will the ACE know if this is a trusted cert
By default, the ACE will only check if the certificate is a server one and not expired, but you can also configure the ACE to test it against a set of preconfigured certificate authorities. For more details, check http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/ssl/guide/initiate.html#wp1084113
If you have any other questions, please, do not hesitate to contact me again
Regards
Daniel
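As an added example (not from the thread or from Cisco's documentation), the pieces Daniel describes put together in ACE A2(3.0)-style configuration: a parameter map restricting the ciphers and protocol version the ACE will negotiate with the back-end server, an authgroup holding a CA bundle so the server certificate is validated against trusted CAs instead of only being checked for type and expiry, and an L7 policy that picks the serverfarm by Host header before the ssl-proxy client is applied. All object names, the CA file name and the addresses are placeholders, and the `!` lines are annotations.

```cisco
! Restrict what the ACE will negotiate with the back-end (the "keys" concern)
parameter-map type ssl BACKEND-SSL-PARAMS
  cipher RSA_WITH_AES_256_CBC_SHA
  version TLS1

! The CA bundle must first be loaded onto the ACE with "crypto import" as TRUSTED-CA.PEM.
! Attaching it through an authgroup is what enables chain validation; with no authgroup
! the ACE only checks that the certificate is a server certificate and is not expired.
crypto authgroup BACKEND-CAS
  cert TRUSTED-CA.PEM

ssl-proxy service SSL-TO-BACKEND
  authgroup BACKEND-CAS
  ssl advanced-options BACKEND-SSL-PARAMS

! Back-end server (placeholder address); SSL initiation goes to port 443
rserver host APP-SRV-1
  ip address 192.0.2.10
  inservice

serverfarm host SF-APP-SSL
  rserver APP-SRV-1 443
    inservice

! The L7 match runs before the serverfarm (and so the SSL initiation) is chosen,
! so the decision is made on the client's Host header, not on the server's IP
class-map type http loadbalance match-any APP-HOST
  2 match http header Host header-value "app.example.com"

policy-map type loadbalance first-match L7-BACKEND-SSL
  class APP-HOST
    serverfarm SF-APP-SSL
    ssl-proxy client SSL-TO-BACKEND
```

Requests that do not match APP-HOST fall through without a serverfarm in this policy, so add a class-default (or a second class) if other hostnames should also be served.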
04-11-2011 12:09 PM
thx!