Migrating the SSL Offloading Configuration of the Alteon Application Switch 2424-SSL to AlteonOS version 27.0.0.0

Table of Contents
1 Introduction
2 Certificates Repository
3 Common SSL Offloading Settings
3.1 Basic SSL offloading service
3.2 SSL offloading service with Back-end encryption
3.3 Advanced
3.3.1 Add SSL based client authentication
3.3.2 Add Intermediate CA certificate
Appendix A – List of 2424-SSL Processor SSL Offloading Commands and their Analogous Commands in Alteon version 27.0.0.0
1 Introduction
The target readers of this document are technical staff and customers planning or executing a migration of the SSL Offloading configuration of the Alteon Application Switch 2424-SSL to Alteon version 27.0.0.0.
The document provides step-by-step instructions for this migration. As part of the migration, an automatic tool is provided to convert the 2424-SSL certificate repository. See Certificates Repository for more information. The following common configurations are covered in this document:
- Migrating a simple virtual service with SSL offloading
- Migrating a virtual service with SSL offloading and with back-end encryption between Alteon and the real servers
In addition, the following may be part of one or both of the above configurations:
- Using Alteon to perform client authentication
- Setting intermediate CA certificates to be sent with the server certificate so that clients can complete the trust chain to the root Certificate Authority (CA)
Throughout this document, the Alteon version 27.0.0.0 commands are shown next to the analogous Alteon commands running on the Alteon 2424-SSL platform (Alteon version 25.x or earlier).
2 Certificates Repository
Alteon version 27.0.0.0 includes a Certificates Repository that holds all PKI-related components. For a comprehensive explanation of the Certificates Repository, see the chapter that discusses SSL Offloading in version 27.0.0.0 of the Alteon Application Switch Operating System Application Guide.
In Alteon version 27.0.0.0, you can use the import command in the certificate repository (/cfg/slb/ssl/certs/) to import the relevant certificate components from the Alteon 2424-SSL platform, as follows:
1. One-by-one – Manually import each component by its type, using copy/paste or import from a file.
2. Bulk – Automatically parse the 2424-SSL processor configuration file and import the certificates and keys linked to SSL servers, including:
   - Cert – Server Certificates
   - Cachain – Intermediate CA cert/group
   - Cacerts – Trusted CA cert/group
For more information regarding import options, see the section that discusses the /cfg/slb/ssl/certs command in the Alteon Application Switch Operating System Application Guide.
3 Common SSL Offloading Settings
3.1 Basic SSL offloading service
To configure the basic SSL offloading service for a virtual service in Alteon version 27.0.0.0, do the following:
1. Import the Alteon 2424 device configuration to Alteon version 27.0.0.0.
2. Import the relevant server certificates from the 2424-SSL Processor config file to the certificate repository (see Certificates Repository for the available import options).
3. Configure the virtual HTTPS service (default vport = 443).
   a. Attach the real server group.
   b. Update the real servers' listening port if needed (rport).
   Note: You can offload the SSL of any service (Generic SSL). For the Generic SSL offloading service, define the virtual service with application type set to SSL.
4. Set SSL globally on. Example:
   2424-SSL Processor SSL Server dump:
   /cfg/ssl/server 1/.
       name https-2-http
       vips 192.168.10.100
       standalone off
       port "443 (https)"
       rip 0.0.0.0
       rport "80 (http)"
       type http
       proxy on
       loopback on
       ena enabled
   Alteon version 27.0.0.0:
   /c/slb/virt 1 ena
       vip 192.168.10.100
   /c/slb/virt 1/service 443 https
       group 1
       rport 80
5. Configure the SSL policy, which defines the SSL offloading behavior. Set the front-end cipher (back-end encryption is disabled by default).
6. Associate that SSL policy and the server certificate to the virtual HTTPS service you created above. Example:
   2424-SSL Processor SSL Server dump:
   /cfg/ssl/server 1/ssl/.
       cert 1
       protocol ssl3
       verify none
       ciphers ALL
       ena enabled
   Alteon version 27.0.0.0:
   /c/slb/ssl/sslpol SSLp2
       name https-2-http
       cipher all
       ena
   /c/slb/virt 1/service 443 https/ssl
       srvrcert <cert ID>
       sslpol SSLp2
       ena
7. Enable DAM on the switch, or configure proxy IP addresses and enable proxy on the client port.
3.2 SSL offloading service with Back-end encryption
When encryption between Alteon and the real servers is needed for enhanced security, you can configure Alteon to re-encrypt data for this transport, as follows:
1. Import the Alteon 2424 device configuration to Alteon version 27.0.0.0.
2. Import the relevant server certificates from the 2424-SSL Processor config file to the certificate repository (see Certificates Repository for the available import options).
3. Configure the virtual HTTPS service (default vport = 443).
   a. Attach the real server group.
   b. Update the real servers' listening port if needed (rport).
   Note: You can offload the SSL of any service (Generic SSL). For the generic SSL offloading service, define the virtual service with application type set to SSL.
4. Set SSL globally on. Example:
   2424-SSL Processor SSL Server dump:
   /cfg/ssl/server 1/.
       name https-end-2-end
       vips 192.168.10.100
       standalone off
       port "443 (https)"
       rport "443 (https)"
       type http
       proxy off
       ena enabled
   Alteon version 27.0.0.0:
   /c/slb/virt 1 ena
       vip 192.168.10.100
   /c/slb/virt 1/service 443 https
       group 1
       rport 443
5. Configure the SSL policy, which defines the SSL offloading behavior. Set the front-end cipher, enable back-end encryption, and set the back-end cipher as required.
6. Associate the SSL policy and the server certificate to the virtual HTTPS service configured above.
   Note: When end-to-end encryption is used, the connection pooling setting is usually used to alleviate possible performance degradation. In version 27.0.0.0, this is achieved by enabling HTTP connection management.
   Example:
   2424-SSL Processor SSL Server dump:
   /cfg/ssl/server 1/ssl/.
       cert 1
       protocol ssl3
       verify none
       ciphers RSA
       ena enabled
   /cfg/ssl/server 5/adv/sslconnect/.
       protocol ssl3
       ciphers LOW
       ena enabled
   Alteon version 27.0.0.0:
   /c/slb/ssl/sslpol SSLp2
       name https-end-2-end
       cipher rsa
       becipher low
       bessl enabled
       ena
   /c/slb/virt 1/service 443 https/ssl
       srvrcert 1
       sslpol SSLp2
7. Load balancing of the back-end servers is done by Alteon. Set the back-end servers in the group associated to the virtual service. Example:
   2424-SSL Processor SSL Server dump:
   /cfg/ssl/server 5/adv/loadbalancing/.
       type all
       persistence none
       metric leastconn
       health tcp
       interval 10s
       ena enabled
   /cfg/ssl/server 5/adv/loadbalancing/backend 1/.
       ip 10.20.10.2
       port 443
       sslconnect on
       remote false
       remotessl true
       lbop any
       ena enabled
   /cfg/ssl/server 5/adv/loadbalancing/backend 2/.
       ip 10.20.10.3
       port 443
       sslconnect on
       remote false
       remotessl true
       lbop any
       ena enabled
   Alteon version 27.0.0.0:
   /c/slb/real 1 ena
       ipver v4
       rip 10.20.10.2
       inter 10
   /c/slb/real 2 ena
       ipver v4
       rip 10.20.10.3
       inter 10
   /c/slb/group 1
       ipver v4
       health tcp
       metric leastconns
       add 1
       add 2
8. Enable connection management at the HTTPS service and set the required idle timeout. Example:
   2424-SSL Processor SSL Server dump:
   /cfg/ssl/server 5/adv/pool/.
       timeout 300s
       ena enabled
   Alteon version 27.0.0.0:
   /c/slb/virt 1/service 443 https/http
       connmgt ena 300
9. Configure the proxy IP to be used for back-end connections by connection management (see the chapter that discusses SSL Offloading in the Alteon Application Switch Operating System Application Guide).
   a. Radware recommends configuring an egress PIP.
   b. Set the PIP addresses on the server-side ports/VLANs.
   c. Enable the proxy flag on the server-side ports.
3.3 Advanced
This section discusses the migration of advanced configurations for either the Basic SSL offloading service or the SSL offloading service with Back-end encryption scenario.
3.3.1 Add SSL based client authentication
Alteon version 27.0.0.0 can perform client authentication as part of the SSL handshake process. To add SSL-based client authentication to any SSL offloading service, do the following:
1. Import the relevant CA certificate to the certificate repository as a trusted CA certificate and create a trusted CA group if needed (see Certificates Repository for the available import options).
2. Create a client authentication policy with the trusted CA certificate/group and the required client certificate's CA validation level.
3. Associate that client authentication policy to the SSL policy used in the SSL offloading service. Example:
   2424-SSL Processor SSL Server dump:
   /cfg/ssl/server 1/ssl/
       cacerts 5
       verify require
   Alteon version 27.0.0.0:
   /c/slb/ssl/authpol myauth
       name auth-pol-for-ssl
       clientca cert 5
       caverify require
       ena
   /c/slb/ssl/sslpol SSLp2
       authpol myauth
3.3.2 Add Intermediate CA certificate
When the virtual service's server certificate is not generated by a 3rd-party root CA service, you need to supply clients with the chain of CA certificates in order to complete the SSL trust chain between them and Alteon. To allow this, Alteon version 27.0.0.0 lets you associate an intermediate CA certificate or certificate group to the virtual service's SSL policy, as follows:
1. Import the relevant CA chain certificate to the certificate repository as an intermediate CA certificate and create an intermediate CA group if needed (see Certificates Repository).
2. Associate the intermediate CA certificate/group to the SSL policy used in this service. Example:
   2424-SSL Processor SSL Server dump:
   /cfg/ssl/server 1/ssl/cachain 7
   Alteon version 27.0.0.0:
   /c/slb/ssl/sslpol SSLp2
       intermca 7
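The conversion that sections 3.1, 3.2, 3.3.1 and 3.3.2 walk through by hand, carried end to end in code as an added example written for this page (it is not Radware's bulk import tool and not Alteon code): the script parses a 2424-SSL Processor SSL Server dump in the layout the examples above use and emits the Alteon 27.0.0.0 commands those sections map each setting to. The dump conventions (a menu opens with a path ending in "/." and is followed by one key/value pair per indented line; a path with a trailing value, such as cachain 7, is an assignment), the policy names SSLp<id> and auth<id>, the use of real server group 1 and the sample dump itself are assumptions, not values from the document.

```python
"""Convert a 2424-SSL Processor 'SSL Server dump' into the analogous Alteon 27.0.0.0 commands,
following sections 3.1-3.3 and Appendix A of this document. Example code written for this page, not
Radware's tool. Assumed, not on the page: menus end in '/.', one 'key value' pair per indented line,
SSL policy named SSLp<id>, client authentication policy auth<id>, back-end servers in group 1."""
import re

# Constructed sample dump modelled on sections 3.2 and 3.3 of the document (not from a real device).
SAMPLE_DUMP = """\
/cfg/ssl/server 5/.
    name https-end-2-end
    vips 192.168.10.100
    port "443 (https)"
    rport "443 (https)"
    type http
/cfg/ssl/server 5/ssl/.
    cert 1
    verify require
    cacerts 5
    ciphers RSA
/cfg/ssl/server 5/ssl/cachain 7
/cfg/ssl/server 5/adv/sslconnect/.
    ciphers LOW
    ena enabled
/cfg/ssl/server 5/adv/loadbalancing/.
    metric leastconn
/cfg/ssl/server 5/adv/loadbalancing/backend 1/.
    ip 10.20.10.2
/cfg/ssl/server 5/adv/loadbalancing/backend 2/.
    ip 10.20.10.3
/cfg/ssl/server 5/adv/pool/.
    timeout 300s
    ena enabled
"""
MENU_RE = re.compile(r"^/cfg/ssl/server (\d+)/(.*)$")
METRICS = {"leastconn": "leastconns"}  # page: loadbalancing 'leastconn' -> group 'leastconns'

def leading_int(value):
    """'443 (https)' -> '443', '300s' -> '300'; anything else passes through unchanged."""
    m = re.match(r"\d+", value.strip())
    return m.group(0) if m else value

def parse_dump(text):
    """Return {server_id: {menu_path: {key: value}}}; menu_path is '' for the server root."""
    servers, current = {}, None  # current = (server_id, menu_path) receiving the indented lines
    for raw in text.splitlines():
        line = raw.strip()
        m = MENU_RE.match(line)
        if m:
            sid, segs = m.group(1), [s for s in m.group(2).split("/") if s]
            menus = servers.setdefault(sid, {})
            if not segs or segs[-1] == ".":  # '.../adv/pool/.' opens a menu
                current = (sid, "/".join(segs[:-1]))
                menus.setdefault(current[1], {})
            else:  # '.../ssl/cachain 7' is an assignment inside the parent menu
                key, _, value = segs[-1].partition(" ")
                menus.setdefault("/".join(segs[:-1]), {})[key] = value.strip('"')
        elif line and current is not None:
            key, _, value = line.partition(" ")
            servers[current[0]][current[1]][key] = value.strip('"')
    return servers

def convert(servers):
    """Emit Alteon 27.0.0.0 commands following the worked steps of sections 3.1-3.3."""
    out = []
    for sid in sorted(servers, key=int):
        menus = servers[sid]
        root, ssl, lb = menus.get("", {}), menus.get("ssl", {}), menus.get("adv/loadbalancing", {})
        vport = leading_int(root.get("port", "443"))
        app = "https" if root.get("type", "http") == "http" else "ssl"  # generic SSL service -> 'ssl'
        svc, pol, auth = f"/c/slb/virt {sid}/service {vport} {app}", f"SSLp{sid}", f"auth{sid}"
        # Step 3: virtual service on group 1 (assumed); the back-end port comes from rport
        out += [f"/c/slb/virt {sid} ena", f"\tvip {root.get('vips', '')}", svc, "\tgroup 1",
                f"\trport {leading_int(root.get('rport', vport))}"]
        # 3.2 step 7: every loadbalancing backend becomes a real server in group 1
        backends = sorted(k for k in menus if k.startswith("adv/loadbalancing/backend "))
        for n, key in enumerate(backends, 1):
            out += [f"/c/slb/real {n} ena", "\tipver v4", f"\trip {menus[key]['ip']}"]
        if backends:
            metric = lb.get("metric", "leastconns")
            out += ["/c/slb/group 1", "\tipver v4", f"\thealth {lb.get('health', 'tcp')}",
                    f"\tmetric {METRICS.get(metric, metric)}"] + [f"\tadd {n}" for n in range(1, len(backends) + 1)]
        # 3.3.1: cacerts plus a verify level other than 'none' become a client authentication policy
        client_auth = "cacerts" in ssl and ssl.get("verify", "none") != "none"
        if client_auth:
            out += [f"/c/slb/ssl/authpol {auth}", f"\tclientca cert {ssl['cacerts']}",
                    f"\tcaverify {ssl['verify']}", "\tena"]
        # Step 5: SSL policy. The 2424 'protocol' has no command of its own: it is part of the cipher set
        out += [f"/c/slb/ssl/sslpol {pol}", f"\tname {root.get('name', pol)}",
                f"\tcipher {ssl.get('ciphers', 'ALL').lower()}"]
        be = menus.get("adv/sslconnect", {})
        if be.get("ena") == "enabled":  # 3.2: back-end encryption with its own cipher list
            out += [f"\tbecipher {be.get('ciphers', 'ALL').lower()}", "\tbessl enabled"]
        if "cachain" in ssl:  # 3.3.2: intermediate CA certificate/group
            out.append(f"\tintermca {ssl['cachain']}")
        out += ([f"\tauthpol {auth}"] if client_auth else []) + ["\tena"]
        # Step 6: bind the server certificate and the SSL policy to the service
        out += [f"{svc}/ssl", f"\tsrvrcert {ssl.get('cert', '<cert ID>')}", f"\tsslpol {pol}", "\tena"]
        pool = menus.get("adv/pool", {})  # 3.2 step 8: connection pooling -> HTTP connection management
        if pool.get("ena") == "enabled" and app == "https":
            out += [f"{svc}/http", f"\tconnmgt ena {leading_int(pool.get('timeout', '0'))}"]
    return out
```

Running convert(parse_dump(text)) on a saved dump prints one Alteon command per line; the certificate IDs it emits (srvrcert, clientca cert, intermca) are the components that must already have been imported into /cfg/slb/ssl/certs as described in Certificates Repository. Cipher names are carried over verbatim (ALL, RSA and LOW become all, rsa and low, exactly as the document's own examples do), so the cipher and becipher lines of the generated policy are the place to compare the migrated service against the cipher sets it is actually meant to accept before the policy is enabled; the 2424 protocol setting produces no command because, per Appendix A, the accepted protocol is part of the cipher set in the SSL policy.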
Appendix A – List of 2424-SSL Processor SSL Offloading Commands and their Analogous Commands in Alteon version 27.0.0.0

2424-SSL Processor command | Description | Alteon version 27.0.0.0 command | Description

/cfg/ssl/server 1/.
name | Set server name | /c/slb/ssl/sslpol <ID>/name | SSL policy name
vips | Set IP addresses of server | /c/slb/virt <ID>/vip | Virtual server IP
standalone | Set NVG standalone mode | N/R | N/R
port | Set listening port of server | /c/slb/virt <ID>/vip <ip>/service <vport> | Virtual service listening port
rip | Set real server IP address | N/R | N/R
rport | Set real server port | /c/slb/virt <ID>/vip <ip>/service <vport>/rport | Back-end server listening port set in the virtual service
type | Set type (generic/http/socks) | /c/slb/virt <ID>/vip <ip>/service <vport> <app> | Application: set the "ssl" application for a generic SSL service or the "https" application for an HTTP service. Socks and portal are not supported.
dnsname | Set DNS name of server | N/R | N/R
proxy | Transparent/non-transparent | <regular pip setting> | Default mode is transparent unless a PIP is defined
trace | Traffic trace menu | /maint/pktcap | Use Alteon packet capturing
ssl | SSL settings menu | See details below
tcp | TCP endpoint settings menu | General Alteon setting
http | HTTP settings menu | See details below
dns | DNS settings menu |
adv | Advanced settings menu | See details below

/cfg/ssl/server 1/ssl/.
cert | Set server certificate | /c/slb/virt 1/service <vport> <appl>/ssl/srvrcert <id> | The server certificate is associated to the virtual service
cachesize | Number of SSL cached sessions | N/R | Alteon general session table mechanism
cacerts | Set list of accepted signers of client certificates | /c/slb/ssl/authpol <id>/trustca | Trusted CA certificate/group set in the client authentication policy. That authentication policy must be associated to the SSL policy used in the virtual service.
cachain | Set list of CA chain certificates | /c/slb/ssl/sslpol <ID>/intermca | Intermediate CA certificate/group set in the SSL policy used in the virtual service.
protocol | Set protocol version | /c/slb/ssl/sslpol <ID>/cipher | The accepted protocol is part of the cipher set in the SSL policy
verify | Set certificate verification level | /c/slb/ssl/authpol <ID>/caverify | Set in the client authentication policy. Required certificate CA verification (none, optional, require). Associate the client authentication policy to the SSL policy.
ciphers | Set cipher list | /c/slb/ssl/sslpol <ID>/cipher | Accepted ciphers in the SSL policy associated to the virtual service (predefined or in openssl format)

/cfg/ssl/server 1/http/.
httpsredir | Set Perform HTTP to HTTPS redirect for all traffic | /cfg/slb/filt | Can be done using filtering
redirmap | Redirect mapping | /cfg/slb/filt | Can be done using filtering
dynheader | Dynamically generated headers | /cfg/slb/layer7/httpmod | HTTP modifications can be used to add any host header required
redirect | Perform HTTPS to HTTP redirect for all traffic | /c/slb/ssl/sslpol <ID>/convert, /c/slb/ssl/sslpol <ID>/convuri | SSL policy: set protocol redirection conversion and additional URIs to match for conversion
downstatus | Set server down reply status | /cfg/slb/virt 1/service <vport>/http/errcode | Define the matching response error code, set the URI to redirect to or the reason text message
downurl | Server down redirect URL | /cfg/slb/virt 1/service <vport>/http/errcode | Define the matching response error code, set the URI to redirect to or the reason text message
rewrite | Rewrite cipher strength or customize error message | Not supported
securecook | Set add secure option to session cookie | /cfg/slb/virt 1/service <vport>/pbind | Supported in the Alteon pbind legacy command
certcard | Set enable extra secure smart card setting | Not supported
sslheader | Add SSL header | /cfg/slb/ssl/sslpol <id>/passinfo, /cfg/slb/ssl/authpol <id>/passinfo | Pass information to the back-end server in an HTTP header. SSL policy: set the SSL information to pass. Client authentication policy: set the certificate information to pass.
sslxheader | Add SSL header with serial in hex | Not supported
sslsidhead | Add SSL SID header | N/R | N/R
addxfor | Add X-Forwarded-For header | /cfg/slb/virt 1/service <vport>/http/xforward | Supported in the Alteon virtual HTTP service
addvia | Add Via header | /cfg/slb/layer7/httpmod | Set an HTTP modification rule to remove the Via header or add it with the virtual IP
addxisd | Add HTTP-X | /maint/applog | Use the application services log for debugging
addfront | Add Front-End-Https header | /cfg/slb/ssl/sslpol <id>/passinfo | SSL policy: pass SSL information to the back-end server in an HTTPS header. To remove it, set an HTTP modification rule
addbeassl | Add WL-Proxy-SSL header | Not supported
addbeacli | Add WL-Proxy-Client-Cert header | /cfg/slb/ssl/authpol <id>/passinfo | Client authentication policy: pass certificate information to the back-end server in an HTTP header
addclicert | Add Client-Cert as an HTTP header | /cfg/slb/ssl/authpol <id>/passinfo | Client authentication policy: pass certificate information to the back-end server in an HTTP header
addnostore | Add no-cache/no-store HTTP header | /cfg/slb/layer7/httpmod, /cfg/slb/accel/comp/cachpol | Use HTTP modification to add Cache-Control or Pragma headers. Use the cache policy to control Alteon caching behavior
compress | Set compress HTTP data to the client | /cfg/slb/accel/comp/comppol | Set in the compression policy
cmsie | Set MSIE session termination bug workaround | N/R | N/R
rhost | Set Rewrite host header to default value | /cfg/slb/layer7/httpmod | HTTP modifications can be used to add any host header
defaulthos | Set Default host header value | /cfg/slb/layer7/httpmod | HTTP modifications can be used to add any host header required
auth | User authentication menu | Not supported
maxrcount | Set max number of persistent client requests | Parameter not configurable
maxline | Set max line length | /cfg/slb/virt 1/service 80/http/parselen and parselmt | Set the length of HTTP parsing

/cfg/ssl/server 1/adv
string | String menu | /cfg/slb/layer7/slb | Strings for Layer 7 Load Balancing
blockstrin | Set strings to block | /cfg/slb/filt, /cfg/slb/layer7/slb | Can be done using filtering and Layer 7 strings
pool | Connection pooling menu | /c/slb/virt 1/service 80 http/http/connmgt | Set connection management. For back-end encryption, multiplexing should be used instead of pooling
traflog | UDP syslog Traffic Log menu | /cfg/sys/syslog | Use the Alteon general syslog setting
loadbalanc | Load balancing menu | /cfg/slb/group, /c/slb/virt 1/service 80 http/pbind | For load balancing and health checks see the slb group setting in Alteon. For persistency use the Alteon pbind command
sslconnect | SSL connect menu | /cfg/slb/ssl/sslpol | Back-end encryption and its allowed ciphers are set in the SSL policy