Configure SSL Termination on ACE

There are three methods of SSL proxying on the ACE: SSL initiation, SSL termination and end-to-end SSL. In this article I cover SSL termination.

SSL Termination

This method makes the ACE do the heavy lifting: the extra CPU cycles spent encrypting and decrypting SSL traffic are offloaded to the ACE. In the tests I have done in our development environments, it has given us, on average, a 10% overall performance increase vs. doing end-to-end SSL encryption with IIS 7.

In this case, the backend servers (IIS, Apache, etc.) do not have certificates on them. They listen on port 80 (or any other cleartext port) behind the ACE. Your hosts' default gateway will be either the ACE (one-arm mode) or the firewall (bridged mode).

NOTE: Some applications send redirects out to the web clients. If the ACE does not intercept these redirects and change them to HTTPS, they will send your clients to a port that is most likely not open on the firewall. I wrote an article that covers that issue here.
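To make the redirect problem concrete, here is the rewrite rule a terminating proxy has to apply to a cleartext backend's 3xx responses. This is an editor-added illustration in Python, not ACE code and not from the linked article; the ACE has its own configuration for this, which the author covers there. The VIP name www.example.com and the backend hostnames srvr1.internal and srvr2.internal are constructed for the example.

```python
"""Rewrite Location headers emitted by cleartext backends behind a TLS-terminating proxy.

Editor-added example. Without this step a client that reached https://VIP/ is
bounced to http://backend/... on port 80, which the firewall does not pass.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed names for illustration: the public VIP name clients use, and the
# hostnames the backends put into their own redirects.
VIP_HOST = "www.example.com"
BACKEND_HOSTS = {"srvr1.internal", "srvr2.internal"}


def rewrite_location(location, vip_host=VIP_HOST, backend_hosts=BACKEND_HOSTS):
    """Return the Location value the client should see.

    http://<backend or VIP>[:80]/path becomes https://<vip_host>/path.
    Relative redirects, https redirects and redirects to unrelated hosts
    are returned unchanged, because rewriting them would break them."""
    parts = urlsplit(location)
    if parts.scheme.lower() != "http":
        return location                       # relative, already https, or other scheme
    fronted = {h.lower() for h in backend_hosts} | {vip_host.lower()}
    if (parts.hostname or "") not in fronted:
        return location                       # third-party site: leave alone
    if parts.port not in (None, 80):
        return location                       # a cleartext port the VIP does not front
    # Drop any explicit :80 and send the client back through the HTTPS VIP.
    return urlunsplit(("https", vip_host, parts.path, parts.query, parts.fragment))


def rewrite_redirect(status, headers, vip_host=VIP_HOST, backend_hosts=BACKEND_HOSTS):
    """Apply rewrite_location to the Location header of a 3xx response only.

    headers is a list of (name, value) tuples; a new list is returned."""
    if not 300 <= status < 400:
        return list(headers)
    fixed = []
    for name, value in headers:
        if name.lower() == "location":
            value = rewrite_location(value, vip_host, backend_hosts)
        fixed.append((name, value))
    return fixed


if __name__ == "__main__":
    # A constructed backend response: IIS redirecting a client to its own cleartext name.
    resp = rewrite_redirect(302, [("Location", "http://srvr1.internal/login"), ("Server", "IIS")])
    print(resp)   # Location now points at https://www.example.com/login
```

The host check matters: a backend may legitimately redirect to a partner site, and blindly forcing https://VIP onto every Location header would send those clients to the wrong server.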

The one caveat with this approach is that it requires your clients to have no rule against traffic being cleartext on the local network. No unencrypted traffic traverses the Internet, but some customers and certifications do not allow any cleartext transmission of data.

What Serverfarms?

Do all your serverfarms need SSL, or just a few? Take note of what needs SSL at this point. For my example, my SSL serverfarm is as follows:

serverfarm host FARM-SSL
 rserver SRVR1
   inservice
 rserver SRVR2
   inservice
 rserver SRVR3
   inservice
 rserver SRVR4
   inservice

Generate & Import Certificates

I covered how to do this on a previous post. You can find it here.

Create a VIP for SSL Traffic

What IP will you NAT on the firewall for SSL traffic? Pick one now.

class-map match-any CLASS-IP-SSL
  2 match virtual-address 10.100.1.100 tcp eq https

Create SSL Proxy

You created your key, imported your certs and configured your chaingroup already, right? If not, follow the steps in the certificate post referenced above.

ssl-proxy service SSL-PROXY
  key MYKEY
  cert My-CERT-2012
  chaingroup MYCHAIN
  ssl advanced-options CIPHER

Easy, right? I find this easier than Windows once you get the hang of it.

Create Policy to match Serverfarm

Now you want to create a policy that defines which serverfarm(s) are going to sit behind the SSL proxy. In our case we only want one. If you had several, you would simply add their class-maps under this policy.

policy-map type loadbalance first-match POLICY-SSL
  class class-default
    serverfarm FARM-SSL

Put it all together

Write the multi-match policy-map that ties everything together; this is the policy you assign to an interface.

policy-map multi-match VIP-SSL
  class CLASS-IP-SSL
    loadbalance vip inservice
    loadbalance policy POLICY-SSL
    loadbalance vip icmp-reply

Assign it to an Interface

In my case I have VLAN interfaces for bridged mode, so I assign the policy to both: one so the firewall can NAT to it and one so the clients can reach the VIP.

interface vlan 100
  description Server Side VLAN
  bridge-group 1
  access-group input PERMIT-ALL
  service-policy input VIP-SSL
  no shut 
interface vlan 200
  description FW Side VLAN
  bridge-group 1
  access-group input PERMIT-ALL
  service-policy input VIP-SSL
  no shut 

interface bvi 1
 ip address 10.100.1.253 255.255.255.0
 description ACE IP Address
 no shutdown

That's it! Now you should be able to hit your VIP IP from your server subnet and it should load the site over SSL. If it doesn't, check your serverfarms, gateways, listening ports on the hosts, etc.

Easiest way to request an ACE Certificate

There are a variety of ways to generate a CSR, request a certificate and import that cert into the ACE. I've found the easiest is through the console: no need to set up an FTP/TFTP server, just copy and paste. This is a prerequisite to SSL proxying on the ACE.

1. Define your CSR parameters.

CSR parameters are what will be pre-populated in your certificate request. The most important of these is the “common-name”, which is the domain name your certificate is issued for.

crypto csr-params MY-PARAM
  country US
  state NY
  locality City
  organization-name Acme
  common-name example.domain.com
  serial-number 1000

There are other csr-parameters you can define if needed:

switch/Context1(config-csr-params)# ?
Configure CSR parameters:
  common-name        Configure organization's common name (required parameter)
  country            Configure country code (required parameter)
  email              Configure email address
  locality           Configure locality name
  organization-name  Configure organization name
  organization-unit  Configure organization unit's name
  serial-number      Configure serial number
  state              Configure state name (required parameter)

2. Define your cipher set.

Your cipher set defines the level of encryption offered by your site. Some clients require a specific level of encryption, while others do not. Perhaps you need to comply with a business certification (SAS70, SOX, etc.) that dictates the overall strength of your ciphers. Check with your business or clients for what to define here.

The session-cache timeout is pretty self-explanatory. Some users want it longer than the default. It's good to define it explicitly so that when users ask, you can always check the config.

parameter-map type ssl CIPHER
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
  session-cache timeout 600

3. Generate your RSA key pair.

switch/Context1# crypto generate key 2048 MYKEY

I always choose a 2048-bit key because many certificate authorities require at least a 2048-bit key. For many CAs, 1024 used to be the minimum, but most have moved up to 2048.

4. Generate your CSR.

switch/Context1# crypto generate csr MY-PARAM MYKEY
-----BEGIN CERTIFICATE REQUEST-----
MIICeTCCAWECAQAwNDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk5ZMRgwFgYDVQQD
Ew90ZXN0LmRvbWFpbi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQC0ArGUgdcqwgCEZNREvPGOL+rEzZBmoQN/rE+Nawr0KpMIFzcPEV2Bli9hTUuk
j9L0Q/I2VyuFFHUvlIcf+ZO8gS764sPkodKAWjrWKgvK8zAwlJih02cl//mn8zWO
HRJ30LxAXRXsbbMH1sBLwZIusIJcBDqbmAyhbmvAxFco5TzQ3D+RbBXVNPw7u/cv
NM6DH2S60CgCorbU+5AxWY0vPAUOpBrae9nRPqnEe6w2/khzRW6w/HjEPciQrHbj
qV07e071UUsxh`XJegL92SaZV2J4Kl746CheA1rAchncx2NHS4bJUfgsnyztMLus
A6G2/kxK/R0EAUwUeBB6tzYBAgMBAAGcADANBgkqhkiG9w0BAQQFAAOCAQEAR12z
KBmONU/qujbhaz/2jWMDTAq2JXvX+WjgIxKNLAn45tkkOFnmnUVQLCegDfH5/roO
AIEX539TnpJfKaFQPmV7Xdq/GX/Xn/5OJkpXhQ7nQF0nhGSh8ZAazn2sCOpvQ9aQ
jsnBJVr9VrLEgGWuthIc+lUCHaXSLWj8QOSVxhcTNtlpFIfIShniy9AbFDDwRefU
J4hH9A+SGRBSF+JDzN25E+KGkEpBkPl+yot8xzWxQSO9ADN2ZBEauE7vrPy8KeJv
Rsm/3TjJQncFkgXS6NH5CL0S25dyrKSGhwG0GTVWORKiSZAyF/jxdoD+Q0C/AHvg
gsqLVoC8xg4OmM+AqA==
-----END CERTIFICATE REQUEST-----

You will be presented with the CSR. If you are using PuTTY this is easy: just select everything from BEGIN to END and paste it into a plain-text file. Name it MYCSR.csr, or whatever relates to what you are requesting.

5. Submit your CSR to a CA (GoDaddy, Comodo, etc.).

6. Once your certificate request has been approved you should get an email or ZIP file containing three things:

  • Root certificate
  • Intermediate certificate
  • Your certificate

7. Import the root, intermediate and your own certificate. Again, the easiest way to do this is in PuTTY.

  • Open your root certificate in Notepad. Copy it.
switch/Context1# crypto import terminal ROOT-CERT

Paste the cert.

  • Open your intermediate certificate in Notepad. Copy it.
switch/Context1# crypto import terminal INTERMEDIATE-CERT

Paste the cert.

  • Open your server certificate in Notepad. Copy it.
switch/Context1# crypto import terminal My-CERT-20xx

Paste the cert.

8. Now that all your certificates are imported, create a chaingroup containing the root and intermediate certs.

crypto chaingroup MYCHAIN
  cert INTERMEDIATE-CERT
  cert ROOT-CERT

9. Verify that your certificates are stored on the ACE correctly.

switch/Context1# sh crypto files
Filename              File File Expor Key/
                      Size Type table Cert
-----------------------------------------------------------------------
INTERMEDIATE-CERT     1509 PEM  Yes   CERT
MYKEY                 1679 PEM  Yes   KEY
ROOT-CA-CERT          1740 PEM  Yes   CERT
My-CERT-2012          2045 PEM  Yes   CERT
cisco-sample-cert     1082 PEM  Yes   CERT
cisco-sample-key      887  PEM  Yes   KEY

Now your certificates are on the ACE! All that is left is to set up a proxy service.

How to create an SSL Monitoring Server

If you have SSL certificates on many servers across the network, it can be difficult to keep track of the expiration dates of all the certs. There is a UNIX utility called “ssl-cert-check” that can scan servers on any port and notify you when certificates are near expiration.
This how-to is based on Cygwin rather than a *nix distro. The steps should be the same, but there may be some differences.
1. Install Cygwin (skip to step 3 if you are running a Linux host).
2. Download the installer from the Cygwin website and make sure the OpenSSL, mail, cygrunsrv, cron and vim packages are installed.
3. Once Cygwin is installed, download the ssl-cert-check script:
  $ wget http://prefetch.net/code/ssl-cert-check
  $ chmod 775 ssl-cert-check
  $ mv ssl-cert-check /bin
4. Test that the tool is working:
  $ cd /bin
  $ ssl-cert-check -s x.x.x.x -p 443
5. Once you know the tool is working you can start customizing it to fit your needs. I needed to scan a large group of servers on port 443 and email me if any of them were within 14 days of expiring.
6. I created a text file with the hosts that I needed to scan and the ports that certificates were bound to.
  $ vi ssl-servers

  www.server.com 443
  192.168.0.22 443
  example.com 443
8. Once you have the file, you can point ssl-cert-check at it to scan every host listed. Test to make sure the file works:
$ ssl-cert-check -i -f ssl-servers
Host                                Issuer            Status   Expires     Days Left
----------------------------------- ----------------- -------- ----------- ---------
www.server.com:443                  Comodo Limited    Valid    May 23 2012 218
192.168.0.22:443                    Equifax Secure In Valid    Jun 20 2012 246
example.com:443                     Thawte Consulting Valid    Jun 7 2012  233
9. Now that I know that I can scan against a list of servers, I want to be notified by email.
10. I want to test to make sure that email is installed and that my host can send out an email properly.
$ cd /usr/bin
$ mail -f MYSERVER@domain.com -s Test -r MAILSERVER user.name@domain.com
11. For Cygwin to send emails automatically you need to modify a few things. First create a symbolic link pointing to the proper mail binary:
$ ln -s /bin/mail /usr/lib/sendmail
12. Then modify the mail config file. Make sure the proper SMTP server and port are uncommented, then add a name and address to send FROM:
$ vi /etc/email/email.conf
############################################################
# SMTP Server and Port number you use
############################################################
 SMTP_SERVER = '192.168.0.50'
 SMTP_PORT = '25'

############################################################
# If you'd rather use sendmail binary, specify it and the
# command line switches to use, here.  If you have both
# this option and SMTP_SERVER set, SMTP_SERVER will be of
# higher priority than SENDMAIL.
############################################################
SENDMAIL_BIN = '/usr/lib/sendmail -t -i'

############################################################
# Your email address: If you'd like To have your name to
# show in the from field instead of just your email address,
# then keep the format below and edit it to your email
# and name.
############################################################
MY_NAME  = 'SSL Monitoring Tool'
MY_EMAIL = 'server@domain.com'
13. Once your email configuration is finished, test the following command. It checks the list of servers and emails the address you specify if any cert is due to expire within 60 days:
$ ssl-cert-check -a -f ssl-servers -q -x 60 -e user@domain.com
14. Install cron as a service. First right-click the Cygwin icon on the desktop and select “Run as Administrator”, then run:
$ cron-config
Answer the prompts in order: yes, ntsec smbntsec, no, then enter the password.
15. Once cron is installed you can modify the cron tasks by running crontab -e at the command prompt.
NOTE: If it's a Windows 2008 server, you may have trouble installing the cron service. If so, you can run any Cygwin task from the built-in Windows Task Scheduler. Just save your command as a batch file and schedule it, e.g.:
C:\Cygwin\bin\bash -c "./ssl-cert-check -a -q -f /bin/ssl-servers -x 14 -e userk@domain.com"
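The alerting decision in steps 8 and 13 (parse the scan table, compare each expiry date against a warning window, notify) is worth having in code you control, so it can be checked against a known table and so a host whose certificate could not be read is not silently dropped. The Python below is an editor-added example, not part of the original post and not part of ssl-cert-check. It parses the table printed in step 8 (reproduced as constructed sample input), recomputes days left from a reference date rather than trusting the printed column, returns the hosts inside the window, and builds the text a `-e` notification would carry; sending is left to `mail`. The `live_expiry` function is an independent second opinion that reads notAfter from a real TLS handshake; it is not run here.

```python
"""Certificate-expiry alert logic fed by ssl-cert-check output.

Editor-added example; not part of the original post or of ssl-cert-check.
"""
from __future__ import annotations

import socket
import ssl
from dataclasses import dataclass
from datetime import date, datetime, timezone

# Constructed sample input: the table printed by `ssl-cert-check -i -f ssl-servers` in step 8.
SAMPLE_OUTPUT = """\
Host                                Issuer            Status   Expires     Days Left
----------------------------------- ----------------- -------- ----------- ---------
www.server.com:443                  Comodo Limited    Valid    May 23 2012 218
192.168.0.22:443                    Equifax Secure In Valid    Jun 20 2012 246
example.com:443                     Thawte Consulting Valid    Jun 7 2012  233
"""
# Reference date on which that table was produced (218 days before May 23 2012).
SAMPLE_DATE = date(2011, 10, 18)


@dataclass
class CertRecord:
    host: str
    port: int
    issuer: str
    status: str
    expires: date | None      # None when the row carries no parsable date


def parse_ssl_cert_check(text: str) -> list[CertRecord]:
    """Parse the whitespace-separated table. The issuer column can contain
    spaces, so the fixed columns are taken from the right-hand end of the row.
    Rows without a date (connection failures) are kept, with expires=None."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Host" or parts[0].startswith("---"):
            continue
        host, _, port = parts[0].rpartition(":")
        expires = None
        if len(parts) >= 6:
            try:
                expires = datetime.strptime(" ".join(parts[-4:-1]), "%b %d %Y").date()
            except ValueError:
                pass
        if expires is not None:
            status, issuer = parts[-5], " ".join(parts[1:-5])
        else:
            status, issuer = " ".join(parts[1:]), ""   # keep the failure text as the status
        records.append(CertRecord(host or parts[0], int(port) if port.isdigit() else 0,
                                  issuer, status, expires))
    return records


def days_left(rec: CertRecord, today: date) -> int | None:
    """Days until expiry computed from `today`, not from the tool's own column."""
    return None if rec.expires is None else (rec.expires - today).days


def expiring_within(records, today: date, threshold_days: int):
    """(host:port, days_left) for every record that needs an alert: inside the
    window, already expired (negative), or unreadable (None). Unknowns first."""
    hits = [(f"{r.host}:{r.port}", days_left(r, today)) for r in records]
    hits = [h for h in hits if h[1] is None or h[1] <= threshold_days]
    return sorted(hits, key=lambda h: (h[1] is not None, h[1] or 0))


def alert_body(hits, threshold_days: int) -> str:
    """Plain-text mail body; hand it to `mail` as in step 10."""
    lines = [f"Certificates expiring within {threshold_days} days:"]
    for target, left in hits:
        note = "could not read certificate" if left is None else f"{left} days left"
        lines.append(f"  {target:<36} {note}")
    return "\n".join(lines)


def live_expiry(host: str, port: int = 443, timeout: float = 5.0) -> date:
    """Read notAfter from a live handshake as a second opinion on the scan.
    The verifying default context means an expired or untrusted certificate
    raises ssl.SSLCertVerificationError rather than returning a date; a
    monitor should treat that as 'unknown' and alert, not ignore it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            not_after = tls.getpeercert()["notAfter"]   # e.g. 'May 23 23:59:59 2012 GMT'
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc).date()


if __name__ == "__main__":
    recs = parse_ssl_cert_check(SAMPLE_OUTPUT)
    print(alert_body(expiring_within(recs, SAMPLE_DATE, 240), 240))
```

Recomputing days-left from a reference date is what lets the logic be tested against the captured table; in production `today` is simply `date.today()`, and a row with no date is the case that most often goes unnoticed when only the script's exit status is checked.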