SSL termination on ACE for Management purpose

subingsam
Level 1

Can anybody let me know the steps / commands to terminate an SSL certificate and key on the ACE for management purposes? It will help me access the ACE box through Explorer using HTTPS.

1 Reply

sachinga.hcl
Level 4

Hi Subin,

You can use Cisco Application Networking Manager 4.1 for accessing, managing and administering the ACE through a web browser using HTTPS.

http://www.cisco.com/en/US/prod/collateral/contnetw/ps5719/ps6904/product_bulletin_c25_622538.html

http://www.cisco.com/en/US/prod/collateral/contnetw/ps5719/ps6904/product_bulletin_c25-572614.html

Use the following links for installation:

http://www.cisco.com/en/US/products/ps6904/prod_installation_guides_list.html

End-User Guides

http://www.cisco.com/en/US/products/ps6904/products_user_guide_list.html

User Guide for the Cisco Application Networking Manager 4.1

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/application_networking_manager/4.1/user/guide/User_Guide.html

The following steps are needed to configure SSL termination on the Cisco ACE:

1. Generate or import the key.

The syntax to generate the key on the Cisco ACE follows:

crypto generate key 1024

Example: crypto generate key 1024 testkey

The syntax to import the key to the Cisco ACE follows:

crypto import [non-exportable] [ ftp | sftp | tftp | terminal] [passphrase:passphrase] [ipaddr] [username] [password] [remote_filename] [local_filename]

2. Then generate the certificate signing request (CSR).

The CSR can either be generated externally or on the Cisco ACE.

The following are sample steps that show how to generate a CSR on the Cisco ACE:

Configure CSR parameters on the Cisco ACE:

crypto csr-params test123
  country US
  state CA
  organization-unit IT
  common-name aceapp.ccc.com
  serial-number 1000
  email user@ccc.com

Generate the CSR using the key and the CSR parameters:

crypto generate csr test123 testkey

-----BEGIN CERTIFICATE REQUEST-----
MIIBnTCCAQYCAQAwXTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQswCQYDVQQLEwJJVDEXMBUGA1UEAxMOYWNlY
XBwLmNjYy5jb20xGzAZBgkqhkiG9w0BCQEWDHVzZXJAY2NjLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgY
EA1eaM318pX10/G8FYpi0cBRHdZA1Lxd9Q1vz2/nedQnNOkt0ZWQogH1Zgd5sxLHlPtn5afADhXmVreoY3c+s7TSG
vMLLXTIKxTbcURlw/0Y6CGpI/e3ASUBeLtMg7LE2C1EG6ZUL9HJyhUrZNXwOBXFAFL9DwrEx9CQJTmnKzj/8CAwEA
AaAAMA0GCSqGSIb3DQEBBAUAA4GBAJbKwzS/vuKhiu+PvEySUzCCHclA+x4KiON26txzKyog7YF7D0ZMKMcQjxrKW
ZRWtQgZPjv43Yzwqz4L8w8PyGsmBl7EYi7bOHQjcoKitfL4LJ9Qro8tf/tdn5DC1rGd3BP4XQ9SlxNBgHxzlzFS2f
WI/ynCmv5rbMtG+f/LHyKA
-----END CERTIFICATE REQUEST-----

3. Now transfer the CSR to the Certificate Authority (CA) for signing.

4. Load the CA-signed certificate on the Cisco ACE.

The syntax to import the certificate to the Cisco ACE follows:

crypto import [non-exportable] [ ftp | sftp | tftp | terminal] [passphrase:passphrase] [ipaddr] [username] [password] [remote_filename] [local_filename]

5. If needed, chain the certificates using a chain group:

The chain consists of the certificates in the chain group, plus the configured certificate.

crypto chaingroup CCCSSLCA-group
  cert CCCSSLCA.PEM
  cert DSTROOTCA.PEM
  cert ACEAPP-CERT.PEM

6. Configure the SSL parameter map, which is used to define parameters for SSL connections:

parameter-map type ssl PARAMMAP_SSL
  cipher RSA_WITH_AES_128_CBC_SHA priority 2

7. Configure SSL proxy service:

ssl-proxy service PSERVICE_SERVER
  key ACEKEY.PEM
  cert ACEIDM-CERT.PEM
  chaingroup CISCOSSLCA-group
  ssl advanced-options PARAMMAP_SSL

Note: When you are creating a certificate signing request (CSR) at the ACE CLI using the csr-generate command, you cannot use the space character in the State value. Workaround: Use the state abbreviation.

As in the example here, California is given by its abbreviation CA. So use the same form for states: only one word, without spaces.

Kindly find the URLs mentioned below for further information:

1. http://docwiki.cisco.com/wiki/SSL_Termination_on_the_Cisco_Application_Control_Engine_Without_an_Existing_Chained_Certificate_and_Key_in_Routed_Mode_Configuration_Example

2. http://docwiki.cisco.com/wiki/SSL_Termination_on_the_Cisco_Application_Control_Engine_Without_an_Existing_Chained_Certificate_and_Key_in_One_Arm_Mode_Configuration_Example

3. http://cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/ssl/guide/certkeys.html

4. Command line: CSR Parameters Configuration Mode Commands
   http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/command/reference/csrparam.html

5. Configure ACE with SSL Termination and URL Rewrite
   http://docwiki.cisco.com/wiki/Category:Data_Center_Application_Services_Configuration_Examples
   http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3045.shtml
   http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Configuration_Examples
   http://www.cisco.com/en/US/products/hw/modules/ps2706/prod_configuration_examples_list.html

Kindly rate if found useful.

HTH

Sachin Garg
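As an added example (not Cisco code and not part of the reply above), the following Python script decodes the sample CSR printed by the ACE in the reply with a small standard-library DER parser and checks it against the csr-params block: it confirms that the subject fields in the CSR match what was configured, enforces the single-word State caveat from the note, and reports the key size and signature algorithm so a weak key or hash is noticed before the CSR goes to the CA. The csr-params parsing and the keyword-to-DN-attribute mapping are this script's own assumptions about the CLI text shown here, not a Cisco API; serial-number is not compared because it does not appear as a subject attribute in the sample CSR.

```python
import base64

# The sample CSR from the reply above, reproduced here as test input.
SAMPLE_CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIIBnTCCAQYCAQAwXTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQswCQYDVQQLEwJJVDEXMBUGA1UEAxMOYWNlY
XBwLmNjYy5jb20xGzAZBgkqhkiG9w0BCQEWDHVzZXJAY2NjLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgY
EA1eaM318pX10/G8FYpi0cBRHdZA1Lxd9Q1vz2/nedQnNOkt0ZWQogH1Zgd5sxLHlPtn5afADhXmVreoY3c+s7TSG
vMLLXTIKxTbcURlw/0Y6CGpI/e3ASUBeLtMg7LE2C1EG6ZUL9HJyhUrZNXwOBXFAFL9DwrEx9CQJTmnKzj/8CAwEA
AaAAMA0GCSqGSIb3DQEBBAUAA4GBAJbKwzS/vuKhiu+PvEySUzCCHclA+x4KiON26txzKyog7YF7D0ZMKMcQjxrKW
ZRWtQgZPjv43Yzwqz4L8w8PyGsmBl7EYi7bOHQjcoKitfL4LJ9Qro8tf/tdn5DC1rGd3BP4XQ9SlxNBgHxzlzFS2f
WI/ynCmv5rbMtG+f/LHyKA
-----END CERTIFICATE REQUEST-----"""

# The csr-params block from the reply, as typed at the ACE CLI.
SAMPLE_CSR_PARAMS = """crypto csr-params test123
  country US
  state CA
  organization-unit IT
  common-name aceapp.ccc.com
  serial-number 1000
  email user@ccc.com"""

# Assumed mapping of ACE csr-params keywords to X.509 DN attributes.
PARAM_TO_DN = {"country": "C", "state": "ST", "organization-unit": "OU",
               "common-name": "CN", "email": "emailAddress"}

OID_NAMES = {
    "2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.11": "OU", "2.5.4.3": "CN",
    "2.5.4.5": "serialNumber", "1.2.840.113549.1.9.1": "emailAddress",
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}


def _read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _children(value):
    """Split the contents of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _decode_oid(raw):
    """Turn OID content bytes into dotted notation (e.g. 2.5.4.3)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_csr(pem):
    """Return subject, key algorithm/size and signature algorithm of a PKCS#10 CSR."""
    lines = [l.strip() for l in pem.splitlines()]
    der = base64.b64decode("".join(l for l in lines if l and not l.startswith("-----")),
                           validate=True)
    _, request, _ = _read_tlv(der, 0)
    (_, info), (_, sig_alg), _ = _children(request)[:3]        # info, algorithm, signature
    (_, version), (_, subject), (_, spki) = _children(info)[:3]
    dn = {}
    for _, rdn_set in _children(subject):                      # each RDN is a SET
        for _, atv in _children(rdn_set):                      # of AttributeTypeAndValue
            (_, oid), (_, val) = _children(atv)[:2]
            dn[OID_NAMES.get(_decode_oid(oid), _decode_oid(oid))] = val.decode("latin-1")
    (_, key_alg), (_, key_bitstr) = _children(spki)[:2]
    key_oid = _decode_oid(_children(key_alg)[0][1])
    key_bits = None
    if key_oid == "1.2.840.113549.1.1.1":                      # RSAPublicKey in the BIT STRING
        (_, rsa_pub), = _children(key_bitstr[1:])              # byte 0 = unused-bit count
        (_, modulus), _ = _children(rsa_pub)[:2]
        key_bits = int.from_bytes(modulus, "big").bit_length()
    sig_oid = _decode_oid(_children(sig_alg)[0][1])
    return {"version": int.from_bytes(version, "big"), "subject": dn,
            "key_algorithm": OID_NAMES.get(key_oid, key_oid), "key_bits": key_bits,
            "signature_algorithm": OID_NAMES.get(sig_oid, sig_oid)}


def parse_csr_params(text):
    """Parse a 'crypto csr-params' block (first line is the mode command) into a dict."""
    params = {}
    for line in text.splitlines()[1:]:
        key, _, value = line.strip().partition(" ")
        if key:
            params[key] = value
    return params


def check_csr_params(params):
    """Problems in the csr-params block itself: the State value must be one word."""
    if " " in params.get("state", ""):
        return ["state must be a single word on the ACE CLI, e.g. CA instead of California"]
    return []


def compare_csr_to_params(info, params):
    """Configured values that did not end up in the CSR subject as expected."""
    return [f"{key}: configured {params[key]!r}, CSR has {info['subject'].get(attr)!r}"
            for key, attr in PARAM_TO_DN.items()
            if key in params and info["subject"].get(attr) != params[key]]


def audit_csr(info):
    """Warnings a CA or a reviewer would raise before signing this CSR."""
    warnings = []
    if info["key_algorithm"] == "rsaEncryption" and info["key_bits"] < 2048:
        warnings.append(f"RSA key is only {info['key_bits']} bits; use 2048 or more")
    if info["signature_algorithm"] in ("md5WithRSAEncryption", "sha1WithRSAEncryption"):
        warnings.append(f"CSR signed with {info['signature_algorithm']}, a deprecated hash")
    return warnings


if __name__ == "__main__":
    csr = parse_csr(SAMPLE_CSR_PEM)
    cfg = parse_csr_params(SAMPLE_CSR_PARAMS)
    print(csr)
    print(check_csr_params(cfg), compare_csr_to_params(csr, cfg), audit_csr(csr))
```

Run as-is to print the decoded fields of the sample; paste your own `crypto generate csr` output into SAMPLE_CSR_PEM and the csr-params block into SAMPLE_CSR_PARAMS to check a real request. The audit step is the part worth keeping in a change checklist: a 1024-bit key or an MD5/SHA-1 signature is something a CA will refuse today, so it is better to catch it at the CLI than after the CSR has been submitted.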
