Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Modifying an "ssl-proxy-list" without disturbing the active sessions.

Hello,

I would like to know if it is possible to have two SSL modules installed in a CSS11503 with each one having it's own "ssl-proxy-list" ("ssl-proxy-list list1" and "ssl-proxy-list list2"), but the two lists (list1 and list2) are exactly the same.

I will explain my idea:

In normal situation the two "ssl-proxy-list" are active and the user's encrypted sessions are load balanced between the two SSL modules. But when we need to make a change to the "ssl-proxy-list", like changing a server's certificate, I would like to be able to suspend one service (type ssl-accel with the "ssl-proxy-list List1" attached to it for example) and wait for all active sessions to terminate before suspending the "ssl-proxy-list list1" for applying the changes.

Once the first "ssl-proxy-list" is updated I would make it active again and apply the same changes to the second "ssl-proxy-list".

Doing this this way I would like to be able to upgrade the servers's certificate during the working houres without disturbing the connected users...

Do you think this way of doing would be possible, or do you have an other solution to modify a "ssl-proxy-list" without disturbing the active running sessions ?

Thank you for your answer,

Best regards

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Modifying an "ssl-proxy-list" without disturbing the active

sounds like a good solution to me.

Gilles.

2 REPLIES
Cisco Employee

Re: Modifying an "ssl-proxy-list" without disturbing the active

sounds like a good solution to me.

Gilles.

Re: Modifying an "ssl-proxy-list" without disturbing the active

Hi Francois,

An SSL proxy list may belong to multiple SSL services (one SSL proxy list per service), and an SSL service may belong to multiple content rules. You can apply the services to content rules that allow the CSS to direct SSL requests for content.

The CSS supports one active SSL service for each SSL module in the CSS, one SSL service per slot. You can configure more than one SSL service for a slot but only a single SSL service can be active at a time.

No modifications to an SSL proxy list are permitted on an active list. Suspend the list prior to making changes, and then reactivate the SSL proxy list once the changes are complete. Once you have modified the SSL proxy list, suspend the SSL service, reactivate the SSL proxy list, and then reactivate the SSL service.

You can use maximum 4 different certificates at a time.

Use the suspend command to suspend an active SSL proxy list.

To suspend an active SSL proxy list, enter:

(config-ssl-proxy-list[ssl_list1])# suspend

use the url below for your reference:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.10/command/reference/CmdSSLC.html

Kind regards,

Sachin Garg

Senior Specialist Security

HCL Comnet Ltd.

http://www.hclcomnet.co.in

A-10, Sector 3, Noida- 201301

INDIA

Mob: +91-9911757733

Email: sachinga@hcl.in

157
Views
3
Helpful
2
Replies