CSS - 11506 - Adding New SSL Services on Single SSL Modules

Answered Question
Feb 10th, 2010

Hi,

We have one pair of CSS 11506; currently SSL services are running on slot 4 with a single SSL module. Now we are planning to add one more SSL application with different certificates & keys on a different VIP.

Can we use the same slot 4 for the new application, using different certificates & keys on the same SSL module? Your response is appreciated.

Correct Answer
Sean Merrow Thu, 02/11/2010 - 09:38

Hello,

Yes, you can use the same SSL module for multiple applications.  No need to add a second SSL module.  Below are the typical and general steps:

  1. Import the new certificate and key onto the CSS
  2. Associate the new certificate and key to filenames
  3. Create your new ssl-server on the existing ssl-proxy-list (including VIPs, cert, key, etc.)
  4. Add any necessary content rules, services, groups, and redundant VIPs

You can find more details on the SSL configuration at the link below:

CSS SSL Configuration Guide

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/configuration/ssl/guide/sslgd.html

Hope this helps,

Sean

Dulal Ray Thu, 02/11/2010 - 11:32

Hi Sean,

Thanks for the reply.

Please can you confirm the statement given in the CSS admin guide, which states that the CSS supports one active SSL service for each SSL module in the CSS (one SSL service per slot). You can configure more than one SSL service for a slot, but only a single SSL service can be active at a time.

Please find the URL below for your reference.
Sean Merrow Thu, 02/11/2010 - 11:52

Hello,

Yes, I can see how that statement could lead to a bit of confusion.

Although the SSL module is inserted into the CSS, you can think of it as an external device. For example, a connection coming into the CSS on port 443 for SSL termination would first hit a content rule on the CSS. The CSS would then load balance that connection to the internal SSL module. In order to do this, you would have to configure a service under that content rule. This service would represent the SSL module: it has a type of ssl-accel, specifies the slot that the SSL module is in, and specifies the ssl-proxy-list that is applied to that SSL module. After the SSL module terminates the SSL connection, the connection is sent back to the CSS. The statement you are referring to means that you can only have one active service in your CSS configuration per SSL module.

This is completely different from having multiple applications or VIPs on your SSL module. The ssl-proxy-list that is applied to the SSL module is where you would configure your various applications.  Each application can use the same or a different set of keys and certs.  Below is an example of a ssl-proxy-list that contains two different applications/VIPs.  Notice that each one is using a unique key and certificate.  Also notice that this ssl-proxy-list, with two applications in it, is applied to a single SSL module via the service that represents this module.

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list SSL_PROXY
  ssl-server 1
  ssl-server 1 cipher rsa-with-rc4-128-md5 10.86.179.198 81
  ssl-server 1 vip address 10.86.178.198
  ssl-server 1 rsakey site-1-key
  ssl-server 1 rsacert site-1-cert
  ssl-server 2
  ssl-server 2 cipher rsa-with-rc4-128-md5 10.86.179.199 81
  ssl-server 2 vip address 10.86.178.199
  ssl-server 2 rsakey site-2-key
  ssl-server 2 rsacert site-2-cert
  active


!************************** SERVICE **************************
service SSL_SLOT_3
  type ssl-accel
  add ssl-proxy-list SSL_PROXY
  slot 3
  keepalive type none
  active

I hope this helps clear it up for you.

Thank you,

Sean

Dulal Ray Thu, 02/11/2010 - 21:57

Hi Sean,

Thanks a lot for your wonderful explanation.

However, a small clarification on the configuration below:

Instead of having it as you suggested (i.e. adding the new virtual SSL server in the same proxy-list),

can we have a different proxy-list for the new virtual server and then add this list as well to the existing service, along with the other corresponding config?

e.g:

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list SSL_PROXY
  ssl-server 1
  ssl-server 1 cipher rsa-with-rc4-128-md5 10.86.179.198 81
  ssl-server 1 vip address 10.86.178.198
  ssl-server 1 rsakey site-1-key
  ssl-server 1 rsacert site-1-cert
  active

ssl-proxy-list SSL_PROXY_NEW
  ssl-server 2
  ssl-server 2 cipher rsa-with-rc4-128-md5 10.86.179.199 81
  ssl-server 2 vip address 10.86.178.199
  ssl-server 2 rsakey site-2-key
  ssl-server 2 rsacert site-2-cert
  active

!************************** SERVICE **************************
service SSL_SLOT_3
  type ssl-accel
  add ssl-proxy-list SSL_PROXY
  add ssl-proxy-list SSL_PROXY_NEW
  slot 3
  keepalive type none
  active

Thanks a lot for your time. Awaiting your response!

Sean Merrow Fri, 02/12/2010 - 05:56

Hello,

I like the way you think ;- )

You probably want to do that so that you don't have to suspend all the applications on the ssl-proxy-list when making changes.  However, the service will only allow you to add a single ssl-proxy-list to it.  So if you only have a single SSL module, then you would only have a single ssl-proxy-list and it would be added to the service for the SSL module. If you try to add a second ssl-proxy-list to the service, you'll see this:

CSS11503(config)# service SSL_SLOT_3
CSS11503(config-service[SSL_SLOT_3])# add ssl-proxy-list SSL_PROXY
CSS11503(config-service[SSL_SLOT_3])# add ssl-proxy-list SSL_PROXY_NEW
%% Maximum number of Ssl Proxy Lists added to service
CSS11503(config-service[SSL_SLOT_3])#

In most cases, even if customers have more than one SSL module, they will still only have a single ssl-proxy-list containing all their applications using SSL, add it to both services (one for each SSL module) and add both of those services to the content rule. This way, both SSL modules handle the same traffic and the CSS will load balance them. If one SSL module fails, the other will handle the load and there is no outage. The CSS will allow you to assign a unique ssl-proxy-list to each SSL module in the chassis, but then you lose the benefits of load balancing and redundancy.

Regards,

Sean

Dulal Ray Thu, 02/18/2010 - 22:39

Hi Sean,

Thanks for replying. I just want a few clarifications on the configuration part.

1. If a new VLAN is given for the new application, then how do we point routes to the new VLAN, as a default route to the existing VLAN is already present?

2. I've prepared a sample config template with detailed steps; let us know whether it will work, and if changes are required kindly let us know.

1. # ftp-record ssl_record 192.168.19.21 johndoe "abc123" /home/johndoe

2. # copy ssl sftp ssl_record import rsacert.pem PEM "passwd123"
   Connecting
   Completed successfully

3. # copy ssl sftp ssl_record import rsakey.pem PEM "passwd123"
   Connecting
   Completed successfully

4. Enter configuration mode.
   # config
   (config) #

4. To use RSA public key exchange and authentication:
   a. Associate the imported RSA certificate with a file.
      (config) # ssl associate cert myrsacert1 rsacert.pem
   b. Associate the imported RSA key pair with a file.
      (config) # ssl associate rsakey myrsakey1 rsakey.pem

5. Compare the public key in the associated certificate with the public key stored with the associated private key and verify that they are identical.
   (config) # ssl verify myrsacert1 myrsakey1
   Certificate mycert1 matches key mykey1

ssl associate rsakey NEWKEY newkey.pem
ssl associate cert NEWCERT newcert.pem

!************************* INTERFACE *************************
interface 3/3
  description "****WEB SIDE****"
  bridge vlan _ID_X.X.X.X
  bridge port-fast enable

interface 3/4
  bridge vlan_ID_Y.Y.Y.Y
  bridge port-fast enable
  description "****PIX SIDE****"

!************************** CIRCUIT **************************
circuit VLAN_ID_X
  ip address A.A.A.A B.B.B.0
  ip virtual-router 2 priority 101 preempt
  ip redundant-interface 3 C.C.C.C
  ip critical-service 3 chk-con-pix_Y.Y.Y.Y
  ip critical-service 3 chk-con-web_X.X.X.X

circuit VLAN_ID_Y
  ip address D.D.D.D E.E.E.0
  ip virtual-router 4 priority 101 preempt
  ip redundant-vip 4 F.F.F.F
  ip critical-service 4 chk-con-pix_Y.Y.Y.Y
  ip critical-service 4 chk-con-web_X.X.X.X

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list NEW
  ssl-server 20
  ssl-server 20 vip address F.F.F.F
  ssl-server 20 cipher rsa-with-rc4-128-sha F.F.F.F 81
  ssl-server 20 cipher rsa-with-rc4-128-md5 F.F.F.F 81
  ssl-server 20 rsacert NEWCERT
  ssl-server 20 rsakey NEWKEY
  active

!************************** SERVICE **************************
service FRONT_SSL
  type ssl-accel
  slot 4
  keepalive type none
  add ssl-proxy-list NEW
  active

service WEBSERVER-03
  ip address G.G.G.G
  redundant-index 3
  protocol tcp
  port 80
  active

service WEBSERVER-04
  ip address H.H.H.H
  redundant-index 4
  protocol tcp
  port 80
  active

service chk-con-pix_Y.Y.Y.Y
  keepalive type script ap-kal-pinglist "N.N.N.N"
  ip address J.J.J.J
  keepalive frequency 2
  keepalive maxfailure 2
  keepalive retryperiod 2
  active

service chk-con-web_X
  ip address K.K.K.K
  keepalive type script ap-kal-pinglist "P.P.P.P"
  keepalive frequency 2
  keepalive maxfailure 2
  keepalive retryperiod 2
  active

!*************************** OWNER ***************************
owner NEW

  content BACKNEW_HTTP
    vip address F.F.F.F
    add service WEBSERVER-03
    add service WEBSERVER-04
    protocol tcp
    port 81
    url "/*"
    redundant-index 5
    no persistent
    active

  content FRONTENDNEW_SSL
    vip address F.F.F.F
    protocol tcp
    port 443
    application ssl
    add service FRONT_SSL
    active

  content NEW
    url "//www.ABC.com/*"
    vip address F.F.F.F
    protocol tcp
    port 80
    redundant-index 4
    redirect "https://ABC.com"
    active

Your reply on this would be highly appreciated.

Sean Merrow Fri, 02/19/2010 - 06:39

Hello,

1. If a new VLAN is given for the new application, then how do we point routes to the new VLAN, as a default route to the existing VLAN is already present?

Ideally, you'll keep your configuration as simple as possible, and use only one default gateway.  This is the most common configuration.  However, if you need multiple default gateways (one for each client VLAN), then you can do this.  By default, when a client connection comes in from one gateway, the CSS will send the server's response back to the same gateway.  For server initiated connections, you might want to enable ECMP.  See the CSS documentation for details on Configuring IP Equal-Cost Multipath

2. I've prepared a sample config template with detailed steps; let us know whether it will work, and if changes are required kindly let us know.

I would say that your config looks good. However, there are some lines in it that can be removed, which I've put in bold. redundant-index is only used for connection replication, which cannot be used for SSL terminated connections. Since it cannot be used for SSL, there is no gain in configuring it for the non-SSL related connections. application ssl is only needed when you are doing sticky on SSL session ID. This would only be needed if you had more than one SSL module. Adding the url statement in the BACKNEW_HTTP rule unnecessarily makes this rule a layer-5 rule.

content BACKNEW_HTTP
  vip address F.F.F.F
  add service WEBSERVER-03
  add service WEBSERVER-04
  protocol tcp
  port 81
  url "/*"
  redundant-index 5
  no persistent
  active

content FRONTENDNEW_SSL
  vip address F.F.F.F
  protocol tcp
  port 443
  application ssl
  add service FRONT_SSL
  active

content NEW
  url "//www.ABC.com/*"
  vip address F.F.F.F
  protocol tcp
  port 80
  redundant-index 4
  redirect "https://ABC.com"
  active

You can also remove the redundant-index lines from the services configs.

While I have made some observations and offered some recommendations regarding your config, until it has been thoroughly tested in a staging environment, or in the production environment, I make no guarantees that you won't need to make further modifications to reach the ultimately desired operation.

Regards,

Sean

Dulal Ray Thu, 03/04/2010 - 03:44

Hi Sean,

Thanks for the information & for sharing in-depth knowledge on this niche CSS product.

However, I'm yet to configure the new application, and I need to confirm two things as follows:

1. Whether the CSS will support two default routes, as there is a different VLAN for each application & one default route is already configured for the previous application; can we configure one for the new application? Kindly confirm. You had explained it earlier, but things are still not so clear to me.

2. I have a certificate in .pfx format; if I import it into the CSS, will the CSS convert it into keys & certificates, as the .pfx file contains both?

Your reply is highly appreciated as the activity is already planned.

Sean Merrow Thu, 03/04/2010 - 08:45

Hello,

You did not specify what you are still unclear on with regard to the multiple default routes.  The CSS supports multiple default gateways, and by default, it will use the same gateway for the response to a client as was used for the incoming connection.

For the .pfx file, if it contains both the certificate and key, then you would first import the file, then associate both a cert and key to that same file as such:

ssl associate cert client-cert client.pfx
ssl associate rsakey client-key client.pfx

Hope this helps clear it up.

Sean

Dulal Ray Mon, 03/08/2010 - 06:50

Hi Sean,

Thanks for the support throughout the entire discussion.

I was able to complete the activity. The only challenge I faced was that the certificate & key were a single file in .pfx format exported from a Windows server, & due to this I was unable to associate the keys & certificates in the CSS after uploading the files.

I used the OpenSSL tool to create the key & certificate in separate files, after which we were able to associate the files. I really appreciate the support given throughout the issues.
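The split that the last two posts describe (a Windows .pfx holding key and certificate in one file, separated with OpenSSL so the CSS can associate them, then checked the way step 5 of the template above does with ssl verify), as an added example that is not part of the thread or of any Cisco documentation. It assumes the openssl command-line tool is installed; the file names, the demo hostname demo.example.invalid and the password abc123 are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: split a Windows-exported .pfx (PKCS#12)
# into a separate PEM private key and PEM certificate, then check that the two
# belong together, which is what the CSS "ssl verify" step confirms on the box.
# Requires the openssl CLI. The demo CN, file names and password are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Build a throwaway self-signed key/cert pair and bundle it into site.pfx so the
# example runs offline. In practice site.pfx is the file exported from Windows.
make_demo_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo.example.invalid" \
        -keyout "$WORK/demo-key.pem" -out "$WORK/demo-cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/demo-key.pem" -in "$WORK/demo-cert.pem" \
        -out "$WORK/site.pfx" -passout pass:abc123
}

# split_pfx PFX PASSWORD KEY_OUT CERT_OUT
# Writes the private key unencrypted (the "PEM" import on the CSS needs a plain
# PEM key) and only the end-entity certificate, not the CA chain.
split_pfx() {
    pfx="$1"; pass="$2"; key_out="$3"; cert_out="$4"
    openssl pkcs12 -in "$pfx" -nocerts -nodes -passin "pass:$pass" \
        -out "$key_out" 2>/dev/null
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "pass:$pass" \
        -out "$cert_out" 2>/dev/null
    chmod 600 "$key_out"   # the unencrypted key must not be world-readable
}

# verify_pair CERT KEY
# Prints "match" if the public key embedded in the certificate equals the
# public key derived from the private key, otherwise "mismatch".
verify_pair() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey \
               | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    if [ "$cert_pub" = "$key_pub" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Demo run: build the sample .pfx, split it, check the pair.
make_demo_pfx
split_pfx "$WORK/site.pfx" abc123 "$WORK/newkey.pem" "$WORK/newcert.pem"
verify_pair "$WORK/newcert.pem" "$WORK/newkey.pem"
```

The CSS import step expects a passphrase-free PEM private key and the server certificate on its own, which is what -nodes and -clcerts produce. Comparing the SHA-256 of the DER-encoded public keys is the same check ssl verify reports as "matches" on the CSS, and doing it before the upload catches a renewed certificate paired with an old key while the files are still on the workstation.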

Dulal Ray Fri, 03/26/2010 - 05:21

Hi Sean,

We shifted the setup to production & faced an issue with web & app communication on the local LAN; below is a detailed explanation.

We are using two default routes as there are two different applications in different VLANs. The old application is working fine after configuring the new application with the new default route:

ip route 0.0.0.0 0.0.0.0 10.250.Y.Y  - Old application
ip route 0.0.0.0 0.0.0.0 10.30.X.X - New Application

Following are the issues:

Web1 - APP1 - Able to ping & Telnet to port 8080 or 80
Web1 - App2 - Unable to ping & Telnet to port 8080 or 80
Web1 - NLB - Able to ping & Telnet to port 8080 or 80

Web2 - App1 - Unable to ping & Telnet to port 8080 or 80
Web2 - App2 - Able to ping & Telnet to port 8080 or 80
Web2 - NLB - Unable to ping & Telnet to port 8080 or 80

But once we configured a static route from the app segment towards the firewall, the above ping/telnet started working fine. I've attached a network block diagram; I just want to understand where the issue is.
