Cisco CSS11501S-C-K9, CSS-11154-AC, 11000 Series Configuration Manual

Cisco 11000 Series Secure Content Accelerator Configuration Guide
April 2003
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
     800 553-NETS (6387)
Fax: 408 526-4100
Text Part Number: 78-13124-06
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Cisco’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.
Modifying the equipment without Cisco’s written authorization may result in the equipment no longer complying with FCC requirements for Class A or Class B digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures:
• Turn the television or radio antenna until the interference stops.
• Move the equipment to one side or the other of the television or radio.
• Move the equipment farther away from the television or radio.
• Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits controlled by different circuit breakers or fuses.)
Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your authority to operate the product.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCIP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0208R)
This product includes cryptographic software written by Eric A. Young. This product includes software written by Tim J. Hudson.
Cisco 11000 Series Secure Content Accelerator Configuration Guide
Copyright © 2003, Cisco Systems, Inc. All rights reserved.
CONTENTS

About This Guide xxxi
    How to Use This Guide xxxi
    Symbols and Conventions xxxiii
    Obtaining Documentation xxxv
        Cisco.com xxxv
        Documentation CD-ROM xxxv
        Ordering Documentation xxxv
        Documentation Feedback xxxvi
    Obtaining Technical Assistance xxxvii
        Cisco.com xxxvii
        Technical Assistance Center xxxvii
            Cisco TAC Website xxxviii
            Cisco TAC Escalation Center xxxix
    Obtaining Additional Publications and Information xxxix
CHAPTER 1 Overview 1-1
    Product Overview 1-2
    Secure Content Accelerator Versions 1-3

CHAPTER 2 Installing the Hardware and Software 2-1
    Site Requirements 2-2
    Required Tools and Equipment 2-2
    Shipment Contents 2-2
    Unpacking the Secure Content Accelerator 2-3
    Installing the Hardware 2-3
        Installing as a Free-Standing Unit 2-4
        Installing as a Rack-Mounted Unit 2-5
    Panel Descriptions 2-5
    Identifying SCA Models 2-8
    Connecting to Power 2-8
    Connecting to Ethernet 2-9

CHAPTER 3 Using the QuickStart Wizard 3-1
    Before You Begin 3-2
    Initiating a Management Session 3-2
        Serial Management and IP Address Assignment 3-2
        Telnet 3-3
    Starting the QuickStart Wizard 3-4
    Using the QuickStart Wizard 3-5
    Using the QuickStart Wizard with a Configured Appliance 3-14

CHAPTER 4 Using the Configuration Manager 4-1
    Overview 4-2
    Configuration Security 4-3
        Passwords 4-3
        Access Lists 4-3
        Factory Default Reset Password 4-4
    Before You Begin 4-4
    Initiating a Management Session 4-5
        Serial Management and IP Address Assignment 4-5
        Telnet 4-6
    Configuring the Device 4-6
        Example: Setting up Basic Device Parameters 4-7
        Example: Setting up a Secure Server 4-8
        Example: Setting up a Backend Server 4-10
        Example: Setting up a Reverse-Proxy Server 4-11
        Example: Configuring Secure URL Rewrite 4-12
        Example: Configuring SNTP Servers 4-14
        Example: Restricting Access using an Access List 4-15
        Configuring an Ethernet Interface 4-16
        Example: Saving a Configuration File 4-17
    Step-Up Certificates and Server-Gated Cryptography 4-17
    Configuring Certificate Groups 4-18
        Example: Configuring a Certificate Group 4-18
        Example: Importing Certificate Groups 4-20
    Using Client and Server Certificate Authentication 4-21
        Example: Configuring Server Certificate Authentication 4-21
        Example: Configuring Client Certificate Authentication 4-23
    Generating Keys and Certificates 4-24
        Example: Generating an RSA Key 4-24
        Example: Generating a Certificate 4-24
    Supporting SNMP 4-25
        Example: Configuring SNMP 4-25
    Supporting RIP 4-26
        Example: Configuring RIP 4-26
    Supporting Other Secure Protocols 4-27
        Example: Configuring a Secure Mail Server 4-27
    Supporting FIPS 4-27
    Working with Syslogs 4-28
    Disabling SSL Versions 4-28
    Enabling Keepalives 4-29
    Setting the Idle-Timeout 4-31

CHAPTER 5 Graphical User Interface Reference 5-1
    Overview 5-2
    Browser and System Support 5-2
    Enabling Web Management 5-2
    Restricting Access to Web Management 5-3
    Starting the GUI 5-3
        Configuring for Client-Side Access 5-4
        Administrative Time Out 5-5
    Web Management User Interface 5-5
    General Configuration Examples 5-7
        Example: Setting the Device Name (Hostname) 5-7
        Example: Resetting the IP Address 5-8
        Example: Configuring an Ethernet Interface 5-9
        Example: Enabling RIP 5-10
        Example: Adding a Route to the Routing Table 5-11
        Example: Working with Syslogs 5-13
        Example: Restricting Access using an Access List 5-14
        Example: Reloading (Rebooting) the Appliance 5-17
        Example: Setting an Enable Password 5-18
        Example: Configuring SNMP 5-19
    SSL Configuration Examples 5-22
        Example: Setting up a Secure Server 5-22
        Example: Creating and Using Certificate Groups 5-35
        Example: Supporting Other Secure Protocols 5-37
        Example: Generating an RSA Private Key 5-38
        Example: Generating a Self-Signed Certificate 5-42
        Example: Importing a PKCS#7 Certificate Group 5-46
        Example: Importing a PKCS#12 Certificate Group 5-47
    Running the Secure Server Wizard 5-48

CHAPTER 6 FIPS Operation 6-1
    FIPS Capabilities 6-2
    Using FIPS Mode 6-2
        Creating a Server in FIPS Mode 6-5
    Command Changes 6-7
        Unavailable Commands 6-7
        Differing Command Behaviors 6-7
    Returning to Normal Operation 6-9
    More Information 6-10
APPENDIX A Specifications A-1
    Electrical Specifications A-2
    Environmental Specifications A-2
    Physical Specifications A-3

APPENDIX B Deployment Examples B-1
    Single Device B-2
    Load Balancing B-2
    Use with the CSS B-4
        In-Line B-4
        One-Armed Non-Transparent Proxy B-10
        One-Armed Transparent Proxy B-19
    Connecting the Device to a Terminal Server B-30
    Web Site Changes B-30
    Transparent Local-Listen B-31

APPENDIX C Command Summary C-1
    Input Data Format Specification C-2
    Text Conventions C-2
    Editing and Completion Features C-3
    Command Hierarchy C-5
    Configuration Security C-6
        Passwords C-6
        Access Lists C-7
        Factory Default Reset Password C-7
    Methods to Manage the Device C-7
    Initiating a Management Session C-9
        Serial Management and IP Address Assignment C-9
        Telnet C-10
    Command Listing C-10
    Top Level Command Set C-31
    Non-Privileged Command Set C-31
        clear screen C-31
        cls C-31
        enable C-31
        exit C-32
        help C-32
        monitor C-33
        paws C-33
        ping C-33
        quit C-34
        set monitor-interval C-34
        show arp C-35
        show copyrights C-35
        show cpu C-35
        show date C-36
        show device C-36
        show dns C-37
        show flows C-37
        show history C-37
        show interface C-38
        show interface errors C-38
        show interface statistics C-39
        show ip domain-name C-40
        show ip name-server C-40
        show ip routes C-41
        show ip statistics C-41
        show keepalive-monitor C-41
        show log C-42
        show memory C-42
        show messages C-42
        show netstat C-43
        show password C-43
        show password access C-43
        show password enable C-44
        show password idle-timeout C-44
        show processes C-44
        show rdate-server C-45
        show rip C-45
        show route C-45
        show sessions C-46
        show sntp C-46
        show sntp-server C-46
        show ssl C-47
        show ssl cert C-47
        show ssl certgroup C-48
        show ssl errors C-49
        show ssl key C-54
        show ssl secpolicy C-54
        show ssl server C-55
        show ssl session-stats C-56
        show ssl statistics C-58
        show ssl tcp-tuning C-60
        show syslog C-61
        show system-resources C-61
        show telnet C-62
        show terminal C-62
        show timezone C-62
        show version C-63
        show web-management C-63
        terminal baud C-63
        terminal history C-64
        terminal length C-65
        terminal pager C-65
        terminal reset C-66
        terminal width C-66
        traceroute C-67
    Privileged Command Set C-68
        clear interface statistics C-68
        clear ip routes C-68
        clear ip statistics C-69
        clear line C-69
        clear log C-69
        clear messages C-70
        clear ssl session-stats C-70
        clear ssl statistics C-70
        configure C-71
        copy running-configuration C-71
        copy running-configuration startup-configuration C-72
        copy startup-configuration C-72
        copy startup-configuration running-configuration C-73
        copy to flash C-73
        copy to running-configuration C-74
        copy to startup-configuration C-74
        disable C-75
        erase running-configuration C-75
        erase startup-configuration C-75
        fips enable C-76
        quick-start C-76
        refresh C-77
        reload C-77
        show access-list C-77
        show diagnostic-report C-78
        show running-configuration C-79
        show snmp C-79
        show startup-configuration C-80
        write flash C-81
        write memory C-81
        write messages C-82
        write network C-82
        write terminal C-83
    Configuration Command Set C-84
        access-list C-84
        clock C-85
        end C-86
        exit C-86
        finished C-86
        help C-87
        hostname C-87
        interface C-88
        ip address C-88
        ip domain-name C-89
        ip name-server C-89
        ip route C-90
        ip route default C-91
        keepalive-monitor C-91
        mode one-port C-92
        mode pass-thru C-92
        password C-92
        rdate-server C-93
        registration-code C-94
        rip C-94
        no snmp C-95
        snmp access-list C-96
        snmp contact C-97
        snmp default community C-97
        snmp enable C-98
        snmp location C-99
        snmp trap-host C-100
        snmp trap-type enterprise C-101
        snmp trap-type generic C-102
        sntp interval C-103
        sntp server C-104
        ssl C-104
        syslog C-105
        telnet access-list C-106
        telnet enable C-107
        telnet port C-107
        timezone C-108
        web-mgmt access-list C-108
        web-mgmt enable C-109
        web-mgmt port C-110
    Interface Configuration Command Set C-111
        auto C-111
        duplex C-111
        end C-111
        finished C-112
        help C-112
        speed C-112
    SSL Configuration Command Set C-113
        backend-server C-113
        cert C-114
        certgroup C-115
        end C-116
        exit C-116
        finished C-116
        gencsr C-116
        help C-117
        import pkcs12 C-118
        import pkcs7 C-118
        key C-119
        reverse-proxy-server C-120
        secpolicy C-121
        server C-122
        tcp-tuning C-122
    Backend Server Configuration Command Set C-124
        activate C-124
        certgroup serverauth C-124
        end C-125
        exit C-125
        finished C-125
        help C-126
        info C-126
        ip address C-126
        keepalive enable C-127
        keepalive frequency C-127
        keepalive maxfailure C-128
        localport C-128
        log-url C-129
        remoteport C-129
        secpolicy C-130
        serverauth domain-name C-131
        serverauth enable C-131
        serverauth ignore C-132
        session-cache enable C-132
        session-cache size C-133
        session-cache timeout C-133
        sslv2 enable C-134
        sslv3 enable C-134
        suspend C-135
        tcp-tuning C-135
        tlsv1 enable C-136
        transparent C-136
        urlrewrite C-137
    Certificate Configuration Command Set C-138
        binhex C-138
        der C-138
        end C-139
        exit C-139
        finished C-139
        help C-139
        info C-140
        pem C-140
        pem-paste C-140
    Certificate Group Configuration Command Set C-142
        cert C-142
        end C-142
        exit C-143
        finished C-143
        help C-143
        info C-144
    Key Configuration Command Set C-145
        binhex C-145
        der C-145
        end C-146
        exit C-146
        finished C-146
        genrsa C-146
        help C-147
        info C-148
        net-iis C-148
        pem C-148
        pem-paste C-149
    Reverse-Proxy Server Configuration Command Set C-150
        activate C-150
        certgroup serverauth C-150
        end C-151
        exit C-151
        finished C-152
        help C-152
        info C-152
        localport C-153
        log-url C-153
        secpolicy C-154
        serverauth enable C-155
        serverauth ignore C-155
        session-cache enable C-156
        session-cache size C-156
        session-cache timeout C-157
        sslv2 enable C-157
        sslv3 enable C-158
        suspend C-158
        tcp-tuning C-159
        tlsv1 enable C-159
        urlrewrite C-160
    Security Policy Configuration Command Set C-161
        crypto C-161
        end C-163
        exit C-163
        finished C-164
        help C-164
        info C-164
    Server Configuration Command Set C-165
        activate C-165
        cert C-165
        certgroup chain C-166
        certgroup clientauth C-167
        clientauth enable C-167
        clientauth error C-168
        clientauth verifydepth C-169
        end C-170
        ephemeral error C-170
        ephrsa C-171
        exit C-171
        finished C-171
        help C-172
        httpheader C-172
        info C-175
        ip address C-175
        keepalive enable C-176
        keepalive frequency C-176
        keepalive maxfailure C-177
        key C-177
        localport C-178
        log-url C-178
        remoteport C-179
        secpolicy C-180
        session-cache enable C-181
        session-cache size C-181
        session-cache timeout C-182
        sharedcipher error C-182
        sslport C-183
        sslv2 enable C-183
        sslv3 enable C-184
        suspend C-184
        tcp-tuning C-185
        tlsv1 enable C-185
        transparent C-186
        urlrewrite C-187
    TCP Tuning Configuration Command Set C-189
        2msltime C-189
        delay-ack C-190
        finwt2time C-191
        keepalive C-191
        keepalive-cnt C-192
        keepalive-intv C-193
        max-rexmit C-193
        maxrt C-194
        maxseg C-194
        mtu C-195
        nodelay C-196
        nopush C-196
        probe-max C-197
        probe-min C-198
        push-all C-199
        rto-def C-199
        rto-max C-200
        rto-min C-201
        slow-start C-202
        stdurg C-202
        ts C-203
        wnd-scale C-204

APPENDIX D MiniMax Command Summary D-1
    Text Conventions D-2
    Getting Help D-3
    Examples D-4
        Configuring Basic Device Parameters D-4
        Installing a Firmware Image (Netcat) D-5
        Installing a Firmware Image (Xmodem) D-6
        Extracting a Device Configuration D-8
        Resetting the Environment to Factory Defaults D-9
    Command Set D-11
        ? (question mark) D-11
        baud D-11
        boot D-11
        cat D-11
        do D-12
        eaddr D-12
        env D-13
        help D-14
        hinv D-14
        ifconfig D-14
        ip D-14
        ls D-15
        netstat D-15
        printenv D-15
        rdate-server D-15
        reboot D-16
        resetenv D-16
        rm D-16
        sbridge D-16
        show D-17
        version D-18
        zap D-18

APPENDIX E Troubleshooting E-1
    Troubleshooting the Hardware E-2

APPENDIX F SSL Introduction 1
    Introduction to SSL 2
    Port Blocking Mechanism 2
    Before You Begin 4
    Using Existing Keys and Certificates 4
        Apache mod_SSL 5
        ApacheSSL 5
        Stronghold 5
        IIS 4 on Windows NT 5
        IIS 5 on Windows 2000 6
    Configuration Security 7
        Passwords 7
        Access Lists 8
        Factory Default Reset Password 8
    Cisco SSL Configuration Components 8
        Real Server IP Addresses 9
        Keys 9
        Certificates 9
        Step-Up Certificates and Server-Gated Cryptography 9
        Chained Certificates 10
        Security Policies 10
    Cisco Secure Content Accelerator Management 12

APPENDIX G Regulatory Information 15
    Regulatory Standards Compliance 16
    Canadian Radio Frequency Emissions Statement 16
    FCC Class A 17
    CISPR 22 (EN 55022) Class A 18
    VCCI 18
FIGURES

Figure 2-1 Secure Content Accelerator Front Panel 2-6
Figure 2-2 Secure Content Accelerator Rear Panel 2-6
Figure 2-3 SCA Ethernet Port Detail 2-7
Figure 2-4 SCA2 Ethernet Port Detail 2-7
Figure 4-1 Configuration Manager Hierarchy 4-2
Figure 5-1 Password Request Dialog Box 5-4
Figure 5-2 Basic User Interface Example 5-6
Figure 5-3 Changing Hostname Configuration Example 5-8
Figure 5-4 Resetting IP Information Configuration Example 5-9
Figure 5-5 Ethernet Interface Configuration Example 5-10
Figure 5-6 RIP Configuration Example 5-11
Figure 5-7 Routing Table Configuration Example 5-12
Figure 5-8 Adding a Route Example 5-12
Figure 5-9 Syslog Configuration Example 5-13
Figure 5-10 Access List Configuration Example 5-14
Figure 5-11 Add Access List Entry Example 5-15
Figure 5-12 Subsystem Access Configuration Example 5-16
Figure 5-13 Device Reloading Example 5-17
Figure 5-14 Save Changes Button 5-17
Figure 5-15 Change Password Example 5-18
Figure 5-16 SNMP Configuration Example 5-19
Figure 5-17 SNMP Trap Example 5-20
Figure 5-18 Add SNMP Trap Host Example 5-21
Figure 5-19 Private Keys Tab 5-22
Figure 5-20 Add Private Key Example 5-23
Figure 5-21 Importing a Private Key File Example 5-24
Figure 5-22 Certificates Tab 5-25
Figure 5-23 Add Certificate Example 5-26
Figure 5-24 Importing a Certificate Example 5-27
Figure 5-25 Security Policies Tab 5-28
Figure 5-26 Add Security Policy Example 5-29
Figure 5-27 Secure Servers Tab 5-30
Figure 5-28 Add Secure Server Information Example 5-31
Figure 5-29 Server Certificate and Security Policy Example 5-32
Figure 5-30 SSL Session Cache Example 5-32
Figure 5-31 Add URL Rewrite Rule Example 5-33
Figure 5-32 Add Secure Server Information Example 5-33
Figure 5-33 Add HTTP Headers Example 5-34
Figure 5-34 Add Keepalives Example 5-34
Figure 5-35 Certificate Groups Tab 5-35
Figure 5-36 Add Certificate Group Example 5-36
Figure 5-37 Assign Certificate Group Example 5-37
Figure 5-38 Configuring for Other Protocols Example 5-38
Figure 5-39 Generating a Private Key 5-39
Figure 5-40 Key Not Displayed Example 5-40
Figure 5-41 Key Displayed Example 5-41
Figure 5-42 Generate CSR Example 5-42
Figure 5-43 Generate Self-Signed Certificate 5-43
Figure 5-44 Self-Signed Certificate Example 5-44
Figure 5-45 Successfully Generated Self-Signed Certificate 5-45
Figure 5-46 Import PKCS#7 Certificate Group Example 5-46
Figure 5-47 Import PKCS#12 Certificate Group Example 5-47
Figure 5-48 Starting the Secure Server Wizard 5-48
Figure B-1 Single Secure Content Accelerator Installation B-2
Figure B-2 Secure Content Accelerator Installation with a Load Balancer B-3
Figure B-3 Secure Content Accelerator In-Line Installation B-5
Figure B-4 Secure Content Accelerator One-Armed Non-Transparent Proxy Installation B-11
Figure B-5 Secure Content Accelerator One-Armed Transparent Proxy Installation B-20
Figure C-1 Command Hierarchy C-5
Figure E-1 Troubleshooting Flowchart 1 E-6
Figure E-2 Troubleshooting Flowchart 2 E-7
Figure E-3 Troubleshooting Flowchart 3 E-8
Figure F-1 Port Blocking 3
Figure F-2 Port Blocking with Dropped Traffic 3

TABLES

Table 1-1 Secure Content Accelerator Model Differences 1-3
Table 2-1 SCA Port LED Descriptions 2-7
Table 2-2 SCA2 Port LED Descriptions 2-8
Table 6-1 Unavailable Commands 6-7
Table 6-2 FIPS Mode Command Changes 6-8
Table A-1 AC Electrical Specifications A-2
Table A-2 Environmental Specifications A-2
Table A-3 Physical Specifications A-3
Table B-1 In-Line Installation Device Configuration B-6
Table B-2 One-Armed Non-Transparent Proxy Installation Device Configuration B-12
Table B-3 One-Armed Transparent Proxy Installation Device Configuration B-22
Table C-1 Input Data Formats C-2
Table C-2 Key Reference C-3
Table C-3 Non-Privileged Command Description C-11
Table C-4 Privileged Command Description C-14
Table C-5 Configuration Command Description C-16
Table C-6 Interface Configuration Command Description C-19
Table C-7 SSL Configuration Command Description C-20
Table C-8 Backup-Server Configuration Command Description C-21
Table C-9 Certificate Configuration Command Description C-23
Table C-10 Certificate Group Configuration Command Description C-23
Table C-11 Key Configuration Command Description C-24
Table C-12 Reverse-Proxy Server Configuration Command Description C-25
Table C-13 Security Policy Configuration Command Description C-26
Table C-14 Server Configuration Command Description C-27
Table C-15 TCP Tuning Configuration Command Description C-29
Table C-16 Output Description for show ssl errors C-49
Table C-17 Abbreviations Used for show ssl errors continuous C-53
Table C-18 Output Description for show ssl session-stats C-57
Table C-19 Output Description for show ssl statistics C-59
Table C-20 Headers Inserted with httpheader client-cert Command C-173
Table C-21 Headers Inserted with httpheader session Command C-174
Table C-22 Headers Inserted with httpheader server-cert Command C-174
Table D-1 Firmware Image Selection D-5
Table D-2 Firmware Image Selection D-7
Table E-1 Troubleshooting the Hardware E-2
Table F-1 Secure Content Accelerator Cryptographic Algorithms 10
Table G-1 Regulatory Standards Compliance 16