Page 63
Chapter 2 Commands for the Catalyst 6500 Series SSL Services Module
policy http-header

Table 2-3 HTTP Header Insertion Configuration Submode Command Descriptions (continued)

| Syntax | Description |
| --- | --- |
| client-ip-port | Inserts the client IP address and information about the client port into the HTTP header, allowing the server to see the client IP address and port. |
| custom custom-string | Inserts the custom-string header into the HTTP header. |
| prefix | Adds the prefix-string to the HTTP header to enable the server to identify the connections that come from the SSL module, not from other appliances. |
| session | Passes information that is specific to an SSL connection to the back-end server as session headers. |
Examples

This example shows how to enter the HTTP header insertion configuration submode:
ssl-proxy(config)# ssl-proxy context s1
ssl-proxy(config-context)# policy http-header test1
ssl-proxy(config-ctx-http-header-policy)#
This example shows how to allow the back-end server to see the attributes of the client certificate that the SSL module has authenticated and approved:
ssl-proxy(config-ctx-http-header-policy)# client-cert
ssl-proxy(config-ctx-http-header-policy)#
This example shows how to insert the client IP address and information about the client port into the HTTP header, allowing the server to see the client IP address and port:
ssl-proxy(config-ctx-http-header-policy)# client-ip-port
ssl-proxy(config-ctx-http-header-policy)#
This example shows how to insert the custom-string header into the HTTP header:
ssl-proxy(config-ctx-http-header-policy)# custom "SOFTWARE VERSION:3.1(1)"
ssl-proxy(config-ctx-http-header-policy)# custom "module:SSL MODULE - CATALYST 6500"
ssl-proxy(config-ctx-http-header-policy)# custom type-of-proxy:server_proxy_1024_bit_key_size
ssl-proxy(config-ctx-http-header-policy)#
This example shows how to add the prefix-string into the HTTP header:
ssl-proxy(config-ctx-http-header-policy)# prefix SSL-OFFLOAD
ssl-proxy(config-ctx-http-header-policy)#
This example shows how to pass information that is specific to an SSL connection to the back-end server as session headers:
ssl-proxy(config-ctx-http-header-policy)# session
ssl-proxy(config-ctx-http-header-policy)#
This example shows how to create a header alias for the standard “session-cipher-name” header:
ssl-proxy(config-ctx-http-header-policy)# alias My-Session-Cipher session-cipher-name
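The inserted headers are only useful if the back-end server accepts them from the SSL module alone. The following is an added example (not part of the Cisco command reference) of a back-end check for the client-ip-port headers with the SSL-OFFLOAD prefix. The module address, the "-" joiner after the prefix, and the header names Client-IP and Client-Port are assumptions of this sketch.

```python
import ipaddress

# Assumptions of this sketch (not taken from the command reference):
SSL_MODULE_ADDRS = {ipaddress.ip_address("10.1.0.5")}  # constructed module address
PREFIX = "ssl-offload-"            # `prefix SSL-OFFLOAD`, lower-cased; "-" joiner assumed
IP_HDR = PREFIX + "client-ip"      # assumed name written by client-ip-port
PORT_HDR = PREFIX + "client-port"  # assumed name written by client-ip-port


def client_endpoint(peer_ip, headers):
    """Return (ip, port, source) to use for logging and access control.

    peer_ip is the TCP peer of the back-end socket; headers is the list of
    (name, value) pairs exactly as received. Raises ValueError when the
    inserted headers cannot be trusted or are malformed.
    """
    peer = ipaddress.ip_address(peer_ip)
    prefixed = [(n.lower(), v.strip()) for n, v in headers
                if n.lower().startswith(PREFIX)]

    if peer not in SSL_MODULE_ADDRS:
        # Only the SSL module may supply prefixed headers; anything else
        # carrying them is forged or misrouted.
        if prefixed:
            raise ValueError("prefixed headers from a peer that is not the SSL module")
        return (str(peer), None, "socket")

    # Exactly one copy of each header: a second copy means the client sent
    # its own and it was forwarded alongside the module's.
    names = [n for n, _ in prefixed]
    if names.count(IP_HDR) != 1 or names.count(PORT_HDR) != 1:
        raise ValueError("missing or duplicated client-ip/port header")

    values = dict(prefixed)
    ip = ipaddress.ip_address(values[IP_HDR])  # ValueError on a non-address
    port = int(values[PORT_HDR])               # ValueError on a non-number
    if not 0 < port < 65536:
        raise ValueError("client port out of range")
    return (str(ip), port, "ssl-module")
```
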
Catalyst 6500 Series Switch SSL Services Module Command Reference
Text Part Number OL-9105-01