Solved: Certificates on ACE at same VIP

liguoriariel · ‎02-05-2014

Hi all, I have a problem regarding configuration of certificates on ACE, I have one serverfarm with two realservers, those server runs three different domains on same VIP (Apache handle which one is presented to the user), we want to put https to those servers running SSL Termination, but I cant figure it out if that can be achieved with only one VIP or if I need three VIPs, one for each one and associate each of those to one certificate. (With only one I can use certificate chains?). Other thing that sounds reasonable to me is use class maps with L7 policys matching URLs, in that case I believe that can be achieved with one VIP, but if anyone knows please help.

Thanks!

Kanwaljeet Singh · ‎02-05-2014

Hi,

You are welcome. Yes if you have multiple domains you should have different certificates for reason obvious to security. If you have one domain and many sub-domains you can use a wildcard certificate. If you have domains which differ like abc.com and abc.net, abc.org, you can use SANS certificates and yes ACE can take L7 decisions/read L7 data like cookie etc after SSL handshake and take decisions accordingly as illustrated in the config example i have pasted above. If you have any questions in future related to this please feel free to ask:)

Regards,

Kanwal

View solution in original post

Kanwaljeet Singh · ‎02-05-2014

Hi,

You can use a wildcard certificate for multiple related domains like mail.abc.com, test.abc.com,abc.com etc. but all your domains should resolve to one VIP. If the url's are completely different then you need to have different VIPS and certs.

L7 classification here will come only after ssl handshake since you are terminating SSL on ACE. Honestly i didn't get your requirement and have answered to the best of my understanding of your question.

Let me know if you have further questions.

Regards,
Kanwal

Sent from Cisco Technical Support iPhone App

liguoriariel · ‎02-05-2014

Sure, I believe the same, actually I dont have a formal requirement, I have to implement it (there are different domains, no option to use wildcard domain), but Im not sure if I have to use multiple VIPs (using SSL Termination on ACE) or can I achieve the same with only one VIP in this scenario.

For l7 classification what I've figure it out is to use end to end ssl, but not sure, please someone confirm.

Kanwaljeet Singh · ‎02-05-2014

Hi,

Okay. You can have L7 classification even with SSL termination since ACE is handling decryption and encryption. I think i misunderstood your question/requirement. But L7 classification will only happen after SSL handshake has happened. So your certificate should hold good for the URL which clients will be using. If there are muliple URL's you need to get a WILDCARD certificate or SANS certs. I am pasting one example configuration for you where L7 classification is being done along with SSL termination. Let me know if you have any questions.

           ====================================================================
          Multi-tier Server Load Balancing with SSL Termination and URL LB
           ====================================================================

                                         |-- 30.30.30.11/24  APP_SERVER_01
                      |---|30.30.30.0/24 |-- 30.30.30.12/24  APP_SERVER_02  
                      |   |--------------|-- 30.30.30.21/24  DB_SERVER_01
10.10.10.1/24       .2| A |              |-- 30.30.30.21/24  DB_SERVER_02
MSFC------------------| C |
                      | E |20.20.20.0/24 |-- 20.20.20.11/24  WEB_SERVER_01
                      |   |--------------|-- 20.20.20.12/24  WEB_SERVER_02
                      |---|              |-- 20.20.20.13/24  WEB_SERVER_03 (images)
                                         |-- 20.20.20.14/24  WEB_SERVER_04 (images)
          
          <---Client--->|<---Server--->




-  Clients connect to HTTPS VIP using SSL termination
-  HTTP traffic balanced to image and content servers appropriately using URL load balancing
-  Web content servers intiate connections to application servers
-  Application servers initiate connections to database servers (requires client SNAT)


Configuration
==============
login timeout 0

access-list ANYONE line 10 extended permit tcp any any

parameter-map type ssl SSL_DEFAULT_PARAMS

ssl-proxy service SSL_SERVICE
  key mykey.pem
  cert mycert.pem
  ssl advanced-options SSL_DEFAULT_PARAMS

rserver host WEB_SERVER_01
  description Web Content Server 1
  ip address 20.20.20.11
  inservice
rserver host WEB_SERVER_02
  description Web Content Server 2
  ip address 20.20.20.12
  inservice
rserver host WEB_SERVER_03
  description Web Image Server 1
  ip address 20.20.20.13
  inservice
rserver host WEB_SERVER_04
  description Web Image Server 2
  ip address 20.20.20.14
  inservice
rserver host APP_SERVER_01
  description Application Server 1
  ip address 30.30.30.11
  inservice
rserver host APP_SERVER_02
  description Application Server 2
  ip address 30.30.30.12
  inservice
rserver host DB_SERVER_01
  description Database Server 1
  ip address 30.30.30.21
  inservice
rserver host DB_SERVER_02
  description Database Server 2
  ip address 30.30.30.22
  inservice

serverfarm host HTTP_CONTENT
  description Web Content Servers
  rserver WEB_SERVER_01
    inservice
  rserver WEB_SERVER_02
    inservice
serverfarm host HTTP_IMAGES
  description Web Image Servers
  rserver WEB_SERVER_03
    inservice
  rserver WEB_SERVER_04
    inservice
serverfarm host APP_SERVERS
  description Application Servers
  rserver APP_SERVER_01
    inservice
  rserver APP_SERVER_02
    inservice
serverfarm host DB_SERVERS
  description Database Servers
  rserver DB_SERVER_01
    inservice
  rserver DB_SERVER_02
    inservice

class-map match-all VIP_WWW
  2 match virtual-address 10.10.10.100 tcp eq https
class-map match-all VIP_APP
  2 match virtual-address 20.20.20.100 any
class-map match-all VIP_DB
  2 match virtual-address 30.30.30.100 any

class-map type http loadbalance match-any WEB_IMAGES
  2 match http url *.jpg
  3 match http url *.jpeg
  4 match http url *.gif

class-map type management match-any REMOTE_ACCESS
  description remote-access-traffic-match
  3 match protocol ssh any
  4 match protocol icmp any

policy-map type management first-match REMOTE_MGT
  class REMOTE_ACCESS
    permit
policy-map type loadbalance first-match WWW_SLB_LOGIC
  description Separate Web Content and Images Traffic
  class WEB_IMAGES
    serverfarm HTTP_IMAGES
  class class-default
    serverfarm HTTP_CONTENT
policy-map type loadbalance first-match APP_SLB_LOGIC
  class class-default
    serverfarm APP_SERVERS
policy-map type loadbalance first-match DB_SLB_LOGIC
  class class-default
    serverfarm DB_SERVERS

policy-map multi-match WEB
  class VIP_WWW
    loadbalance vip inservice
    loadbalance policy WWW_SLB_LOGIC
    loadbalance vip icmp-reply active
    ssl-proxy server SSL_SERVICE
policy-map multi-match APPLICATION
  class VIP_APP
    loadbalance vip inservice
    loadbalance policy APP_SLB_LOGIC
    loadbalance vip icmp-reply active
policy-map multi-match DATABASE
  class VIP_DB
    loadbalance vip inservice
    loadbalance policy DB_SLB_LOGIC
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 30
    
interface vlan 10
  description Client VLAN
  ip address 10.10.10.2 255.255.255.0
  access-group input ANYONE
  service-policy input WEB
  no shutdown
interface vlan 20
  description Web Servers VLAN
  ip address 20.20.20.1 255.255.255.0
  access-group input ANYONE
  service-policy input REMOTE_MGT
  service-policy input APPLICATION
  no shutdown
interface vlan 30
  description DB and App Servers VLAN
  ip address 30.30.30.1 255.255.255.0
  access-group input ANYONE
  service-policy input REMOTE_MGT
  service-policy input DATABASE
  nat-pool 1 30.30.30.110 30.30.30.110 netmask 255.255.255.0 pat
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.10.10.1

 
 Regards,
 Kanwal

liguoriariel · ‎02-05-2014

Thanks Kanwal,

So I extract of your post as my answer "If there are muliple URL's you need to get a WILDCARD certificate or SANS certs", I dont have a SANS cert so I understand that I will need to use different VIPs (based on that L7 applies after handshake). Is that correct?

Thanks for all! great post

Kanwaljeet Singh · ‎02-05-2014

Hi,

You are welcome. Yes if you have multiple domains you should have different certificates for reason obvious to security. If you have one domain and many sub-domains you can use a wildcard certificate. If you have domains which differ like abc.com and abc.net, abc.org, you can use SANS certificates and yes ACE can take L7 decisions/read L7 data like cookie etc after SSL handshake and take decisions accordingly as illustrated in the config example i have pasted above. If you have any questions in future related to this please feel free to ask:)

Regards,

Kanwal

liguoriariel · ‎02-05-2014

One more and for clarify, you mention "if you have multiple domains you should have different certificates for reason obvious to security." and I add, all of them running over a dedicated VIP or port (should be able to classify it over a class map). I guess that i'm correct, but please confirm.

Kanwaljeet Singh · ‎02-05-2014

Hi,

Yes you can classify different vips( belonging to different domains) and ports etc at class map level.

Regards,
Kanwal

Sent from Cisco Technical Support iPhone App

Kanwaljeet Singh · ‎02-05-2014

Hi,

Let me put in simple way. If you have two different domains you should have two different vips and two different certificates.If you have a domain and its subdomains you can have one vip and a wildcard certificate.

For example, a client types xyz.com it will resolve to 1.1.1.1 ans if a client types abc.com it will resolve to 2.2.2.2, two different domains two different VIPS

Regards,
Kanwal

Sent from Cisco Technical Support iPhone App