Hewlett-Packard Company
3000 Hanover Street
Palo Alto, CA 94304-1185
Publication Number
5971-0894
February 2001
Disclaimer
The information contained in this document is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY
KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not
be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
Hewlett-Packard assumes no responsibility for the use or reliability of its
software on equipment that is not furnished by Hewlett-Packard.
Warranty
A copy of the specific warranty terms applicable to your Hewlett-Packard
products and replacement parts can be obtained from
http://www.hp.com/serverappliances/support.
*Other brands and names are the property of their respective owners.
CONTENTS
HP e-Commerce Server Accelerator SA7100/SA7120 User Guide
Introduction
Congratulations on your choice of the HP e-Commerce Server Accelerator SA7100/SA7120. The processing of secure transactions through Secure Socket Layer (SSL) can use up to 90% of even the largest servers’ CPU power and can degrade response time significantly. The SA7100/SA7120 provides a completely transparent way to increase the performance of Web sites for SSL transactions. The SA7100/SA7120 is positioned in front of the server farm, where it intercepts SSL transactions, processes them, and relays them to the servers. The SA7100/SA7120 performs all encryption and decryption management in this environment with a minimum of administrator interaction.
About this User Guide
This User Guide supports the HP e-Commerce Server Accelerator
SA7100 and the HP e-Commerce Server Accelerator SA7120. By
default this text refers to the product as “SA7100/SA7120.” Where
appropriate, the text refers to “SA7100” or “SA7120.” Additionally,
notes in the left-hand margin may be used to distinguish the two products. Illustrations of the command prompt use “HP SA7120>”.
Who Should Use this Book
This User Guide is intended for administrators with the following background:
• Familiarity with networking concepts and terminology.
• Basic knowledge of network topologies.
• Basic knowledge of networks and IP routing.
• Some knowledge of SSL, keys, and certificates.
• Knowledge of Web servers.
Before You Begin
SA7100/SA7120 setup can be divided into three basic procedures:
• Physically install single or multiple SA7100/SA7120s with single or multiple servers.
• Configure your SA7100/SA7120 in the Command Line Interface.
• Identify existing certificates or obtain new ones you want to use in SSL operations.
How to Use this Book
The information in this book is organized as follows:
• Chapter 1: Introduction provides an introduction and overview of the SA7100/SA7120, and a summary of new features.
• Chapter 2: Installation and Initial Configuration contains installation and initial configuration procedures. (This material is also discussed in the separate Quick Start Guide.)
• Chapter 3: Theory of Operation explains the general principles behind SA7100/SA7120 operation.
• Chapter 4: Scenarios provides examples of SA7100/SA7120 configurations, together with specific procedures for their implementation.
• Chapter 5: Command Reference explains the Command Line Interface (CLI), and lists the commands and their functions.
• Chapter 6: Remote Management details how you can use Telnet, Secure Shell (SSH), and SNMP to manage the SA7100/SA7120 from remote locations.
• Chapter 7: Alarms and Monitoring explains the ways in which you can configure the device to report information to you, either routinely or as a result of abnormal events or conditions.
• Chapter 8: Software Updates provides procedures for obtaining SA7100/SA7120 system software updates.
• Chapter 9: Troubleshooting is a table containing symptoms of problems you may encounter with corresponding likely causes and remedies.
• Appendix A: Front Panel diagrams and explains the SA7100/SA7120’s front panel LEDs, buttons, and connections.
• Appendix B: Failure/Bypass Modes explains how the SA7100/SA7120 deals with failure conditions and details the bypass function.
• Appendix C: Supported Ciphers lists the supported encryption ciphers.
• Appendix D: Regulatory Information provides information regarding the SA7100/SA7120’s compliance with applicable regulations.
• Appendix E: Software License Agreement contains the software license and terms and conditions of use of this product.
• Support Services contains customer support telephone numbers for various locales.
• Glossary defines terms appearing in this User Guide.
Installation and Initial Configuration
Before You Begin
WARNING: Do not remove the device’s cover. There are no user-serviceable parts inside.
Before you begin installation, you need the following:
• IP address for SA7100/SA7120 (only if you intend to use the Remote Management).
• IP addresses and IP port numbers of servers.
• Keys/certificates. See Chapter 3 for information on obtaining keys and certificates.
• Network cables, such as straight-through and/or crossover cables. (The table in the section “Network Connections” in this chapter identifies the types of cables you must use.)
• Phillips screwdriver (rack-mounting only).
• Rack-mounting screws (rack-mounting only).
Installing the SA7100/SA7120 Free-Standing or in a Rack
The HP e-Commerce Server Accelerator SA7100/SA7120 is physically installed in either of two ways:
• In a standard 19” rack, cantilevered from the provided mounting brackets.
• Free-standing on a flat surface with sufficient space for air-flow.
Rack Installation
Rack mounting requires the use of the mounting brackets, and all four of the included Phillips screws.
1. Locate the two mounting brackets and the four screws. (Two
screws for each bracket.)
2. Attach a mounting bracket to each side of the SA7100/SA7120,
using two of the provided screws for each bracket. Use the holes
near the front of the SA7100/SA7120’s sides. The brackets have
both round and oval holes; the flange with round holes attaches
to the SA7100/SA7120, the flange with oval holes to the rack.
Figure: Mounting Bracket Orientation
3. Position the SA7100/SA7120 in the desired space of your 19”
rack and attach the front flange of each mounting bracket to the
rack with two screws each. (Rack-mounting screws are not
provided.)
Free-Standing Installation
1. Attach the provided self-adhesive rubber feet to the SA7100/SA7120’s bottom.
2. Place the SA7100/SA7120 on a flat surface and make sure that there is adequate airflow surrounding the unit (allow at least one inch of air space on all sides).
Network Connections
NOTE: Use caution when connecting both of the SA7100/SA7120’s network ports to the same switch, hub, or router. Doing so creates a feedback loop that adversely affects network bandwidth.
Use the table below to select and install the appropriate cables. (All cables must be Category 5 UTP or better.)

Connecting to                       SA7100/SA7120’s network connector   SA7100/SA7120’s server connector
Workstation or Server               Crossover cable                     Straight-through cable
Switch or Hub                       Straight-through cable              Crossover cable
Router                              Crossover cable                     Not recommended
SA7100/SA7120 network connector*    N/A                                 Straight-through cable
SA7100/SA7120 server connector*     Straight-through cable              N/A
* Applicable only to multiple, cascaded units.
3. Connect the provided power cable to the back of the unit. (There is no power switch.) Under normal circumstances, the SA7100/SA7120 requires approximately 30 seconds to boot. When the boot is complete, the unit’s Power LED is steadily illuminated. (If the Power LED is not steadily illuminated, see Chapter 9, “Troubleshooting,” to rectify before proceeding to Step 3.)
4. The Inline LED should be either steadily illuminated or blinking (to indicate Inline mode). If it is not, press the Bypass switch on the device’s front panel to enable Inline mode.
5. At this point both the Network and Server LEDs should be
steadily illuminated. If not, please see Chapter 9,
“Troubleshooting.”
Figure: Network Connections (Hub/Router/Switch, HP e-Commerce Server Accelerators, Server)
Status Check
Before proceeding to the Admin Terminal Connection section, take a moment to verify that the SA7100/SA7120 is correctly connected.
Network and Server LEDs
Verify that the Network and Server LEDs are both illuminated. If one or both are not, refer to the Troubleshooting section at the end of this chapter.
Inline LED
A blinking Inline LED indicates that the system is online in Fail-safe mode. Refer to the Troubleshooting section at the end of this chapter or Appendix B, “Failure/Bypass Modes.”
Admin Terminal Connection
Figure: Front Panel Connectors and LEDs. Labels: Power (green), Error (red), Overload (amber), Activity (green), Console, Aux, Network Link (green), Network Link (RJ45), Inline (green), Server Link (green), Server Link (RJ45).
Run HyperTerminal* or a similar terminal emulator on your PC. The steps below are illustrative of HyperTerminal*. Other terminals will require different procedures.
1. Use the serial cable provided with the SA7100/SA7120 to connect the device’s serial port (the left-hand serial port labeled “Console”) to the serial port of any terminal. (A PC running Windows* HyperTerminal* is used here as an example.)
2. Type an appropriate name in the Name field of the Connection
Description window (e.g., “Configuration”), and then click the
OK button. The Phone Number panel appears.
3. In the Connect Using… field specify “COM1” (or the serial port through which the PC is connected to the SA7100/SA7120 if different from COM1).
4. Click the OK button. The COM1 Properties panel appears. Set the values displayed here to 9600, 8, none, 1, and none.
5. Click the OK button.
HyperTerminal* Paste Operations
If you’re using HyperTerminal* you must make the following configuration change:
1. In the File menu, click Properties.
2. Click the Settings tab.
3. Click the ASCII Setup button.
4. Change the values of Line and Character delay from 0 to at least 1 millisecond.
5. Click OK to exit ASCII Setup.
6. Click OK to exit Connection Properties.
Troubleshooting
Server and Network LEDs
If either the Network or Server LED fails to illuminate using either straight-through or crossover network cables, the problem may be elsewhere in the network. Verify by wiring around the SA7100/SA7120.
Inline LED
The Fail-through switch allows you to control what happens in the event of a failure. It is located in a recess between the Network and Server connectors. Use a small screwdriver or paper clip to manipulate the switch. The two options are:
• Allow traffic to flow through the SA7100/SA7120 unprocessed. (Fail-through mode, indicated by a steadily illuminated Inline LED.)
• Block traffic flow through the SA7100/SA7120 entirely. (Fail-safe mode, indicated by a blinking Inline LED.)
Please see Appendix B for a table describing all permutations of LED operation.
Continuing Configuration
This concludes basic configuration of the SA7100/SA7120. To configure the unit for production please continue with Chapter 3, Theory of Operations, or Chapter 4, Scenarios.
Theory of Operation
Security
The HP e-Commerce Server Accelerator SA7100/SA7120 offers Remote Management capability. This feature requires that the SA7100/SA7120’s network interface be assigned an IP address, thus security becomes a matter for your attention. If you intend to manage your SA7100/SA7120 from a remote location, be sure to read the section, “Access Control” in Chapter 6.
Single Server Acceleration
Typically, SA7100/SA7120 supports the SSL processing needs of a single server. This is the simplest and most common configuration. The SA7100/SA7120 is connected to the network between the router and the server.
Ideally, the SA7100/SA7120 is installed in the network in such a way as to minimize network latency.
Figure: SA7100/SA7120 in Single Server Configuration (Router, HP e-Commerce Server Accelerator SA7100/7120, Single Server)
Multiple Servers
Given the SSL processing power of the SA7100/SA7120, multiple servers can be supported. In this configuration, the SA7100/SA7120 sits between the router and the switch. SSL traffic intended for these servers is intercepted and other traffic is passed through.
Figure: SA7100/SA7120 in Multiple Server Configuration (Router, HP e-Commerce Server Accelerator SA7100/7120, hub/switch, Server 1, Server 2, Server 3)
Working with Internet Traffic Management (ITM) Devices
The SA7100/SA7120 is compatible with Internet Traffic Management (ITM) devices. In such environments, the SA7100/SA7120 lies between the router and the ITM device, or between the ITM device and the server. ITM devices distribute workload across multiple servers and redirect traffic based on content.
Positioning SA7100/SA7120 between ITM Device and Client Network
If the ITM device supports layer 7 traffic management, URLs must be readable (that is, unencrypted). Therefore, in environments performing layer 7 load balancing, it is recommended that the SA7100/SA7120 be placed between the ITM device and the client network.
Figure: SA7100/SA7120 Between Router and ITM Device (Internet, Client, Router, HP e-Commerce Server Accelerator SA7100/7120, ITM Device, Server 1, Server 2, Server 3)
Positioning SA7100/SA7120 between ITM Device and Server
NOTE: The illustrated configuration precludes layer 7 load balancing because secure traffic through the ITM device is encrypted.
If security considerations require limited network access to clear text, the SA7100/SA7120 should be placed between the ITM device and the server.
Figure: SA7100/SA7120s Between ITM Device and Servers (Internet, Client, Router, ITM Device, HP e-Commerce Server Accelerator SA7100/7120s, Servers)
Multiple SA7100/SA7120s and Cascading Processing
Scalability and Cascading
The SA7100/SA7120’s capabilities are scalable by chaining, or “cascading,” multiple SA7100/SA7120s together. In such configurations, each unit’s server side connector is wired to the network side connector of the next SA7100/SA7120 in line. The last SA7100/SA7120 in line is connected to the server, switch, or ITM device.
Spilling and Throttling
When the SA7100/SA7120’s “spill” option is enabled, if a given SA7100/SA7120 cannot process a request within a specified interval, the request is passed on, still encrypted, to the next SA7100/SA7120 in line. The last SA7100/SA7120 on the server side can also be enabled to spill to the server. Spilling is performed dynamically on a connection-by-connection basis. (See spill command, Chapter 5, “Command Reference.”) If spill is disabled, the SA7100/SA7120 “throttles,” that is, will not accept incoming requests when it becomes overloaded.
Figure: Cascaded SA7100/SA7120s (Hub/Router/Switch, HP e-Commerce Server Accelerator SA7100/7120s, Server)
Availability
When a SA7100/SA7120 fails or is set to Bypass mode while Fail-through is enabled, the SA7100/SA7120’s network side and server side network adapters are directly connected, allowing traffic to pass through to the next device until the failed unit is brought back into service. This feature eliminates a single point of failure and provides a high level of availability, should there be a failure. In installations with multiple SA7100/SA7120s, the next unit in the cascade picks up the encryption/decryption workload, while in single SA7100/SA7120 configurations, the server assumes the load. See “Failure/Bypass Modes” in Appendix B for more information.
Keys and Certificates
WARNING: The SA7100/SA7120 comes with default keys and certificates for test purposes. Certificates for production use should be obtained from a recognized certificate authority.
A necessary part of the SA7100/SA7120 configuration is the use of keys and certificates. A key is a set of numbers used to encrypt or decrypt data. A certificate is a “form” that identifies a server or user. The certificate contains information about your company as well as information from a third party that verifies your identity.
There are three ways to obtain keys and certificates:
• Obtaining a certificate from VeriSign* or other Certificate Authority (or “CA”)
• Using an existing key/certificate
• Creating a new key/certificate on the SA7100/SA7120
Cutting and Pasting with HyperTerminal*
Cutting and pasting is an integral part of the next several procedures. Below are procedures for cutting and pasting in HyperTerminal*. If you use some other terminal program, consult that product’s documentation for appropriate procedures.
To copy an item (key, certificate signing request, etc.) from HyperTerminal*:
1. Open the HyperTerminal* window.
2. Click and drag to select the item.
3. After the item is selected, open the Edit menu and click Copy (or type <ctrl-c>).
4. Open the window where you will paste the data, and position the cursor at the appropriate point.
5. In the Edit menu, click Paste (or type <ctrl-v>).
To paste an item (key, certificate signing request, etc.) into HyperTerminal*:
1. Display the item in the appropriate application window, then click and drag to select the item.
2. Once the item is selected, click the Edit menu and select Copy (or type <ctrl-c>).
3. Move to the HyperTerminal* window, and position the cursor at the appropriate point.
4. Pull down the Edit menu, and select Paste to Host (or type <ctrl-v>).
Obtaining a Certificate from VeriSign* or Other Certificate Authority
Use the create key command to create your key and the create sign command to create a signing request to be sent to VeriSign* or other CA for authentication. The CA will return it in approximately one to five days. After you have received the certificate, use the import cert command to import it into the SA7100/SA7120.
The fields input to create a signing request are called collectively a Distinguished Name (DN). For optimal security, one or more fields must be modified to make the DN unique.
Procedure
Create a key:
1. Type the create key command at the prompt:
HP SA7120> create key
Key strength (512 /1024) [512]:
New keyID [001]: mywebserver
Keypair was created for keyID: mywebserver
2. Create a Certificate Signing Request:
HP SA7120> create sign mywebserver
You are about to be asked to enter information
that will be incorporated into your
certificate request. The "common name" must be
unique. For other fields, you could use
default values.
Certifying authorities have specific guidelines on how to answer each of the questions. These guidelines may vary by certifying authority. Please refer to the guidelines of the certifying authority to whom you submit your Certificate Signing Request (CSR). Please keep the following in mind when entering the information that will be incorporated into your certificate request:
• Country code: This is the two-letter ISO abbreviation for your country (for example, US for the United States).
• State or Province: This is the name of the state or province where your organization’s head office is located. Please enter the full name of the state or province. Do not abbreviate.
• Locality: This is usually the name of the city where your organization’s head office is located.
• Organization: This should be the organization that owns the domain name. The organization name (corporation, limited partnership, university, or government agency) must be registered with some authority at the national, state, or city level. Use the legal name under which your organization is registered. Please do not abbreviate your organization’s name and do not use any of the following characters: < > ~ ! @ # $ % ^ * / \ ( ) ?.
• Organizational unit: This is normally the name of the department or group that will use the certificate.
• Common name: The common name is the “fully qualified domain name,” (or FQDN) used for DNS lookups of your server (for example, www.mysite.com). Browsers use this information to identify your Web site. Some browsers will refuse to establish a secure connection with your site if the server name does not match the common name in the certificate. Please do not include the protocol specifier “http://” or any port numbers or path names in the common name. Do not use wildcard characters such as * or ?, and do not use an IP address.
• E-mail address: This should be the e-mail address of the administrator responsible for the certificate.
3. Export the Certificate Signing Request (CSR).
In this example, xmodem is used to send the CSR to a PC connected
Use Ctrl-x to kill transmission
Beginning export...
Export successful!
HP SA7120>
To submit the CSR to a certifying authority, paste it into the field provided in the authority’s online request form. Remember to include the “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----” lines.
4. When the CA returns the certificate, import it into the SA7100/SA7120. Use the import cert command, with the KeyID. As with the import key, choose an import protocol for importing the key. Use p for paste. After the paste is finished, add three periods to display the command line.
HP SA7120> import cert mywebserver
keyid is mywebserver;
Import protocol: (paste, xmodem) [paste]:
-----END CERTIFICATE----- <Enter>
... <Enter>
Import successful!
HP SA7120>
5. Create mapping for Server 1. Use the create map command to
specify the server IP address, ports, and keyID.
HP SA7120> create map
Server IP (0.0.0.0): 10.1.1.30
SSL (network) port [443]: <Enter>
Cleartext (server) port [80]: <Enter>
KeyID to use for mapping: mywebserver
6. Save the configuration when the server has been mapped.
HP SA7120> config save
Saving configuration to flash...
Configuration saved to flash
HP SA7120>
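As an added example (not part of the HP guide), the Python below checks the Distinguished Name fields typed at the create sign prompt against the guidelines given above, and cuts the framed CSR block, BEGIN and END lines included, out of captured terminal output so that only that block is pasted into the CA’s request form. The field names, messages and the sample export are constructed for this example; the state check is a heuristic, since nothing on the device can know whether a name is abbreviated.

```python
import ipaddress
import re

# Characters the guide forbids in the Organization field.
FORBIDDEN_ORG_CHARS = set('<>~!@#$%^*/\\()?')
# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL_RE = re.compile(r'^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$')

def _is_ip_address(value):
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True

def check_common_name(cn):
    """Common Name rules: a bare FQDN, no scheme, port, path, wildcard or IP."""
    problems = []
    if '://' in cn:
        problems.append('common name: remove the protocol specifier (http://)')
    if '*' in cn or '?' in cn:
        problems.append('common name: wildcard characters are not allowed')
    if _is_ip_address(cn):
        problems.append('common name: use the DNS name, not an IP address')
    host = cn.split('://', 1)[-1]  # drop any scheme before the host checks
    if '/' in host:
        problems.append('common name: must not contain a path name')
        host = host.split('/', 1)[0]
    if ':' in host:
        problems.append('common name: must not contain a port number')
        host = host.split(':', 1)[0]
    labels = host.split('.')
    if not problems and (len(labels) < 2 or
                         not all(_LABEL_RE.match(lab) for lab in labels)):
        problems.append('common name: not a fully qualified domain name')
    return problems

def check_dn(dn):
    """Check the DN fields of a create sign request. `dn` maps country, state,
    organization and common_name to the typed values; [] means the DN passes."""
    problems = []
    country = dn.get('country', '')
    if not (len(country) == 2 and country.isalpha() and country.isupper()):
        problems.append('country: use the two-letter ISO code, e.g. US')
    state = dn.get('state', '')
    # Heuristic only: a short all-caps value such as "CA" is an abbreviation.
    if not state or (len(state) <= 3 and state.isupper()):
        problems.append('state: spell out the full state or province name')
    org = dn.get('organization', '')
    bad = sorted(set(org) & FORBIDDEN_ORG_CHARS)
    if not org:
        problems.append('organization: the registered legal name is required')
    elif bad:
        problems.append('organization: forbidden characters ' + ' '.join(bad))
    return problems + check_common_name(dn.get('common_name', ''))

def pem_block(text, kind):
    """Cut the first '-----BEGIN kind-----' ... '-----END kind-----' block out of
    captured terminal text, header and footer lines included; None if incomplete."""
    begin, end = '-----BEGIN %s-----' % kind, '-----END %s-----' % kind
    lines = [ln.strip() for ln in text.splitlines()]
    if begin not in lines or end not in lines or lines.index(end) < lines.index(begin):
        return None
    return '\n'.join(lines[lines.index(begin):lines.index(end) + 1])

# Constructed sample of a CSR export as captured from the terminal; only the
# framed block, BEGIN and END lines included, goes into the CA's request form.
SAMPLE_EXPORT = """Beginning export...
-----BEGIN CERTIFICATE REQUEST-----
MIIBexampleONLYnotArealRequest==
-----END CERTIFICATE REQUEST-----
Export successful!
HP SA7120>"""
```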
Using an Existing Key/Certificate
Exporting a Key/Certificate from a Server
NOTE: Currently there is no published method for extracting private keys from Microsoft* IIS or Netscape* servers.
This method is used when it is important that the existing keys and
certificates are used.
Consult your server software documentation for detailed instructions on how to export keys and certificates. Once you have exported the keys and certificates, use the import key and import cert commands to paste the keys and certificates into your SA7100/SA7120. Some general instructions are provided below for the Apache* Web Server.
Apache* Interface to OpenSSL* (mod_ssl)
For key:
1. Look in $APACHEROOT/conf/httpd.conf for location of *.key
file.
2. Copy and paste the key file.
For certificate:
1. Look in $APACHEROOT/conf/httpd.conf for location of *.crt
file (certificate).
2. Copy and paste the certificate file.
Apache SSL*
For key:
1. Look in $APACHESSLROOT/conf/httpd.conf for location of
*.key file.
2. Copy and paste the key file.
For certificate:
1. Look in $APACHESSLROOT/conf/httpd.conf for location of
*.cert file.
2. Copy and paste the certificate file.