ACE 4710 in failover - ssl offload, cert for second ACE
Hi,
I'm testing two ACE 4710 appliances that should work in active/standby mode and do ssl offload in bridged mode.
At the moment I have configured one of the devices to do basic load balancing (without ssl offload).
Now I would like to move further and configure ssl offload and configure High availability.
I read that the certificate for ssl can be locally generated on the ACE device but I couldn't find any information regarding the cert that should be used on the second ACE.
Should I generate a new cert on the standby unit or somehow use the one on the first ACE?
Is it better to first set up high availability and then configure ssl offload or vice versa?
Does anyone have a config example of ssl offload and active/standby configuration?
Thank you in advance.
You simply need to generate keys & CSR on the primary ACE. Export the keys from the primary ACE, import these keys to the standby ACE and, once you receive the certs from the CA, simply import the cert to both ACEs.
Following are the steps to achieve that.
On primary ACE:
1. Create RSA keys
  crypto generate key 2048 app1.key
2. Create CSR & send it to CA
  ace/Admin(config)# crypto csr-params app1-csr
  ace/Admin(config-csr-params)# common-name www.app1.com
  ace/Admin(config-csr-params)# country US
  ace/Admin(config-csr-params)# email [email protected]
  ace/Admin(config-csr-params)# locality xyz
  ace/Admin(config-csr-params)# organization-name xyz
  ace/Admin(config-csr-params)# organization-unit xyz
  ace/Admin(config-csr-params)# state CA
  ace/Admin(config-csr-params)# serial-number 1234
  ace/Admin(config-csr-params)# end
  ace/Admin(config)# crypto generate csr app1-csr app1.key
  (copy the result to a file)
3. Import certificate received from CA
  crypto import terminal app1.cert
  (paste the content of the cert)
4. Verify the cert & keys match
  crypto verify app1.key app1.cert
5. Export the keys from Active
  crypto export app1.key
  (copy the result to a file)
On standby ACE:
1. Import the keys
  crypto import terminal app1.key
2. Import the cert
  crypto import terminal app1.cert
3. Verify the cert & keys match
  crypto verify app1.key app1.cert
Hope this helps
Syed
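Before relying on failover, a practitioner will want to confirm that the standby unit really holds every key and cert the active unit uses. The following is an added example (not ACE code and not part of Syed's reply): it parses the `sh crypto files` listing, whose column layout (Filename, File Size, File Type, Exportable, Key/Cert) is shown in a later reply on this page, from both units and reports what is missing, stale, or could not have been copied with `crypto export`. The two listings are constructed sample data.

```python
"""Compare 'show crypto files' listings from an active/standby ACE pair.

Added example (not ACE code): the column layout follows the 'sh crypto files'
output shown on this page; the two listings below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CryptoFile:
    name: str
    size: int
    fmt: str          # file type column, e.g. PEM
    exportable: bool  # "Exportable" column
    kind: str         # "KEY" or "CERT"


def parse_show_crypto_files(output: str) -> list[CryptoFile]:
    """Return one CryptoFile per data row; header lines and prompts are skipped."""
    files = []
    for line in output.splitlines():
        parts = line.split()
        # A data row has exactly five fields with a numeric size; the two header
        # lines and the command prompt do not satisfy that.
        if len(parts) != 5 or not parts[1].isdigit():
            continue
        name, size, fmt, exportable, kind = parts
        files.append(CryptoFile(name, int(size), fmt, exportable.lower() == "yes", kind.upper()))
    return files


def failover_report(active_output: str, standby_output: str) -> dict:
    """List what would break, or could not be copied, if the standby took over now."""
    active = {f.name: f for f in parse_show_crypto_files(active_output)}
    standby = {f.name: f for f in parse_show_crypto_files(standby_output)}
    return {
        # Absent on the standby: any ssl-proxy service referencing it fails after failover.
        "missing_on_standby": sorted(n for n in active if n not in standby),
        # Present on both but different size: likely a stale copy (e.g. a renewed cert).
        "size_mismatch": sorted(
            n for n in active if n in standby and active[n].size != standby[n].size
        ),
        # Keys the active unit marks as not exportable cannot be moved with 'crypto export'.
        "non_exportable_keys": sorted(
            f.name for f in active.values() if f.kind == "KEY" and not f.exportable
        ),
    }


# Constructed sample listings (not real device output).
ACTIVE_OUTPUT = """\
Admin# sh crypto files
Filename     File   File   Expor   Key/
             Size   Type   table   Cert
app1.cert    2100   PEM    Yes     CERT
app1.key     1675   PEM    Yes     KEY
cert-test    2088   PEM    Yes     CERT
key-test     1675   PEM    Yes     KEY
old.key      1675   PEM    No      KEY
"""

STANDBY_OUTPUT = """\
Admin# sh crypto files
Filename     File   File   Expor   Key/
             Size   Type   table   Cert
app1.cert    2088   PEM    Yes     CERT
cert-test    2088   PEM    Yes     CERT
key-test     1675   PEM    Yes     KEY
"""

if __name__ == "__main__":
    for check, names in failover_report(ACTIVE_OUTPUT, STANDBY_OUTPUT).items():
        print(f"{check}: {names or 'ok'}")
```

Run it with the two listings pasted from the real units; an empty result for all three checks means the standby can take over SSL without losing any service. A `size_mismatch` on a cert is the typical sign that a renewed certificate was imported on the active unit only.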
Similar Messages
I am testing the 4710 for load balancing between 2 web servers. I have the http portion working just fine but would like to get some input on the SSL portion.
We have a section of our site that requires user login and the whole session is https from when they login and when they are browsing through our site.
My questions are within the design aspects. Would this best be designed using SSL offloading and then using clear text from the ACE to the web servers? Also, what would the differences be with configuring ssl offloading with stickiness if configured with http server load balancing on the same server farm versus creating a new server farm just for https? Would end-to-end ssl be best in this scenario?
Description of the web application usage:
Users log in and their whole session is https. Users will be filling out forms, inputting data, registering for events and uploading some files.
Okay so that makes sense to me now. When the client requests an HTTPS page and the ACE terminates the connection, the ACE uses SSL rewrite/redirect to send the request back to the client so that the client still maintains the SSL connection. Otherwise it will request an HTTP page instead of the HTTPS page.
Am I correct?
Hi,
I need to configure ssl offloading so that the user will send the request on port 443 while ACE will do ssl offload so servers will handle the http connection. My current config is as below (I haven't copied probe port80 here):
rserver server1:80
  ip add 192.168.1.1
  inservice
serverfarm secure-rediect-SF
  probe port80
  rserver server1:80
    inservice
class-map match-any secure-rediect-CM
  match virtual-address 10.10.1.1 tcp 80
policy-map type loadbalance first-match secure-rediect-PM
  class class-default
    sticky-serverfarm secure-rediect-SG
policy-map multi-match LBR-LB
  class secure-rediect-CM
    loadbalance vip inservice
    loadbalance policy secure-rediect-PM
    loadbalance vip icmp-reply
Could you help! How do I configure SSL offloading? What is required to configure it?
Hello, Gavin
Here you have some additional examples which might help you out:
Admin# sh crypto files
Filename     File   File   Expor   Key/
             Size   Type   table   Cert
cert-test    2088   PEM    Yes     CERT
key-test     1675   PEM    Yes     KEY
# crypto verify key-test cert-test
Keypair in key-test matches certificate in cert-test
Admin(config)# crypto chaingroup my-chaingroup
Admin(config-chaingroup)# cert my-root
Admin(config-chaingroup)# cert my-intermediate
ACE-M2/Admin(config-chaingroup)# exit
Admin# sh crypto chaingroup all
chaingroup muflas contains:
my-root
my-intermediate
(config)# ssl-proxy service my-ssl-proxy
Admin(config-ssl-proxy)# chaingroup my-chaingroup
Admin(config-ssl-proxy)# cert cert-test
Admin(config-ssl-proxy)# key key-test
Admin(config-ssl-proxy)# end
Then finally, your configuration should look like this:
interface vlan 100
  ip address 10.198.16.75 255.255.255.192
  access-group input Allow_Access
  nat-pool 1 10.198.16.103 10.198.16.103 netmask 255.255.255.192 pat
  service-policy input MGMT
  service-policy input my-multimatch
  no shutdown
policy-map multi-match my-multimatch
  class vip
    loadbalance vip inservice
    loadbalance policy http
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 100
  class ssl
    loadbalance vip inservice
    loadbalance policy http
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 100
    ssl-proxy server my-ssl-proxy
class-map match-all ssl
  2 match virtual-address 10.198.16.103 tcp eq https
class-map match-all vip
  10 match virtual-address 10.198.16.103 tcp eq www
policy-map type loadbalance http first-match http
  class class-default
    serverfarm http
serverfarm host http
  rserver 1-80 80
    inservice
  rserver 2-80 80
    inservice
rserver host 1-80
  ip address 10.198.16.99
  inservice
rserver host 2-80
  ip address 10.198.16.100
  inservice
ssl-proxy service my-ssl-proxy
  key key-test
  cert cert-test
  chaingroup my-chaingroup
Hope this helps!!!
ACE SSL offloading troubleshooting
Hi All,
I need help troubleshooting ACE SSL offloading. Can anybody post the link to know about the commands for troubleshooting?
Regards,
Thiyagu
Hi Thiyagu,
Have a read of the following link. What is the issue you are seeing?
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Troubleshooting_Guide_--_Troubleshooting_SSL#Troubleshooting_ACE_SSL
Regards, Craig
ACE SSL Reverse Proxy for multiple URLs
Hi,
I am trying to set up an ACE as a reverse proxy (one-arm mode) for HTTPS connections for multiple URLs to multiple serverfarms. From what I know I have two options:
1. Use a different VIP for each URL and do L4 loadbalancing, or use a combination of IP address and port.
2. Use a different VIP for each URL, do SSL offloading and do L7 URL based loadbalancing.
So with these options I am bound to use different IPs for each site. Is there a way I can use one VIP and then offload SSL and do URL based loadbalancing? From my knowledge we are restricted by the nature of SSL. The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the problem is that the SSL session is a separate transaction that takes place before the HTTP session even starts, so there is no visibility of the HTTP header.
Any comments appreciated
George Georgiou
George,
your understanding is absolutely correct.
We need to know the site in order to decrypt the traffic because the certificate is associated to a domain name.
But without decrypting, we can't see the domain name.
So, the only way to know the domain without decrypting is to allocate a single ip to each domain.
There is no other solution.
Gilles.
Using internal SSL Certs for Webview and Reskill (ICM 7.2.X)
Hi,
I would like to use corporate ssl certs for webview and reskill to avoid the user having to install the self signed certificate on the local machine. Has anyone any experience of this? Can it cause any unforeseen problems?
My plan for webview is to create the certificate request in IIS for the default website, use this csr to generate the cert, then complete it by uploading the certificate.
For reskilling, I assume I will have to do some command line stuff here, e.g.:
  keytool -genkey -keyalg RSA -keystore hostname.key
to create the key,
  keytool -certreq -keyalg RSA -keystore hostname.key -file hostname.csr
to create the csr, and
  keytool -import -trustcacerts -alias tomcat -file hostname.cer -keystore hostname.key
to import the new cert.
Suggestions or comments from anyone who has tried this before would be appreciated.
Regards,
Brian
I've never done it on a version so old, but at the end of the day it's just IIS and Tomcat and importing an SSL cert is very standard.
david
How to setup SSL cert for SharePoint apps in a three tier farm with nlb
I am having trouble understanding how to setup the SSL certificate on SharePoint apps or in general its configuration
Please check the below thread..
https://social.technet.microsoft.com/Forums/sharepoint/en-US/53465d30-10b2-48c9-9541-5ade738156b4/how-to-setup-ssl-cert-for-apps
Don't forget to mark it as an Answer if it resolves your issue and vote me as helpful if it is useful.
Mahesh
Cisco ACE SSL Offloading not working
Dear All,
I have configured SSL offloading on ACE when i tried to test it from the PC i found that:
1. When I try to test the SSL offloading by (https://192.168.69.110) I can reach the main page on WEB1 but I can't open any virtual directory or any link inside this server (ex: https://192.168.69.110/web).
Thanks,
Bader
Hello Mohammed,
The behavior which you are getting is totally expected since you are NOT matching the url.
Why don't you try this?
  (config-cmap-http-lb)# class-map type http loadbalance match-all MATCH-URL
  (config-cmap-http-lb)# match http url /.*
class-map type http loadbalance match-all MATCH-URL
  2 match http url /.*
Also you can try this one instead of the one above, since this one will be more specific:
class-map type http loadbalance match-all MATCH-URL
  2 match http url /web.*
policy-map type loadbalance first-match WEB-SERVERS-LB
  class MATCH-URL
    sticky-serverfarm Sticky-WEB-SERVERS
  class class-default
    sticky-serverfarm Sticky-WEB-SERVERS
Please mark it, if it fixes your issue.
Jorge
Cisco ACE - Exempt HTTP URL from SSL Offloading
Hi,
I have a cisco ACE module A2 (3.6). I am offloading url www.abc.com on cisco ACE. HTTP redirection to https is working & over https I am able to browse the website perfectly. Real servers are redirecting some pages over http. Due to page redirection from the webserver I have to exempt one URL (http://www.abc.com/modules/docs/abc.aspx) from ssl offloading. Is it possible, or as a workaround do I have to rewrite the complete url www.abc.com as ssl port?
Your inputs highly appreciated.
Regards,
Hi Masif,
In case you have not gotten assistance with this one, you just need to specify the specific URL and match it on top of the loadbalance policy that is already doing the redirection.
class-map type http loadbalance match-any No-Redirect
  2 match http url /docs/abc.aspx
policy-map type loadbalance first-match ABC
  class No-Redirect
    serverfarm HTTP-Servers
  class class-default
    serverfarm Redirect
Hope this helps.
Pablo
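Both Jorge's MATCH-URL class-maps and Pablo's No-Redirect class above depend on the same mechanism: a `first-match` policy walks its classes in order and the first `match http url` hit decides the serverfarm, with `class-default` catching the rest. The following is an added example (not ACE code and not from either reply) that models that evaluation so the ordering and the difference between `/.*` and `/web.*` can be checked off-box. It assumes `match http url` patterns are regular expressions that must match the whole request path, which fits every pattern on this page but should be confirmed on the device itself.

```python
"""First-match evaluation of an ACE load-balance policy (added example, not ACE code).

Assumption: 'match http url' patterns are regular expressions that must match
the whole request path (every pattern on this page starts with '/'); confirm the
exact matching semantics on your own device before relying on this model.
"""
import re
from dataclasses import dataclass, field


@dataclass
class ClassMap:
    """class-map type http loadbalance; an empty pattern list means class-default."""
    name: str
    url_patterns: list[str] = field(default_factory=list)

    def matches(self, path: str) -> bool:
        if not self.url_patterns:
            return True  # class-default matches everything
        return any(re.fullmatch(p, path) for p in self.url_patterns)


@dataclass
class LbPolicy:
    """policy-map type loadbalance first-match: ordered (class, serverfarm) pairs."""
    name: str
    entries: list[tuple[ClassMap, str]]

    def select(self, path: str) -> tuple[str, str]:
        """Return (class name, serverfarm) of the first class that matches."""
        for cmap, serverfarm in self.entries:
            if cmap.matches(path):
                return cmap.name, serverfarm
        raise LookupError(f"{self.name}: no class matched {path!r}")


def shadowed_classes(policy: LbPolicy) -> list[str]:
    """Classes that can never be reached because a catch-all precedes them."""
    shadowed, catch_all_seen = [], False
    for cmap, _ in policy.entries:
        if catch_all_seen:
            shadowed.append(cmap.name)
        elif not cmap.url_patterns:
            catch_all_seen = True
    return shadowed


def build_abc_policy() -> LbPolicy:
    """The 'ABC' policy from the reply above: one URL exempt, everything else redirected."""
    return LbPolicy("ABC", [
        (ClassMap("No-Redirect", ["/docs/abc.aspx"]), "HTTP-Servers"),
        (ClassMap("class-default"), "Redirect"),
    ])


if __name__ == "__main__":
    policy = build_abc_policy()
    for path in ("/docs/abc.aspx", "/index.html", "/docs/other.aspx"):
        print(path, "->", policy.select(path))
    # Same entries in the wrong order: the specific class becomes unreachable.
    reversed_policy = LbPolicy("ABC-reversed", list(reversed(policy.entries)))
    print("shadowed:", shadowed_classes(reversed_policy))
```

`shadowed_classes` is the check worth keeping: a specific class placed after `class-default` never fires, and the symptom (every request redirected) looks exactly like Masif's original problem.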
When using any loadbalancer, CSS, CSM or ACE and doing SSL offload, how does the request to the backend server get created? For example if the client requests https://secure.example.com/privatedata.html and that url is configured for SSL offload on the loadbalancer, is the request from the LB to the server just http://secure.example.com/privatedata.html? What would the request look like if SSL offload and backend SSL are both configured? Are there methods to modify the default behavior on any of the platforms?
TIA
First you have to understand that a url is not sent the way you type it in http.
So the request actually looks like this:
  GET /privatedata.html
  Host: secure.example.com
This request is encrypted with SSL if you enter the url with HTTPS:// and is sent in cleartext if you don't use SSL.
So, what the offloader will do is simply decrypt the traffic and, whatever the request is, send it in cleartext to the server ip address.
The offloader can't change the content of the request. However, it can add some lines in the header.
Also, instead of just transmitting in cleartext, the loadbalancer can re-encrypt so the communication between offloader and server is also SSL.
Again, the request (see above) does not change.
Gilles.
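The point Gilles makes is easy to verify in code: the request the offloader forwards carries no scheme, so the backend can only learn whether the client used HTTPS from a header the offloader adds. The following is an added example, not ACE code and not from the reply: it parses a decrypted request head, rebuilds the URL the client typed (the scheme has to come from the listener, not the request), and builds the forwarded request. The header name `X-Forwarded-Proto` is an assumption (a common convention), not something this page documents the ACE as sending; the sample request is constructed.

```python
"""What an SSL offloader forwards to the backend (added example, not ACE code).

The decrypted request is the same bytes the client sent (request line + headers),
so 'https://' vs 'http://' is not visible in it. The offloader may add header
lines; the name X-Forwarded-Proto used here is an assumption, not ACE behaviour
documented on this page.
"""


def parse_request(raw: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Split a raw HTTP/1.1 request head into (request_line, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def client_url(raw: bytes, listener_scheme: str) -> str:
    """Rebuild the URL the client typed. The scheme must come from the listener
    (443 vs 80), because the request itself never carries it."""
    request_line, headers = parse_request(raw)
    _, target, _ = request_line.split(" ", 2)
    host = {n.lower(): v for n, v in headers}.get("host", "")
    return f"{listener_scheme}://{host}{target}"


def forward_to_backend(raw: bytes, listener_scheme: str,
                       proto_header: str = "X-Forwarded-Proto") -> bytes:
    """Build the request sent to the server: request line and headers unchanged,
    plus one added header stating the client-side scheme. Any client-supplied copy
    of that header is dropped first, so a cleartext client cannot claim 'https'."""
    request_line, headers = parse_request(raw)
    kept = [(n, v) for n, v in headers if n.lower() != proto_header.lower()]
    kept.append((proto_header, listener_scheme))
    out = request_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in kept) + "\r\n"
    return out.encode("iso-8859-1")


# Constructed sample: what the offloader sees after decrypting the client's TLS session.
DECRYPTED_REQUEST = b"GET /privatedata.html HTTP/1.1\r\nHost: secure.example.com\r\n\r\n"

if __name__ == "__main__":
    print(client_url(DECRYPTED_REQUEST, "https"))
    print(forward_to_backend(DECRYPTED_REQUEST, "https").decode())
```

The same bytes arrive on the 443 listener and on an 80 listener; only `listener_scheme` differs, which is why the backend has to trust the offloader's added header and nothing in the original request. Overwriting rather than appending that header is the part that matters for a backend that uses it to decide whether a login page was reached securely.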
1. SSL offload - how do I secure the clear text pwd sent from ACE to the serverfarm?
2. If there are 2 DR sites, say CA and UK, and CA has an earthquake, can a pair of ACEs be designed to keep the website going in UK?
Hi,
1/ ACE can be configured to set up a second ssl tunnel and encrypt data between ACE and server. For more details:
http://www.cisco.com/en/US/partner/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/ssl/guide/initiate.html
Is this what you are looking for?
2/ Where are the ACEs? Are they load balancing traffic to servers in both CA and UK?
--Olivier
Hi
I've a question about SSL offloading.
According to the documentation on the web I need to generate a CRL (certification revocation list) to get a certificate from a CA.
In our test environment we have a CA on a Microsoft Server.
What I want to know is whether it is possible to take this CRL from the ACE and import it in the CA to verify it, and afterwards copy the certificate back to the ACE?
Thanks for your advice.
cheers
patrick
I think that when you configure an appliance to perform SSL offloading you are actually setting up one or more logical secure servers whose SSL-related configurations reside in the appliance.
For more information on SSL please click the following URL:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11000series/sca/v4.20/configuration/guide/SCA_AP_F.html#wp1004454
Does ADFS work with SharePoint 2013 with WFEs SSL-offloaded to a F5 load balancer?
Currently we are implementing a SharePoint 2013 Production environment with 2 WFEs load-balanced by F5. SSL is offloaded to F5 and is currently working fine with Integrated Windows Authentication with NTLM. We would like to implement ADFS 3.0
later for Single Sign-on, and we are wondering if ADFS supports SSL offload.
Do we need to bind the certificate to the WFEs as well to use ADFS?
Thank you!
Just got it confirmed that ADFS supports SSL offload. There is no direct communication between SharePoint and ADFS server during the authentication process. It is always the browser that's talking to ADFS server. We just need to do the following:
Configure SharePoint URLs in ADFS as relying parties with https.
Configure AAM in SharePoint to make sure internal URL is http and public URL is https.
SSL Offloading and Certificate Errors
I am attempting to offload SSL on an F5 load balancer. I made the certificate request from the load balancer, procured the certificate from Entrust, and installed on the load balancer. I then followed SSL Offloading TechNet instructions here:
http://technet.microsoft.com/en-us/library/dn635115(v=exchg.150).aspx. My two CAS servers still have the self-signed certificates bound in IIS. I am getting certificate errors when making RPC over HTTPS connections in Outlook and the self-signed certificate is popping up.
My question is what do I do with the certificates on my 2 CAS servers? Do I leave the self-signed certificates on there and export the Entrust certificate from my F5 and then import it to my CAS servers and change the bindings in IIS?
Or do I have to make the CSR from a CAS server, issue a new Entrust certificate from that, import to both CAS servers, then import to the F5 and make sure all bindings are correct in IIS?
Or am I completely misunderstanding how this works and need to do something different entirely?
Thanks in advance for any guidance.
As I previously mentioned, I have already followed the SSL Offloading guide from technet, which included unticking Require SSL for all the various objects in IIS (OWA, ECP, EWS, RPC etc.)
Additionally I made sure SSL Offloading was enabled for Outlook Anywhere in PowerShell. See for example the output of Get-OutlookAnywhere:
RunspaceId                         : 1bdf6a03-d43d-4478-84cc-95e18806b11b
ServerName                         : TSTEXCG2013
SSLOffloading                      : True
ExternalHostname                   : tstowa.XXXX.com
InternalHostname                   : tstowa.XXXX.com
ExternalClientAuthenticationMethod : Ntlm
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}
XropUrl                            :
ExternalClientsRequireSsl          : True
InternalClientsRequireSsl          : True
MetabasePath                       : IIS://TSTEXCG2013.tstXXX.tstXXXX.tst/W3SVC/1/ROOT/Rpc
Path                               : D:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc
ExtendedProtectionTokenChecking    : None
ExtendedProtectionFlags            : {}
ExtendedProtectionSPNList          : {}
AdminDisplayVersion                : Version 15.0 (Build 847.32)
Server                             : TSTEXCG2013
AdminDisplayName                   :
ExchangeVersion                    : 0.20 (15.0.0.0)
Name                               : Rpc (Default Web Site)
DistinguishedName                  : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=TSTEXCG2013,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=XXX XXXX,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=tstXXXX,DC=tst
Identity                           : TSTEXCG2013\Rpc (Default Web Site)
Guid                               : 9b2bc5e2-41c1-4219-9186-8e6b8cb63dc0
ObjectCategory                     : tstXXXX.tst/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                        : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                        : 7/10/2014 7:38:58 PM
WhenCreated                        : 6/23/2014 2:54:36 PM
WhenChangedUTC                     : 7/11/2014 12:38:58 AM
WhenCreatedUTC                     : 6/23/2014 7:54:36 PM
OrganizationId                     :
OriginatingServer                  : TSTXXXXDC02.tstXXXX.tst
IsValid                            : True
ObjectState                        : Changed
CSS11500 SSL handling question for multiple url/FQDNs with the same ip address
I know that it's possible on the CSS to handle multiple incoming HTTP requests that terminate on the same IP address and port and balance them to various servers based on the url. For instance, I can set up www.cats.com and www.dogs.com at the same 192.168.35.12 address in DNS, and set up two different content rules:
content cats
  vip address 192.168.35.12
  port 80
  url "//www.cats.com/*"
  add server cats1
  add server cats2
  active
content dogs
  vip address 192.168.35.12
  port 80
  url "//www.dogs.com/*"
  add server dogs1
  add server dogs2
  active
Easy and straightforward.
But what if I want to add SSL handling for https://www.cats.com and https://www.dogs.com?
I'm not sure how to create the ssl-proxy-list where one content rule (ip address/port) combination needs to pass through the ssl module and get matched with the proper ssl certificate.
Can this be done? Can one associate multiple certs and keys with a single ssl-server entry and a single ssl accelerator service? Or do I have to create multiple ssl-proxy-lists for cats and dogs and build multiple ssl services each referring to a unique ssl-proxy-list, and then use the url parameter in the https content rule to determine which ssl service (and therefore which key/cert pair) gets the traffic?
Thanks in advance for any insights.
Hi Tim,
Unfortunately this is not possible; you can't associate multiple certificates to a single proxy list due to the fact that the SSL handshake is done first with no visibility of the URL being requested, so the CSS won't know which public server to use in order to perform the traffic decryption.
But there are a couple of options that you may want to look at (depending on the URL string).
If your URLs are subdomains and you hold a wildcard SSL certificate to match multiple requests, i.e. your domain being "pets.com", you can have a certificate that will match requests for dogs.pets.com or cats.pets.com because the cert will be in the form *.pets.com.
The second option is SAN (Subject Alternative Names) certificates, which give you the option to include up to 4 flavors of the domain within the same file, such as pets.com, pets.net, www.1pets.com.
I hope this helps.
Pablo
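Pablo's two options only work if the names in the certificate actually cover every hostname that will share the VIP, and wildcard matching has rules that are easy to get wrong (one label only, left-most position only, never the bare domain). The following is an added example, not CSS code and not from the reply: it implements the usual browser-style name matching for a certificate's CN and SAN dNSName list and reports which hostnames a single cert can serve on one VIP and which would still need their own VIP, the limitation Pablo describes. The host lists are constructed sample input.

```python
"""Does a certificate's name list cover a hostname? (added example, not CSS code)

Covers the two options in the reply above: a wildcard certificate such as
*.pets.com and a SAN certificate listing several names. Matching follows the
usual browser behaviour (RFC 6125 style): a wildcard covers exactly one label,
only as the whole left-most label, and never the bare domain itself.
"""


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if one certificate name (CN or SAN dNSName) matches the hostname."""
    pattern = cert_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), host.split(".")
    if "*" in pattern:
        # The wildcard must be the entire left-most label, appear nowhere else,
        # and leave at least two real labels to its right (so "*.com" is refused).
        if p_labels[0] != "*" or any("*" in l for l in p_labels[1:]) or len(p_labels) < 3:
            return False
    # A wildcard covers exactly one label, so label counts must agree; this is
    # what stops *.pets.com from matching pets.com or a.dogs.pets.com.
    if len(p_labels) != len(h_labels):
        return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def cert_covers(cert_names: list[str], hostname: str):
    """Return the first certificate name that matches hostname, or None."""
    for name in cert_names:
        if name_matches(name, hostname):
            return name
    return None


def plan_vip(sites: list[str], cert_names: list[str]) -> dict:
    """For hostnames meant to share one VIP, split them into those a single
    certificate can serve and those that would still need their own VIP/cert."""
    served = [s for s in sites if cert_covers(cert_names, s)]
    return {"served": served, "need_own_vip": [s for s in sites if s not in served]}


if __name__ == "__main__":
    # Constructed sample: the hostnames from the question plus a pets.com subdomain.
    sites = ["www.cats.com", "www.dogs.com", "dogs.pets.com", "cats.pets.com"]
    print("wildcard:", plan_vip(sites, ["*.pets.com"]))
    print("SAN     :", plan_vip(sites, ["pets.com", "www.cats.com", "www.dogs.com"]))
```

The wildcard case is where mistakes usually surface: `*.pets.com` serves `dogs.pets.com` but not `pets.com` itself and not `a.dogs.pets.com`, so a site that also answers on the bare domain needs that name listed explicitly (a SAN entry) rather than relying on the wildcard.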