ACE 4710 in failover - ssl offload, cert for second ACE

kasper123
Level 4

Hi,

I'm testing two ACE 4710 appliances that should work in active/standby mode and do ssl offload in bridged mode.

At the moment I have configured one of the devices to do basic load balancing (without ssl offload).

Now I would like to move further and configure ssl offload and configure High availability.

I read that the certificate for ssl can be locally generated on the ACE device but I couldn't find any information regarding the cert that should be used on the second ACE.

Should I generate a new cert on the standby unit or somehow use the one on the first ACE?

Is it better to first set up high availability and then configure ssl offload or vice versa?

Does anyone have a config example of ssl offload and active/standby configuration?

Thank you in advance.

6 Replies

You simply need to generate keys & CSR on the primary ACE. Export the keys from the primary ACE, import these keys to the standby ACE and once you receive the certs from the CA then simply import the cert to both ACEs.

Following will be the steps to achieve that.

On primary ACE:

1. Create RSA keys

crypto generate key 2048 app1.key

2. Create CSR & send it to CA

ace/Admin(config)# crypto csr-params app1-csr

ace/Admin(config-csr-params)# common-name www.app1.com

ace/Admin(config-csr-params)# country US

ace/Admin(config-csr-params)# email xx@xx.com

ace/Admin(config-csr-params)# locality xyz

ace/Admin(config-csr-params)# organization-name xyz

ace/Admin(config-csr-params)# organization-unit xyz

ace/Admin(config-csr-params)# state CA

ace/Admin(config-csr-params)# serial-number 1234

ace/Admin(config-csr-params)# end

ace/Admin(config)# crypto generate csr app1-csr app1.key

(copy the result to a file)

3. Import the certificate received from the CA

crypto import terminal app1.cert

(paste the content of the cert)

4. Verify the cert & keys match

crypto verify app1.key app1.cert

5. Export the keys from the active ACE

crypto export app1.key

(copy the result to a file)

On standby ACE:

1. Import the keys

crypto import terminal app1.key

2. Import the cert

crypto import terminal app1.cert

3. Verify the cert & keys match

crypto verify app1.key app1.cert

Hope this helps

Syed

Hi Syed,

thank you for taking the time to reply.

What if I don't want to get a key from a CA? I just need the sessions to be encrypted but the key does not have to be from a well known CA.

I plan to generate a self signed certificate using

[root@admin]# openssl genrsa -out key.pem 102

and

[root@admin]# openssl req -new -x509 -nodes -sha1 -days 365 -key key.pem -out cert.pem

Should I export the generated keys and transfer them to the standby ACE?

Can you please provide some info regarding the keys export procedure?

Thank you!
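An added example, not from the thread or from Cisco: it generates the self-signed key/cert pair with openssl as the poster does, then checks that the private key and the certificate belong together, which is what Syed's "crypto verify" step does on the ACE and what has to hold before the same two PEM files are imported on both units. It assumes openssl is in PATH; the file names and common name are placeholders, and it uses 2048-bit RSA with SHA-256 rather than the values in the post.

```shell
#!/bin/sh
# Added example (not from the thread). Generates a self-signed key/cert pair
# with openssl and verifies that the key and cert match, the check that
# "crypto verify app1.key app1.cert" performs on each ACE after import.
# Assumptions: openssl in PATH; file names and the CN are placeholders.
set -u

gen_selfsigned() {
  # $1 key file, $2 cert file, $3 common name, $4 validity in days
  key="$1" cert="$2" cn="$3" days="$4"
  openssl genrsa -out "$key" 2048 2>/dev/null || return 1
  openssl req -new -x509 -nodes -sha256 -days "$days" \
    -subj "/CN=$cn" -key "$key" -out "$cert" 2>/dev/null || return 1
}

# Compare the public key derived from the private key file with the public
# key embedded in the certificate. Prints "match" or "mismatch" and returns
# 0 or 1 accordingly, so it can gate an import onto the standby unit.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
      | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  if [ -n "$k" ] && [ "$k" = "$c" ]; then
    echo match
    return 0
  fi
  echo mismatch
  return 1
}

# Demo: the freshly generated pair matches; an unrelated key does not, which
# is the failure that importing the wrong key on the standby ACE would cause.
workdir=$(mktemp -d)
gen_selfsigned "$workdir/app1.key" "$workdir/app1.cert" www.app1.com 365
key_matches_cert "$workdir/app1.key" "$workdir/app1.cert"            # match
openssl genrsa -out "$workdir/other.key" 2048 2>/dev/null
key_matches_cert "$workdir/other.key" "$workdir/app1.cert" || true   # mismatch
```

The key file and cert file that pass this check are the two files to paste into "crypto import terminal" on both ACEs.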

Hi Again,

I generated the keys on a linux machine using openssl.

I then imported the keys into the ACE and configured ssl offload but now when I go to the VIP address IE does not work and Firefox displays the error:

An error occurred during a connection to 192.168.20.20.

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)

I checked with the show crypto commands and everything seems to be fine with the keys.

Do you have an idea what might be wrong?

Well I reconfigured it again and now it is working fine. :)

All I need now is to add the second ACE as failover device.

If I understood correctly I should import the same keys on the second ACE before configuring HA?

Attached is my current config.

Thank you.

You got it right.

If you are using Openssl then you simply need to import the same keys & certs to both ACE appliances.

Thanks

Syed Iftekhar Ahmed
