CSS backend SSL

Unanswered Question
Nov 4th, 2008
User Badges:

still i have doubt in css backend ssl configuration i am going to buy certificate from verisign should i buy two certificate one for webserver another for css or i can use the same certificate why we need to create the front end ssl and backend ssl in ssl proxy i am confused?



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Gilles Dufour Tue, 11/04/2008 - 06:28
User Badges:
  • Cisco Employee,

The certificate is associated to a website (ie: www.cisco.com)

The same certificate can then be installed on all required devices.


So, you only need 1 cert from verisign.


Backend-ssl is not required unless you do not trust the link between css and servers.

You could simply have HTTP between CSS and servers (this is the most common practice).


Usually banks require backend-ssl because they have to guarantee end-to-end encryption.


Gilles.

waltermavely Tue, 11/04/2008 - 12:33
User Badges:

hi Gilles thanks for your reply, i have one question in my configuration client accessing through vip 192.168.7.100 right? so what about 192.168.7.101 ??? thank you very much

waltermavely Tue, 11/04/2008 - 12:39
User Badges:

yes this is bank there webservers running with ssl only they have some security policy

Gilles Dufour Tue, 11/04/2008 - 23:55
User Badges:
  • Cisco Employee,

ssl-server 20 cipher rsa-with-rc4-128-md5 192.168.7.101 81


This means your traffic is decrypted and sent to 192.168.7.101:81

This is normally another VIP where you do backend ssl.

So, I feel like your config is incorrect.



Under


owner KIB-SSL


content SSL-BACKEND


vip address 192.168.201.100



The vip is incorrect.

It should be 192.168.7.101


Gilles.


Actions

This Discussion