ACE: Multiple vHost with SSL in a single context?

Answered Question
Apr 22nd, 2010

Just had a conversation with our application team. They are thinking/planning about moving a construct of approximately 10+ real servers that host around 70+ vhosts to a single ACE context.


So far we only configured 1:1 relations in terms of context to ssl proxy.



Questions:


    1. Is it possible to SSL-terminate multiple websites with multiple certificates in one context?
    2. Do you have to distinguish those different vhosts (websites) and the related SSL traffic through separate SSL proxy services?
    3. If you have to use separate SSL proxies, is it sufficient to bind them via different class maps into one single (multi-match) policy map?
    4. What would be the best practice approach for this scenario?



Thanks for reading


Roble

ciscocsoc Thu, 04/22/2010 - 07:14

Hi,


1. Yes - but there are limitations. Each context can only support 8 chaingroups. The SSL proxy server references the certificate and the chain group so I suspect you're likely to hit a limit unless most of the websites have a common chain.  Each webserver will need its own Proxy server definition unless you use a wildcard certificate. It really depends on what you're hosting.


2. As above - yes unless you can use a wildcard certificate.


3. Works for me.


4. Not sure - it really depends on the exact requirements for the websites.


HTH


Cathy

Roble Mumin Thu, 04/22/2010 - 07:38

Hey Cathy,


thanks for the quick answer.


When I am talking about multiple certificates I am not talking about intermediate certificates and therefore chaingroups. So if I stick to a single certificate which can be verified by a known root cert, the limit shouldn't apply.


Does the limit of 8 chaingroups also apply to proxy services?


The resource overview on the following link only mentions a total limit of 3800 certs.


http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Module_Troubleshooting_Guide,_Release_A2%28x%29_--_ACE_Module_Resource_Limits



Thanks for reading


Roble

Correct Answer
ciscocsoc Thu, 04/22/2010 - 07:46

Hi,


If your server certificates have a common CA chain (or no CA chain) then the limit of 8 doesn't apply. AFAIK except for the general resource limits there are no restrictions on the number of SSL proxy servers per context.


Kind Regards


Cathy
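The layout discussed in this thread (one SSL proxy service per site, a shared chaingroup, all bound through separate class maps into one multi-match policy map), as an added ACE configuration example that is not from either poster. Every name, file, VIP address and VLAN is a placeholder, and LB_SITE_A / LB_SITE_B are assumed to be existing load-balance policies; it assumes each site sits on its own VIP, because the proxy service (and so the certificate) is chosen by the class-map match.

```text
! Added example (not from the thread): two HTTPS sites, each with its own
! certificate and key, terminated by separate SSL proxy services that share
! one chaingroup and one multi-match policy map. Names, files and addresses
! are placeholders; LB_SITE_A/LB_SITE_B are assumed existing LB policies.

! One intermediate chain shared by both sites keeps the chaingroup count
! (limited to 8 per context) at one, whatever the number of sites.
crypto chaingroup SHARED_INTERMEDIATE
  cert intermediate-ca.pem

! One SSL proxy service per site: each references its own imported key/cert.
ssl-proxy service SSL_SITE_A
  key site-a.key
  cert site-a.pem
  chaingroup SHARED_INTERMEDIATE

ssl-proxy service SSL_SITE_B
  key site-b.key
  cert site-b.pem
  chaingroup SHARED_INTERMEDIATE

! Each site is distinguished by its own VIP; the class map decides which
! proxy service, and therefore which certificate, a connection gets.
class-map match-all VIP_SITE_A_HTTPS
  2 match virtual-address 192.0.2.10 tcp eq https
class-map match-all VIP_SITE_B_HTTPS
  2 match virtual-address 192.0.2.11 tcp eq https

! A single multi-match policy map binds every site's class map to its own
! SSL proxy service.
policy-map multi-match VIPS_HTTPS
  class VIP_SITE_A_HTTPS
    loadbalance vip inservice
    loadbalance policy LB_SITE_A
    ssl-proxy server SSL_SITE_A
  class VIP_SITE_B_HTTPS
    loadbalance vip inservice
    loadbalance policy LB_SITE_B
    ssl-proxy server SSL_SITE_B

! Applied once on the client-facing VLAN.
interface vlan 100
  service-policy input VIPS_HTTPS
```

Adding a third site is another ssl-proxy service, class map and class entry in the same policy map, with no new chaingroup as long as the certificate uses the same intermediate; `show crypto files` in the context lists the imported keys and certificates each service refers to.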
