Cisco ACE - Exempt HTTP URL from SSL Offloading

Hi,
I have a Cisco ACE module A2 (3.6). I am offloading the URL www.abc.com on the Cisco ACE. HTTP redirection to HTTPS is working, and over HTTPS I am able to browse the website perfectly. The real servers are redirecting some pages over HTTP. Due to the page redirection from the web server I have to exempt one URL (http://www.abc.com/modules/docs/abc.aspx) from SSL offloading. Is this possible, or as a workaround do I have to rewrite the complete URL www.abc.com as the SSL port?
Your inputs are highly appreciated.
Regards,

Hi Masif,
In case you have not gotten assistance with this one, you just need to specify the URL and match it at the top of the load-balance policy that is already doing the redirection.
class-map type http loadbalance match-any No-Redirect
  2 match http url /docs/abc.aspx
policy-map type loadbalance first-match ABC
  class No-Redirect
    serverfarm HTTP-Servers
  class class-default
    serverfarm Redirect
Hope this helps.
Pablo 
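A fuller configuration of the exemption Pablo describes, added here as an illustration; it is not taken from the thread or from Cisco documentation, and it goes beyond Pablo's snippet by showing both VIPs (port 80 with the exemption, port 443 with offloading) end to end. The class and serverfarm names follow his reply; the VIP 10.0.0.10, the real-server address 192.0.2.11, the ssl-proxy service SSL-ABC and the key/cert object names abc-key and abc-cert are constructed placeholders, and the lines starting with "!" are explanatory comments to drop before pasting. Two things matter for the match: `match http url` takes a regular expression, so the dot in the file name is escaped, and the exemption class must be listed above class-default, because a first-match policy stops at the first class that matches. The exempted page is then served in clear text, so keep the match as narrow as the application allows and have the web server flag its session cookie Secure so browsers never send it over that one HTTP request.

```text
! --- added example: HTTP VIP redirects everything to HTTPS except one URL ---
rserver redirect REDIRECT-TO-HTTPS
  webhost-redirection https://www.abc.com/%p 301
  inservice
rserver host WEB1
  ip address 192.0.2.11
  inservice

serverfarm redirect Redirect
  rserver REDIRECT-TO-HTTPS
    inservice
serverfarm host HTTP-Servers
  rserver WEB1 80
    inservice

! the one page allowed to stay on port 80; the dot is escaped because
! "match http url" takes a regular expression
class-map type http loadbalance match-any No-Redirect
  2 match http url /modules/docs/abc\.aspx

! port-80 policy: the exemption sits before class-default, because a
! first-match policy stops at the first class that matches
policy-map type loadbalance first-match ABC-HTTP
  class No-Redirect
    serverfarm HTTP-Servers
  class class-default
    serverfarm Redirect

! port-443 policy: the ACE terminates TLS and forwards everything in clear text
policy-map type loadbalance first-match ABC-HTTPS
  class class-default
    serverfarm HTTP-Servers

ssl-proxy service SSL-ABC
  key abc-key
  cert abc-cert

class-map match-all VIP-HTTP
  2 match virtual-address 10.0.0.10 tcp eq www
class-map match-all VIP-HTTPS
  2 match virtual-address 10.0.0.10 tcp eq https

policy-map multi-match ABC-VIPS
  class VIP-HTTP
    loadbalance vip inservice
    loadbalance policy ABC-HTTP
  class VIP-HTTPS
    loadbalance vip inservice
    loadbalance policy ABC-HTTPS
    ssl-proxy server SSL-ABC
```

The multi-match policy still has to be applied with `service-policy input ABC-VIPS` on the client-facing VLAN interface, as in the longer configuration further down this page. To check the result, request the exempted path and one other path on port 80 without following redirects: the first should answer with the page itself, the second with a 301 whose Location header starts with https://.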

Similar Messages

  • How to do Handshake with tired party(bank) HTTPS URL from SAP PI server

    Dear Expert,
    I have developed a bunch of scenarios; all are synchronous ABAP proxy to HTTP_AAE with the bank on PI 7.4 (dual stack). The bank's web server is HTTPS enabled. Our ABAP developments are still in progress, and we also have a few issues in the connection from ECC to PI, but that is not the focus of discussion here.
    We want to do the handshake to check the connectivity with the bank on their HTTPS URL from PI. The bank has provided the private key for SSL from their server, and the corresponding public key they have maintained on their server. I have imported the private key under NWA -> Certificates -> Key Storage -> TrustedCA -> Import Entry -> Entry Type -> PKCS#12 -> select the SSL.p12 file -> import. I have also selected the option "Use SSL" in the HTTP_AAE receiver communication channel and selected the corresponding entry in "keystore view" and "keystore entry". All this I have done in our DEV system, and we are trying to connect our PI dev to the bank's dev server.
    Questions
    Are there any specific steps to do the handshake with a third-party HTTPS server (the bank in my case)? If not, how can we just test the HTTPS connectivity by using the SSL private key installed on our PI server, without running the complete scenarios? Our PI has been installed on UNIX, and "telnet https url 443" is working, as the network team has opened the HTTPS port.
    We have not enabled SSL on our PI server itself, and we have not installed any certificate generated from our PI server. Moreover, we have not made our PI URL "https:hostname:port", as we just need to communicate with the bank by using their private key. Do you think we should enable SSL? If yes, please explain why.
    What is the best practice to test the connection with a third party having an HTTPS URL? How can I just make sure HTTPS communication is working fine before testing my actual scenarios?
    Thanks for helping always.
    Regards,
    Farhan

    Hi Farhan,
    Some part of the blog is applicable for sending HTTPS requests to partners/third parties (Receiver SOAP Adapter).
    If the bank's certificates are already in TrustedCA, then can you check if they are also imported under user PIISuser under Identity Management in NWA? If the above two steps are done, then I think you are good to go. But be careful when you install the certificate; it should be in the proper order.
    As you already mentioned, connectivity is already established and you are able to ping/telnet from the PI server, so connectivity looks OK.
    While sending the request, if you are getting 401 Unauthorized, the below might be the reason:
    1. Certificate not installed correctly or some missing steps
    2. Partner or TP is not ready to receive it; some certificate issue on their side.
    Other than 401 means you are OK (as per certificate and connectivity); 403 and 500 errors are the next stops.
    403: error because of encoding method.
    500: data issue.
    Regards
    Aashish Sinha

  • ACE match http url with post data

    I need to make a layer-7 load balancing decision at the ACE module based on a URL string that includes form POST data. It is important that the balancing decision include and parse the part of the URL after the question mark. This doesn't seem to work with the "match http url" config on the ACE. My interpretation is that the ACE does not consider the POST data to be part of the URL string, and therefore does not include it in the regular expression matching. Am I missing something here, or have I run into a limitation of the ACE module?
    class-map type http loadbalance match-any L7__URL_MATCH_CLASS
    2 match http url index.php\?field=content.*

    Hi
    The '?' has a special meaning in the URL: it marks the end of the main URL and the beginning of the URL query.
    It's not possible to match '?' in the URL.
    One option could be using secondary cookie matching in the ACE.
    class-map type http loadbalance match-any xyz
    2 match http cookie secondary field cookie-value content
    Thanks
    Syed

  • Hitting a HTTPS url from SAP PI

    Dear All,
    Please let me know how to hit an HTTPS URL using the plain HTTP adapter in SAP PI. I was just provided with a URL and user credentials.
    Regards
    Koti Reddy

    Hi Koti,
    Please perform the HTTPS settings mentioned in the link below before you start using it.
    http://scn.sap.com/docs/DOC-26145
    Regards,
    Naveen

  • How to pass client IP address via CSS with SSL offload?

    Hello,
    We use a Cisco CSS 11501S to do the SSL offload of web servers in one-armed mode, so we have to SNAT the client IP in order to guarantee the correct return path via the CSS. In this case the web server can only see the IP address of the VIP used for SNAT. Is there a way to pass the customer's IP to the web server, i.e. insert a customized HTTP header, something like HTTP_REMOTEADDRESS:<IP address of the client>, similar to what is possible with a BIG-IP device, for instance?
    Second question: is there a way to get from the CSS access log data similar to what we have in the Apache access.log file, to be used by Webalizer or a similar application to analyze web traffic?

    Scott,
    If you're not doing source NAT, the CSS will spoof the client IP and therefore there is no need to save the client IP in the HTTP header.
    Gilles.

  • Call http url in Abap - Should not open Browser

    Hi Friends,
    I have a requirement where I need to check whether a particular HTTP service is running or not. For that I need some code to call an HTTP URL from ABAP, and it should not open the browser. If that particular URL is not found or times out, then I should know that in the program...
    Is there any way to do that?

    Just run the following URL (after changing the values for host, etc.) from the browser:
    http://<abaphost>.<domain>.com:<port>/sap/public/ping
    To get the values for http://<abaphost>.<domain>.com:<port>, just go to transaction SE80, choose the BSP application option, choose any existing BSP application, and then double-click on a page. On the right side click on the Attributes tab, and at the end you can find the URL.
    Regards
    Raja

  • Reading from a HTTP site from PL/SQL

    Hi,
    Can we access an http: URL from PL/SQL and read an XML from there?
    Regards
    Praveen Padala

    http://download-west.oracle.com/docs/cd/B10501_01/appdev.920/a96612/u_http.htm#ARPLS070

  • Cisco ACE SSL Offloading not working

    Dear All,
    I have configured SSL offloading on the ACE. When I tried to test it from the PC I found that:
    1. When I try to test the SSL offloading by (https://192.168.69.110) I can reach the main page on WEB1, but I can't open any virtual directory or any link inside this server (ex: https://192.168.69.110/web).
    Thanks,
    Bader

    Hello Mohammed,
    The behavior you are getting is totally expected since you are NOT matching the URL.
    Why don't you try this?
    (config-cmap-http-lb)# class-map type http loadbalance match-all MATCH-URL
    (config-cmap-http-lb)# match http url /.*
    class-map type http loadbalance match-all MATCH-URL
      2 match http url /.*
    Also you can try this one instead of the one above, since this one will be more specific:
    class-map type http loadbalance match-all MATCH-URL
      2 match http url /web.*
    policy-map type loadbalance first-match WEB-SERVERS-LB
      class MATCH-URL
        sticky-serverfarm Sticky-WEB-SERVERS
      class class-default
        sticky-serverfarm Sticky-WEB-SERVERS
    Please mark it, if it fixes your issue.
    Jorge

  • ACE 4710 & SSL Offloading

    I am testing the 4710 for load balancing between 2 web servers. I have the HTTP portion working just fine but would like to get some input on the SSL portion.
    We have a section of our site that requires user login, and the whole session is HTTPS from when they log in and while they are browsing through our site.
    My questions are about the design aspects. Would this best be designed using SSL offloading and then using clear text from the ACE to the web servers? Also, what would the differences be when configuring SSL offloading with stickiness if configured with HTTP server load balancing on the same server farm versus creating a new server farm just for HTTPS? Would end-to-end SSL be best in this scenario?
    Description of the web application usage:
    Users log in and their whole session is https. Users will be filling out forms, inputting data, registering for events and uploading some files.

    Okay so that makes sense to me now. When the client requests an HTTPS page and the ACE terminates the connection, the ACE uses SSL rewrite/redirect to send the request back to the client so that the client still maintains the SSL connection. Otherwise it will request an HTTP page instead of the HTTPS page.
    Am I correct?

  • ACE SSL offloading troubleshooting

    Hi All,
    I need some help troubleshooting ACE SSL offloading. Can anybody post the link to the commands for troubleshooting?
    Regards,
    Thiyagu

    Hi Thiyagu
    Have a read of the following link. What is the issue you are seeing?
    http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Troubleshooting_Guide_--_Troubleshooting_SSL#Troubleshooting_ACE_SSL
    Regards Craig

  • Is it possible to call API over http(not on ssl) from inside a secure page which is on HTTPS

    Hi Guys
    We are running an HttpListener on localhost exposing an HTTP-based endpoint. Can we call this URL from a website which is exposed over HTTPS when it opens from the same machine?
    Note: the site being opened in the browser is using HTTPS and is on SSL.
    If possible, can someone please help?
    regards
    Mukesh V

    hjuarez wrote:
      Please re-read my first post. I think it is clear.
    I disagree.
      I want to import a dll
    It is not clear if you are aware that .dll files are a Windows thing.
      but I have to run the java code on a solaris box in order to use its methods in java,
    It is not clear if you are aware using .dll files in a Solaris environment has nothing to do with Java.
      My question was if there is a solution -or not- that faces this kind of issues.
    It is not clear if you are talking about Sun Solaris or x86 Solaris. I don't know if it makes any difference, but it might.
      Maybe your question is: why this guy wants to do something like this?
    No. I am not concerned with that. Just trying to help you ask the right questions. And maybe you will find the answers yourself once you have the right questions.
      I'm integrating some biometric solutions on Sun Access Manager. But the biometrics vendor only provides windows ocx's and DLL's. And Access Manager is running in a Solaris box.
      I want to know if I can do something by myself or just tell the biometrics vendor that they must provide a Java solution.
      I have been trying to find something on the web, but I asked this forum because maybe someone has tried to do something similar.
    The suggestion by jschell is probably your most promising option: integrating the .dll files with Java on a Windows box and communicating between Access Manager / Java on the Solaris box and your Java code on the Windows box (possibly using RMI).

  • How can i convert a url from https to http?

    Hi,
    SSL is enabled in WLS 9.2 and it's working fine, and I am able to access the login page in secure (https) mode. After this page I need to convert the URL from https mode to http. For enabling https I added some code in web.xml. For switching from https to http I don't know anything.
    Please give me a suggestion.
    Thanks in advance.

    Export it from iPhoto. This process will make a QuickTime movie of it. That will play on an PC that has QuickTime installed - and that's a free download for PC, and comes with iTunes for PC
    Regards
    TD

  • Can any body help me in reading from HTTPS URL

    I need to read an HTTPS URL and store the response within a table.
    How will I manage to do it from within a servlet using URLConnection and openStream, as it doesn't work?
    How will JSSE help in this regard?
    I also need to give the user ID and password to get into the file and read it:
    https://anyhost.com/readthisfile.html
    somnath
    Web Developer

    Hi,
    The Java Secure Socket Extension (JSSE) library from Sun Microsystems lets you access a secure Web server from behind a firewall via
    proxy tunneling. To do this, the JSSE application needs to set the https.ProxyHost and https.ProxyPort system properties. The
    tunneling code in JSSE checks for "HTTP 1.0" in the proxy's response. If your proxy, like many, returns "HTTP 1.1", you will get an
    IOException. In this case, you need to implement your own HTTPS tunneling protocol.
    In this article, I will show you how to create a secure socket that tunnels through the firewall, and pass it to the HTTPS stream handler to
    open HTTPS URLs using the URLConnection class.
    Open the http tunnel socket to the proxy
    The first step to creating your secure socket is to open the tunneling socket to the proxy port. The code needed to do this proxy
    handshaking can be found in the sample code SSLClientSocketWithTunneling.java that comes with the JSSE distribution. First, a normal socket is created that connects to
    the proxy port on the proxy host (line 65). After the socket is created, it is passed to the doTunnelHandshake() method where the proxy's tunneling protocol is called:
    54 SSLSocketFactory factory =
    55 (SSLSocketFactory)SSLSocketFactory.getDefault();
    56
    57 /*
    58 * Set up a socket to do tunneling through the proxy.
    59 * Start it off as a regular socket, then layer SSL
    60 * over the top of it.
    61 */
    62 tunnelHost = System.getProperty("https.proxyHost");
    63 tunnelPort = Integer.getInteger("https.proxyPort").intValue();
    64
    65 Socket tunnel = new Socket(tunnelHost, tunnelPort);
    66 doTunnelHandshake(tunnel, host, port);
    In doTunnelHandshake(), an http "CONNECT" command is sent to the proxy, with the secure site's hostname and port number as the parameters (line 161). In the original
    tunneling code on line 206 in JSSE, it then checks for "HTTP/1.0 200" in the proxy's reply. If your organization's proxy replies with "HTTP 1.1", an IOException will be
    thrown. To get around this, the code here checks for the reply "200 Connection Established", which indicates that tunneling is successful (line 207). You can modify the
    code to check for the expected corresponding response from your proxy:
    139 private void doTunnelHandshake(Socket tunnel, String host, int port)
    140 throws IOException
    141 {
    142 OutputStream out = tunnel.getOutputStream();
    143 String msg = "CONNECT " + host + ":" + port + " HTTP/1.0\n"
    144 + "User-Agent: "
    145 + sun.net.www.protocol.http.HttpURLConnection.userAgent
    146 + "\r\n\r\n";
    147 byte b[];
    148 try {
    149 /*
    150 * We really do want ASCII7 -- the http protocol doesn't change
    151 * with locale.
    152 */
    153 b = msg.getBytes("ASCII7");
    154 } catch (UnsupportedEncodingException ignored) {
    155 /*
    156 * If ASCII7 isn't there, something serious is wrong, but
    157 * Paranoia Is Good (tm)
    158 */
    159 b = msg.getBytes();
    160 }
    161 out.write(b);
    162 out.flush();
    163
    164 /*
    165 * We need to store the reply so we can create a detailed
    166 * error message to the user.
    167 */
    168 byte reply[] = new byte[200];
    169 int replyLen = 0;
    170 int newlinesSeen = 0;
    171 boolean headerDone = false; /* Done on first newline */
    172
    173 InputStream in = tunnel.getInputStream();
    174 boolean error = false;
    175
    176 while (newlinesSeen < 2) {
    177 int i = in.read();
    178 if (i < 0) {
    179 throw new IOException("Unexpected EOF from proxy");
    180 }
    181 if (i == '\n') {
    182 headerDone = true;
    183 ++newlinesSeen;
    184 } else if (i != '\r') {
    185 newlinesSeen = 0;
    186 if (!headerDone && replyLen < reply.length) {
    187 reply[replyLen++] = (byte) i;
    188 }
    189 }
    190 }
    191
    192 /*
    193 * Converting the byte array to a string is slightly wasteful
    194 * in the case where the connection was successful, but it's
    195 * insignificant compared to the network overhead.
    196 */
    197 String replyStr;
    198 try {
    199 replyStr = new String(reply, 0, replyLen, "ASCII7");
    200 } catch (UnsupportedEncodingException ignored) {
    201 replyStr = new String(reply, 0, replyLen);
    202 }
    203
    204 /* We check for Connection Established because our proxy returns
    205 * HTTP/1.1 instead of 1.0 */
    206 //if (!replyStr.startsWith("HTTP/1.0 200")) {
    207 if(replyStr.toLowerCase().indexOf(
    208 "200 connection established") == -1){
    209 throw new IOException("Unable to tunnel through "
    210 + tunnelHost + ":" + tunnelPort
    211 + ". Proxy returns \"" + replyStr + "\"");
    212 }
    213
    214 /* tunneling Handshake was successful! */
    215 }
    Overlay http tunnel socket with SSL socket
    After you have successfully created the tunneling socket, you overlay it with the SSL socket. Again, this is not difficult to do:
    54 SSLSocketFactory factory =
    55 (SSLSocketFactory)SSLSocketFactory.getDefault();
    56
    57 /*
    58 * Set up a socket to do tunneling through the proxy.
    59 * Start it off as a regular socket, then layer SSL
    60 * over the top of it.
    61 */
    62 tunnelHost = System.getProperty("https.proxyHost");
    63 tunnelPort = Integer.getInteger("https.proxyPort").intValue();
    64
    65 Socket tunnel = new Socket(tunnelHost, tunnelPort);
    66 doTunnelHandshake(tunnel, host, port);
    67
    68 /*
    69 * Ok, let's overlay the tunnel socket with SSL.
    70 */
    71 SSLSocket socket =
    72 (SSLSocket)factory.createSocket(tunnel, host, port, true);
    73
    74 /*
    75 * register a callback for handshaking completion event
    76 */
    77 socket.addHandshakeCompletedListener(
    78 new HandshakeCompletedListener() {
    79 public void handshakeCompleted(
    80 HandshakeCompletedEvent event) {
    81 System.out.println("Handshake finished!");
    82 System.out.println(
    83 "\t CipherSuite:" + event.getCipherSuite());
    84 System.out.println(
    85 "\t SessionId " + event.getSession());
    86 System.out.println(
    87 "\t PeerHost " + event.getSession().getPeerHost());
    88 }
    89 }
    90 );
    The code had called the SSLSocketFactory's getDefault() method earlier to get an instance of the SSLSocketFactory (line 54, repeated above). Next, it passes the
    tunneling socket that was created in the previous step to the createSocket() method of the SSLSocketFactory. The createSocket() method returns an SSLSocket that is
    connected to the destination host and port via the proxy tunnel. You can optionally add a HandshakeCompletedListener to the socket if you wish to be informed when the
    SSL handshaking is completed.
    The SSLSocket created is basically ready for use to transfer secure contents. The startHandshake() method is called to start the SSL handshaking (line 98). After which, you
    can issue the http "GET" command to retrieve the secure pages (line 105):
    91
    92 /*
    93 * send http request
    94 *
    95 * See SSLSocketClient.java for more information about why
    96 * there is a forced handshake here when using PrintWriters.
    97 */
    98 socket.startHandshake();
    99
    100 PrintWriter out = new PrintWriter(
    101 new BufferedWriter(
    102 new OutputStreamWriter(
    103 socket.getOutputStream())));
    104
    105 out.println("GET http://www.verisign.com/index.html HTTP/1.0");
    106 out.println();
    107 out.flush();
    However, issuing http commands to the tunneling SSL socket to access Webpages is not ideal because it would mean having to rewrite the whole http protocol handler from
    scratch. Instead, you should use the HTTPS URL APIs that the JSSE already includes for that purpose. To do this, you have to pass the tunneling SSL socket to the HTTPS URL
    stream handler.
    Pass SSL socket to HTTPS URL stream handler
    The JSSE library has an HttpsURLConnection class that is in the com.sun.net.ssl package, which extends the java.net.URLConnection class. An HttpsURLConnection object
    is returned by the URL object's openConnection() method when "HTTPS" is specified as the protocol. The HttpsURLConnection class has a method, setSSLSocketFactory(),
    that lets you set an SSLSocketFactory of your choice. To pass the tunneling SSL socket to the HTTPS URL stream handler, you would set the setSSLSocketFactory()
    method's parameter with a socket factory that returns the tunneling SSL socket that you created previously.
    To do this, you would wrap the code discussed previously in an SSLTunnelSocketFactory class that extends from the SSLSocketFactory class. The SSLSocketFactory is an
    abstract class. To extend it, you must implement the createSocket() method to return the tunneling SSL socket that you created earlier:
    12 public SSLTunnelSocketFactory(String proxyhost, String proxyport){
    13 tunnelHost = proxyhost;
    14 tunnelPort = Integer.parseInt(proxyport);
    15 dfactory = (SSLSocketFactory)SSLSocketFactory.getDefault();
    16 }
    44 public Socket createSocket(Socket s, String host, int port,
    45 boolean autoClose)
    46 throws IOException,UnknownHostException
    47 {
    48
    49 Socket tunnel = new Socket(tunnelHost,tunnelPort);
    50
    51 doTunnelHandshake(tunnel,host,port);
    52
    53 SSLSocket result = (SSLSocket)dfactory.createSocket(
    54 tunnel,host,port,autoClose);
    55
    56 result.addHandshakeCompletedListener(
    57 new HandshakeCompletedListener() {
    58 public void handshakeCompleted(HandshakeCompletedEvent event) {
    59 System.out.println("Handshake finished!");
    60 System.out.println(
    61 "\t CipherSuite:" + event.getCipherSuite());
    62 System.out.println(
    63 "\t SessionId " + event.getSession());
    64 System.out.println(
    65 "\t PeerHost " + event.getSession().getPeerHost());
    66 }
    67 }
    68 );
    69
    70 result.startHandshake();
    71
    72 return result;
    73 }
    Notice that the SSLTunnelSocketFactory contains a default SSLSocketFactory object. The default SSLSocketFactory object can be instantiated from a call to the static
    method getDefault() (line 15). You need this SSLSocketFactory object to overlay the tunnel socket with the SSL socket, as discussed earlier. You also call the default
    object's getDefaultCipherSuites() and getSupportedCipherSuites() methods when implementing the corresponding abstract methods of the SSLSocketFactory super
    class. For implementation details, please refer to the complete source code for the SSLTunnelSocketFactory in Resources.
    Tunnel through the proxy via URLConnection
    To tunnel through the proxy via URLConnection in your JSSE application, after you call the openConnection() method, check if the returned object is that of the
    HttpsURLConnection. If so, you instantiate your SSLTunnelSocketFactory object and set it in the setSSLSocketFactory() method (lines 22 through 25):
    10 public class URLTunnelReader {
    11 private final static String proxyHost = "proxy.sg.ibm.com";
    12 private final static String proxyPort = "80";
    13
    14 public static void main(String[] args) throws Exception {
    15 System.setProperty("java.protocol.handler.pkgs",
    16 "com.sun.net.ssl.internal.www.protocol");
    17 //System.setProperty("https.proxyHost",proxyHost);
    18 //System.setProperty("https.proxyPort",proxyPort);
    19
    20 URL verisign = new URL("https://www.verisign.com");
    21 URLConnection urlc = verisign.openConnection(); //from secure site
    22 if(urlc instanceof com.sun.net.ssl.HttpsURLConnection){
    23 ((com.sun.net.ssl.HttpsURLConnection)urlc).setSSLSocketFactory
    24 (new SSLTunnelSocketFactory(proxyHost,proxyPort));
    25 }
    26
    27 BufferedReader in = new BufferedReader(
    28 new InputStreamReader(
    29 urlc.getInputStream()));
    30
    31 String inputLine;
    32
    33 while ((inputLine = in.readLine()) != null)
    34 System.out.println(inputLine);
    35
    36 in.close();
    37 }
    38 }
    You can then access the HTTPS URLs using the APIs provided by the URLConnection class. You don't need to worry about the format of the http GET and POST commands,
    which you would if you used the SSL Socket APIs.
    The complete source code for the SSLTunnelSocketFactory and the application code that connects to a secure URL using proxy tunneling is included in Resources. To
    compile and run the application, you would need to download and install Sun's JSSE from its Website, also listed in Resources.
    Conclusion
    If your JSSE application could not tunnel through your organization's firewall, you need to implement your own tunneling socket. The sample code included with the JSSE
    distribution shows you how to open an SSL socket tunnel. This article goes one step further to show you how to pass the tunneling socket to the HTTPS URL stream handler,
    and saves you the trouble of rewriting an HTTP handler.
    I hope this will help you.
    Thanks
    Bakrudeen

  • ACE ssl offloading

    Hi,
    I need to configure SSL offloading so that the user will send the request on port 443 while the ACE does the SSL offload, so the servers will handle an HTTP connection. My current config is as below (I haven't copied probe port80 here):
    rserver host server1:80
      ip address 192.168.1.1
      inservice
    serverfarm host secure-rediect-SF
      probe port80
      rserver server1:80
        inservice
    class-map match-any secure-rediect-CM
      match virtual-address 10.10.1.1 tcp eq 80
    policy-map type loadbalance first-match secure-rediect-PM
      class class-default
        sticky-serverfarm secure-rediect-SG
    policy-map multi-match LBR-LB
      class secure-rediect-CM
        loadbalance vip inservice
        loadbalance policy secure-rediect-PM
        loadbalance vip icmp-reply
    Could you help? How do I configure SSL offloading, and what is required to configure it?

    Hello, Gavin
    Here you have some additional examples which might help you out:
    Admin# sh crypto files
    Filename                                 File  File    Expor      Key/
                                             Size  Type    table      Cert
    cert-test                                2088  PEM     Yes        CERT
    key-test                                 1675  PEM     Yes         KEY
    # crypto verify key-test cert-test
    Keypair in key-test matches certificate in cert-test
    Admin(config)# crypto chaingroup my-chaingroup
    Admin(config-chaingroup)# cert my-root
    Admin(config-chaingroup)# cert my-intermediate
    ACE-M2/Admin(config-chaingroup)# exit
    Admin# sh crypto chaingroup all
    chaingroup muflas contains:
    my-root
    my-intermediate
    (config)# ssl-proxy service my-ssl-proxy
    Admin(config-ssl-proxy)# chaingroup my-chaingroup
    Admin(config-ssl-proxy)# cert cert-test
    Admin(config-ssl-proxy)# key key-test 
    Admin(config-ssl-proxy)# end
    Then finally, your configuration should look like this:
    interface vlan 100
      ip address 10.198.16.75 255.255.255.192
      access-group input Allow_Access
      nat-pool 1 10.198.16.103 10.198.16.103 netmask 255.255.255.192 pat
      service-policy input MGMT
      service-policy input my-multimatch
      no shutdown
    policy-map multi-match my-multimatch
      class vip
        loadbalance vip inservice
        loadbalance policy http
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 100
      class ssl
        loadbalance vip inservice
        loadbalance policy http
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 100
        ssl-proxy server my-ssl-proxy
    class-map match-all ssl
      2 match virtual-address 10.198.16.103 tcp eq https
    class-map match-all vip
      10 match virtual-address 10.198.16.103 tcp eq www
    policy-map type loadbalance http first-match http
      class class-default
        serverfarm http
    serverfarm host http  
      rserver 1-80 80
        inservice
      rserver 2-80 80
        inservice
    rserver host 1-80
      ip address 10.198.16.99
      inservice
    rserver host 2-80
      ip address 10.198.16.100
      inservice
    ssl-proxy service my-ssl-proxy
      key key-test
      cert cert-test
      chaingroup my-chaingroup
    Hope this helps!!!

  • Cisco ACE SSL termination

    Hello Friends,
    I need your help on Cisco ACE SSL termination.
    If I import the certificate and key (.PEM), where will these files be saved?
    Can we download the .PEM file any time we need it (backup)?
    Suppose my .PEM got hacked and the hacker is sniffing the data packets going through the web server; is it possible to decrypt the packets and see the exact packet?
    Regards,
    Naren

    Naren,
    1. In order to import certs and keys, please see the following link to the command reference.  To summarize, any time you import/export/delete keys/certs, you are doing so via commands in exec mode.  Regarding how and where the ACE actually saves this information, I do not know this answer.
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/command/reference/execmds.html#wp1616651
    2. You can import a key as non-exportable if you do not want it to be exportable later. If you import it as exportable, you can always export it later for backups or whatnot.
    3. You can decrypt captured HTTPS traffic if you have the private key.  It is important to limit access to it.  Please see this link for more info on using Wireshark to view decrypted HTTPS traffic: http://wiki.wireshark.org/SSL
    Hope this helps!
    Regards,
    Matt
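    A follow-up to Matt's points 2 and 3, added here as an illustration and not taken from the thread: importing the private key as non-exportable so it cannot be copied back off the ACE (which is what makes the "private key got hacked" case in the question much harder), then confirming the key matches the certificate before binding the pair to an ssl-proxy service. The SFTP host 192.0.2.50, the user name admin, the file names and the object names abc-key/abc-cert are constructed placeholders, the sizes in the sample output are illustrative, and the command forms are written from memory of the ACE command reference Matt links to, so check them against that reference for your software version before use. Lines starting with "!" are explanatory comments.

```text
! the private key goes in as non-exportable; the certificate is public, so exportable is fine
Admin# crypto import non-exportable sftp 192.0.2.50 admin abc-key.pem abc-key
Admin# crypto import sftp 192.0.2.50 admin abc-cert.pem abc-cert
! confirm the key pair matches the certificate before using them in an ssl-proxy service
Admin# crypto verify abc-key abc-cert
Keypair in abc-key matches certificate in abc-cert
! the Exportable column should now read No for the key
Admin# show crypto files
Filename                                 File  File    Expor      Key/
                                         Size  Type    table      Cert
abc-cert                                 2088  PEM     Yes        CERT
abc-key                                  1675  PEM     No          KEY
```

    A non-exportable key still needs a backup path: keep the original PEM in the same protected store you would use for any server private key, since a later `crypto export` of that key name will be refused. Anyone who can read that PEM, or the running ACE's exec mode, can decrypt captured TLS sessions that used it (RSA key exchange) exactly as Matt describes, so rotate the certificate and key if either is suspected of exposure.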
