05-05-2011 02:52 AM - edited 08-28-2017 02:57 AM
This document will explain how you can optimize your HTTPS traffic when you have a topology looking like this:
By default, HTTPS traffic is only TFO optimized on WAAS so if you pass such a connection through a WAAS setup, you'll get the following output from a "show statistics connection":
EDGE-WAE-1#sh statistics connection

Current Active Optimized Flows:                    1
   Current Active Optimized TCP Plus Flows:        0
   Current Active Optimized TCP Only Flows:        1
   Current Active Optimized TCP Preposition Flows: 0
Current Active Auto-Discovery Flows:               1
Current Reserved Flows:                            10
Current Active Pass-Through Flows:                 0
Historical Flows:                                  102

D:DRE,L:LZ,T:TCP Optimization RR:Total Reduction Ratio
A:AOIM,C:CIFS,E:EPM,G:GENERIC,H:HTTP,M:MAPI,N:NFS,S:SSL,V:VIDEO

ConnID   Source IP:Port      Dest IP:Port        PeerID             Accel   RR
799      172.16.5.2:1119     172.16.2.2:443      00:22:64:96:eb:5c  T       00.0%
EDGE-WAE-1#
This is due to the fact that the encrypted traffic is by definition very random and thus does not get any benefit from the DRE/LZ optimization.
To overcome this limitation, the SSL Accelerator was introduced in WAAS 4.1.3. It allows the Edge WAE to decrypt the traffic, optimize it and then re-encrypt it. The same happens on the Core WAE, which decrypts the traffic, restores its original form and then re-encrypts it towards the destination server.
To be able to optimize the SSL traffic, we will need to export the server's certificate and private key, plus the certificate of the CA that issued the server certificate. Here is how it can be done:
Here is how you can export your certificates/key from your IIS server:
-Launch the Start menu and click on Run
-Type mmc in the window that popped up, then click OK. This will launch the Management Console
-Once it appears, go to the File menu and select Add/Remove Snap-in
-Follow this path to add the computer certificates view:
-Once the snap-in is added, open it, go to the Personal > Certificates folder, right-click the certificate used by IIS and click Export. Follow these steps afterwards:
If "Yes, export the private key" is greyed out at this step, your original key was marked as non-exportable and you won't be able to export it.
-You will then be asked for a password to protect the private key. Once it is entered, you'll be able to save the data in pfx format.
-WAAS uses the PEM format for certificates, so you'll need to copy your file to a machine with OpenSSL installed and convert it with the following command:
nfournie@nfournie-laptop:~$ openssl pkcs12 -in cdn-server-1.pfx -out cert.pem -nodes
(Enter here the password you set when exporting the key from the Management Console)
This will generate a single file that will look like this:
cert.pem
Bag Attributes
You'll need to copy/paste the parts in red into three different files:
File Name     Content
client.key    Server private key
client.crt    Server certificate
CA.crt        CA certificate
You can refer to the Bag Attributes before the actual data to see which part is what.
This whole document assumes that your server certificate was issued directly by your root CA. With a multi-level CA hierarchy, you'll have to put the whole chain, not a single certificate, in the CA.crt file.
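Splitting cert.pem by hand works, but it is easy to paste the wrong block or to miss an intermediate CA. The following script is an added example (not part of the original document and not a Cisco tool): it reads the PEM bundle written by openssl pkcs12 -nodes, uses the Bag Attributes and the subject=/issuer= lines OpenSSL prints above each block to decide which block is the key, the server certificate and the CA certificate(s), and warns when the server certificate was not issued directly by the root CA, which is the multi-level case described above. The bundles it runs on are constructed; their PEM bodies are placeholders, not real key or certificate material.

```python
"""Split an `openssl pkcs12 -nodes` PEM bundle into client.key, client.crt and CA.crt
and check that the server certificate chains directly to a self-signed root."""
import re
from typing import Dict, List, Tuple

# One PEM block: "-----BEGIN X-----" ... "-----END X-----" (X may contain spaces).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.DOTALL)


def parse_bundle(text: str) -> List[Dict[str, str]]:
    """Return one record per PEM block: its type, the block itself, and the
    friendlyName / localKeyID / subject / issuer lines printed just before it."""
    records, pos = [], 0
    for m in PEM_BLOCK.finditer(text):
        header, pos = text[pos:m.start()], m.end()
        attrs: Dict[str, str] = {}
        for line in header.splitlines():
            line = line.strip()
            for key, sep in (("friendlyName", ":"), ("localKeyID", ":"),
                             ("subject", "="), ("issuer", "=")):
                if line.startswith(key) and sep in line:
                    attrs[key] = line.split(sep, 1)[1].strip()
        records.append({"type": m.group(1), "pem": m.group(0) + "\n", **attrs})
    return records


def split_bundle(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Map the blocks onto the three WAAS files; return (files, warnings)."""
    records = parse_bundle(text)
    keys = [r for r in records if r["type"].endswith("PRIVATE KEY")]
    certs = [r for r in records if r["type"] == "CERTIFICATE"]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    key = keys[0]
    # The server certificate shares the key's localKeyID; fall back to the first
    # certificate that is not self-signed.
    server = next((c for c in certs if c.get("localKeyID")
                   and c.get("localKeyID") == key.get("localKeyID")), None)
    if server is None:
        server = next((c for c in certs if c.get("subject") != c.get("issuer")), None)
    if server is None:
        raise ValueError("no server certificate found in bundle")
    warnings: List[str] = []
    # Walk the chain: each issuer must be the subject of another certificate,
    # until a self-signed root is reached.
    ordered, issuer = [], server.get("issuer")
    remaining = [c for c in certs if c is not server]
    while remaining:
        nxt = next((c for c in remaining if c.get("subject") == issuer), None)
        if nxt is None:
            warnings.append(f"no certificate with subject {issuer!r} in bundle; chain is incomplete")
            break
        ordered.append(nxt)
        remaining.remove(nxt)
        if nxt.get("subject") == nxt.get("issuer"):
            break  # self-signed root reached
        issuer = nxt.get("issuer")
    if not ordered:
        warnings.append("no CA certificate in bundle; export the CA certificate separately")
    elif len(ordered) > 1:
        warnings.append("server certificate was not issued directly by the root CA; "
                        "CA.crt contains the whole chain")
    files = {"client.key": key["pem"], "client.crt": server["pem"],
             "CA.crt": "".join(c["pem"] for c in ordered)}
    return files, warnings


# Constructed bundles in the layout OpenSSL prints; bodies are placeholders.
SAMPLE_BUNDLE = """\
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: cdn-server-1
subject=CN=www.csc.com
issuer=CN=Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERSERVERCERT
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN=Example Root CA
issuer=CN=Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERROOTCERT
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: cdn-server-1
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
PLACEHOLDERKEY
-----END PRIVATE KEY-----
"""
# Same server, but issued by an intermediate CA (the multi-level case).
INTERMEDIATE_BUNDLE = SAMPLE_BUNDLE.replace(
    "issuer=CN=Example Root CA\n-----BEGIN CERTIFICATE-----\nPLACEHOLDERSERVERCERT",
    "issuer=CN=Example Issuing CA\n-----BEGIN CERTIFICATE-----\nPLACEHOLDERSERVERCERT",
) + """\
Bag Attributes: <No Attributes>
subject=CN=Example Issuing CA
issuer=CN=Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERINTERMEDIATECERT
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for name, bundle in (("root-issued", SAMPLE_BUNDLE), ("intermediate", INTERMEDIATE_BUNDLE)):
        files, warnings = split_bundle(bundle)
        print(name, {k: v.count("BEGIN") for k, v in files.items()}, warnings)
```

On a real bundle, replace SAMPLE_BUNDLE with the contents of cert.pem and write each entry of the returned dict to the file of that name; keep client.key off shared machines once it has been imported into the WAE secure store.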
The procedure with Apache is much simpler, since the files it uses are already in the format used by WAAS. You just need to find where they are stored, which you can do by looking at your server's VirtualHost entry in the httpd.conf file used by Apache.
It will look something like this:
httpd.conf VirtualHost entry
<VirtualHost 172.16.2.2:443>
    DocumentRoot /var/www/html
    ServerName www.csc.com
    SSLEngine on
    SSLCertificateFile /path/to/client.crt
    SSLCertificateKeyFile /path/to/client.key
    SSLCertificateChainFile /path/to/CA.crt
</VirtualHost>
As you can see, we already have there the three files we ended up with in the IIS procedure.
The secure store is where the certificates and keys are held on the WAAS devices.
To be able to use it, you'll need to initialize and open it. First on the Central Manager itself:
The passphrase you enter here will be needed to re-open the CM secure store after a reboot, so make sure you don't lose it!
Then on the Edge and Core WAEs themselves:
Once all the stores are initialized and opened, it is time to import the CA certificate on the Core WAE. To do so, go to the following menu and select the CA.crt file that was generated previously:
Once you submit it, you should see your CA certificate imported on the device:
On the Core WAE, go to the SSL Accelerated Services and first start by importing the client certificate and key (client.crt and client.key exported from the Web server):
Once the certificate/key are imported, you can setup the rest of the service by matching the interesting traffic and by putting it "In Service":
Congratulations, you now have your SSL Service up and running:
Last step is to make sure that the SSL Accelerator is running on both your Core and Edge WAEs:
First of all, verify that the accelerated service has been created on your Core WAE:
CORE-WAE-1#sh run | begin crypto
...skipping
crypto pki ca cdn-acs-1
   ca-certificate cdn-acs-1.ca
   exit
!
crypto ssl services global-settings
   version all
   exit
!
!
!
crypto ssl services accelerated-service cdn-server-1
   description "SSL AO optimization of IIS"
   server-cert-key cdn-server-1.p12
   server-ip 172.16.2.2 port 443
   inservice
   exit
!
CORE-WAE-1#
Verify that the SSL AO is running on both your Core and Edge WAE:
EDGE-WAE-1#sh accelerator
Accelerator   Licensed   Config State   Operational State
ssl           Yes        Enabled        Running
If those conditions are met, here is what you should do when you pass an HTTPS connection through your setup:
EDGE-WAE-1#sh statistics connection

Current Active Optimized Flows:                    1
   Current Active Optimized TCP Plus Flows:        1
   Current Active Optimized TCP Only Flows:        0
   Current Active Optimized TCP Preposition Flows: 0
Current Active Auto-Discovery Flows:               1
Current Reserved Flows:                            10
Current Active Pass-Through Flows:                 0
Historical Flows:                                  102

D:DRE,L:LZ,T:TCP Optimization RR:Total Reduction Ratio
A:AOIM,C:CIFS,E:EPM,G:GENERIC,H:HTTP,M:MAPI,N:NFS,S:SSL,V:VIDEO

ConnID   Source IP:Port      Dest IP:Port        PeerID             Accel   RR
114      172.16.5.2:1199     172.16.2.2:443      00:0f:fe:db:5b:2e  TSDL    32.7%
EDGE-WAE-1#
As you can see, our connection is now benefiting from TFO, SSL, DRE and LZ optimization.
If you are running WAAS version 4.3.1 or above, there is a new feature that could also be useful here: AO chaining. This allows us to pass the traffic which is optimized not only through one accelerator but through multiple ones. In our case the SSL and the HTTP ones.
Enabling this chaining is pretty simple: you just need to tick the Enable HTTPS metadatacache caching checkbox in the HTTP/HTTPS Settings, on both the Core and Edge WAE:
You can also check Suppress server compression and/or Enable DRE hints if you want to take advantage of those. For more info, see the link in the Further Info part.
Once this is done, you should see that the connection is also benefiting from the HTTP accelerator together with SSL, TFO, DRE and LZ:
EDGE-WAE-1#sh statistics connection closed client-ip 172.16.5.2 ssl http

Current Active Optimized Flows:                    1
   Current Active Optimized TCP Plus Flows:        1
   Current Active Optimized TCP Only Flows:        0
   Current Active Optimized TCP Preposition Flows: 0
Current Active Auto-Discovery Flows:               1
Current Reserved Flows:                            10
Current Active Pass-Through Flows:                 0
Historical Flows:                                  113

D:DRE,L:LZ,T:TCP Optimization RR:Total Reduction Ratio
A:AOIM,C:CIFS,E:EPM,G:GENERIC,H:HTTP,M:MAPI,N:NFS,S:SSL,V:VIDEO

ConnID   Source IP:Port      Dest IP:Port        PeerID             Accel   RR
826      172.16.5.2:1351     172.16.2.2:443      00:22:64:96:eb:5c  THSDL   65.7%
EDGE-WAE-1#
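Reading the Accel column by eye is fine for one connection, but after a change you usually want to check every HTTPS flow the WAE reports. The script below is an added example (not part of the original document and not a Cisco tool): it parses the connection table of show statistics connection, expands the Accel letters using the legend the command prints, and reports any flow to port 443 that lacks the TCP/SSL/DRE/LZ optimizations the document expects, or, once AO chaining is on, the HTTP accelerator as well. The sample output is constructed from the three connection rows shown on this page; it assumes the WAE prints the columns in the order shown here.

```python
"""Decode the Accel column of `show statistics connection` and flag HTTPS flows
that are not getting the optimizations expected once the SSL AO (and, with AO
chaining, the HTTP AO) is enabled."""
import re
from typing import Dict, List

# Legend as printed by the WAE above the connection table.
ACCEL_LEGEND = {
    "D": "DRE", "L": "LZ", "T": "TCP Optimization",
    "A": "AOIM", "C": "CIFS", "E": "EPM", "G": "GENERIC", "H": "HTTP",
    "M": "MAPI", "N": "NFS", "S": "SSL", "V": "VIDEO",
}

# One row of the table: ConnID, src ip:port, dst ip:port, peer MAC, Accel flags, RR.
ROW = re.compile(
    r"^\s*(?P<conn>\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s+"
    r"(?P<peer>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+"
    r"(?P<accel>[A-Z]+)\s+(?P<rr>[\d.]+)%\s*$"
)


def parse_connections(output: str) -> List[Dict]:
    """Return one dict per connection row, with the Accel flags expanded."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # counters, legend, header and prompt lines
        accel = m.group("accel")
        rows.append({
            "conn_id": int(m.group("conn")),
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "peer": m.group("peer"),
            "accel": accel,
            "optimizations": [ACCEL_LEGEND[c] for c in accel if c in ACCEL_LEGEND],
            "unknown_flags": sorted(set(accel) - set(ACCEL_LEGEND)),
            "reduction_ratio": float(m.group("rr")),
        })
    return rows


def audit_https_flows(rows: List[Dict], expect_http_ao: bool = False,
                      https_port: int = 443) -> List[str]:
    """Report HTTPS flows missing T, S, D or L (and H when chaining is expected).
    A flow showing only T is the 'TCP only' state from before the SSL AO."""
    findings = []
    for r in rows:
        if r["dport"] != https_port:
            continue
        missing = [c for c in "TSDL" if c not in r["accel"]]
        if expect_http_ao and "H" not in r["accel"]:
            missing.append("H")
        if missing:
            names = ",".join(ACCEL_LEGEND[c] for c in missing)
            findings.append(f"conn {r['conn_id']} {r['src']}:{r['sport']} -> "
                            f"{r['dst']}:{r['dport']}: Accel={r['accel']} missing {names}")
    return findings


# Constructed from the rows shown on this page (before SSL AO, after SSL AO,
# after AO chaining); not a real capture.
SAMPLE_OUTPUT = """\
EDGE-WAE-1#sh statistics connection
Current Active Optimized Flows:                    3
D:DRE,L:LZ,T:TCP Optimization RR:Total Reduction Ratio
A:AOIM,C:CIFS,E:EPM,G:GENERIC,H:HTTP,M:MAPI,N:NFS,S:SSL,V:VIDEO

ConnID   Source IP:Port      Dest IP:Port        PeerID             Accel   RR
799      172.16.5.2:1119     172.16.2.2:443      00:22:64:96:eb:5c  T       00.0%
114      172.16.5.2:1199     172.16.2.2:443      00:0f:fe:db:5b:2e  TSDL    32.7%
826      172.16.5.2:1351     172.16.2.2:443      00:22:64:96:eb:5c  THSDL   65.7%
EDGE-WAE-1#
"""

if __name__ == "__main__":
    rows = parse_connections(SAMPLE_OUTPUT)
    for r in rows:
        print(r["conn_id"], r["accel"], r["optimizations"], f"{r['reduction_ratio']}%")
    for finding in audit_https_flows(rows, expect_http_ao=True):
        print("WARN", finding)
```

Feed it the saved output of the command on the Edge WAE; a flow listed with only T on port 443 means the SSL AO did not engage for that connection, which is the symptom to chase (secure store not open, accelerated service not in service, or a server IP/port mismatch).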
You can also verify that the SSL AO is successfully passing the request to the HTTP AO through the show statistics accelerator ssl payload http command:
EDGE-WAE-1#show statistics accelerator ssl payload http

SSL - payload HTTP
------------------
Total Optimized Connections:                 6
Successful HTTP accelerator insertions:      6
Unsuccessful HTTP accelerator insertions:    0
EDGE-WAE-1#
If you want to get more info on SSL AO optimization or AO chaining, here are a couple of documents you might want to have a look at:
Description                     Link
SSL AO Q and A                  Here
SSL AO Configuration Guide      Here
SSL Accelerated Service CLI     Here
SSL AO Deployment Guide         Here
Configuring AO chaining         Here
Configuring SSL Monitoring      Here
Comments on the document itself or on what could be added to it are more than welcome.
Excellent doc Nico!
Nice document! Thanks Nicolas!
Nice Doc Nicolas
Rama
excellent! very useful !!
Gr8, Thanks For Help