Cisco Support Community
Community Member

CSS Secure LDAP loadbalancing

I have successfully configured the CSS to load balance LDAP requests to 3 Windows AD servers. However, when adding SSL to the front end only, it fails.

I'm assuming it has to do with the certificate requiring extended key usages. Has anyone done this before?

How can I create a certificate request on the CSS requiring those ext?

Any ideas or help would be greatly appreciated.

-Eric

4 REPLIES
Community Member

Re: CSS Secure LDAP loadbalancing

I just found myself in the same boat.  I got data going through the CSS fine, but when I try to set up SSL on the front end (no backend SSL) I get nothing.  I'm sure it's just something minor I'm missing, but having never been inside one of these CSS11500's until this project, I am not sure what to focus my attention on as a likely suspect.  Appreciate any help that can be offered.

- Robbie

Community Member

Re: CSS Secure LDAP loadbalancing

Finally got it working.  The config on the CSS is pretty straightforward. The problem was with certificates. I was generating my own certificates using openssl, and therefore they were not trusted on the client PC I was testing with.  All I did to get it working was add the root certificate that I used to sign the LDAP server certificate on the client machine.

It just worked.

Useful links that might be related to what I was trying to accomplish:

   http://www.cs.bham.ac.uk/~smp/projects/peap/

Good luck!
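
The trust failure described in this reply can be reproduced offline with openssl, as an added example that is not part of the original post: a constructed lab CA signs a certificate for the VIP name, and verification succeeds only when the client's trust anchor is that CA and the certificate carries an extended key usage suitable for a server (serverAuth here). All names (lab-root, other-root, ldap.example.test, vip, vip-bad) are placeholders.

```shell
#!/bin/sh
# Constructed lab PKI; every name and file below is a placeholder.
WORK=$(mktemp -d)

# make_ca <name>: self-signed root, like a home-grown CA built with openssl.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf <name> <ca> <eku>: certificate for the VIP host name, signed by <ca>.
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'subjectAltName=DNS:ldap.example.test\nextendedKeyUsage=%s\n' "$3" \
    > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# trusted_as_server <leaf> <anchor>: exit 0 only if <leaf> chains to <anchor>
# AND is acceptable for TLS server use (the kind of check a TLS client applies).
trusted_as_server() {
  openssl verify -purpose sslserver -CAfile "$WORK/$2.pem" "$WORK/$1.pem" \
    >/dev/null 2>&1
}

make_ca lab-root                      # the CA that signed the VIP certificate
make_ca other-root                    # stands in for a client store lacking lab-root
make_leaf vip lab-root serverAuth     # certificate usable by a TLS server
make_leaf vip-bad lab-root clientAuth # same CA, wrong extended key usage

for pair in "vip lab-root" "vip other-root" "vip-bad lab-root"; do
  set -- $pair
  if trusted_as_server "$1" "$2"; then result=accepted; else result=rejected; fi
  echo "leaf=$1 anchor=$2 -> $result"
done
```

Against the live front end, `openssl s_client -connect <vip>:636 -CAfile <root.pem>` applies the same chain check to the certificate the VIP actually presents.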

Community Member

Re: CSS Secure LDAP loadbalancing

Would you mind sharing your config with me?  Of course the confidential stuff removed.  You can contact me off-board.

Thx

Community Member

Re: CSS Secure LDAP loadbalancing

Hi Robbie,

Sorry for the delayed response. Here is the relevant config info. No backend SSL service yet, backend is still unencrypted, but at this point everything is in our data center, not crossing any WAN or networks.  One thing to note is that my CSS is one-armed, doing NAT as well, so the load-balancing is considered full-proxy.

Hope it helps.

ssl-proxy-list ssl_list1
  ssl-server 2
  ssl-server 2 dhparam mydhparam1
  ssl-server 2 vip address 10.1.6.12
  ssl-server 2 cipher dhe-rsa-with-3des-ede-cbc-sha 10.1.6.12 389
  ssl-server 2 cipher dhe-rsa-with-des-cbc-sha 10.1.6.12 389
  ssl-server 2 cipher rsa-with-3des-ede-cbc-sha 10.1.6.12 389
  ssl-server 2 cipher rsa-with-des-cbc-sha 10.1.6.12 389
  ssl-server 2 cipher rsa-with-rc4-128-sha 10.1.6.12 389
  ssl-server 2 cipher rsa-with-rc4-128-md5 10.1.6.12 389
  ssl-server 2 port 636
  ssl-server 2 rsakey myrsakey1
  ssl-server 2 rsacert ldapxCert
  active


service LDAP1
  ip address 10.1.1.4
  keepalive port 389
  protocol tcp
  keepalive type tcp
  port 389
  active

service LDAP2
  ip address 10.10.6.5
  protocol tcp
  keepalive type tcp
  port 389
  keepalive port 389
  active

service ssl_module1
  type ssl-accel
  add ssl-proxy-list ssl_list1
  slot 2
  keepalive type none
  active

  content LDAPSSLTest
    vip address 10.1.6.12
    add service ssl_module1
    protocol tcp
    port 636
    active


group LDAPGroup
  vip address 10.1.6.12
  add destination service LDAP1
  add destination service LDAP2
  active

Eric
