HTTPS ans SSL with CSS (No SSL Module)

Similar Messages

• Client Http Connection Problems With CSS

  Hi,
  We have a pair of CSS 11050s configured in a redundant pair. We have a content service defined on both CSS's. They are configured for Layer 5 balancing, with Sticky timout configured at Layer 4 for the respective service (I don't know if this is correct).
  When doing a show service summary on both CSS boxes - the content servers are seen as alive. There do not appear to be any problems. However when clients try to connect to the content, there is often a very noticeable delay in connection.
  First attempt, the http request does not reach the web server and is not displayed in the log during this delay. On first access to the login URL, no page was returned for 50 secs, no entry in the web server logs, and the browser displayed “page cannot be displayed” after 50 seconds. On a 2nd attempt, the same happened (again 50 secs before timeout). On the 3rd attempt, after 25 seconds the request appeared in the Apache log, and the page was displayed on the browser. I can now access all areas of the HTML based application without further delays, and subsequent logins are not subject to the same delay.
  It is almost as if the CSS's need to cache information - but so far I have not managed to find any explanation for this.
  Any help would be most gratefully received.

  Hello Rus!
  I have recently experince the same issue serveral times. My fix was to reload the CSS. Not sure why this happens but it seems that all is well! Also check your "sticky-inact-timeout XX" setting in your content rule. Cisco recommed 60 min for connections to timeout.

• CSS with single SSL module.. balance option needed?

  Hi all,
  Quick question. If you have a CSS 11503 with one SSL offload module installed.. is there any point in using the "application ssl" and "advanced-balance ssl" options in the content rule? I can't find any info that tells me for sure but I'm guessing that these options can be used to balance between multiple ssl modules and provide stickiness to the modules etc.. but doesn't have any effect on the traffic distribution and stickiness to the backend server services?
  For example if I have a L5 content rule like the one below and only one SSL module, should i remove the "application ssl" and "advanced-balance ssl" options and just use the port 80 content rule which the ssl proxy lists offloads traffic too and apply the "advanced-balance sticky-srcip-dstport" and "balance leastconn" there ?
    content DEVCOM_TCP443_L5
      vip address x.x.x.x
      application ssl
      advanced-balance ssl
      protocol tcp
      port 443
      url "//dev.subdomain.domain.com/*"
      add service ssl_module1
      active
  I have read various forum postings and i read the CSS SSL config guide but the examples all seem to differ in their implementation.
  Many thanks
  Scott

  You're correct.
  There is no need to specify the application type as ssl and the advanced-balance method when using a single ssl module.
  Gilles.

• HTTPS Keepalive with the CSM & SSL Module

  Has anyone had any success getting a secured web page for a keepalive using the CSM with and SSL module. If so can post an example?
  Thank you,
  Dave

  Hi David,
  Here find some full config example for your perusal for CSM and SSL Services Module Initial Configuration Example
  http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a0080216c16.shtml
  2nd config example to Configuring CSM to Load Balance SSL to a Farm of SCAs for One-Armed Proxy Mode
  http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00801aca55.shtml
  Sachin garg

• HTTPS balance without a SSL Module

  I have read thru the forum and found a couple threads talking about this issue but didnt find a solution to my problem.
  I have 2 CSS11503s without SSL modules. I now have a need to balance a KVMoIP system that uses ssl on the servers(currently only 5 concurrent users). My balance is simply for ease of use for my customers so they dont have to know the url for the primary and secondary servers. Here is what I have right now:
  interface 1/1
  bridge vlan 241
  description "to users"
  interface 1/2
  description "to servers"
  bridge vlan 700
  circuit VLAN700
  ip address 172.20.241.181 255.255.255.192
  ip virtual-router 100 priority 1
  ip redundant-interface 100 172.20.241.183
  ip critical-service 100 css-up-down
  ip critical-reporter 100 css-sc1
  circuit VLAN241
  ip address 172.20.241.71 255.255.255.192
  ip virtual-router 1 priority 1
  ip redundant-interface 1 172.20.241.73
  ip redundant-vip 1 172.20.241.100
  ip critical-service 1 css-up-down
  ip critical-reporter 1 css-sc1
  service obsidian
  ip address 172.20.241.172
  keepalive port 80
  keepalive type tcp
  active
  owner avocent
  content kvm (Does not work)
  vip address 172.20.241.100
  protocol tcp
  port 443
  add service obsidian
  content kvm_80 (This works)
  protocol tcp
  port 80
  add service obsidian
  vip address 172.20.241.100
  active
  The http to the server works fine but the https get "The page can not be displayed" when you go to https://172.20.241.100
  Thanks for any insight into this issue.

  Hi Gill,
  thats what i?ve found:
  config-owner-content) application
  To specify the application type associated with the content rule, use the application command. The application type enables the CSS to correctly interpret the data stream matching the content rule and parse them. Otherwise, the data stream packets are rejected. Use the no form of this command to reset the application type to its default setting of HTTP.
  application type
  no application
  Syntax Description
  type
  Application type. Enter one of the following:
  ?bypass - Bypasses the matching of the content rule and send the request directly to the origin server
  ?http (default) - Processes HTTP data streams
  ?ftp-control - Processes FTP data streams
  ?sip - Processes Session Initiation Protocol (SIP) data streams
  ?ssl - Processes Secure Sockets Layer (SSL) protocol data streams

• How to Filter Initial Client HTTP Headers on a CSS11506 SSL module

  Is there any way to filter the initial client headers on a css11506 ssl module ?? (software version 8.1)
  This is one of the default options on the "old" SCA11000 appliances.

  Douglas, with an SSL module, the CSS can decrypt HTTPS traffic and see the cleartext HTTP traffic.
  We can then apply any rules to the header.
  I think in this case, the question refered to some data injected in the http header by the CSS and filter what data from the client certificate should be dropped or inserted.
  We currently do not have this option on the CSS.
  Gilles.

• Using SSL Module to Encrypt HTTP post to external Server

  I would like to know if it's possible for a CSM with its SSL module to receive an HTTP POST from our internal web servers, encrypt that POST w/ SSL, and finally to forward the newly created SSL transmission to a remote external SSL server? If it is possible, is this good practice or is it better to let the web server do the encryption?

  this is possible.
  It is good practice if you do not want to overload your server with the heavy task of encryption/decryption.
  If your server is very powerfull and far from being used to its maximum capacity, you can do it on the server.
  Another advantage of using an SSL module is that the CSM will see your request in clear text and can therefore perform so *smart* loadbalancing before it gets encrypted by the SSL module.
  [ie: cookie stickyness, url hashing, ...]
  Regards,
  Gilles.

• Load Balancing with a CSM & SSL Module

  I'm trying to understand the best way to balance traffic to two servers when decrypting and re-encrypting with the CSM and an SSL module. I take the SSL traffic hitting the first CSM VIP and forward to the SSL module for decryption. Send the decrypted traffic back to another VIP on the CSM. Send the traffic to the client proxy VIP on the SSL which encrypts the traffic and forwards to the CSM VIP. That final VIP passes the traffic to the serverfarm containing the actual servers. How do I make sure the traffic is balanced between the final VIP and my servers. It seems that sticking on SSL session ID is the only way to go at that point which made decryption pointless. I feel like I'm missing something basic here.
  Thanks..

  Hi David,
  Here find some full config example for your perusal for CSM and SSL Services Module Initial Configuration Example
  http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a0080216c16.shtml
  2nd config example to Configuring CSM to Load Balance SSL to a Farm of SCAs for One-Armed Proxy Mode
  http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00801aca55.shtml
  Sachin garg

• CSS without SSL Module needing sticky sessions

  Hello All,
  If anyone can help with this sticky situation I'd appreciate it.
  I have a customer with a CSS11501. He does not have an SSL module installed.
  He has 2 blade servers, when he adds a web site, which is accessible over SSL, the CSS load balances client requests causing lost sessions, mostly lost pop-ups, it does not want stick to the same server.
  I've configured the following:-
  service web1
  protocol tcp
  port 443
  keepalive type tcp
  ip address 192.168.200.50
  string web1
  active
  service web2
  rotocol tcp
  port 443
  eepalive type tcp
  ip address 192.168.200.51
  string web2
  active
  content SSL_Web
  add service web1
  add service web2
  rotocol tcp
  port 443
  vip address 1.2.3.4
  application ssl
  advanced-balance sticky-srcip-dstport
  active
  group web_Farm
    add service web1
    add service web2
    vip address 1.2.3.4
    active
  I was attempting to get the client to stick to the server but unfortunately, this didn't work, the CSS seems to continue to send requests to both servers and they are getting scripting errors.
  Once the customer turns off the second blade, all is ok.
  I did try adding the string value to the service and configuring 'advanced-balance arrowpoint-cookie' in the content but the clients were unable to reach any web sites.
  Best Regards Tony

  Tony,
  The config looks fine other than the "application SSL" under the content rule, and right now you are probing the servers with a tcp probe on port 80. If you want the probe to be on port 443 you should add the command "keepalive port 443" to both of the services. The CSS will default to port 80 for a tcp probe.
  Regards
  Jim

• CSS 115xx and SSL module.

  Good day, I have a general question on the SSL module. Currently we have a pair of CSS's handeling our external site web sites. We are starting to run out of external IP addresses, If we installed the SSL module and terminated the Certificates on the CSS would we be able to read the ssl header and utilize 1 ip for multiple ssl sites?
  thx
  -Rich

  Check the URL: Overview of CSS SSL:
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/configuration/ssl/guide/overview.html
  Examples of CSS SSL Configurations:
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/ssl/guide/examples.html

• CSS - 11506 - Adding New SSL Services on Single SSL Modules

  Hi,
  We are having one pair of CCS 11506 currently SSL services are running on slot4 with single SSL module.Now we are planning to add one more SSL application with different certificates & keys on different VIP.
  Can we use the same slot4 for new application & using different certicates & keys on same SSL modules.Your reponse is appriecated

  Hi Sean,
  Thanks for replying back just want few clarifcations in configuration part.
  1. If new vlan is given for new application then how to point routes to the new vlan as default routes to exisitng vlan is already present.
  2. I've prepare sample config template with details steps & let us know will it work & if changes is required kindly let us know.
  1.# ftp-record ssl_record 192.168.19.21 johndoe "abc123"
  /home/johndoe
  2.# copy ssl sftp ssl_record import rsacert.pem PEM "passwd123"
  Connecting
  Completed successfully
  3.# copy ssl sftp ssl_record import rsakey.pem PEM "passwd123"
  Connecting
  Completed successfully
  4.Enter configuration mode.
  # config
  (config) #
  4. To use RSA public key exchange and authentication:
  a. Associate the imported RSA certificate with a file.
  (config) # ssl associate cert myrsacert1 rsacert.pem
  b. Associate the imported RSA key pair with a file.
  (config) # ssl associate rsakey myrsakey1 rsakey.pem
  5. Compare the public key in the associated certificate with the public key
  stored with the associated private key and verify that they are identical.
  (config) # ssl verify myrsacert1 myrsakey1
  Certificate mycert1 matches key mykey1
  ssl associate rsakey NEWKEY newkey.pem
  ssl associate cert NEWCERT newcert.pem
  !************************* INTERFACE *************************
  interface 3/3
  description "****WEB SIDE****"
  bridge vlan _ID_X.X.X.X
  bridge port-fast enable
  interface 3/4
  bridge vlan_ID_Y.Y.Y.Y
  bridge port-fast enable
  description "****PIX SIDE****"
  !************************** CIRCUIT **************************
  circuit VLAN_ID_X
  ip address A.A.A.A B.B.B.0
  ip virtual-router 2 priority 101 preempt
  ip redundant-interface 3 C.C.C.C
  ip critical-service 3 chk-con-pix_Y.Y.Y.Y
  ip critical-service 3 chk-con-web_X.X.X.X
  circuit VLAN_ID_Y
  ip address D.D.D.D E.E.E.0
  ip virtual-router 4 priority 101 preempt
  ip redundant-vip 4 F.F.F.F
  ip critical-service 4 chk-con-pix_Y.Y.Y.Y
  ip critical-service 4 chk-con-web_X.X.X.X
  !*********************** SSL PROXY LIST ***********************
  ssl-proxy-list NEW
  ssl-server 20
  ssl-server 20 vip address F.F.F.F
  ssl-server 20 cipher rsa-with-rc4-128-sha F.F.F.F 81
  ssl-server 20 cipher rsa-with-rc4-128-md5 F.F.F.F 81
  ssl-server 20 rsacert NEWCERT
  ssl-server 20 rsakey NEWKEY
  active
  !************************** SERVICE **************************
  service FRONT_SSL
  type ssl-accel
  slot 4
  keepalive type none
  add ssl-proxy-list NEW
  active
  service WEBSERVER-03
  ip address G.G.G.G
  redundant-index 3
  protocol tcp
  port 80
  active
  service WEBSERVER-04
  ip address H.H.H.H
  redundant-index 4
  protocol tcp
  port 80
  active
  service chk-con-pix_Y.Y.Y.Y
  keepalive type script ap-kal-pinglist "N.N.N.N"
  ip address J.J.J.J
  keepalive frequency 2
  keepalive maxfailure 2
  keepalive retryperiod 2
  active
  service chk-con-web_X
  ip address K.K.K.K
  keepalive type script ap-kal-pinglist "P.P.P.P"
  keepalive frequency 2
  keepalive maxfailure 2
  keepalive retryperiod 2
  active
  !*************************** OWNER ***************************
  owner NEW
  content BACKNEW_HTTP
  vip address F.F.F.F
  add service WEBSERVER-03
  add service WEBSERVER-04
  protocol tcp
  port 81
  url "/*"
  redundant-index 5
  no persistent
  active
  content FRONTENDNEW_SSL
  vip address F.F.F.F
  protocol tcp
  port 443
  application ssl
  add service FRONT_SSL
  active
  content NEW
  url "//www.ABC.com/*"
  vip address F.F.F.F
  protocol tcp
  port 80
  redundant-index 4
  redirect "https://ABC.com"
  active
  your reply on this would be highly appericated.

• Disabling SSL 3.0 closure alerts in CSM with SSL module?

  Hi: I have a CSM with a SSL module. How do I disable the CSM from sending SSL closure alerts to the client?
  Also is there a way to increase the amount of time the CSM waits before it send the SSL closure alert. Looks like the default is 14 seconds.
  Thanks
  Ravi

  found my answer: ssl-server 20 unclean-shutdown

• Backend Encryption with SSL module & Self Signed Cert

  I am trying to configure backend encryption using the SSL module to communicate with a server using a self signed certificate. I configured Authenticate verify none. I have not copied any cert info from the server. Do I need to? The SSL module is complaining about an invalid cert. My config is basic.
  service test-service-cf8-be client
  virtual ipaddr 10.6.1.20 protocol tcp port 80
  server ipaddr 10.6.1.22 protocol tcp port 443
  log-auth-failures
  authenticate verify none
  inservice
  Thanks,
  Dave

  Yes it was up and a debug showed an invalid cert message when the service was hit. The answer turned out to be that you still need to import the root CA from the server so that the SSL mod has something to verify the cert against.
  Thanks..

• CSS 11503 SSL Module: .pfx file export to sftp

  Hello
  I wanted to know of there was a way to export the .pfx files off of the SSL Module to an SFTP server.....preferably in bulk not one at a time.  I want a central storage location for these files in the event that the CSS or the SSL module crashes.
  Thanks

  Hi Jay,
  Sure you can export the .pfx files out of the CSS but you need to do this one by one, there is no way you can get them out all at once.
  To export the files you first need to define your SFTP server IP address, username and passwd:
  CSS(config)# ftp-record SFTP_Server 10.10.10.1 username "password"
  Once you have the file name you need to enter this command:
  CSS# copy ssl sftp SFTP_Server export Certificate.pfx PKCS12 "passphrase" "password"
  : This is the password used to protect the file when it was created.
  : This is a local significant password on the CSS used when the file was
              imported into the box.
  * If you don't know these passwds you can't export the files out of the CSS.
  HTH
  Pablo

• CSS 11150 and SSL module function

  Hi, Pro:
  There is any way I could find what ssl module could be used on CSS11150?
  Thanks,

  there is none.
  The css111xx and css110xx are not modular so you can't add or remove anything from it.
  You will need a CSS115xx.
  Regards,
  Gilles.