HP sa7120 User Manual

hp e-commerce
server accelerator
sa7100/sa7120
user guide
© Copyright 2001 Hewlett-Packard Company. All rights reserved.
Hewlett-Packard Company 3000 Hanover Street Palo Alto, CA 94304-1185
5971-0894 February 2001
Disclaimer
The information contained in this document is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett-Packard.
Warranty
A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from http://www.hp.com/serverappliances/support.
*Other brands and names are the property of their respective owners.

Table of Contents

Chapter 1: Introduction
About this User Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Who Should Use this Book. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
How to Use this Book. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Chapter 2: Installation and Initial Configuration
Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Installing the SA7100/SA7120 Free-Standing or in a Rack. . . . . . . . . . . . . . . . . . . . . 6
Rack Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Free-Standing Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Network Connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Status Check. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Network and Server LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Inline LED. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Admin Terminal Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
HyperTerminal* Paste Operations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Server and Network LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Continuing Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Chapter 3: Theory of Operation
Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Single Server Acceleration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Multiple Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Working with Internet Traffic Management (ITM) Devices . . . . . . . . . . . . . . . . . . . 13
Positioning SA7100/SA7120 between ITM Device and Client Network . . . . . . . 13
Positioning SA7100/SA7120 between ITM Device and Server . . . . . . . . . . . . . . 14
Multiple SA7100/SA7120s and Cascading Processing . . . . . . . . . . . . . . . . . . . . . . . 14
Scalability and Cascading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Spilling and Throttling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Availability. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Keys and Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Cutting and Pasting with HyperTerminal* . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Obtaining a Certificate from VeriSign* or Other Certificate Authority . . . . . . . . 17
Procedure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Exporting a Key/Certificate from a Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Apache* Interface to Open SSL* (mod_ssl). . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Apache SSL*. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Stronghold*. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Importing into the SA7100/SA7120 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Creating a new Key/Certificate on the SA7100/SA7120. . . . . . . . . . . . . . . . . . . . 22
Procedure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Global Site Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Global Site Certificate Paste Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Redirection: Clients and Unsupported Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Client Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Creating a Client CA Certificate using OpenSSL* . . . . . . . . . . . . . . . . . . . . . . . . 28
SSL Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Server Assignment (“Mapping”) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Automapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Automapping with user-specified key and certificate. . . . . . . . . . . . . . . . . . . . 30
Automapping with multiple port combinations . . . . . . . . . . . . . . . . . . . . . . . . 30
Deleting automapping entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Manual mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Combining automapping and manual mapping . . . . . . . . . . . . . . . . . . . . . . . . 31
Blocking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Specific IP, Specific Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Subnet, Specific Port. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
All IPs, Specific Port. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Delete a Block. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Failure Conditions, Fail-safe, and Fail-through . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Chapter 4: Scenarios
Scenario 1—Single Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Procedure for Scenario 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Automapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Manual Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Scenario 2—Multiple Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Procedure for Scenario 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Scenario 3—Multiple SA7100/SA7120s, Cascaded . . . . . . . . . . . . . . . . . . . . . . . . . 40
Initial Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Procedure for Scenario 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Scenario 4—Different Ingress and Egress Routers . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Procedure for Scenario 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Scenario 5—Configuring a Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
SA7120 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Chapter 5: Command Reference
Online Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Command Line Prompt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Syntax. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Abbreviation to Uniqueness. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Moving the Insertion Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Command History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Cutting Text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Command Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Command Reference. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Help Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Status Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
SSL Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Port Mapping Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Operational Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Remote Management Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Alarms and Monitoring Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Configuration Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Administration Commands
Logging Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Chapter 6: Remote Management
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Limitations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Remote Management CLI Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Remote Telnet Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Local Serial Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Remote Console, Telnet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Changing the Telnet Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Disabling Telnet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Remote SSH Sessions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Local Serial Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Remote Console, SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Changing the SSH Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Disabling SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Standards Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
HP MIB Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Supported MIBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Where to find MIB Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Enterprise Private MIB Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Trap Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Standard SNMP Traps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Private Traps in the HP private MIB (hpssl-appliance-mib.my) . . . . . . . . . . . . . . . 106
Enabling SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Specifying SNMP Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Community String. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Trap Community String . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Chapter 7: Alarms and Monitoring
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Alarm Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
ESC: Encryption Status Change Alarm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Alarm Modifiers and Messages: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
RSC: Refused SSL Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Alarm Modifiers and Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Extended Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
RSC Alarm CLI Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
UTL: Utilization Threshold Alarm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Alarm Modifiers and Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Extended Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
UTL Alarm CLI commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
OVL: Overload Alarm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Alarm Modifiers and Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Extended Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
OVL Alarm CLI Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
NLS: Network Link Status Alarm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Alarm Modifiers and Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Extended Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Alarm Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Example: list logs command: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Example: status command. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Example: status alarms command. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Monitoring Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Report Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Monitoring Reports CLI Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Chapter 8: Software Updates
Before Upgrading. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Monitoring output data can interfere with import/export operations.. . . . . . . 126
IP blocks may not persist across software upgrade. . . . . . . . . . . . . . . . . . . . . 126
Using Windows* HyperTerminal*. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Chapter 9: Troubleshooting
Appendix A: Front Panel
Buttons and Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Front Panel LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Connectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Appendix B: Failure/Bypass Modes
Bypass Button. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Fail-through Switch (Security Level) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Appendix C: Supported Ciphers
Cipher Strength. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
SSL Version Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Appendix D: Regulatory Information
Taiwan Class A EMI Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
VCCI Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
FCC Part 15 Compliance Statement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Canada Compliance Statement (Industry Canada). . . . . . . . . . . . . . . . . . . . . . . . . . 147
CE Compliance Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
CISPR 22 Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
VCCI Class A (Japan). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Australia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
WARNING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
AVERTISSEMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
WARNUNG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
AVVERTENZA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
ADVERTENCIAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Wichtige Sicherheitshinweise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Appendix E: Software License Agreement
Mozilla* and expat* License Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
MOZILLA PUBLIC LICENSE, Version 1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Support Services
Support for your SA7100/SA7120 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
U.S. and Canada. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Europe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Asia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Latin America . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Other Countries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Glossary
Index

Introduction

Congratulations on your choice of the HP e-Commerce Server Accelerator SA7100/SA7120. The processing of secure transactions through Secure Socket Layer (SSL) can use up to 90% of even the largest server’s CPU power and can degrade response time significantly. The SA7100/SA7120 provides a completely transparent way to increase the performance of Web sites for SSL transactions. The SA7100/SA7120 is positioned in front of the server farm, where it intercepts SSL transactions, processes them, and relays them to the servers. The SA7100/SA7120 performs all encryption and decryption management in this environment with a minimum of administrator interaction.

About this User Guide

This User Guide supports the HP e-Commerce Server Accelerator SA7100 and the HP e-Commerce Server Accelerator SA7120. By default this text refers to the product as “SA7100/SA7120.” Where appropriate, the text refers to “SA7100” or “SA7120.” Additionally, notes in the left-hand margin may be used to distinguish the two products. Illustrations of the command prompt use: HP SA7120>.

Who Should Use this Book

This User Guide is intended for administrators with the following background:
Familiarity with networking concepts and terminology.
Basic knowledge of network topologies.
Basic knowledge of networks and IP routing.
Some knowledge of SSL, keys, and certificates.
Knowledge of Web servers.

Before You Begin

SA7100/SA7120 setup can be divided into three basic procedures:
Physically install single or multiple SA7100/SA7120s with single or multiple servers.
Configure your SA7100/SA7120 in the Command Line Interface.
Identify existing certificates or obtain new ones you want to use in SSL operations.

How to Use this Book

The information in this book is organized as follows:
Chapter 1: Introduction provides an introduction and overview of the SA7100/SA7120, and a summary of new features.
Chapter 2: Installation and Initial Configuration contains installation and initial configuration procedures. (This material is also discussed in the separate Quick Start Guide.)
Chapter 3: Theory of Operation explains the general principles behind SA7100/SA7120 operation.
Chapter 4: Scenarios provides examples of SA7100/SA7120 configurations, together with specific procedures for their implementation.
Chapter 5: Command Reference explains the Command Line Interface (CLI), and lists the commands and their functions.
Chapter 6: Remote Management details how you can use Telnet, Secure Shell (SSH), and SNMP to manage the SA7100/SA7120 from remote locations.
Chapter 7: Alarms and Monitoring explains the ways in which you can configure the device to report information to you, either routinely or as a result of abnormal events or conditions.
Chapter 8: Software Updates provides procedures for obtaining SA7100/SA7120 system software updates.
Chapter 9: Troubleshooting is a table containing symptoms of problems you may encounter with corresponding likely causes and remedies.
Appendix A: Front Panel diagrams and explains the SA7100/SA7120’s front panel LEDs, buttons, and connections.
Appendix B: Failure/Bypass Modes explains how the SA7100/SA7120 deals with failure conditions and details the bypass function.
Appendix C: Supported Ciphers lists the supported encryption ciphers.
Appendix D: Regulatory Information provides information regarding the SA7100/SA7120’s compliance with applicable regulations.
Appendix E: Software License Agreement contains the software license and terms and conditions of use of this product.
Support Services contains customer support telephone numbers for various locales.
Glossary defines terms appearing in this User Guide.

Installation and Initial Configuration

Before You Begin

WARNING: Do not remove the device’s cover. There are no user-serviceable parts inside.
Before you begin installation, you need the following:
IP address for SA7100/SA7120 (only if you intend to use the Remote Management).
IP addresses and IP port numbers of servers.
Keys/certificates. See Chapter 3 for information on obtaining keys and certificates.
Network cables, such as straight-through and/or crossover cables. (The table in the section Network Connections in this chapter identifies the types of cables you must use.)
Phillips screwdriver (rack-mounting only).
Rack-mounting screws (rack-mounting only).

Installing the SA7100/SA7120 Free-Standing or in a Rack

The HP e-Commerce Server Accelerator SA7100/SA7120 is physically installed in either of two ways:
In a standard 19” rack, cantilevered from the provided mounting brackets.
Free-standing on a flat surface with sufficient space for air-flow.

Rack Installation

Rack mounting requires the use of the mounting brackets, and all four of the included Phillips screws.
1. Locate the two mounting brackets and the four screws. (Two screws for each bracket.)
2. Attach a mounting bracket to each side of the SA7100/SA7120, using two of the provided screws for each bracket. Use the holes near the front of the SA7100/SA7120’s sides. The brackets have both round and oval holes; the flange with round holes attaches to the SA7100/SA7120, the flange with oval holes to the rack.
Figure: Mounting Bracket Orientation
3. Position the SA7100/SA7120 in the desired space of your 19” rack and attach the front flange of each mounting bracket to the rack with two screws each. (Rack-mounting screws are not provided.)

Free-Standing Installation

1. Attach the provided self-adhesive rubber feet to the SA7100/SA7120’s bottom.
2. Place the SA7100/SA7120 on a flat surface and make sure that there is adequate airflow surrounding the unit (allow at least one inch of air space on all sides).

Network Connections

NOTE: Use caution when connecting both of the SA7100/SA7120’s network ports to the same switch, hub, or router. Doing so creates a feedback loop that adversely affects network bandwidth.
Use the table below to select and install the appropriate cables. (All cables must be Category 5 UTP or better.)

Device being connected              SA7100/SA7120’s network connector   SA7100/SA7120’s server connector
Workstation or Server               Crossover cable                     Straight-through cable
Switch or Hub                       Straight-through cable              Crossover cable
Router                              Crossover cable                     Not recommended
SA7100/SA7120 network connector*    N/A                                 Straight-through cable
SA7100/SA7120 server connector*     Straight-through cable              N/A
* Applicable only to multiple, cascaded units.

3. Connect the provided power cable to the back of the unit. (There is no power switch.) Under normal circumstances, the SA7100/SA7120 requires approximately 30 seconds to boot. When the boot is complete, the unit’s Power LED is steadily illuminated. (If the Power LED is not steadily illuminated, see Chapter 9, Troubleshooting, to rectify before proceeding to Step 3.)
4. The Inline LED should be either steadily illuminated or blinking (to indicate Inline mode). If it is not, press the Bypass switch on the device’s front panel to enable Inline mode.
5. At this point both the Network and Server LEDs should be steadily illuminated. If not, please see Chapter 9, Troubleshooting.
Figure: Network Connections (Hub/Router/Switch, HP e-Commerce Server Accelerators, Server)

Status Check

Before proceeding to the Admin Terminal Connection section, take a moment to verify that the SA7100/SA7120 is correctly connected.
Network and Server LEDs
Verify that the Network and Server LEDs are both illuminated. If one or both are not, refer to the Troubleshooting section at the end of this chapter.
Inline LED
A blinking Inline LED indicates that the system is online in Fail-safe mode. Refer to the Troubleshooting section at the end of this chapter or Appendix B, Failure/Bypass Modes.

Admin Terminal Connection

Figure: Front Panel Connectors and LEDs (Power (green), Error (red), Overload (amber), Activity (green); Aux and Console serial ports; Network Link (green) and Network Link (RJ45); Inline (green); Server Link (green) and Server Link (RJ45))

Run HyperTerminal* or a similar terminal emulator on your PC. The steps below are illustrative of HyperTerminal*. Other terminals will require different procedures.
1. Use the serial cable provided with the SA7100/SA7120 to connect the device’s serial port (the left-hand serial port labeled Console) to the serial port of any terminal. (A PC running Windows* HyperTerminal* is used here as an example.)
2. Type an appropriate name in the Name field of the Connection Description window (e.g., “Configuration”), and then click the OK button. The Phone Number panel appears.
3. In the Connect Using… field specify “COM1” (or the serial port through which the PC is connected to the SA7100/SA7120 if different from COM1).
4. Click the OK button. The COM1 Properties panel appears. Set the values displayed here to 9600, 8, none, 1, and none.
5. Click the OK button.

HyperTerminal* Paste Operations

If you’re using HyperTerminal* you must make the following configuration change:
1. In the File menu, click Properties.
2. Click the Settings tab.
3. Click the ASCII Setup button.
4. Change the values of Line and Character delay from 0 to at least 1 millisecond.
5. Click OK to exit ASCII Setup.
6. Click OK to exit Connection Properties.

Troubleshooting

Server and Network LEDs

If either the Network or Serv er LED fails to illuminate us ing either straight-through or crossover network cables, the problem may be elsewhere in the network. Verify by wiring around the SA7100/ SA7120.
Inline LED
The Fail-through switch allows you to control what happens in the event of a failure. It is located in a recess between the Network and Server connectors. Use a small screwdriver or paper clip to manipulate the switch. The two options are:
Allow traffic to flow through the SA7100/SA7120 unprocessed (Fail-through mode, indicated by a steadily illuminated Inline LED).
Block traffic flow through the SA7100/SA7120 entirely (Fail-safe mode, indicated by a blinking Inline LED).
Please see Appendix B for a table describing all permutations of LED operation.

Continuing Configuration

This concludes basic configuration of the SA7100/SA7120. To configure the unit for production please continue with Chapter 3, Theory of Operations, or Chapter 4, Scenarios.

Security

The HP e-Commerce Server Accelerator SA7100/SA7120 offers Remote Management capability. This feature requires that the SA7100/SA7120’s network interface be assigned an IP address, thus security becomes a matter for your attention. If you intend to manage your SA7100/SA7120 from a remote location, be sure to read the section, Access Control in Chapter 6.

Chapter 3: Theory of Operation

Single Server Acceleration

Typically, SA7100/SA7120 supports the SSL processing needs of a single server. This is the simplest and most common configuration. The SA7100/SA7120 is connected to the network between the router and the server.
Ideally, the SA7100/SA7120 is installed in the network in such a way as to minimize network latency.
[Figure: SA7100/SA7120 in Single Server Configuration (Router, HP e-Commerce Server Accelerator SA7100/7120, Single Server)]

Multiple Servers

Given the SSL processing power of the SA7100/SA7120, multiple servers can be supported. In this configuration, the SA7100/SA7120 sits between the router and the switch. SSL traffic intended for these servers is intercepted and other traffic is passed through.
[Figure: SA7100/SA7120 in Multiple Server Configuration (Router, HP e-Commerce Server Accelerator SA7100/7120, hub/switch, Server 1, Server 2, Server 3)]

Working with Internet Traffic Management (ITM) Devices

The SA7100/SA7120 is compatible with Internet Traffic Management (ITM) devices. In such environments, the SA7100/SA7120 lies between the router and the ITM device, or between the ITM device and the server. ITM devices distribute workload across multiple servers and redirect traffic based on content.

Positioning SA7100/SA7120 between ITM Device and Client Network

If the ITM device supports layer 7 traffic management, URLs must be readable (that is, unencrypted). Therefore, in environments performing layer 7 load balancing, it is recommended that the SA7100/SA7120 be placed between the ITM device and the client network.
[Figure: SA7100/SA7120 Between Router and ITM Device (Client, Internet, Router, HP e-Commerce Server Accelerator SA7100/7120, ITM Device, Server 1, Server 2, Server 3)]

Positioning SA7100/SA7120 between ITM Device and Server

If security considerations require limited network access to clear text, the SA7100/SA7120 should be placed between the ITM device and the server.
NOTE: The illustrated configuration precludes layer 7 load balancing because secure traffic through the ITM device is encrypted.
[Figure: SA7100/SA7120s Between ITM Device and Servers (Client, Internet, Router, ITM Device, HP e-Commerce Server Accelerator SA7100/7120s, Servers)]

Multiple SA7100/SA7120s and Cascading Processing

Scalability and Cascading

The SA7100/SA7120’s capabilities are scalable by chaining, or cascading, multiple SA7100/SA7120s together. In such configurations, each unit’s server side connector is wired to the network side connector of the next SA7100/SA7120 in line. The last SA7100/SA7120 in line is connected to the server, switch, or ITM device.
[Figure: Cascaded SA7100/SA7120s (Hub/Router/Switch, HP e-Commerce Server Accelerator SA7100/7120s, Server)]

Spilling and Throttling

When the SA7100/SA7120’s “spill” option is enabled, if a given SA7100/SA7120 cannot process a request within a specified interval, the request is passed on, still encrypted, to the next SA7100/SA7120 in line. The last SA7100/SA7120 on the server side can also be enabled to spill to the server. Spilling is performed dynamically on a connection-by-connection basis. (See spill command, Chapter 5, Command Reference.) If spill is disabled, the SA7100/SA7120 throttles, that is, will not accept incoming requests when it becomes overloaded.

Availability

When a SA7100/SA7120 fails or is set to Bypass mode while Fail-through is enabled, the SA7100/SA7120’s network side and server side network adapters are directly connected, allowing traffic to pass through to the next device until the failed unit is brought back into service. This feature eliminates a single point of failure and provides a high level of availability, should there be a failure. In installations with multiple SA7100/SA7120s, the next unit in the cascade picks up the encryption/decryption workload, while in single SA7100/SA7120 configurations, the server assumes the load. See “Failure/Bypass Modes” in Appendix B for more information.
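The following Python model is an added illustration for the spilling, throttling and fail-through rules in this section; it is not HP software and does not communicate with the SA7100/SA7120. The Accelerator class, the unit names and the capacities are assumptions of the model. It walks one connection at a time down a cascade from the network side to the server side, so you can see where connections end up for a given chain and set of spill settings.

```python
from dataclasses import dataclass

# Added illustrative model, not HP software. Unit names and capacities are assumptions.


@dataclass
class Accelerator:
    name: str
    capacity: int          # connections the unit can process within the interval
    spill: bool = True     # "spill" option: hand excess on, still encrypted
    failed: bool = False   # failed, or in Bypass mode with Fail-through enabled
    active: int = 0

    def accept(self) -> bool:
        """Take the connection if the unit still has capacity."""
        if self.active < self.capacity:
            self.active += 1
            return True
        return False


def route_connection(chain):
    """Walk the cascade network side to server side and report where one SSL
    connection ends up: a unit name, "server" (it arrives still encrypted) or
    "throttled" (refused by an overloaded unit whose spill option is off)."""
    for unit in chain:
        if unit.failed:
            # Fail-through: the network side and server side adapters are wired
            # straight through, so the next device sees the traffic unchanged.
            continue
        if unit.accept():
            return unit.name
        if not unit.spill:
            return "throttled"
        # Spill enabled: pass the encrypted connection to the next hop. For the
        # last unit in line the next hop is the server itself.
    return "server"


def simulate(chain, n_connections):
    """Send n_connections down a freshly reset cascade and count the outcomes."""
    for unit in chain:
        unit.active = 0
    counts = {}
    for _ in range(n_connections):
        dest = route_connection(chain)
        counts[dest] = counts.get(dest, 0) + 1
    return counts


if __name__ == "__main__":
    cascade = [Accelerator("sa-1", capacity=3), Accelerator("sa-2", capacity=2)]
    print(simulate(cascade, 7))   # two connections reach the server still encrypted
    cascade[1].spill = False
    print(simulate(cascade, 7))   # the same two are throttled instead
    cascade[0].failed = True
    print(simulate(cascade, 3))   # sa-1 passes through; sa-2 takes two and throttles one
```

The "server" outcome is the one worth watching: those connections arrive at the server still encrypted, exactly as the spill text says, so whatever sits beyond the last unit must be prepared to receive SSL traffic on the network port rather than cleartext on the server port.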

Keys and Certificates

WARNING: The SA7100/SA7120 comes with default keys and certificates for test purposes. Certificates for production use should be obtained from a recognized certificate authority.
A necessary part of the SA7100/SA7120 configuration is the use of keys and certificates. A key is a set of numbers used to encrypt or decrypt data. A certificate is a “form” that identifies a server or user. The certificate contains information about your company as well as information from a third party that verifies your identity.
There are three ways to obtain keys and certificates:
Obtaining a certificate from VeriSign* or other Certificate Authority (or CA)
Using an existing key/certificate
Creating a new key/certificate on the SA7100/SA7120

Cutting and Pasting with HyperTerminal*

Cutting and pasting is an integral part of the next several procedures. Below are procedures for cutting and pasting in HyperTerminal*. If you use some other terminal program, consult that product’s documentation for appropriate procedures.
To copy an item (key, certificate signing request, etc.) from HyperTerminal*:
1. Open the HyperTerminal* window.
2. Click and drag to select the item.
3. After the item is selected, open the Edit menu and click Copy (or type <ctrl-c>).
4. Open the window where you will paste the data, and position the cursor at the appropriate point.
5. In the Edit menu, click Paste (or type <ctrl-v>).
To paste an item (key, certificate signing request, etc.) into HyperTerminal*:
1. Display the item in the appropriate application window, then click and drag to select the item.
2. Once the item is selected, click the Edit menu and select Copy (or type <ctrl-c>).
3. Move to the HyperTerminal* window, and position the cursor at the appropriate point.
4. Pull down the Edit menu, and select Paste to Host (or type <ctrl-v>).

Obtaining a Certificate from VeriSign* or Other Certificate Authority

Use the create key command to create your key and the create sign command to create a signing request to be sent to VeriSign* or other CA for authentication. The CA will return it in approximately one to five days. After you have received the certificate, use the import cert command to import it into the SA7100/SA7120.
The fields input to create a signing request are called collectively a Distinguished Name (DN). For optimal security, one or more fields must be modified to make the DN unique.
Procedure
Create a key:
1. Type the create key command at the prompt:
    HP SA7120> create key
    Key strength (512/1024) [512]:
    New keyID [001]: mywebserver
    Keypair was created for keyID: mywebserver
2. Create a Certificate Signing Request:
    HP SA7120> create sign mywebserver
    You are about to be asked to enter information that will be incorporated into your certificate request. The "common name" must be unique. For other fields, you could use default values.
Certifying authorities have specific guidelines on how to answer each of the questions. These guidelines may vary by certifying authority. Please refer to the guidelines of the certifying authority to whom you submit your Certificate Signing Request (CSR). Please keep the following in mind when entering the information that will be incorporated into your certificate request:
Country code: This is the two-letter ISO abbreviation for your country (for example, US for the United States).
State or Province: This is the name of the state or province where your organization’s head office is located. Please enter the full name of the state or province. Do not abbreviate.
Locality: This is usually the name of the city where your organization’s head office is located.
Organization: This should be the organization that owns the domain name. The organization name (corporation, limited partnership, university, or government agency) must be registered with some authority at the national, state, or city level. Use the legal name under which your organization is registered. Please do not abbreviate your organization’s name and do not use any of the following characters: < > ~ ! @ # $ % ^ * / \ ( ) ?.
Organizational unit: This is normally the name of the department or group that will use the certificate.
Common name: The common name is the “fully qualified domain name” (or FQDN) used for DNS lookups of your server (for example, www.mysite.com). Browsers use this information to identify your Web site. Some browsers will refuse to establish a secure connection with your site if the server name does not match the common name in the certificate. Please do not include the protocol specifier “http://” or any port numbers or path names in the common name. Do not use wildcard characters such as * or ?, and do not use an IP address.
E-mail address: This should be the e-mail address of the administrator responsible for the certificate.
3. Export the Certificate Signing Request (CSR). In this example, xmodem is used to send the CSR to a PC connected to the console port.
    HP SA7120> export sign mywebserver
    Export protocol: (xmodem, ascii) [ascii]: x <Enter>
    Use Ctrl-x to kill transmission
    Beginning export...
    Export successful!
    HP SA7120>
To submit the CSR to a certifying authority, paste it into the field provided in the authority’s online request form. Remember to include the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.
Typically, the CSR will look something like this:
    -----BEGIN CERTIFICATE REQUEST-----
    MIIBnDCCAQUACQAwXjELMAkGA1UEBhMCQ0ExEDOABgNVBAgT
    B09udGFayW8xEDAOBgNVBAcTB01vbnRyYWwxDDAKBgNVBAoT
    A0tGQzEdMBsGA1UEAxMUd3d3Lmlsb3ZlY2hpY2tlbi5jb20w
    gZ0wDQYJKoZIhvcNAQEBBQADgYsAMIGHAoGBALmJA2FLSGJ9
    iCF8uwfPW2AKkyyKoe9aHnnwLLw8WWjhl[ww9pLietwX3bp6
    Do87mwV3jrgQ1OIwarj9iKMLT6cSdeZ0OTNn7vvJaNv1iCBW
    GNypQv3kVMMzzjEtOl2uGl8VOyeE7jImYj4HlMa+R168AmXT
    82ubDR2ivqQwl7AgEDoAAwDQYJKoZIhvcNAQEEBQADgYEAn8
    BTcPg4OwohGIMU2m39FVvh0M86ZBkANQCEHxMzzrnydXnvRM
    KPSE208x3Bgh5cGBC47YghGZzdvxYJAT1vbkfCSBVR9GBxef
    6ytkuJ9YnK84Q8x+pS2bEBDnw0D2MwdOSF1sBb1bcFfkmbpj
    N2N+hqrrvA0mcNpAgk8nU=
    -----END CERTIFICATE REQUEST-----
4. When the CA returns the certificate, import it into the SA7100/SA7120. Use the import cert command, with the KeyID. As with the import key command, choose an import protocol. Use p for paste. After the paste is finished, add three periods to display the command line.
    HP SA7120> import cert mywebserver
    keyid is mywebserver; Import protocol: (paste, xmodem) [paste]: <Enter>
    Type or paste in date, end with ... alone on line
    -----BEGIN CERTIFICATE-----
    MIIDKDCCAtKgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBnDEL
    MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQ4wDAYDVQQHEwVQ
    b3dheTEaMBgGA1UEChMRQ29tbWVyY2Ug
    . . .
    -----END CERTIFICATE----- <Enter>
    ... <Enter>
    Import successful!
    HP SA7120>
5. Create mapping for Server 1. Use the create map command to specify the server IP address, ports, and keyID.
    HP SA7120> create map
    Server IP (0.0.0.0): 10.1.1.30
    SSL (network) port [443]: <Enter>
    Cleartext (server) port [80]: <Enter>
    KeyID to use for mapping: mywebserver
6. Save the configuration when the server has been mapped.
    HP SA7120> config save
    Saving configuration to flash...
    Configuration saved to flash
    HP SA7120>
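Added example, not part of HP’s guide or the SA7100/SA7120 firmware: a small Python checker for the Distinguished Name guidelines listed in step 2 and for the BEGIN/END framing of the exported CSR before it is pasted into a CA’s form (a truncated paste usually loses one of those lines or corrupts the base64 body). The field keys (country, state, and so on) are assumed names for the create sign prompts; the sample DN and the sample CSR are constructed, and the CSR body is a five-byte DER SEQUENCE rather than a real request.

```python
import base64
import binascii
import ipaddress
import re

# Added example for this guide; not HP code and not the SA7100/SA7120 CLI.
# Field keys are assumed names for the create sign prompts.

# Characters the guide says must not appear in the Organization field.
FORBIDDEN_ORG_CHARS = set('<>~!@#$%^*/\\()?')
DN_FIELDS = ("country", "state", "locality", "organization",
             "organizational_unit", "common_name", "email")
FQDN_RE = re.compile(r"(?=.{4,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}")


def is_ip_address(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def validate_dn(dn: dict) -> list:
    """Check a DN against the guidelines in the CSR section.
    Returns a list of problems; an empty list means every rule passed."""
    problems = []
    for field in DN_FIELDS:
        if not dn.get(field, "").strip():
            problems.append(f"{field}: missing")
    if not re.fullmatch(r"[A-Z]{2}", dn.get("country", "")):
        problems.append("country: must be the two-letter ISO code, e.g. US")
    bad = sorted(FORBIDDEN_ORG_CHARS & set(dn.get("organization", "")))
    if bad:
        problems.append("organization: forbidden characters " + " ".join(bad))
    if "@" not in dn.get("email", ""):
        problems.append("email: not an e-mail address")
    cn = dn.get("common_name", "")
    if "://" in cn:
        problems.append("common_name: drop the protocol specifier (http://)")
    if "/" in cn.split("://")[-1] or re.search(r":\d+$", cn):
        problems.append("common_name: drop port numbers and path names")
    if "*" in cn or "?" in cn:
        problems.append("common_name: wildcard characters are not allowed")
    if is_ip_address(cn):
        problems.append("common_name: use the server's DNS name, not an IP address")
    elif cn and not FQDN_RE.fullmatch(cn.lower()):
        problems.append("common_name: must be a fully qualified domain name, e.g. www.mysite.com")
    return problems


CSR_BEGIN = "-----BEGIN CERTIFICATE REQUEST-----"
CSR_END = "-----END CERTIFICATE REQUEST-----"


def check_csr_pem(text: str):
    """Confirm a CSR about to be pasted into a CA's form still carries its
    BEGIN/END lines and a decodable body. Returns (ok, message)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != CSR_BEGIN:
        return False, "missing " + CSR_BEGIN
    if lines[-1] != CSR_END:
        return False, "missing " + CSR_END
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error:
        return False, "body is not valid base64 (truncated or garbled paste?)"
    # A DER CertificationRequest is an ASN.1 SEQUENCE, whose first tag byte is 0x30.
    if not der or der[0] != 0x30:
        return False, "decoded body is not a DER SEQUENCE"
    return True, f"well-formed PEM CSR, {len(der)} DER bytes"


# Constructed stand-in: the base64 is a five-byte DER SEQUENCE, not a real CSR.
SAMPLE_CSR = CSR_BEGIN + "\nMAMCAQU=\n" + CSR_END + "\n"
# Constructed sample DN.
SAMPLE_DN = {
    "country": "US", "state": "California", "locality": "Palo Alto",
    "organization": "Example Corp", "organizational_unit": "Web Operations",
    "common_name": "www.example.com", "email": "webmaster@example.com",
}

if __name__ == "__main__":
    print(validate_dn(SAMPLE_DN))      # [] when every guideline is met
    print(check_csr_pem(SAMPLE_CSR))   # (True, 'well-formed PEM CSR, 5 DER bytes')
    print(validate_dn({**SAMPLE_DN, "common_name": "https://www.example.com:443"}))
```

The DN checks are exactly the ones the CA guidelines above spell out (two-letter country, no forbidden characters in the organization, a bare FQDN as common name), so a request rejected by this function would have been rejected by the CA or produced a certificate browsers refuse to match.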
Using an Existing Key/Certificate

Exporting a Key/Certificate from a Server

NOTE: Currently there is no published method for extracting private keys from Microsoft* IIS or Netscape* servers.
This method is used when it is important that the existing keys and certificates are used.
Consult your server software documentation for detailed instructions on how to export keys and certificates. Once you have exported the keys and certificates, use the import key and import cert commands to paste the keys and certificates into your SA7100/SA7120. Some general instructions are provided below for the Apache* Web Server.
Apache* Interface to OpenSSL* (mod_ssl)
For key:
1. Look in $APACHEROOT/conf/httpd.conf for location of *.key file.
2. Copy and paste the key file.
For certificate:
1. Look in $APACHEROOT/conf/httpd.conf for location of *.crt file (certificate).
2. Copy and paste the certificate file.
Apache SSL*
For key:
1. Look in $APACHESSLROOT/conf/httpd.conf for location of *.key file.
2. Copy and paste the key file.
For certificate:
1. Look in $APACHESSLROOT/conf/httpd.conf for location of *.cert file.
2. Copy and paste the certificate file.
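As an added example (not HP or Apache code), the following Python locates the key and certificate files named in an httpd.conf and checks what a PEM file holds before it is pasted into the import key or import cert command, so a private key is not handed to the certificate import or vice versa. It relies on mod_ssl’s SSLCertificateFile and SSLCertificateKeyFile directives, which the guide itself does not name; the configuration fragment, the paths and the PEM bodies are constructed samples. The parser does not track <VirtualHost> scope, so when several virtual hosts carry SSL directives the last one read wins.

```python
import re

# Added example for this guide, not HP or Apache code. The mod_ssl directive
# names are real; the configuration text, paths and PEM bodies are constructed.

DIRECTIVES = {"SSLCertificateFile": "certificate", "SSLCertificateKeyFile": "key"}

SAMPLE_HTTPD_CONF = """\
ServerName www.example.com
<VirtualHost _default_:443>
    SSLEngine on
    # SSLCertificateFile /etc/httpd/conf/ssl.crt/old-server.crt
    SSLCertificateFile    "/etc/httpd/conf/ssl.crt/server.crt"
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
</VirtualHost>
"""

# Constructed PEM blobs: the base64 is filler, not real key or certificate material.
SAMPLE_KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMAMCAQU=\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_ENCRYPTED_KEY_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nMAMCAQU=\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"


def find_ssl_files(conf_text: str) -> dict:
    """Return {'certificate': path, 'key': path} from httpd.conf text,
    ignoring commented-out lines; the last directive seen wins."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in DIRECTIVES:
            found[DIRECTIVES[parts[0]]] = parts[1].strip().strip('"')
    return found


PEM_KIND = {"RSA PRIVATE KEY": "key", "PRIVATE KEY": "key", "CERTIFICATE": "certificate"}


def classify_pem(text: str) -> dict:
    """Report what a PEM file contains, whether its END line matches its BEGIN
    line (a partial copy loses it), and whether the key is passphrase-protected
    (legacy OpenSSL 'Proc-Type: 4,ENCRYPTED' header)."""
    begin = re.search(r"^-----BEGIN ([A-Z ]+)-----$", text, re.M)
    end = re.search(r"^-----END ([A-Z ]+)-----$", text, re.M)
    if not begin or not end:
        return {"kind": "unknown", "complete": False, "encrypted": False}
    label = begin.group(1)
    return {
        "kind": PEM_KIND.get(label, "unknown"),
        "complete": label == end.group(1),
        "encrypted": "Proc-Type: 4,ENCRYPTED" in text,
    }


if __name__ == "__main__":
    print(find_ssl_files(SAMPLE_HTTPD_CONF))
    for pem in (SAMPLE_KEY_PEM, SAMPLE_ENCRYPTED_KEY_PEM, SAMPLE_CERT_PEM):
        print(classify_pem(pem))
```

In practice you would read the two paths returned by find_ssl_files from disk and run classify_pem on each before copying; an "encrypted" key is one the server unlocks with a passphrase at startup, which is worth knowing before you attempt to paste it anywhere.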