CSS certificate problems

cisco-pix
Level 1

Hi, I installed and associated my cert on my CSS, but am having problems getting it working...

What I need is to be able to browse FROM my web server 192.168.10.1 to a specific website which provided me with the cert 'myRSAcert' below. I have implemented the below but when I browse to the website it says I have no cert installed. I have not configured anything locally on the server, I have only configured on the CSS.

Here is what I have done on the CSS:

I have set up my 443 content rule:

content myContentRule443
  vip address 194.10.0.1
  port 443
  add service ssl_test
  active

I have added my service:

service ssl_test
  type ssl-accel
  slot 2
  keepalive type none
  add ssl-proxy-list ssl_list
  active

I have added an ssl-server in my ssl_list:

ssl-server 50
ssl-server 50 vip 194.10.0.1
ssl-server 50 rsakey myRSAkey
ssl-server 50 rsacert myRSAcert
cipher rsa-with-rc4-128-md5 194.10.0.1 80
active

I have set up my 80 content rule:

content myContentRule80
  vip address 194.10.0.1
  port 80
  add service server1
  active

I have set up my internal web server:

service server1
  keepalive type http
  keepalive port 80
  keepalive freq 6
  protocol tcp
  port 80
  ip address 192.168.10.1
  active

Am I correct in this general set up, or have I missed anything out?

Can anyone please help?

6 Replies

RODRGUTI
Level 1

Hi,

Please add this command:

content myContentRule443
  vip address 194.10.0.1
  port 443
  add service ssl_test
  application ssl    <-- add this
  active

This command should make it work, if service server1 is alive.

If you do an HTTP request on port 80, does it work?

- Rodrigo.

Gilles Dufour
Cisco Employee

OK, ignore the other comment about application ssl. That's not required.

If I understand correctly the source of the traffic is 192.168.10.1.

But from your config, this is also the destination.

Is this correct?

If you want the browser to be able to open a connection to the vip, you need to configure client nat using a 'group'.

I can assist you with this if that's what you need.

But, if you want to do SSL initiation - the source sends cleartext request and the CSS encrypts everything before forwarding to a remote server, then your config is wrong.

Please, let us know what you need exactly.

Gilles.

I am looking to browse to a website (157.50.10.1) from my local server (192.168.10.1). My VIP is 194.10.0.1

In order for me to browse to this website I am required to have a cert, which I have requested and installed - myRSAcert.

Am I missing anything?

Thanks

So, you want the CSS to encrypt the traffic on behalf of the server.

This is called ssl initiation and you're missing everything in your config.

See how to do ssl initiation at

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/ssl/guide/initiate.html#wp1010473

Gilles.

Hi, thanks for your help. I have looked through this and this is what I came up with:

1. Create a backend server, defining my Virtual backend (192.168.25.1) and the Server I connect to externally (154.10.1.1)

ssl-proxy-list ssl_list1
  backend-server 50
  backend-server 50 type initiation
  backend-server 50 ip address 192.168.25.1     (INTERNAL - my virtual backend ssl server)
  backend-server 50 server-ip 154.10.1.1        (EXTERNAL - ip of the website I am looking to browse to)
  backend-server 50 rsacert myRSAcert
  backend-server 50 rsakey myRSAkey

2. Add an SSL service:

service myService1
  type ssl-init
  ip address 192.168.25.1
  slot 2
  keepalive type none
  add ssl-proxy-list ssl_list1
  active

3. Add a content rule:

owner ContentRules
  content myContentRule1
    add service myService1
    vip address 192.168.25.2
    protocol tcp
    port 80
    active

It still doesn't work. I am wondering, am I missing anything else here?

Thanks so much for your help.

You also need to set the cipher:

  backend-server 50 cipher rsa-with-rc4-128-sha

If that does not work after that, get us a 'show summary' and 'show ssl statistics' before and after opening a connection.

Capture a trace on your server and a simultaneous trace on the other side of the CSS.

Gilles.
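The thread's SSL-initiation config was missing one line (the backend-server cipher), and the forum replies show how easy it is to leave such a piece out. As an added example, which is not part of this thread and not Cisco's own tooling, here is a small Python linter that parses the CSS command syntax exactly as it appears in the posts above (ssl-proxy-list with backend-server sub-commands, service, owner/content) and reports the omissions discussed: a backend-server without type/ip address/server-ip/rsacert/rsakey/cipher, an ssl-init service that references a missing proxy list or whose ip address matches no backend-server, a content rule that adds a service which does not exist, and services or rules left inactive. The sample config is constructed from the three-step config in the thread plus the cipher line from the last reply; the check list is taken from the thread and is not a complete model of CSS semantics.

```python
import re

# Constructed sample: the poster's three-step SSL-initiation config, with the
# backend-server cipher line from the final reply added.
SAMPLE_CONFIG = """
ssl-proxy-list ssl_list1
  backend-server 50
  backend-server 50 type initiation
  backend-server 50 ip address 192.168.25.1 (INTERNAL - my virtual backend ssl server)
  backend-server 50 server-ip 154.10.1.1 (EXTERNAL - the website I browse to)
  backend-server 50 rsacert myRSAcert
  backend-server 50 rsakey myRSAkey
  backend-server 50 cipher rsa-with-rc4-128-sha
  active
service myService1
  type ssl-init
  ip address 192.168.25.1
  slot 2
  keepalive type none
  add ssl-proxy-list ssl_list1
  active
owner ContentRules
  content myContentRule1
    add service myService1
    vip address 192.168.25.2
    protocol tcp
    port 80
    active
"""

# Attributes an initiation backend-server needs according to the thread;
# 'cipher' is the one the original post left out.
REQUIRED_BACKEND = ("type", "ip address", "server-ip", "rsacert", "rsakey", "cipher")


def parse_css_config(text):
    """Parse the CSS command lines into (proxy_lists, services, contents) dicts."""
    lists, services, contents = {}, {}, {}
    section = None  # (kind, name) of the block the current line belongs to
    for raw in text.splitlines():
        line = re.sub(r"\(.*?\)", "", raw).strip()  # drop "(INTERNAL - ...)" annotations
        if not line:
            continue
        words = line.split()
        if words[0] == "ssl-proxy-list" and len(words) == 2:
            section = ("list", words[1])
            lists.setdefault(words[1], {"backends": {}, "active": False})
        elif words[0] == "service" and len(words) == 2:
            section = ("service", words[1])
            services.setdefault(words[1], {"active": False})
        elif words[0] == "content" and len(words) == 2:
            section = ("content", words[1])
            contents.setdefault(words[1], {"services": [], "active": False})
        elif words[0] == "owner" or section is None:
            section = None  # owner lines only group content rules
        elif section[0] == "list" and words[0] == "backend-server":
            backend = lists[section[1]]["backends"].setdefault(words[1], {})
            rest = words[2:]
            if not rest:  # bare "backend-server N" just creates the entry
                continue
            if rest[:2] == ["ip", "address"] and len(rest) >= 3:
                backend["ip address"] = rest[2]
            else:  # "type initiation", "server-ip X", "rsacert X", "cipher X", ...
                backend[rest[0]] = " ".join(rest[1:])
        elif line == "active":
            {"list": lists, "service": services, "content": contents}[section[0]][section[1]]["active"] = True
        elif section[0] == "service":
            if words[:2] == ["add", "ssl-proxy-list"]:
                services[section[1]]["proxy_list"] = words[2]
            elif words[:2] == ["ip", "address"]:
                services[section[1]]["ip address"] = words[2]
            elif words[0] == "type":
                services[section[1]]["type"] = words[1]
        elif section[0] == "content" and words[:2] == ["add", "service"]:
            contents[section[1]]["services"].append(words[2])
    return lists, services, contents


def lint(text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    lists, services, contents = parse_css_config(text)
    findings = []
    for lname, lst in lists.items():
        for num, backend in lst["backends"].items():
            for attr in REQUIRED_BACKEND:
                if attr not in backend:
                    findings.append(f"ssl-proxy-list {lname}: backend-server {num} missing '{attr}'")
            if backend.get("type") not in (None, "initiation"):
                findings.append(f"ssl-proxy-list {lname}: backend-server {num} type is {backend['type']}, expected initiation")
    for sname, svc in services.items():
        if svc.get("type") != "ssl-init":
            continue
        plist = svc.get("proxy_list")
        if plist is None:
            findings.append(f"service {sname}: no 'add ssl-proxy-list'")
        elif plist not in lists:
            findings.append(f"service {sname}: references unknown ssl-proxy-list {plist}")
        elif svc.get("ip address") not in {b.get("ip address") for b in lists[plist]["backends"].values()}:
            findings.append(f"service {sname}: ip address {svc.get('ip address')} matches no backend-server in {plist}")
        if not svc["active"]:
            findings.append(f"service {sname}: not active")
    for cname, rule in contents.items():
        for s in rule["services"]:
            if s not in services:
                findings.append(f"content {cname}: adds unknown service {s}")
        if not rule["active"]:
            findings.append(f"content {cname}: not active")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against a saved `show running-config` excerpt instead of SAMPLE_CONFIG to check a real box; the parser only understands the sub-commands shown in the thread, so anything else is ignored rather than flagged.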
