Cisco Support Community
New Member

ACE ssl initiation

Have done ssl init on the CSS before.

It can be easily configured to present a client cert to the remote end like a browser would.

I can't see how this is done on the ACE.

Do I just apply an authgroup referring to the client cert in the ssl proxy configuration ?

1 ACCEPTED SOLUTION
3 REPLIES
Cisco Employee

ACE ssl initiation

Hi,

For SSL initiation the ACE shall act as a client. So you will define an SSL proxy and just bind it with the policy map.

The config below is for end-to-end SSL, but look at the bold part, which is for SSL initiation, and here is the link for your reference.

access-list allow_all line 10 extended permit ip any any

probe http KEEPALIVE-WEBS
  description Test for Webs Servers
  interval 15
  passdetect interval 30
  request method head url /ping.jsp
  expect status 200 200

parameter-map type ssl ssl_ciphers
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_DES_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA

rserver host WEB001
  description Web Servers
  ip address 10.0.130.253
  probe KEEPALIVE-WEBS
  inservice
rserver host WEB002
  description Web Servers
  ip address 10.0.130.252
  probe KEEPALIVE-WEBS
  inservice
rserver host WEB003
  description Web Servers
  ip address 10.0.130.254
  probe KEEPALIVE-WEBS
  inservice
rserver redirect OLD_SITE_REDIR
  webhost-redirection https://www.newsite.com 301
  inservice

ssl-proxy service SERVER_SSL
  key www-server.key
  cert www-server.crt
  ssl advanced-options ssl_ciphers
ssl-proxy service CLIENT_SSL
  ssl advanced-options ssl_ciphers

serverfarm redirect REDIRECT
  rserver OLD_SITE_REDIR
    inservice
serverfarm host VIP-WWW-443
  description servers-for-https
  rserver WEB001 443
    inservice
  rserver WEB002 443
    inservice
  rserver WEB003 443
    inservice
serverfarm host VIP-WWW-80
  description servers-for-www
  rserver WEB001 80
    inservice
  rserver WEB002 80
    inservice
  rserver WEB003 80
    inservice

sticky http-cookie wwwservers WWW-P80
  cookie insert
  timeout 720
  replicate sticky
  serverfarm VIP-WWW-80
sticky http-cookie wwwservers WWW-P443
  cookie insert
  timeout 720
  replicate sticky
  serverfarm VIP-WWW-443

class-map type http loadbalance match-all CLA7REDIR
  2 match http url http://www.oldsite.com/.*
class-map type http loadbalance match-all CLA7WWW
  2 match http url http://www.newsite.com/.*
class-map match-any VIP-P443
  2 match virtual-address 10.0.128.211 tcp eq https
class-map match-any VIP-P80
  2 match virtual-address 10.0.128.211 tcp eq www

policy-map type loadbalance first-match VIP_SERVER_P443
  class CLA7REDIR
    serverfarm REDIRECT
  class CLA7WWW
    sticky-serverfarm WWW-P443
    ssl-proxy client CLIENT_SSL
policy-map type loadbalance first-match VIP_SERVER_P80
  class class-default
    sticky-serverfarm WWW-P80
policy-map multi-match WWW_LB
  class VIP-P80
    loadbalance vip inservice
    loadbalance policy VIP_SERVER_P80
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
  class VIP-P443
    loadbalance vip inservice
    loadbalance policy VIP_SERVER_P443
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    ssl-proxy server SERVER_SSL

interface vlan 128
  ip address 10.0.128.15 255.255.255.0
  access-group input allow_all
  service-policy input WWW_LB
  no shutdown
interface vlan 130
  ip address 10.0.130.15 255.255.255.0
  access-group input allow_all
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.0.128.1

Regards,

Kanwal

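The accepted answer binds a client-side SSL proxy to the policy map but leaves the question of presenting a client certificate to the back end open. The fragment below is an added example, not the poster's or Cisco's configuration, and has not been verified on a device. It assumes three files already imported onto the ACE: client.key and client.crt (the key pair the ACE presents to the server when it requests client authentication) and backend-ca.crt (the CA that signed the back-end servers' certificates). On the ACE, the certificate in an ssl-proxy service is what the ACE presents; an authgroup is the set of CA certificates used to verify the peer, which is why the client certificate is configured with key/cert and not through the authgroup the question mentions. Lines beginning with "!" are explanatory comments, not ACE commands.

```cisco
! Added example (not the page's config). Assumed file names: client.key, client.crt, backend-ca.crt.

! Cipher list for the back-end session, restricted to AES (the page's parameter-map
! also permits RC4 and single DES). "version TLS1" is assumed to be accepted here.
parameter-map type ssl BACKEND_SSL_PARAMS
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
  version TLS1

! CA certificate(s) used to verify the certificate the back-end server presents to the ACE.
crypto authgroup BACKEND_CA
  cert backend-ca.crt

! Client-side SSL proxy: the ACE is the TLS client toward the servers.
! key/cert are presented when the server requests client authentication;
! authgroup makes the ACE validate the server's certificate against BACKEND_CA.
ssl-proxy service CLIENT_SSL
  key client.key
  cert client.crt
  authgroup BACKEND_CA
  ssl advanced-options BACKEND_SSL_PARAMS

! Bind the client proxy in the Layer 7 load-balance policy, as in the accepted answer.
policy-map type loadbalance first-match VIP_SERVER_P443
  class CLA7WWW
    sticky-serverfarm WWW-P443
    ssl-proxy client CLIENT_SSL
```

Before binding the proxy, confirm the three files are present on the ACE (show crypto files lists imported keys and certificates) and that the back-end servers are configured to trust the CA that issued client.crt; a handshake failure on the server side will otherwise show up only as the rserver being marked failed by the probe or as reset connections, not as an error on the client-facing VIP.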
New Member

ACE ssl initiation

Thanks. That helped. It wasn't clear to find in the manual.
