limitation of eight chaingroups per context in ACE 4700 Series Appliance

Answered Question
Jul 26th, 2008
ACE 4710 appliance currently has a limitation of 1024 virtual servers - but each context has a limitation of eight chaingroups. From my point of view the limitation of eight chaingroups is far too low. Using SSL certificates from a public CA often requires delivering certificates and intermediate certificates to the client. In this scenario the limit of 8 chaingroups is reached very soon, as you need a chaingroup per virtual server.

Correct Answer by sachinga.hcl, Tue, 07/29/2008 - 05:47 (Silver, 250 points or more)

HI CSCherb,

A chain group specifies the certificate chains that the ACE sends to its peer during the handshake. A certificate chain is a hierarchical list of certificates that includes the subject's certificate, the root CA certificate, and any intermediate CA certificates. Using the information provided in a certificate chain, the certificate verifier can search for a trusted authority in the certificate hierarchical list back to the root CA. The verifier may find what it considers a trusted authority before reaching the root CA certificate, in which case the verifier stops searching.

But as per my understanding:

The ACE supports the following certificate chain group capabilities:

• A chain group can contain up to eight certificate chains.

• Each context on the ACE can contain up to eight chain groups, meaning 8*8 certificate chains.

• By default, your ACE provides an Admin context and five user contexts, which allows you to use multiple contexts if you choose to configure them. To increase the number of user contexts up to a maximum of 20, you must obtain a separate license from Cisco Systems.

So the total number of chaingroups that can be used is 8*20=160.

And the number of virtual servers is 1024.

The SSL proxy termination service allows the virtual server to act as an SSL proxy server and terminate SSL sessions between it and its clients.

So:

1. SSL Proxy Service = SSL parameter map (SSL version, cipher suites, close-protocol, session ID reuse timeout, query delay), client authentication, key pair file, CRL retrieval, certificate file, chain group

2. Class maps = (Layer 3 and Layer 4 match criteria applied to inbound traffic) = contains: virtual IP address, source address, destination address, access list, port, any

Policy maps = contains (1+2), i.e. (SSL proxy service + class maps)

So you define the virtual server IP in class maps and chain groups in the SSL proxy service.

They will work when you combine these both inside a policy map (for Layer 3/Layer 4).

Policy maps ---> apply globally to all VLANs in a context (a context can contain 8 chain groups).

You can specify the certificate chain that the ACE sends to its peer ACE during the SSL handshake by using the chaingroup command.

So this chain group is assigned to the whole context, and inside the context any number of virtual servers use the same chain group.

You can configure chain groups for the context in an ACE using the SSL proxy service only.

All the virtual servers inside the context use the one chain group service.

Select Config > Devices > context > SSL > Chain Group Parameters. The Chain Group Parameters table appears.

SSL termination refers to configuring an ACE context for a front-end application in which the ACE operates as an SSL server that communicates with a client. When you create a Layer 3 and Layer 4 policy map to define the flow between an ACE and a client, the ACE operates as a virtual SSL server by adding security services between a web browser (the client) and the HTTP connection (the server). All inbound SSL flows from a client terminate at the ACE.

In the ANM, a viable virtual server has the following attributes:

• A default Layer 7 action

• A Layer 3/Layer 4 class map

• The virtual server multi-match policy map is associated with an interface or is global.

The name of the virtual server is derived from the name of the Layer 3/Layer 4 class map.

After the connection is terminated, the ACE decrypts the ciphertext from the client and sends the data as clear text to an HTTP server.

You need not assign a different chaingroup to every virtual server.

I am just sharing my vision with you. Correct me if I am wrong.

Kind Regards,

[email protected]



cscherb Tue, 07/29/2008 - 07:34

Ok - my initial understanding was that chaingroups should include the subject certificate. Now I understand that the subject certificate is not included in the chaingroup; only intermediate and root certificates are included in the chaingroup. In this constellation 8 chaingroups per context are enough, as I could use certificates from 8 different CAs.
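
As an added example (not code from this thread or from Cisco), the Python planner below compares the two readings discussed above, one chain group per virtual server versus one per distinct CA chain, and checks each plan against the per-context limits quoted in the answer (8 chain groups per context, 8 certificates per chain group). The virtual server names and CA chains are constructed, and the limits are taken from the thread as assumptions.

```python
"""Chain-group planning for one ACE context (added example, not thread or Cisco code).
Assumes the limits quoted in the thread: 8 chain groups per context and
8 certificates per chain group. All names below are constructed."""

MAX_CHAINGROUPS_PER_CONTEXT = 8   # limit the original poster was hitting
MAX_CHAINS_PER_CHAINGROUP = 8     # certificates (intermediate + root) per group

# Constructed CA chains: only intermediate and root certificates go in a chain
# group; each virtual server's own leaf cert and key live in its ssl-proxy service.
PUBLIC_CA = ("PublicCA-Int-G2", "PublicCA-Root")
OTHER_CA = ("OtherCA-Int-1", "OtherCA-Root")

# Constructed inventory: virtual server -> CA chain that issued its leaf certificate.
VIRTUAL_SERVERS = {
    "vip-shop": PUBLIC_CA, "vip-mail": PUBLIC_CA, "vip-api": OTHER_CA,
    "vip-portal": PUBLIC_CA, "vip-sso": OTHER_CA, "vip-cdn": PUBLIC_CA,
    "vip-vpn": OTHER_CA, "vip-docs": PUBLIC_CA, "vip-blog": PUBLIC_CA,
}

def per_virtual_server_plan(servers):
    """The original poster's first reading: one chain group per virtual server."""
    return {f"cg-{name}": list(chain) for name, chain in servers.items()}

def per_ca_plan(servers):
    """One chain group per distinct CA chain; servers with the same issuer share it."""
    groups = {}  # chain tuple -> chain group name (dict keeps insertion order)
    for chain in servers.values():
        groups.setdefault(chain, f"cg-{chain[0].lower()}")
    return {cg: list(chain) for chain, cg in groups.items()}

def assign_chaingroups(servers, plan):
    """Map each virtual server to the chain group its ssl-proxy service should reference."""
    by_chain = {tuple(chain): cg for cg, chain in plan.items()}
    return {name: by_chain[chain] for name, chain in servers.items()}

def check_context_limits(plan):
    """Return (ok, problems) for a plan against the per-context limits above."""
    problems = []
    if len(plan) > MAX_CHAINGROUPS_PER_CONTEXT:
        problems.append(f"{len(plan)} chain groups exceed {MAX_CHAINGROUPS_PER_CONTEXT} per context")
    for cg, chain in plan.items():
        if len(chain) > MAX_CHAINS_PER_CHAINGROUP:
            problems.append(f"{cg} holds {len(chain)} certificates, limit {MAX_CHAINS_PER_CHAINGROUP}")
    return not problems, problems

if __name__ == "__main__":
    for label, plan in (("per-VS", per_virtual_server_plan(VIRTUAL_SERVERS)),
                        ("per-CA", per_ca_plan(VIRTUAL_SERVERS))):
        print(label, len(plan), "chain groups ->", check_context_limits(plan))
```

With the constructed inventory the per-virtual-server plan needs 9 chain groups and fails the check, while the per-CA plan needs only 2 and every virtual server maps to the group of its issuer.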

sachinga.hcl Thu, 07/31/2008 - 09:52 (Silver, 250 points or more)

Thanks for your rating.

Also keep posting and do not hesitate to write your queries.

I will be looking to give any further assistance.

sachin garg
