Optimizing HTTPS traffic with SSLAO on WAAS 4.1.3 and above

Document

May 5, 2011 2:52 AM
May 5th, 2011

Introduction

This document will explain how you can optimize your HTTPS traffic when you have a topology looking like this:

CSCSSLAOWeb.jpg

By default, HTTPS traffic is only TFO optimized on WAAS so if you pass such a connection through a WAAS setup, you'll get the following output from a "show statistics connection":

EDGE-WAE-1#sh statistics connection

Current Active Optimized Flows:                      1
   Current Active Optimized TCP Plus Flows:          0
   Current Active Optimized TCP Only Flows:          1
   Current Active Optimized TCP Preposition Flows:   0
Current Active Auto-Discovery Flows:                 1
Current Reserved Flows:                              10
Current Active Pass-Through Flows:                   0
Historical Flows:                                    102


D:DRE,L:LZ,T:TCP Optimization RR:Total Reduction Ratio
A:AOIM,C:CIFS,E:EPM,G:GENERIC,H:HTTP,M:MAPI,N:NFS,S:SSL,V:VIDEO

ConnID        Source IP:Port          Dest IP:Port            PeerID             Accel   RR  
   799       172.16.5.2:1119        172.16.2.2:443    00:22:64:96:eb:5c     
T     00.0%

EDGE-WAE-1#

This is due to the fact that the encrypted traffic is by definition very random and thus does not get any benefit from the DRE/LZ optimization.

To overcome this limitation, the SSL Accelerator was introduced in WAAS 4.1.3. This will allow the edge WAE to decrypt the traffic, optimize it then re-encrypt it. Same happens on the Core WAE which decrypt the traffic, give it back it's original format then re-encrypt it to the destination server.

Certificate and key export

To be able to optimize the SSL traffic, we will need to export the certificate/key of the Server and of the Certificate of the CA that you used to generate the Server certificate. Here is how it can be done:

With IIS

Here is how you can export your certificates/key from your IIS server:

-Launch the Start menu and click on Run

-Type mmc in the Windows that popped in then click on Ok. This will launch the Management Console

-Once it appears, go to the File menu and select Add/Remove Snap-in

-Follow this path to add the computer certificates view:

1-export.jpg

-Once the Snap-in is added, you can go into it in the Personal > Certificates Folder and right click on the certificate which is used by IIS and click on Export. Follow those steps afterwards:

1-export2.jpg

If the "Yes, export the private key" is greyed out in this process, this means that your original key was marked as non exportable and that you won't be able to export it.

-You will then be asked for a password to protect the private key. Once it is entered, you'll be able to save the data in pfx format.

-WAAS is using PEM format for certificates so you'll need to put your file on a machine with OpenSSL installed and convert it with the following command:

nfournie@nfournie-laptop:~$ openssl pkcs12 -in cdn-server-1.pfx -out cert.pem -nodes
Enter Import Password: ***

(Enter here the password you have set when exporting the key from the Management Console)
MAC verified OK
nfournie@nfournie-laptop:~$

This will generate a single file that will looks like this:

cert.pem

Bag Attributes
    localKeyID: 01 00 00 00
    Microsoft CSP Name: Microsoft Enhanced Cryptographic Provider v1.0
    friendlyName: 921a35de2b0d51e0c399ed6e03f39ef8_1029dd00-9600-4641-919f-c85f4050df37
Key Attributes
    X509v3 Key Usage: 10
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQCPLNNfsIrAPDretPkC9QDMuls2KFIgKsHH9jU6xk83AwetZ7XZ
...
q3yuKUm5GMBWSsCKA8t55CL58VXctDizl1AO8CfvEx8=
-----END RSA PRIVATE KEY-----

Bag Attributes
    localKeyID: 01 00 00 00
subject=/O=cisco/CN=cdn-server-1
issuer=/C=BE/L=Brussels/O=Cisco/OU=TAC/CN=cdn-acs-1
-----BEGIN CERTIFICATE-----
MIIEKjCCAxKgAwIBAgIKGLoPewAAAAAAEDANBgkqhkiG9w0BAQUFADBSMQswCQYD
...
6BOnvT0bogUMAL/XPBWS/PEVfGr9+BHAtwYOdxcALpCk3NIsJUstY2XtgqyG/fuY
QLuECaFSJ8UC2j+8u4w=
-----END CERTIFICATE-----

Bag Attributes: <Empty Attributes>
subject=/C=BE/L=Brussels/O=Cisco/OU=TAC/CN=cdn-acs-1
issuer=/C=BE/L=Brussels/O=Cisco/OU=TAC/CN=cdn-acs-1
-----BEGIN CERTIFICATE-----
MIID6jCCAtKgAwIBAgIQYRARgNZbD75LWl00GwArmzANBgkqhkiG9w0BAQUFADBS
...
+Opx59HosHQrmiVh3INt3AXgXfMAGopgVonsbNEzXvTbYOYGts4QYhzl956NCw==
-----END CERTIFICATE-----

You'll need to Copy/Paste those parts in Red in three different files:

File Name
Content
client.keyServer private key
client.crtServer certificate
CA.crtCA certificate

You can refer to the Bag Attributes before the actual data to see which part is what.

This whole document assumes that your Server certificate was directly generated by your Root CA. In case of a multiple levels CA architecture, you'll have to put the whole chain and not a single certificate in the CAcert.crt file.

With Apache

The procedure with Apache is much simpler since the input it uses is in the same format as the one used by WAAS. You just need to figure out where the files are stored and this can be done by looking at the VirtualHost entry of your server in the httpd.conf  file used by Apache.

It will look something like this:

httpd.conf VirtualHost entry
<VirtualHost 172.16.2.2:443>
DocumentRoot /var/www/html
ServerName www.csc.com
SSLEngine on
SSLCertificateFile /path/to/client.crt
SSLCertificateKeyFile /path/to/client.key
SSLCertificateChainFile /path/to/CA.crt

</VirtualHost>

As you can see, we already have there the three files we ended up with in the IIS procedure.

Setting up SSLAO

Opening secure stores

The secure store is where the certificates and keys are held on the WAAS devices.

To be able to use it, you'll need to initialize and open it. First on the Central Manager itself:

2-initCM.jpg

The passphrase you enter here wil be needed to re-open the CM Secure Store after a reboot so make sure you don't loose it !!!

Then on the Edge and Core WAEs themselves:

3-initWAEs.jpg

Importing the CA certificate

Once all the stores are initialized and opened, it is time to import the CA certificate on the Core WAE. To do so, go to the following menu and select the CA.crt file that was generated previously:

4-importCA.jpg

Once you submit it, you should see your CA certificate imported on the device:

4-importCADone.jpg

Create your SSL Accelerated Service

On the Core WAE, go to the SSL Accelerated Services and first start by importing the client certificate and key (client.crt and client.key exported from the Web server):

5-createService.jpg

Once the certificate/key are imported, you can setup the rest of the service by matching the interesting traffic  and by putting it "In Service":

5-createService2.jpg

Congratulations, you now have your SSL Service up and running:

5-createServiceDone.jpg

Enable SSL Accelerator

Last step is to make sure that the SSL Accelerator is running on both your Core and Edge WAEs:

6-SSLAOEnabled.jpg

Verify the optimization

First of all, verify that the accelerated service has been created on your Core WAE:

CORE-WAE-1#sh run | begin crypto
...skipping
crypto pki ca cdn-acs-1
   ca-certificate cdn-acs-1.ca
   exit
!
crypto ssl services global-settings
   version all
   exit
!
!
!
crypto ssl services accelerated-service cdn-server-1
   description "SSL AO optimization of IIS"
   server-cert-key cdn-server-1.p12
   server-ip 172.16.2.2 port 443
   inservice
   exit

!

CORE-WAE-1#

Verify that the SSL AO is running on both you Core and Edge WAE:

EDGE-WAE-1#sh accelerator

Accelerator        Licensed           Config State       Operational State           
-----------        --------           ------------       -----------------           
cifs               Yes                Enabled            Running  
epm                Yes                Enabled            Running  
http               Yes                Enabled            Running  
mapi               Yes                Enabled            Running  
nfs                Yes                Enabled            Running

ssl                Yes                Enabled            Running  
video              Yes                Enabled            Running  
wafs-core          Yes                Disabled           Shutdown                     
wafs-edge          Yes                Disabled           Shutdown


EDGE-WAE-1#

If those conditions are met, here is what you should do when you pass an HTTPS connection through your setup:

EDGE-WAE-1#sh statistics connection

Current Active Optimized Flows:                      1
   Current Active Optimized TCP Plus Flows:          1
   Current Active Optimized TCP Only Flows:          0
   Current Active Optimized TCP Preposition Flows:   0
Current Active Auto-Discovery Flows:                 1
Current Reserved Flows:                              10
Current Active Pass-Through Flows:                   0
Historical Flows:                                    102


D:DRE,L:LZ,T:TCP Optimization RR:Total Reduction Ratio
A:AOIM,C:CIFS,E:EPM,G:GENERIC,H:HTTP,M:MAPI,N:NFS,S:SSL,V:VIDEO

ConnID        Source IP:Port          Dest IP:Port            PeerID          Accel   RR  
   114       172.16.5.2:1199        172.16.2.2:443 00:0f:fe:db:5b:2e TSDL  32.7%

EDGE-WAE-1#

As you can see, our connection is now taking benefit from TFO, SSL, DRE and LZ optimization.

SSL/HTTP Accelerators chaining

If you are running WAAS version 4.3.1 or above, there is a new feature that could also be useful here: AO chaining. This allows us to pass the traffic which is optimized not only through one accelerator but through multiple ones. In our case the SSL and the HTTP ones.


Enabling this chaining is pretty simple, you just need to tick the Enable HTTPS metadatacache caching checkbox from the HTTP/HTTPS Settings and this on both the Core and Edge WAE:

7-AOChaining.jpg

You can also check the Suppress server compression or/and Enable DRE hints if you want to take advantage of those. For more info, see the link in the Further Info part.

Once this is done, you should see that the connection is also taking benefit of the HTTP accelerator together wit SSL, TFO, DRE and LZ:

EDGE-WAE-1#sh statistics connection closed client-ip 172.16.5.2 ssl http

Current Active Optimized Flows:                      1
   Current Active Optimized TCP Plus Flows:          1
   Current Active Optimized TCP Only Flows:          0
   Current Active Optimized TCP Preposition Flows:   0
Current Active Auto-Discovery Flows:                 1
Current Reserved Flows:                              10
Current Active Pass-Through Flows:                   0
Historical Flows:                                    113


D:DRE,L:LZ,T:TCP Optimization RR:Total Reduction Ratio
A:AOIM,C:CIFS,E:EPM,G:GENERIC,H:HTTP,M:MAPI,N:NFS,S:SSL,V:VIDEO

ConnID        Source IP:Port          Dest IP:Port            PeerID             Accel    RR  
   826       172.16.5.2:1351        172.16.2.2:443 00:22:64:96:eb:5c THSDL 65.7%

EDGE-WAE-1#

You can also verify that the SSL AO is successfully passing the request to the HTTP AO through the show statistics accelerator ssl payload http command:

EDGE-WAE-1#show statistics accelerator ssl payload http                 

SSL - payload HTTP
------------------
Total Optimized Connections:                 6        
Successful HTTP accelerator insertions:      6        
Unsuccessful HTTP accelerator insertions:    0        

EDGE-WAE-1#

Further info

If you want to get more info on SSL AO optimization or AO chaining, here are a couple of documents you might want to have a look at:

DescriptionLink
SSL AO Q and AHere
SSL AO Configuration GuideHere
SSL Accelerated Service CLIHere
SSL AO Deployment GuideHere
Configuring AO chainingHere
Configuring SSL MonitoringHere
Average Rating: 5 (2 ratings)

Comments

nfournie Thu, 05/05/2011 - 10:15

Comments on the document itself or on what could be added to it are more than welcome.

Actions

Login or Register to take actions

This Document

Posted May 5, 2011 at 2:52 AM
Stats:
Comments:6 Avg. Rating:5
Views:3164 Contributors:6
Shares:0

Related Content