CSS Secure LDAP loadbalancing

Unanswered Question
Jun 17th, 2010

I have successfully configured the CSS to load balance LDAP requests to 3 Windows AD servers. However, when adding SSL to the front end only, it fails.

I'm assuming it has to do with the certificate requiring extended key usages. Has anyone done this before?

How can I create a certificate request on the CSS requiring those extensions?

Any ideas or help would be greatly appreciated.

Robbie Woodley Fri, 06/18/2010 - 12:16

I just found myself in the same boat. I got data going to the CSS fine, but when I try to set up SSL on the front end (no backend SSL) I get nothing. I'm sure it's just something minor I'm missing, but having never been inside one of these CSS11500's until this project I am not sure what to focus my attention on as a likely suspect. Appreciate any help that can be offered.

- Robbie

amyskitchen Tue, 06/22/2010 - 17:21

Finally got it working. The config on the CSS is pretty straightforward. The problem was with certificates. I was generating my own certificates using openssl and therefore they were not trusted on the client PC I was testing with. All I did to get it working was add the root certificate that I used to sign the LDAP server certificate to the client machine.

It just worked.

Useful links that might be related to what I was trying to accomplish:

Good luck!
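The two certificate problems raised in this thread, the question's request for a certificate request carrying the right extended key usage and the resolution that the client simply did not trust the signing root, can be reproduced offline without a CSS. The shell script below is an added example and is not from the thread or from Cisco; it assumes openssl on the PATH, a constructed hostname ldap.example.test, and a scratch directory. It issues a server certificate with the serverAuth EKU and a DNS SAN from a private lab root, then verifies it the way a client would, once with the lab root installed and once with an unrelated root (the failure state the poster hit).

```shell
#!/bin/sh
# Added example, not from the thread: build a lab root CA, issue an LDAPS server
# certificate with serverAuth EKU and a SAN, and check it against two trust stores.
# Hostname ldap.example.test and the scratch directory are constructed assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Write a minimal openssl req config ($1 = file, $2 = CN, $3 = extension lines)
# so the example does not depend on a system openssl.cnf.
write_req_cnf() {
  cat > "$1" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
req_extensions = ext
[dn]
CN = $2
[ext]
$3
EOF
}

# Create a self-signed root CA: $1 = file prefix under $WORK, $2 = CN.
make_root_ca() {
  write_req_cnf "$WORK/$1.cnf" "$2" "basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash"
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/$1.key" -days 365 -sha256 \
    -config "$WORK/$1.cnf" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a server certificate for host $1 signed by root $2, carrying the
# serverAuth extended key usage and a DNS subjectAltName.
make_server_cert() {
  write_req_cnf "$WORK/server.cnf" "$1" "basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$1"
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/server.key" -config "$WORK/server.cnf" \
    -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/server.cnf" -extensions ext \
    -out "$WORK/server.crt" 2>/dev/null
}

# Exit 0 when server.crt chains to the trust bundle in $1, non-zero otherwise.
verify_against() {
  openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
}

# Exit 0 when server.crt chains to $1 AND its SAN matches hostname $2.
verify_host() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$WORK/server.crt" >/dev/null 2>&1
}

# Exit 0 when server.crt carries the TLS server authentication EKU.
has_server_auth_eku() {
  openssl x509 -in "$WORK/server.crt" -noout -text \
    | grep -q 'TLS Web Server Authentication'
}

# Demonstration run.
make_root_ca lab "Example Lab Root CA"
make_root_ca other "Unrelated Root CA"
make_server_cert ldap.example.test lab
if verify_host "$WORK/lab.crt" ldap.example.test; then
  echo "trusted: client has the lab root installed"
fi
if ! verify_against "$WORK/other.crt"; then
  echo "rejected: client lacks the lab root (the failure seen in this thread)"
fi
```

The root certificate written to lab.crt is the file that had to be imported on the client in the resolution above; the server certificate and key are what would be loaded onto the SSL module under whatever names the CSS configuration uses.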

Robbie Woodley Mon, 06/28/2010 - 09:36

Would you mind sharing your config with me? Of course, with the confidential stuff removed. You can contact me off-board.


amyskitchen Tue, 07/06/2010 - 12:25

Hi Robbie,

Sorry for the delayed response. Here is the relevant config info. No backend SSL service yet; the backend is still unencrypted, but at this point everything is in our data center, not crossing any WAN or other networks. One thing to note is that my CSS is one-armed, doing NAT as well, so the load balancing is considered full-proxy.

Hope it helps.

ssl-proxy-list ssl_list1
  ssl-server 2
  ssl-server 2 dhparam mydhparam1
  ssl-server 2 vip address
  ssl-server 2 cipher dhe-rsa-with-3des-ede-cbc-sha 389
  ssl-server 2 cipher dhe-rsa-with-des-cbc-sha 389
  ssl-server 2 cipher rsa-with-3des-ede-cbc-sha 389
  ssl-server 2 cipher rsa-with-des-cbc-sha 389
  ssl-server 2 cipher rsa-with-rc4-128-sha 389
  ssl-server 2 cipher rsa-with-rc4-128-md5 389
  ssl-server 2 port 636
  ssl-server 2 rsakey myrsakey1
  ssl-server 2 rsacert ldapxCert

service LDAP1
  ip address
  keepalive port 389
  protocol tcp
  keepalive type tcp
  port 389

service LDAP2
  ip address
  protocol tcp
  keepalive type tcp
  port 389
  keepalive port 389

service ssl_module1
  type ssl-accel
  add ssl-proxy-list ssl_list1
  slot 2
  keepalive type none

  content LDAPSSLTest
    vip address
    add service ssl_module1
    protocol tcp
    port 636

group LDAPGroup
  vip address
  add destination service LDAP1
  add destination service LDAP2
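The ssl-proxy-list above is worth auditing rather than copying: every cipher it enables uses DES, 3DES, RC4 or an MD5 MAC, all of which have been retired since this 2010 post, and the trailing 389 on each cipher line is the clear-text backend port where LDAP leaves the SSL module unencrypted. The shell functions below are an added example, not from the post or from Cisco; the config text is embedded from the post (with the elided vip address left out), and the weak-cipher pattern is my own list of retired algorithms.

```shell
#!/bin/sh
# Added example, not from the post: audit a CSS ssl-proxy-list for cipher suites
# built on DES, 3DES, RC4 or an MD5 MAC, and report the listener-to-backend port map.
set -e

# The ssl-proxy-list from the post, embedded verbatim (vip address value elided there too).
sample_config() {
  cat <<'EOF'
ssl-proxy-list ssl_list1
  ssl-server 2
  ssl-server 2 dhparam mydhparam1
  ssl-server 2 vip address
  ssl-server 2 cipher dhe-rsa-with-3des-ede-cbc-sha 389
  ssl-server 2 cipher dhe-rsa-with-des-cbc-sha 389
  ssl-server 2 cipher rsa-with-3des-ede-cbc-sha 389
  ssl-server 2 cipher rsa-with-des-cbc-sha 389
  ssl-server 2 cipher rsa-with-rc4-128-sha 389
  ssl-server 2 cipher rsa-with-rc4-128-md5 389
  ssl-server 2 port 636
  ssl-server 2 rsakey myrsakey1
  ssl-server 2 rsacert ldapxCert
EOF
}

# Filter stdin to cipher lines whose suite name uses DES, 3DES, RC4 or an MD5 MAC.
weak_cipher_lines() {
  grep -E '^[[:space:]]*ssl-server [0-9]+ cipher ' \
    | grep -Ei -e '-(des|3des|rc4)-|-md5( |$)'
}

# Number of weak cipher lines in the embedded config (whitespace stripped for wc on BSD).
weak_cipher_count() {
  sample_config | weak_cipher_lines | wc -l | tr -d ' '
}

# Listener port of the SSL server and the distinct backend ports its ciphers forward to.
port_mapping() {
  listen=$(sample_config | awk '/ssl-server [0-9]+ port /{print $4}')
  backend=$(sample_config | awk '/ cipher /{print $NF}' | sort -u | tr '\n' ' ' | sed 's/ $//')
  echo "listen:$listen backend:$backend"
}

# Demonstration run.
echo "weak cipher lines: $(weak_cipher_count)"
echo "$(port_mapping)"
sample_config | weak_cipher_lines
```

On the embedded config every cipher line is flagged and the mapping reads listen:636 backend:389, which is the decision point for the "no backend SSL yet" caveat in the post.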