SSL initiation for SMPP on ACE module
Hi Community,
We have a new requirement to enable a connection to a server using the SMPP protocol wrapped inside an SSL channel for transport over the Internet. Can anyone say whether the ACE module supports SSL initiation to secure standard SMPP (3.4) servers?
Kind regards
Hi,
ACE does support SSL initiation. Please visit the link below for details. ACE also supports SSL termination and end-to-end SSL.
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/ssl/guide/initiate.html
Regards,
Kanwal
Similar Messages
-
SSL Termination not working in ACE
Hi,
The context was configured for load balancing port 80 and 443 traffic before the SSL configuration was applied.
SSL termination is configured on an ACE module running software version A2(1.6a) [build 3.0(0)A2(1.6a)].
Load balancing is working without issues, but when I browse to https://abc.www.abc.qa/wps/portal/login
the browser recognizes the certificate from ACE but does not show anything, just this symbol: €
in a blank page.
Please let me know if you have any suggestions.
Thanks in Advance.
Here is the relevant config.
===================
crypto csr-params ABC-II-PRAMS
  country XX
  state XXXX
  locality XXXX
  organization-name abc council
  common-name abc.www.abc.qa
  serial-number 1
  email [email protected]
rserver host abcserver1
  ip address 10.14.1.165
  inservice
rserver host abcserver2
  ip address 10.14.1.177
  inservice
ssl-proxy service abc.www.proxy
  key abc-II-key.pem
  cert abc-II-cert.pem
serverfarm host abc.www.abc.qa-443
  failaction purge
  rserver abcserver1
    probe abcicmp
    inservice
  rserver abcserver2
    probe abcicmp
    inservice
serverfarm host abc.www.abc.qa-80
  failaction purge
  rserver abcserver1
    probe abcicmp
    inservice
  rserver abcserver2
    probe abcicmp
    inservice
sticky ip-netmask 255.255.255.255 address source abc.www.abc.qa-sticky-80
  timeout 120
  serverfarm abc.www.abc.qa-80
sticky ip-netmask 255.255.255.255 address source abc.www.abc.qa-sticky-443
  timeout 120
  serverfarm abc.www.abc.qa-443
class-map match-all abc.www.abc.qa-443
  match virtual-address 10.14.1.203 tcp eq https
class-map match-all abc.www.abc.qa-80
  match virtual-address 10.14.1.203 tcp eq www
policy-map type loadbalance first-match abc.www.abc.qa-VIP-443
  class class-default
    sticky-serverfarm abc.www.abc.qa-sticky-443
policy-map type loadbalance first-match abc.www.abc.qa-VIP-80
  class class-default
    sticky-serverfarm abc.www.abc.qa-sticky-80
policy-map multi-match abc-POLICY
  class abc.www.abc.qa-80
    loadbalance vip inservice
    loadbalance policy abc.www.abc.qa-VIP-80
    loadbalance vip icmp-reply
  class abc.www.abc.qa-443
    loadbalance vip inservice
    loadbalance policy abc.www.abc.qa-VIP-443
    loadbalance vip icmp-reply
    ssl-proxy server abc.www.proxy
=============================
Hi,
You may want to check this thread I think it would be very helpful.
https://supportforums.cisco.com/thread/2027253
HTH
Pablo
Cisco TAC
-
Want to know about ACE module in 6509 : load-balancing concept
Hi,
I am quite new in this field, where I need to configure and understand the concept of load balancing through ACE.
In my existing network setup I have some application servers as well as some other servers for which I am looking at load balancing.
I have gone through some sites, including the Cisco site, and I came across the ACE module, which can be installed in a 6509 switch.
I have a 6509 switch as well, but before installing the ACE module I am keen to understand the following:
1) What is the difference between the CSM (or any other load-balancer product) and the ACE module?
I went through the site as well but am not getting a proper answer or comparison.
1) I have some servers configured with clustering and getting one virtual IP. In this case, will ACE work?
2) Suppose I go for configuring different IP addresses with all the server IPs:
How do I achieve it?
3) What is the virtual IP concept in ACE? Since I do not have any other ACE module, why do I need a virtual IP?
4) Will the load balancing happen destination-based or session-based?
Please share your knowledge. It would be a great help for me to go ahead with ACE, configure it and understand all the applications.
Hello,
1) What is the difference between the CSM (or any other load-balancer product) and the ACE module?
There are several differences, but to put it simply, you get higher performance and more features with the ACE module/appliance compared to others.
One big difference is that with the ACE series you can configure multiple contexts on one box (virtual load-balancers on one box), which makes it possible to provide a virtual load-balancer to a customer. That way, the customer can access and make changes on only the virtual box. You can split the management domain for each customer. Also, using contexts, you can assign certain resources available on the hardware to each context according to their service contract.
The ACE series has a specific hardware chip for supporting SSL termination, but some others do not.
For instance, you need a CSM-S, or a CSM and an SSL module, to terminate SSL.
The other thing I should mention is that our most recent product is the ACE series, which means it has a longer product roadmap.
Let me try to clarify your other questions.
3) What is the virtual IP concept in ACE? Since I do not have any other ACE module, why do I need a virtual IP?
4) Will the load balancing happen destination-based or session-based?
I think I'd better put 3) and 4) first.
The virtual IP address (VIP) is the address the client accesses.
A VIP is tied to a serverfarm or serverfarms; in a serverfarm one or multiple rservers can be configured.
A "serverfarm" is a group of "rservers".
"rserver" means real server, which has an IP address and processes transactions.
When a client accesses the VIP, ACE picks an rserver according to the algorithm.
If you configure a VIP that is tied to a serverfarm where only one rserver is configured, all client accesses to the virtual IP address
are forwarded to that rserver.
If you configure a VIP that is tied to a serverfarm where multiple rservers are configured, client accesses to the virtual IP address
are balanced among those rservers.
If you configure multiple VIPs, client accesses to those VIPs are forwarded to the corresponding rservers according to the configuration.
1) I have some servers configured with clustering and getting one virtual IP. In this case, will ACE work?
ACE load-balances connections to the configured rservers.
If the clustered servers share one virtual IP address and you configure that virtual IP address as an rserver, all connections are
sent to the virtual IP address. That is not "load balancing" on ACE... You need multiple rservers to which ACE load-balances connections.
2) Suppose I go for configuring different IP addresses with all the server IPs:
How do I achieve it?
You can configure those IP addresses as rserver IP addresses.
Multiple rservers are tied into a group, a "serverfarm".
I'm not certain about your clustered servers, but I guess you can configure each IP address in the cluster as an rserver.
Then put those rservers in a serverfarm. Clients access a virtual IP address configured on ACE for the serverfarm.
This way connections are load-balanced among those rservers depending on the load-balancing algorithm you choose.
The above is just an overview. ACE gives you granular control not mentioned above.
I can provide more specific information if you tell me the details of what you are trying to achieve with ACE.
Regards,
Kimihito.
-
ACE module, TLS and smtp
Hello,
On an ACE module running software version ACE2(1.0), I have defined a virtual SMTP server that is load-balanced to a serverfarm containing two SMTP servers. Normal SMTP connections on port 25 work fine. SMTPS connections to port 465 of a second vserver also work fine: SSL termination occurs at the ACE module and SMTP connections to the real servers are in clear text on port 25. But I am having problems with TLS.
If a client connecting to port 25 of the first vserver tries to negotiate TLS, it works, but it's the real server that handles the TLS encryption. This is normal behavior, but the certificate has to be installed on each of the real servers. I would like the ACE module to handle TLS (it's supported according to the documentation). That way the certificate would only have to be installed on the ACE module.
So I tried to set up a third vserver on port 587 with the same "proxy-service" as the second vserver used for SSL. If a client connects to port 587 of the vserver via TLS, we only see the 3-way handshake between the client and the vserver, then a pause of a few seconds, then a FIN from the client and finally an ACK and a RESET from the vserver.
There are absolutely no lines in the log that could help me find out what's happening.
I found the "debug ssl" command in the documentation but I don't know how to use it. I entered the command and nothing happened; I don't know where the debugging information goes. This is probably why there's a warning that says "The ACE debug commands are intended for use by trained Cisco personnel only."...
So my questions are: why is TLS not working? How can I find out why it's not working? Where does the "debug" information go when we use the "debug" commands?
Thanks a lot for any help you can give me!
Regards,
Marc.
SMTP over TLS is not supported in ACE currently.
SMTP doesn't use SSL/TLS simply as a secure transport the way LDAP, IMAP, POP and HTTP do.
In the case of SMTP the client needs to open a new connection.
So ACE, or for that matter any other SMTP relay device, needs to terminate the connection, look into the SMTP packets and punch a hole according to the new client connections.
You can get more details at
http://tools.ietf.org/html/rfc2487
Syed
-
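The dialogue Syed is describing, as an added example that is not part of the original thread and is not Cisco ACE code: a small Python model of an SMTP front end that speaks STARTTLS (RFC 3207), next to the check an implicit-TLS listener (SMTPS on 465) applies to the first client bytes. It shows why the two cannot share one TLS-terminating ssl-proxy: on 465 the client opens with a TLS ClientHello, whereas on 25/587 the server must send the 220 banner first, and TLS only begins after EHLO, STARTTLS and a 220 reply on the same TCP connection. A listener on 587 waiting for a ClientHello and a client waiting for a banner are both silent, which is consistent with the handshake, pause and client FIN that Marc captured. The hostnames and the transcript are constructed.

```python
"""Model of SMTP STARTTLS (RFC 3207) versus implicit TLS (SMTPS, port 465).
Constructed example: the hostnames and transcript are invented and the relay
logic is not Cisco ACE code."""

TLS_HANDSHAKE_CONTENT_TYPE = 0x16  # first byte of a TLS handshake record


def first_bytes_look_like_tls(data: bytes) -> bool:
    """Implicit TLS (port 465): the client speaks first, with a ClientHello.
    A TLS record starts with content type 0x16 and version major byte 0x03.
    A STARTTLS client sends nothing until it has seen the 220 banner, so an
    implicit-TLS listener on port 587 would see an empty buffer here."""
    return len(data) >= 3 and data[0] == TLS_HANDSHAKE_CONTENT_TYPE and data[1] == 0x03


class StartTlsRelay:
    """Server side of a STARTTLS-capable SMTP front end.

    The server speaks first (220 banner).  TLS begins only after the client has
    seen STARTTLS in the EHLO response, sent STARTTLS and received 220.  After
    the handshake all SMTP state learned in clear text is discarded
    (RFC 3207 section 4.2) and the client must EHLO again."""

    def __init__(self, hostname="relay.example.test"):
        self.hostname = hostname
        self.greeted = False      # EHLO seen in the current (clear or TLS) phase
        self.tls = False          # TLS layer active on this connection
        self.upgrade_now = False  # set when the next bytes must be a ClientHello

    def banner(self) -> str:
        return f"220 {self.hostname} ESMTP ready"

    def handle(self, line: str) -> str:
        verb, _, _arg = line.strip().partition(" ")
        verb = verb.upper()
        self.upgrade_now = False
        if verb == "EHLO":
            self.greeted = True
            caps = [f"250-{self.hostname}", "250-SIZE 10485760"]
            if not self.tls:
                caps.append("250-STARTTLS")  # advertised only before TLS is up
            caps.append("250 8BITMIME")
            return "\r\n".join(caps)
        if verb == "STARTTLS":
            if self.tls:
                return "554 5.5.1 TLS already active"
            if not self.greeted:
                return "503 5.5.1 EHLO first"
            # Reply, then the TLS handshake runs on the same TCP connection.
            self.upgrade_now = True
            self.tls = True
            self.greeted = False  # forget everything negotiated in clear text
            return "220 2.0.0 Ready to start TLS"
        if verb in ("MAIL", "RCPT", "DATA") and not self.greeted:
            return "503 5.5.1 EHLO first"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "250 2.0.0 OK"


def run_dialogue(client_lines):
    """Feed a constructed client transcript through the relay.  Returns the
    server replies (banner first) and the index of the client line after
    which the TLS handshake started, or None if it never did."""
    relay = StartTlsRelay()
    replies = [relay.banner()]
    tls_after = None
    for i, line in enumerate(client_lines):
        replies.append(relay.handle(line))
        if relay.upgrade_now:
            tls_after = i
    return replies, tls_after


if __name__ == "__main__":
    transcript = ["EHLO client.example.test", "STARTTLS",
                  "EHLO client.example.test", "MAIL FROM:<a@example.test>", "QUIT"]
    for reply in run_dialogue(transcript)[0]:
        print(reply)
```

The relay could be put in front of the real SMTP servers the way Syed describes: it terminates the client's TCP connection, watches for the STARTTLS verb, performs the TLS handshake itself and only then opens the clear-text connection to the backend. Terminating TLS on port 587 before any SMTP bytes have flowed, as with the 465 ssl-proxy, is what the model's empty-buffer case represents.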
ACE module support for IPv6 ?
What is the latest on IPv6 support for the ACE module? I saw something saying 2HCY10, but that's where we are now. Any documentation pointers to current compatibility and/or roadmap are greatly appreciated.
thanks
Bob O.
As mklemovitch described in the following thread, IPv6 will be
supported on the ACE30 module but not in the initial release.
There is no plan for the ACE20 module.
https://supportforums.cisco.com/message/3192517#3192517
I'm not sure, but maybe around Q3 CY11 or later.
I cannot see the documentation regarding this feature on CCO.
I would suggest contacting your account team for details.
Regards,
Yuji
-
Configuring ACE Module for Redundancy
Hi Sir,
I'm configuring fault tolerance between two ACE modules installed in two different Catalyst 6513 switches. I have one Admin context and 3 user contexts.
Do I need to configure 4 "ft groups", i.e. one context per group? E.g. config:
ft group 1
  peer 1
  priority 110
  peer priority 105
  associate-context Admin
  inservice
ft group 2
  peer 1
  priority 110
  peer priority 105
  associate-context ace-context1
  inservice
ft group 3
  peer 1
  priority 105
  peer priority 110
  associate-context ace-context2
  inservice
ft group 4
  peer 1
  priority 105
  peer priority 110
  associate-context ace-context3
  inservice
Can you also explain the purpose of configuring an alias IP address on the client-facing VLAN interface? I understand we need an alias IP address on the server-facing VLAN interface to provide a virtual gateway address to the servers. But what's the use of an alias IP on the client side?
Thank you.
B.Rgds,
Lim TS
Hi Gilles,
I have configured FT for all user contexts as well as for the Admin context. It works. My FT config is identical to the one I posted in this thread. Of course, one has to define the "ft interface vlan" and "ft peer" before configuring FT groups.
I noticed a few things:
(1) After the initial FT config, subsequent FT groups only need to be configured on the active Admin context and they will be replicated to the standby ACE, with the priorities correctly reversed.
(2) You will get the message "NOTE: Configuration mode has been disabled on all sessions" when you log in to a standby context.
(3) The hostname of the active Admin context is not synced to the standby ACE. Do you know why?
One issue I encountered in one of the user contexts is as follows:
ace1/ace-context-1# sh run int
Generating configuration....
interface vlan 950
  description *** Client-Facing VLAN ***
  ip address 10.1.35.5 255.255.255.0
  alias 10.1.35.4 255.255.255.0
  peer ip address 10.1.35.6 255.255.255.0
  access-group input ACL_VL950_IN
  service-policy input REMOTE_MGMT
  service-policy input MY_LB
  no shutdown
interface vlan 951
  description *** Connection to Real Servers ***
  ip address 10.1.36.2 255.255.255.0
  alias 10.1.36.1 255.255.255.0
  peer ip address 10.1.36.3 255.255.255.0
  access-group input ACL_VL951_IN
  service-policy input NAT_REAL
  no shutdown
This is the active context. It can ping 10.1.35.4 (alias) and 10.1.35.6 (peer) over VLAN 950 (client side). It can ping alias 10.1.36.1 over VLAN 951 (server side) but can't ping peer 10.1.36.3. ACL_VL951_IN permits ip any any. Do you know why?
Secondly, I can remotely ping alias 10.1.35.4 but can't telnet to it (I'm expecting it to telnet to the active context). I have to telnet to 10.1.35.5. Is this normal behavior?
Please advise.
Thank you.
B.Rgds,
Lim TS
-
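A consistency check for the FT configuration posted above, as an added example in Python (not Cisco code and not from the thread): parse the ft group blocks taken from the active module, build what the standby should hold with priority and peer priority swapped, and diff the two. It also flags a context bound to two groups and a group whose two priorities are equal, where neither side has a deterministic claim to the active role. The configuration text is a constructed copy of three of Lim's groups; the ft peer and ft interface vlan commands Lim mentions are assumed to be correct and are not checked here.

```python
import re

# Constructed copy of three of the ft groups from the post above, as they
# would appear on the active ACE (`show running-config ft`).
FT_LOCAL = """\
ft group 1
  peer 1
  priority 110
  peer priority 105
  associate-context Admin
  inservice
ft group 2
  peer 1
  priority 110
  peer priority 105
  associate-context ace-context1
  inservice
ft group 3
  peer 1
  priority 105
  peer priority 110
  associate-context ace-context2
  inservice
"""


def parse_ft_groups(text):
    """Return {group_id: {peer, priority, peer_priority, context, inservice}}."""
    groups, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"ft group (\d+)$", line)
        if m:
            cur = groups.setdefault(int(m.group(1)), {"inservice": False})
            continue
        if cur is None:
            continue
        # Order matters: "peer priority" must be tested before "priority"
        # and before the bare "peer N" statement.
        if line.startswith("peer priority "):
            cur["peer_priority"] = int(line.split()[2])
        elif line.startswith("priority "):
            cur["priority"] = int(line.split()[1])
        elif line.startswith("associate-context "):
            cur["context"] = line.split(None, 1)[1]
        elif line == "inservice":
            cur["inservice"] = True
        elif line.startswith("peer "):
            cur["peer"] = int(line.split()[1])
    return groups


def mirror(groups):
    """What the standby module should hold: same groups and contexts, with
    priority and peer priority swapped (Lim's observation (1) above)."""
    return {gid: {**g, "priority": g["peer_priority"], "peer_priority": g["priority"]}
            for gid, g in groups.items()}


def check_ft_pair(local, peer):
    """Compare the active module's ft groups with the peer's; return problems."""
    problems, seen = [], {}
    for gid, g in local.items():
        ctx = g.get("context")
        if ctx in seen:
            problems.append(f"context {ctx} in ft groups {seen[ctx]} and {gid}")
        seen[ctx] = gid
        if g.get("priority") == g.get("peer_priority"):
            problems.append(f"ft group {gid}: equal priorities, active member is not deterministic")
        if not g.get("inservice"):
            problems.append(f"ft group {gid}: not inservice")
        p = peer.get(gid)
        if p is None:
            problems.append(f"ft group {gid}: missing on peer")
            continue
        if p.get("context") != ctx:
            problems.append(f"ft group {gid}: context {ctx} here vs {p.get('context')} on peer")
        if (p.get("priority"), p.get("peer_priority")) != (g.get("peer_priority"), g.get("priority")):
            problems.append(f"ft group {gid}: priorities not mirrored on peer")
    for gid in peer.keys() - local.keys():
        problems.append(f"ft group {gid}: present only on peer")
    return problems


if __name__ == "__main__":
    local = parse_ft_groups(FT_LOCAL)
    print("consistent pair:", check_ft_pair(local, mirror(local)))
    broken = mirror(local)
    broken[3]["priority"], broken[3]["peer_priority"] = 105, 110  # not swapped
    print("broken pair:", check_ft_pair(local, broken))
```

In practice the peer dictionary comes from the standby module's own running configuration rather than from mirror(); mirror() only exists so the example runs offline and shows what a correctly replicated peer looks like.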
ACE SSL initiation via Proxy server (squid)
Hi,
Is it possible to configure ACE with SSL initiation if the connection goes via an HTTP/HTTPS proxy (Squid)?
I mean the local host requests http://xyz.com, ACE does SSL and requests https://xyz.com, not directly but via the HTTP/HTTPS proxy server (Squid).
Thanks
Hi Ryszard,
Yes, ACE can initiate SSL traffic and maintain the SSL connection. So in SSL initiation ACE acts as a CLIENT, receiving clear-text HTTP traffic at the front end and sending the traffic encrypted over the backend.
For more details please visit the below link and let me know if you have any questions.
http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/ssl/guide/sslgd/initiate.html#wp1010343
Regards,
Kanwal
-
I have done SSL initiation on the CSS before.
It can be easily configured to present a client cert to the remote end like a browser would.
I can't see how this is done on the ACE.
Do I just apply an authgroup referring to the client cert in the ssl-proxy configuration?
Hi,
For SSL initiation ACE acts as a client. So you define an SSL proxy and just bind it to the policy map.
The config below is for end-to-end SSL, but look at the part that is for SSL initiation, and here is the link for your reference.
access-list allow_all line 10 extended permit ip any any
probe http KEEPALIVE-WEBS
  description Test for Webs Servers
  interval 15
  passdetect interval 30
  request method head url /ping.jsp
  expect status 200 200
parameter-map type ssl ssl_ciphers
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_DES_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
rserver host WEB001
  description Web Servers
  ip address 10.0.130.253
  probe KEEPALIVE-WEBS
  inservice
rserver host WEB002
  description Web Servers
  ip address 10.0.130.252
  probe KEEPALIVE-WEBS
  inservice
rserver host WEB003
  description Web Servers
  ip address 10.0.130.254
  probe KEEPALIVE-WEBS
  inservice
rserver redirect OLD_SITE_REDIR
  webhost-redirection https://www.newsite.com 301
  inservice
ssl-proxy service SERVER_SSL
  key www-server.key
  cert www-server.crt
  ssl advanced-options ssl_ciphers
ssl-proxy service CLIENT_SSL
  ssl advanced-options ssl_ciphers
serverfarm redirect REDIRECT
  rserver OLD_SITE_REDIR
    inservice
serverfarm host VIP-WWW-443
  description servers-for-https
  rserver WEB001 443
    inservice
  rserver WEB002 443
    inservice
  rserver WEB003 443
    inservice
serverfarm host VIP-WWW-80
  description servers-for-www
  rserver WEB001 80
    inservice
  rserver WEB002 80
    inservice
  rserver WEB003 80
    inservice
sticky http-cookie wwwservers WWW-P80
  cookie insert
  timeout 720
  replicate sticky
  serverfarm VIP-WWW-80
sticky http-cookie wwwservers WWW-P443
  cookie insert
  timeout 720
  replicate sticky
  serverfarm VIP-WWW-443
class-map type http loadbalance match-all CLA7REDIR
  2 match http url http://www.oldsite.com/.*
class-map type http loadbalance match-all CLA7WWW
  2 match http url http://www.newsite.com/.*
class-map match-any VIP-P443
  2 match virtual-address 10.0.128.211 tcp eq https
class-map match-any VIP-P80
  2 match virtual-address 10.0.128.211 tcp eq www
policy-map type loadbalance first-match VIP_SERVER_P443
  class CLA7REDIR
    serverfarm REDIRECT
  class CLA7WWW
    sticky-serverfarm WWW-P443
    ssl-proxy client CLIENT_SSL
policy-map type loadbalance first-match VIP_SERVER_P80
  class class-default
    sticky-serverfarm WWW-P80
policy-map multi-match WWW_LB
  class VIP-P80
    loadbalance vip inservice
    loadbalance policy VIP_SERVER_P80
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
  class VIP-P443
    loadbalance vip inservice
    loadbalance policy VIP_SERVER_P443
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    ssl-proxy server SERVER_SSL
interface vlan 128
  ip address 10.0.128.15 255.255.255.0
  access-group input allow_all
  service-policy input WWW_LB
  no shutdown
interface vlan 130
  ip address 10.0.130.15 255.255.255.0
  access-group input allow_all
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.128.1
Regards,
Kanwal
-
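One thing to check in the configuration above is the cipher list. The same ssl_ciphers parameter map is bound to both the termination proxy (SERVER_SSL, facing clients) and the initiation proxy (CLIENT_SSL, facing the real servers), so the backend TLS session to the web servers can negotiate RC4 or single DES if the server offers them. RC4 is prohibited for TLS by RFC 7465 and 56-bit DES is too weak for current use. The Python below is an added example, not Cisco code and not from the post: it parses the parameter-map and ssl-proxy blocks, reports which proxies would accept which weak suites, and prints a hardened parameter map that keeps only the AES suites already present on the page. Whether a given ACE release can add stronger suites is not something this thread states, so none are invented here; the configuration text is a constructed copy of the relevant blocks above.

```python
import re

# Constructed copy of the relevant blocks from the post above; in practice
# this text comes from `show running-config parameter-map` and
# `show running-config ssl-proxy`.
ACE_CONFIG = """\
parameter-map type ssl ssl_ciphers
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_DES_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
ssl-proxy service SERVER_SSL
  key www-server.key
  cert www-server.crt
  ssl advanced-options ssl_ciphers
ssl-proxy service CLIENT_SSL
  ssl advanced-options ssl_ciphers
"""

# Substrings of ACE cipher names that mark a suite as weak: RC4 (RFC 7465),
# single DES (56-bit key), NULL and EXPORT suites, and HMAC-MD5 as the MAC.
WEAK_TOKENS = ("RC4", "DES_CBC", "NULL", "EXPORT", "MD5")


def parse_ssl_params(text):
    """Return ({param_map_name: [cipher names]}, {ssl_proxy_name: param_map_name}).
    A proxy without `ssl advanced-options` maps to None (ACE default suites)."""
    maps, proxies, kind, cur = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"parameter-map type ssl (\S+)$", line)
        if m:
            kind, cur = "map", m.group(1)
            maps[cur] = []
            continue
        m = re.match(r"ssl-proxy service (\S+)$", line)
        if m:
            kind, cur = "proxy", m.group(1)
            proxies[cur] = None
            continue
        if kind == "map" and line.startswith("cipher "):
            maps[cur].append(line.split()[1])
        elif kind == "proxy" and line.startswith("ssl advanced-options "):
            proxies[cur] = line.split()[2]
    return maps, proxies


def weak_ciphers(ciphers):
    """Ciphers from the list that contain a weak algorithm token."""
    return [c for c in ciphers if any(tok in c for tok in WEAK_TOKENS)]


def audit(text):
    """Map each ssl-proxy to the weak suites its bound parameter map allows.
    The same map on SERVER_SSL and CLIENT_SSL means the client-facing and
    the backend-facing TLS sessions share the same weakness."""
    maps, proxies = parse_ssl_params(text)
    return {proxy: weak_ciphers(maps.get(pm, [])) for proxy, pm in proxies.items()}


def hardened_parameter_map(text, name):
    """Re-emit one parameter map with the weak suites removed."""
    maps, _ = parse_ssl_params(text)
    bad = set(weak_ciphers(maps[name]))
    keep = [c for c in maps[name] if c not in bad]
    return "\n".join([f"parameter-map type ssl {name}"] + [f"  cipher {c}" for c in keep])


if __name__ == "__main__":
    for proxy, weak in audit(ACE_CONFIG).items():
        print(f"{proxy}: {', '.join(weak) or 'no weak suites'}")
    print(hardened_parameter_map(ACE_CONFIG, "ssl_ciphers"))
```

Because ACE applies the parameter map to the proxy that references it, replacing the map in place hardens both the termination and the initiation side in one change; if the backend servers only speak RC4 or DES, the hardened CLIENT_SSL proxy will fail the backend handshake, which is the right place to discover that.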
ACE module SSL url rewrite and path rewrite
Hi all,
I'm hoping some of you helpful people on this forum can guide me or suggest a solution to a problem I'm faced with.
I am currently load balancing Exchange 2010 traffic via an ACE module. Software version is A2(3.3). I have most parts of it working fine; however, I am having an issue when it comes to SSL termination for Outlook Web Access (OWA).
The problem comes down to an HTTP header (the Location field). I have configured an action list to rewrite the SSL pure URL as per page 96 of the "Cisco Application Control Engine Module SSL Configuration Guide". Example:
ssl url rewrite location bnecas\.mycompany\.com sslport 443
That part works: the HTTP Location header that comes back from the GET request is changed to https://cas.mycompany.com, which is great. However, in addition to that URL, there is also a path or something following that part. The actual string that is returned is:
https://cas.mycompany.com/owa/auth/logon.aspx?url=http://cas.mycompany.com/owa/&reason=0
The first bit of it (https://cas.mycompany.com) is changed by the ssl url rewrite command; however, the last part (http://cas.mycompany.com/owa/&reason=0) isn't changed.
This is where I've been trying to get the HTTP header rewrite command to do something. I don't know if it can work in conjunction with the ssl url rewrite function; however, with the ssl rewrite function it seems it can't change bits of the string that aren't the pure URL at the front.
The end result is that while I have an SSL connection to the OWA login page, when I do log in to OWA it reverts back to HTTP. I'm fairly sure it is because of the last part of the Location string above. Is there a way to change that Location string to do the following:
1. change the first part of the string to be https://cas.mycompany.com (like the ssl url rewrite function)
2. change the last part of the location string to put https in there instead of http
Ideally I would love to have this string
http://cas.mycompany.com/owa/auth/logon.aspx?url=http://cas.mycompany.com/owa/&reason=0
replaced with this one
https://cas.mycompany.com/owa/auth/logon.aspx?url=https://cas.mycompany.com/owa/&reason=0
I had originally tried the following in the action list:
header rewrite response location header-value "(owa/auth/logon\.aspx\?url=)http(://bnecas\.thiess\.aus/owa/&reason=0)" replace "%1https%2"
ssl url rewrite location bnecas\.mycompany\.com sslport 443
but it didn't work. I'm probably screwing up the regex somewhere; however, there don't seem to be very clear examples anywhere I can find.
Any help will be greatly appreciated and of course I will be sure to rate every post that responds to my plea for help.
Brad
Hi Brad,
try this:
action-list type modify http X
  header rewrite response Location header-value "http://(.*url=)http://(.*)" replace "https://%1https://%2"
We won't be using ssl url rewrite in this case.
Also we will need persistence rebalance, applied through the application parameter map and applied under the VIP class.
-
[UDP fast age support for ACE Module]
Hello,
I'm testing two ACE modules running A3.0.0 for DNS load balancing (UDP). We're testing this using a DNS query generator that (always) seems to use the same UDP source port when originating these queries. At the moment, the ACE module is hardly doing any load balancing.
It looks to me like, because of this, the ACE believes it's the same session (connection) and doesn't really load-balance, so I started looking for a solution and found the UDP fast-age feature. But it seems this is not supported on my ACE modules. Can anyone offer another solution and/or look at my config and see if there is another way to achieve load balancing in a testing environment when using a tool like the one I described?
(I put it that way because I believe in real life, since queries come from different IP addresses and randomized UDP ports, the ACE module will be just fine.)
Thanks in advance!
c.
Hi Carlos,
Correct. The 3.0(0) is really misleading. You need to start with the "A", so you really have 1.6.3a installed.
The "show version" for V2 is slightly better:
system: Version A2(1.2) [build 3.0(0)A2(1.2)]
Cathy
-
Inventory collection fails for ACE module (RME 4.3.1)
I am trying to collect the inventory and ultimately the configurations for my ACE modules. When I try to do an inventory collection I get the error
Device sensed, but collection failed
Anybody have any ideas?
Chris
Post your IC_Server.log.
-
ACE issue with compression when SSL Initiation is turned on?
We are currently doing an evaluation of the Cisco ACE 4710 and have some sites where the backend is Tomcat and SSL is turned on. When we set the default L7 load-balancing action to Load Balance with compression method Deflate (I haven't tried gzip yet), requests to these sites return badly mangled content. For example, a GIF image of 7,700 bytes comes back as a 7-byte file, even though the default should only try compression on text/*.
Has anyone seen a similar issue?
It turned out the problem was a configuration issue and my understanding of how the ACE works with compression, policies, etc.
In conjunction with this I seem to have found a bug in the GUI, which is also still present in A3(2.3). I now have a default L7 policy which just sets SSL initiation to ssl client. I added another L7 policy, but when looking at the virtual server afterwards the GUI doesn't show that policy.
switch/Development# show running-config policy-map FORD-APP.PERF.AUTC.COM-l7slb
Generating configuration....
policy-map type loadbalance first-match F-APP.PERF.AUTC.COM-l7slb
  class default-compression-exclusion-mime-type
    serverfarm F-APP.PERF.AUTC.COM
    compress default-method deflate
    insert-http rl_client_ip header-value "%is"
    ssl-proxy client Backend
  class class-default
    serverfarm F-APP.PERF.AUTC.COM
    insert-http rl_client_ip header-value "%is"
    ssl-proxy client Backend
See attachment with screenshot of the GUI.
-
Does ACS for Windows 3.3 support AAA for the ACE module?
I don't think that is correct. I am still having issues with ACE and ACS. See below:
ACE version:
Software
  loader: Version 0.95
  system: Version A1(7b) [build 3.0(0)A1(7b)]
Cisco ACS version 4.0.1
I am trying to authenticate admin users with AAA authentication for ACE management.
This is what I've done:
ACE-lab/Admin(config)# tacacs-server host 192.168.3.10 key 123456 port 49
warning: numeric key will not be encrypted
ACE-lab/Admin(config)# aaa group server tacacs+ cciesec
ACE-lab/Admin(config-tacacs+)# server ?
TACACS+ server name
ACE-lab/Admin(config-tacacs+)# server 192.168.3.10
can not find the TACACS+ server
specified TACACS+ server not found, please configure it using tacacs-server host ... and then retry
ACE-lab/Admin(config-tacacs+)#
-
Question in regard to management VLAN for each Context in ACE module
Dear Pros,
I know this will be a simple question to answer, and I have searched the forum, but I am not able to find the answer I need.
1) Does the ACE module require a management IP address for each context? Should the same VLAN be applied to each context, with a larger subnet to supply host addresses?
2) If it does require that, what IP address should I use for the default route in each context?
I will be utilizing "bridge mode" for my application to transition the current network from Foundry to ACE. I will later apply the "routed mode" model.
Each ACE module will have 3 separate contexts, for a total of 4 including the Admin.
Any suggestions, or a pointer to the right location, as always will be greatly appreciated.
Thanks and best regards.
Raman Azizian
Hi,
You have several options to choose from.
1. Use the Admin context for management
You can use the Admin context for management. Give it an IP address in your management VLAN and a default route to the upstream router, then log in and change to the contexts from there.
+ Easy and straightforward
- SNMP and syslog use the IP from each individual context and not the management IP
2. Use a large subnet and assign an IP address in each context for management
You can configure one management VLAN and assign an IP address to each context in this subnet. Create static routes to the management stations that need to access this management address.
+ each context has its own management address
- static routes need to be added
3. Use your client-side IP address (or BVI) as the management address
Your management traffic will be inline and use the same path as your data. The default route is already configured and is also valid for management.
+ no static routes needed
- inline management
Personally, I'd choose option 1, that is, if the people who need to manage the ACE are the same team.
If other teams (server team for context 1, another server team for context 2) need to manage the ACE, then I would choose option 3.
HTH,
Dario
-
Hello,
I'm in the process of setting up an end-to-end SSL configuration, but it doesn't work and I'm getting a bit confused at this stage. I imported a cert using the terminal (copy/paste), then I imported a key using the same method and TFTP. The TFTP failed and the terminal displayed a message telling me there were too many lines.
I checked with the crypto verify command and it failed, telling me "Error: invalid or unsupported key".
Is there any clear documentation on how to configure end-to-end SSL?
I used the ACE SSL guide, but it is not really accurate and looks more like a reminder to me than a guide.
I attached the existing config to this post; although it does not show the cert and key I imported to the ACE module, it gives a better understanding of what the idea is.
Did anybody come across the same issues the first time configuring end-to-end SSL with ACE?
Just don't know where to start.
I feel like you do not have the right key/cert.
This would be the very first thing to verify.
Where did you get your key and cert?
What certificate authority signed your certificate?
The creation of the session key requires the use of an RSA key pair (private/public).
Every server must have a public and a private key associated with a certificate signed by a certificate authority.
If you're not familiar with those concepts, configuring an SSL offloader like ACE won't be easy.
Maybe you should start by reading on the subject from the various articles available on the web.
openssl is a great tool to generate keys and certificates.
I would suggest getting this free tool and starting by creating your own RSA key pair and a self-signed certificate.
Then import everything into ACE.
Once you have a valid key/cert we can continue with the configuration.
Gilles