Hewlett-Packard Company
3000 Hanover Street
Palo Alto, CA 94304-1185
Publication Number
5971-3006
March 2001
Disclaimer
The information contained in this document is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY
KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not
be liable for errors contained herein or for incidental or consequential damages
in connection with the furnishing, performance, or use of this material.
Hewlett-Packard assumes no responsibility for the use or reliability of its
software on equipment that is not furnished by Hewlett-Packard.
Warranty
A copy of the specific warranty terms applicable to your Hewlett-Packard
products and replacement parts can be obtained from http://www.hp.com/
serverappliances/support.
*Other brands and names are the property of their respective owners.
HP e-Commerce/XML Server Accelerator SA7150 User Guide
Introduction
Introduction to the SA7150
The HP e-Commerce/XML Server Accelerator SA7150 provides the
flexibility to analyze Extensible Markup Language (XML) traffic
according to content and distribute it according to user-defined
parameters. The SA7150 is positioned in the network in front of
business-to-business (B2B) XML servers, where it detects and parses
XML messages or transaction data. It sends client data to the most
appropriate server, based on rules pre-configured for each server. The
most common application is a B2B environment where the client is
often another server or application.
Assumptions
It is assumed that you are a network administrator and that you have
at least a basic understanding of the following:
• XML usage and syntax
• Networking concepts and terminology
• Network topologies
• Networks and IP routing
Benefits
The SA7150 offloads Secure Socket Layer (SSL) processing for your
e-Commerce site, web site, or Intranet. The SA7150 is the best XML
processing solution available.
SA7150 Features

Feature: Patent-pending rules engine allows classification of XML transactions, for example by:
  • Trading partner name
  • Trading partner type
  • Transaction quantity
  • Transaction value
  • Time of day
  • Time zone
  NOTE: The above items are examples. You can define any number of classifications according to your business needs.
Benefit: Business priorities easily configured:
  • If the request is from Vendor A, then send to Server 1
  • If transaction value is above $100,000, then send to Server 2

Feature: Multi-variable classification, including AND, OR
Benefit: Allows complex business priorities to be addressed.

Feature: Handles up to 600 secure transactions per second
Benefit: Security with continued transaction speed
Feature: Offloads XML distribution decisions from e-Business servers
Benefit: Helps maximize server investment

Feature: Easy, drop-in installation between router and server
Benefit: No additional hardware or software needed

Specifications

Specification: Servers supported
Description:
  • Most Web servers (Apache*, Microsoft*, Netscape*, etc.)
  • Most operating systems (UNIX*, Solaris*, Windows NT*, BSD*/BSDI*, AIX*, etc.)
  • Most server hardware (SUN*, HP*, IBM*, Compaq*, SGI*, Intel*-based platforms)
  • Supports up to 1000 servers

Specification: XML Dialects supported
Description: Supports most XML dialects and e-Business standards, such as SOAP*, Microsoft’s Biztalk*, Ariba’s cXML*, Commerce One’s CBL*, and the emerging ebXML standard via HTTP and HTTPS transport protocols

Specification: System administration
Description:
  • Command line interface
  • SNMP monitoring (MIB II and Private MIB)
  • Dynamic configuration through password-protected serial console, Telnet, SSH v1, and SSH v2

Specification: Performance
Description:
  • Rated up to 1700 HTTP connections per second and 450 HTTPS connections per second (1K data)
  • Patent-pending technology offloads all cryptographic processing from server
Specification: Dimensions
Description:
  • Mounting: Standard 19-inch rack mount
  • Height: 1.75 inches (4.45 cm)
  • Width: 16.73 inches (46.99 cm)
  • Depth: 18.5 inches (4.45 cm)

Specification: Weight
Description: 8 pounds (3.64 kg)

Specification: Interface connections
Description:
  • 10/100 Ethernet
  • TTY Serial - console

Specification: Patent pending XML routing
Description: XML patterns: Defined by URI and XML expressions, in the form:
  URI Expression: */order.asp
  XML Expression:

Specification: Security algorithms supported
Description:
  • SSH for secure Command Line Interface (up to 168 bit encryption)
  • Serial port logon
Typographic Conventions
The following typographic conventions are used throughout this User Guide:
NOTE: This is an example of a note.
CAUTION: This is an example of a caution.
WARNING: This is an example of a warning.
NOTES clarify a point, emphasize vital information, or describe
options, alternatives, or shortcuts. Except for those within tables,
notes are always found in the left margin.
CAUTIONS are designed to prevent mistakes that could result in
injury or equipment damage. Except for those within tables, cautions
are always found in the left margin.
WARNINGS alert you to potential hazards to life or limb. Except for
those within tables, warnings are always found in the left margin.
NUMBERED LISTS indicate step-by-step procedures that you must
follow in numeric order, as shown below:
1. This is the first step.
2. This is the second step.
3. This is the third step, etc.
BULLETED LISTS indicate options or features available to you, as
shown below:
• The first feature or option
• The second feature or option
• The third feature or option, etc.
ITALICS are used for emphasis or to indicate onscreen controls, as
shown in this example:
4. To edit the configuration settings, press the Configure tab.
COMMANDS are shown in the following ways:
• Any command or command response text that appears on the terminal is presented in the courier font.
• Any text that you need to type at the command line appears in bold courier, for example:
HP SA7150> create gold

Installation and Initial Configuration
Parts Checklist
Ensure that the items listed below are included in the shipping box:
• HP e-Commerce/XML Server Accelerator SA7150
• HP e-Commerce/XML Server Accelerator SA7150 Quick Start Guide
• HP e-Commerce/XML Server Accelerator SA7150 User Guide (this document)
• HP e-Commerce/XML Server Accelerator SA7150 Release Notes
• AC power cord
• Serial cable
• Rack mounting brackets with Phillips mounting screws
Additional Requirements
Before you begin installation, acquire or prepare the following:
• IP address for SA7150 (Only if you intend to use the SA7150’s Remote Management capabilities. Please see Chapter 6 for details.)
• IP addresses and port numbers of servers.
• Keys/certificates. (Only if you anticipate supporting secure transactions. See Chapter 3 for information on obtaining keys and certificates.)
• Network cables, such as straight-through and/or crossover cables. (Procedures in the section “Network Connections” in this chapter will identify the types of cables you must use.)
NOTE: Network cables are not provided with the SA7150.
If you are installing the SA7150 in a rack, you will also need:
• Phillips screwdriver (not provided)
• Rack-mounting screws
Physical Installation
WARNING: Do not remove the device’s cover. There are no user-serviceable parts inside.
Rack Installation
The SA7150 is physically installed in either of two ways:
• In a standard 19” rack, cantilevered from the provided mounting brackets
• Free-standing on a flat surface with sufficient space for air-flow (1” on all sides)
Rack mounting requires the use of the mounting brackets, and all four of the included Phillips screws.
Mounting Bracket Installation
1. Locate the two mounting brackets and the four screws. (Two
screws for each bracket.)
2. Attach a mounting bracket to each side of the SA7150, using two
of the provided screws for each bracket. Use the holes near the
front of the SA7150’s sides. The brackets have both round and
oval holes; the flange with round holes attaches to the SA7150,
the one with oval holes attaches to the rack.
3. Position the SA7150 in the desired space of your 19” rack and
attach the front flange of each mounting bracket to the rack with
two screws each. (Rack-mounting screws are not provided.)
Free-Standing Installation
1. Attach the provided self-adhesive rubber feet to the SA7150’s bottom.
2. Place the SA7150 on a flat surface and make sure that there is adequate airflow surrounding the unit (allow at least one inch of air space on all sides).
Network Connections
1. Use the table below to select and install the appropriate network cables (Category 5 UTP or better):

Device                        From SA7150’s network connector   From SA7150’s server connector
Workstation or Server         Crossover cable                   Straight-through cable
Switch or Hub                 Straight-through cable            Crossover cable
Router                        Crossover cable                   Not recommended
SA7150 network connector*     N/A                               Straight-through cable
SA7150 server connector*      Straight-through cable            N/A
* Applicable only to multiple, cascaded units

NOTE: Never connect both of the SA7150’s network ports to the same switch, hub, or router. Doing so creates a feedback loop that adversely affects network bandwidth.
2. Connect the provided power cable to the back of the unit. (There is no power switch.) Under normal circumstances, the SA7150 requires approximately 30 seconds to boot. When the boot is complete, the unit’s Power LED is steadily illuminated. (If the Power LED is not steadily illuminated, see Chapter 9, “Troubleshooting,” to rectify before proceeding to Step 3.)
3. The Inline LED should be either steadily illuminated or blinking
(to indicate Inline mode). If it is not, press the Bypass switch on
the device’s front panel to enable Inline mode.
4. At this point both the Network and Server LEDs should be
steadily illuminated. If not, please see Chapter 9,
“Troubleshooting.”
[Figure: Wiring Connections. Labels: XML Server 1, XML Server 2, Default Server, hub/switch, HP e-Commerce/XML Server Accelerator SA7150]
Console Connection
Run HyperTerminal* or a similar terminal emulator on your PC. The steps below assume HyperTerminal* is used. Other terminals will require different procedures.
1. Use the serial cable provided with the SA7150 to connect the
device’s serial port (the left-hand serial port labeled “Console”)
to the serial port of any terminal.
[Figure: Front Panel Connectors and LEDs. LEDs: Power (green), Error (red), Overload (amber), Activity (green), Network (green), Inline (green), Server (green). Controls and connectors: Reset, Console (CLI), Aux Console (Diagnostics), Network Link (RJ45), Fail-through switch, Server Link (RJ45), Bypass]
2. Type an appropriate name in the Name field of the Connection
Description window (e.g., “Configuration”), and then click the
OK button. The Phone Number panel appears.
3. In the Connect Using… field specify “COM1” (or the serial port
through which the PC is connected to the SA7150 if different
from COM1).
4. Click the OK button. The COM1 Properties panel appears. Set
the values displayed here to 9600, 8, none, 1, and none.
5. Click the OK button.
Using HyperTerminal*
If you’re using HyperTerminal* you must make the following configuration change:
1. In the File menu, click Properties.
2. Click the Settings tab.
3. Click the ASCII Setup button.
4. Change the values of Line and Character delay from 0 to at least 1 millisecond.
5. Click OK to exit ASCII Setup.
6. Click OK to exit Connection Properties.
Fail-through Switch
The Fail-through switch allows you to choose between two options in
the event of a failure. It is located in the opening between the Network
and Server connectors. Use a small screwdriver or paper clip to
operate the switch. The two options are:
• Allow traffic to flow through the SA7150 unprocessed. (Fail-through mode, indicated by a steadily illuminated Inline LED. Fail-through switch in DOWN position.)
• Block traffic flow through the SA7150 entirely. (Fail-safe mode, indicated by a blinking Inline LED. Fail-through switch in UP position.)
Please see Appendix B for a description of LED display.
Accessing the Command Prompt
NOTE: The password is not echoed on the command line.
After the SA7150 boots up, the password prompt appears.
1. Type admin at the password prompt and press Enter to access
the prompt:
Password: admin (password is not echoed at prompt)
Current date: 2000 11/01 05:01
HP SA7150>
You are now ready for operations at the Command Line Interface
(CLI) of the SA7150. The following is a typical way to begin:
2. Change your password from admin to another of your choice.
Use the password command.
HP SA7150> password
3. Use set date to correct the date/time, if necessary. The date
and time affect the validity of the certificate.
HP SA7150> set date
4. Use the help command to list available commands (or refer to the
Command Reference in Chapter 5 of the User Guide).
HP SA7150> help
5. Configure XML servers and patterns as appropriate for your
business needs. (See Chapter 3 of the User Guide for details.)
6. If your operational model includes SSL traffic, configure the
appropriate keys and certificates. (See Chapter 3 of the User Guide for details.)
Theory of Operation
This chapter discusses the general operating principles for the HP e-Commerce/XML Server Accelerator SA7150. For details about the
SA7150 command set, please see Chapter 5. For information about
completing typical, specific tasks, please see Chapter 4.
XML Operations
The HP e-Commerce/XML Server Accelerator SA7150 provides a
powerful means of using XML technology to facilitate Business-to-Business transactions. In addition to its XML capability, the SA7150
provides SSL acceleration (discussed later in this chapter).
The SA7150 employs user-created rules to evaluate the content
transmitted in XML documents and to distribute this information
among the appropriate data center resources. XML functionality is
enabled or disabled for each user-specified “map” (i.e., a triad
consisting of an IP address, network port, and server port.)
XML functionality is controlled by way of the Command Line Interface (CLI, detailed in Chapter 5). The SA7150 manages XML traffic using “XML patterns,” pairs of “URI expressions” and “XML expressions.” URI expressions serve as “coarse” filters, allowing the system to determine whether an HTTP POST request is targeted at an XML-enabled server. If no URI match is found, the SA7150 doesn’t bother to examine the document for XML content, but simply passes the document to the “mapped” server (i.e., the one with the IP address and network port of the incoming message). XML expressions are the “fine” filters, those applied to the content and context of the XML data embedded in the HTTP POST request. XML patterns are assigned to servers (identified by IP address and server port), and when a match between a pattern and an incoming request occurs, the SA7150 sends data to the appropriate server.
[Figure: Basic SA7150 Operating Configuration. Labels: Router, HP e-Commerce/XML Server Accelerator SA7150, XML Server 1]
Multiple SA7150s can be connected in series, or “cascaded,” to multiply your site’s XML processing and availability capabilities (and also its SSL processing capability, should you use it).
[Figure: Cascaded SA7150s. Labels: Router, hub/switch, HP e-Commerce/XML Server Accelerator SA7150 (two units), XML Server 1, XML Server 2, XML Server 3]
Before you configure the SA7150 for XML operations, you should
first answer the following:
• Which of the several common formats or varieties of XML will be used in the client application?
• Which XML elements, attributes, or text and HTTP fulfillment locations contained or identified in the anticipated XML traffic should be used for XML pattern matching?
• Which servers will be assigned the XML patterns that you create?
• Do you intend to use the SA7150’s SSL capabilities?
General Considerations
Some general facts to keep in mind concerning XML operations with the current version of the SA7150 are listed below. These facts do not apply to SSL operations.
• The SA7150 uses an abbreviated version of the XPATH syntax.
• The SA7150 works with any XML application that supports XML 1.0 and that is transported via HTTP or HTTPS POST request methods.
• Transport protocols other than HTTP and HTTPS, such as FTP and SMTP, are not supported.
• Content of incoming documents must be of type “text.”
• URL encoding is supported.
• Base64 encoding is not supported.
• The complete XML data stream must be encapsulated in the body of the HTTP(S) POST request.
• Multi-part MIME messages are not supported.
• The first character of the POST request’s body must be the “less than” (<) character; the final character must be the “greater than” (>) character.
Server Mappings
Because the SA7150’s purpose is to send XML messages with
specific content to specific servers, it must be configured to recognize
these servers. This configuration is managed through the use of
“server mappings.” A server mapping consists of three items:
• A server’s IP address
• Network port
• Server port
Server mappings are created using the create map command.
Typically, a map specifies a Key ID for SSL encryption and
decryption, as in the example following.
HP SA7150> create map
Server IP [0.0.0.0]: x.x.x.x
Network port [443]:
Cleartext (server) port [80]:
KeyID to use for mapping: default
HP SA7150>
If your operations involve processing only unencrypted XML traffic, you should use a “clear text map,” i.e., a map with no Key ID. The example below illustrates the creation of a clear text map:
NOTE: In the example below, the prompt for a KeyID is ignored. Keys, certificates and related matters are discussed in this chapter under “SSL Operations.”
NOTE: XML examples here are indented for ease of reading; the leading spaces or tabs are not significant with regard to SA7150 operations.
HP SA7150> create map
Server IP [0.0.0.0]: x.x.x.x
Network port [443]:
Cleartext (server) port [80]:
KeyID to use for mapping:
Cleartext map for XML only? [n]: y
HP SA7150>
XML Data Model
XML data consists of three hierarchical components:
• Elements (data types)
• Attributes (subcategories of a data type or element)
• Text (specific data such as names, addresses, and quantities contained within elements or attributes)
The content of an XML document is defined within these three
components, as illustrated below. The example shows a block of
incoming XML text as received by the SA7150 in an HTTP POST
request.
<street>13280 Evening Creek Dr</street>
<city>San Diego</city>
<state>California</state>
<zip>92128</zip>
</address>
</employee>
Where:
• employee, name, address, street, city, state, and zip are the elements of the XML document.
• lastName, firstName, and initial are the attributes of the element name.
• 13280 Evening Creek Dr, San Diego, California, and 92128 are the text components of the elements street, city, state, and zip, respectively.
• “Smith,” “John,” and “K” are the text components of the lastName, firstName, and initial attributes of the name element.
XML expressions configured in the SA7150 are matched against XML data which is then sent for fulfillment to server assignments defined in XML patterns.
URI expressions in XML Patterns
XML configurations use URI expressions to assign particular classes of URLs to particular servers for fulfillment. Applicable expressions are listed below:
• File type expressions, such as *.asp
• Path expressions, such as /PurchaseOrder/*
• Unique file expressions, such as /purchase.cgi
• Wildcard expression, such as *
• Negation expressions, such as !*.asp or !*/purchase.cgi
Invalid URI Expressions
The following may not be used in URI expressions:
• Text on both sides of the asterisk (the asterisk must begin or end the expression), such as /order*.asp
• Expressions containing more than one asterisk, such as /order*.*
• Expressions containing one or more spaces or the dollar sign ($) character
• Expressions containing a vertical bar ( | ) or a caret (^)
Negation Operator
The “*” and “!” operators are allowed in URI expressions, but they
can exist only at the beginning or end of an expression. Also, a
positive expression must appear after a not (!) expression, otherwise
the (!) expression has no effect.
The order of URI expressions is significant only when the “not” (!)
operator is used.
NOTE: The SA7150 uses a subset of the XPath Language standard.

Expression           Yields
!*.asp               All non-ASP requests
!*/PurchaseOrder     All non-PurchaseOrder requests
!/Buy.cgi            All non-Buy.cgi requests
Use of the Negation Operator
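As an added illustration (not part of the HP guide), the following Python code checks URI expressions against the rules above and applies one server's ordered list of expressions to a request URI. Two points are assumptions drawn from the text rather than documented SA7150 behaviour: a leading asterisk is treated as a suffix match and a trailing one as a prefix match, and a negation excludes a request only from the positive expressions listed after it.

```python
FORBIDDEN = set(' $|^')                          # characters the guide disallows anywhere in an expression

def validate_uri_expression(expr):
    """True if expr obeys the URI expression rules of this chapter."""
    body = expr[1:] if expr.startswith('!') else expr
    if not body or FORBIDDEN & set(expr) or '!' in body:
        return False                             # '!' is allowed only as the leading operator
    if body.count('*') > 1:
        return False                             # more than one asterisk, e.g. /order*.*
    if '*' in body and body != '*' and not (body.startswith('*') or body.endswith('*')):
        return False                             # text on both sides of the asterisk, e.g. /order*.asp
    return True

def uri_matches(body, uri):
    """Match one positive expression: leading '*' = suffix match, trailing '*' = prefix match (assumed)."""
    if body == '*':
        return True
    if body.startswith('*'):
        return uri.endswith(body[1:])
    if body.endswith('*'):
        return uri.startswith(body[:-1])
    return uri == body

def uri_selected(expressions, uri):
    """Apply an ordered list of URI expressions (one server's list) to a request URI.

    Assumed reading of the ordering rule: a negation excludes the URI only from the
    positive expressions listed after it; a negation with no later positive expression
    has no effect, which is what the guide states.
    """
    for expr in expressions:
        if not validate_uri_expression(expr):
            raise ValueError(f"invalid URI expression: {expr!r}")
    excluded = False
    for expr in expressions:
        if expr.startswith('!'):
            excluded = excluded or uri_matches(expr[1:], uri)
        elif uri_matches(expr, uri) and not excluded:
            return True
    return False
```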
Operators
XML expressions consist of sequences of one or more XML elements or attributes combined with various “operators.” “Step operators” tell the SA7150 where in the XML data tree to look, while “comparison operators” tell the SA7150 what to look for. In typical XML expressions, elements are separated by step operators, single or double slashes (/ or //). These are used to select elements according to their location (“node”) in the XML data tree. Step operators are described in the XML Step Operators table. Comparison operators are the familiar “equal to,” “not equal to,” “greater than,” “less than,” and other such symbols. These form the basis upon which the SA7150 compares incoming XML data to its own XML patterns to decide where to send each XML document for fulfillment.
An XML expression’s first element must be preceded by a step operator.

Step Operator   Name                 Description
/               Child operator       Selects all immediate children of the context node
//              Descendant operator  Selects elements at any level under the context node
XML Step Operators
The node to the left of the last step operator in an XML expression is the “context node,” i.e., the node that establishes the level within the XML data tree’s hierarchy at which the SA7150 searches for a match when comparing XML data to XML expressions. The “root node” is the top level of the XML data tree, and by implication is to the left of an XML expression’s left-most step operator. Some examples of the effects of step operators are:
• //address Tells the SA7150 to search for the <address> element anywhere in the XML data tree.
• //employee//state Tells the SA7150 to search anywhere under the <employee> element node for the <state> element.
• //employee/address Tells the SA7150 to search one level below the <employee> node for the <address> element.
You can specify an element as “*”, which selects any element relative to the context node. You can also specify an optional filter at the end of a path to further refine parsing of the XML data stream.
Comparison operators allow the SA7150 to look for specific values in the XML data tree and compare them with corresponding values in your preconfigured XML patterns. An XML pattern might look like this:
URI Expression: */hr.asp
XML Expression: //address[zip > 90000]
Because the server to which the XML pattern belongs is configured for zip codes greater than 90000 (as defined in the XML expression component of the XML pattern), and John K. Smith’s zip code is 92128, the SA7150 sends his employee data to that server. The following table contains the available comparison operators.
Comparison Operator   Name                      Description
=                     Equal to                  Returns true if any value of the nodes specified in the pattern equals the given value
!=                    Not equal to              Returns true if at least one value of the nodes specified in the pattern does not equal the given value
<                     Less than                 Returns true if at least one value of the nodes specified in the pattern is less than the specified value
<=                    Less than or equal to     Returns true if at least one value of the nodes specified in the pattern is less than or equal to the specified value
>                     Greater than              Returns true if at least one value of the nodes specified in the pattern is greater than the specified value
>=                    Greater than or equal to  Returns true if at least one value of the nodes specified in the pattern is greater than or equal to the specified value
XML Comparison Operators
Attributes
Attributes are identified by the “at” sign (@). You can specify an attribute as @<AttributeName>, or use @* to select any attribute relative to the context node.
Filters
Filters are identified by a FilterExpression enclosed within square brackets, [ ]. These define a pattern within a pattern following this general structure:
( (’/’ | ’//’) Element )? [ FilterExpression ]
Filter expressions are applied to every element returned by the preceding path pattern. They return a match if the server is a valid choice according to the filter expression.
The operative component of a FilterExpression is a comparison expression or any FunctionCall expression that returns a string value, which compares either an element or an attribute against a specified value. An element in a FilterExpression refers to the child element of the context node, while an attribute refers to the attribute of the context node.
Comparison expression syntax:
(Element | Attribute | FunctionCall) ComparisonOperator Value
FunctionCall expression syntax:
FunctionName ’(’ (Argument (’,’ Argument)*)? ’)’
You can combine comparison expressions and the FunctionCall expression with Boolean operators and parentheses to create complex filter expressions.
Sample Pattern                                           Description
//PurchaseOrder[Amount > 10000]                          Matches a PurchaseOrder element with a child element Amount value greater than 10000
//PurchaseOrder[@CustomerID > 9000]                      Matches a PurchaseOrder element with an attribute CustomerID value greater than 9000
//PurchaseOrder[Amount > 10000 and @CustomerID > 9000]   Matches a PurchaseOrder element with a child element Amount value greater than 10000 and with an attribute CustomerID value greater than 9000
Comparison Expression Samples
Boolean Operators
Boolean operators are logical operators between expressions. These operators are used in the PathExpression and the FilterExpression, as shown below.

Operator   Name                   Description
and        Logical AND operator   Performs a logical AND operation
or         Logical OR operator    Performs a logical OR operation
Boolean Operators

Sample Pattern                         Description
//restaurant[@genre and Food_Rating]   Matches if there is a restaurant element, a genre attribute, and a Food_Rating child element. genre and Food_Rating are associated with the restaurant element.
//restaurant[@genre or Food_Rating]    Matches if there is a restaurant element, a genre attribute, or a Food_Rating child element. genre and Food_Rating are associated with the restaurant element.
//restaurant or //theater              Matches if there is a restaurant element or a theater element anywhere in the XML data tree.
Boolean Operator Examples
Function Calls
NOTE: FunctionCalls can only be specified within FilterExpressions.
Function calls allow you to specify partial patterns within FilterExpressions. FunctionCall expressions are evaluated by using the FunctionName to identify a supported function, evaluating each of the arguments if needed, and calling the function passing the required arguments. Wrong numbers of arguments or arguments not of the required type result in errors. The result of the FunctionCall expression is the result returned by the function.
Function                                  Description
starts-with(value, substring)             The starts-with function tests whether the string value of value starts with the specified substring. value can be either an element, attribute, or function call that returns a string value. substring must be a literal value enclosed in single or double quotes.
contains(value, substring)                The contains function tests whether value contains the specified substring. value can be either an element, attribute, or function call that returns a string value. substring must be a literal value enclosed in single or double quotes.
translate(value, fromString, toString)    The translate function replaces characters in the value string if they appear in the fromString with the corresponding characters in the toString. If a character appears in fromString but not in the corresponding position in toString, the character will be dropped from the value string. The result string is returned. value can be either an element, attribute, or function call that returns a string value. Both fromString and toString have to be a literal value enclosed in single or double quotes.
Function Calls
Sample Pattern                            Description
//Order[starts-with(PartNumber, “001”)]   Matches if there is an Order element with a value of a PartNumber child element starting with “001.”
                                          Matches if there is a Part element with the value of a PartNumber attribute containing “12345.”
                                          Matches if there is a Part element with the value of a Description attribute containing “ENGINE.” All characters in the Description attribute are converted to uppercase before being passed to the contains function.
Function Call Examples
Values
Values are used to specify the right operand of a comparison expression, and can be either literals (e.g., a string) or numeric values.
Literals must be enclosed in either single or double quotes. If the literal string contains single quotes, double quotes should be used to enclose the string. Conversely, if the literal string contains double quotes, it should be enclosed in single quotes. Character references (both decimal and hexadecimal format) and predefined entities as described in the XML specification can be used within the literal string.
The string value of the left operand is obtained for literal equality comparisons. If an element is specified for the left operand, only elements without a child element should be used. Although the upper level elements are not supported, this generally is not a problem, since in most cases only the lowest level element contains text values.
A number can be either a decimal value or an integer. Numbers should not be enclosed in quotes. (Numbers within quotes are treated as literals.) Numbers are signed by preceding them with the plus (+) or minus (-) sign. Decimal values must contain a decimal point with at least one digit to the right of it.
A numeric comparison is either an equality comparison with a numeric right operand or a non-equality comparison. Both the value of the left and right operands, if necessary, are converted to numeric values before a numeric comparison is made. If the value cannot be converted to a number, the comparison returns false.
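As an added illustration (not part of the HP guide) that serves the Step Operators, Comparison Operators, Filters, Boolean Operators, Function Calls and Values sections together, the following Python evaluator applies an SA7150-style XML expression to a document: / and // steps, @ attributes, filters with the six comparison operators, and/or, the starts-with, contains and translate functions, and the literal-versus-numeric comparison rule just described. The parser, the Python names, the EMPLOYEE sample and the treatment of a non-numeric operand as a non-match are my reading of this chapter, not HP's implementation; the "*" wildcard and parenthesised filters are left out.

```python
import re
import xml.etree.ElementTree as ET
NUMBER = r'[-+]?\d+(?:\.\d+)?'                   # signed integer or decimal, as the guide defines it
# Tokens of the subset: step operators, brackets, comparison operators, quoted literals, numbers, '@', names
TOKEN = re.compile(r'\s*(//|/|\[|\]|\(|\)|,|@|!=|<=|>=|=|<|>|"[^"]*"|\'[^\']*\'|'
                   + NUMBER + r'|[A-Za-z_][\w.-]*)')   # '-' in names keeps starts-with one token
CMP = {'=': lambda a, b: a == b, '!=': lambda a, b: a != b, '<': lambda a, b: a < b,
       '<=': lambda a, b: a <= b, '>': lambda a, b: a > b, '>=': lambda a, b: a >= b}
EMPLOYEE = '<employee><address><state>California</state><zip>92128</zip></address></employee>'  # constructed sample

class Parser:                                    # recursive descent producing a tuple-based AST
    def __init__(self, text):
        if TOKEN.sub('', text).strip():          # leftovers are characters outside the subset
            raise ValueError(f"unsupported characters in {text!r}")
        self.toks, self.i = TOKEN.findall(text) + [None], 0   # None marks end of input
    peek = property(lambda self: self.toks[self.i])
    def take(self, expected=None):
        tok, self.i = self.peek, self.i + 1
        if tok is None or expected not in (None, tok):
            raise ValueError(f"unexpected token {tok!r}, expected {expected or 'more input'}")
        return tok
    def expr(self, ops=('or', 'and')):           # Boolean operators; 'or' binds loosest
        left = self.expr(ops[1:]) if ops else self.term()
        while ops and self.peek == ops[0]:
            self.take(); left = (ops[0], left, self.expr(ops[1:]))
        return left
    def term(self):
        if self.peek in ('/', '//'):             # path: (('/' | '//') Element)+ [Filter]?
            steps = []
            while self.peek in ('/', '//'):
                steps.append((self.take(), self.take()))
            flt = None if self.peek != '[' else (self.take(), self.expr(), self.take(']'))[1]
            return ('path', steps, flt)
        left = self.operand()
        if self.peek in CMP:                     # comparison: operand ComparisonOperator Value
            return ('cmp', self.take(), left, self.value())
        return ('truth', left)                   # bare element, attribute or function call
    def operand(self):
        tok = self.take()
        if tok == '@':
            return ('attr', self.take())
        if self.peek != '(':
            return ('elem', tok)
        self.take(); args = [self.argument()]    # FunctionName '(' Argument (',' Argument)* ')'
        while self.peek == ',':
            self.take(); args.append(self.argument())
        self.take(')')
        return ('call', tok, args)
    def argument(self):                          # an argument is an operand or a quoted literal
        return self.value() if self.peek[0] in '"\'' else self.operand()
    def value(self):                             # quoted text is a literal, unquoted a number
        tok = self.take()
        return ('lit', tok[1:-1]) if tok[0] in '"\'' else ('num', float(tok))

def values(node, ctx):                           # string values an operand yields at element ctx
    kind, name = node[0], node[1]
    if kind == 'elem':
        return [(c.text or '').strip() for c in ctx if c.tag == name]
    if kind == 'attr':
        return [ctx.attrib[name]] if name in ctx.attrib else []
    return [str(v) for v in call(node, ctx)]

def call(node, ctx):                             # first argument is a node, the rest are literals
    _, name, args = node
    first, lits = values(args[0], ctx), [a[1] for a in args[1:]]
    if name in ('starts-with', 'contains'):
        return [v.startswith(lits[0]) if name == 'starts-with' else lits[0] in v for v in first]
    if name == 'translate':                      # fromString chars without a toString partner are dropped
        table = dict(reversed([(ord(c), lits[1][i:i + 1] or None) for i, c in enumerate(lits[0])]))
        return [v.translate(table) for v in first]
    raise ValueError(f"unsupported function {name}")

def compare(op, left, value):
    kind, rhs = value
    if op == '=' and kind == 'lit':              # literal equality is a string comparison
        return any(v == rhs for v in left)
    if kind == 'lit' and not re.fullmatch(NUMBER, rhs):
        return False                             # numeric comparison with an unconvertible operand
    return any(CMP[op](float(v), float(rhs)) for v in left if re.fullmatch(NUMBER, v))

def truth(node, ctx, doc):
    if node[0] in ('or', 'and'):                 # Boolean operators between expressions
        return (any if node[0] == 'or' else all)(truth(n, ctx, doc) for n in node[1:])
    if node[0] == 'path':                        # paths always start at the root node
        nodes = [doc]
        for axis, name in node[1]:               # '/' = immediate children, '//' = any descendant
            nodes = [c for n in nodes for c in (n if axis == '/' else list(n.iter())[1:]) if c.tag == name]
        return any(node[2] is None or truth(node[2], n, doc) for n in nodes)
    if node[0] == 'cmp':
        return compare(node[1], values(node[2], ctx), node[3])
    return any(call(node[1], ctx)) if node[1][0] == 'call' else bool(values(node[1], ctx))

def matches(expression, xml_text):               # does the expression select anything in the document?
    parser = Parser(expression)
    tree, doc = parser.expr(), ET.Element('document')   # synthetic root node above the document element
    if parser.peek is not None:
        raise ValueError("unexpected trailing tokens")
    doc.append(ET.fromstring(xml_text))
    return truth(tree, doc, doc)
```

An expression such as //address[zip > 90000] applied to EMPLOYEE returns True, while //address[state > 5] returns False because "California" cannot be converted to a number.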
XML Pattern Creation
XML patterns are created with the create pattern command.
Because each pattern is assigned to a specific server, the comman d’s
syntax requires that a server be specified.
HP SA7150> create pattern <server name>
After entering the command and a server name, the SA7 150 prompts
you for a URI expression.
HP SA7150> create pattern gold
URI Expression: /PurchaseOrder
Each time a new URI expression is entered, the system performs a
“validity check” (a test for syntactical correctness). If the expression
is invalid, the SA7150 displays an erro r message and prompts you to
begin again.
NOTE: The validity warning below is an example for illustrative purposes only. Actual messages will vary depending on the error.
Improper use of '*' character in URI Expression
Enter another pattern? [n]: y
After you enter a valid URI expression, the system prompts for an
XML expression.
XML Expression: //order [amount>1000]
Enter another pattern? [n]:
HP SA7150>
As with the URI expressions, the SA7150 performs a validity check
on each XML expression when entered and displays an error message
if there is a problem. After you enter a valid XML expression, the
SA7150 performs a “duplicate check,” (i.e., verifies that the newly
entered pattern does not already exist). If the pattern already exists,
the following message appears:
A pattern with this URI and XML expression
already exists
Enter another pattern? [n]:
When the above steps are complete, the SA7150 asks if you want to
create another XML pattern.
The SA7150 stores each XML pattern in a list on the server specified
during the pattern’s creation and assigns each a unique index number
within each server list. You can display all server lists at the console
by typing the show pattern command.
HP SA7150> show pattern
Server: std
Pattern ID Pattern
========== ==========
1          * & //std
Server: gold
Pattern ID Pattern
========== ==========
1          * & //gold
2          * & //order [amount>1000]
Server: silver
Pattern ID Pattern
========== ==========
1          * & //silver
You can display the list for a single server by using the show pattern
command with the name of the server whose pattern list you wish to
view included as an argument.
HP SA7150> show pattern gold
Server: gold
Pattern ID Pattern
========== ==========
1          * & //gold
2          * & //order [amount>1000]
HP SA7150>
Mapped Server
For the purpose of discussing SA7150 operations, the “mapped
server” is a server for which a map has been configured (see “Server
Mappings” on page 17). This is the server to which the SA7150 sends
messages for which no XML expression match is found among the
active XML patterns, including any that contain the keyword
“default” in their XML expression component. (Please see next
section, “Default Keyword.”)
Default Keyword
The keyword default can be used as an XML pattern’s XML
expression component to catch cases not covered by active XML
patterns with specific XML expressions. To illustrate, imagine you
have a number of active XML patterns assigned to different servers,
each with the same URI expression (orders.asp) but with different
XML expressions.
For example, incoming XML messages aimed at the URI
“orders.asp” and containing the company names “Chevrolet,”
“BMW,” or “Honda” would not result in exact matches with any of
the first three XML patterns in the example above. However the XML
pattern containing default would catch all of these messages, because
the URI expression is an exact match and default in the XML
expression doesn’t match “GM,” “Ford,” or “Chrysler.”
NOTE: Multiple XML patterns can use the default keyword, but they must have different URI expressions.
Below is an example of the CLI input to create an XML pattern
containing the default keyword.
HP SA7150> create pattern gold
URI Expression: orders.asp
XML Expression: default
Enter another pattern? [n]:
HP SA7150>
XML Pattern Matching
The SA7150 looks first for URI expression matches. If matches for
URI expression are found, then the SA7150 looks for XML
expression matches.
•If both the URI and XML expressions match, the SA7150 sends
the message to the server to wh ich the matching XML pattern is
assigned.
•If only the URI expression matches, the SA7150 sends the
message to the default XML server, if one is specified, or if not,
to the mapped server.
•If the URI expression does not match, the XML expression is
ignored and the message goes to the mapped server.
The table below illustrates ways in which XML messages are handled
depending on which component of XML patterns match and whether
a default XML server is configured.

XML Message Destinations

                                   URI Match, no XML Match   XML Match, no URI Match   URI and XML Match
Default XML Server Configured      Default XML Server        Mapped Server             Server to which matching pattern is assigned
Default XML Server Not Configured  Mapped Server             Mapped Server             Server to which matching pattern is assigned
XML “Well-formed” Check
If the SA7150 detects a URI expression match in the XML data
stream, it checks it for syntactical errors, and, if it detects any, by
default sends an error message to the requesting client. Alternately, it
can be configured to send an incoming XML data stream to the
mapped server when it detects punctuation or syntax errors. In all
such cases the XML expression is ignored for normal processing
purposes.
•If the xml_well_formed command is set to enable, when
malformed XML data is found in an incoming request the
SA7150 terminates the connection and returns HTTP Error 403 to
the client with the message, “XML data is not well-formed.”
•If xml_well_formed is set to disable, when malformed XML
data is found in an incoming request it is sent to the mapped
server.
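The pattern matching order (URI first, then XML expression, then the default keyword, then the mapped server) together with the well-formed check, modelled in Python as an added example. This is not HP's implementation: the pattern list follows the orders.asp example above but the server names and company predicates are assumptions, URI matching is treated as an exact string match, and XML expressions are evaluated with ElementTree's limited XPath subset rather than the SA7150's own expression language.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class Pattern:
    server: str     # server the pattern is assigned to
    uri: str        # URI expression; exact match is assumed here
    xml_expr: str   # XML expression, or the keyword "default"


# Constructed pattern list (assumed servers and predicates, not HP's config).
PATTERNS = [
    Pattern("gold", "orders.asp", "//order[company='GM']"),
    Pattern("silver", "orders.asp", "//order[company='Ford']"),
    Pattern("std", "orders.asp", "//order[company='Chrysler']"),
    Pattern("catchall", "orders.asp", "default"),
]


def xml_expr_matches(root, expr):
    """Evaluate an XML expression with ElementTree's limited XPath support.

    Only paths and [child='text'] predicates are handled; a leading '//' is
    mapped to './/' so the search is relative to the document root.
    """
    path = expr.strip()
    if path.startswith("//"):
        path = "." + path
    return root.find(path) is not None


def route(uri, body, patterns, mapped_server, xml_well_formed=True):
    """Return (destination, http_status) for one request.

    destination is a server name, or None when the request is rejected with
    the given HTTP status (403 for malformed XML while the check is enabled).
    """
    candidates = [p for p in patterns if p.uri == uri]
    if not candidates:
        # No URI match: the XML expression is ignored and the message goes
        # to the mapped server; the well-formed check is not applied.
        return mapped_server, None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        if xml_well_formed:
            return None, 403            # "XML data is not well-formed"
        return mapped_server, None      # check disabled: forward to mapped server
    for p in candidates:
        if p.xml_expr != "default" and xml_expr_matches(root, p.xml_expr):
            return p.server, None       # URI and XML expression both match
    default = next((p for p in candidates if p.xml_expr == "default"), None)
    if default is not None:
        return default.server, None     # URI match only: default XML server
    return mapped_server, None          # URI match only, no default: mapped server


def order_from(company):
    """Build a small constructed message naming one company."""
    return f"<PurchaseOrder><order><company>{company}</company></order></PurchaseOrder>"
```

The `route` function reproduces the three cases of the destination table: a Honda order on orders.asp falls to the `default` pattern's server when one exists and to the mapped server otherwise, while a request for a non-matching URI is never parsed at all.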
Network Configurations
Single Server
The HP e-Commerce/XML Server Accelerator SA7150 is typically
used with multiple servers although it can support multiple
applications running on separate ports of a single server. In single
server configurations the SA7150 is connected to the network
between the router and the server.
Ideally, the SA7150 is installed in the network in such a way as to
minimize network latency.
[Figure: SA7150 in Single Server Configuration (App1, App 2 and App 3 on a single server behind the SA7150)]
Multiple Servers
In the more common multiple server configuration, the SA7150 sits
between the router and the switch. XML traffic is intercepted,
decrypted (if SSL-encrypted), processed, and sent to an XML server.
[Figure: SA7150 in Multiple Server Configuration (router, SA7150, hub/switch, XML Server 1, XML Server 2, XML Server 3)]
Multiple SA7150s and Cascading
NOTE: The SA7150 restarts when spill is enabled. Depending on the size of the current configuration file, it can require from 30 seconds to seven minutes to return to operations.
Scalability and Cascading
The SA7150’s capabilities are scalable by chaining, or “cascading,”
multiple SA7150s together. In such configurations, each unit’s server
side connector is wired to the network side connector of the next
SA7150 in line. The last SA7150 in line is connected to the server or
switch.
[Figure: Cascaded SA7150s (router, cascaded SA7150s, hub/switch, XML Server 1, XML Server 2, XML Server 3)]
Spilling and Throttling
When the SA7150’s “spill” option is enabled, if a given SA7150
cannot process a request within a specified interval, the request is
passed on to the next SA7150 in line. The last SA7150 on the server
side can also be enabled to spill to the server. Spilling is performed
dynamically on a connection-by-connection basis. (See spill
command, Chapter 5, “Command Reference.”) If spill is disabled, the
SA7150 “throttles,” that is, does not accept incoming requests when
it becomes overloaded.
Availability
When a SA7150 fails or is set to Bypass mode while Fail-through is
enabled, the SA7150’s network side and server side network adapters
are directly connected, allowing traffic to pass through to the next
device until the failed unit is brought back into service. This feature
eliminates a single point of failure and provides a high level of
availability, should there be a failure. See “Failure/Bypass Modes” in
Appendix B for more information.
SSL Operations
Keys and Certificates
CAUTION: The SA7150 comes with default keys and certificates for test purposes. Certificates for production use should be obtained from a recognized certificate authority.
In addition to its XML processing capabilities, the SA7150 provides
powerful SSL (Secure Socket Layer) decryption and encryption
processing. When secure maps are used it becomes necessary to
configure keys and certificates. A key is a set of numbers used to
encrypt or decrypt data. A certificate is a “form” that identifies a
server or user. The certificate contains information about your
company as well as information from a third party that verifies your
identity.
There are three ways to obtain keys and certificates:
•Obtaining a certificate from VeriSign* or other certificate
authority
•Using an existing key/certificate
•Creating a new key/certificate on the SA7150
Cutting and Pasting with HyperTerminal*
Cutting and pasting is an integral part of the next several procedures.
Below are procedures for cutting and pasting in HyperTerminal*. If
you use some other terminal program, consult that product’s
documentation for appropriate procedures.
To copy an item (key, certificate signing request, etc.) from
HyperTerminal*:
1. Open the HyperTerminal* window.
2. Click and drag to select the item.
3. After the item is selected, open the Edit menu and click Copy (or
type <ctrl-c>).
4. Open the window where you will paste the data, and position the
cursor at the appropriate point.
5. In the Edit menu, click Paste (or type <ctrl-v>).
To paste an item (key, certificate signing request, etc.) into
HyperTerminal*:
1. Display the item in the appropriate application window, then
click and drag to select the item.
2. Once the item is selected, click the Edit menu and select Copy
(or type <ctrl-c>).
3. Move to the HyperTerminal* window, and position the cursor at
the appropriate point.
4. Pull down the Edit menu, and select Paste to Host (or type <ctrl-v>).
Obtaining a Certificate from VeriSign* or Other Authority
Use the create key command to create your key and the create sign
command to create a signing request to be sent to VeriSign* or other
certificate authority for authentication. The certificate authority will
return it in approximately one to five days. After you have received
the certificate, use the import cert command to import it into the
SA7150.
The fields input to create a signing request are called collectively a
Distinguished Name (DN). For optimal security, one or more fields
must be modified to make the DN unique.
Procedure
Create a key.
1. Type the create key command at the prompt.
HP SA7150> create key
Key strength (512/1024) [512]:
New keyID [001]: 002
Keypair was created for keyID: 002
2. Create a Certificate Signing Request.
HP SA7150> create sign 002
You are about to be asked to enter
information that will be incorporated into
your certificate request. The "common name"
must be unique. For other fields, you could
use default values.
Certifying authorities have specific guidelines on how to answer each
of the questions. These guidelines may vary by certifying authority.
Please refer to the guidelines of the certifying authority to whom you
submit your Certificate Signing Request (CSR). Please keep the
following in mind when entering the information that will be
incorporated into your certificate request.
•Country code: This is the two-letter ISO abbreviation for your
country (for example, US for the United States).
•State or Province: This is the name of the state or province
where your organization’s head office is located. Please enter the
full name of the state or province. Do not abbreviate.
•Locality: This is usually the name of the city where your
organization’s head office is located.
•Organization: This should be the organization that owns the
domain name. The organization name (corporation, limited
partnership, university, or government agency) must be
registered with some authority at the national, state, or city level.
Use the legal name under which your organization is registered.
Please do not abbreviate your organization’s name and do not use
any of the following characters: < > ~ ! @ # $ % ^ * / \ ( ) ?.
•Organizational unit: This is normally the name of the
department or group that will use the certificate.
•Common name: The common name is the “fully qualified
domain name,” (or FQDN) used for DNS lookups of your server
(for example, www.mysite.com). Browsers use this information
to identify your Web site. Some browsers will refuse to establish
a secure connection with your site if the server name does not
match the common name in the certificate. Please do not include
the protocol specifier “http://” or any port numbers or path names
in the common name. Do not use wildcard characters such as * or
?, and do not use an IP address.
•E-mail address: This should be the e-mail address of the
administrator responsible for the certificate.
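A validator for the Distinguished Name fields as described in the list above, written as an added Python example; it is not part of the SA7150's create sign command. The country-code table is a constructed partial list (a real check uses the full ISO 3166-1 table), and the "short all-caps value is an abbreviation" test for the state field is a heuristic assumption.

```python
import ipaddress
import re

# Characters the text above forbids in the organization name.
FORBIDDEN_ORG_CHARS = set('<>~!@#$%^*/\\()?')
# Constructed partial table for the example only.
ISO_COUNTRY_CODES = {"US", "CA", "GB", "DE", "FR", "JP"}
_FQDN = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_common_name(cn):
    """Common-name rules: FQDN only, no scheme, port, path, wildcard or IP address."""
    problems = []
    host = cn.strip()
    if "://" in host:
        problems.append("common_name: must not include a protocol specifier such as http://")
        host = host.split("://", 1)[1]
    host, slash, _path = host.partition("/")
    if slash:
        problems.append("common_name: must not include a path name")
    if re.search(r":\d+$", host):
        problems.append("common_name: must not include a port number")
        host = host.rsplit(":", 1)[0]
    if "*" in host or "?" in host:
        problems.append("common_name: wildcard characters are not allowed")
        return problems
    try:
        ipaddress.ip_address(host)
        problems.append("common_name: must be a DNS name, not an IP address")
    except ValueError:
        if not _FQDN.match(host):
            problems.append("common_name: not a fully qualified domain name")
    return problems


def validate_dn(dn):
    """Return a list of problems with the DN fields; an empty list means it passes."""
    problems = []
    country = dn.get("country", "")
    if not (len(country) == 2 and country.isalpha() and country.isupper()):
        problems.append("country: must be the two-letter ISO code, for example US")
    elif country not in ISO_COUNTRY_CODES:
        problems.append("country: not a known ISO code")
    for field in ("state", "locality", "organization", "organizational_unit"):
        if not dn.get(field, "").strip():
            problems.append(f"{field}: required")
    state = dn.get("state", "").strip()
    # Heuristic (assumption): a short all-caps value looks like an abbreviation.
    if state and len(state) <= 3 and state.isupper():
        problems.append("state: enter the full name, do not abbreviate")
    bad = sorted(FORBIDDEN_ORG_CHARS & set(dn.get("organization", "")))
    if bad:
        problems.append("organization: forbidden characters " + " ".join(bad))
    problems += check_common_name(dn.get("common_name", ""))
    if not _EMAIL.match(dn.get("email", "")):
        problems.append("email: not a valid address")
    return problems


# Constructed sample DNs (the names and addresses are invented).
GOOD_DN = {"country": "US", "state": "California", "locality": "Palo Alto",
           "organization": "Example Widgets Inc", "organizational_unit": "IT",
           "common_name": "www.mysite.com", "email": "admin@mysite.com"}
BAD_DN = {"country": "usa", "state": "CA", "locality": "",
          "organization": "Acme (US)", "organizational_unit": "IT",
          "common_name": "*.acme.com", "email": "nobody"}
```

Running the check before submitting a CSR catches the mistakes the certifying authority would otherwise reject the request for, such as a common name of the form `https://www.mysite.com:443/shop`, which fails three separate rules.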
3. Export the Certificate Signing Request (CSR).
In this example, xmodem is used to send the CSR to a PC connected
to the console port.
HP SA7150> export sign mywebserver
Export protocol : (xmodem, ascii)
[ascii]:xmodem
Use Ctrl-x to kill transmission
Beginning export...
Export successful!
HP SA7150>
To submit the CSR to a certifying authority, paste it into the field
provided in the authority’s online request form. Remember to include
the “-----BEGIN CERTIFICATE REQUEST-----” and “-----END
CERTIFICATE REQUEST-----” lines.
NOTE: It is possible to import multiple certificates in a single file. The size of files containing combined certificates must not exceed 20KB.
4. When the certificate authority returns the certificate, import it
into the SA7150. Use the import cert command, with the
KeyID. As with the import key command, choose an import protocol.
Use p for paste. After the paste is finished, add
three periods to display the command line.
HP SA7150> import cert mywebserver
keyid is mywebserver;
Import protocol: (paste, xmodem) [paste]:
Type or paste in data, end with ... alone on
line
5. Create mapping for Server 1. Use the create map command to
specify the server IP address, ports, and keyID.
HP SA7150> create map
Server IP (0.0.0.0): 10.1.1.30
Network port [443]:
Cleartext (server) port [80]:
KeyID to use for mapping: mywebserver
6. Save the configuration when the server has been mapped.
HP SA7150> config save
Saving configuration to flash...
Configuration saved to flash
HP SA7150>
Using an Existing Key/Certificate
NOTE: Currently there is no published method for extracting private keys from Microsoft* IIS or Netscape* servers.
Exporting a Key/Certificate from a Server
This method is used when it is important that the existing keys and
certificates are used.
Consult your server software documentation for detailed instructions
on how to export keys and certificates. Once you have exported the
keys and certificates, use the import key and import cert commands
to paste the keys and certificates into your SA7150. Some general
instructions are provided below for the Apache Web Server.
Apache Interface to OpenSSL* (mod_ssl)
For key:
1. Look in $APACHEROOT/conf/httpd.conf for location of *.key
file.
2. Copy and paste the key file.
For certificate:
1. Look in $APACHEROOT/conf/httpd.conf for location of *.crt
file (certificate).
2. Copy and paste the certificate file.
Apache SSL*
For key:
1. Look in $APACHESSLROOT/conf/httpd.conf for location of
*.key file.
2. Copy and paste the key file.
For certificate:
1. Look in $APACHESSLROOT/conf/httpd.conf for location of
*.cert file.
2. Copy and paste the certificate file.
Stronghold*
For key:
1. Look in $STRONGHOLDROOT/conf/httpd.conf for location of
*.key file.
2. Copy and paste the key file.
For certificate:
1. Look in $STRONGHOLDROOT/conf/httpd.conf for location of
*.cert file.
2. Copy and paste the certificate file.
Importing into the SA7150
1. Use the import key command with the keyID, and choose an
import protocol for importing the key. In this case, use the default
to “paste.” When the paste is finished, add a line break followed
by three periods to display the command line.
HP SA7150> import key mywebserver
Import protocol: (paste, xmodem) [paste]:
Type or paste in data, end with ... alone on
line
2. Use the import cert command with the keyID. As with import
key, choose an import protocol for importing the key. Use the
default to “paste.” When the paste is finished, add a line break
followed by three periods to display the command line.
HP SA7150> import cert mywebserver
keyid is mywebserver;
Import protocol: (paste, xmodem) [paste]:
Type or paste in data, end with ... alone on
line
3. Create a server mapping. Use the create map command to
specify the server IP address, ports, and keyID.
HP SA7150> create map
Server IP (0.0.0.0): 10.1.1.30
SSL (network) port [443]:
Cleartext (server) port [80]:
KeyID to use for mapping: mywebserver
4. Save the configuration when the server has been mapped.
HP SA7150> config save
Saving configuration to flash...
Configuration saved to flash
HP SA7150>
Creating a new Key/Certificate on the SA7150
Use the create key and create cert commands to create new keys and
certificates for SA7150 operation. This procedure can be used when
there are no existing keys and certificates on the server. The
advantage is that this method is very fast, but a certificate authority
has not signed the certificates.
The fields input to create a certificate are called a Distinguished
Name (DN). For optimal security, one or more fields must be
modified to make the DN unique.
Procedure
1. Create a key.
HP SA7150> create key
Enter the key strength [512,1024]: 512
New keyID [001]: mywebserver
Keypair was created for keyID: mywebserver
2. Enter the create cert command with the keyID.
HP SA7150> create cert mywebserver
You are about to be asked to enter
information…
Enter the information for the certificate, as prompted.
•Country
•State
•Locality
•Organization
•Organization unit
•Common name (for example, www.myserver.com)
•E-mail address.
3. Create a server mapping. Use the create map command to
specify the server IP address, ports, and keyID.
HP SA7150> create map
Server IP (0.0.0.0): 10.1.1.30
SSL (network) port [443]:
Cleartext (server) port [80]:
KeyID to use for mapping: mywebserver
4. Save the configuration when the server has been mapped.
HP SA7150> config save
Saving configuration to flash...
Configuration saved to flash
HP SA7150>
Global Site Certificates
Overview
Four types of certificates are involved in the following discussion:
•Root Certificate. The certificate of a trusted Certificate Authority
(CA) such as VeriSign*.
•Server Certificate. Loaded on the server. Can be either self-
generated or received from a certificate authority such as
VeriSign*. Interacts with requesting browser’s root certificate to
establish encryption level.
•Global Site Certificate. An extended server certificate. Allows
128-bit encryption for export-restricted browsers.
•Intermediate CA certificate. A certificate “signed,” that is,
authenticated, by a recognized CA such as VeriSign*, and used to
validate a global site certificate. Called an “intermediate CA
certificate” in the following discussion.
Export versions of Internet Explorer* and Netscape* Communicator
use 40-bit encryption to initiate connections to SSL servers. Upon
receiving a client request, the server responds by sending a digital
certificate. If this certificate is a conventional server certificate (that
is, not a global site certificate), browser and server complete the SSL
handshake and use a 40-bit key to encrypt application data. If the
server responds to a requesting browser with a global site certificate,
the client automatically renegotiates the connection to use 128-bit
encryption.
A global site certificate is validate d by an accompanying intermediate
CA certificate. (Such pairs are called “chained certificates.”)
Examples of intermediate CA certificates include Microsoft SGC
Root* and VeriSign Class 3*. When a requesting browser receives a
global site certificate along with an intermediate CA certificate, the
browser’s root certificate is used to validate the intermediate CA
certificate, which in turn is used to validate the global site certificate,
thus letting the browser know that it can renegotiate the connection to
use 128-bit encryption.
Global Site Certificate Paste Procedure
If you wish to use a global site certificate, you must import both the
global site certificate and its accompanying intermediate CA
certificate. Both certificates must be chained together in a single file.
NOTE: The size of the file containing both certificates must not exceed 20KB.
NOTE: There must be no white space before, between, or after certificates, and the “Begin...” headers and “End...” trailers must all be retained.
Use the import cert command to import either single or chained
certificates. In the latter case, paste the server’s global site certificate
first, followed by the intermediate CA certificate. Follow the
intermediate CA certificate by typing three periods on a new line.
Example:
HP SA7150> import cert <keyID>
Import protocol: (paste, xmodem) [paste]:
Type or paste in data, end with ... alone on
line
-----END CERTIFICATE-----<Enter>
...<Enter>
Import successful!
HP SA7150>
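A pre-paste check for a chained certificate file that enforces the rules from the two notes above (20KB limit, no white space before, between or after the blocks, BEGIN and END lines retained), written in Python as an added example; it is not part of the SA7150's import cert command. The reading of the white-space rule as "blocks on consecutive lines, not even a blank line between them" is an assumption, and the certificate bodies used below are constructed stand-ins (the base64 of a tiny DER SEQUENCE), not real certificates. The check cannot tell a server certificate from an intermediate CA certificate, so the required order (global site certificate first, then the intermediate) still has to be verified by the person pasting.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
MAX_BYTES = 20 * 1024   # the manual's 20KB limit for a combined file

# Constructed stand-in body: base64 of a 5-byte DER SEQUENCE, not a certificate.
FAKE_BODY = base64.b64encode(b"\x30\x03\x02\x01\x05").decode()
GOOD_CHAIN = f"{BEGIN}\n{FAKE_BODY}\n{END}\n{BEGIN}\n{FAKE_BODY}\n{END}\n"


def split_chain(text):
    """Split pasted PEM text into certificate bodies, recording structural problems.

    Assumed reading of the white-space rule: nothing, not even a blank line,
    may appear before, between or after the certificate blocks.
    """
    problems, certs, current = [], [], None
    if text not in (text.strip(), text.strip() + "\n"):
        problems.append("white space before or after the certificates")
    for line in text.strip().split("\n"):
        if line == BEGIN:
            if current is not None:
                problems.append("BEGIN line inside a certificate (missing END)")
            current = []
        elif line == END:
            if current is None:
                problems.append("END line without a matching BEGIN")
            else:
                certs.append("".join(current))
                current = None
        elif current is None:
            problems.append(f"unexpected text between certificates: {line[:20]!r}")
        elif not line or line != line.strip():
            problems.append("white space inside a certificate body")
        else:
            current.append(line)
    if current is not None:
        problems.append("BEGIN line without a matching END")
    return certs, problems


def check_chain_file(text):
    """Return (certificate_count, problems) for a single or chained PEM paste."""
    problems = []
    if len(text.encode("utf-8")) > MAX_BYTES:
        problems.append("file exceeds 20KB")
    certs, structural = split_chain(text.replace("\r\n", "\n"))
    problems += structural
    for i, body in enumerate(certs, 1):
        try:
            der = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"certificate {i}: body is not valid base64")
            continue
        # Every X.509 certificate is a DER SEQUENCE, whose first byte is 0x30.
        if not der or der[0] != 0x30:
            problems.append(f"certificate {i}: decoded data is not a DER SEQUENCE")
    return len(certs), problems
```

A stray leading space, a blank line between the two blocks, or a missing END trailer each produce one distinct problem, which is easier to act on than the device's import failing part way through a paste.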
Redirection: Clients and Unsupported Ciphers
NOTE: The user must provide the redirect URL and ensure that it is available, as well as define the content of the redirect page.
WARNING: If the redirect URL causes a client to access the same SA7150 mapping that invoked the redirection, an infinite loop condition will occur.
When a client that does not support the selected cipher suite attempts
to connect to the SA7150, the default behavior is to reject the
connection, resulting in the client system reporting a fatal error.
However, the SA7150 allows you to specify a “redirect address”
where you can provide clients with additional information. The set
redirect command allows you to specify a redirect Web address for
any Map ID. The show redirect command displays any redirect
addresses currently configured.
If you are using a clear text map, the following three parameters are
not applicable:
•Cipher Suite
•Redirect URL
•Client Authentication
HP SA7150> list maps
Map                      Net   Ser   Cipher      Re-     Client        well
ID   KeyID    Server IP  Port  Port  Suites      direct  Auth    XML   form
==   =======  =========  ====  ====  ==========  ======  ======  ===   ====
1    default  Any        443   80    all(v2+v3)  n       n       n     N/A
HP SA7150> set redirect 2
Enter a redirect URL at following prompt
e.g. http://www.e-comm_site.com/browser.html
Enter redirect URL []:http://www.e-comm_site.com/cipher_info.html
HP SA7150> list maps
Map                      Net   Ser   Cipher      Re-     Client        well
ID   KeyID    Server IP  Port  Port  Suites      direct  Auth    XML   form
==   =======  =========  ====  ====  ==========  ======  ======  ===   ====
1    default  Any        443   80    all(v2+v3)  n       n       n     N/A
HP SA7150> show redirect 2
Redirect URL for map 2 is set: http://www.e-comm_site.com/cipher_info.html
To disable a redirect URL for a mapping:
HP SA7150> set redirect 2 none
HP SA7150> show redirect 2
Redirect URL for map 2 is not set
Client Authentication
The SA7150 supports only one root CA certificate per mapping.
However, multiple intermediate CA certificates per single mapping
are supported.
First, use the list map command to display the current map IDs and
their configurations including Client Authentication, enabled (y) or
disabled (n).
HP SA7150> list map
Map                      Net   Ser   Cipher      Re-     Client        well
ID   KeyID    Server IP  Port  Port  Suites      direct  Auth    XML   form
==   =======  =========  ====  ====  ==========  ======  ======  ===   ====
1    default  Any        443   80    all(v2+v3)  n       n       n     N/A
2    sample   10.1.2.57  443   80    med(v2+v3)  n       n       n     N/A
HP SA7150>
Next, import the client CA certificate for Map ID 2.
HP SA7150> import client_ca 2
Import protocol: (paste, xmodem) [paste]:
Type or paste in data, end with ... alone on
Verify the import by using the list map command again. Note that the
Client Auth column now shows client authentication for Map ID 2
enabled.
HP SA7150> list map
Map                      Net   Ser   Cipher      Re-     Client        well
ID   KeyID    Server IP  Port  Port  Suites      direct  Auth    XML   form
==   =======  =========  ====  ====  ==========  ======  ======  ===   ====
1    default  Any        443   80    all(v2+v3)  n       n       n     N/A
2    sample   10.1.2.57  443   80    med(v2+v3)  n       y       n     N/A
HP SA7150>
Clients connecting to “map 2” are required to present a client
certificate signed by the CA whose certificate was imported above. If
they do not present a properly signed certificate, their connection
attempt is refused.
Creating a Client CA Certificate using OpenSSL*
NOTE: To acquire a copy of OpenSSL* for your environment, access the OpenSSL* Web site at www.openssl.org.
NOTE: In this example, ca_cert.pem is your trusted CA and signing certificate.
Software packages are available that handle the details of client
certificate generation. However, you can also implement them
manually. The following example illustrates the appropriate steps
using OpenSSL*.
1. Generate the key pair for the client CA.
openssl genrsa -out ca_key.pem 1024
2. Create another private key by typing this command.
4. Combine the key.pem and cert.pem keys into one file by
typing this command.
cat key.pem cert.pem > all.pem
5. Convert to p12 format by typing this command.
openssl pkcs12 -export -in all.pem -out <file>.p12 -name "MY NAME"
The output file <file>.p12 will be imported into the browser as a
personal certificate.
SSL Processing
The HP e-Commerce/XML Server Accelerator SA7150 handles
several SSL protocols, for example, HTTPS (which is the default).
For security purposes, you can block access to specified IPs or ports
(see “Blocking” section in this chapter). Traffic that is not mapped or
blocked flows through transparently (see “Failure Conditions”
section at the end of this chapter). Supported protocols are listed
below. (Ports listed are “well-known” port assignments. Any
available port may be used.)
•HTTPS 443 (default)
•IMAPS 993
•POP3S 995
•SMTPS 465
•NNTPS 563
•LDAPS 636
Mapping
NOTE: The SA7150 supports a maximum of 1000 mappings.
Keypairs and their associated certificates are referenced by a keyID.
A server is identified by a unique combination of server IP and
network port. Mapping is the process of associating a keyID with a
server (using server IP, network port, and server port). The SA7150
supports two types of mapping:
•Automapping
•Manual mapping
Automapping
NOTE: Remember to save the configuration (with the config save command) after making mapping changes.
Automapped entries are identified by a server IP address of zero
(0.0.0.0). When a server IP address of zero is specified, the SA7150
intercepts packets to any server IP address with the matching network
ports. As with any mapping entry, the combination of server IP
address and network port must be unique.
The initial configuration for the SA7150 provides an automapping
entry for network port 443 and server port 80. This is associated with
the internally generated default keypair and certificate with the keyID
of “default.” Under this initial configuration, automapping occurs on
any server with this network port (443) when traffic is routed through
the SA7150.
Automapping with user-specified key and
certificate
When a user-specified key and certificate are to be automapped, the
user can replace the initial automapping entry with the create map
command. By specifying the same unique identifier (server IP of
0.0.0.0, and network port of 443 with a user-generated keyID), the
user can overwrite the initial automapping entry. (The key and
certificate may be obtained through any of the methods described
previously in this chapter.)
Automapping with multiple port combinations
The user can specify multiple automapping entries when the network
port is unique. For example, a user might specify, in addition to the
initial network (443) and server (80) port combination, a combination
of network (8010) and server (80) port.
Deleting automapping entries
Any automapping entry can be deleted, but if the initial automapping
is deleted and no other mapping entry is specified, the SA7150
automatically recreates the initial automapping entry. Either replace
the initial automapping entry or create another mapping/automapping
entry and then delete the initial automapping entry using the delete
map command.
Manual mapping
The user can create (with the create map command) one or more
mapping entries for individual servers. This is the only way to specify
unique keyIDs for each server. Normally, when manual mapping is
performed, the initial automapping entry is deleted, but this is not a
requirement.
Combining automapping and manual mapping
NOTE: If both manual mappings and applicable automappings are available, the SA7150 always uses the manual mapping.
Any combination of automapping and manual mapping entries, up to
a total of 1000, can be used provided the server IP address and
network port combinations are unique. Several of the scenarios in
Chapter 4 include step-by-step mapping procedures.
Blocking
NOTE: Blocking is always performed before mapping.
For security purposes, the SA7150 allows the blocking of particular
IP addresses and ports. IP/port combinations can be blocked on the
basis of:
•Specific IP, specific port
•Subnet, specific port
•All IPs, specific port
Specific IP, Specific Port
To block a specific server IP and specific port combination:
1. Type the create block command.
2. Type the IP address.
3. Press Enter to accept the default IP mask.
4. Type the specific port.
5. Press Enter to accept the default port mask.
Example:
HP SA7150> create block
Client IP to block [0.0.0.0]: 10.1.2.1
Client IP mask [0.0.0.0]: 255.255.255.255
Server IP to block [0.0.0.0]: 20.1.2.1
Server IP mask [0.0.0.0]: 255.255.255.255
Server Port to block: 80
Server Port mask [0xffff]:
Use the show block command to verify.
HP SA7150> show block
(1) block 10.1.2.1 255.255.255.255 20.1.2.1 255.255.255.255 80 0xffff
Subnet, Specific Port
To block a subnet and port combination:
1. Specify a subnet, using 0 as the final octet. (In the example
below, all IPs from “10.1.x.x” to “20.1.x.x” are blocked on port
80.)
2. Type the subnet mask, with 0 indicating the portion of the IP
address to be ignored.
3. Type the specific port.
4. Press Enter to accept the default port mask.
Example:
HP SA7150> create block
Client IP to block [0.0.0.0]: 10.1.2.1
Client IP mask [0.0.0.0]: 255.255.0.0
Server IP to block [0.0.0.0]: 20.1.2.1
Server IP mask [0.0.0.0]: 255.255.0.0
Server Port to block: 80
Server Port mask [0xffff]:
All IPs, Specific Port
1. Type all zeroes as the IP address to be blocked.
2. Type all zeroes as the IP wildcard mask to be blocked.
3. Type the specific port.
4. Press Enter to accept the default port mask.
Example:
HP SA7150> create block
Client IP to block [0.0.0.0]:
Client IP mask [0.0.0.0]:
Server IP to block [0.0.0.0]:
Server IP mask [0.0.0.0]:
Server Port to block: 80
Server Port mask [0xffff]:
5. Use the show block command to confirm the block.
HP SA7150> show block
-----------
blocks :
----------(1) block
0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 80 0xffff
-----------
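The blocking and mapping rules of this chapter, modelled together in Python as an added example (not HP's code): wildcard masks where a 0 octet means "ignore", blocking evaluated before mapping, a manual mapping preferred over an applicable automapping, the 0.0.0.0 automapping entry matching any server on its network port, uniqueness of the server IP and network port pair, and the 1000-entry limit. The block entries and keyIDs are constructed from the examples on these pages; the rule that unmapped, unblocked traffic passes through transparently is taken from the SSL Processing introduction.

```python
import ipaddress
from dataclasses import dataclass

MAX_MAPPINGS = 1000


@dataclass(frozen=True)
class Block:
    client_ip: str
    client_mask: str
    server_ip: str
    server_mask: str
    port: int
    port_mask: int = 0xFFFF


@dataclass(frozen=True)
class Mapping:
    key_id: str
    server_ip: str      # "0.0.0.0" marks an automapping entry
    net_port: int
    server_port: int


def _masked(ip, mask):
    """Apply a wildcard mask: a 0 octet means 'ignore this part of the address'."""
    return int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))


def block_matches(b, client_ip, server_ip, port):
    """True when the client, server and port all match the block entry under its masks."""
    return (_masked(client_ip, b.client_mask) == _masked(b.client_ip, b.client_mask)
            and _masked(server_ip, b.server_mask) == _masked(b.server_ip, b.server_mask)
            and (port & b.port_mask) == (b.port & b.port_mask))


class MapTable:
    """Mapping entries keyed by the unique (server IP, network port) pair."""

    def __init__(self):
        self.entries = {}

    def create_map(self, m):
        key = (m.server_ip, m.net_port)
        if key in self.entries:
            raise ValueError("server IP and network port combination must be unique")
        if len(self.entries) >= MAX_MAPPINGS:
            raise ValueError("maximum of 1000 mappings reached")
        self.entries[key] = m

    def delete_map(self, server_ip, net_port):
        del self.entries[(server_ip, net_port)]

    def lookup(self, server_ip, net_port):
        # A manual mapping always wins over an applicable automapping.
        manual = self.entries.get((server_ip, net_port))
        if manual is not None:
            return manual
        return self.entries.get(("0.0.0.0", net_port))


def dispatch(blocks, maps, client_ip, server_ip, port):
    """Decide what happens to one connection: blocking is checked before mapping."""
    for block_id, b in enumerate(blocks, 1):
        if block_matches(b, client_ip, server_ip, port):
            return ("blocked", block_id)
    m = maps.lookup(server_ip, port)
    if m is None:
        return ("passthrough", None)    # unmapped, unblocked traffic flows through
    return ("mapped", m.key_id)


# Constructed configuration mirroring the examples above (sample values only).
BLOCKS = [
    Block("10.1.2.1", "255.255.255.255", "20.1.2.1", "255.255.255.255", 80),
    Block("10.1.2.1", "255.255.0.0", "20.1.2.1", "255.255.0.0", 80),
]
MAPS = MapTable()
MAPS.create_map(Mapping("default", "0.0.0.0", 443, 80))
MAPS.create_map(Mapping("mywebserver", "10.1.1.30", 443, 80))
```

The model makes one consequence of the initial automapping visible: with the 0.0.0.0/443 entry still present, a connection to any server on port 443 that is not blocked and has no manual mapping is decrypted with the "default" keypair, which is why the text recommends replacing that entry with a user-generated keyID.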
Delete a Block
The example below illustrates how to delete a subnet block. Type the delete block command with the block ID (the block ID is 1 in the example).
1. Use the show block command to identify the block to be deleted.
2. Use the delete block command followed by the block ID to delete the block.
HP SA7150> delete block 1
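The following Python model is an added illustration, not part of the SA7150's own software. It applies the masking rule the procedures above rely on (255 in a mask octet means the octet must match, 0 means it is ignored, and the default port mask 0xffff is an exact match on the port) to the three blocks just created, and also shows the pitfall of entering a specific-IP block but accepting the default 0.0.0.0 masks: that entry matches every client and every server. Reading the masks as a bitwise AND on both ends of the connection is an assumption about the device; the addresses are those of the procedures plus documentation addresses (192.0.2.x, 198.51.100.x).

```python
"""Model of SA7150-style block matching (added example, not SA7150 code).

Assumption: a connection matches a block when (address AND mask) equals
(block address AND mask) for both the client and the server, and the port
passes the same test against the port mask.
"""
import ipaddress


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _dotted(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


class Block:
    """One entry as answered at the create block prompts (defaults as on the device)."""

    def __init__(self, client_ip="0.0.0.0", client_mask="0.0.0.0",
                 server_ip="0.0.0.0", server_mask="0.0.0.0",
                 port=0, port_mask=0xFFFF):
        self.client_ip, self.client_mask = _ip(client_ip), _ip(client_mask)
        self.server_ip, self.server_mask = _ip(server_ip), _ip(server_mask)
        self.port, self.port_mask = port, port_mask

    def matches(self, client: str, server: str, port: int) -> bool:
        """True when the client->server:port connection falls under this block."""
        return ((_ip(client) & self.client_mask) == (self.client_ip & self.client_mask)
                and (_ip(server) & self.server_mask) == (self.server_ip & self.server_mask)
                and (port & self.port_mask) == (self.port & self.port_mask))

    def show(self, index: int) -> str:
        """Render the entry in the layout of the manual's show block output."""
        return (f"({index}) block {_dotted(self.client_ip)} {_dotted(self.client_mask)} "
                f"{_dotted(self.server_ip)} {_dotted(self.server_mask)} "
                f"{self.port} 0x{self.port_mask:04x}")


def is_blocked(blocks, client: str, server: str, port: int) -> bool:
    """A connection is blocked if any configured entry matches it."""
    return any(b.matches(client, server, port) for b in blocks)


# The three entries from the procedures above.
SPECIFIC = Block("10.1.2.1", "255.255.255.255", "20.1.2.1", "255.255.255.255", 80)
SUBNET = Block("10.1.2.1", "255.255.0.0", "20.1.2.1", "255.255.0.0", 80)
ALL_IPS = Block(port=80)
# The pitfall: the specific addresses were typed but the default masks accepted.
DEFAULT_MASKS = Block("10.1.2.1", "0.0.0.0", "20.1.2.1", "0.0.0.0", 80)

if __name__ == "__main__":
    for i, b in enumerate([SPECIFIC, SUBNET, ALL_IPS, DEFAULT_MASKS], 1):
        print(b.show(i))
    # An unrelated host pair on port 80 is caught only by ALL_IPS and DEFAULT_MASKS.
    for b in (SPECIFIC, SUBNET, ALL_IPS, DEFAULT_MASKS):
        print(b.matches("192.0.2.7", "198.51.100.9", 80))
```

Compare the last two lines of output: the all-IPs block is meant to catch the unrelated host pair, the "specific" entry with default masks catches it by accident.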
Failure Conditions, Fail-safe, and Fail-through
During a failure condition, unprocessed data either passes through the SA7150 or it does not, depending on whether Fail-safe or Fail-through mode is enabled. The Fail-through switch is in Fail-safe mode by default, meaning that during a failure no data packets pass from one side of the SA7150 to the other: the device fails closed, so a failure interrupts service rather than letting traffic bypass the SA7150's SSL and XML processing. Fail-through, by contrast, lets unprocessed traffic reach the other side. For details, see "Failure/Bypass Modes" in Appendix B.
Scenarios
This section contains scenarios illustrating examples of HP e-Commerce/XML Server Accelerator SA7150 configurations:
•Scenario 1: Basic XML Operation
•Scenario 2: Single Server Configuration
•Scenario 3: Multiple Server Configuration (SSL)
•Scenario 4: Cascaded SA7150s
•Scenario 5: Different Ingress and Egress Routers
•Scenario 6: Configuring a Firewall
Scenario 1—Basic XML Operation
As discussed in Chapter 3, the SA7150 parses XML content, searches it for user-configured patterns and distributes XML traffic to various servers according to user-established rules embodied in XML patterns reflecting the user's business needs.
This scenario illustrates the steps in a hypothetical situation in which you:
•Expect to receive purchase orders from three companies
•Want to categorize these purchase orders according to the dollar amount of the order, the method of payment and the client's zip code
•Want to send these different categories to separate servers for processing
The illustration below shows the network diagram for Scenario 1. Though the illustration shows only three servers, the principles demonstrated here can be applied to up to 1000 servers.
[Figure: Network Diagram for Scenario 1. Elements shown: Router, hub/switch, HP e-Commerce/XML Server Accelerator SA7150, XML Server 1, XML Server 2, XML Server 3]
Note that Servers 1 and 3 use clear text maps, suitable when the anticipated XML traffic is known to be unencrypted. Server 2 uses a normal map (one specifying a Key ID) so that the SA7150 performs SSL decryption and encryption for its XML data.
Procedure for Scenario 1
1. Create Server 1:
HP SA7150> create server
Name: Server1
Server IP: 1.1.1.1
Cleartext (server) port [80]:
Server MAC Address: 00:a0:c9:fc:84:ab
HP SA7150>
2. Create Server 2:
HP SA7150> create server
Name: Server2
Server IP: 1.1.1.2
Cleartext (server) port [80]:
Server MAC Address: 00:a0:d9:fc:84:ab
HP SA7150>
3. Create Server 3:
HP SA7150> create server
Name: Server3
Server IP: 1.1.1.3
Cleartext (server) port [80]:
Server MAC Address: 00:a0:e9:fc:84:ab
HP SA7150>
4. Create map for Server 1:
HP SA7150> create map
Server IP [0.0.0.0]: 1.1.1.1
Network port [443]:
Cleartext (server) port [80]:
KeyID to use for mapping:
Cleartext map for XML only? [n]: y
HP SA7150>
5. Create map for Server 2:
HP SA7150> create map
Server IP [0.0.0.0]: 1.1.1.2
Network port [443]:
Cleartext (server) port [80]:
KeyID to use for mapping: 001
HP SA7150>
6. Create map for Server 3:
HP SA7150> create map
Server IP [0.0.0.0]: 1.1.1.3
Network port [443]:
Cleartext (server) port [80]:
KeyID to use for mapping:
Cleartext map for XML only? [n]: y
HP SA7150>
Verify creation of the maps with the list map command:
HP SA7150> list map
Map                        Net   Ser   Cipher      Re-     Client        well
ID   KeyID    Server IP   Port  Port  Suites      direct  Auth     XML  form
==   =====    =========   ====  ====  ==========  ======  ======   ===  ====
1    N/A      1.1.1.1     443   80    N/A         N/A     N/A      n    N/A
2    001      1.1.1.2     443   80    all(v2+v3)  n       n        n    N/A
3    N/A      1.1.1.3     443   80    N/A         N/A     N/A      n    N/A
7. Enable XML for each mapping with the set xml command:
HP SA7150> set xml 1 enable
HP SA7150> set xml 2 enable
HP SA7150> set xml 3 enable
8. Create XML patterns for Server 1:
HP SA7150> create pattern server1
URI Expression: */order.asp
XML Expression: //From[id = “Acme”]
Enter another pattern? [n]: y
URI Expression: */order.asp
XML Expression: //Amount[Value >= 10000]
Enter another pattern? [n]: y
URI Expression: */order.asp
XML Expression: default
Enter another pattern? [n]:
9. Create XML patterns for Server 2:
HP SA7150> create pattern server2
URI Expression: */order.asp
XML Expression: //From[id = “Widgets.com”]
Enter another pattern? [n]: y
URI Expression: */order.asp
XML Expression: //Amount[Value < 10000]
Enter another pattern? [n]: y
URI Expression: */order.asp
XML Expression: //Order[@type = "debit card"]
Enter another pattern? [n]:
10. Create XML patterns for Server 3:
HP SA7150> create pattern server3
URI Expression: */order.asp
XML Expression: //Amount[Value > 5000 and Value < 10000]
Enter another pattern? [n]: y
URI Expression: */order.asp
XML Expression: //Address[zipcode < 9000]
Enter another pattern? [n]: y
URI Expression: */order.asp
XML Expression: //Order[@type = "debit card"]
Enter another pattern? [n]:
The patterns entered in steps 8 through 10 are the XML patterns programmed into the SA7150 for each of the three servers in Scenario 1. Because the patterns are evaluated server by server in server index order, a pattern that also exists on a lower-numbered server (the debit card pattern on Server 3, for example) only takes effect for documents that no lower-numbered server matches.
The table below shows the SA7150's responses to incoming XML data with URI expression */order.asp.

Incoming XML Data                       SA7150 Response
company name is Acme                    Sends to Server 1
company name is Widgets.com             Sends to Server 2
company name is YourCo.com              Sends to Server 3
purchase amount is $13,280              Sends to Server 1
purchase amount is $7,280               Sends to Server 2 (though the value satisfies patterns for both Servers 2 and 3, patterns are applied in server index order, the order in which the servers were created, so Server 2 is the first with a matching pattern; see insert server in Chapter 5)
purchase amount is $713                 Sends to Server 2
order is paid for with a debit card     Sends to Server 2
customer's zip code is 92128            Sends to Server 3
customer's zip code is 27513            Sends to Server 1 due to the default setting
order is paid for with a credit card    Sends to Server 1 due to the default setting

SA7150 Responses to incoming XML traffic
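The model below is an added example, not code from the SA7150, that reproduces the routing decisions of Scenario 1 and the behaviour of the xml_well_formed check described in Chapter 5. It renders the scenario's XPath-style XML expressions as Python predicates over an ElementTree document and the URI expressions as shell-style wildcards (the manual says wildcards are allowed); the evaluation order is the one the manual states (servers in index order, first server with a matching pattern wins, the literal "default" pattern only when nothing else matched). The purchase-order document shape, the "/b2b/order.asp" URI and the handling of a POST that matches no pattern at all (None here) are assumptions, since the manual does not define them.

```python
"""Model of Scenario 1's XML pattern routing (added example, not SA7150 code)."""
import fnmatch
import xml.etree.ElementTree as ET

DEFAULT = "default"   # the manual's literal "default" XML expression


def _text(doc, path):
    el = doc.find(path)
    return None if el is None or el.text is None else el.text.strip()


def _amount(pred):
    """Numeric test on //Amount/Value that never matches when it is absent."""
    def check(doc):
        value = _text(doc, ".//Amount/Value")
        return value is not None and pred(float(value))
    return check


def _from(company):                       # //From[id = "company"]
    return lambda doc: _text(doc, ".//From/id") == company


def _paid_with(kind):                     # //Order[@type = "kind"]
    def check(doc):
        order = doc.find(".//Order")
        return order is not None and order.get("type") == kind
    return check


def _zip_below(limit):                    # //Address[zipcode < limit]
    def check(doc):
        value = _text(doc, ".//Address/zipcode")
        return value is not None and value.isdigit() and int(value) < limit
    return check


# (server name, patterns) in server index order, as entered in steps 8 to 10.
SERVERS = [
    ("Server1", [("*/order.asp", _from("Acme")),
                 ("*/order.asp", _amount(lambda v: v >= 10000)),
                 ("*/order.asp", DEFAULT)]),
    ("Server2", [("*/order.asp", _from("Widgets.com")),
                 ("*/order.asp", _amount(lambda v: v < 10000)),
                 ("*/order.asp", _paid_with("debit card"))]),
    ("Server3", [("*/order.asp", _amount(lambda v: 5000 < v < 10000)),
                 ("*/order.asp", _zip_below(9000)),
                 ("*/order.asp", _paid_with("debit card"))]),
]

NOT_WELL_FORMED = (403, "XML data is not well-formed")


def route(uri, body, servers=SERVERS, well_formed_check=True):
    """Return the server name the POST is sent to, or NOT_WELL_FORMED when the
    xml_well_formed check rejects it. With the check disabled, unparsable
    data goes to the server holding the default pattern, as the manual says."""
    try:
        doc = ET.fromstring(body)
    except ET.ParseError:
        if well_formed_check:
            return NOT_WELL_FORMED
        doc = None
    default_server = None
    for name, patterns in servers:           # server index order
        for uri_expr, xml_expr in patterns:
            if not fnmatch.fnmatchcase(uri, uri_expr):
                continue
            if xml_expr is DEFAULT:
                default_server = default_server or name
            elif doc is not None and xml_expr(doc):
                return name                  # lowest server index with a match wins
    return default_server


def purchase_order(company, amount=None, payment="credit card", zipcode="27513"):
    """Constructed sample purchase order (assumed shape, not a real B2B schema)."""
    amount_xml = f"<Amount><Value>{amount}</Value></Amount>" if amount is not None else ""
    return (f"<PurchaseOrder><From><id>{company}</id></From>"
            f'<Order type="{payment}"/>{amount_xml}'
            f"<Address><zipcode>{zipcode}</zipcode></Address></PurchaseOrder>")


if __name__ == "__main__":
    for label, body in [("Acme, $500", purchase_order("Acme", 500)),
                        ("Widgets.com, $13,280", purchase_order("Widgets.com", 13280)),
                        ("YourCo.com, $7,280", purchase_order("YourCo.com", 7280)),
                        ("malformed", "<PurchaseOrder><From>")]:
        print(f"{label}: {route('/b2b/order.asp', body)}")
```

The Widgets.com order for $13,280 is the case worth noticing: it goes to Server 1, not Server 2, because Server 1's amount pattern is evaluated before any of Server 2's patterns are considered.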
Scenario 2—Single Server Configuration
NOTE: This configuration is intended primarily for use with SSL-intensive operations; it is not optimal for XML environments.
This scenario describes a typical configuration of a SA7150 with one server, using either automapping or manual configuration/mapping. This scenario describes the fastest way to get up and running with a SA7150.
[Figure: Single SA7150, Single Server Installation. Elements shown: Router, HP e-Commerce/XML Server Accelerator SA7150, Single Server]
Procedure for Scenario 2
Automapping
NOTE: XML is disabled by default for each map. You must specifically enable a map to process XML requests. See the set xml command in Chapter 5.
1. Physically connect the SA7150 to the router and to one server.
2. Initiate HTTPS traffic to the server. The SA7150 monitors the traffic and uses the initial (default) mapping, with its associated default key and certificate, to decrypt HTTPS traffic and pass clear text HTTP traffic to the server. The default key and certificate get you running quickly; to present a certificate of your own to clients, acquire keys and certificates and map them manually as described under Manual Configuration.
Manual Configuration
1. Perform the installation as described in Chapter 2. Access the
SA7150 command prompt.
2. Acquire the appropriate keys and certificates following the
procedure in the “Keys and Certificates” section in Chapter 3.
3. Create a mapping for the server with the create map command (give the Key ID of a key you imported in step 2 in place of default if you want that key used for this server):
HP SA7150> create map
Server IP [0.0.0.0]: 1.1.1.30
Network port [443]:
Cleartext (server) port [80]:
KeyID to use for mapping: default
HP SA7150>
4. After you have manually created the mapping, you can delete the default mapping. In this case, delete MapID number 1. The SA7150 automatically renumbers MapIDs as they are created and deleted, so MapID number 2 becomes MapID number 1 when the default is deleted; run list maps after the deletion before passing a MapID to any further command.
HP SA7150> delete map 1
HP SA7150> list maps
Map                        Net   Ser   Cipher      Re-     Client        well
ID   KeyID    Server IP   Port  Port  Suites      direct  Auth     XML  form
==   =====    =========   ====  ====  ==========  ======  ======   ===  ====
1    default  1.1.1.30    443   80    all(v2+v3)  n       n        n    N/A
HP SA7150>
5. Save the configuration when the server has been mapped.
HP SA7150> config save
Saving configuration to flash...
Configuration saved to flash
HP SA7150>
Scenario 3—Multiple Server Configuration (SSL)
This scenario shows how to configure two or more servers.
[Figure: Single SA7150, Multiple Server Installation. Elements shown: Router, HP e-Commerce/XML Server Accelerator SA7150, Hub/switch, Server 1 (10.1.1.30), Server 2 (10.1.1.31)]
Procedure for Scenario 3
1. Perform the installation as described in Chapter 2. Access the SA7150 command prompt.
2. Acquire the appropriate keys and certificates following the procedure in the Keys and Certificates section in Chapter 3.
3. Create a mapping for Server 1 with the create map command.
HP SA7150> create map
Server IP [0.0.0.0]: 1.1.1.30
Network port [443]:
Cleartext (server) port [80]:
KeyID to use for mapping: default
HP SA7150>
4. Create a mapping for Server 2. As in the previous step, use the create map command to specify the parameters as prompted.
HP SA7150> create map
Server IP [0.0.0.0]: 1.1.1.31
Network port [443]:
Cleartext (server) port [80]:
KeyID to use for mapping: default
HP SA7150>
5. Use the list map command to view the mappings. (Multiple keys and certificates can also be imported and each mapped to an individual server. If you do this, at least one field in the certificate information, usually the common name, must be unique.)
HP SA7150> list map
Map                        Net   Ser   Cipher      Re-     Client        well
ID   KeyID    Server IP   Port  Port  Suites      direct  Auth     XML  form
==   =====    =========   ====  ====  ==========  ======  ======   ===  ====
1    default  Any         443   80    all(v2+v3)  n       n        n    N/A
2    default  1.1.1.30    443   80    all(v2+v3)  n       n        n    N/A
3    default  1.1.1.31    443   80    all(v2+v3)  n       n        n    N/A
HP SA7150>
6. After you have manually created a mapping, the default mapping can be deleted. In this case, delete MapID number 1. MapID number 2 becomes MapID number 1 when the default is deleted.
HP SA7150> delete map 1
HP SA7150> list map
Map                        Net   Ser   Cipher      Re-     Client        well
ID   KeyID    Server IP   Port  Port  Suites      direct  Auth     XML  form
==   =====    =========   ====  ====  ==========  ======  ======   ===  ====
1    default  1.1.1.30    443   80    all(v2+v3)  n       n        n    N/A
2    default  1.1.1.31    443   80    all(v2+v3)  n       n        n    N/A
HP SA7150>
To configure a third or fourth web server to operate with the SA7150, repeat the steps above, specifying a different IP address for each server.
7. Save the configuration when mapping is completed for the server(s).
HP SA7150> config save
Saving configuration to flash...
Configuration saved to flash
HP SA7150>
Scenario 4—Cascaded SA7150s
This scenario shows how to cascade SA7150s for additional performance and availability. The same procedures apply that were performed in Scenario 3. In addition, the complete configuration of the first SA7150 is exported to the second SA7150 in line.
Initial Configuration
•Two or more SA7150s must be physically installed on the same network. To cascade multiple SA7150s, connect from the server port of the first SA7150 to the network port of the next SA7150 in line, and then again connect from the server port to the network port of the next SA7150 in line, or to the server. (See Chapter 2: Installation and Initial Configuration, for more information.)
•The first SA7150 should be fully configured; any necessary keys, certificates, or maps must exist. The complete configuration is exported from the first, then imported to the next SA7150 in line. This procedure is repeated for any additional SA7150s in line. Because the exported file carries everything the next unit needs to take over the first unit's maps, keys and certificates included, store and transfer it with the same care as a private key and delete the copy on the management PC once the imports have succeeded.
[Figure: Multiple (Cascaded) SA7150s. Elements shown: Router, HP e-Commerce/XML Server Accelerator SA7150, HP e-Commerce/XML Server Accelerator SA7150, hub/switch, XML Server 1, XML Server 2, XML Server 3]
Procedure for Scenario 4
NOTE: The SA7150 restarts when spill is enabled. Depending on the size of the current configuration file, it can take from 30 seconds to seven minutes to return to operation.
1. Configure the SA7150 farthest from the server as described in any of the preceding scenarios. Remain connected to that specific SA7150 for the export configuration procedure.
2. At the command prompt, type the set spill enable command. This allows overflow traffic to be transferred to the second SA7150 for processing.
3. Save the configuration.
HP SA7150> config save
Saving configuration to flash...
Configuration saved to flash
HP SA7150>
4. Export the configuration. Use the export config command.
Choose xmodem mode (x) to export.
HP SA7150> export config
Export protocol : (xmodem, ascii) [ascii]: x
Beginning export...
5. Select Receive from the HyperTerminal* Transfer menu.
6. T ype or use the Browse button to specify the directo ry where you
wish to place the received file.
7. Select xmodem as the receiving protocol.
8. Click the Receive button.
9. Specify a filename for the received file and click OK. The
operation concludes and the normal prompt reappears.
Use Ctrl-X to kill transmission
Export successful!
HP SA7150>
10. Connect to the second SA7150, either through the console
connection or another window (if both are connected to the same
PC).
11. Import the configuration. Use the import config command to
begin the process. Select xmodem (x) and press Enter to begin
the import process.
HP SA7150> import config
Import protocol: (paste, xmodem) [paste]: x
Use Ctrl-X to cancel upload
12. Select Send from the HyperTerminal* Transfer menu.
13. Type or use the Browse button to specify the file to send.
14. Select xmodem as the sending protocol.
15. Click the Send button. The transfer completes and then you are
prompted to verify that you wish to install this configuration.
Do you want to install this config ? [y]: y
16. After verification (y) or refusal (n), the prompt reappears.
HP SA7150>
17. Save the configuration.
HP SA7150> config save
Saving configuration to flash...
Configuration saved to flash
HP SA7150>
18. Repeat steps 10 through 17 for any additional SA7150s. On the last SA7150 in the chain, disable spilling with the set spill disable command.
Scenario 5—Different Ingress and Egress Routers
This scenario describes the configuration of a SA7150 when the ingress and egress traffic paths are different. This scenario includes:
•One or more servers
•One or more cascaded SA7150s
•One or more ingress routers
•One egress router
[Figure: Installation with Ingress and Egress Routers. Elements shown: Client, Ingress Router, Egress Router, Switch, HP e-Commerce/XML Server Accelerator SA7150, Server]
Procedure for Scenario 5
NOTE: Execute "arp -a" (or the equivalent command for your OS) on the server to display the MAC address of the default gateway. This is the address you should use.
1. Configure your SA7150 (as described in any of the previous scenarios).
2. Determine the MAC address of the egress router you wish to route outbound traffic through.
3. At the CLI prompt, enter that MAC address as the default egress router and save the configuration.
HP SA7150> set egress_mac 00:11:22:33:44:55
Egress MAC set to 00:11:22:33:44:55
HP SA7150> config save
Saving configuration to flash...
Configuration saved to flash
HP SA7150>
4. To remove the egress router setting:
HP SA7150> set egress_mac none
Scenario 6—Configuring a Firewall
This scenario describes the recommended network configuration to allow a SA7150 to provide SSL services for a single server that also serves plain-text HTTP documents. Actual procedures for adjusting the firewall and server configurations vary widely depending upon the products used, so the steps outlined here are necessarily approximations and must be adjusted as required by the particulars of your environment. Please consult your server and firewall documentation for additional information.
[Figure: Single SA7150 configured with single server and firewall. Elements shown: HP e-Commerce/XML Server Accelerator SA7150, Firewall, Server]
Server Configuration
Servers providing both HTTP and HTTPS services typically have two instances of the Web Server process configured:
•One listening on the standard HTTP port of 80, providing unencrypted access to non-sensitive information, and
•Another listening on port 443, providing access to SSL encrypted sensitive information.

Port Number   Connection Type   Content Served
80            HTTP              Non-sensitive
443           HTTPS             Sensitive
For the SA7150 to provide SSL services, the web server process providing port 443 services requires two modifications.
•First, because the SA7150 performs all of the SSL processing, the web server process must be configured to expect only standard HTTP (unencrypted) connections, even for sensitive content.
•Second, the web server process must be configured to listen for these HTTP connections on a port other than the standard HTTPS port (443). In this scenario we configure the port 443 service to listen on port 81.

Port Number   Connection Type   Content Served
80            HTTP              Non-sensitive
81            HTTP              Sensitive
SA7150 Configuration
The SA7150 must be configured to intercept HTTPS connections on port 443 and forward them to the server. In the preceding section, we configured the server to provide access to sensitive data through port 81, so that should be the clear text port when creating a server assignment (or "map") on the SA7150. Perform the following steps to create the server assignment:
1. Perform the installation as described in Chapter 2 and access the command line prompt.
2. Acquire the appropriate keys and certificates following the procedure in the "Keys and Certificates" section in Chapter 3.
3. Create a mapping for the server. Use the create map command to specify the server IP address, ports, and Key ID.
HP SA7150> create map
Server IP [0.0.0.0]: 1.1.1.3
SSL (network) port [443]:
Cleartext (server) port [80]: 81
KeyID to use for mapping: serv1
NOTE: The device automatically adjusts the list of MapIDs as they are created and deleted, thus MapID 2 becomes MapID 1 when the default (the original MapID 1) is deleted.
NOTE: In this configuration, the firewall may occasionally report blocking outbound packets from the Server on port 81. This is normal, a side effect of the varying latencies characteristic of Internet traffic, and does not indicate a problem with the configuration.
4. Once a user-created server assignment exists, the default mapping can be deleted. In this example, delete MapID number 1, then confirm with list map that the new assignment is now MapID 1.
HP SA7150> delete map 1
HP SA7150> list map
Map                        Net   Ser   Cipher      Re-     Client        well
ID   KeyID    Server IP   Port  Port  Suites      direct  Auth     XML  form
==   =====    =========   ====  ====  ==========  ======  ======   ===  ====
1    default  1.1.1.3     443   81    all(v2+v3)  n       n        n    N/A
5. Save the configuration.
HP SA7150> config save
Saving configuration to flash...
Configuration saved to flash
HP SA7150>
Firewall Configuration
Absent a firewall, outside clients would be able to connect to any service on the web server and possibly gain access to sensitive data: on port 80 using HTTP to access non-sensitive data, on port 443 using HTTPS to access sensitive data, and on port 81 using HTTP to access that same sensitive data with no encryption at all. Allowing access to sensitive data over an unencrypted connection on port 81 is clearly not desirable, so a firewall should be configured to prevent it. The rules below apply to traffic from outside clients; the SA7150 itself must still be able to reach port 81 on the server, since that is where it forwards the decrypted requests.

Port         Access
80           Allowed
443          Allowed
All Others   Denied
Command Reference
Online Help
The HP e-Commerce/XML Server Accelerator SA7150 is fully configurable through the Command Line Interface (CLI). The CLI is accessible through both the console and aux console RS232 ports or remotely via Telnet and SSH. Telnet carries the logon password and every command you type across the network in clear text, so use SSH (or the console ports) for remote administration.
The SA7150 provides online help with the following options:
•Type help to display a summary of commands.
•Type help <command> (or ? <command>) for a description of a specific command or, if relevant, a list of subcommands you can enter from within <command>.
•Type help usage (or ? usage) to display all commands and their usage.
•Type tty_char to display a list of special terminal editing characters.
Command Line Interface
The CLI handles all user interactions on the console and auxiliary console RS232 ports. One instance per port runs at all times.
User Authentication
To gain access to the CLI, the user must first be authenticated by providing a password at the logon banner prompt. The logon banner provides build version information and the serial number.
Command Line Prompt
The standard command line prompt for the SA7150 is:
HP SA7150>
The prompt can be changed with the set prompt command.
Abbreviation to Uniqueness
It is not always necessary to type the entire command. CLI commands can be abbreviated to uniqueness. For example, "del" is sufficient to represent the delete command, while "s" alone could mean set, show or status and so is not enough.
Command Reference
Help Commands
Command          Description
help             Display the list of available commands.
help <command>   Display usage for a single command.
help usage       Display all commands and their usage.
tty_char         View the available list of keyboard shortcut commands.
Status Command
Command   Description
status    Display device statistics. Several modes are available, as described below. (Default: realtime.)
Syntax:
HP SA7150> status <line | realtime | alarms | <log>>
where:
<line> specifies a line-oriented display of statistics.
<realtime> specifies that statistics be displayed in realtime.
<alarms> shows current alarm events.
<log> shows statistics and alarm events in a specified log file.
XML Commands
Command         Description
create server   Specify an XML server. Prompts for a unique name, a unique IP address/port pair, and the correct MAC address to identify a server to fulfill XML requests.
NOTE: Server names are case insensitive.
Example:
HP SA7150> create server
Server Name: Standard
Server IP: 10.1.1.2
Cleartext (server) port [80]: 8080
Server MAC Address: 00:a0:c9:fc:84:ab
HP SA7150>
delete server   Delete the specified XML server name from the system.
NOTE: Use the show server command to identify existing servers.
Syntax:
HP SA7150> delete server <serverName>
Command         Description
insert server   XML servers exist in a numeric hierarchy reflecting the order in which they were created with the create server command. The system assigns a server index number to each server as it is created, incrementing the number with each new server. This order is relevant to XML operations: in cases in which a document matches XML patterns of two different servers, the message is sent to the server with the lower index number. This command allows you to alter the order within that hierarchy by assigning an index number to a server, so the position you insert a server at decides where documents that also match a pattern on another server are sent.
NOTE: Before using this command, execute the show server command to view the current hierarchy of server index numbers.
Syntax:
HP SA7150> insert server <ServerID>
Example:
HP SA7150> insert server 2
Name: Gold
Server IP: 10.1.1.6
Cleartext (server) port [80]: 8080
Server MAC Address: 22:33:44:55:66:77
show server     Display the list of XML servers along with server names, IDs, IP addresses, MAC addresses and ports.
Example:
HP SA7150> show server
Server ID   Server IP   Port   MAC Address         Server Name
1           10.1.1.2    80     00:a0:c9:fc:84:ab   Standard
2           10.1.1.4    80     01:a9:bw:cf:69:cd   Premier
Command          Description
create pattern   Create an XML pattern for a specified server. Patterns associated with a given server are uniquely identified by a system-generated numeric pattern ID. After you execute the command, you are prompted to enter the URI expression followed by the XML expression. After a pattern is created the system prompts you to enter another pattern.
Syntax:
HP SA7150> create pattern <serverName>
Example:
HP SA7150> create pattern Standard
URI Expression: */purchase.asp
XML Expression: //From[Id='acme']
Enter another pattern? [n]: n
URI Expression is the string identifying the target of the HTTP POST (wildcards can be used).
XML Expression is the string to which incoming XML data is compared. Documents containing strings matching a pattern are sent to the server associated with the matched pattern.
The SA7150 checks each expression for syntactical correctness as it is entered. If it detects an error during this check it presents a message similar to the one below. (Messages vary depending on the nature of the error.)
Improper use of '*' character in URI Expression
After both the URI and XML expressions have been entered, the SA7150 checks for "duplicate patterns," i.e., it verifies that the newly created pattern has not already been defined. If it detects a duplicate it displays the following message:
A pattern with this URI and XML expression already exists
Command          Description
delete pattern   Delete an XML pattern specified by server and pattern ID.
NOTE: Use the show pattern command to identify existing patterns.
Syntax:
HP SA7150> delete pattern <serverName> <patternID>
Example:
HP SA7150> delete pattern Standard 1
Command        Description
show pattern   Display the list of XML patterns for:
•all servers, or
•a specified server
When executed without the server name parameter, the command displays all patterns defined for all servers. When a server name is specified the command displays only the patterns defined for that server. Pattern IDs appear in the left column, the content of the pattern appears to the right. Note that in the "Pattern" column the URI expression and XML expression components are separated by the ampersand character (&) with a space on either side.
Example (single, specified server):
HP SA7150> show pattern Standard
Server: Standard
Pattern ID   Pattern
==========   =========
1            * & //gold
2            * & //order
Example (all servers):
HP SA7150> show pattern
Server: Standard
Pattern ID   Pattern
==========   =========
1            * & //std
Server: gold
Pattern ID   Pattern
==========   =========
1            * & //gold
2            * & //order [amount>1000]
Server: silver
Pattern ID   Pattern
==========   =========
1            * & //silver
Command   Description
set xml   Enables or disables processing based on the XML patterns defined for a specified map. Default: disabled.
NOTE: Setting the command to "enable" has no effect if no XML servers are defined.
NOTE: Enabling xml automatically enables xml_well_formed (see below) for the specified map, while disabling xml automatically disables xml_well_formed (assuming it has not previously been manually disabled).
Syntax:
HP SA7150> set xml <mapID> <enable | disable>
Where <mapID> is the index of the map whose defined XML patterns you wish to enable or disable.
Example:
HP SA7150> set xml 1 enable
Command               Description
set xml_well_formed   Enables or disables the SA7150's detection of malformed XML data coming in via HTTP POST.
xml_well_formed normally works in parallel with the xml command (see above): it is automatically enabled for a specified map when xml is enabled for that map, and automatically disabled for that map when xml is disabled. (Thus the only independent control options are to disable xml_well_formed while xml is enabled, and to re-enable it without having disabled xml.)
xml_well_formed functions as follows:
•If xml_well_formed is enabled, when malformed XML data is found in an incoming request the SA7150 terminates the connection and returns HTTP error 403 to the client with the message "XML data is not well-formed."
•If xml_well_formed is disabled, when malformed XML data is found in an incoming request the default server is used.
Leave the check enabled unless the default server is prepared to validate and reject malformed input itself: with the check disabled, data the SA7150 could not parse, and therefore could not match against any pattern, is still forwarded to that server.
Syntax:
HP SA7150> set xml_well_formed <mapID> <enable | disable>
Where <mapID> is the identifier of the map for which you wish to enable or disable the well-formedness check.
Example:
HP SA7150> set xml_well_formed 1 disable
Port Mapping Commands
These commands are used to execute the operations described in Chapter 3's Mapping and Blocking sections.
Command        Definition
create block   Create a block to preclude access from specified client IP addresses, to specified server IP addresses, or through specified ports. A single IP, a single port, or all ports can be blocked. If fewer than all ports are to be blocked, you must repeat the create block command for each one. In the IP masks, 255 in an octet requires that octet to match and 0 ignores it, so the default mask 0.0.0.0 matches every address; type 255.255.255.255 to block a single host.
Example:
HP SA7150> create block
Client IP to block [0.0.0.0]: 10.1.2.1
Client IP mask [0.0.0.0]: 255.255.0.0
Server IP to block [0.0.0.0]: 20.1.2.1
Server IP mask [0.0.0.0]: 255.255.0.0
Server Port to block: 80
Server Port mask [0xffff]:
HP SA7150>
delete block   Delete a block specified by index number. Use show block (see below) to correlate existing blocks with their numbers.
Example:
HP SA7150> delete block 1
show block     Display all existing blocks.
Example:
HP SA7150> show block
-----------
blocks :
-----------
(1) block 10.1.2.1 255.255.0.0 20.1.2.1 255.255.0.0 80 0xffff
-----------
Command         Definition
create permit   Create a configuration allowing a specified client access to specified servers and ports, and/or denying that client access to specified servers and ports. The IP masks work as for create block (255 in a mask octet means the octet must match, 0 means it is ignored).
Example:
HP SA7150> create permit
Client IP to permit [0.0.0.0]: 10.1.2.1
Client IP mask [0.0.0.0]: 255.255.0.0
Server IP to permit [0.0.0.0]: 20.1.2.1
Server IP mask [0.0.0.0]: 255.255.0.0
Server Port to permit: 443
Server Port mask [0xffff]:
HP SA7150>
delete permit   Delete a permit specified by index number. Use show permit (see below) to correlate existing permits with their numbers.
Example:
HP SA7150> delete permit 1
show permit     Display permits currently in force.
Example:
HP SA7150> show permit
-----------
permits :
-----------
(1) permit 10.1.2.1 255.255.0.0 20.1.2.1 255.255.0.0 443 0xffff
-----------
HP SA7150>
Command              Definition
create map           Create a mapping that associates a server IP, the SSL (network) port, the clear text (server) port and, for SSL maps, a Key ID. A clear text map, used for unencrypted XML processing, has no Key ID.
Example 1 (for SSL operation):
HP SA7150> create map
Server IP [0.0.0.0]: 1.1.1.1
Network port [443]: 443
Cleartext (server) port [80]: 8080
KeyID to use for mapping: 4
NOTE: The Key ID (SSL operations only, not applicable to clear text maps) used with a new mapping must exist prior to executing create map. Use create key to create a new Key ID. Also, a certificate must be associated with the Key ID prior to using the mapping. (See Chapter 3 for details.)
Example 2 (clear text map for unencrypted XML processing):
HP SA7150> create map
Server IP [0.0.0.0]: 1.1.1.1
Network port [443]:
Cleartext (server) port [80]:
KeyID to use for mapping:
Cleartext map for XML only? [n]: y
NOTE: Do not specify a KeyID when creating a clear text map.
delete map <mapID>   Delete a mapping.
NOTE: All MapIDs of a higher number than the one specified for deletion are decremented by one when this command is executed. When deleting several maps in one session, delete the highest-numbered map first, or re-run show map after each deletion, so that the IDs you pass to later commands that take a MapID (delete map, set xml, set xml_well_formed) still refer to the maps you intend.
Syntax:
HP SA7150> delete map <n>
where <n> is the Map ID of the mapping you wish to delete.
show map             Display all mappings. (Same as list maps.)