Cisco CSS11501S-C-K9, CSS-11154-AC, 11000 Series Configuration Manual

Cisco 11000 Series Secure Content Accelerator Configuration Guide
April 2003

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

Text Part Number: 78-13124-06
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Cisco’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.

Modifying the equipment without Cisco’s written authorization may result in the equipment no longer complying with FCC requirements for Class A or Class B digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.

You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures:
• Turn the television or radio antenna until the interference stops.
• Move the equipment to one side or the other of the television or radio.
• Move the equipment farther away from the television or radio.
• Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits controlled by different circuit breakers or fuses.)

Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your authority to operate the product.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCIP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0208R)
This product includes cryptographic software written by Eric A. Young. This product includes software written by Tim J. Hudson.
Cisco 11000 Series Secure Content Accelerator Configuration Guide
Copyright © 2003, Cisco Systems, Inc. All rights reserved.
CONTENTS

About This Guide   xxxi
    How to Use This Guide   xxxi
    Symbols and Conventions   xxxiii
    Obtaining Documentation   xxxv
        Cisco.com   xxxv
        Documentation CD-ROM   xxxv
        Ordering Documentation   xxxv
        Documentation Feedback   xxxvi
    Obtaining Technical Assistance   xxxvii
        Cisco.com   xxxvii
        Technical Assistance Center   xxxvii
            Cisco TAC Website   xxxviii
            Cisco TAC Escalation Center   xxxix
    Obtaining Additional Publications and Information   xxxix

CHAPTER 1   Overview   1-1
    Product Overview   1-2
    Secure Content Accelerator Versions   1-3

CHAPTER 2   Installing the Hardware and Software   2-1
    Site Requirements   2-2
    Required Tools and Equipment   2-2
    Shipment Contents   2-2
    Unpacking the Secure Content Accelerator   2-3
    Installing the Hardware   2-3
        Installing as a Free-Standing Unit   2-4
        Installing as a Rack-Mounted Unit   2-5
    Panel Descriptions   2-5
    Identifying SCA Models   2-8
    Connecting to Power   2-8
    Connecting to Ethernet   2-9

CHAPTER 3   Using the QuickStart Wizard   3-1
    Before You Begin   3-2
    Initiating a Management Session   3-2
        Serial Management and IP Address Assignment   3-2
        Telnet   3-3
    Starting the QuickStart Wizard   3-4
    Using the QuickStart Wizard   3-5
    Using the QuickStart Wizard with a Configured Appliance   3-14

CHAPTER 4   Using the Configuration Manager   4-1
    Overview   4-2
    Configuration Security   4-3
        Passwords   4-3
        Access Lists   4-3
        Factory Default Reset Password   4-4
    Before You Begin   4-4
    Initiating a Management Session   4-5
        Serial Management and IP Address Assignment   4-5
        Telnet   4-6
    Configuring the Device   4-6
        Example: Setting up Basic Device Parameters   4-7
        Example: Setting up a Secure Server   4-8
        Example: Setting up a Backend Server   4-10
        Example: Setting up a Reverse-Proxy Server   4-11
        Example: Configuring Secure URL Rewrite   4-12
        Example: Configuring SNTP Servers   4-14
        Example: Restricting Access using an Access List   4-15
        Configuring an Ethernet Interface   4-16
        Example: Saving a Configuration File   4-17
    Step-Up Certificates and Server-Gated Cryptography   4-17
    Configuring Certificate Groups   4-18
        Example: Configuring a Certificate Group   4-18
        Example: Importing Certificate Groups   4-20
    Using Client and Server Certificate Authentication   4-21
        Example: Configuring Server Certificate Authentication   4-21
        Example: Configuring Client Certificate Authentication   4-23
    Generating Keys and Certificates   4-24
        Example: Generating an RSA Key   4-24
        Example: Generating a Certificate   4-24
    Supporting SNMP   4-25
        Example: Configuring SNMP   4-25
    Supporting RIP   4-26
        Example: Configuring RIP   4-26
    Supporting Other Secure Protocols   4-27
        Example: Configuring a Secure Mail Server   4-27
    Supporting FIPS   4-27
    Working with Syslogs   4-28
    Disabling SSL Versions   4-28
    Enabling Keepalives   4-29
    Setting the Idle-Timeout   4-31

CHAPTER 5   Graphical User Interface Reference   5-1
    Overview   5-2
    Browser and System Support   5-2
    Enabling Web Management   5-2
    Restricting Access to Web Management   5-3
    Starting the GUI   5-3
        Configuring for Client-Side Access   5-4
        Administrative Time Out   5-5
    Web Management User Interface   5-5
    General Configuration Examples   5-7
        Example: Setting the Device Name (Hostname)   5-7
        Example: Resetting the IP Address   5-8
        Example: Configuring an Ethernet Interface   5-9
        Example: Enabling RIP   5-10
        Example: Adding a Route to the Routing Table   5-11
        Example: Working with Syslogs   5-13
        Example: Restricting Access using an Access List   5-14
        Example: Reloading (Rebooting) the Appliance   5-17
        Example: Setting an Enable Password   5-18
        Example: Configuring SNMP   5-19
    SSL Configuration Examples   5-22
        Example: Setting up a Secure Server   5-22
        Example: Creating and Using Certificate Groups   5-35
        Example: Supporting Other Secure Protocols   5-37
        Example: Generating an RSA Private Key   5-38
        Example: Generating a Self-Signed Certificate   5-42
        Example: Importing a PKCS#7 Certificate Group   5-46
        Example: Importing a PKCS#12 Certificate Group   5-47
    Running the Secure Server Wizard   5-48

CHAPTER 6   FIPS Operation   6-1
    FIPS Capabilities   6-2
    Using FIPS Mode   6-2
        Creating a Server in FIPS Mode   6-5
    Command Changes   6-7
        Unavailable Commands   6-7
        Differing Command Behaviors   6-7
    Returning to Normal Operation   6-9
    More Information   6-10

APPENDIX A   Specifications   A-1
    Electrical Specifications   A-2
    Environmental Specifications   A-2
    Physical Specifications   A-3

APPENDIX B   Deployment Examples   B-1
    Single Device   B-2
    Load Balancing   B-2
    Use with the CSS   B-4
        In-Line   B-4
        One-Armed Non-Transparent Proxy   B-10
        One-Armed Transparent Proxy   B-19
    Connecting the Device to a Terminal Server   B-30
    Web Site Changes   B-30
    Transparent Local-Listen   B-31

APPENDIX C   Command Summary   C-1
    Input Data Format Specification   C-2
    Text Conventions   C-2
    Editing and Completion Features   C-3
    Command Hierarchy   C-5
    Configuration Security   C-6
        Passwords   C-6
        Access Lists   C-7
        Factory Default Reset Password   C-7
    Methods to Manage the Device   C-7
    Initiating a Management Session   C-9
        Serial Management and IP Address Assignment   C-9
        Telnet   C-10
    Command Listing   C-10
    Top Level Command Set   C-31
    Non-Privileged Command Set   C-31
        clear screen   C-31
        cls   C-31
        enable   C-31
        exit   C-32
        help   C-32
        monitor   C-33
        paws   C-33
        ping   C-33
        quit   C-34
        set monitor-interval   C-34
        show arp   C-35
        show copyrights   C-35
        show cpu   C-35
        show date   C-36
        show device   C-36
        show dns   C-37
        show flows   C-37
        show history   C-37
        show interface   C-38
        show interface errors   C-38
        show interface statistics   C-39
        show ip domain-name   C-40
        show ip name-server   C-40
        show ip routes   C-41
        show ip statistics   C-41
        show keepalive-monitor   C-41
        show log   C-42
        show memory   C-42
        show messages   C-42
        show netstat   C-43
        show password   C-43
        show password access   C-43
        show password enable   C-44
        show password idle-timeout   C-44
        show processes   C-44
        show rdate-server   C-45
        show rip   C-45
        show route   C-45
        show sessions   C-46
        show sntp   C-46
        show sntp-server   C-46
        show ssl   C-47
        show ssl cert   C-47
        show ssl certgroup   C-48
        show ssl errors   C-49
        show ssl key   C-54
        show ssl secpolicy   C-54
        show ssl server   C-55
        show ssl session-stats   C-56
        show ssl statistics   C-58
        show ssl tcp-tuning   C-60
        show syslog   C-61
        show system-resources   C-61
        show telnet   C-62
        show terminal   C-62
        show timezone   C-62
        show version   C-63
        show web-management   C-63
        terminal baud   C-63
        terminal history   C-64
        terminal length   C-65
        terminal pager   C-65
        terminal reset   C-66
        terminal width   C-66
        traceroute   C-67
    Privileged Command Set   C-68
        clear interface statistics   C-68
        clear ip routes   C-68
        clear ip statistics   C-69
        clear line   C-69
        clear log   C-69
        clear messages   C-70
        clear ssl session-stats   C-70
        clear ssl statistics   C-70
        configure   C-71
        copy running-configuration   C-71
        copy running-configuration startup-configuration   C-72
        copy startup-configuration   C-72
        copy startup-configuration running-configuration   C-73
        copy to flash   C-73
        copy to running-configuration   C-74
        copy to startup-configuration   C-74
        disable   C-75
        erase running-configuration   C-75
        erase startup-configuration   C-75
        fips enable   C-76
        quick-start   C-76
        refresh   C-77
        reload   C-77
        show access-list   C-77
        show diagnostic-report   C-78
        show running-configuration   C-79
        show snmp   C-79
        show startup-configuration   C-80
        write flash   C-81
        write memory   C-81
        write messages   C-82
        write network   C-82
        write terminal   C-83
    Configuration Command Set   C-84
        access-list   C-84
        clock   C-85
        end   C-86
        exit   C-86
        finished   C-86
        help   C-87
        hostname   C-87
        interface   C-88
        ip address   C-88
        ip domain-name   C-89
        ip name-server   C-89
        ip route   C-90
        ip route default   C-91
        keepalive-monitor   C-91
        mode one-port   C-92
        mode pass-thru   C-92
        password   C-92
        rdate-server   C-93
        registration-code   C-94
        rip   C-94
        no snmp   C-95
        snmp access-list   C-96
        snmp contact   C-97
        snmp default community   C-97
        snmp enable   C-98
        snmp location   C-99
        snmp trap-host   C-100
        snmp trap-type enterprise   C-101
        snmp trap-type generic   C-102
        sntp interval   C-103
        sntp server   C-104
        ssl   C-104
        syslog   C-105
        telnet access-list   C-106
        telnet enable   C-107
        telnet port   C-107
        timezone   C-108
        web-mgmt access-list   C-108
        web-mgmt enable   C-109
        web-mgmt port   C-110
    Interface Configuration Command Set   C-111
        auto   C-111
        duplex   C-111
        end   C-111
        finished   C-112
        help   C-112
        speed   C-112
    SSL Configuration Command Set   C-113
        backend-server   C-113
        cert   C-114
        certgroup   C-115
        end   C-116
        exit   C-116
        finished   C-116
        gencsr   C-116
        help   C-117
        import pkcs12   C-118
        import pkcs7   C-118
        key   C-119
        reverse-proxy-server   C-120
        secpolicy   C-121
        server   C-122
        tcp-tuning   C-122
    Backend Server Configuration Command Set   C-124
        activate   C-124
        certgroup serverauth   C-124
        end   C-125
        exit   C-125
        finished   C-125
        help   C-126
        info   C-126
        ip address   C-126
        keepalive enable   C-127
        keepalive frequency   C-127
        keepalive maxfailure   C-128
        localport   C-128
        log-url   C-129
        remoteport   C-129
        secpolicy   C-130
        serverauth domain-name   C-131
        serverauth enable   C-131
        serverauth ignore   C-132
        session-cache enable   C-132
        session-cache size   C-133
        session-cache timeout   C-133
        sslv2 enable   C-134
        sslv3 enable   C-134
        suspend   C-135
        tcp-tuning   C-135
        tlsv1 enable   C-136
        transparent   C-136
        urlrewrite   C-137
    Certificate Configuration Command Set   C-138
        binhex   C-138
        der   C-138
        end   C-139
        exit   C-139
        finished   C-139
        help   C-139
        info   C-140
        pem   C-140
        pem-paste   C-140
    Certificate Group Configuration Command Set   C-142
        cert   C-142
        end   C-142
        exit   C-143
        finished   C-143
        help   C-143
        info   C-144
    Key Configuration Command Set   C-145
        binhex   C-145
        der   C-145
        end   C-146
        exit   C-146
        finished   C-146
        genrsa   C-146
        help   C-147
        info   C-148
        net-iis   C-148
        pem   C-148
        pem-paste   C-149
    Reverse-Proxy Server Configuration Command Set   C-150
        activate   C-150
        certgroup serverauth   C-150
        end   C-151
        exit   C-151
        finished   C-152
        help   C-152
        info   C-152
        localport   C-153
        log-url   C-153
        secpolicy   C-154
        serverauth enable   C-155
        serverauth ignore   C-155
        session-cache enable   C-156
        session-cache size   C-156
        session-cache timeout   C-157
        sslv2 enable   C-157
        sslv3 enable   C-158
        suspend   C-158
        tcp-tuning   C-159
        tlsv1 enable   C-159
        urlrewrite   C-160
    Security Policy Configuration Command Set   C-161
        crypto   C-161
        end   C-163
        exit   C-163
        finished   C-164
        help   C-164
        info   C-164
    Server Configuration Command Set   C-165
        activate   C-165
        cert   C-165
        certgroup chain   C-166
        certgroup clientauth   C-167
        clientauth enable   C-167
        clientauth error   C-168
        clientauth verifydepth   C-169
        end   C-170
        ephemeral error   C-170
        ephrsa   C-171
        exit   C-171
        finished   C-171
        help   C-172
        httpheader   C-172
        info   C-175
        ip address   C-175
        keepalive enable   C-176
        keepalive frequency   C-176
        keepalive maxfailure   C-177
        key   C-177
        localport   C-178
        log-url   C-178
        remoteport   C-179
        secpolicy   C-180
        session-cache enable   C-181
        session-cache size   C-181
        session-cache timeout   C-182
        sharedcipher error   C-182
        sslport   C-183
        sslv2 enable   C-183
        sslv3 enable   C-184
        suspend   C-184
        tcp-tuning   C-185
        tlsv1 enable   C-185
        transparent   C-186
        urlrewrite   C-187
    TCP Tuning Configuration Command Set   C-189
        2msltime   C-189
        delay-ack   C-190
        finwt2time   C-191
        keepalive   C-191
        keepalive-cnt   C-192
        keepalive-intv   C-193
        max-rexmit   C-193
        maxrt   C-194
        maxseg   C-194
        mtu   C-195
        nodelay   C-196
        nopush   C-196
        probe-max   C-197
        probe-min   C-198
        push-all   C-199
        rto-def   C-199
        rto-max   C-200
        rto-min   C-201
        slow-start   C-202
        stdurg   C-202
        ts   C-203
        wnd-scale   C-204

APPENDIX D   MiniMax Command Summary   D-1
    Text Conventions   D-2
    Getting Help   D-3
    Examples   D-4
        Configuring Basic Device Parameters   D-4
        Installing a Firmware Image (Netcat)   D-5
        Installing a Firmware Image (Xmodem)   D-6
        Extracting a Device Configuration   D-8
        Resetting the Environment to Factory Defaults   D-9
    Command Set   D-11
        ? (question mark)   D-11
        baud   D-11
        boot   D-11
        cat   D-11
        do   D-12
        eaddr   D-12
        env   D-13
        help   D-14
        hinv   D-14
        ifconfig   D-14
        ip   D-14
        ls   D-15
        netstat   D-15
        printenv   D-15
        rdate-server   D-15
        reboot   D-16
        resetenv   D-16
        rm   D-16
        sbridge   D-16
        show   D-17
        version   D-18
        zap   D-18

APPENDIX E   Troubleshooting   E-1
    Troubleshooting the Hardware   E-2

APPENDIX F   SSL Introduction   1
    Introduction to SSL   2
    Port Blocking Mechanism   2
    Before You Begin   4
    Using Existing Keys and Certificates   4
        Apache mod_SSL   5
        ApacheSSL   5
        Stronghold   5
        IIS 4 on Windows NT   5
        IIS 5 on Windows 2000   6
    Configuration Security   7
        Passwords   7
        Access Lists   8
        Factory Default Reset Password   8
    Cisco SSL Configuration Components   8
        Real Server IP Addresses   9
        Keys   9
        Certificates   9
        Step-Up Certificates and Server-Gated Cryptography   9
        Chained Certificates   10
        Security Policies   10
    Cisco Secure Content Accelerator Management   12

APPENDIX G   Regulatory Information   15
    Regulatory Standards Compliance   16
    Canadian Radio Frequency Emissions Statement   16
    FCC Class A   17
    CISPR 22 (EN 55022) Class A   18
    VCCI   18
FIGURES

Figure 2-1 Secure Content Accelerator Front Panel   2-6
Figure 2-2 Secure Content Accelerator Rear Panel   2-6
Figure 2-3 SCA Ethernet Port Detail   2-7
Figure 2-4 SCA2 Ethernet Port Detail   2-7
Figure 4-1 Configuration Manager Hierarchy   4-2
Figure 5-1 Password Request Dialog Box   5-4
Figure 5-2 Basic User Interface Example   5-6
Figure 5-3 Changing Hostname Configuration Example   5-8
Figure 5-4 Resetting IP Information Configuration Example   5-9
Figure 5-5 Ethernet Interface Configuration Example   5-10
Figure 5-6 RIP Configuration Example   5-11
Figure 5-7 Routing Table Configuration Example   5-12
Figure 5-8 Adding a Route Example   5-12
Figure 5-9 Syslog Configuration Example   5-13
Figure 5-10 Access List Configuration Example   5-14
Figure 5-11 Add Access List Entry Example   5-15
Figure 5-12 Subsystem Access Configuration Example   5-16
Figure 5-13 Device Reloading Example   5-17
Figure 5-14 Save Changes Button   5-17
Figure 5-15 Change Password Example   5-18
Figure 5-16 SNMP Configuration Example   5-19
Figure 5-17 SNMP Trap Example   5-20
Figure 5-18 Add SNMP Trap Host Example   5-21
Figure 5-19 Private Keys Tab   5-22
Figure 5-20 Add Private Key Example   5-23
Figure 5-21 Importing a Private Key File Example   5-24
Figure 5-22 Certificates Tab   5-25
Figure 5-23 Add Certificate Example   5-26
Figure 5-24 Importing a Certificate Example   5-27
Figure 5-25 Security Policies Tab   5-28
Figure 5-26 Add Security Policy Example   5-29
Figure 5-27 Secure Servers Tab   5-30
Figure 5-28 Add Secure Server Information Example   5-31
Figure 5-29 Server Certificate and Security Policy Example   5-32
Figure 5-30 SSL Session Cache Example   5-32
Figure 5-31 Add URL Rewrite Rule Example   5-33
Figure 5-32 Add Secure Server Information Example   5-33
Figure 5-33 Add HTTP Headers Example   5-34
Figure 5-34 Add Keepalives Example   5-34
Figure 5-35 Certificate Groups Tab   5-35
Figure 5-36 Add Certificate Group Example   5-36
Figure 5-37 Assign Certificate Group Example   5-37
Figure 5-38 Configuring for Other Protocols Example   5-38
Figure 5-39 Generating a Private Key   5-39
Figure 5-40 Key Not Displayed Example   5-40
Figure 5-41 Key Displayed Example   5-41
Figure 5-42 Generate CSR Example   5-42
Figure 5-43 Generate Self-Signed Certificate   5-43
Figure 5-44 Self-Signed Certificate Example   5-44
Figure 5-45 Successfully Generated Self-Signed Certificate   5-45
Figure 5-46 Import PKCS#7 Certificate Group Example   5-46
Figure 5-47 Import PKCS#12 Certificate Group Example   5-47
Figure 5-48 Starting the Secure Server Wizard   5-48
Figure B-1 Single Secure Content Accelerator Installation   B-2
Figure B-2 Secure Content Accelerator Installation with a Load Balancer   B-3
Figure B-3 Secure Content Accelerator In-Line Installation   B-5
Figure B-4 Secure Content Accelerator One-Armed Non-Transparent Proxy Installation   B-11
Figure B-5 Secure Content Accelerator One-Armed Transparent Proxy Installation   B-20
Figure C-1 Command Hierarchy   C-5
Figure E-1 Troubleshooting Flowchart 1   E-6
Figure E-2 Troubleshooting Flowchart 2   E-7
Figure E-3 Troubleshooting Flowchart 3   E-8
Figure F-1 Port Blocking   3
Figure F-2 Port Blocking with Dropped Traffic   3
TABLES

Table 1-1 Secure Content Accelerator Model Differences   1-3
Table 2-1 SCA Port LED Descriptions   2-7
Table 2-2 SCA2 Port LED Descriptions   2-8
Table 6-1 Unavailable Commands   6-7
Table 6-2 FIPS Mode Command Changes   6-8
Table A-1 AC Electrical Specifications   A-2
Table A-2 Environmental Specifications   A-2
Table A-3 Physical Specifications   A-3
Table B-1 In-Line Installation Device Configuration   B-6
Table B-2 One-Armed Non-Transparent Proxy Installation Device Configuration   B-12
Table B-3 One-Armed Transparent Proxy Installation Device Configuration   B-22
Table C-1 Input Data Formats   C-2
Table C-2 Key Reference   C-3
Table C-3 Non-Privileged Command Description   C-11
Table C-4 Privileged Command Description   C-14
Table C-5 Configuration Command Description   C-16
Table C-6 Interface Configuration Command Description   C-19
Table C-7 SSL Configuration Command Description   C-20
Table C-8 Backup-Server Configuration Command Description   C-21
Table C-9 Certificate Configuration Command Description   C-23
Table C-10 Certificate Group Configuration Command Description   C-23
Table C-11 Key Configuration Command Description   C-24
Table C-12 Reverse-Proxy Server Configuration Command Description   C-25
Table C-13 Security Policy Configuration Command Description   C-26
Table C-14 Server Configuration Command Description   C-27
Table C-15 TCP Tuning Configuration Command Description   C-29
Table C-16 Output Description for show ssl errors   C-49
Table C-17 Abbreviations Used for show ssl errors continuous   C-53
Table C-18 Output Description for show ssl session-stats   C-57
Table C-19 Output Description for show ssl statistics   C-59
Table C-20 Headers Inserted with httpheader client-cert Command   C-173
Table C-21 Headers Inserted with httpheader session Command   C-174
Table C-22 Headers Inserted with httpheader server-cert Command   C-174
Table D-1 Firmware Image Selection   D-5
Table D-2 Firmware Image Selection   D-7
Table E-1 Troubleshooting the Hardware   E-2
Table F-1 Secure Content Accelerator Cryptographic Algorithms   10
Table G-1 Regulatory Standards Compliance   16
About This Guide

This guide can help you successfully install and configure the Cisco 11000 Series Secure Content Accelerators (SCA and SCA2). It also provides helpful troubleshooting suggestions for potential hardware and software problems.

How to Use This Guide

This section describes the contents of this guide.

Chapter 1, Overview
    This chapter describes the features and functions of the Secure Content Accelerator.

Chapter 2, Installing the Hardware and Software
    This chapter describes how to install the Secure Content Accelerator as a free-standing or rack-mount unit.

Chapter 3, Using the QuickStart Wizard
    This chapter provides instructions for using the QuickStart wizard.

Chapter 4, Using the Configuration Manager
    This chapter describes how to use the configuration manager to configure the SSL appliance.

Chapter 5, Graphical User Interface Reference
    This chapter describes how to use the Graphical User Interface (GUI) to configure the Cisco Secure Content Accelerator. The GUI provides a convenient, Web browser-based method of configuring SSL appliances.

Chapter 6, FIPS Operation
    This chapter provides a basic introduction to FIPS and describes how to configure the Secure Content Accelerator for FIPS operation. FIPS operation is only available for the SCA2.

Appendix A, Specifications
    This appendix provides specifications for the Secure Content Accelerator.

Appendix B, Deployment Examples
    This appendix provides examples for configuring and deploying the Secure Content Accelerator in conjunction with other networking hardware.

Appendix C, Command Summary
    This appendix provides detailed command descriptions and examples to help you take advantage of Secure Content Accelerator features.

Appendix D, MiniMax Command Summary
    This appendix provides MiniMax command descriptions and examples.

Appendix E, Troubleshooting
    This appendix provides information to help you isolate and solve problems. It also provides information on using the Cisco Connection Online.

Appendix F, SSL Introduction
    This appendix presents a short introduction to SSL and a description of how the components are used in configuration. Instructions for generating keys and certificates with OpenSSL are also included.

Appendix G, Regulatory Information
    This appendix provides information on regulatory compliance.

Glossary
    This section provides definitions of terms used in this document.

Index
    The index provides a detailed list to help you locate specific information quickly.

Symbols and Conventions

This guide uses the following symbols and conventions to emphasize certain information.
Warning   This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. Read the installation instructions before you connect the system to its power source.

Caution   A caution means that a specific action you take could cause a loss of data or adversely impact use of the equipment.

Note   A note provides important related information, reminders, and recommendations.

Bold text indicates a command in a paragraph.

Courier text indicates text that appears in a command line (such as the command line interface) or is returned by the computer.

Courier bold text indicates commands and text you enter in a command line.

Italic text indicates the first occurrence of a new term, a book title, and emphasized text.

1. A numbered list indicates that the order of the list items is important.
   a. An alphabetical list indicates that the order of the secondary list items is important.

• A bulleted list indicates that the order of the list topics is unimportant.
  – An indented dashed list indicates that the order of the list topics is unimportant.
Page 35
About This Guide
Obtaining Documentation
Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation on the World Wide Web at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
http://www.cisco.com
Obtaining Documentation
International Cisco web sites can be accessed from this URL:
http://www.cisco.com/public/countries_languages.shtml
Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.
Registered Cisco.com users can order the Documentation CD-ROM (product number DOC-CONDOCCD=) through the online Subscription Store:
http://www.cisco.com/go/subscription
Ordering Documentation
You can nd instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
78-13124-06
Cisco 11000 Series Secure Content Accelerator Configuration Guide
xxxv
Page 36
Obtaining Documentation
About This Guide
You can order Cisco documentation in these ways:
• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:
http://www.cisco.com/en/US/partner/ordering/index.shtml
• Registered Cisco.com users can order the Documentation CD-ROM (Customer Order Number DOC-CONDOCCD=) through the online Subscription Store:
http://www.cisco.com/go/subscription
• Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).
Documentation Feedback
You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click Feedback at the top of the page.
You can e-mail your comments to bug-doc@cisco.com.
You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Technical Assistance
Cisco provides Cisco.com, which includes the Cisco Technical Assistance Center (TAC) Website, as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from the Cisco TAC website. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC website, including TAC tools and utilities.
Cisco.com
Cisco.com offers a suite of interactive, networked services that let you access Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.
Cisco.com provides a broad range of features and services to help you with these tasks:
• Streamline business processes and improve productivity
• Resolve technical issues with online support
• Download and test software packages
• Order Cisco learning materials and merchandise
• Register for online skill assessment, training, and certification programs
To obtain customized information and service, you can self-register on Cisco.com at this URL:
http://www.cisco.com
Technical Assistance Center
The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC website and the Cisco TAC Escalation Center. The avenue of support that you choose depends on the priority of the problem and the conditions stated in service contracts, when applicable.
We categorize Cisco TAC inquiries according to urgency:
• Priority level 4 (P4): You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.
• Priority level 3 (P3): Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
• Priority level 2 (P2): Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.
• Priority level 1 (P1): Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.
Cisco TAC Website
You can use the Cisco TAC website to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC website, go to this URL:
http://www.cisco.com/tac
All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC website. Some services on the Cisco TAC website require a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:
http://tools.cisco.com/RPF/register/register.do
If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC website, you can open a case online at this URL:
http://www.cisco.com/en/US/support/index.html
If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC website so that you can describe the situation in your own words and attach any necessary files.
Cisco TAC Escalation Center
The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.
To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
• The Cisco Product Catalog describes the networking products offered by Cisco Systems as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:
http://www.cisco.com/en/US/products/products_catalog_links_launch.html
• Cisco Press publishes a wide range of networking publications. Cisco suggests these titles for new and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL:
http://www.ciscopress.com
• Packet magazine is the Cisco monthly periodical that provides industry professionals with the latest information about the field of networking. You can access Packet magazine at this URL:
http://www.cisco.com/en/US/about/ac123/ac114/about_cisco_packet_magazine.html
• iQ Magazine is the Cisco monthly periodical that provides business leaders and decision makers with the latest information about the networking industry. You can access iQ Magazine at this URL:
http://business.cisco.com/prod/tree.taf%3fasset_id=44699&public_view=true&kbns=1.html
• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in the design, development, and operation of public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html
• Training: Cisco offers world-class networking training, with current offerings in network training listed at this URL:
http://www.cisco.com/en/US/learning/le31/learning_recommended_training_list.html
CHAPTER 1
Overview
This chapter describes the features and functions of the Secure Content Accelerator. This chapter contains the following sections:
• Product Overview
• Secure Content Accelerator Versions
Product Overview
The Secure Content Accelerator is a Secure Sockets Layer (SSL) offloading solution. You can secure a server for testing purposes immediately using a pre-loaded default key and certificate rather than wait up to a week for your key and certificate to arrive. Simply load your own certificate and key when they are available.
The Cisco 11000 Series Secure Content Accelerator is compatible with all Cisco content switches: the Cisco LocalDirector, the Catalyst Content Switching Module, and the Cisco CSS 11000 Series Content Services Switches.
The Secure Content Accelerator provides:
• Secure URL rewrite, preventing URL redirects and references from breaking or circumventing SSL sessions.
• FIPS-compliant operation (SCA2 only)
• Firmware signatures are verified during startup and when a firmware image is uploaded to or loaded on the device.
• Auto logout for increased configuration security
• Management via command line and Web-based graphical user interfaces
• Hardware server keepalive support
• Arbitrary HTTP headers
• TCP tuning facility
• Syslog facility support
• Authentication logging
• SSL version control
• RIP client version 1 and 2 support
• Multiple SNTP server support
• SNMP MIB-II support (read-only)
• Transparent/non-transparent SSL proxy toggling
• Non-SSL traffic blocking when operating in default in-line (dual-port) mode
• Arbitrary certificate size
• Netscape International Step-Up Certificate and Microsoft Server Gated Cryptography support
• Private key security
• Client and server certificate authentication
• Configurable shared cipher and ephemeral RSA error messages
• On-device key and certificate generation
• HTTPS, IMAPS, POP3S, NNTPS, and LDAPS as well as TLS version 1.0, and SSL version 2.0 and 3.0 support
Secure Content Accelerator Versions
This document applies to all Secure Content Accelerator hardware models, the SCA and SCA2. Any differences in displayed information are described where applicable. The table below presents the differences between the two Secure Content Accelerator models.
Table 1-1 Secure Content Accelerator Model Differences

| Feature | SCA | SCA2 |
| --- | --- | --- |
| Maximum Connections | 5000 | 30,000 |
| Maximum Session Cache | 75,000 | 300,000 |
| Maximum SSL Servers | 255 | 4095 |
| Maximum Keys | 255 | 4095 |
| Maximum Certificates | 255 | 4095 |
| CPU | 250 MHz Motorola 8240 | 600 MHz IBM 750CXE |
| RAM | 64MB | 256MB |
| Flash | 16MB | 32MB |
| Cryptographic Engine | Rainbow FastMap 200 | Broadcom 5821 |
| Maximum 1024-bit RSA Operations/Second | 200 | 4000 |
| Hardware Digest | No | Yes |
| Hardware Cipher | No | Yes |
| Hardware RNG | No | Yes |
CHAPTER 2
Installing the Hardware and Software
This chapter describes how to install the Secure Content Accelerator as a free-standing or rack-mounted unit. Suggestions for using the Secure Content Accelerator in conjunction with other networking hardware are described in Appendix B, Deployment Examples.
This chapter contains the following sections:
• Site Requirements
• Shipment Contents
• Unpacking the Secure Content Accelerator
• Installing the Hardware
• Panel Descriptions
• Connecting to Power
• Connecting to Ethernet
Site Requirements
Before you select an installation site for the Secure Content Accelerator, read the electrical, environmental, and physical requirements as described in Appendix A.
Warning
Before you install, operate, or service the system, read the Site Preparation and Safety Guide. This guide contains important safety information you should know before working with the system. Please see Appendix A.
Required Tools and Equipment
To install the Secure Content Accelerator, you need the following tools and equipment:
• A Phillips screwdriver
• Rack-mount screws and appropriate screwdriver
Shipment Contents
The Secure Content Accelerator shipment contains the following items:
• Secure Content Accelerator
• Mounting brackets and hardware
• Null modem cable
• Two power cables
• Secure Content Accelerator compact disk containing:
  – Secure Content Accelerator documentation
  – Release Notes
  – PDF version of this guide
  – Firmware files
Unpacking the Secure Content Accelerator
The Secure Content Accelerator is shipped in a protective carton. The appliance is a self-contained chassis; no modules or components can be added or removed.
Note
A tamper-evident sticker is affixed to the Secure Content Accelerator. When using the device for FIPS-compliant operation, this sticker must remain in place and untouched.
To unpack the Secure Content Accelerator:
1. Remove all enclosed packing materials. Save the packing materials in case you need to repack the Secure Content Accelerator later.
2. Remove all accessories from the shipping carton.
3. Check the accessories against the items listed in the section Shipment Contents.
Installing the Hardware
Warning
Before working on a system that has an on/off switch, turn OFF the power and unplug the power cord. This unit has more than one power cord. To reduce the risk of electric shock, disconnect the two power supply cords before servicing the unit. The safety cover is an integral part of the product. Do not operate the unit without the safety cover installed. Operating the unit without the cover in place will invalidate the safety approvals and pose a risk of fire and electrical hazards.
The Secure Content Accelerator can be placed on a flat surface as a free-standing unit or rack-mounted in an equipment cabinet. The following sections describe the steps to install the Secure Content Accelerator as a:
• Free-standing unit
• Rack-mounted unit
Prior to installing the Secure Content Accelerator, observe the following installation requirements:
• The Maximum Rated Ambient Temperature (Tmra) for the Secure Content Accelerator is 105° F (40° C). To ensure the Tmra for this device is not exceeded, allow at least 1 inch (2.54 cm) of space around the four sides of the Secure Content Accelerator.
• This equipment is designed to support only its own weight. Do not place other equipment or material on the Secure Content Accelerator.
Warning
Review nameplate ratings for correct voltage and load requirements. For safety, this equipment is required to be grounded through the ground conductor of the AC power cords. Do not remove the cover of the Secure Content Accelerator. There are electrical shock hazards present in the unit if the cover is removed. To reduce the risk of fire or electric shock, do not expose the Secure Content Accelerator to rain or moisture. To disconnect power, remove both power cords. Please review the caution label on the Secure Content Accelerator.
Installing as a Free-Standing Unit
Position the Secure Content Accelerator on a level surface in an area with access to your network cabling. When installing the Secure Content Accelerator note that Ethernet and serial cables attach to the front of the chassis and power cables attach to the back.
Installing as a Rack-Mounted Unit
Warning
To prevent bodily injury when mounting or servicing this unit in a rack, you must take special precautions to ensure that the system remains stable. The following guidelines are provided to ensure your safety: 1) This unit should be mounted at the bottom of the rack if it is the only unit in the rack. 2) When mounting this unit in a partially filled rack, load the rack from the bottom to the top with the heaviest component at the bottom of the rack. 3) If the rack is provided with stabilizing devices, install the stabilizers before mounting or servicing the unit in the rack.
Before you begin, you will need the mounting brackets and six screws shipped with the Secure Content Accelerator, a #2 Phillips screwdriver, rack-mounting screws and an appropriate screwdriver.
1. Position the Secure Content Accelerator with the front panel facing you.
2. Position a mounting bracket on one side of the chassis, aligning the holes in the bracket with the screw holes on the chassis.
3. Secure the bracket to the chassis with three screws and the Phillips screwdriver.
4. Repeat steps 2 and 3 to install a mounting bracket on the other side of the chassis.
5. Raise the Secure Content Accelerator to the installation height. Align the screw holes of the mounting brackets with the holes on the equipment rack.
6. Use the appropriate screwdriver and screws to secure each mounting bracket to each side of the rack.
Panel Descriptions
The front panel of the Secure Content Accelerator, shown in Figure 2-1, contains the following connectors, switches, and LEDs:
• Two DB9 serial ports, marked AUX and CONSOLE
• Two RJ-45 10/100 Ethernet interface ports, marked SERVER and NETWORK
• Three Ethernet management LEDs associated with each port
• One TEST LED
• One RESET switch
Figure 2-1 Secure Content Accelerator Front Panel
The rear panel of the Secure Content Accelerator, shown in Figure 2-2, contains the following connectors and switches:
• Two power inputs
• Two power switches
Figure 2-2 Secure Content Accelerator Rear Panel
Figure 2-3 shows the LED layout of the SCA Ethernet ports. Table 2-1 describes the function of each LED on the SCA.
Figure 2-3 SCA Ethernet Port Detail
[Figure labels: Reset Switch, Test LED; Server and Network ports, each with 100, ACT, and LNK LEDs]
Table 2-1 SCA Port LED Descriptions

| LED Name | Color | State | Indication |
| --- | --- | --- | --- |
| LK | Green | Off | No link established |
| LK | Green | On | Link established |
| TX | Amber | Blinking | Transmit activity detected |
| RX | Green | Blinking | Receive activity detected |
| Test | Amber | Off | Self-diagnostics are successful |
| Test | Amber | On | Self-diagnostics are running |
Figure 2-4 shows the LED layout of the SCA2 Ethernet ports. Table 2-2 describes the function of each LED on the device.
Figure 2-4 SCA2 Ethernet Port Detail
[Figure labels: Reset Switch, Test LED; Server and Network ports, each with 100, ACT, and LNK LEDs]
Table 2-2 SCA2 Port LED Descriptions

| LED Name | Color | State | Indication |
| --- | --- | --- | --- |
| LNK | Green | Off | No link established |
| LNK | Green | On | Link established |
| ACT | Amber | Blinking | Transmit activity detected |
| 100 | Green | Off | 10Mbps |
| 100 | Green | On | 100Mbps |
| Test | Amber | Off | Self-diagnostics are successful |
| Test | Amber | On | Self-diagnostics are running |
Identifying SCA Models
SCA and SCA2 models can be differentiated by the text on the product label.
Connecting to Power
The Secure Content Accelerator is powered by dual AC power supplies. Before you install the power cords, ensure that you have read Appendix A for electrical specifications.
1. Ensure that the Secure Content Accelerator power switches are in the 0 (off) position.
2. Attach the power cables to the Secure Content Accelerator by plugging the AC power cord connector into the power receptacle at the rear panel.
3. Plug the power cords into dedicated three-wire grounding receptacles.
4. Switch the power switches to the 1 (on) position.
Note
Connect the power supplies to different circuits to further ensure appliance availability.
Connecting to Ethernet
This section describes how to attach the Secure Content Accelerator to Ethernet. For network deployment instructions and suggestions, see Appendix B, Deployment Examples.
Caution
If you are using the Secure Content Accelerator in two-port mode, you must connect the cables to it so that client requests (inbound) and server requests (outbound) move through different ports. Inbound traffic uses the Network port; outbound traffic uses the Server port. If you are using the appliance in one-port mode, you must connect it so that both client requests and server traffic travel through the Network port.
Use only Category 5 UTP cables with RJ-45 connectors. The Secure Content Accelerator Ethernet interfaces are configured as NIC ports. Use a straight-through cable to connect the Secure Content Accelerator to a hub or switch. Use a crossover cable to connect the Secure Content Accelerator to a NIC.
1. Connect the Network port to the Internet.
2. Connect the Server port to the servers (or to the Network port if using one-port mode).
3. Check the LK LEDs for connection viability. If one or both LK LEDs are not lit, see Appendix E, Troubleshooting, for suggestions.
CHAPTER 3
Using the QuickStart Wizard
The QuickStart wizard helps you set up the SSL appliance rapidly using the most basic information. To perform a more advanced configuration, use the configuration manager as described in Chapter 4. The QuickStart wizard presented in this chapter is available only from a CLI-based management session. See Chapter 5 for information about using the Secure Server wizard from a GUI-based management session.
This chapter contains the following sections:
• Before You Begin
• Initiating a Management Session
• Starting the QuickStart Wizard
• Using the QuickStart Wizard
• Using the QuickStart Wizard with a Configured Appliance
Before You Begin
Before configuring the SSL appliance you must have a certificate and keys for the server. You can use the files you received from the Certificate Authority, copy the keys and certificate from an existing secure server, use default keys and certificates preloaded in the device, or generate your own keys and certificates.
Instructions for exporting keys and certificates from an existing server are found in Using Existing Keys and Certificates in Appendix F.
Additionally, be aware that you might have to make several changes to your Web pages. The nature of the changes depends upon whether you are securing a previously unsecured site, or adding the SSL appliance to an already secure server installation. These changes are described in the section Web Site Changes in Appendix B, Deployment Examples.
Note
When using the QuickStart wizard in FIPS Mode, only FIPS-approved algorithms are available.
Initiating a Management Session
Use the appropriate instructions below to initiate a management session with the Cisco Secure Content Accelerator.
Note
When using the Secure Content Accelerator in FIPS Mode, only serial management is allowed.
Serial Management and IP Address Assignment
Follow these steps to initiate a management session via a serial connection and set an IP address for the device.
Note
When configuring an SCA2 via a serial connection, the displayed prompt is SCA2 unless a hostname has been defined for the device.
Note
The default terminal settings on the SSL devices and modules are 80 columns by 25 lines. To ensure the best display and reduce the chance of graphic anomalies, please use the same settings with the serial terminal software. The device terminal settings can be changed, if necessary. Use the standard ANSI setting on the serial terminal software.
1. Attach the included null modem cable to the appliance port marked CONSOLE. Attach the other end of the null modem cable to a serial port on the configuring computer.
2. Launch any terminal emulation application that communicates with the serial port connected to the appliance. Use these settings: 9,600 baud, 8 data bits, no parity, 1 stop bit, no flow control.
3. Press Return. Initial information is displayed followed by an SCA> prompt.
4. Enter Privileged and Configuration modes and set the IP address using the following commands. Replace the IP address in the example with the appropriate one.
SCA> enable
SCA# configure
(config[SCA])# ip address 10.1.2.5 netmask 255.255.255.0
(config[SCA])#
Note
When prompted to supply a file name during serial management, you must supply it as a URL in the form of HOST/PATH/FILENAME using the http://, https://, ftp://, or tftp:// prefix.
Telnet
After you have assigned an IP address to the Cisco Secure Content Accelerator using the serial console CLI, you can connect to the appliance via telnet.
1. Initiate a telnet session with the IP address previously assigned to the appliance.
2. An SCA> prompt is displayed.
Note
When prompted to supply a file name during a telnet management session, you must supply it as a URL in the form of HOST/PATH/FILENAME using the http://, https://, ftp://, or tftp:// prefix.
Starting the QuickStart Wizard
After initiating a management session as described previously, start the QuickStart wizard via a serial or telnet connection by entering these commands:
enable
quick-start
If you are using telnet, go to Using the QuickStart Wizard below.
If you are using a serial connection and the device has not been assigned an IP address, you are prompted to assign a hostname and IP address before beginning the QuickStart conguration process.
Would you like to specify a hostname and IP address for this device?:
Enter the hostname for this device:
The hostname is a user-specified device name. In this example, we use the name myDevice. When prompted for them, enter the IP address, netmask, and default gateway for the device. You are prompted to accept the information before continuing with configuration.
The following configuration will be saved to the device.
Hostname : myDevice
Ip address : 10.1.11.100
Netmask : 255.255.255.0
Default gateway addr : 10.1.11.10
Is the above information correct? (y/n):
Enter y if the listing is correct. Go to Using the QuickStart Wizard below. Enter n if the information is incorrect. You are prompted for the configuration information again.
Using the QuickStart Wizard
Read the opening screen information and respond to the prompt.
Would you like to use the QuickStart wizard to create an ssl-server? (y/n):
If you do not have a key and certificate available and do not wish to use a default key and certificate, enter n or q. If you have read and agree with the introductory information, enter y. The following text is displayed:
Enter a name for your ssl-server:
Enter a name for the logical secure server (ssl-server) you are configuring. The name is used for identification purposes only. (In this example, we name the server myServer.) If it already exists, you are asked to provide a different name.
Note
Secure server names can consist of Arabic numerals and upper- and lowercase alphabetic, underscore (_), hyphen (-), and period (.) characters. Secure server names must begin with an alphabetic character and have a limit of 15 characters.
Enter the IP address for myServer:
This is the IP address of the real server to which the clear text should be sent.
Enter the SSL port:
Enter the TCP service port for the appliance to monitor for secure connection requests. The default is 443, but you can specify a different number. You cannot specify a TCP service port already configured to the same IP address.
Enter the clear text port:
Enter the number of the TCP service port for the SSL appliance to use to send clear text to the server. If you specify TCP service port 80, you are warned that the port will be unavailable for non-SSL requests. (See Appendix F for a discussion of port blocking.) You can abort the current clear text port designation and enter a different TCP service port, or approve using TCP service port 80 for clear text.
You have completed TCP service port configuration of the logical secure server and are ready to specify a key to use.
The following ssl-server will be created.
SSL-Server name : myServer
Ip address : 10.1.2.3
Secure Port : 443
Clear Port : 80
CONFIGURE SSL-SERVER ‘myServer’ KEY
Each ssl-server is associated with a key.
1. Key is stored in a file on a http or ftp server.
2. Want to use an existing or default Key.
Choose the option corresponding to your situation (1/2):
Note
If you are using a key created with IIS or a non-PEM-encoded key or certificate, use the default keys and certificates included with the SSL device. After configuring the device with the QuickStart wizard, use the configuration manager to load your own certificate and key. See Example: Setting up a Secure Server in Chapter 4 and SSL Configuration Command Set in Appendix C.
If you have the key available via a URL, type 1.
Enter the name of the key for ssl-server ‘myServer’:
Enter the name to assign to the key. This name is used for identification only.
Note
Key names can consist of Arabic numerals and upper- and lowercase alphabetic, underscore (_), hyphen (-), and period (.) characters. Key names must begin with an alphabetic character and have a limit of 15 characters.
Enter the URL for a PEM encoded key file:
Enter the URL for the key as prompted. If the QuickStart wizard is unable to find or load the file, you receive an error message and are allowed to restart key assignment. After the key is properly loaded, configure the certificate as described below.
To use a key already loaded into the appliance (including defaults) rather than a key on disk, type 2 when prompted to choose an option. All available keys are displayed. Enter the name of the key to use. If you enter an invalid key name, you receive an error message and are prompted to re-enter the key name.
After the key has been properly loaded, you are shown a summary and asked to configure a certificate.
SSL-server name : myServer
Ip address : 10.1.2.3
Secure Port : 443
Clear Port : 80
Key name : default
CONFIGURE SSL-SERVER ‘myServer’ CERT
Each ssl-server is associated with a certificate.
1. Certificate is stored in a file on a http or ftp server.
2. Want to use an existing or default Certificate.
Choose the option corresponding to your situation (1/2):
If you have the certificate available via a URL, type 1.
Enter the name of the certificate for ssl-server ‘myServer’:
Enter the name to assign the certificate. This name is used for identification only.
Note
Certificate names can consist of Arabic numerals and upper- and lowercase alphabetic, underscore (_), hyphen (-), and period (.) characters. Certificate names must begin with an alphabetic or underscore character and have a limit of 127 characters.
Enter URL for a PEM encoded X509 certificate file:
Enter the URL for the certificate as prompted. If the QuickStart wizard is unable to find or load the file, you receive an error message and are allowed to restart certificate assignment. After the certificate is properly loaded, configure a security policy as described below.
To use a certificate already loaded into the appliance (including the default certificates) rather than a certificate on disk, type 2 when prompted to choose an option. All available certificates are displayed. Enter the name of the certificate to use. If you enter an invalid certificate name, you receive an error message and are prompted to re-enter the certificate name.
Note When using default keys and certificates, the certificate and key you choose must match. The pre-loaded default and default-512 keys and certificates are interchangeable and can be used in combination. The default-1024 key and certificate must be used together. If you have entered a key and certificate that cannot be used together, you are asked whether to re-enter the key and certificate. If you do not choose to re-enter them, your choices are accepted, but the secure server is not configured correctly and will not function properly.
After the certificate has been properly loaded, you are shown a summary and asked to specify a security policy.
CONFIGURE SSL-SERVER ‘myServer’ SECURITY POLICY
SSL-server name : myServer
IP address      : 10.1.2.3
Secure Port     : 443
Clear Port      : 80
Key name        : default
Cert name       : default
You need to enter a security policy for ssl-server ‘myServer’. To simplify the encryption algorithms, you have 3 options:
strong  - RSA key size of 1024, DES_MD5, DES_SHA1, 3DES_MD5, 3DES_SHA1, ARC4_MD5, and ARC4_SHA1
weak    - RSA key size of 512, exp DES_SHA1, ARC2_MD5, ARC4_MD5; RSA key size of 1024, exp ARC2_MD5, DES_SHA1, ARC4_SHA1, MD5, and SHA1
default - RSA key size of 1024, ARC4_MD5, ARC4_SHA1 and exp ARC4_MD5, ARC4_SHA1, ARC2_MD5; RSA key size of 512, exp ARC4_MD5, MD5, and SHA1
ARC4 is compatible with RC4 RSA Data Security; ARC2 is compatible with RC2 RSA Data Security.
Enter the security policy for ssl-server ‘myServer’ [default]:
At the prompt, enter the name of the security policy to use, or simply press Enter to use the default security policy. The strong policy includes the most secure algorithms. The weak policy algorithms are less secure and were intended for export use. The default policy algorithms are those most commonly used. See Appendix F for more algorithm information. If you enter an invalid security policy name, you receive an error message and are prompted to re-enter the name.
Be aware that both the weak and the default policies list export-grade (40- and 56-bit) suites and the NULL-MD5 and NULL-SHA suites. A NULL suite authenticates the server but does not encrypt, so a client that offers only NULL suites gets a session that carries plaintext. Choose strong (or fips) rather than the default when that is not acceptable.
Note When using the QuickStart wizard in FIPS Mode, only security policies containing one or more FIPS-compliant algorithms are available.
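To see what the policy names above actually negotiate, the following added example (not code from the Cisco guide) parses the cipher-suite lists the device prints in its QuickStart summary for the default, weak, fips, strong and all policies and reports the weakest suite in each. The suite lists are the device output quoted later in this chapter; the key-length table, the export conventions (EXP denotes 40-bit suites with 512-bit RSA, EXP1024 denotes 56-bit suites with 1024-bit RSA) and the helper names are assumptions made here for illustration.

```python
# Added example: audit the cipher suites behind each SCA security policy name.
# POLICIES is copied from the device's QuickStart summary output; BULK_BITS and
# EXPORT_LIMITS are assumed tables used only for this illustration.

POLICIES = {
    "default": "ARC4-MD5,ARC4-SHA,EXP-ARC4-MD5,EXP-ARC4-SHA,EXP1024-ARC4-MD5,"
               "EXP1024-ARC2-CBC-MD5,EXP1024-ARC4-SHA,NULL-MD5,NULL-SHA",
    "weak":    "EXP-ARC4-MD5,EXP-ARC2-MD5,EXP1024-ARC4-MD5,EXP1024-ARC2-CBC-MD5,"
               "EXP1024-DES-CBC-SHA,EXP1024-ARC4-SHA,NULL-MD5,NULL-SHA,EXP-DES-CBC-SHA",
    "fips":    "DES-CBC-SHA,DES-CBC3-SHA",
    "strong":  "DES-CBC-MD5,DES-CBC-SHA,DES-CBC3-MD5,DES-CBC3-SHA,ARC4-MD5,ARC4-SHA",
    "all":     "DES-CBC-MD5,DES-CBC-SHA,DES-CBC3-MD5,DES-CBC3-SHA,ARC4-MD5,ARC4-SHA,"
               "EXP-ARC4-MD5,EXP-ARC4-SHA,EXP-ARC2-MD5,EXP1024-ARC4-MD5,"
               "EXP1024-ARC2-CBC-MD5,EXP1024-DES-CBC-SHA,EXP1024-ARC4-SHA,"
               "NULL-MD5,NULL-SHA,EXP-DES-CBC-SHA",
}

# Symmetric key length of each bulk-cipher token, in bits (assumed table).
BULK_BITS = {"NULL": 0, "DES-CBC": 56, "DES-CBC3": 168,
             "ARC4": 128, "ARC2": 128, "ARC2-CBC": 128}

# Export classes cap the negotiated key length and the RSA modulus size.
EXPORT_LIMITS = {"EXP": (40, 512), "EXP1024": (56, 1024)}


def parse_suite(name):
    """Split e.g. 'EXP1024-ARC2-CBC-MD5' into export class, bulk cipher, MAC
    and the effective symmetric key length in bits."""
    parts = name.split("-")
    mac = parts[-1]
    export = None
    if parts[0] in EXPORT_LIMITS:
        export, parts = parts[0], parts[1:]
    bulk = "-".join(parts[:-1])
    bits = BULK_BITS[bulk]
    rsa_bits = None
    if export:
        cap, rsa_bits = EXPORT_LIMITS[export]
        bits = min(bits, cap)
    return {"suite": name, "bulk": bulk, "mac": mac,
            "export": export, "bits": bits, "rsa_bits": rsa_bits}


def audit(policy):
    """Summarise the weakest point of one policy: minimum key bits,
    the suite that sets it, and the export and NULL suites it contains."""
    suites = [parse_suite(s) for s in POLICIES[policy].split(",")]
    weakest = min(suites, key=lambda s: s["bits"])
    return {
        "policy": policy,
        "min_bits": weakest["bits"],
        "weakest": weakest["suite"],
        "export": [s["suite"] for s in suites if s["export"]],
        "null": [s["suite"] for s in suites if s["bulk"] == "NULL"],
    }


def policies_meeting(min_bits):
    """Names of policies whose every suite gives at least min_bits of symmetric key."""
    return sorted(p for p in POLICIES
                  if all(parse_suite(s)["bits"] >= min_bits
                         for s in POLICIES[p].split(",")))


if __name__ == "__main__":
    for name in POLICIES:
        r = audit(name)
        print(f"{name:8s} weakest={r['weakest']:22s} bits={r['min_bits']:3d} "
              f"export={len(r['export'])} null={len(r['null'])}")
    print("policies with >=56-bit everywhere: ", policies_meeting(56))
    print("policies with >=128-bit everywhere:", policies_meeting(128))
```

Running it shows that default and weak both bottom out at 0 bits because of the NULL suites, and that even strong and fips contain single DES, so no policy on this 2003-era device reaches 128 bits across all of its suites.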
After the name of the security policy is accepted, you are prompted to verify the logical secure server configuration.
SSL-SERVER ‘myServer’ SUMMARY
The following SSL-server will be created:
SSL-server name      : myServer
IP address           : 10.1.2.3
Secure Port          : 443
Clear Port           : 80
Key name             : default
Cert name            : default
Security Policy name : strong
Is the above information correct? (y/n) :
If the information is correct, type y. The logical secure server you have configured is created. If you type n, the server configuration process restarts using the current secure server.
Would you like to use the QuickStart wizard to create another ssl-server? (y/n):
Type y to begin the server configuration process again with a new server. Type n to set a configuration (enable) password for the device.
SETUP CONFIGURATION PASSWORD PROTECTION
Would you like to set a password to protect configuration of the SCA? (y/n):
Type y, and enter a password. Re-enter it to confirm. You must set an enable password for the device to ensure its configuration security; without one, anyone who can reach the device over the network can reconfigure it. The password you enter is not displayed.
Would you like to set a name for this device? (y/n/q):
Type y, and enter a name for the SSL appliance.
A default gateway is needed to connect outside of your local subnet.
Would you like to set a default gateway for this device? (y/n/q): y
Enter a default gateway for this device:
A default gateway is needed for the device to connect outside of the local subnet. Type y, and enter the IP address at the prompt.
A summary screen shows information about the device, keys, certificates, security policies, and the logical secure servers configured on it.
SCA myDevice
Keys capacity 255, defined 3
-----------------------------------
Name          Id   RC   V
-----------------------------------
default       1    0    Y
default-512   2    0    Y
default-1024  3    0    Y
Certificates capacity 511, defined 3
-----------------------------------------------------------
Name          Id   RCCG   RCPS   V
-----------------------------------------------------------
default       1    0      0      Y
default-512   2    0      1      Y
default-1024  3    0      0      Y
Certificate Groups capacity 64, defined 1
-----------------------------------
Name          Id   RC   CNT
-----------------------------------
defaultCA     1    0    13
Security Policies capacity 255, defined 6
-----------------------------------------
Name        Id   RC   Policy List
-----------------------------------------
default     1    0    ARC4-MD5,ARC4-SHA,EXP-ARC4-MD5,EXP-ARC4-SHA,
                      EXP1024-ARC4-MD5,EXP1024-ARC2-CBC-MD5,
                      EXP1024-ARC4-SHA,NULL-MD5,NULL-SHA
weak        2    0    EXP-ARC4-MD5,EXP-ARC2-MD5,
                      EXP1024-ARC4-MD5,EXP1024-ARC2-CBC-MD5,
                      EXP1024-DES-CBC-SHA,EXP1024-ARC4-SHA,NULL-MD5,
                      NULL-SHA,EXP-DES-CBC-SHA
fips        3    0    DES-CBC-SHA,DES-CBC3-SHA
strong      4    1    DES-CBC-MD5,DES-CBC-SHA,DES-CBC3-MD5,DES-CBC3-SHA,
                      ARC4-MD5,ARC4-SHA
all         5    0    DES-CBC-MD5,DES-CBC-SHA,DES-CBC3-MD5,DES-CBC3-SHA,
                      ARC4-MD5,ARC4-SHA,EXP-ARC4-MD5,EXP-ARC4-SHA,
                      EXP-ARC2-MD5,EXP1024-ARC4-MD5,EXP1024-ARC2-CBC-MD5,
                      EXP1024-DES-CBC-SHA,EXP1024-ARC4-SHA,NULL-MD5,
                      NULL-SHA,EXP-DES-CBC-SHA
noexport56  6    0    DES-CBC-SHA,DES-CBC3-MD5,DES-CBC3-SHA,
                      ARC4-SHA,EXP-ARC4-MD5,EXP-ARC2-MD5,EXP-DES-CBC-SHA
SSL Servers capacity 255, defined 1
----------------------------------------------------------------------
Name      Id   Secure SSL IP   Plaintext IP   ST   KC   PKey    Cert     Secpolicy   CA Group
----------------------------------------------------------------------
myServer  001  10.1.2.3:443    10.1.2.3:80    A    Y    myKey   myCert   strong      *not set*
Default Gateway: 10.1.14.1
The list of keys includes all those loaded into the device. The columns and their descriptions are shown in the table below.
Column                Description
Id                    The number of the key as loaded into the device
RC (Reference Count)  The number of logical secure servers using the key
V (Validity)          The validity of the key as loaded into the device
The list of certificates includes all certificates loaded into the device. The columns and their descriptions are shown in the table below.
Column                                    Description
Id                                        The number of the certificate as loaded into the device
RCCG (Reference Count Certificate Group)  The number of certificate groups using the certificate
RCPS (Reference Count Proxy Server)       The number of SSL servers using the certificate
V (Validity)                              The validity of the certificate as loaded into the device; “Y” indicates the certificate is valid, “N” indicates the certificate is invalid
The list of security policies includes all those configured on the device. The columns and their descriptions are shown in the table below.
Column                Description
Name                  The name of the security policy
Id                    The number of the security policy as loaded into the device
RC (Reference Count)  The number of SSL servers using the security policy
PolicyList            The names of the individual cryptographic schemes associated with each security policy
The list of SSL servers includes all those configured on the device. The columns and their descriptions are shown in the table below.
Column         Description
Name           The name of the SSL server
Id             The number of the SSL server as loaded into the device
Secure SSL IP  The IP address and TCP service port to monitor for SSL transaction requests
Plaintext IP   The IP address and TCP service port used to send decrypted SSL traffic to the server
ST             Status: A (OK), I (incomplete or invalid), U (user-disabled), F (FIPS-suspended), B (backend (hardware) server unavailable)
KC             The validity of the key and certificate pair assigned to the SSL server; “U” indicates the key or certificate is not defined, “Y” indicates the key and certificate match, “N” indicates the key and certificate do not match
PKey           The name of the private key assigned to the SSL server
Cert           The name of the certificate assigned to the SSL server
Secpolicy      The name of the security policy assigned to the SSL server
CA Group       The name of the certificate chain, if one has been assigned to the server
You are asked whether to save the configuration to flash memory.
Would you like to save your configuration to flash? (y/n):
If you type y, you will be asked to wait while the configuration is saved to flash, and the QuickStart wizard finishes. If you type n, the QuickStart wizard finishes.
Caution If the configuration is not saved to flash memory, the configuration is lost during a power cycle or when the reload command is used.
Using the QuickStart Wizard with a Configured Appliance
If you wish to run the QuickStart wizard for a previously configured Cisco Secure Content Accelerator, follow these steps:
1. Initiate a management session and start the configuration manager as described previously.
2. Use the appropriate method to attach to the device.
3. Enter Privileged mode.
4. Enter the command quick-start.
5. Go to “Using the QuickStart Wizard”.
CHAPTER 4
Using the Configuration Manager
This chapter describes how to use the configuration manager to configure the SSL appliance. Refer to Appendix F for a brief introduction to how the SCA works with SSL protocol components. This chapter contains the following sections:
Overview
Configuration Security
Before You Begin
Initiating a Management Session
Configuring the Device
Step-Up Certificates and Server-Gated Cryptography
Configuring Certificate Groups
Using Client and Server Certificate Authentication
Generating Keys and Certificates
Supporting SNMP
Supporting RIP
Supporting Other Secure Protocols
Supporting FIPS
Working with Syslogs
Disabling SSL Versions
Enabling Keepalives
Setting the Idle-Timeout
Overview
Whether used via a serial or telnet connection, the command line interface configuration manager provides greater control over the SSL appliance than the QuickStart or Secure Server wizard alone.
The configuration manager allows you to control the hardware and SSL portions of the appliance through a discrete mode and submode system, as shown in the hierarchy diagram in Figure 4-1.
Figure 4-1 Configuration Manager Hierarchy (the original is a diagram; its mode tree is rendered here as an outline)
TOP LEVEL COMMANDS
    NON-PRIVILEGED
    PRIVILEGED
        CONFIGURATION
            INTERFACE
            SSL
                KEY
                CERTIFICATE
                CERTIFICATE GROUP
                SECURITY POLICY
                SERVER
                    TCP-TUNING
                BACKEND SERVER
                    TCP-TUNING
                REVERSE-PROXY SERVER
                    TCP-TUNING
To configure items in a submode, activate the submode by entering a command in the mode above it. For example, to set the network interface speed or duplex you must first enter enable, then configure, then interface network. To return to the higher Configuration mode, simply enter end or exit or press CTRL+D. The finished command returns to the Top Level from any mode. Appendix C lists all commands for SSL devices.
Note Refer to Chapter 6 for FIPS Mode instructions.
Note The system prompts displayed by the configuration manager vary slightly depending upon the management session type used and the Secure Content Accelerator version. Secure Content Accelerator version 2 is indicated by an SCA2 prompt.
Configuration Security
Cisco Secure Content Accelerator devices allow easy, flexible configuration without compromising the security of your network or their own configuration.
Passwords
Cisco Secure Content Accelerator devices use two levels of password protection: access- and enable-level. Access-level passwords control who can access the device via telnet and serial connections. Enable-level passwords control who can view the same data available with access-level passwords as well as view sensitive data and configure the device.
SSL devices are shipped without passwords. Setting passwords is important because the device can be administered over a network. Note that telnet sends both passwords across the network in clear text, so restrict telnet management with an access list (see below) or use the serial console. For more information about passwords, see the commands password access and password enable in Appendix C.
Note FIPS-compliant operation requires both access- and configuration-level passwords. See Chapter 6 for more information.
Access Lists
Access lists control which computers can attach to a specific device. No access lists exist when you first install the Secure Content Accelerator. You can restrict the computers allowed to manage the appliance by adding their IP addresses to one or more access lists for each device. For more information about configuring access lists, see the commands show access-list, access-list, snmp access-list, telnet access-list, and web-mgmt access-list in Appendix C.
Note In FIPS Mode you can configure access lists but can assign them only to the SNMP subsystem.
Factory Default Reset Password
If you have forgotten your access or enable password, you can use a factory-set password during a serial configuration session. When prompted for a password, enter FailSafe (case-sensitive). You are asked to confirm the action. The appliance reboots (reloads) with factory default settings.
Caution All configuration is lost when using the factory default reset. Because this password is fixed and works for anyone with a console connection, physical access to the CONSOLE port must be controlled.
Before You Begin
Before configuring the SSL appliance you must have a certificate and keys for the server. You can use the files you received from the Certificate Authority, copy the keys and certificate from an existing secure server, use the default keys and certificates preloaded in the device, or generate your own keys and certificates. The preloaded default keys and certificates are for testing; a production server needs a key generated for it and a certificate issued to its own name.
Instructions for exporting keys and certificates from an existing server are found in Using Existing Keys and Certificates in Appendix F.
Additionally, be aware that you must make several changes to your Web pages. The nature of the changes depends upon whether you are securing a previously unsecured site or adding the SSL appliance to an already secure server installation. These changes are described in the section Web Site Changes in Appendix B.
Initiating a Management Session
Use the appropriate instructions below to initiate a management session with the Secure Content Accelerator.
Note When using the Secure Content Accelerator in FIPS Mode, only serial management is allowed.
Serial Management and IP Address Assignment
Follow these steps to initiate a management session via a serial connection and set an IP address for the device.
Note The default terminal settings on the SSL devices and modules are 80 columns by 25 lines. To ensure the best display and reduce the chance of graphic anomalies, use the same settings with the serial terminal software. The device terminal settings can be changed, if necessary. Use the standard ANSI setting on the serial terminal software.
1. Attach the included null modem cable to the appliance port marked CONSOLE. Attach the other end of the null modem cable to a serial port on the configuring computer.
2. Launch any terminal emulation application that communicates with the serial port connected to the appliance. Use these settings: 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.
3. Press Return. Initial information is displayed followed by an SCA> prompt.
4. Enter Privileged and Configuration modes and set the IP address using the following commands. Replace the IP address in the example with the appropriate one.
SCA> enable
SCA# configure
(config[SCA])# ip address 10.1.2.5 netmask 255.255.255.0
(config[SCA])#
Note When prompted to supply a file name during serial management, you must supply it as a URL in the form HOST/PATH/FILENAME using the http://, https://, ftp://, or tftp:// prefix. Private keys fetched with http://, ftp:// or tftp:// cross the network unencrypted; use https:// for key files where possible and remove the file from the server once it has been loaded.
Telnet
After you have assigned an IP address to the Cisco Secure Content Accelerator using the serial console CLI, you can connect to the appliance via telnet.
1. Initiate a telnet session with the IP address previously assigned to the appliance.
2. An SCA> prompt is displayed.
Note When prompted to supply a file name during a telnet management session, you must supply it as a URL in the form HOST/PATH/FILENAME using the http://, https://, ftp://, or tftp:// prefix.
Configuring the Device
When you configure an appliance to perform SSL offloading you are actually setting up one or more logical secure servers whose SSL-related configurations reside in the appliance. Each logical secure server has several attributes:
A unique IP address for the real server providing content
Specifications for the appropriate key and certificate to use
A security policy specifying the cryptographic scheme(s) to use
Example: Setting up Basic Device Parameters
This example describes how to use the configuration manager to set the basic SSL appliance configuration.
1. Initiate a serial management session, and set the IP address of the device to 10.1.2.5.
SCA> enable
SCA# config
(config[CSS-SCA])# ip address 10.1.2.5 netmask 255.255.0.0
(config[CSS-SCA])#
2. If you wish to configure the server using the serial connection, continue with step 3. If you wish to use a telnet connection, initiate a telnet session with the IP address assigned in step 1, and go to step 3.
3. Use the following commands to enter Privileged and Configuration modes and change the name of the SSL appliance to myDevice.
SCA> enable
SCA# configure
(config[CS-10-1-2-3])# hostname myDevice
(config[CS-10-1-2-3])# end
SCA# configure
(config[myDevice])#
4. Set the default router.
(config[myDevice])# ip route default 10.1.2.1
(config[myDevice])#
5. Set an enable password to protect the appliance configuration. The password is requested whenever the enable command is given.
Note Passwords are not echoed to the screen.
(config[myDevice])# password enable
Enter new password:
Confirm password:
(config[myDevice])# end
SCA#
Example: Setting up a Secure Server
This example describes how to use the configuration manager rather than the QuickStart wizard to set up a secure server. In this example, the default SSL port (443) and remote port (81) are used.
1. Enter Privileged, Configuration, and SSL Configuration modes.
SCA> enable
SCA# configure
(config[myDevice])# ssl
(config-ssl[myDevice])#
2. Enter Key Configuration mode and create a key named myKey. Load the PEM-encoded key file. Return to SSL Configuration mode.
(config-ssl[myDevice])# key myKey create
(config-ssl-key[myKey])# pem keyFile
(config-ssl-key[myKey])# end
(config-ssl[myDevice])#
Note Use the der command when using DER-encoded keys and certificates, and the net-iis command when using keys exported from IIS 4.
Note Key names can consist of Arabic numerals and upper- and lowercase alphabetic, underscore (_), hyphen (-), and period (.) characters. Key names must begin with an alphabetic character and have a limit of 15 characters.
3. Enter Certificate Configuration mode and create a certificate named myCert. Then load the PEM-encoded certificate file. Return to SSL Configuration mode.
(config-ssl[myDevice])# cert myCert create
(config-ssl-cert[myCert])# pem certFile
(config-ssl-cert[myCert])# end
(config-ssl[myDevice])#
Note Certificate names can consist of Arabic numerals and upper- and lowercase alphabetic, underscore (_), hyphen (-), and period (.) characters. Certificate names must begin with an alphabetic character and have a limit of 127 characters.
4. Enter Security Policy Configuration mode and create a security policy named myPol. Assign the strong cryptography policy to it. Return to SSL Configuration mode.
(config-ssl[myDevice])# secpolicy myPol create
(config-ssl-secpolicy[myPol])# crypto strong
(config-ssl-secpolicy[myPol])# end
(config-ssl[myDevice])#
Note When using FIPS Mode only the FIPS security policy is available.
Note Security policy names can consist of Arabic numerals and upper- and lowercase alphabetic, underscore (_), hyphen (-), and period (.) characters. Security policy names must begin with an alphabetic character and have a limit of 15 characters.
5. Enter Server Configuration mode and create a server named myServer. Assign the IP address 10.1.2.4. Assign port 443 for monitoring for SSL connections and port 81 for sending clear text. Assign the key, certificate, and security policy just created. Then exit to Top Level mode.
(config-ssl[myDevice])# server myServer create
(config-ssl-server[myServer])# ip address 10.1.2.4
(config-ssl-server[myServer])# sslport 443
(config-ssl-server[myServer])# remoteport 81
(config-ssl-server[myServer])# key myKey
(config-ssl-server[myServer])# cert myCert
(config-ssl-server[myServer])# secpolicy myPol
(config-ssl-server[myServer])# finished
SCA#
6. Save the configuration to flash memory. If it is not saved, the configuration is lost during a power cycle or when the reload command is used.
SCA# write flash
SCA#
Note You can review the configuration of the currently edited SSL object (key, certificate, certificate chain, security policy, or server) by using the info command in the appropriate mode.
Example: Setting up a Backend Server
This example describes how to use the conguration manager to set up a backend server.
1. Enter Privileged, Configuration, and SSL Configuration modes.
SCA> enable
SCA# configure
(config[myDevice])# ssl
(config-ssl[myDevice])#
2. Enter Backend Server Configuration mode and create a backend server named myBackServ.
(config-ssl[myDevice])# backend-server myBackServ create
(config-ssl-backend[myBackServ])#
3. Assign an IP address and netmask to the backend server.
(config-ssl-backend[myBackServ])# ip address
4. Assign port 443 for SSL traffic and port 80 for clear text traffic.
(config-ssl-backend[myBackServ])# localport 80
(config-ssl-backend[myBackServ])# remoteport 443
5. Specify a security policy for the server.
(config-ssl-backend[myBackServ])# secpolicy strong
Note When using FIPS Mode only default security policies and those configured for FIPS 140-2-compliant operation are available.
6. Exit to Privileged mode, and save the configuration to flash memory. If it is not saved, the configuration is lost during a power cycle or when the reload command is used.
(config-ssl-backend[myBackServ])# finished
SCA# write flash
SCA#
Example: Setting up a Reverse-Proxy Server
This example describes how to use the configuration manager to set up a reverse-proxy server.
1. Enter Privileged, Conguration, and SSL Conguration modes.
SCA> enable
SCA# configure
(config[myDevice])# ssl
(config-ssl[myDevice])#
2. Enter Reverse-Proxy Server Configuration mode and create a server named myRevServ.
(config-ssl[myDevice])# reverse-proxy-server myRevServ create (config-ssl-rproxy[myRevServ])#
3. Assign port 8080 for clear text traffic.
(config-ssl-rproxy[myRevServ])# localport 8080
4. Specify a security policy for the server.
(config-ssl-rproxy[myRevServ])# secpolicy strong
Note When using FIPS Mode only security policies configured for FIPS 140-2-compliant operation are available.
5. Exit to Privileged mode and save the configuration to flash memory. If it is not saved, the configuration is lost during a power cycle or when the reload command is used.
(config-ssl-rproxy[myRevServ])# finished
SCA# write flash
SCA#
Note When using this configuration, client browsers must be set to use this device as a proxy.
Example: Configuring Secure URL Rewrite
The Secure URL Rewrite feature prevents URL redirects and references from breaking or circumventing SSL sessions. This example uses the CLI. The same options are available in the GUI.
1. Open a management session with the device.
2. Enter Privileged, Configuration, and SSL Configuration modes:
SCA> enable
SCA# configure
(config[SCA])# ssl
(config-ssl[SCA])#
3. Enter Server Configuration mode for the server for which you wish to configure URL rewrites.
(config-ssl[SCA])# server myServer
(config-ssl-server[myServer])#
4. The urlrewrite command uses the following syntax:
urlrewrite <domainName> [sslport <portid>] [clearport <portid>] [redirectonly]
domainName    The domain or file identifier as a domain name, IP address, or path and file name. An * (asterisk) wildcard character can be used to specify more than one server in a single domain, e.g., “*.company.com”.
sslport       Keyword identifying the specified port to be used for SSL traffic.
portid        A port identification for SSL traffic.
clearport     Keyword identifying the specific port to be used for clear text traffic.
portid        A port identification for clear text traffic.
redirectonly  A keyword used to indicate that only the Location: field in the HTTP 30x redirect header should be rewritten. This solves a common problem with Web servers using insecure HTTP 30x redirects.
Enter a URL rewrite rule for www.mybusiness1.com.
(config-ssl-server[myServer])# urlrewrite www.mybusiness1.com sslport 443 clearport 81
All references that pass through the device to http://www.mybusiness1.com:81 are rewritten to https://www.mybusiness1.com.
To securely rewrite only 30x-series redirects (for example, 301 or 302) referencing http:// rather than all instances of http:// (such as those that appear intentionally in the application data), use the redirectonly option. (This command must be entered on a single line.)
(config-ssl-server[myServer])# urlrewrite www.mybusiness2.com sslport 443 clearport 81 redirectonly
5. A wildcard can be used to specify multiple SSL hosts in the same domain.
(config-ssl-server[myServer])# urlrewrite *.mybusiness3.com sslport 443 clearport 81
Note Do not use *.com as a filter. The definition is too broad: it matches every .com host name passing through the device, not only your own. Wildcards should be used with care to avoid any unwanted rewriting of references.
6. To see the results of these URL rewrite rules in the server configuration, enter the following command. The results are presented below it.
(config-ssl-server[myServer])# show ssl server myServer
...
URL Rewrite:
Name                  SSL Port   Clear Port   Redirect Only
__________________________________________________________________
www.mybusiness1.com   443        81           No
www.mybusiness2.com   443        81           Yes
*.mybusiness3.com     443        81           No
For more information about URL rewriting, contact your Cisco representative for a copy of the white paper SSL Offloaders and Contextual Consistency.
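To make the difference between a plain rule and a redirectonly rule concrete, the following added example (not code from the Cisco guide) models the three rules above and applies them to one constructed HTTP response: a 302 redirect whose body also carries links. The rule semantics (clearport on the http side, sslport on the https side, wildcard domains, redirectonly limited to the Location header) follow the text; the RewriteRule class, the function names and the sample response are assumptions made here for illustration.

```python
# Added example: a model of the SCA urlrewrite rules applied to one HTTP response.
# Rule semantics follow the guide; names and the sample data are constructed here.
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class RewriteRule:
    domain: str               # exact host or "*.example.com" wildcard
    sslport: int = 443
    clearport: int = 80
    redirectonly: bool = False

    def matches_host(self, host):
        host = host.lower()
        if self.domain.startswith("*."):
            return host.endswith(self.domain[1:].lower())   # "*.x.com" -> ".x.com"
        return host == self.domain.lower()


def rewrite_url(url, rules):
    """Rewrite http://host:clearport/... to https://host[:sslport]/... if a rule matches."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return url
    port = parts.port or 80
    for rule in rules:
        if rule.matches_host(parts.hostname) and port == rule.clearport:
            netloc = parts.hostname if rule.sslport == 443 else f"{parts.hostname}:{rule.sslport}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    return url


# Absolute http:// references inside HTML or other application data.
URL_RE = re.compile(r"http://[^\s\"'<>)]+")


def rewrite_response(status, headers, body, rules):
    """Apply the rules to one response: every rule fixes the Location header of a
    30x redirect; only rules without redirectonly also touch URLs in the body."""
    new_headers = dict(headers)
    if 300 <= status < 400 and "Location" in new_headers:
        new_headers["Location"] = rewrite_url(new_headers["Location"], rules)
    body_rules = [r for r in rules if not r.redirectonly]
    new_body = URL_RE.sub(lambda m: rewrite_url(m.group(0), body_rules), body)
    return new_headers, new_body


# The three rules entered in the example above.
RULES = [
    RewriteRule("www.mybusiness1.com", sslport=443, clearport=81),
    RewriteRule("www.mybusiness2.com", sslport=443, clearport=81, redirectonly=True),
    RewriteRule("*.mybusiness3.com", sslport=443, clearport=81),
]

# Constructed sample: a redirect from the clear-text side with a mixed body.
SAMPLE_STATUS = 302
SAMPLE_HEADERS = {"Location": "http://www.mybusiness2.com:81/login"}
SAMPLE_BODY = (
    '<a href="http://www.mybusiness1.com:81/help">help</a>\n'
    '<a href="http://www.mybusiness2.com:81/docs">docs</a>\n'
    '<a href="http://shop.mybusiness3.com:81/cart">cart</a>\n'
    '<a href="http://other.example.net:81/x">elsewhere</a>\n'
)


def demo():
    """Run the sample response through the rules; returns (headers, body)."""
    return rewrite_response(SAMPLE_STATUS, SAMPLE_HEADERS, SAMPLE_BODY, RULES)


if __name__ == "__main__":
    headers, body = demo()
    print("Location:", headers["Location"])
    print(body)
    # Why "*.com" is too broad: it claims every .com host passing through.
    print("*.com matches an unrelated host:",
          RewriteRule("*.com").matches_host("www.unrelated-site.com"))
```

In the output the Location header and the mybusiness1 and mybusiness3 links become https://, the mybusiness2 body link is left alone because its rule is redirectonly, and the other.example.net link is untouched because no rule names it.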
Example: Configuring SNTP Servers
Up to four SNTP servers can be congured on the Secure Content Accelerator.
Note To provide increased security, we recommend using an SNTP server on the internal network. Using an external SNTP server might compromise network security: SNTP is unauthenticated, so a spoofed time source can shift the device clock and with it certificate validity checks and log timestamps.
1. Open a management session with the device.
2. Enter Privileged and Configuration modes:
SCA> enable
SCA# configure
(config[SCA])#
3. Enter the IP addresses or host names of up to four SNTP servers. (Host names are resolved to IP addresses in the device configuration.)
(config[SCA])# sntp server 10.1.24.2
(config[SCA])# sntp server 10.1.24.4
(config[SCA])# sntp server 10.2.22.2
(config[SCA])# sntp server 10.2.22.6
(config[SCA])#
4. The default polling interval is 86400 seconds (one day). To change this interval to 43200 seconds (12 hours), use the sntp interval command.
(config[SCA])# sntp interval 43200
(config[SCA])#
5. To view the results of these commands, you can use either the show sntp or the show device command. The show sntp command and an example of the returned information are below.
(config[SCA])# show sntp
SNTP server sources:
    10.1.24.2 (0/6 fails/tries, stratum 2)
    10.1.24.4 (0/0 fails/tries, stratum 2)
    10.2.22.2 (0/0 fails/tries, stratum 2)
    10.2.22.6 (0/0 fails/tries, stratum 2)
SNTP synchronization interval: 43200 (seconds)
(config[SCA])#
The show device command and an example of the returned information are presented below.
(config[SCA])# show device
...
SNTP sync'ing : every 43200 (s) from 10.1.24.2, 10.1.24.4, 10.2.22.2, 10.2.22.6
...
Any errors resulting from polling or synchronization are written to syslog messages.
Example: Restricting Access using an Access List
Access lists permit or deny management access to the device or module. Up to 999 access lists can be configured. Access lists are created and then assigned for use by the telnet and Web management subsystems. An access list can be used by the SNMP subsystem as well. This example demonstrates how to create two access lists and assign each to a management subsystem.
1. Enter Privileged and Configuration modes.
SCA> enable
SCA# configure
(config[myDevice])#
2. Create an access list allowing management access from all IP addresses. As the two examples show, the second address is a wildcard mask: a 1 bit means “don't care”, so 255.255.255.255 matches every address.
(config[myDevice])# access-list 1 permit 0.0.0.0 255.255.255.255
3. Create an access list allowing access from a single computer. A wildcard mask of 0.0.0.0 requires an exact match.
(config[myDevice])# access-list 2 permit 10.1.4.5 0.0.0.0
4. Assign the first access list to the Web management subsystem. Note that this leaves Web management open to every address; in production, assign a list that names only the management hosts.
(config[myDevice])# web-management access-list 1
5. Assign the second access list to the telnet subsystem, allowing management access only from the specific IP address.
(config[myDevice])# telnet access-list 2
6. Exit to Privileged mode and save the configuration to flash memory. If it is not saved, the configuration is lost during a power cycle or when the reload command is used.
(config[myDevice])# finished
SCA# write flash
SCA#
Note In FIPS Mode, access lists can be congured but assigned only to the
SNMP subsystem.
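The wildcard-mask semantics behind the two lists above, as an added example in Python (not Cisco code): a mask bit of 0 means the source bit must match the configured address and a mask bit of 1 means it is ignored, so list 1 admits every source and list 2 only the host 10.1.4.5. First-match evaluation with an implicit deny at the end of each list is an assumption of this model, and the subsystem mapping and test hosts are constructed.

```python
"""Wildcard-mask access-list evaluation modelled on the SCA access-list example.

Added example, not Cisco code. Assumes first-match semantics with an implicit
deny when no entry matches (an assumption; the guide does not state it).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AclEntry:
    action: str     # "permit" or "deny"
    address: str    # dotted-quad base address
    wildcard: str   # dotted-quad wildcard mask: 0 bit = must match, 1 bit = ignored

    def matches(self, source: str) -> bool:
        base = int(ipaddress.IPv4Address(self.address))
        wild = int(ipaddress.IPv4Address(self.wildcard))
        src = int(ipaddress.IPv4Address(source))
        care = ~wild & 0xFFFFFFFF          # bits that must be identical
        return (src & care) == (base & care)


def parse_access_list(cli_lines: List[str]) -> Dict[int, List[AclEntry]]:
    """Parse lines of the form 'access-list <n> permit|deny <addr> <wildcard>'."""
    lists: Dict[int, List[AclEntry]] = {}
    for line in cli_lines:
        parts = line.split()
        if len(parts) != 5 or parts[0] != "access-list":
            raise ValueError(f"unrecognised access-list line: {line!r}")
        number = int(parts[1])
        if not 1 <= number <= 999:          # the guide allows up to 999 lists
            raise ValueError(f"access-list number out of range: {number}")
        if parts[2] not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line!r}")
        lists.setdefault(number, []).append(AclEntry(parts[2], parts[3], parts[4]))
    return lists


def evaluate(entries: List[AclEntry], source: str) -> bool:
    """First matching entry decides; no match means deny (assumed implicit deny)."""
    for entry in entries:
        if entry.matches(source):
            return entry.action == "permit"
    return False


# Constructed configuration mirroring the guide's example: list 1 permits every
# source address, list 2 permits only the single host 10.1.4.5.
ACCESS_LISTS = parse_access_list([
    "access-list 1 permit 0.0.0.0 255.255.255.255",
    "access-list 2 permit 10.1.4.5 0.0.0.0",
])
# Subsystem assignments from the example: web-management gets list 1, telnet list 2.
SUBSYSTEM_ACL = {"web-management": 1, "telnet": 2}


def management_allowed(subsystem: str, source: str) -> bool:
    """Return True if 'source' may reach the named management subsystem."""
    return evaluate(ACCESS_LISTS[SUBSYSTEM_ACL[subsystem]], source)


if __name__ == "__main__":
    for host in ("10.1.4.5", "10.1.4.6", "192.0.2.10"):   # constructed sources
        print(host, "web:", management_allowed("web-management", host),
              "telnet:", management_allowed("telnet", host))
```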
Configuring an Ethernet Interface
The Ethernet interfaces on the SSL appliance can be configured at either 10 Mbps or 100 Mbps and half or full duplex. Enter Privileged and Configuration modes. In the following example, the Network interface of myDevice is forced to full duplex and 100 Mbps. Make sure to save this configuration to flash.
(config[myDevice])# interface network
(config-if[network])# duplex full
(config-if[network])# speed 100
(config-if[network])# finished
SCA#
Example: Saving a Configuration File
Once you have configured your device and it is running well, you should save the configuration to a separate file. This file can be used to restore the device in case of a power cycle or serious error. This example demonstrates how to save the startup-configuration to a file.
1. Enter Privileged mode.
SCA> enable
SCA#
2. Save the existing configuration to be the startup-configuration.
SCA# write flash
SCA#
3. Save the startup-configuration to a file.
SCA# copy startup-configuration https://www.mycorp.com/myconfig
SCA#
Before this file is uploaded to the device, you must reload the keys and configure the passwords on the device. Use the same key object names previously used to reference the keys.
Step-Up Certificates and Server-Gated Cryptography
Cisco Secure Content Accelerator supports both Netscape International Step-Up Certificates and Microsoft Server-Gated Cryptography. Ephemeral RSA must be enabled for the device to function properly with these certificates. Load the certificate normally.
Note You must specify that your certificate work with both Microsoft and Netscape browsers when requesting it from the CA. Otherwise, the server cannot support both browsers.
Configuring Certificate Groups
Certificate groups are collections of certificates used for certificate chains and for client and server authentication. Certificate chains are used in certain circumstances, such as when a known, trusted CA (such as Thawte or VeriSign) provides a certificate to attest that certificates created by an intermediary CA can be trusted. For example, a company can create its own certificates for internal use only; however, clients do not accept those certificates because they were not created by a known CA. When the private certificates are chained with the trusted CA certificate, clients accept them during SSL negotiations.
Example: Configuring a Certificate Group
The locally created certificate, the intermediary CA certificate signed by a trusted CA, and any other intermediary certificates are loaded into individual certificate objects that are combined into a certificate group. This example demonstrates how to:
Load an intermediate CA certificate into a certificate object
Create a certificate group
Enable using the group as a certificate chain
The name of the SSL device is myDevice. The name of the secure logical server is server1. The name of the DER-encoded intermediary CA certificate is CACertFile. The name of the PEM-encoded certificate generated by the intermediary CA is localCertFile. The name of the certificate group is CACertGroup.
1. Initiate a management session as described previously.
2. Enter Privileged and Configuration modes.
SCA> enable
SCA# configure
(config[myDevice])#
3. Enter SSL Configuration mode and create an intermediary certificate object named CACert, entering Certificate Configuration mode. Load the DER-encoded CACertFile file into the certificate object, and return to SSL Configuration mode.
(config[myDevice])# ssl
(config-ssl[myDevice])# cert CACert create
(config-ssl-cert[CACert])# der CACertFile
(config-ssl-cert[CACert])# end
(config-ssl[myDevice])#
4. Create a certificate object named localCert, load the PEM-encoded certificate file, and return to SSL Configuration mode.
(config-ssl[myDevice])# cert localCert create
(config-ssl-cert[localCert])# pem localCertFile
(config-ssl-cert[localCert])# end
(config-ssl[myDevice])#
5. Enter Certificate Group Configuration mode, create the certificate group CACertGroup, load the certificate object CACert, and return to SSL Configuration mode.
(config-ssl[myDevice])# certgroup CACertGroup create
(config-ssl-certgroup[CACertGroup])# cert CACert
(config-ssl-certgroup[CACertGroup])# end
(config-ssl[myDevice])#
6. Enter Server Configuration mode, create the logical secure server server1, assign an IP address, SSL and clear text ports, the security policy myPol, the certificate group CACertGroup, the certificate localCert, and the key localKey (compatible with the local certificate), and exit to Privileged mode.
(config-ssl[myDevice])# server server1 create
(config-ssl-server[server1])# ip address 10.1.2.4
(config-ssl-server[server1])# localport 443
(config-ssl-server[server1])# remoteport 81
(config-ssl-server[server1])# secpolicy myPol
(config-ssl-server[server1])# certgroup chain CACertGroup
(config-ssl-server[server1])# cert localCert
(config-ssl-server[server1])# key localKey
(config-ssl-server[server1])# finished
SCA#
7. Save the configuration to flash memory. If it is not saved, the configuration is lost during a power cycle or when the reload command is used.
SCA# write flash
SCA#
Example: Importing Certificate Groups
PKCS#7 certificate groups can be imported directly into the device. This example demonstrates how to import a PEM-encoded PKCS#7 file into the Cisco Secure Content Accelerator.
1. Initiate a management session as described previously.
2. Enter Privileged and Configuration modes.
3. Enter SSL Configuration mode.
(config[myDevice])# ssl
(config-ssl[myDevice])#
4. Specify the PKCS#7 file to import, indicating the appropriate encoding (in this example, PEM). In this example, the name of the certificate group to create is myCertGroup and the certificate prefix is impt. (The certificate prefix is optional. This command must be entered on one line.)
(config-ssl[myDevice])# import pkcs7 myCertGroup pem impt https://www.mycertgroups.com/certgroups/mygroup.pem
5. The file is imported, and certificates and a certificate group are generated. The certificates are named incrementally from impt_1 to impt_N, where N is the number of certificates in the PKCS#7 file. The certificate with the highest incremented number is the server certificate.
Note See the entry in Appendix C for additional command options.
Using Client and Server Certificate Authentication
To further ensure transaction security, client or server certificate authentication can be configured on servers. Backend and reverse-proxy servers can be configured for server certificate authentication; basic secure servers can be configured for client certificate authentication. To use either of these certificate authentication methods, a certificate group must already have been created.
Example: Configuring Server Certificate Authentication
Server certificate authentication can be configured on both backend and reverse-proxy servers. The configuration procedure for both server types is nearly identical. This example demonstrates how to configure an existing backend server for server certificate authentication using the certificate group servTrustGroup. The domain name (for backend server configuration only) is www.mycorp.com. Several options are available for authentication errors to ignore. In this example the backend server is set to ignore no errors, resulting in immediate disconnection on any authentication error.
1. Initiate a management session as described previously.
2. Enter Privileged and Configuration modes.
SCA> enable
SCA# configure
(config[myDevice])#
3. Enter SSL Configuration mode and Backend Server Configuration mode for the server myBackServ.
(config[myDevice])# ssl
(config-ssl[myDevice])# backend-server myBackServ
(config-ssl-backend[myBackServ])#
4. Enter the following commands to enable server certificate authentication, set the handling of authentication errors to the most stringent level, and assign the certificate group to use for comparison. (The final command must be entered on a single line.)
(config-ssl-backend[myBackServ])# serverauth enable
(config-ssl-backend[myBackServ])# serverauth ignore none
(config-ssl-backend[myBackServ])# certgroup serverauth servTrustGroup
5. Enter a domain name to use for certificate comparison. This is necessary only for backend servers when server certificate authentication is not set to ignore domain name errors. (The final command must be entered on a single line.)
(config-ssl-backend[myBackServ])# serverauth domain-name "www.mycorp.com"
6. Exit to Privileged mode, and save the configuration to flash memory. If it is not saved, the configuration is lost during a power cycle or when the reload command is used.
(config-ssl-backend[myBackServ])# finished
SCA# write flash
SCA#
Example: Configuring Client Certificate Authentication
Client certificate authentication can be configured on basic secure servers. This example demonstrates how to configure an existing server for client certificate authentication using the certificate group clientTrustGroup. Several options are available for authentication error handling. In this example, the server is set to handle all errors by disconnecting the SSL session and redirecting the client to a standard HTML error page.
1. Initiate a management session as described previously.
2. Enter Privileged and Configuration modes.
SCA> enable
SCA# configure
(config[myDevice])#
3. Enter SSL Configuration mode and Server Configuration mode for the server myServ.
(config[myDevice])# ssl
(config-ssl[myDevice])# server myServ
(config-ssl-server[myServ])#
4. Enter the following commands to enable client certificate authentication, set the handling of authentication errors, and assign the certificate group to use for comparison.
(config-ssl-server[myServ])# clientauth enable
(config-ssl-server[myServ])# clientauth error all failhtml
(config-ssl-server[myServ])# certgroup clientauth clientTrustGroup
(config-ssl-server[myServ])# certgroup verifydepth 1
5. Exit to Privileged mode, and save the configuration to flash memory. If it is not saved, the configuration is lost during a power cycle or when the reload command is used.
(config-ssl-server[myServ])# finished
SCA# write flash
SCA#
Generating Keys and Certificates
RSA private keys, certificates, and certificate signing requests can be generated directly on the device.
Example: Generating an RSA Key
1. Enter Privileged, Configuration, SSL Configuration, and Key Configuration modes, creating a key named myGenKey.
SCA> enable
SCA# configure
(config[myDevice])# ssl
(config-ssl[myDevice])# key myGenKey create
(config-ssl-key[myGenKey])#
2. Enter the following command to generate a 1024-bit key using the seed string lemon. The key is displayed once using DES encryption. The resulting key is stored on the device as well as exported to a PEM-encoded file named mykey.pem. (This command must be entered on one line.)
(config-ssl-key[myGenKey])# genrsa bits 1024 encrypt des seed lemon output https://www.mywebsite.com/mykey.pem
Note Using the HTTPS protocol ensures that your key is transmitted securely.
Example: Generating a Certificate
1. Enter Privileged, Configuration, and SSL Configuration modes.
SCA> enable
SCA# configure
(config[myDevice])# ssl
(config-ssl[myDevice])#
2. Enter the following command to generate a certificate signing request using the key created in the previous example. An MD5 digest is displayed and the request is saved in a file named myGenCert. (This command must be entered on one line.) A wizard starts, requesting certificate information.
(config-ssl[myDevice])# gencsr key myGenKey digest md5 output https://www.mywebsite.com/myGenCert
Note Using the HTTPS protocol ensures that your certificate is transmitted securely.
Supporting SNMP
Cisco Secure Content Accelerator devices have basic support for SNMP functions. The device is shipped with SNMP disabled. This example demonstrates how to set basic SNMP data.
Example: Configuring SNMP
1. Initiate a management session as described previously.
2. Enter Privileged and Configuration modes.
SCA> enable
SCA# configure
3. Enter SNMP data and enable SNMP. Access-list 1 has already been created. (See Appendix C for information on using the access-list command.) Return to Privileged mode.
(config[myDevice])# snmp enable
(config[myDevice])# snmp access-list 1
(config[myDevice])# snmp location "Main Office"
(config[myDevice])# snmp contact "Administrator"
(config[myDevice])# snmp default community ITS_Office
(config[myDevice])# snmp trap-host v1 10.1.2.4
(config[myDevice])# snmp trap-type generic
(config[myDevice])# end
SCA#
4. Save the configuration to flash memory. If it is not saved, the configuration is lost during a power cycle or when the reload command is used.
SCA# write flash
SCA#
Supporting RIP
Cisco Secure Content Accelerator devices support Routing Information Protocol (RIP) versions 1 and 2. This example demonstrates how to enable RIP version 1 packet usage.
Example: Configuring RIP
1. Initiate a management session as described previously.
2. Enter Privileged and Configuration modes.
SCA> enable
SCA# configure
3. Enable reception and processing of RIP version 1 packets. Then return to Privileged mode.
(config[myDevice])# rip v1
(config[myDevice])# end
SCA#
4. Save the configuration to flash memory. If it is not saved, the configuration is lost during a power cycle or when the reload command is used.
SCA# write flash
SCA#
Supporting Other Secure Protocols
Along with SSL, Cisco Secure Content Accelerator devices can support other secure protocols using TLS v1.0, SSL v2.0, and SSL v3.0. IMAPS, POP3S, NNTPS, and LDAPS are some examples. The steps below show how to configure the SSL appliance to set up a secure server that processes only POP3S (S-POP) mail.
Example: Configuring a Secure Mail Server
Note The steps in this example are abbreviated to show only the relevant changes from the standard SSL server setup.
1. Initiate a management session as described above. Enter Privileged and Configuration modes. Enter a default router. Enter SSL Configuration mode.
2. Enter Server Configuration mode and create a server named mySecureMail. Assign an IP address and netmask. Assign port 995 for listening for POP3S (S-POP) connections and port 110 for sending clear text. Assign the appropriate key, certificate, and security policy. Return to Privileged mode.
(config-ssl[myDevice])# server mySecureMail create
(config-ssl-server[mySecureMail])# sslport 995
(config-ssl-server[mySecureMail])# remoteport 110
(config-ssl-server[mySecureMail])# finished
SCA#
3. Save the configuration to flash memory. If it is not saved, the configuration is lost during a power cycle or when the reload command is used.
SCA# write flash
SCA#
Supporting FIPS
Refer to Chapter 6, FIPS Operation, for instructions on using the Secure Content Accelerator in FIPS-compliant operation mode.
Working with Syslogs
The syslog command gives you greater control over messages sent to syslog servers. The syslog command uses the following syntax:
syslog <ipaddr> [port <portid>] [facility <facilvalue>]
ipaddr      The IP address of the syslog server.
port        Keyword identifying the TCP port to be used for syslog message transfer.
portid      A port identification for syslog traffic.
facility    Keyword identifying the facility to be used.
facilvalue  The facility number, from 0 to 7.
1. Initiate a management session as described previously.
2. Enter Privileged and Configuration modes.
SCA> enable
SCA# configure
3. Enter the syslog information. Return to Privileged mode.
(config[myDevice])# syslog ip 10.1.1.2.122 port 514 facility 1
(config[myDevice])# end
SCA#
4. Save the configuration to flash memory. If it is not saved, the configuration is lost during a power cycle or when the reload command is used.
SCA# write flash
SCA#
Disabling SSL Versions
In certain situations, you may want to disable individual SSL versions. The SCA allows you to enable or disable these on a version-by-version basis for individual servers.
1. Initiate a management session as described previously.
2. Enter Privileged, Configuration, and SSL Configuration modes.
SCA> enable
SCA# configure
(config[myDevice])# ssl
3. Enter Server Configuration mode for the desired server.
(config-ssl[myDevice])# server myServer
(config-ssl-server[myServer])#
4. Disable SSL version 2.
(config-ssl-server[myServer])# sslv2 disable
(config-ssl-server[myServer])#
5. Verify the active SSL/TLS versions for this server by entering the info command.
(config-ssl-server[myServer])# info
...
SSL version : v3 tls1
...
6. Return to Privileged mode.
(config-ssl-server[myServer])# finished
SCA#
7. Save the configuration to flash memory. If it is not saved, the configuration is lost during a power cycle or when the reload command is used.
SCA# write flash
SCA#
Enabling Keepalives
You can enable and configure keepalive GET messages between the virtual servers on the device and the hardware servers to which they refer. If no response is received from the hardware server after a specified number of consecutive failures (maxfailure), the virtual server is marked as suspended. When the hardware server comes back online, the keepalive messages discover the server and mark it active again.
The following example demonstrates enabling keepalives and configuring their settings.
1. Initiate a management session as described previously.
2. Enter Privileged, Configuration, and SSL Configuration modes.
SCA> enable
SCA# configure
(config[myDevice])# ssl
3. Enter Server Configuration mode for the desired server.
(config-ssl[myDevice])# server myServer
(config-ssl-server[myServer])#
4. Enable keepalive messaging.
(config-ssl-server[myServer])# keepalive enable
(config-ssl-server[myServer])#
5. Set the keepalive message frequency to 8 seconds and the failure threshold to 5 unanswered keepalive messages.
(config-ssl-server[myServer])# keepalive frequency 8
(config-ssl-server[myServer])# keepalive maxfailure 5
(config-ssl-server[myServer])#
6. Verify the keepalive information by entering the info command.
(config-ssl-server[myServer])# info
...
Keepalive enable : on
Keepalive frequency : 8 seconds
Keepalive maxfailure : 5
...
7. Return to Privileged mode.
(config-ssl-server[myServer])# finished
SCA#
8. Save the configuration to flash memory. If it is not saved, the configuration is lost during a power cycle or when the reload command is used.
SCA# write flash
SCA#
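How the frequency and maxfailure settings above interact, as an added example in Python (not Cisco code): it models the device's keepalive logic as a counter of consecutive unanswered GETs, suspends the virtual server when the counter reaches maxfailure, and reactivates it on the first answered GET. That the counter resets on any answered probe and that suspension happens exactly at the maxfailure-th consecutive miss are assumptions of this model; the probe outcomes fed in are constructed.

```python
"""Keepalive health-check state machine modelled on the SCA keepalive settings.

Added example, not Cisco code. Assumptions: consecutive unanswered probes are
counted, the count resets on any answered probe, the server is marked suspended
when the count reaches maxfailure, and the first answered probe after that
marks it active again.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class KeepaliveMonitor:
    frequency: int = 8      # seconds between keepalive GETs (guide example)
    maxfailure: int = 5     # unanswered GETs before the server is suspended
    failures: int = 0       # consecutive unanswered probes so far
    suspended: bool = False
    history: List[Tuple[int, str]] = field(default_factory=list)  # (seconds, state)

    def probe(self, tick: int, answered: bool) -> str:
        """Record one keepalive result and return the server state afterwards."""
        if answered:
            self.failures = 0
            self.suspended = False          # a healthy reply rediscovers the server
        else:
            self.failures += 1
            if self.failures >= self.maxfailure:
                self.suspended = True
        state = "suspended" if self.suspended else "active"
        self.history.append((tick * self.frequency, state))
        return state


def run_sequence(results: List[bool], frequency: int = 8,
                 maxfailure: int = 5) -> List[Tuple[int, str]]:
    """Feed a constructed list of probe outcomes (True = response received)."""
    monitor = KeepaliveMonitor(frequency=frequency, maxfailure=maxfailure)
    for tick, answered in enumerate(results, start=1):
        monitor.probe(tick, answered)
    return monitor.history


def first_suspension(history: List[Tuple[int, str]]) -> Optional[int]:
    """Elapsed seconds at which the server was first marked suspended, if ever."""
    for seconds, state in history:
        if state == "suspended":
            return seconds
    return None


def seconds_to_suspend(frequency: int, maxfailure: int) -> int:
    """Time from the first missed probe until suspension with these settings."""
    return frequency * maxfailure


if __name__ == "__main__":
    # Constructed outage: one good probe, five misses, then recovery.
    outage = [True, False, False, False, False, False, True]
    for seconds, state in run_sequence(outage):
        print(f"t={seconds:3d}s {state}")
    # A shorter blip of four misses never reaches maxfailure, so no suspension.
    print("blip suspended at:", first_suspension(run_sequence([False] * 4 + [True])))
```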
Setting the Idle-Timeout
Use the idle-timeout to further ensure the security of the device configuration. Telnet and GUI management sessions are monitored for activity. If a management session is idle beyond the specified idle-timeout, the telnet connection is closed or the Web GUI connection or serial console connection is logged out. The default timeout period is 15 minutes.
In the following example, the idle-timeout period is changed to 10 minutes.
1. Initiate a management session as described previously.
2. Enter Privileged and Configuration modes.
SCA> enable
SCA# configure
(config[myDevice])#
3. Reset the timeout period using the following command.
(config[myDevice])# password idle-timeout 10
(config[myDevice])#
4. Verify the idle-timeout setting by entering the show password command.
(config[myDevice])# show password
...
Password Idle Timeout : 10 minutes
5. Return to Privileged mode.
(config[myDevice])# end
SCA#
6. Save the configuration to flash memory. If it is not saved, the configuration is lost during a power cycle or when the reload command is used.
SCA# write flash
SCA#