Certs on ACE
We have a cert and the key pair that goes with it for the ACE; however, they are only visible from the Admin context. We're configuring the SSL termination on a different context than Admin. Should the cert and the key be moved to that context, or do all of the certs/key pairs reside in the Admin context?
Thanks..
You need keys & certs in the context where you want to use them.
Syed Iftekhar Ahmed
Similar Messages
-
ACE client authentication performance degredation
Hi,
If possible is anybody able to provide any advice & guidance WRT the below:
According to http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA4_1_0/command/reference/sslproxy.html: “When you enable client authentication, a significant performance decrease may occur in the ACE module.”
The statement raises a lot of questions:
1. Presumably the degradation can only happen as a result of an SSL client performing a handshake with the ACE (SSL server), the ACE requesting a client certificate and the client responding with a certificate at which stage the ACE has to verify the Client certificate?
2. Some metrics are needed from Cisco around the degradation – for example how many certificate verifications per second can the ACE support (1,10,100,1000)? If this is dependent on RSA key size then metrics are needed for 1024 and 2048 keys.
3. The Cisco ACE supports partitioning of resources (http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Module_Troubleshooting_Guide,_Release_A2%28x%29_--_Managing_Resources_ and therefore I assume that the ACE can be protected from degradation by setting a limit on SSL handshakes per second which is well below the limit from 2?
4. Any references to some relevant documentation?
Hello Preck,
As a first point, we don't generally document every possible aspect of performance numbers on products because there are many factors that play into the numbers. This is one of the grey areas where we cannot pin down any hard numbers due to too many outside factors.
Here is the full story on SSL client authentication:
Under a normal SSL handshake, the SSL server exchanges the public key and certificate file with the client, and a cipher is chosen to encrypt the communication between the two entities. Past that communication, there are a few things that could result in extra packets, or a new SSL handshake, i.e. SSL version negotiation and/or cipher related issues. Some things can shorten the handshake time, like SSL session IDs and using specific SSL protocols (i.e. if the client and server only ever used TLS v1.1 and never had to negotiate from SSL v3.0 to TLS).
Once the handshake is done, the performance only depends on network latency and the amount of time it takes to encrypt/decrypt the traffic, which is dependent on the SSL version, cipher, and SSL strength (key bits). This is important to your questions because the only thing that affects performance is the initial handshake process.
When you enable client authentication, before the handshake is complete, the server requests the client to send a certificate. The client may send multiple certificates, or just 1. When the server receives the certificate, it checks that it matches the certificate that it has installed for client authentication. As well, the server may do an extra check against the CRL to see if the certificate has been revoked (this is an external call to the CA via TCP or LDAP generally). The amount of certs, size of the certs, and size of the CRL are not known to the server; hence, it has to work with what it receives. The larger the files, the longer the handshake takes to complete.
Specific to ACE:
The degradation you are going to see is exactly what I stated in the last paragraph - it will be related to how many certs the ACE has to parse, how long it takes to get the CRL and check it all the way through. Because every client could give the ACE a different amount of certificates and the CRL could be any size/take any amount of time to retrieve and scan, there is no such thing as a common metric we can state about the difference in performance.
We can tell you that the performance degradation is limited to the VIP that you have this enabled on and should not affect any other VIPs/context/the whole ACE in general. It also only relates to the amount of possible transactions per second, and not to total SSL concurrent connections or throughput. Throughput is not affected because the SSL Nitrox and Cadvium engines are not used to scan the client certificate - the XScale Microengine is, so the throughput of the SSL daughter cards is not affected here.
The bit count within the keypair does not affect the performance when enabling client authentication, if you are comparing to the same setup without client authentication. Certainly, you will see a drop in performance when moving from 1024 to 2048 bit keys due to the extra complexity involved in encrypting/decrypting - but no additional loss with client authentication. On a side note, keep in mind that doubling your key bit strength means your performance will take an exponential drop - not a linear drop. If you are planning on deploying 2048bit keys, make sure you test your environment prior to production release so that you know exactly what kind of performance to expect.
About your question on partitioning resources, because this only affects the VIP you have the authentication on, you don't need to worry about sandboxing off a context to handle this.
Regards,
Chris Higgins -
ACE SSL - Modifying certs and keys
I'm having a problem updating the certs and keys I have in my ssl-proxy service.
My cert is about to expire and I've purchased a new cert. I've uploaded the new cert and key, but I still see the old cert when I go to the VIP with my browser. I thought that by deleting the proxy-service and re-adding I could get the ACE to recognize that it's got new certs but that didn't seem to work.
Is there a trick to make the ACE see the new certs? Does it cache the certs instead of reading them from flash? What's going on here.
Thanks!
I changed my certs hot while the application was still running; it worked like a charm.
What I did was:
- import the new certificate into the crypto store (pkcs12)
- prepare a textfile with the necessary commands:
    no key old
    key new
    no cert old
    cert new
- paste the commands into the running config.
I had several Customers and Application Admins test the app while I was changing certs. They didn't even notice something happened. After approx. 60 seconds all new connections were using the new cert; old connections were using the old cert. No trouble at all.
And yes, the ACE caches the certs, if I am not mistaken.
If you want to make sure that it works, just create a test context or try it on a test farm first. That's what I did prior to changing the certs and the config on the production environment.
Hope it helps.
Roble -
ACE SSL Initiation - no check of server cert?
SW 3.0(0)A1(4)
I've configured SSL initiation and noticed that a successful session is established despite no valid root CA cert installed on the ACE.
Does client SSL just work regardless, without any cert validation?
This is currently how it works.
It will change in version 2.0
Gilles. -
ACE 4710 in failover - ssl offload, cert for second ACE
Hi,
I'm testing two ACE 4710 appliances that should work in active/standby mode and do ssl offload in bridged mode.
At the moment I have configured one of the devices to do basic load balancing (without ssl offload).
Now I would like to move further and configure ssl offload and configure High availability.
I read that the certificate for SSL can be locally generated on the ACE device, but I couldn't find any information regarding the cert that should be used on the second ACE.
Should I generate a new cert on the standby unit or somehow use the one on the first ACE?
Is it better to first set up high availability and then configure ssl offload or vice versa?
Does anyone have a config example of ssl offload and active/standby configuration?
Thank you in advance.
You simply need to generate keys & CSR on the primary ACE. Export the keys from the primary ACE, import these keys to the standby ACE, and once you receive the certs from the CA simply import the cert to both ACEs.
Following are the steps to achieve that:
On primary Ace
1. create RSA Keys
crypto generate key 2048 app1.key
2. Create CSR & send it to CA
ace/Admin(config)# crypto csr-params app1-csr
ace/Admin(config-csr-params)# common-name www.app1.com
ace/Admin(config-csr-params)# country US
ace/Admin(config-csr-params)# email [email protected]
ace/Admin(config-csr-params)# locality xyz
ace/Admin(config-csr-params)# organization-name xyz
ace/Admin(config-csr-params)# organization-unit xyz
ace/Admin(config-csr-params)# state CA
ace/Admin(config-csr-params)# serial-number 1234
ace/Admin(config-csr-params)# end
ace/Admin(config)# crypto generate csr app1-csr app1.key
(copy the result to a file)
4. Import certificate received from CA
crypto import terminal app1.cert
(paste the content of the cert)
5. verify the cert & keys match
crypto verify app1.key app1.cert
6. Export the keys from Active
crypto export app1.key
(copy the result to a file)
On Standby ACE:
1. Import the keys
crypto import terminal app1.key
2. Import the cert
crypto import terminal app1.cert
3. Verify the cert & keys match
crypto verify app1.key app1.cert
Hope this helps
Syed -
ACE: Single SSL Cert for two domains with same VIP
At present I have a design that will use individual SSL cert per domain and link both certs to (two or one) serverfarm.
policy-map multi-match popvip_01
  class POP_VIP01
    loadbalance vip inservice
    loadbalance policy POP-POp3_PMT or popPMT1
    loadbalance vip icmp-reply
    ssl-proxy server GINPOP_SSLPROXY
    connection advanced-options TCP_PARAM_Y
  class POP3_VIP02
    loadbalance vip inservice
    loadbalance policy POP-POp3_PMT or POPPMT2
    loadbalance vip icmp-reply
    ssl-proxy server GINPOP3_SSLPROXY
    connection advanced-options TCP_PARAM_Y
however,
if I can get one single certificate to process both pop and pop3 domains, which use the same VIP/port, and if this will work with ACE, I'm inclined to design using this alternative.
ie,
pop.mydomain.com = 10.10.10.1 995
pop3.mydomain.com = 10.10.10.1 995
Any suggestions would be appreciated.
Hello,
In order to achieve this you will need to order a wildcard certificate, i.e.
*.mydomain.com
These certificates are more expensive and so you will probably find it cheaper to buy two certificates than one wildcard certificate.
Regards -
Hi all,
We currently use a Cisco SCA for SSL offload. When adding client certificates to the SCA, there is an option to "Add Client Certificate Info", which uses a check box to enable this feature. This feature, to the best of my knowledge, sends the headers to the server. We have configured a new service on an ACE context but need to enable this feature; is this possible, and how do we enable the same feature on the ACE?
ACE version A2(2.3)
Thanks in advance for any assistance with this matter.
Hello,
it is possible on ACE too, at least in recent sw versions:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/ssl/guide/terminat.html#wp1169219
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/ssl/guide/terminat.html#wp1169832
as you can see here:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_x/Release/Note/RACEA2_3_X.html#wp586054
this was introduced in A2(3.0) so if you'll need to use the feature you'll have to upgrade.
Hope it helps,
Francesco -
How to update certificate into ACE
I need to upload the cert file (.pem) received from the CA and am getting the below error message:
LB1# crypto import terminal wwwtest.domain.com
Please enter PEM formatted data. End with "quit" on a new line.
-----BEGIN CERTIFICATE-----MIIG3zCCBcegDb2x1bWJpYTEQMA4GA1UEBxQHQnVybmFieTEiMCAGA1UEChQZUklUQ0hJRSBCUk9TLiBBVUNwY
=-----END CERTIFICATE-----quit
input string too long
Error: File not of recognized types - PEM, DER or PKCS12, import failed.
ACE version: A5(1.1)
Can someone provide the proper procedure to upload/install the certificate?
Appreciated.
Hi,
Please go to the below link:
https://www.sslshopper.com/ssl-converter.html
Convert your file that you have received from your CA into PEM format and try importing from terminal again and see if that resolves the issue.
The error indicates that CA file format is different than supported by ACE. The certificate should be in PEM format.
Regards,
Kanwal -
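As an added example, not part of the thread above: a small Python helper that checks what the blob you are about to paste actually is and re-wraps a PEM body into the standard 64-column lines, the shape a single collapsed line like the one in the post is likely to trip on. The sample input is constructed (a placeholder DER-like byte string, not a real certificate) and mimics the one-line paste with "quit" glued to the END marker shown above.

```python
import base64
import binascii
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)

# Constructed sample: NOT a real certificate. The payload is a placeholder
# byte string that merely begins like a DER SEQUENCE (0x30 0x82 ...), so the
# structural check below passes; it is laid out the way the post above shows
# (markers run into the body, everything on one line, "quit" glued to the end).
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
FAKE_BODY = base64.b64encode(FAKE_DER).decode()
COLLAPSED_PASTE = "-----BEGIN CERTIFICATE-----" + FAKE_BODY + "-----END CERTIFICATE-----quit"


def detect_format(data: bytes) -> str:
    """Classify an uploaded blob as 'PEM', 'DER' or 'unknown'.

    DER certificates and keys are ASN.1 SEQUENCEs and so start with byte 0x30.
    PKCS#12 files start with a SEQUENCE too, so this cannot separate DER from
    PKCS#12; for the terminal-paste path the PEM/DER distinction is what matters.
    """
    if b"-----BEGIN " in data and b"-----END " in data:
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "unknown"


def normalize_pem(data: bytes, label: str = "CERTIFICATE") -> str:
    """Return a clean PEM block: one marker per line, body wrapped at 64 columns.

    Accepts either a DER blob (base64-encoded under `label`) or any PEM text,
    including one collapsed onto a single line by a copy/paste or followed by
    stray text such as the CLI terminator 'quit'.
    """
    fmt = detect_format(data)
    if fmt == "DER":
        body = base64.b64encode(data).decode()
    elif fmt == "PEM":
        text = data.decode("ascii")
        m = PEM_RE.search(text)
        if m is None:
            raise ValueError("BEGIN/END markers present but not a matching pair")
        label = m.group(1)
        body = re.sub(r"\s+", "", m.group(2))  # drop all line breaks and spaces
        try:
            raw = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"PEM body is not valid base64 (truncated paste?): {exc}") from exc
        if raw[:1] != b"\x30":
            raise ValueError("decoded body does not start with an ASN.1 SEQUENCE")
    else:
        raise ValueError("input is neither PEM nor DER")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


def max_line_length(pem: str) -> int:
    """Longest line in the block; a collapsed paste shows up here as one huge line."""
    return max(len(line) for line in pem.splitlines())


if __name__ == "__main__":
    print("pasted form: format", detect_format(COLLAPSED_PASTE.encode()),
          "longest line", max_line_length(COLLAPSED_PASTE))
    fixed = normalize_pem(COLLAPSED_PASTE.encode())
    print("normalized : longest line", max_line_length(fixed))
    print(fixed)
```

A truncated paste (like the cut-off body in the post) fails the base64 check instead of being re-wrapped, so re-export the file from the CA rather than trying to repair it by hand.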
ACE SSL terminate not working ... please help
Hello, I configured a Cisco ACE 4710 with ssl-proxy and it is not working, but http://10.1.40.2 and http://10.1.40.3 are OK. When I put https://10.1.41.20 the output is: "There is a problem with this website's security certificate", so I click "Continue to this website (not recommended)" and the ACE doesn't balance; the output shows the error "Internet Explorer cannot display the webpage".
The configuration:
ace-demo/Admin# sh run
Generating configuration....
boot system image:c4710ace-mz.A3_2_4.bin
boot system image:c4710ace-mz.A3_2_1.bin
login timeout 0
hostname ace-demo
interface gigabitEthernet 1/1
  channel-group 1
  no shutdown
interface gigabitEthernet 1/2
  channel-group 1
  no shutdown
interface gigabitEthernet 1/3
  channel-group 1
  no shutdown
interface gigabitEthernet 1/4
  channel-group 1
  no shutdown
interface port-channel 1
  switchport trunk allowed vlan 400-401,450
  no shutdown
crypto csr-params testparams
  country PE
  state Lima
  locality Lima
  organization-name TI
  organization-unit TI
  common-name www.yyy.com
  serial-number 1000
access-list anyone line 8 extended permit ip any any
access-list anyone line 16 extended permit icmp any any
parameter-map type ssl sslparams
  cipher RSA_WITH_RC4_128_MD5
  version SSL3
rserver host rsrv1
  ip address 10.1.40.2
  inservice
rserver host rsrv2
  ip address 10.1.40.3
  inservice
serverfarm host farm-demo
  rserver rsrv1
    inservice
  rserver rsrv2
    inservice
serverfarm host site-A
  rserver rsrv1
    inservice
serverfarm host site-B
  rserver rsrv2
    inservice
ssl-proxy service testssl
  key testkey.key
  cert testcert.pem
  ssl advanced-options sslparams
class-map type management match-any MGMT
  2 match protocol icmp any
  3 match protocol http any
  4 match protocol https any
  5 match protocol snmp any
  6 match protocol telnet any
  7 match protocol ssh any
class-map match-any VIP
  6 match virtual-address 10.1.41.10 any
class-map type generic match-any WAN-site-A
  2 match source-address 192.168.10.106 255.255.255.255
  3 match source-address 192.168.10.125 255.255.255.255
class-map type generic match-any WAN-site-B
  2 match source-address 192.168.10.96 255.255.255.255
  3 match source-address 192.168.10.93 255.255.255.255
class-map type management match-any icmp
  2 match protocol icmp any
class-map match-any vip-ssl-10.1.41.20
  2 match virtual-address 10.1.41.20 tcp eq https
policy-map type management first-match ICMP
  class icmp
    permit
policy-map type management first-match MGMT
  class MGMT
    permit
policy-map type loadbalance first-match vip-ssl-10.1.41.20
  class class-default
    serverfarm farm-demo
policy-map type loadbalance generic first-match lb-server
  class WAN-site-A
    serverfarm site-A
  class WAN-site-B
    serverfarm site-B
  class class-default
    serverfarm farm-demo
policy-map multi-match client-side
  class VIP
    loadbalance vip inservice
    loadbalance policy lb-server
policy-map multi-match lb-vip
  class vip-ssl-10.1.41.20
    loadbalance vip inservice
    loadbalance policy vip-ssl-10.1.41.20
    loadbalance vip icmp-reply
    ssl-proxy server testssl
interface vlan 400
  description side-server
  ip address 10.1.40.1 255.255.255.0
  access-group input anyone
  service-policy input ICMP
  no shutdown
interface vlan 401
  description side-client
  ip address 10.1.41.1 255.255.255.0
  access-group input anyone
  access-group output anyone
  service-policy input ICMP
  service-policy input client-side
  service-policy input lb-vip
  no shutdown
interface vlan 450
  description mgmt
  ip address 10.1.45.1 255.255.255.0
  access-group input anyone
  service-policy input MGMT
  no shutdown
ip route 192.168.10.0 255.255.255.0 10.1.45.10
And the proof:
ace-demo/Admin# sh serverfarm farm-demo
 serverfarm     : farm-demo, type: HOST
 total rservers : 2
                                                ----------connections-----------
       real                  weight state        current    total      failures
   ---+---------------------+------+------------+----------+----------+---------
   rserver: rsrv1
       10.1.40.2:0           8      OPERATIONAL  0          25         19
   rserver: rsrv2
       10.1.40.3:0           8      OPERATIONAL  0          23         18
ace-demo/Admin# sh crypto files
Filename        File Size   File Type   Exportable   Key/Cert
admin           887         PEM         Yes          KEY
testcert.pem    709         PEM         Yes          CERT
testkey.key     497         PEM         Yes          KEY
ace-demo/Admin#
ace-demo/Admin# sh service-policy lb-vip class-map vip-ssl-10.1.41.20
Status : ACTIVE
Interface: vlan 1 401
service-policy: lb-vip
class: vip-ssl-10.1.41.20
ssl-proxy server: testssl
loadbalance:
L7 loadbalance policy: vip-ssl-10.1.41.20
VIP ICMP Reply : ENABLED
VIP State: INSERVICE
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 38
dropped conns : 18
client pkt count : 159 , client byte count: 12576
server pkt count : 16 , server byte count: 640
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
At another time:
ace-demo/Admin# sh service-policy lb-vip class-map vip-ssl-10.1.41.20
Status : ACTIVE
Interface: vlan 1 401
service-policy: lb-vip
class: vip-ssl-10.1.41.20
ssl-proxy server: testssl
loadbalance:
L7 loadbalance policy: vip-ssl-10.1.41.20
VIP ICMP Reply : ENABLED
VIP State: INSERVICE
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 170
dropped conns : 89
client pkt count : 703 , client byte count: 60089
server pkt count : 85 , server byte count: 3400
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
ace-demo/Admin#
ace-demo/Admin# sh stats crypto server
+----------------------------------------------+
+---- Crypto server termination statistics ----+
+----------------------------------------------+
SSLv3 negotiated protocol: 43
TLSv1 negotiated protocol: 0
SSLv3 full handshakes: 37
SSLv3 resumed handshakes: 0
SSLv3 rehandshakes: 0
TLSv1 full handshakes: 0
TLSv1 resumed handshakes: 0
TLSv1 rehandshakes: 0
SSLv3 handshake failures: 6
SSLv3 failures during data phase: 0
TLSv1 handshake failures: 0
TLSv1 failures during data phase: 0
Handshake Timeouts: 0
total transactions: 0
SSLv3 active connections: 0
SSLv3 connections in handshake phase: 0
SSLv3 conns in renegotiation phase: 0
SSLv3 connections in data phase: 0
TLSv1 active connections: 0
TLSv1 connections in handshake phase: 0
TLSv1 conns in renegotiation phase: 0
TLSv1 connections in data phase: 0
+----------------------------------------------+
+------- Crypto server alert statistics -------+
+----------------------------------------------+
SSL alert CLOSE_NOTIFY rcvd: 0
SSL alert UNEXPECTED_MSG rcvd: 0
SSL alert BAD_RECORD_MAC rcvd: 0
SSL alert DECRYPTION_FAILED rcvd: 0
SSL alert RECORD_OVERFLOW rcvd: 0
SSL alert DECOMPRESSION_FAILED rcvd: 0
SSL alert HANDSHAKE_FAILED rcvd: 0
SSL alert NO_CERTIFICATE rcvd: 0
SSL alert BAD_CERTIFICATE rcvd: 0
SSL alert UNSUPPORTED_CERTIFICATE rcvd: 0
SSL alert CERTIFICATE_REVOKED rcvd: 0
SSL alert CERTIFICATE_EXPIRED rcvd: 0
SSL alert CERTIFICATE_UNKNOWN rcvd: 6
SSL alert ILLEGAL_PARAMETER rcvd: 0
SSL alert UNKNOWN_CA rcvd: 0
SSL alert ACCESS_DENIED rcvd: 0
SSL alert DECODE_ERROR rcvd: 0
SSL alert DECRYPT_ERROR rcvd: 0
SSL alert EXPORT_RESTRICTION rcvd: 0
SSL alert PROTOCOL_VERSION rcvd: 0
SSL alert INSUFFICIENT_SECURITY rcvd: 0
SSL alert INTERNAL_ERROR rcvd: 0
SSL alert USER_CANCELED rcvd: 0
SSL alert NO_RENEGOTIATION rcvd: 0
SSL alert CLOSE_NOTIFY sent: 0
SSL alert UNEXPECTED_MSG sent: 0
SSL alert BAD_RECORD_MAC sent: 0
SSL alert DECRYPTION_FAILED sent: 0
SSL alert RECORD_OVERFLOW sent: 0
SSL alert DECOMPRESSION_FAILED sent: 0
SSL alert HANDSHAKE_FAILED sent: 0
SSL alert NO_CERTIFICATE sent: 0
SSL alert BAD_CERTIFICATE sent: 0
SSL alert UNSUPPORTED_CERTIFICATE sent: 0
SSL alert CERTIFICATE_REVOKED sent: 0
SSL alert CERTIFICATE_EXPIRED sent: 0
SSL alert CERTIFICATE_UNKNOWN sent: 0
SSL alert ILLEGAL_PARAMETER sent: 0
SSL alert UNKNOWN_CA sent: 0
SSL alert ACCESS_DENIED sent: 0
SSL alert DECODE_ERROR sent: 0
SSL alert DECRYPT_ERROR sent: 0
SSL alert EXPORT_RESTRICTION sent: 0
SSL alert PROTOCOL_VERSION sent: 47
SSL alert INSUFFICIENT_SECURITY sent: 0
SSL alert INTERNAL_ERROR sent: 0
SSL alert USER_CANCELED sent: 0
SSL alert NO_RENEGOTIATION sent: 0
+-----------------------------------------------+
+--- Crypto server authentication statistics ---+
+-----------------------------------------------+
Total SSL client authentications: 0
Failed SSL client authentications: 0
SSL client authentication cache hits: 0
SSL static CRL lookups: 0
SSL best effort CRL lookups: 0
SSL CRL lookup cache hits: 0
SSL revoked certificates: 0
Total SSL server authentications: 0
Failed SSL server authentications: 0
+-----------------------------------------------+
+------- Crypto server cipher statistics -------+
+-----------------------------------------------+
Cipher sslv3_rsa_rc4_128_md5: 43
Cipher sslv3_rsa_rc4_128_sha: 0
Cipher sslv3_rsa_des_cbc_sha: 0
Cipher sslv3_rsa_3des_ede_cbc_sha: 0
Cipher sslv3_rsa_exp_rc4_40_md5: 0
Cipher sslv3_rsa_exp_des40_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_md5: 0
Cipher sslv3_rsa_exp1024_des_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_sha: 0
Cipher sslv3_rsa_aes_128_cbc_sha: 0
Cipher sslv3_rsa_aes_256_cbc_sha: 0
Cipher tlsv1_rsa_rc4_128_md5: 0
Cipher tlsv1_rsa_rc4_128_sha: 0
Cipher tlsv1_rsa_des_cbc_sha: 0
Cipher tlsv1_rsa_3des_ede_cbc_sha: 0
Cipher tlsv1_rsa_exp_rc4_40_md5: 0
Cipher tlsv1_rsa_exp_des40_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_md5: 0
Cipher tlsv1_rsa_exp1024_des_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_sha: 0
Cipher tlsv1_rsa_aes_128_cbc_sha: 0
Cipher tlsv1_rsa_aes_256_cbc_sha: 0
ace-demo/Admin# crypto verify testkey.key testcert.pem
Keypair in testkey.key matches certificate in testcert.pem.
ace-demo/Admin#
ace-demo/Admin# sh conn
total current connections : 0
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
Hello Alvaro,
The issue here is that your config is missing the clear text port the ACE should use to send the traffic to the backend servers; in this case port 80.
Remove the rservers from the SF "farm-demo" and then configure them back like this:
serverfarm host farm-demo
  rserver rsrv1 80
    inservice
  rserver rsrv2 80
    inservice
That should do the trick =)
HTH
Pablo -
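Added here as an example, not from the thread: a Python triage helper that parses "sh stats crypto server" counters like those in the post above and flags what a defender would look at first (protocol-version alerts sent to clients, certificate alerts received from clients, SSLv3-only negotiation, weak ciphers, handshake failures). The sample is a constructed subset of the counters from the post, with the values shown there.

```python
import re

# Constructed sample, modelled on the "sh stats crypto server" output in the
# post above (a subset of its counters, values copied from that post).
SAMPLE_STATS = """\
SSLv3 negotiated protocol: 43
TLSv1 negotiated protocol: 0
SSLv3 full handshakes: 37
SSLv3 resumed handshakes: 0
TLSv1 full handshakes: 0
SSLv3 handshake failures: 6
TLSv1 handshake failures: 0
Handshake Timeouts: 0
SSL alert CERTIFICATE_UNKNOWN rcvd: 6
SSL alert UNKNOWN_CA rcvd: 0
SSL alert BAD_CERTIFICATE rcvd: 0
SSL alert PROTOCOL_VERSION sent: 47
SSL alert HANDSHAKE_FAILED sent: 0
Cipher sslv3_rsa_rc4_128_md5: 43
Cipher sslv3_rsa_aes_128_cbc_sha: 0
Cipher tlsv1_rsa_aes_128_cbc_sha: 0
"""

# "name: number" lines only; banner rows and multi-field rows are skipped.
COUNTER_RE = re.compile(r"^(?P<name>[^:]+?)\s*:\s*(?P<value>\d+)\s*$")

# Alerts a client sends when it rejects the certificate the VIP presented.
CLIENT_CERT_REJECT_ALERTS = (
    "SSL alert CERTIFICATE_UNKNOWN rcvd",
    "SSL alert UNKNOWN_CA rcvd",
    "SSL alert BAD_CERTIFICATE rcvd",
    "SSL alert CERTIFICATE_EXPIRED rcvd",
    "SSL alert CERTIFICATE_REVOKED rcvd",
    "SSL alert UNSUPPORTED_CERTIFICATE rcvd",
)
# Substrings of the ACE cipher names that mark export-grade or broken ciphers
# (single DES matches "des_cbc"; 3DES is named "3des_ede_cbc" and does not).
WEAK_CIPHER_MARKERS = ("_exp", "rc4", "md5", "des_cbc")


def parse_counters(text):
    """Turn the counter lines into a {name: int} dict."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            counters[m.group("name")] = int(m.group("value"))
    return counters


def triage(counters):
    """Return (severity, code, message) findings; an empty list means nothing stood out."""
    findings = []

    pv_sent = counters.get("SSL alert PROTOCOL_VERSION sent", 0)
    if pv_sent:
        findings.append(("warn", "client_version_rejected",
                         f"{pv_sent} PROTOCOL_VERSION alerts sent: clients offered a protocol "
                         f"version the VIP does not allow; check 'version' in the ssl parameter-map"))

    rejected = sum(counters.get(k, 0) for k in CLIENT_CERT_REJECT_ALERTS)
    if rejected:
        findings.append(("warn", "cert_rejected_by_client",
                         f"{rejected} certificate alerts received: clients did not trust the "
                         f"presented cert/chain (untrusted issuer, name mismatch or expiry)"))

    sslv3 = counters.get("SSLv3 negotiated protocol", 0)
    tlsv1 = counters.get("TLSv1 negotiated protocol", 0)
    if sslv3 and not tlsv1:
        findings.append(("high", "sslv3_only",
                         f"all {sslv3} negotiated sessions used SSLv3, none used TLS"))

    weak = {k[len("Cipher "):]: v for k, v in counters.items()
            if k.startswith("Cipher ") and v and any(m in k for m in WEAK_CIPHER_MARKERS)}
    if weak:
        findings.append(("high", "weak_cipher",
                         "weak ciphers in use: " + ", ".join(f"{k}={v}" for k, v in sorted(weak.items()))))

    failures = sum(v for k, v in counters.items() if k.endswith("handshake failures"))
    full = sum(v for k, v in counters.items() if k.endswith("full handshakes"))
    if failures:
        findings.append(("warn", "handshake_failures",
                         f"{failures} handshake failures against {full} completed full handshakes"))
    return findings


if __name__ == "__main__":
    for severity, code, message in triage(parse_counters(SAMPLE_STATS)):
        print(f"[{severity}] {code}: {message}")
```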
Best Practice to use one Key on ACE for new CSR?
We generate multiple CSRs on our ACE, but our previous network admin was only using
one key for all new CSR requests.
i.e. we have samplekey.pem key on our ACE;
we use samplekey.pem to generate CSRs for multiple certs.
Is this best practice, or should we be using new keys for each new CSR?
Also, is it OK to delete old CSRs on the LB, since the limit is only 8? Thx -
ACE 4700 configuring SSL termination weblogic server 10.3.6
Hello,
I'm trying to configure an ACE 4700 so that SSL termination is done on the ACE and HTTP reaches the weblogic server instance.
I have a working setup of an Apache reverse proxy doing SSL offloading and using a weblogic module, and that works fine.
Was reading http://docs.oracle.com/cd/E23943_01/web.1111/e13709/load_balancing.htm#i1045186
Can anyone point me to a working config example for doing this with the ACE4700 or give me some directions here?
Kind regards,
Laurens
Hi Laurens,
Here is a basic configuration for SSL termination:
rserver host test
  ip address 10.198.16.98
  inservice
rserver host test2
  ip address 10.198.16.93
  inservice
serverfarm host test
  rserver test 80
    inservice
  rserver test2 80
    inservice
ssl-proxy service TEST
  key cert
  cert cert
class-map match-all VIPSSL
  2 match virtual-address 10.198.16.122 tcp eq https
policy-map type loadbalance first-match test
  class class-default
    serverfarm test
policy-map multi-match clients
  class VIPSSL
    loadbalance vip inservice
    loadbalance policy test
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 112
    ssl-proxy server TEST
interface vlan 112
  ip address 10.198.16.91 255.255.255.192
  access-group input Allow_Access
  nat-pool 1 10.198.16.122 10.198.16.122 netmask 255.255.255.192 pat
  service-policy input NSS_MGMT
  service-policy input clients
  no shutdown
Cesar R
ANS Team -
Presenting a Client Certificate from ACE?
Hi Folks,
This is a bit of an odd one, so please stick with me!
A bit of background:
We currently visit a secure 3rd party website from our company, in order to identify our company to the website we have to use a client-side certificate to authenticate us (before we then login to the website).
As we have a large number of machines, loading a client certificate on to each one has not proved agile enough (this is more a legacy thing). So to work around this we have used a Stunnel proxy which the clients are forwarded to (HTTP), which then proxies the connection as HTTPS and provides the end website with the client cert and does all the bits for SSL. The Stunnel service was meant to be a temporary workaround, about 3 or so years ago (don't you just love those?), and is hosted on a desktop PC which has recently started to crash - there's no real support on this either - which leads me onto the question:
Can the ACE module replace the Stunnel Box in this scenario?
Is it possible to load a client certificate onto the ACE and get it to provide this to an end webserver? I realise that the ACE is probably not designed for this function, however this would get us onto something more stable and has a better internal support function.
I've attached a really basic diagram of how the connectivity operates - but I'm happy to consider suggestions on alternative ways of doing it.
Thanks in advance
Kev
Hi.
It seems not to be possible: http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/initiate.html
I have to check if other products can do what you want, but I have some doubts... -
Use ACE to redirect or insert a WWW in a client request
I am using ACE 4710s running 4.1 to load balance web traffic across our web server farms. Redirection is configured to redirect http to https. There is a new requirement to redirect a request that does not include the "www" in the URL to include the "www". In other words, if a client merely types "mytesturl.com/test1" the ACE is to redirect or rewrite and insert the www so the request becomes "www.mytesturl.com/test1". I am searching through the documentation, but thought I would pick the collective brains of the community at the same time to see who can come up with the correct answer first. Below is a sample of the working config.
Thanks in advance,
mb
rserver host RS_TEST_01
  description ***Test Producation Host***
  ip address 10.64.64.45
  inservice
rserver redirect RD_EC
  description ***TEST Sub-Site***
  webhost-redirection https://www.test.com/EC/
  inservice
rserver redirect http
  webhost-redirection https://%h%p 301
  inservice
serverfarm redirect REDIRECT
  rserver http
    inservice
serverfarm host SF_TEST
  rserver RS_TEST_01 80
    inservice
serverfarm redirect SF_EC
  description ***Test Sub-Site***
  rserver RD_EC
    inservice
sticky ip-netmask 255.255.255.0 address both STICKY_TEST_1
  timeout 600
  replicate sticky
  serverfarm SF_TEST
ssl-proxy service SSL_TEST_1
  key TEST_KEY
  cert TEST_CERT
  chaingroup VERISIGN
  ssl advanced-options SSL_TERMINATION
class-map match-any TEST_VIP_01
  description ***VIP for TEST***
  2 match virtual-address 10.64.74.45 tcp eq https
class-map type http loadbalance match-all TEST_EC
  2 match http url /ec*
policy-map type loadbalance first-match LB_TEST_01
  description ***Load Balancing Policy for Test***
  class TEST_EC
    serverfarm SF_EC
policy-map type loadbalance first-match LB_REDIRECT
  description L7SLBPolicy-Redirect
  class class-default
    serverfarm REDIRECT
policy-map multi-match NEW_WEB_POLICY
  class TEST_VIP_01
    loadbalance vip inservice
    loadbalance policy LB_TEST_01
    loadbalance vip icmp-reply active
    ssl-proxy server SSL_TEST_1
interface vlan 474
  description ***Front End VIP interface***
  ip address 10.64.74.254 255.255.255.0
  alias 10.64.74.252 255.255.255.0
  peer ip address 10.64.74.253 255.255.255.0
  access-group input TEST_WEB
  service-policy input TEST_WEB_POLICY
  no shutdown
Hi Michael,
The configuration to achieve this would be something like the one below. I wrote it without trying it in the lab first, so make sure to test it before putting it in production (especially the syntax of the regular expressions).
rserver redirect http
  webhost-redirection https://%h%p 301
  inservice
rserver redirect http_and_www
  webhost-redirection https://www.%h%p 301
  inservice
serverfarm redirect REDIRECT
  rserver http
    inservice
serverfarm redirect REDIRECT_and_www
  rserver http_and_www
    inservice
class-map type http loadbalance match-all http_with_www
  2 match http header Host header-value www.*
policy-map type loadbalance first-match LB_REDIRECT
  description L7SLBPolicy-Redirect
  class http_with_www
    serverfarm REDIRECT
  class class-default
    serverfarm REDIRECT_and_www
I hope this helps
Daniel -
ACE - FQDN in a class map or other suggestions
It appears it is only possible to use an IP address when creating match conditions in a class map which makes sense.
We are using this basically as a NAT.
i.e. a server sends an HTTP message to the ACE containing XML;
the ACE then encrypts it with an SSL cert, substitutes a public IP address and sends the XML out to a customer IP on the public internet.
Problem is when customer changes the IP address, we need to change the configuration on the ACE. Ideally if I could use a DNS name, then the customer can manage any changes via DNS and not involve us.
Disclaimer: I'm a complete novice to the ACE
Any ideas appreciated!
Hi Rob,
Can you share the current configuration and also the traffic flow here.
Regards,
Kanwal -
Hi all,
Here is my conf/version:
Software
loader: Version 12.2[123]
system: Version A2(3.2) [build 3.0(0)A2(3.2)]
system image file: [LCP] disk0:c6ace-t1k9-mz.A2_3_2.bin
installed license: no feature license is installed
crypto chaingroup myurl.chain
  cert myurl.chain
ssl-proxy service MYURL
  key myurl.key
  cert myurl.cert
  chaingroup myurl.chain
yesterday :
# sh crypto files
Filename        File Size   File Type   Exportable   Key/Cert
myurl.cert      16346       PEM         Yes          CERT
myurl.key       1679        PEM         Yes          KEY
myurl.chain     4972        PEM         Yes          CERT
$ curl https://myurl.com
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
today, no problem with curl :
# sh crypto files
Filename        File Size   File Type   Exportable   Key/Cert
myurl.cert      16253       PEM         Yes          CERT
myurl.key       1675        PEM         Yes          KEY
myurl.chain     4972        PEM         Yes          CERT
Is there an issue with cert or key size?
Sorry, the question was "how did you fix it the first time?"
Or are you talking about different devices?
Also, be aware that the ACE loads your key/cert into memory and stops using the one in flash.
Even if you modify the files in flash, that does not mean the ACE updates the info it has in memory.
So if the files got corrupted and you upload new ones using the same name, it is possible that the ACE kept using the old ones it has in memory.
I usually recommend using different names and updating the ssl-proxy config with the new names in order to force it to reload the new info.
Or remove the ssl-proxy config completely, upload the new files and reconfigure the proxy.
Gilles.