Hardware Installation Guide
Page 18
... Locator Qualifier Lists (URQLs), Network Qualifier Lists (NQLs), and Domain Qualifier Lists (DQLs); HTTP header load balancing; Content caching. Cisco Content Services Switch Advanced Configuration Guide: Describes how to perform advanced CSS configuration tasks, including: Domain Name Service (DNS), DNS Sticky, Content Routing Agent, Client Side Accelerator, Network proximity, VIP and virtual IP interface redundancy, Box-to-box...
Configuration Guide
Page 16
... to make a load-balancing decision, then reencrypt the data and send it ... to perform Secure Sockets Layer (SSL) termination between the client and the Web servers. This guide is organized as follows: Chapter 1, Overview of CSS SSL: Overview of SSL cryptography and the CSS SSL features. Cisco Content Services Switch SSL Configuration Guide...
Configuration Guide
Page 18
...Title: Cisco Content Services Switch Getting Started Guide; Cisco Content Services Switch Administration Guide. Description: This guide describes how to perform initial administration and configuration tasks on the CSS, including: • Booting the CSS for the first time and on a routine basis, and logging in to the CSS ... hostname resolution • Configuring sticky cookies with a sticky overview and advanced load-balancing method using cookies • A task list to help you find information in the CSS documentation • Troubleshooting the boot process. This guide describes how to perform...
Configuration Guide
Page 19
... guide describes how to perform CSS content load-balancing configuration tasks, including: • Flow and port mapping • Services • Service, global, and script keepalives • Source groups • Loads for services • Dynamic Feedback Protocol (DFP) • Owners • Content rules • Sticky parameters • HTTP header load balancing • Content caching • Content replication OL-5655-01 Cisco Content Services Switch SSL Configuration Guide xix
Configuration Guide
Page 20
... and manage your CSS. Cisco Content Services Switch Device Management User's Guide: This guide describes how to use the Device Management user interface, an HTML-based Web-based application that you use to ... the CSS • Secure Shell Daemon protocol • Radius • TACACS+ • Firewall load balancing. Cisco Content Services Switch Command Reference: This...
Configuration Guide
Page 34
...a flow from an SSL module. All inbound SSL flows from a client to an SSL module. For more detailed information on load balancing. The SSL module provides the following major SSL features: • SSL Termination • Client Authentication... from a client terminate at an SSL module in the CSS, see Chapter 4, Configuring SSL Termination. To define how an SSL module processes SSL requests for content (which service) • Specify which load-balancing method to use An SSL proxy list determines the flow ...
Configuration Guide
Page 37
... verifying CA certificate authenticity, configuring a CRL record, and assigning it periodically. The CSS allows you to configure a CRL record that defines how and when to the client. A CA certificate contains the CA public key that verifies the...'s IP address, encrypts the clear text data used for load balancing the flow and initiates the SSL connection to the back-end SSL server. An X.509 certificate includes a signature that is generated by...
Configuration Guide
Page 83
... an SSL module, acting as a proxy server, terminates an SSL connection from a client, and then establishes a TCP connection to configure a CSS as a virtual SSL server for a decision on load balancing. When the module terminates the SSL connection, it decrypts the data and sends the data as clear...
Configuration Guide
Page 88
... for SSL Termination" section. See the "Configuring a Content Rule for the VIP address, the CSS uses its Domain Name Service (DNS) facility to translate host names such as myhost.mydomain.com to IP addresses such as the means to the Cisco Content Services Switch Global Server Load-Balancing Configuration Guide. For details on...
Configuration Guide
Page 120
... the default of an SSL session cache timeout value is important when using the advanced-balance ssl load-balancing method for an SSL Proxy List (config-ssl-proxy-list..., enter: (config-ssl-proxy-list[ssl_list1])# no ssl-server 20 session-cache By disabling this option (entering a value of time an...command. Specifying SSL Session Cache Timeout In SSL, a new session ID is reused to improve CSS performance. Enter an SSL session cache timeout value in seconds, from 0 (SSL session ID...
Configuration Guide
Page 121
...for the SSL proxy list after a data exchange of 125000 Kbytes is important when using the advanced-balance ssl load-balancing method for an SSL Proxy List Specifying SSL Session Handshake Renegotiation The SSL session handshake commands send the... after a session has lasted the defined number of data to be exchanged between the CSS and the client, after which the CSS transmits the SSL handshake message and reestablishes the SSL session. By setting the data value,...list[ssl_list1])# no ssl-server 20 handshake timeout
Configuration Guide
Page 122
... TCP connection comes in a high traffic environment, this situation, the CSS is aware of this may send the connection to an SSL service. In this SSL flow, the CSS considers it as a new SSL session and load balances the connections to a different SSL module. The connection will be ...that the CSS performs handshake renegotiation because the SSL session ID regenerates within an existing TCP flow. If you are operating in for a second time. If there is more than one service and multiple SSL modules, the CSS may impact overall SSL performance.
Configuration Guide
Page 131
... to 31 characters. Use the type command to the Cisco Content Services Switch Content Load-Balancing Configuration Guide. To create service ssl_serv1, enter: (config)# service ssl_serv1 Create service, [y/n]: y The CSS transitions into the newly created service mode. (config-service[ssl_serv1])# Specifying the SSL Acceleration Service Type After you create the SSL service and the CSS enters into service mode, you must identify it. For details on creating...
Configuration Guide
Page 133
... maximum number of the master key on specifying a keepalive type, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide. To disable sending keepalive messages for an SSL service, enter: (config-service[ssl_serv1])# keepalive type none Specifying the SSL Session ID Cache Size The cache size is...is 4096 entries and is an integrated device within the CSS chassis and, therefore, does not require the use of the SSL session ID cache for the service. For example, to identify an SSL ...
Configuration Guide
Page 134
...into the resource pool for load-balancing SSL content requests between the client and the server. Before activating an SSL service: • For a virtual SSL server, you must add an SSL proxy list to an ssl-accel type service before you configure an SSL proxy list service, use of SSL session...])# session-cache-size 20000 To reset the SSL session cache size to the service must add an SSL proxy list to disable SSL sticky. No ssl-lists on service, service not activated For example, to specify an SSL session cache size...
Configuration Guide
Page 135
...proxy list. To suspend service ssl_serv1, enter: (config-service[ssl_serv1])# suspend Configuring a Content Rule for SSL Termination For the CSS to direct SSL requests for content (which SSL service), and which load-balancing method to content rules. No network traffic...content. You must suspend a service prior to a specific SSL module and activates the service. Suspending an SSL service does not affect existing content flows, but it from accessing the service for the server entry in transfer, the CSS...
Configuration Guide
Page 141
To create a back-end server in the SSL proxy list that allows a CSS to: • Receive encrypted data from a client • Decrypt the data for example, VIP address, certificate name, and key pair). This command assigns it a number (... specific SSL parameters associated with the back-end SSL server (for load balancing • Re-encrypt the data and send it to an SSL server over an SSL connection If you can configure back-end SSL proxy-list parameters. For example, to reconfigure SSL initiation server...
Configuration Guide
Page 226
... In Figure 8-5, Client A's SSL connection has a destination address 192.168.5.5 that matches content rule ssl-rule-1. The CSS load balances the SSL connection to SSL module 2. The CSS directs the clear text data back to SSL module 1. The module terminates the connection, re... has a destination address 192.28.4.4 that matches content rule ssl-rule. The CSS load balances the SSL connection to SSL server ServerDEF. The CSS forwards the request to content rule http-rule. The module terminates the connection,...
Configuration Guide
Page 235
... office contains a CSS 11506 with two SSL modules. The CSS load balances (by the slot command. The SSL module encrypts the traffic and sends it to the configured destination. • To optimally load balance flows, you must contain the destination IP address (the ssl-init service IP address). This... a CSS VIP using clear text. The service of type ssl-init tells the CSS to send the connection to the SSL module defined by applying one of the advanced-balance sticky commands), NATs, and sends the connection to an SSL initiation service.
Configuration Guide
Page 239
...). Clients connect to One Data Center with Server Authentication In Figure 8-8, an office contains a CSS 11506 with two SSL modules. The SSL module encrypts the traffic and sends it , define the CA certificate as a cacert within the SSL proxy list. The CSS load balances (by the slot...