Cisco Content Services Switch SSL Software Version 8.20 November 2006 Text Part Number: OL J

Size: px

Start display at page:

Download "Cisco Content Services Switch SSL Software Version 8.20 November 2006 Text Part Number: OL J"

はすなにいだ
5 years ago
Views:

1 Cisco Content Services Switch SSL Software Version 8.20 November 2006 Text Part Number:

2 Information Packet TCP UNIX University of California, Berkeley UCB UCB All rights reserved.copyright 1981, Regents of the University of California. CCVP, the Cisco Logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iq Expertise, the iq logo, iq Net Readiness Scorecard, iquick Study, LightStream, Linksys, MeetingPlace, MGX, Networking Academy, Network Registrar, Packet, PIX, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0609R) Cisco Content Services Switch SSL Copyright 2006, Cisco Systems, Inc. All rights reserved.

3 CONTENTS xv xvi xvii xviii xxii xxiii Web xxiii Product Documentation DVD xxiii xxiv xxiv xxiv xxv Japan TAC Web xxv xxvi CHAPTER 1 CSS SSL 1-1 SSL 1-2 SSL SSL 1-6 Cisco Content Services Switch SSL iii

4 Contents CSS SSL 1-8 SSL SSL 1-12 SSL 1-13 CHAPTER 2 SSL 2-1 RSA 2-2 RSA 2-5 SSL 2-6 SSL 2-6 SSL 2-8 SSL 2-10 SSL 2-13 SSL 2-13 SSL 2-16 SSL 2-20 SSL 2-22 CHAPTER 3 SSL 3-1 SSL 3-2 CSS 3-5 RSA 3-6 iv Cisco Content Services Switch SSL

5 Contents DSA 3-7 Diffie-Hellman 3-8 RSA SFTP FTP 3-15 CSS RSA 3-20 DSA 3-21 Diffie-Hellman CSS 3-25 CHAPTER 4 SSL 4-1 SSL 4-2 SSL 4-3 SSL 4-4 SSL SSL 4-5 SSL 4-7 IP Cisco Content Services Switch SSL v

6 Contents 4-9 RSA 4-9 RSA 4-10 DSA 4-10 DSA 4-11 Diffie-Hellman CA 4-18 CRL 4-19 CRL SSL 4-21 CSS CRL 4-22 CSS SSL CRL HTTP HTTP HTTP 4-40 HTTP HTTP 4-43 SSL TLS 4-43 vi Cisco Content Services Switch SSL

7 Contents TCP FIN 4-44 URL 4-44 SSL 4-48 SSL 4-49 SSL 4-51 SSL TCP 4-52 TCP SYN 4-52 TCP 4-53 SSL TCP 4-54 TCP SYN 4-54 TCP 4-55 SSL TCP 4-55 SSL TCP Nagle 4-56 SSL TCP 4-58 SSL TCP TCP 4-59 SSL 4-60 SSL 4-61 SSL 4-62 SSL 4-62 SSL 4-63 SSL SSL 4-63 SSL 4-64 Cisco Content Services Switch SSL vii

8 Contents SSL 4-65 SSL ID 4-65 SSL 4-66 SSL 4-67 SSL 4-68 CHAPTER 5 SSL 5-1 SSL 5-2 SSL 5-3 SSL 5-4 SSL SSL 5-5 SSL SSL 5-6 SSL 5-7 SSL VIP IP SSL SSL 5-12 SSL 5-12 TCP 5-14 TCP SYN 5-14 viii Cisco Content Services Switch SSL

9 Contents TCP 5-15 SSL TCP 5-16 TCP SYN 5-16 TCP 5-17 SSL TCP 5-18 SSL TCP 5-18 SSL TCP Nagle 5-19 SSL TCP 5-20 SSL TCP TCP 5-21 SSL 5-23 SSL 5-24 SSL 5-25 SSL 5-26 SSL 5-26 SSL SSL HTTP SSL IP 5-32 SSL 5-32 SSL 5-33 SSL 5-34 SSL 5-34 Cisco Content Services Switch SSL ix

10 Contents CHAPTER 6 SSL 6-1 SSL 6-2 SSL 6-4 SSL 6-5 SSL SSL 6-6 SSL 6-7 SSL 6-8 SSL IP 6-8 SSL 6-9 SSL IP 6-10 SSL 6-10 SSL SSL 6-13 SSL 6-14 TCP 6-15 TCP SYN 6-16 TCP 6-16 Nagle 6-17 TCP 6-18 SSL TCP 6-19 TCP SYN 6-19 x Cisco Content Services Switch SSL

11 Contents TCP 6-20 Nagle 6-21 TCP 6-21 SSL TCP TCP 6-22 SSL TCP 6-23 SSL TCP RSA 6-25 RSA 6-26 Diffie Hellman 6-26 DSA 6-27 DSA 6-27 CA 6-28 SSL 6-30 SSL 6-31 SSL 6-32 SSL 6-33 SSL 6-33 SSL IP 6-34 SSL SSL 6-34 SSL 6-35 SSL 6-36 HTTP SSL ID 6-41 SSL 6-41 Cisco Content Services Switch SSL xi

12 Contents SSL 6-42 SSL 6-43 SSL 6-44 CHAPTER 7 SSL SSL 7-2 SSL RSA 7-5 SSL DSA 7-6 SSL Diffie-Hellman 7-7 SSL 7-8 SSL Diffie-Hellman 7-8 SSL CRL 7-9 SSL 7-10 CRL 7-15 SSL URL 7-18 SSL 7-20 SSL 7-27 SSL 7-28 CHAPTER 8 CSS SSL 8-1 SSL SSL 8-2 SSL 1 SSL 8-6 SSL 2 SSL 8-9 SSL HTTP SSL 8-13 SSL 1 SSL 8-18 xii Cisco Content Services Switch SSL

13 Contents SSL SSL SSL 8-26 CHAPTER 9 HTTP 9-1 CSS 9-2 SSL 9-4 CSS 9-5 HTTP 9-6 SSL HTTP 9-6 SSL HTTP 9-7 SSL SSL HTTP CSS SSL Accept-Encode TCP 9-19 TCP 9-19 TCP SYN 9-20 TCP 9-21 TCP 9-21 Cisco Content Services Switch SSL xiii

14 Contents TCP SYN 9-22 TCP 9-23 TCP 9-23 TCP Nagle 9-24 TCP TCP 9-26 TCP 9-27 SSL INDEX xiv Cisco Content Services Switch SSL

15 Cisco Content Services Switch CSS; SSL SSL HTTP CSS CSS Secure Shell Host SSH Secure Socket Layer SSL Cisco Content Services Switch SSL xv

16 CSS Web xvi Cisco Content Services Switch SSL

17 1 CSS SSL SSL CSS SSL 2 SSL CSS SSL 3 SSL 4 SSL CSS SSL Web Secure Socket Layer SSL 5 SSL CSS SSL SSL SSL 6 SSL CSS SSL CSS Web SSL 7 SSL CSS SSL 8 CSS SSL CSS SSL CSS SSL 9 HTTP HTTP CSS SSL Cisco Content Services Switch SSL xvii

18 Content Services Switch Release Note for the Cisco Cisco CSS Series Content Command Line Interface CLI; Services Switch Cisco Series Content Services Switch Hardware Installation Guide Cisco Content Services Switch Getting Started Guide CSS CSS CSS CSS CSS IP DNS CSS CSS Cisco View Device Manager CVDM CSS xviii Cisco Content Services Switch SSL

19 Cisco Content Services Switch Administration Guide CSS CSS Cisco Content Services Switch Routing and Bridging Configuration Guide sys.log CSS SNMP RMON XML CSS CSS Offline Diagnostic Monitor Offline DM CSS Address Resolution Protocol ARP; Routing Information Protocol RIP; Internet Protocol IP; Open Shortest Path First (OSPF) Cisco Discovery Protocol CDP; Dynamic Host Configuration Protocol DHCP; Cisco Content Services Switch SSL xix

20 Cisco Content Services Switch Content Load-Balancing Configuration Guide Cisco Content Services Switch Global Server Load-Balancing Configuration Guide CSS Server/Application State Protocol SASP Dynamic Feedback Protocol DFP HTTP CSS Domain Name System DNS; DNS xx Cisco Content Services Switch SSL

21 Cisco Content Services Switch Redundancy Configuration Guide Cisco Content Services Switch Security Configuration Guide Cisco Content Services Switch Command Reference CSS VIP CSS CSS Secure Shell Daemon SSHD Radius TACACS+ CLI Cisco Content Services Switch SSL xxi

22 CLI courier courier 1. a. 2 xxii Cisco Content Services Switch SSL

23 Web Web URL Web URL Web URL Product Documentation DVD Product Documentation DVD DVD URL Web HTML PDF Product Documentation DVD DVD Cisco.com URL Cisco Marketplace Product Documentation Store Product Documentation DVD Part Number DOC-DOCDVD= DOC-DOCDVD=SUB Cisco Content Services Switch SSL xxiii

24 Cisco Marketplace Cisco.com URL Product Documentation Store ID URL Security Vulnerability Policy URL xxiv Cisco Content Services Switch SSL

25 Japan TAC Web Japan TAC Web TAC Web Japan TAC Web URL Japan TAC Web Japan TAC Web Cisco.com ID ID URL Cisco Content Services Switch SSL xxv

26 Cisco Online Subscription Center Web Cisco Online Subscription Center URL Cisco Product Quick Reference Guide 2 Cisco Product Quick Reference Guide URL Web Cisco Marketplace Cisco Marketplace URL Cisco Press Cisco Press URL Internet Protocol Journal Internet Protocol Journal URL URL xxvi Cisco Content Services Switch SSL

27 Networking Professionals Connection Web URL What's New in Cisco Documentation What's New in Cisco Documentation What's New in Cisco Documentation URL URL Cisco Content Services Switch SSL xxvii

28 xxviii Cisco Content Services Switch SSL

29 CHAPTER 1 CSS SSL Secure Sockets Layer SSL e Web SSL SSL / Diffie-Hellman SSL CSS SSL Cisco Content Services Switch SSL 1-1

30 SSL 1 CSS SSL SSL CSS SSL SSL SSL SSL SSL SSL 3.0 Transport Layer Security TLS 1.0 SSL SSL 2.0 ClientHello SSL 2.0 SSL 3.0 SSL CSS SSL 2.0 ClientHello SSL 3.0 SSL 3.0 SSL SSL SSL 3.0 ServerHello SSL SSL SSL SSL SSL Message Authentication Code MAC; 3 SSL CSS SSL SSL SSL SSL 1-2 Cisco Content Services Switch SSL

31 1 CSS SSL SSL SSL SSL Public Key Infrastructure PKI; PKI PKI 3 e e 3 PKI SSL Rivest Shamir Adelman RSA Cisco Content Services Switch SSL 1-3

32 SSL 1 CSS SSL SSL Web Web Diffie-Hellman Diffie-Hellman 1 e Web e Web SSL ID Certificate Authority CA; PKI PKI CA CSS CA CA A B B C A C CA 1-4 Cisco Content Services Switch SSL

33 1 CSS SSL SSL CA SSL MAC MAC SSL MAC 2 Message Digest 5 MD5 Secure Hash Algorithm SHA MAC RSA MAC SSL 1 Digital Signature Algorithm DSA; Cisco Content Services Switch SSL 1-5

34 SSL 1 CSS SSL DSA FIPS-186 Digital Signature Standard DSS; DSA DSS DSS Diffie-Hellman Diffie-Hellman DSS Secure Hash Algorithm 1 SHA-1 SSL 1-1 SSL SSL 1-1 SSL SSL SSL SSL SSL SSL 3.0 Transport Layer Security TLS 1.0 RSA DSA Diffie-Hellman Data Encryption Standard DES; Triple-Strength Data Encryption Standard 3DES; DES RC4 4 SSL 4-1 SSL MAC-MD5 SSL MAC-SHA1 4 SSL Cisco Content Services Switch SSL

35 1 CSS SSL SSL 1-1 SSL SSL SSL SSL SSL CA VeriSign Entrust Netscape iplanet Windows 2000 Certificate Server Thawte Equifax Genuity Cisco Content Services Switch SSL 1-7

36 CSS SSL 1 CSS SSL CSS SSL CSS CSS SSL CSS CSS CSS SSL 1 SSL SSL Switch Control Module SCM; CSS SCM CSS SSL MB CSS CSS SSL SSL SCM SSL SSL SSL SSL SSL SSL SSL SSL SSL SSL SSL 8 CSS SSL SSL SSL SSL SSL SSL 1-8 Cisco Content Services Switch SSL

37 1 CSS SSL CSS SSL SSL SSL SSL Web HTTP SSL SSL SSL CSS SSL SSL CSS CSS CSS HTTP CSS SSL 4 SSL Cisco Content Services Switch SSL 1-9

38 CSS SSL 1 CSS SSL CSS CA Certificate Revocation List CRL; CSS CA SSL SSL SSL SSL ClientHello ServerHello Certificate ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished ChangeCipherSpec Finished Cisco Content Services Switch SSL

39 1 CSS SSL CSS SSL 1-2 CertificateRequest 1-2 SSL SSL SSL ClientHello ServerHello Certificate CertificateRequest ServerHelloDone Certificate ClientKeyExchange CertificateVerify ChangeCipherSpec Finished ChangeCipherSpec Finished ServerHelloDone Certificate CertificateVerify Cisco Content Services Switch SSL 1-11

40 CSS SSL 1 CSS SSL CertificateVerify CSS X.509 CA CA CA CA CA CA CSS SSL 4 CA CA Certificate Revocation List CRL; CA HTTP CSS CRL CSS CRL CSS CRL SSL CRL CSS SSL CA CRL SSL CRL 4 SSL SSL SSL SSL SSL SSL SSL IP SSL 1-12 Cisco Content Services Switch SSL

41 1 CSS SSL CSS SSL CSS SSL CSS SSL 5 SSL SSL SSL CSS SSL SSL SSL SSL CSS SSL SSL Web SSL CSS SSL CSS SSL 6 SSL SSL 8 CSS SSL SSL SSL Cisco Content Services Switch SSL 1-13

42 CSS SSL 1 CSS SSL 1-14 Cisco Content Services Switch SSL

43 SSL CHAPTER 2 CSS SSL SSL SSL SSL SSL SSL CLI RSA CSS SSL 1. RSA RSA SSL SSL 2-6 SSL 1. SSL SSL 2-7 SSL 1. SSL SSL SSL 2-9 Cisco Content Services Switch SSL 2-1

44 2 SSL RSA 2-1 CSS RSA CSS SSL RSA RSA 1. # config (config) # 2. RSA (config) # ssl genrsa CSSrsakey passwd123 Please be patient this could take a few minutes 3. RSA (config) # ssl associate rsakey myrsakey1 CSSrsakey1 2-2 Cisco Content Services Switch SSL

45 2 SSL 2-1 RSA 4. RSA RSA Certificate Signing Request CSR; (config) # ssl gencsr myrsakey1 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. For some fields there will be a default value, If you enter '.', the field will be left blank. Country Name (2 letter code) [US]US State or Province (full name) [SomeState]MA Locality Name (city) [SomeCity]Boxborough Organization Name (company name) [Acme Inc]Cisco Systems, Inc. Organizational Unit Name (section) [Web Administration]Web Admin Common Name (your domain name) [ address [webadmin@acme.com]webadmin@cisco.com -----BEGIN CERTIFICATE REQUEST----- MIIBWDCCAQICAQAwgZwxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNQTETMBEGA1UE BxMKQm94Ym9yb3VnaDEcMBoGA1UEChMTQ2lzY28gU3lzdGVtcywgSW5jLjESMBAG A1UECxMJV2ViIEFkbWluMRYwFAYDVQQDEw13d3cuY2lzY28uY29tMSEwHwYJKoZI hvcnaqkbfhjra3jvzwjlckbjaxnjby5jb20wxdanbgkqhkig9w0baqefaanladbi AkEAqHXjtQUVXvmo6tAWPiMpe6oYhZbJUDgTxbW4VMCygzGZn2wUJTgLrifDB6N3 v+1tkfnde686bhkqfyoidml3wqidaqaboaawdqyjkozihvcnaqeebqadqqa94yc3 4SUJJ4UQEnO2OqRGLOZpAElc4+IV9aTWK6NmiZsM9Gt0vPhIkLx5jjhVRLlb27Ak H6D5omXa0SPJan5x -----END CERTIFICATE REQUEST----- CSS11503(config)# ssl gencsr Privacy Enhanced Mail PEM; PKCS10 CSR CSR CSS 5. CA Web 128 CA SETUP/SGC 7 Cisco Content Services Switch SSL 2-3

46 2 SSL 2-1 RSA 6. CSR CSR CSR Web CA 7. 7 FTP FTP RSA CSS 2-4 Cisco Content Services Switch SSL

47 2 SSL RSA 2-2 RSA CSS 2-2 RSA 1. FTP SFTP CSS # ftp-record ssl_record johndoe abc123 /home/johndoe 2. FTP CSS # copy ssl sftp ssl_record import rsacert.pem PEM passwd123 Connecting Completed successfully # copy ssl sftp ssl_record import rsakey.pem PEM passwd123 Connecting Completed successfully 3. # config (config) # 4. RSA a. RSA (config) # ssl associate cert myrsacert1 rsacert.pem b. RSA (config) # ssl associate rsakey myrsakey1 rsakey.pem 5. (config) # ssl verify myrsacert1 myrsakey1 Certificate mycert1 matches key mykey1 Cisco Content Services Switch SSL 2-5

48 2 SSL 2-2!*************************** GLOBAL *************************** ftp-record ssl-record johndoe des-password 1frapbyg4fldce4d /home/johndoe ssl associate cert myrsacert1 rsacert.pem ssl associate rsakey myrsakey1 rsakey.pem SSL SSL SSL SSL SSL SSL SSL SSL SSL HTTP SSL SSL 2-3 SSL SSL RSA 4 SSL 2-6 Cisco Content Services Switch SSL

49 2 SSL 2-3 SSL 1. SSL (config)# ssl-proxy-list ssl_list1 Create ssl-list <ssl_list1>, [y/n]: y SSL CLI SSL ssl-proxy-list (config-ssl-proxy-list[ssl_list1])# 2. SSL SSL (config-ssl-proxy-list[ssl_list1])# ssl-server IP VIP SSL VIP (config-ssl-proxy-list[ssl_list1])# ssl-server 20 vip address TCP TCP 443 (config-ssl-proxy-list[ssl_list1])# ssl-server 20 port SSL SSL RSA RSA (config-ssl-proxy-list[ssl_list1])# ssl-server 20 rsacert myrsacert1 (config-ssl-proxy-list[ssl_list1])# ssl-server 20 rsakey myrsakey1 6. RSA IP TCP (config-ssl-proxy-list[ssl_list1])# ssl-server 20 cipher rsa-export-with-rc4-40-md weight 5 7. URL URL HTTP 300 (config-ssl-proxy-list[ssl_list1])# ssl-server 20 urlrewrite 22 Cisco Content Services Switch SSL 2-7

50 2 SSL 2-3 SSL 8. SSL SSL (config-ssl-proxy-list[ssl_list1])# active 2-3!*********************** SSL PROXY LIST *********************** ssl-proxy-list ssl_list1 ssl-server 20 ssl-server 20 vip address ssl-server 20 port 444 ssl-server 20 rsacert myrsacert1 ssl-server 20 rsakey myrsakey1 ssl-server 20 cipher rsa-export-with-rc4-40-md weight 5 ssl-server 20 urlrewrite 22 active SSL CCS SSL SSL SSL SSL SSL SSL SSL SSL 2-4 SSL 2-8 Cisco Content Services Switch SSL

51 2 SSL 2-4 SSL 1. SSL SSL (config-ssl-proxy-list[ssl_list1])# backend-server 1 2. IP SSL IP (config-ssl-proxy-list[ssl_list1])# backend-server 1 ip address TCP 80 TCP (config-ssl-proxy-list[ssl_list1])# backend-server 1 port IP IP (config-ssl-proxy-list[ssl_list1])# backend-server 1 server-ip (config-ssl-proxy-list[ssl_list1])# backend-server 1 server-port 113 backend-server number ip address server-ip backend-server number port server-port 6. CSS SSL RSA (config-ssl-proxy-list[ssl_list1])# backend-server 1 cipher rsa-export-with-rc4-40-md5 7. SSL (config-ssl-proxy-list[ssl_list1])# active Cisco Content Services Switch SSL 2-9

52 2 SSL SSL!*********************** SSL PROXY LIST *********************** ssl-proxy-list ssl_list1 ssl-server 20 ssl-server 20 vip address ssl-server 20 port 444 ssl-server 20 rsacert myrsacert1 ssl-server 20 rsakey myrsakey1 ssl-server 20 cipher rsa-export-with-rc4-40-md weight 5 ssl-server 20 urlrewrite 22 active backend-server 1 backend-server 1 ip address backend-server 1 port 8080 backend-server 1 server-ip backend-server 1 server-port 113 backend-server 1 cipher rsa-export-with-rc4-40-md5 active SSL CCS SSL SSL SSL SSL SSL 2-5 SSL 2-5 SSL 1. SSL (config)# ssl-proxy-list ssl_list1 Create ssl-list <ssl_list1>, [y/n]: y SSL CLI SSL ssl-proxy-list (config-ssl-proxy-list[ssl_list1)# 2-10 Cisco Content Services Switch SSL

53 2 SSL 2-5 SSL 2. SSL SSL (config-ssl-proxy-list[ssl_list1])# backend-server 1 3. SSL (config-ssl-proxy-list[ssl_list1])# backend-server 1 type initiation 4. IP SSL IP IP (config-ssl-proxy-list[ssl_list1])# backend-server 1 ip address TCP 80 TCP (config-ssl-proxy-list[ssl_list1])# backend-server 1 port IP (config-ssl-proxy-list[ssl_list1])# backend-server 1 server-ip (config-ssl-proxy-list[ssl_list1])# backend-server 1 server-port backend-server number ip address server-ip backend-server number port server-port 8. CSS (config-ssl-proxy-list[ssl_list1])# backend-server 1 cipher rsa-with-rc4-128-md5 weight 10 Cisco Content Services Switch SSL 2-11

54 2 SSL 2-5 SSL 9. SSL CSS RSA (config-ssl-proxy-list[ssl_list1])# backend-server 1 rsacert myrsacert (config-ssl-proxy-list[ssl_list1])# backend-server 1 rsakey myrsakey 10. SSL CA CA CSS (config-ssl-proxy-list[ssl_list1])# backend-server 1 cacert mycert1 11. SSL (config-ssl-proxy-list[ssl_list1])# active 2-5!*********************** SSL PROXY LIST *********************** ssl-proxy-list ssl-list1 backend-server 1 backend-server 1 initiation backend-server 1 ip address backend-server 1 port 8080 backend-server 1 server-ip backend-server 1 server-port backend-server 1 cipher rsa-with-rc4-128-md5 weight 10 backend-server 1 rsacert myrsacert backend-server 1 rsakey myrsakey backend-server 1 cacert mycert1 active 2-12 Cisco Content Services Switch SSL

55 2 SSL SSL CSS SSL SSL SSL SSL SSL SSL SSL 2-6 SSL SSL SSL SSL SSL 2-6 SSL 1. SSL (config)# service ssl_serv1 Create service <ssl_serv1>, [y/n]: y 2. ssl-accel (config-service[ssl_serv1])# type ssl-accel 3. SSL CSS (config-service[ssl_serv1])# slot 3 4. CSS (config-service[ssl_serv1])# keepalive type none 5. SSL SSL (config-service[ssl_serv1])# add ssl-proxy-list ssl_list1 Cisco Content Services Switch SSL 2-13

56 2 SSL 2-6 SSL 6. (config-service[ssl_serv1])# compress enable HTTP 9 HTTP 7. SSL (config-service[ssl_serv1])# active 8. SSL (config)# owner ssl_owner Create owner <ssl_owner>, [y/n]: y (config-owner[ssl_owner])# content ssl_rule1 Create content <ssl_rule1>, [y/n]: y 9. VIP VIP SSL (config-owner-content[ssl-rule1]# vip address TCP SSL (config-owner-content[ssl-rule1]# port SSL 5 SSL 3 ID SSL ID application ssl SSL (config-owner-content[ssl-rule1])# application ssl advanced-balance ssl SSL (config-owner-content[ssl-rule1])# advanced-balance ssl 12. SSL (config-owner-content[ssl_rule1])# add service ssl_serv Cisco Content Services Switch SSL

57 2 SSL 2-6 SSL 13. (config-owner-content[ssl_rule1])# active 14. # copy running-config startup-config 15. SSL 2-7 SSL !************************** SERVICE ************************** service ssl-serv1 type ssl-accel slot 3 keepalive type none add ssl-proxy-list ssl_list1 compress enable active!*************************** OWNER *************************** owner ssl_owner content ssl_rule1 protocol tcp vip address port 444 application ssl advanced-balance ssl add service ssl-serv1 active Cisco Content Services Switch SSL 2-15

58 2 SSL SSL 2-7 SSL SSL SSL SSL SSL SSL 2-7 SSL 1. SSL (config)# service ssl_serv2 Create service <ssl_serv2>, [y/n]: y 2. ssl-accel-backend (config-service[ssl_serv2])# type ssl-accel-backend 3. IP backend-server number ip address SSL IP (config-service[ssl_serv2])# ip address TCP (config-service[ssl_serv2])# port Cisco Content Services Switch SSL

59 2 SSL 2-7 SSL 5. ICMP TCP SSL / HTTP SSL TCP HTTP (config-service[ssl_serv2])# keepalive type http encrypt SSL (config-service[ssl_serv2])# keepalive port 443 HTTP IP IP 6. SSL SSL (config-service[ssl_serv2])# add ssl-proxy-list ssl_list1 7. SSL (config-service[ssl_serv2])# active 8. SSL (config)# owner ssl_owner (config-owner[ssl_owner])# content ssl_backend_rule1 Create content <ssl_backend_rule1>, [y/n]: y 9. IP VIP VIP SSL (config-owner-content[ssl_backend_rule1]# vip address Cisco Content Services Switch SSL 2-17

60 2 SSL 2-7 SSL 10. TCP SSL SSL TCP (config-owner-content[ssl_backend_rule1]# port advanced-balance arrowpoint-cookie arrowpoint (config-owner-content[ssl_backend_rule1])# advanced-balance arrowpoint-cookie 12. url /* (config-owner-content[ssl_backend_rule1])# url /* 13. SSL (config-owner-content[ssl_backend_rule1])# add service ssl_serv2 14. (config-owner-content[ssl_backend_rule1])# active 15. # copy running-config startup-config 2-18 Cisco Content Services Switch SSL

61 2 SSL SSL!************************** SERVICE ************************** service ssl-serv1 type ssl-accel slot 3 keepalive type none add ssl-proxy-list ssl_list1 active service ssl_serv2 type ssl-accel-backend ip address port 8080 keepalive http encrypt keepalive port 443 add ssl-proxy-list ssl_list1 active!*************************** OWNER *************************** owner ssl_owner content ssl_backend_rule1 vip address advanced-balance arrowpoint-cookie protocol tcp port 8080 url /* add service ssl_serv2 active content ssl_rule1 protocol tcp vip address port 444 application ssl advanced-balance ssl add service ssl-serv1 active Cisco Content Services Switch SSL 2-19

62 2 SSL SSL 2-8 SSL SSL SSL SSL 2-8 SSL 1. SSL (config)# service ssl_serv1 Create service <ssl_serv1>, [y/n]: y 2. ssl-init (config-service[ssl_serv1])# type ssl-init 3. IP backend-server number ip address SSL IP SSL (config-service[ssl_serv1])# ip address SSL (config-service[ssl_serv1])# port Cisco Content Services Switch SSL

63 2 SSL 2-8 SSL 5. ICMP SSL ICMP SSL TCP / HTTP SSL TCP SSL HTTP (config-service[ssl_serv1])# keepalive type http encrypt (config-service[ssl_serv1])# keepalive port HTTP IP IP 6. SSL SSL CSS (config-service[ssl_serv1])# slot 5 7. SSL SSL (config-service[ssl_serv1])# add ssl-proxy-list ssl_list1 8. (config-service[ssl_serv1])# compress enable HTTP 9 HTTP 9. SSL (config-service[ssl_serv1])# active Cisco Content Services Switch SSL 2-21

64 2 SSL 2-8!************************** SERVICE ************************** service ssl-serv2 type ssl-init ip address port 8080 slot 5 keepalive type http encrypt keepalive port add ssl-proxy-list ssl_list1 compress enable active SSL 2-9 SSL SSL SSL SSL 2-9 SSL 1. (config)# owner ssl_owner Create owner <ssl_owner>, [y/n]: y 2. SSL SSL (config)# owner ssl_owner (config-owner[ssl_owner])# content ssl_init_rule1 Create content <ssl_init_rule1>, [y/n]: y 3. IP VIP (config-owner-content[ssl_backend_rule1]# vip address TCP (config-owner-content[ssl_backend_rule1]# port url /* (config-owner-content[ssl_backend_rule1])# url /* 2-22 Cisco Content Services Switch SSL

65 2 SSL 2-9 SSL 6. advanced-balance arrowpoint-cookie arrowpoint (config-owner-content[ssl_backend_rule1])# advanced-balance arrowpoint-cookie 7. SSL (config-owner-content[ssl_backend_rule1])# add service ssl_serv2 8. (config-owner-content[ssl_backend_rule1])# active 9. # copy running-config startup-config 2-9!*************************** OWNER *************************** owner ssl_owner content ssl_init_rule1 vip address port 80 url /* advanced-balance arrowpoint-cookie add service ssl_serv1 active Cisco Content Services Switch SSL 2-23

66 2 SSL 2-24 Cisco Content Services Switch SSL

67 CHAPTER 3 SSL SSL CSS SSL CSS CSS Cisco Content Services Switch SSL 3-1

68 SSL 3 SSL SSL ID VeriSign Thawte Certificate Authority CA; CA CA CA Certificate Revocation List CRL; CA CA CSS SSL SSL CRL CA CA CA SSL SSL CSS SSL SSL / CSS CSS CA CSS CSS CSS Web CSS SSL CA CSS SSL 3-2 Cisco Content Services Switch SSL

69 3 SSL SSL CSS SSL SSL CSS CSS CSS SSL CSS SSL SSL CSS Cisco Content Services Switch Command Reference 2 CLI Commands (config) username-technician 3-1 CSS RSA SSL Cisco Content Services Switch SSL 3-3

70 SSL 3 SSL 3-1 SSL FTP SFTP CSS FTP CSS RSA FTP CSS RSA? RSA / CSS CSS SSL RSA CSS?? CSR RSA CSR SSL CSR CA Web CSR CA CA FTP CSS CSS CSS SSL Cisco Content Services Switch SSL

71 3 SSL CSS CSS CSS CSS Diffie-Hellman CSS RSA DSA Diffie-Hellman Certificate Signing Request CSR; ssl genrsa gencsr gendsa gencert Web CA 1 ssl gencsr Privacy Enhanced Mail PEM PKCS10 RSA DSA Diffie-Hellman RSA Cisco Content Services Switch SSL 3-5

72 CSS 3 SSL RSA RSA CSS SSL RSA CSS RSA / ssl genrsa ssl genrsa filename numbits password filename RSA 31 CSS numbits Web RSA RSA password RSA CSS Data Encryption Standard DES; RSA CSS 35 CSS DES RSA myrsakeyfile1 (config) # ssl genrsa myrsakeyfile passwd123 Please be patient this could take a few minutes RSA RSA CSR CA CSS RSA 3-6 Cisco Content Services Switch SSL

73 3 SSL CSS CA RSA RSA DSA DSA National Institutes of Standards and Technology NIST; DSA / DSA CSS DSA / ssl gendsa ssl gendsa filename numbits password filename DSA 31 CSS numbits Web DSA DSA password DSA CSS DES DSA CSS 35 CSS DES Cisco Content Services Switch SSL 3-7

74 CSS 3 SSL DSA mydsakeyfile2 (config) # ssl gendsa mydsakeyfile2 512 passwd123 Please be patient this could take a few minutes DSA DSA Diffie-Hellman Diffie-Hellman Diffie-Hellman / Diffie-Hellman CSS ssl gendh Diffie-Hellman Diffie-Hellman 20 CPU ssl gendh CSS ssl gendh filename numbits password filename Diffie-Hellman 31 CSS numbits Web Diffie-Hellman Diffie-Hellman Cisco Content Services Switch SSL

75 3 SSL CSS password Diffie-Hellman CSS DES Diffie-Hellman CSS 35 CSS DES Diffie-Hellman dhparamfile2 (config) # ssl gendh dhparamfile2 512 passwd123 Please be patient this could take a few minutes Diffie-Hellman Diffie-Hellman RSA RSA CSR CA ssl gencsr rsakey PEM PKCS10 CSR CSR CA RSA CSR rsakey RSA CSR RSA RSA CSS RSA RSA CSS Cisco Content Services Switch SSL 3-9

76 CSS 3 SSL RSA myrsakey1 CSR CSS11503(config)# ssl gencsr myrsakey1 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. For some fields there will be a default value, If you enter '.', the field will be left blank. Country Name (2 letter code) [US]US State or Province (full name) [SomeState]Massachusetts Locality Name (city) [SomeCity]Boxborough Organization Name (company name) [Acme Inc]Cisco Systems, Inc. Organizational Unit Name (section) [Web Administration]Web Admin Common Name (your domain name) [ address [webadmin@acme.com]webadmin@cisco.com -----BEGIN CERTIFICATE REQUEST----- MIIBWDCCAQICAQAwgZwxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNQTETMBEGA1UE BxMKQm94Ym9yb3VnaDEcMBoGA1UEChMTQ2lzY28gU3lzdGVtcywgSW5jLjESMBAG A1UECxMJV2ViIEFkbWluMRYwFAYDVQQDEw13d3cuY2lzY28uY29tMSEwHwYJKoZI hvcnaqkbfhjra3jvzwjlckbjaxnjby5jb20wxdanbgkqhkig9w0baqefaanladbi AkEAqHXjtQUVXvmo6tAWPiMpe6oYhZbJUDgTxbW4VMCygzGZn2wUJTgLrifDB6N3 v+1tkfnde686bhkqfyoidml3wqidaqaboaawdqyjkozihvcnaqeebqadqqa94yc3 4SUJJ4UQEnO2OqRGLOZpAElc4+IV9aTWK6NmiZsM9Gt0vPhIkLx5jjhVRLlb27Ak H6D5omXa0SPJan5x -----END CERTIFICATE REQUEST----- CSS11503(config)# ssl gencsr PEM PKCS10 CSR Web CSR CSS 128 CA SETUP/SGC CSS 3-10 Cisco Content Services Switch SSL

77 3 SSL CSS CSR CA 7 CSR CSR CSS CSR CSR CSR CSR Web CA SSL CSR CSR 30 CSS ssl gencert ssl gencert Web CA RSA DSA ssl gencert RSA DSA RSA DSA CSS DSA RSA RSA DSA RSA RSA DSA DSA Cisco Content Services Switch SSL 3-11

78 CSS 3 SSL ssl gencert certkey certkey signkey signkey certfile password certkey certkey RSA DSA 31 signkey signkey RSA DSA 31 certfile CSS 31 password CSS DES CSS 35 CSS DES mycertfile2 CSS11503(config)# ssl gencert certkey myrsakey signkey myrsasignkey myrsacertfile passwd123 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. For some fields there will be a default value, If you enter '.', the field will be left blank. Country Name (2 letter code) [US]US State or Province (full name) [SomeState]Massachusetts Locality Name (city) [SomeCity]Boxborough Organization Name (company name) [Acme Inc]Cisco Systems, Inc. Organizational Unit Name (section) [Web Administration]Web Admin Common Name (your domain name) [ address [webadmin@acme.com]webadm@cisco.com CSS11503(config)# 3-12 Cisco Content Services Switch SSL

79 3 SSL 40 SSL SSL CA CA CA 1 CSS 1 SSL FTP CSS 2 1 CSS Cisco Content Services Switch SSL 3-13

80 3 SSL 1 CSS CSS CSS CSS Secure Shell SSHv2 2 CSS Secure File Transfer Protocol SFTP; FTP 2 SFTP SFTP FTP CSS CSS CSS SSH SSH SSH no restrict ssh SSH CSS SSH copy ssl sftp CSS Secure Shell Daemon SSHD Cisco Content Services Switch Security Configuration Guide SFTP SFTP 3-14 Cisco Content Services Switch SSL

81 3 SSL SSH CSS SSH CSS SSH CSS SFTP FTP ftp-record CSS SFTP FTP CSS SFTP FTP ftp-record Cisco Content Services Switch Administration Guide copy ssl FTP SSH sshlogin SSH d: Program Files Network d: Program Files Network ssh SFTP ssl_record # ftp-record ssl_record johndoe abc123 /home/johndoe Cisco Content Services Switch SSL 3-15

82 3 SSL CSS copy ssl CSS CSS copy ssl [protocol] ftp_record [import filename [format] password { passphrase } export filename2 password ] protocol sftp ftp SFTP ftp_record FTP import filename 128 format PEM DES CSS SCM DER Distinguished Encoding Rules DER ASN.1 DER X509 Microsoft Windows NT IIS 4.0 PEM Privacy Enhanced Mail PEM Base64 PEM X509 Apache/SSL UNIX PKCS12 RSA Data Security, Inc. Microsoft Windows 2000 IIS Cisco Content Services Switch SSL

83 3 SSL password DES CSS 35 CSS DES passphrase PEM CSS PKCS12.pfx CSS export filename2 32 RSA/DSA Diffie-Hellman Diffie-Hellman rsacert.pem CSS # copy ssl sftp ssl_record import rsacert.pem PEM passwd123 Connecting Completed successfully Cisco Content Services Switch SSL 3-17

84 3 SSL rsakey.pem CSS # copy ssl sftp ssl_record import rsakey.pem PEM passwd123 Connecting Completed successfully rsacert.pem CSS # copy ssl sftp ssl_record export rsacert.pem passwd123 copy ssl ftp ssh ssh/path SSH ftp SSH IP 3-18 Cisco Content Services Switch SSL

85 3 SSL Diffie-Hellman CSS / Diffie-Hellman CSS CSS CSS CSS CSS RSA DSA Diffie-Hellman ssl associate cert no ssl associate cert certname filename certname 31 Cisco Content Services Switch SSL 3-19

86 3 SSL filename 128 ssl associate cert certname? rsacert.pem myrsacert1 (config) # ssl associate cert myrsacert1 rsacert.pem (config) # no ssl associate ssl cert myrsacert1 no SSL RSA RSA RSA ssl associate rsakey no ssl associate rsakey keyname filename keyname RSA 31 filename RSA 128 RSA ssl associate rsakey keyname? RSA myrsakey1 rsakey.pem (config) # ssl associate rsakey myrsakey1 rsakey.pem 3-20 Cisco Content Services Switch SSL

87 3 SSL (config) # no ssl associate rsakey myrsakey1 no RSA SSL DSA DSA DSA ssl associate dsakey no ssl associate dsakey keyname filename keyname DSA 31 filename DSA 128 DSA ssl associate dsakey keyname? DSA mydsakey1 dsakey.pem (config) # ssl associate dsakey mydsakey1 dsakey.pem (config) # no ssl associate dsakey mydsakey1 no DSA SSL Cisco Content Services Switch SSL 3-21

88 3 SSL Diffie-Hellman Diffie-Hellman Diffie-Hellman ssl associate dhparam no ssl associate dhparam paramname filename paramname Diffie-Hellman 31 filename Diffie-Hellman 128 Diffie-Hellman ssl associate dhparam filename? dhparams.pem Diffie-Hellman mydhparam1 (config) # ssl associate dhparam mydhparam1 dhparams.pem (config) # no ssl associate dhparam mydhparam1 no Diffie-Hellman SSL 3-22 Cisco Content Services Switch SSL

89 3 SSL 1 ssl verify ssl verify? / ssl verify certname keyname certname keyname myrsacert1 myrsakey1 (config)# ssl verify myrsacert1 myrsakey1 Certificate and key match Cisco Content Services Switch SSL 3-23

90 3 SSL SSL 30 ssl cert-exp tolerance ssl cert-exp tolerance days days SSL SSL 10 (config)# ssl cert-exp tolerance (config)# no ssl cert-exp tolerance 3-24 Cisco Content Services Switch SSL

91 3 SSL CSS CSS CSS clear ssl file clear ssl file no ssl associate clear ssl file filename password filename CSS Diffie-Hellman password CSS CSS DES dsacert.pem CSS # clear ssl file dsacert.pem passwd123 Cisco Content Services Switch SSL 3-25

92 CSS 3 SSL 3-26 Cisco Content Services Switch SSL

93 CHAPTER 4 SSL CSS SSL SSL SSL SSL SSL SSL SSL SSL SSL SSL SSL Cisco Content Services Switch SSL 4-1

94 SSL 4 SSL SSL CSS SSL SSL SSL TCP SSL SSL CSS CSS HTTP SSL SSL 4-1 SSL SSL CSS SSL 4-1 SSL SSL CSS HTTP SSL SSL SSL SSL 1 SSL CSS SSL SSL SSL 1 SSL 256 SSL SSL SSL SSL SSL CSS SSL SSL 4-2 Cisco Content Services Switch SSL

95 4 SSL SSL SSL SSL SSL SSL SSL ssl-proxy-list ssl-proxy-list ACL rmon ssl-proxy-list SSL SSL 1 31 SSL ssl_list1 (config)# ssl-proxy-list ssl_list1 Create ssl-list <ssl_list1>, [y/n]: y SSL CLI ssl-proxy-list (config-ssl-proxy-list[ssl_list1])# SSL (config)# no ssl-proxy-list ssl_list1 Delete ssl-list <ssl_list1>, [y/n]: y SSL SSL SSL SSL Cisco Content Services Switch SSL 4-3

96 SSL 4 SSL SSL SSL description 64 ssl_list1 SSL (config-ssl-proxy-list[ssl_list1])# description This is the SSL list for SSL (config-ssl-proxy-list[ssl_list1])# no description 4-4 Cisco Content Services Switch SSL

97 4 SSL SSL SSL SSL SSL SSL 1 SSL ssl-server SSL SSL SSL CSS SSL SSL SSL SSL SSL 1 SSL 256 SSL Brand New Products e CSS SSL Web CSS SSL SSL SSL VIP VIP VIP SSL TCP RSA DSA SSL RSA CSS SSL Diffie-Hellman Diffie-Hellman SSL SSL CCS SSL SSL Cisco Content Services Switch SSL 4-5

98 SSL SSL 4 SSL SSL SSL SSL IP HTTP SSL TLS TCP FIN URL SSL SSL SSL SSL TCP SSL TCP SSL TCP SSL TCP Nagle SSL TCP SSL TCP TCP SSL 7 SSL 4-6 Cisco Content Services Switch SSL

99 4 SSL SSL SSL SSL SSL SSL SSL SSL ssl-server number SSL SSL VIP SSL SSL 20 (config-ssl-proxy-list[ssl_list1])# ssl-server 20 SSL SSL (config-ssl-proxy-list[ssl_list1])# no ssl-server 20 IP VIP SSL VIP VIP IP VIP ssl-server number vip address ip_or_host SSL SSL VIP SSL VIP myhost.mydomain.com VIP CSS DNS myhost.mydomain.com IP VIP DNS Cisco Content Services Switch Global Server Load-Balancing Configuration Guide Cisco Content Services Switch SSL 4-7

100 SSL SSL 4 SSL SSL VIP SSL SSL TCP Nagle SSL SSL VIP SSL 1 VIP VIP SSL VIP (config-ssl-proxy-list[ssl_list1])# ssl-server 20 vip address SSL VIP (config-ssl-proxy-list[ssl_list1])# no ssl-server 20 vip address SSL SSL TCP ssl-server number port number SSL TCP SSL TCP SSL SSL SSL SSL TCP Nagle SSL SSL SSL 1 CSS 4-8 Cisco Content Services Switch SSL

101 4 SSL SSL SSL 444 (config-ssl-proxy-list[ssl_list1])# ssl-server 20 port (config-ssl-proxy-list[ssl_list1])# no ssl-server 20 port CSS SSL CSS CSS 3 SSL RSA RSA DSA DSA Diffie-Hellman RSA / RSA ssl-server number rsacert name RSA ssl-server number rsacert? RSA CSS 3 SSL RSA SSL Cisco Content Services Switch SSL 4-9

102 SSL SSL 4 SSL rsacert RSA (config-ssl-proxy-list[ssl_list1])# ssl-server 20 rsacert myrsacert1 SSL RSA (config-ssl-proxy-list[ssl_list1])# no ssl-server 20 rsacert RSA RSA ssl-server number rsakey name RSA CSS SSL RSA ssl-server number rsakey? RSA CSS 3 SSL RSA SSL rsakey RSA (config-ssl-proxy-list[ssl_list1])# ssl-server 20 rsakey myrsakey1 SSL RSA (config-ssl-proxy-list[ssl_list1])# no ssl-server 20 rsakey DSA DSA ssl-server number dsacert name DSA ssl-server number dsacert? 4-10 Cisco Content Services Switch SSL

103 4 SSL SSL SSL DSA CSS 3 SSL RSA SSL dsacert DSA (config-ssl-proxy-list[ssl_list1])# ssl-server 20 dsacert mydsacert1 SSL DSA (config-ssl-proxy-list[ssl_list1])# no ssl-server 20 dsacert DSA DSA CSS SSL DSA ssl-server number dsakey name DSA ssl-server number dsakey? DSA CSS 3 SSL DSA SSL dsakey DSA (config-ssl-proxy-list[ssl_list1])# ssl-server 20 dsakey mydsakey1 SSL DSA (config-ssl-proxy-list[ssl_list1])# no ssl-server 20 dsakey Cisco Content Services Switch SSL 4-11

104 SSL SSL 4 SSL Diffie-Hellman Diffie-Hellman 2 Diffie-Hellman ssl-server number dhparam name Diffie-Hellman ssl-server number dhparam? Diffie-Hellman CSS 3 SSL Diffie-Hellman SSL Diffie-Hellman (config-ssl-proxy-list[ssl_list1])# ssl-server 20 dhparam mydhparams1 Diffie-Hellman SSL (config-ssl-proxy-list[ssl_list1])# no ssl-server 20 dhparam SSL SSL SSL SSL Cisco Content Services Switch SSL

105 4 SSL SSL SSL 128 3DES RC4 4-2 rsa-export-with-rc4-40-md5 4-2 Rivest, Shamir and Adelman (RSA) rsa-export-with-rc4-40-md SSL ssl-server number cipher CSS all-cipher-suites SSL RSA DSA Diffie-Hellman SSL Cisco Content Services Switch SSL 4-13

106 SSL SSL 4 SSL ssl-server number cipher name ip_address_or_hostname port {weight number} ssl-server number SSL SSL cipher name 4-1 ip_address_or_hostname IP IP myhost.mydomain.com port HTTP TCP weight number 10 1 SSL dhe-rsa-with-3des-ede-cbc-sha (config-ssl-proxy-list[ssl_list1])# ssl-server 20 cipher dhe-rsa-with-3des-ede-cbc-sha weight 5 SSL (config-ssl-proxy-list[ssl_list1])# no ssl-server 20 cipher dhe-rsa-with-3des-ede-cbc-sha 4-1 SSL SSL 4-1 CSS 4-14 Cisco Content Services Switch SSL

107 4 SSL SSL SSL all-cipher-suite 4-1 rsa-with-rc4-128-md5 all-cipher-suites all-cipher-suites dh-anon Diffie-Hellman export 4-1 CSS SSL all-cipher-suites RSA DSA RSA Diffie-Hellman rsa-with-rc4-128-md5 RSA RSA rsa-with-rc4-128-sha RSA RSA rsa-with-des-cbc-sha RSA RSA rsa-with-3des-ede-cbc-sha RSA RSA dhe-dss-with-des-cbc-sha DSA DSS Ephemeral Diffie-Hellman dhe-dss-with-3des-ede-cbc-sha DSA DSS Ephemeral Diffie-Hellman dhe-rsa-with-des-cbc-sha RSA Ephemeral Diffie-Hellman Cisco Content Services Switch SSL 4-15

108 SSL SSL 4 SSL 4-1 CSS SSL dhe-rsa-with-3des-ede-cbc-sha RSA Ephemeral Diffie-Hellman dh-anon-with-rc4-128-md5 Diffie-Hellman dh-anon-with-des-cbc-sha Diffie-Hellman dh-anon-with-3des-ede-cbc-sha Diffie-Hellman dhe-dss-with-rc4-128-sha DSA DSS Ephemeral Diffie-Hellman rsa-export-with-rc4-40-md5 RSA RSA rsa-export-with-des40-cbc-sha RSA RSA dhe-dss-export-with-des40-cbc-sha DSA DSS Ephemeral Diffie-Hellman dhe-rsa-export-with-des40-cbc-sha RSA Ephemeral Diffie-Hellman dh-anon-export-with-rc4-40-md5 Diffie-Hellman dh-anon-export-with-des40-cbc-sha Diffie-Hellman rsa-export1024-with-des-cbc-sha RSA RSA dhe-dss-export1024-with-des-cbc-sha DSA DSS Ephemeral Diffie-Hellman rsa-export1024-with-rc4-56-sha RSA RSA dhe-dss-export1024-with-rc4-56-sha DSA DSS Ephemeral Diffie-Hellman SSL CSS SSL CSS CA 4-16 Cisco Content Services Switch SSL

109 4 SSL SSL SSL CSS CA CRL CRL SSL CSS CRL CSS SSL CRL show ssl-proxy-list ssl-server SSL show ssl statistics 7 SSL CSS ssl-server authentication (config-ssl-proxy-list[ssl_list1])# ssl-server 20 authentication enable (config-ssl-proxy-list[ssl_list1])# no ssl-server 20 authentication disable (config-ssl-proxy-list[ssl_list1])# ssl-server 20 authentication disable Cisco Content Services Switch SSL 4-17

110 SSL SSL 4 SSL CSS CSS CA CA CA CA CA CA CA SSL CSS CA SSL CA SSL CSS CA CA 3 SSL 3 SSL CSS ssl-server number cacert CA SSL SSL mycert1 CA (config-ssl-proxy-list[ssl_list1])# ssl-server 20 cacert mycert Cisco Content Services Switch SSL

111 4 SSL SSL SSL SSL no form of the ssl-server number cacert mycert1 CA (config-ssl-proxy-list[ssl_list1])# no ssl-server 20 cacert mycert1 CRL CA Certificate Revocation List CRL; CRL CSS CRL CRL HTTP CSS CRL CRL CSS CRL URL CRL SSL CRL HTTP IP SSL VIP CSS 10 CRL 1 SSL CRL 1 CRL ssl crl-record ssl crl-record crl_name url sign_cert hours crl_name CRL 31 url CRL URL Cisco Content Services Switch SSL 4-19

112 SSL SSL 4 SSL sign_cert CRL CA CA CRL CRL CSS CA 3 SSL 3 SSL hours CRL CRL CRL CSS SSL CRL CRL CRL SSL SSL CRL CRL mycrl CRL CRL URL crl.verisign.com CRL CSS CA verisign_cacert CSS CRL 24 (config)# ssl crl-record mycrl verisign_cacert 24 CRL (config)# no ssl crl-record mycrl CRL show ssl crl-record 7 SSL 4-20 Cisco Content Services Switch SSL

113 4 SSL SSL SSL CRL SSL CRL SSL SSL 1 CRL CRL SSL ssl-server number crl ssl-server number crl crl_record_name {expiration-enabled {verification-enable}} number ssl-server? crl_record_name CRL ssl-server number crl? expiration-enabled SSL CRL Next Update CRL CRL CRL Next Update CRL CSS CRL SSL Next Update ssl-accel CRL SSL VIP CRL ssl force-crl CRL SSL CRL Cisco Content Services Switch SSL 4-21

114 SSL SSL 4 SSL verification-enable CRL SSL CRL SSL Host Timeout Host TCP Reset TCP HTTP CRL File Format Bad CRL CRL Signature Bad CRL CRL Next Update Field Invalid CRL Next Update CRL Next Update Expired CRL Next Update CRL mycrl CRL (config-ssl-proxy-list[ssl_list1])# ssl-server 20 crl mycrl mycrl CRL Next Update CSS (config-ssl-proxy-list[ssl_list1])# ssl-server 20 crl mycrl expiration-enabled mycrl CRL SSL (config-ssl-proxy-list[ssl_list1])# no ssl-server 20 crl mycrl CSS CRL CRL ssl-accel SSL CRL CSS ssl force-crl-reload 4-22 Cisco Content Services Switch SSL

115 4 SSL SSL SSL CRL # ssl force-crl-reload mycrl CRL CSS SSL CRL # ssl force-crl-reload CSS CRL CSS SSL CRL CRL CSS SSL CRL CRL ssl clear-crl ssl clear-crl {crl_name} crl_name CRL CRL SSL CRL CRL # ssl clear-crl Cisco Content Services Switch SSL 4-23

116 SSL SSL 4 SSL CA CSS CSS CRL Revoked SSL CRL show ssl statistics ssl ssl-server number failure CSS ignore CSS CSS (config-ssl-proxy-list[ssl_list1])# ssl-server 20 failure ignore ignore reject CSS (config-ssl-proxy-list[ssl_list1])# ssl-server 20 failure reject redirect URL (config-ssl-proxy-list[ssl_list1])# ssl-server 20 failure redirect CSS URL ssl-server number failure-url 168 URL URL (config-ssl-proxy-list[ssl_list1])# ssl-server 20 failure-url Cisco Content Services Switch SSL

117 4 SSL SSL SSL URL no ssl-server number failure-url URL ssl-server number failure-url URL SSL URL (config-ssl-proxy-list[ssl_list1])# no ssl-server 20 failure-url syslog HTTP SSL HTTP HTTP SSL CSS CSS HTTP SSL HTTP 1.1 HTTP HTTP TCP HTTP 1.0 HTTP CSS 1 HTTP SSL Cisco Content Services Switch SSL 4-25

118 SSL SSL 4 SSL HTTP SSL SSL HTTP HTTP HTTP HTTP HTTP HTTP HTTP show ssl-proxy-list 7 SSL HTTP CSS HTTP SSL HTTP HTTP SSL 4-26 Cisco Content Services Switch SSL

119 4 SSL SSL SSL HTTP CSS ssl-server number http-header client-cert (config-ssl-proxy-list[ssl_list1])# ssl-server 20 http-header client-cert HTTP (config-ssl-proxy-list[ssl_list1])# no ssl-server 20 http-header client-cert HTTP Client Certificate ClientCert-Fingerprint 16 ASCII ClientCert-Subject-CN ClientCert-Fingerprint: 64:75:CE:AD:9B:71:AC:25:ED:FE:DB:C7:4B:D4:1A:BA X.509 ClientCert-Issuer-CN ClientCert-Subject-CN: X.509 ClientCert-Issuer-CN: Cisco Content Services Switch SSL 4-27

120 SSL SSL 4 SSL 4-2 HTTP Client Certificate ClientCert-Certificate-Version X.509 X X.509 ASN ClientCert-Certificate-Version: 3 (0x2) ClientCert-Serial-Number ClientCert-Serial-Number: 2 ClientCert-Data-Signature-Algorithm X.509 md5withrsaencryption sha1withrsaencryption dsawithsha1 ClientCert-Signature-Algorithm: md5withrsaencryption ClientCert-DSA-Public-Key-Size DSA DSA bit ClientCert-DSA-Public-Key-Size: 1024 bit ClientCert-DSA-Public-Key DSA DSA : 16 0x ClientCert-DSA-Public-Key: 00:d8:1b:94:de:52:a1:20:51:b1:77 ClientCert-DSA-Private-Key-Size DSA DSA bit ClientCert-DSA-Private-Key-Size: 1024 bit 4-28 Cisco Content Services Switch SSL

121 4 SSL SSL SSL 4-2 HTTP Client Certificate ClientCert-Subject X.509 ClientCert-Subject: CN=Example, ST=Virginia, 0=Root ClientCert-Issuer X.509 ClientCert-Issuer: CN=Example CA, ST=Virginia, 0=Root ClientCert-Not-After Validity Not After UTC Generalized Time ClientCert-Not-After: :59.59 UTC ClientCert-Not-Before Validity Not Before UTC Generalized Time ClientCert-Not-Before: :00:00.00 UTC ClientCert-Public-Key-Algorithm rsaencryption rsa dsaencryption ClientCert-Public-Key-Algorithm: rsaencryption ClientCert-RSA-Modulus-Size RSA RSA bit ClientCert-RSA-Modulus-Size: 1024 bit Cisco Content Services Switch SSL 4-29

122 SSL SSL 4 SSL 4-2 HTTP Client Certificate ClientCert-RSA-Modulus RSA RSA n : 16 0x e RSA ClientCert-RSA-Modulus: + 00:d8:1b:94:de:52:a1:20:51:b1:77 ClientCert-RSA-Exponent RSA RSA e ClientCert-RSA-Exponent: ClientCert-Subject-Key-Identifier X.509 X ASCII ClientCert-Subject-Key-Identifier: 16:13:15:97:FD:8E:16:B9:D2:99 ClientCert-Authority-Key-Identifier X.509 X ASCII ClientCert-Authority-Key-Identifier: 16:13:15:97:FD:8E:16:B9:D2:99 ClientCert-Basic-Constraints X.509 CA=TRUE CA=FALSE ClientCert-Basic-Constraints: CA=TRUE 4-30 Cisco Content Services Switch SSL

123 4 SSL SSL SSL 4-2 HTTP Client Certificate ClientCert-Signature-Algorithm md5withrsaencryption sha1withrsaencryption dsawithsha1 Secure Hash Algorithm ClientCert-Signature ClientCert-Signature-Algorithm: md5withrsaencryption : 16 0x ClientCert-Signature: 33:75:8e:a4:05:92:65 CSS CSS ssl-server number rsacert ssl-server number dsacert HTTP SSL HTTP HTTP SSL ssl-server number http-header server-cert (config-ssl-proxy-list[ssl_list1])# ssl-server 20 http-header server-cert Cisco Content Services Switch SSL 4-31

124 SSL SSL 4 SSL HTTP (config-ssl-proxy-list[ssl_list1])# no ssl-server 20 http-header server-cert HTTP ServerCert-Fingerprint 16 ASCII ServerCert-Fingerprint: 64:75:CE:AD:9B:71:AC:25:ED:FE:DB:C7:4B:D4:1A:BA ServerCert-Subject-CN X.509 ServerCert-Subject-CN: ServerCert-Issuer-CN X.509 ServerCert-Issuer-CN: ServerCert-Certificate-Version X.509 X X.509 ASN ServerCert-Certificate-Version: 3 (0x2) ServerCert-Serial-Number ServerCert-Serial-Number: Cisco Content Services Switch SSL

125 4 SSL SSL SSL 4-3 HTTP ServerCert-Data-Signature-Algorithm X.509 md5withrsaencryption sha1withrsaencryption dsawithsha1 ServerCert-Signature-Algorithm: md5withrsaencryption ServerCert-DSA-Public-Key-Size DSA DSA bit ServerCert-DSA-Public-Key-Size: 1024 bit ServerCert-DSA-Public-Key DSA DSA : 16 0x ServerCert-DSA-Public-Key: 00:d8:1b:94:de:52:a1:20:51:b1:77 ServerCert-DSA-Private-Key-Size DSA DSA bit ServerCert-DSA-Private-Key-Size: 1024 bit ServerCert-Subject X.509 ServerCert-Subject: CN=Example, ST=Virginia, C=US/ =ca@example.com, 0=Root Cisco Content Services Switch SSL 4-33

126 SSL SSL 4 SSL 4-3 HTTP ServerCert-Issuer X.509 ServerCert-Issuer: CN=Example CA, ST=Virginia, C=US/ =ca@exampleca.com, 0=Root ServerCert-Not-After Validity Not After UTC Generalized Time ServerCert-Not-After: :59.59 UTC ServerCert-Not-Before Validity Not Before UTC Generalized Time ServerCert-Not-Before: :00:00.00 UTC ServerCert-Public-Key-Algorithm rsaencryption rsa dsaencryption ServerCert-Public-Key-Algorithm: rsaencryption ServerCert-RSA-Modulus-Size RSA RSA bit ServerCert-RSA-Modulus-Size: 1024 bit ServerCert-RSA-Modulus RSA RSA n : 16 0x e RSA ServerCert-RSA-Modulus: + 00:d8:1b:94:de:52:a1:20:51:b1: Cisco Content Services Switch SSL

127 4 SSL SSL SSL 4-3 HTTP ServerCert-RSA-Exponent RSA RSA e ServerCert-RSA-Exponent: ServerCert-Subject-Key-Identifier X.509 X ASCII ServerCert-Subject-Key-Identifier: 16:13:15:97:FD:8E:16:B9:D2:99 ServerCert-Authority-Key-Identifier X.509 X ASCII ServerCert-Authority-Key-Identifier: 16:13:15:97:FD:8E:16:B9:D2:99 ServerCert-Basic-Constraints X.509 CA=TRUE CA=FALSE ServerCert-Basic-Constraints: CA=TRUE ServerCert-Signature-Algorithm md5withrsaencryption sha1withrsaencryption dsawithsha1 Secure Hash Algorithm ServerCert-Signature-Algorithm: md5withrsaencryption Cisco Content Services Switch SSL 4-35

128 SSL SSL 4 SSL 4-3 HTTP ServerCert-Signature : 16 0x ServerCert-Signature: 33:75:8e:a4:05:92:65 SSL SSL CSS HTTP SSL HTTP HTTP SSL ssl-server number http-header session (config-ssl-proxy-list[ssl_list1])# ssl-server 20 http-header session SSL HTTP (config-ssl-proxy-list[ssl_list1])# no ssl-server 20 http-header session 4-4 SSL 4-36 Cisco Content Services Switch SSL

129 4 SSL SSL SSL 4-4 HTTP SSL Session-Cipher-Name OpenSSL Session-Cipher-Name: EXP1024-RC4-SHA Session-Cipher-Key-Size Session-Cipher-Key-Size: 128 Session-Cipher-Use-Size Session-Cipher-Use-Size: 56 Session-Protocol-Version SSL TLS SSL TLS Session-Protocol-Version: TLSv1 Session-Id SSL ID 32 ID 0x : 16 Session-Id: 75:45:62:cf:ee:71:de:ad:be:ef:00:33:ee:23:89:25:75:45: 62:cf:ee:71:de:ad:be:ef:00:33:ee:23:89:25 Session-Verify-Result SSL SSL Session-Verify-Result: 0 Cisco Content Services Switch SSL 4-37

130 SSL SSL 4 SSL HTTP HTTP ssl-server number http-header prefix 16 SSL HTTP HTTP SSL Acme-SSL (config-ssl-proxy-list[ssl_list1])# ssl-server 20 http-header prefix "Acme-SSL" ClientCert-Certificate-Version Acme-SSL-ClientCert-Certificate-Version (config-ssl-proxy-list[ssl_list1])# no ssl-server 20 http-header prefix ssl-server number http-header prefix HTTP SSL 4-38 Cisco Content Services Switch SSL

すべて見る

untitled

untitled CAD 6.2(1) for Cisco Unified Contact Center Express Release 4.5(1) 24-Feb-06 Text Part Number: OL-9407-01-J CCSP CCVP Cisco Square Bridge Follow Me Browsing StackWise Cisco Systems, Inc. Changing the Way