Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
999
Views
0
Helpful
4
Replies

CSS Secure LDAP loadbalancing

amyskitchen
Level 1
Level 1

‎06-17-2010 03:08 PM

I have succesfully configure the CSS to load balance ldap request to 3 Windows AD servers. However, when adding SSL to the front end only it fails.

I'm assuming it has to do with the certificate requiring extended key usages. Has anyone done this before?

How can I create a certificate requests on the CSS requiring those ext?

Any ideas or help would be gretely appreciated.

-Eric

Labels:
0 Helpful
4 Replies 4

Robbie Woodley
Level 1
Level 1

‎06-18-2010 12:16 PM

I just found myself in the same boat.  I got data going the the CSS fine but when I try to setup SSL on the front end (no backend SSL) I get nothing.  I'm sure it's just something minor I'm missing but having never been inside one of these CSS11500's until this project I am not sure what to focus my attention on as a likely suspect.  Appreciate any help that can be offered.

- Robbie

0 Helpful

amyskitchen
Level 1
Level 1
In response to Robbie Woodley

‎06-22-2010 05:21 PM

Finally got it working.  The config on the CSS is pretty straight forward. The problem was with certificates. I was generating my own certificates using openssl and therefore were not trusted on the client pc I was testing with.  All I did to get it working is adding the root certicate that I used to sign the ldap server certificate on the client machine.

It just worked.

Useful links that might be related to what you I was  trying to accomplish:

   http://www.cs.bham.ac.uk/~smp/projects/peap/

Good luck!

0 Helpful

Robbie Woodley
Level 1
Level 1
In response to amyskitchen

‎06-28-2010 09:36 AM

Would you mind sharing your config with me?  Of course the confidential stuff removed.  You can contact me off-board.

Thx

0 Helpful

amyskitchen
Level 1
Level 1
In response to Robbie Woodley

‎07-06-2010 12:25 PM

Hi Robbie,

Sorry for the delayed response. Here is the relevant config info. No backend SSL service yet, backend is still unencrypted, but at this point everything is on our data center not crossing any WAN or networks.  One thing to note is that my CSS is one armed, doing NAT as well so the load-balancing is considered full-proxy.

Hope it helps.

ssl-proxy-list ssl_list1
  ssl-server 2
  ssl-server 2 dhparam mydhparam1
  ssl-server 2 vip address 10.1.6.12
  ssl-server 2 cipher dhe-rsa-with-3des-ede-cbc-sha 10.1.6.12 389
  ssl-server 2 cipher dhe-rsa-with-des-cbc-sha 10.1.6.12 389
  ssl-server 2 cipher rsa-with-3des-ede-cbc-sha 10.1.6.12 389
  ssl-server 2 cipher rsa-with-des-cbc-sha 10.1.6.12 389
  ssl-server 2 cipher rsa-with-rc4-128-sha 10.1.6.12 389
  ssl-server 2 cipher rsa-with-rc4-128-md5 10.1.6.12 389
  ssl-server 2 port 636
  ssl-server 2 rsakey myrsakey1
  ssl-server 2 rsacert ldapxCert
  active


service LDAP1
  ip address 10.1.1.4
  keepalive port 389
  protocol tcp
  keepalive type tcp
  port 389
  active

service LDAP2
  ip address 10.10.6.5
  protocol tcp
  keepalive type tcp
  port 389
  keepalive port 389
  active

service ssl_module1
  type ssl-accel
  add ssl-proxy-list ssl_list1
  slot 2
  keepalive type none
  active

  content LDAPSSLTest
    vip address 10.1.6.12
    add service ssl_module1
    protocol tcp
    port 636
    active


group LDAPGroup
  vip address 10.1.6.12
  add destination service LDAP1
  add destination service LDAP2
  active

Eric

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents