Application Delivery (ADX)

SSL offload and acceleration concepts and examples

by pmorrissey on 04-30-2009 03:02 PM


SSL Configuration Modes

• “Configuring SSL Termination Mode”

• “Configuring SSL Proxy Mode”

The ServerIron SSL module provides hardware-accelerated encryption and decryption services to clients. The ServerIron sits between clients and servers, and all client traffic is terminated on the switch. When traffic is decrypted, the ServerIron analyzes the data and selects a server to which the connection traffic can be forwarded. The ServerIron then opens a new connection to the server and passes all data to this server. On the return path, the ServerIron receives all data from the server, encrypts it, and forwards it to the client. For every incoming connection from the client, the ServerIron maintains an additional connection to the server. Both connections are completely separate. The ServerIron essentially acts as a proxy.

Configuring SSL Termination Mode

In this mode, the ServerIron terminates the SSL connections, decrypts the data, and sends clear text to the server. The ServerIron offloads the encryption and decryption services from the server CPU and performs them in hardware, thereby offloading the burden from the server.

The ServerIron maintains an encrypted data channel with the client and a clear-text data channel with the server. Figure 2.5 shows a topology that terminates SSL on the ServerIron.


Figure 2.5 ServerIron SSL Termination

To configure SSL in the termination mode, perform the following tasks in sequence:

• “Create an SSL Profile”

• “Create a Real Server”

• “Create a Virtual Server”

• “Enable SSL Termination”

Create an SSL Profile

NOTE: Optionally, you can import and use a CA-signed certificate.

This section describes how to create a profile with a “self-signed” certificate. You also have the option to generate a CA-signed certificate. For more information on generating certificates, see the following sections:

• “Generating Self-Signed Certificates” on page 2-7

• “Using CA-Signed Certificates” on page 2-10

To create an SSL profile, follow these steps:

1. Generate an RSA key pair.

ServerIron#ssl genrsa rsakey-file 1024 mypassword

The command configures an RSA key pair in a file named "rsakey-file", with key size 1024, and "mypassword" as the password for the file.

Syntax: ssl genrsa <file-name> <key-size> <password>

2. Generate a self-signed certificate.

ServerIron#ssl gencert certkey rsakey-file signkey rsakey-file mypassword mycert

Syntax: ssl gencert certkey <rsakeypair> signkey <rsakeypair> <password>

At this point, you begin an interactive dialog.

You are about to be asked to enter information that will be incorporated into
your certificate request. What you are about to enter is what is called a
Distinguished Name or a DN.

Country name (2 letter code) US

State or province (full name) California

Locality name (city) San Jose

Organization name (Company name) Foundry Networks

Organizational unit name (department) Web Administration

Common name (your domain name) www.foundrynet.com

Email address webadmin@foundrynet.com

transfer_ssl_object_buf_to_bp : The object buffer length is 492

transfer_ssl_object_buf_to_bp: The message length is 622

3. Create an SSL Profile

ServerIron(config)#ssl profile myprofile

Syntax: ssl profile <profile-name>

This command creates an SSL profile named myprofile and enters the profile management mode.

Associate the RSA key pair and the Certificate with the SSL Profile.

ServerIron(config-ssl-profile-myprofile)#keypair-file rsakey-file

ServerIron(config-ssl-profile-myprofile)#certificate-file mycert

Syntax: keypair-file <key-file>

Syntax: certificate-file <cert-file>

Secure Socket Layer (SSL) Acceleration

September 2008 © 2008 Foundry Networks, Inc. 2 - 39

The <certificate-file> parameter specifies the name of the certificate to be associated with the SSL profile.

Select a Cipher Suite.

After you associate the RSA key pair and the certificate with the SSL profile, you can optionally select a cipher suite for the SSL profile.

ServerIron(config-ssl-profile-myprofile)#cipher-suite all

Syntax: cipher-suite all |

Create a Real Server

To create real servers, enter commands such as the following:

ServerIron(config)#server real rs1 10.1.1.1

ServerIron(config-rs-rs1)#port http

ServerIron(config)#server real rs2 10.1.1.2

ServerIron(config-rs-rs2)#port http

Syntax: server real <server name> <ip address>

Syntax: port {http | <port-number>}

Create a Virtual Server

To create a virtual server, enter commands such as the following:

ServerIron(config)#server virtual-name-or-ip vip1 10.1.1.7

ServerIron(config-vs-vip1)#port ssl

Enable SSL Termination

Configure SSL-termination and your profile on the port:

ServerIron(config-vs-vip1)#port ssl ssl-terminate myprofile

Bind SSL to your real servers:

ServerIron(config-vs-vip1)#bind ssl rs1 http rs2 http

You are now ready to send SSL traffic to VIP1.

Configuring SSL Proxy Mode

In the full SSL proxy mode, the ServerIron maintains encrypted data channels with both the client and the server. This mode provides additional security with no SSL hardware acceleration cost to the server. The reason to use SSL proxy is for visibility into application traffic for L7 processing and security.

Figure 2.6 shows the basic topology for a configuration of the full SSL proxy mode.

Figure 2.6 ServerIron SSL Proxy

When used in conjunction with SSL termination, SSL proxy provides an end-to-end SSL solution by encrypting traffic from the ServerIron to a server. In the end-to-end solution, the traffic can be divided into two segments:

• Client to ServerIron

• ServerIron to server

To configure SSL in proxy mode, you need two profiles (one for each traffic segment). For the first segment, SSL termination, use the procedure in “Configuring SSL Termination Mode” on page 2-37. For the second segment, SSL proxy, you need to configure a new profile for the server-side traffic, as shown in “Configuring SSL Proxy Mode” on page 2-39.

The ServerIron acts as a client to the real server. The real server presents a certificate, and that certificate must be verified by the ServerIron. Because the ServerIron needs the CA certificate from the issuing authority to verify the certificate from the real server, the CA certificate must be uploaded to the ServerIron before it can be used. See “Transferring a Keypair File and a Certificate File” on page 2-19.

NOTE: If the server is using a self-signed certificate, the allow-self-signed certificate command must be configured on the profile.

After both profiles are created, you need to bind them to a VIP. In this case, you must also bind the SSL port of the VIP to the SSL port on the server.

To configure SSL in the proxy mode, perform the following tasks in sequence:

• “Create a Client-Side SSL Profile” on page 2-40

• “Create a Server-side SSL Profile” on page 2-41

• “Create a Real Server” on page 2-41

• “Create a Virtual Server” on page 2-41

• “Enable SSL-Proxy” on page 2-41

Create a Client-Side SSL Profile

To create a client-side SSL profile, follow these steps:

1. Create a client-side SSL profile.

ServerIron(config)#ssl profile clientProfile

Syntax: ssl profile <profile-name>

2. Associate the RSA key pair and the certificate with the client-side SSL Profile.

ServerIron(config-ssl-profile-clientProfile)#keypair-file rsakey-file

Syntax: keypair-file <key-file>

3. Specify the name of the certificate to be associated with the client-side SSL profile.

ServerIron(config-ssl-profile-clientProfile)#certificate-file mycert

Syntax: certificate-file <cert-file>

4. Select a Cipher Suite.

After you associate the RSA key pair and the certificate with the client-side SSL profile, you can optionally select a cipher suite for the SSL profile.

ServerIron(config-ssl-profile-clientProfile)#cipher-suite all

Syntax: cipher-suite all |

Create a Server-side SSL Profile

To create a server-side SSL profile, follow these steps:

1. Create an SSL profile.

ServerIron(config)#ssl profile serverProfile

Syntax: ssl profile <profile-name>

2. Associate the CA certificate with the server profile.

ServerIron(config-ssl-profile-serverProfile)#ca-cert-file ca.cert

Syntax: ca-cert-file <ca-cert-file>

The <ca-cert-file> parameter specifies the name of the CA certificate to be associated with the server-side SSL profile; it is the certificate the ServerIron uses to verify the real server's certificate.

Create a Real Server

To create a real server, follow these steps:

1. Create a real server.

ServerIron#conf t

ServerIron(config)#server real rs20 10.1.1.1

Syntax: server real <server name> <ip address>

2. Enable an SSL port.

ServerIron(config-rs-rs20)#port ssl

Syntax: port {ssl | <port-number>}

Create a Virtual Server

To create a virtual server, enter these commands:

ServerIron(config)#server virtual-name-or-ip vip20 10.1.1.3

ServerIron(config-vs-vip20)#port ssl

Enable SSL-Proxy

To enable SSL-Proxy, enter these commands:

ServerIron(config-vs-vip20)#port ssl ssl-proxy clientProfile serverProfile

ServerIron(config-vs-vip20)#bind ssl rs20 ssl
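The termination procedure (profile, real servers, VIP, ssl-terminate, bind to http) and the proxy procedure (client-side profile, server-side profile with a CA certificate, bind to the server's ssl port) each state invariants that are easy to break by typing a command under the wrong prompt. The following Python script is an added example, not part of this article and not Foundry/Brocade code: it parses a pasted CLI transcript using the prompt format shown above to decide which profile, real server or VIP each command applies to, then reports a profile used by ssl-terminate or ssl-proxy without a key pair and certificate, a server-side profile that can verify nothing (no ca-cert-file and no allow-self-signed), and a bind whose real-server port does not match the mode (a terminated port bound to an SSL listener, or an ssl-proxy port bound to a clear-text one). The exact spelling of the allow-self-signed keyword is an assumption, and the sample transcripts are constructed from the commands in the text.

```python
"""Lint a ServerIron ADX CLI transcript against the SSL termination / proxy invariants described above.  Added example; not Foundry/Brocade code."""
import re

# Prompt shape as printed in the article, e.g. "ServerIron(config-vs-vip1)#bind ssl rs1 http"
PROMPT_RE = re.compile(r"^ServerIron\((?P<ctx>[^)]*)\)#\s*(?P<cmd>.*?)\s*$")


def parse_transcript(text):
    """profiles[name] -> settings, reals[name] -> enabled ports, virtuals[name] -> ports + binds."""
    profiles, reals, virtuals = {}, {}, {}
    for line in text.splitlines():
        m = PROMPT_RE.match(line.strip())
        if not m or not m.group("cmd").split():
            continue                                  # device output, dialog text, blank lines
        ctx, argv = m.group("ctx"), m.group("cmd").split()
        if ctx == "config" and len(argv) >= 3:
            if argv[:2] == ["ssl", "profile"]:
                profiles.setdefault(argv[2], {})
            elif argv[:2] == ["server", "real"]:
                reals.setdefault(argv[2], set())
            elif argv[:2] == ["server", "virtual-name-or-ip"]:
                virtuals.setdefault(argv[2], {"ports": {}, "binds": []})
        elif ctx.startswith("config-ssl-profile-"):
            # The prompt, not the last "ssl profile" command, says which profile is being edited
            p = profiles.setdefault(ctx[19:], {})
            if argv[0] in ("keypair-file", "certificate-file", "ca-cert-file") and len(argv) == 2:
                p[argv[0]] = argv[1]
            elif argv[0] == "allow-self-signed":          # keyword spelling is an assumption
                p["allow-self-signed"] = True
        elif ctx.startswith("config-rs-") and argv[0] == "port" and len(argv) >= 2:
            reals.setdefault(ctx[10:], set()).add(argv[1])
        elif ctx.startswith("config-vs-"):
            vs = virtuals.setdefault(ctx[10:], {"ports": {}, "binds": []})
            if argv[0] == "port" and len(argv) >= 4 and argv[2] == "ssl-terminate":
                vs["ports"][argv[1]] = ("ssl-terminate", argv[3:4])
            elif argv[0] == "port" and len(argv) >= 5 and argv[2] == "ssl-proxy":
                vs["ports"][argv[1]] = ("ssl-proxy", argv[3:5])
            elif argv[0] == "port" and len(argv) >= 2:
                vs["ports"].setdefault(argv[1], ("plain", []))
            elif argv[0] == "bind" and len(argv) >= 4 and len(argv) % 2 == 0:
                vs["binds"] += [(argv[1], rs, rp) for rs, rp in zip(argv[2::2], argv[3::2])]
    return profiles, reals, virtuals


def lint(text):
    """Return findings as strings; an empty list means the transcript is consistent."""
    profiles, reals, virtuals = parse_transcript(text)
    findings = []
    for vname, vs in virtuals.items():
        for vport, (mode, pnames) in vs["ports"].items():
            where = f"{vname} port {vport}"
            if mode in ("ssl-terminate", "ssl-proxy"):   # client-facing profile must carry key and cert
                p = profiles.get(pnames[0], {})
                if not (p.get("keypair-file") and p.get("certificate-file")):
                    findings.append(f"{where}: profile {pnames[0]!r} needs keypair-file and certificate-file")
            if mode == "ssl-proxy":                       # server-facing profile must be able to verify
                sp = profiles.get(pnames[1], {})
                if not (sp.get("ca-cert-file") or sp.get("allow-self-signed")):
                    findings.append(f"{where}: server-side profile {pnames[1]!r} has no ca-cert-file "
                                    "and no allow-self-signed, so the real server's certificate cannot be verified")
        for vport, rs, rport in vs["binds"]:
            where = f"{vname} bind {vport} {rs} {rport}"
            mode = vs["ports"].get(vport, ("plain", []))[0]
            if rport not in reals.get(rs, set()):
                findings.append(f"{where}: port {rport!r} is not enabled on real server {rs!r}")
            if mode == "ssl-terminate" and rport == "ssl":
                findings.append(f"{where}: terminated VIP port sends clear text but is bound to an ssl port; "
                                "use ssl-proxy if the server segment must stay encrypted")
            elif mode == "ssl-proxy" and rport != "ssl":
                findings.append(f"{where}: ssl-proxy VIP port must bind to the real server's ssl port")
    return findings


# Constructed transcripts mirroring the article's two procedures (names and addresses as in the text).
TERMINATION = """
ServerIron(config)#ssl profile myprofile
ServerIron(config-ssl-profile-myprofile)#keypair-file rsakey-file
ServerIron(config-ssl-profile-myprofile)#certificate-file mycert
ServerIron(config)#server real rs1 10.1.1.1
ServerIron(config-rs-rs1)#port http
ServerIron(config)#server virtual-name-or-ip vip1 10.1.1.7
ServerIron(config-vs-vip1)#port ssl ssl-terminate myprofile
ServerIron(config-vs-vip1)#bind ssl rs1 http
"""
PROXY = """
ServerIron(config)#ssl profile clientProfile
ServerIron(config-ssl-profile-clientProfile)#keypair-file rsakey-file
ServerIron(config-ssl-profile-clientProfile)#certificate-file mycert
ServerIron(config)#ssl profile serverProfile
ServerIron(config-ssl-profile-serverProfile)#ca-cert-file ca.cert
ServerIron(config)#server real rs20 10.1.1.1
ServerIron(config-rs-rs20)#port ssl
ServerIron(config)#server virtual-name-or-ip vip20 10.1.1.3
ServerIron(config-vs-vip20)#port ssl ssl-proxy clientProfile serverProfile
ServerIron(config-vs-vip20)#bind ssl rs20 ssl
"""
# CA certificate typed under the wrong profile prompt: serverProfile is left unable to verify the server.
PROXY_WRONG_PROMPT = PROXY.replace("profile-serverProfile)#ca-cert-file", "profile-clientProfile)#ca-cert-file")
# Terminated VIP bound to the server's ssl port: the clear-text segment would hit an SSL listener.
TERMINATION_TO_SSL_PORT = TERMINATION.replace("rs-rs1)#port http", "rs-rs1)#port ssl").replace("rs1 http", "rs1 ssl")
```

Calling lint(TERMINATION) and lint(PROXY) returns an empty list; lint(PROXY_WRONG_PROMPT) reports that serverProfile has no CA certificate, and lint(TERMINATION_TO_SSL_PORT) reports the clear-text segment bound to an ssl port. The context is taken from the prompt rather than from command order on purpose: that is exactly how a mis-typed prompt leaves one profile fully configured and the other empty, which the device accepts silently.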

Optional SSL Features

This section describes the optional SSL features and how to configure them.