Cisco Systems 6500 manual SSL-Policy Configuration Submode Command Descriptions

Page 66

Chapter 2 Commands for the Catalyst 6500 Series SSL Services Module

policy ssl

Release

Modification

SSL Services Module

This command was changed to add the following subcommands:

Release 2.1(5)

cert-req empty

 

 

tls-rollback [current any]

 

 

SSL Services Module

The policy ssl command (entered in context subcommand mode) replaces

Release 3.1(1)

the ssl-proxy policy ssl command (entered in global subcommand mode).

 

This command was changed to add the following submode commands:

 

cipher rsa-exp-with-des40-cbc-sha

 

cipher rsa-exp-with-rc4-40-md5

 

cipher rsa-exp1024-with-des-cbc-sha

 

cipher rsa-exp1024-with-rc4-56-md5

 

cipher rsa-exp1024-with-rc4-56-sha

 

cipher rsa-with-null-md5

 

renegotiation volume

 

renegotiation interval

 

renegotiation wait-time

 

renegotiation optional

 

 

 

Usage Guidelines Each SSL-policy configuration submode command is entered on its own line.

Table 2-4lists the commands available in SSL-policy configuration submode.

Table 2-4 SSL-Policy Configuration Submode Command Descriptions

 

Syntax

Description

 

 

 

 

 

 

cert-req empty

Allows you to specify that the SSL Services Module backend service always

 

 

 

 

returns the certificate associated with the trustpoint and does not look for a

 

 

 

 

CA-name match.

 

 

 

 

 

cipher-suite {all all-export all-strong

Allows you to configure a list of cipher-suites acceptable to the proxy-server.

 

rsa-exp-with-des40-cbc-sha

 

 

 

 

rsa-exp-with-rc4-40-md5

 

 

 

 

rsa-exp1024-with-des-cbc-sha

 

 

 

 

rsa-exp1024-with-rc4-56-md5

 

 

 

 

rsa-exp1024-with-rc4-56-sha

 

 

 

 

rsa-with-3des-ede-cbc-sha

 

 

 

 

rsa-with-des-cbc-sha rsa-with-null-md5

 

 

 

 

rsa-with-rc4-128-md5

 

 

 

 

rsa-with-rc4-128-sha}

 

 

 

 

 

 

 

 

[no] close-protocol {strict none}

Allows you to configure the SSL close-protocol behavior. Use the no form

 

 

 

 

of this command to disable close protocol.

 

 

 

 

 

default {cipher close-protocol

Sets a command to its default settings.

 

session-cache version}

 

 

 

 

 

 

 

 

exit

Exits from SSL-policy configuration submode.

 

 

 

 

 

 

 

 

 

Catalyst 6500 Series Switch SSL Services Module Command Reference

 

 

 

 

2-40

 

 

OL-9105-01

 

 

 

 

 

Image 66
Contents Corporate Headquarters Text Part Number OL-9105-01Page N T E N T S IiiNatpool Acronyms A-1 OL-9105-01 Related Documentation AudienceOrganization Chapter Title DescriptionBoldface font ConventionsConvention Description Example, interface interface typeObtaining Documentation Cisco.comDocumentation Feedback Cisco Product Security OverviewReporting Security Problems in Cisco Products Obtaining Technical AssistanceSubmitting a Service Request XiiObtaining Additional Publications and Information XiiiXiv Getting Help This chapter includes the following sectionsHow to Find Command Options Command Comment After you enter the mode keyword Must enter next on the command lineMode keyword Complete the command. If additionalConfigure terminal privileged Exec Understanding Command ModesCommand Mode Access Method Prompt Exit Method Configure terminalImage using the boot system flash filename Using the No and Default Forms of CommandsInterface command With an interfaceUsing the CLI String Search Character Special MeaningAbcdABCD \$ \ \+Aeiou DA-DBa?b Telebit 3107 v32bisCharacter This string matches any number of asterisksAbcd Za-z0-9+Codex telebit $\.121300$ 1300space space1300 1300, ,1300, 1300 ,1300 For example1300 WithOL-9105-01 A P T E R Clear ssl-proxy conn DefaultsCommand Modes Command History Release ModificationClear ssl-proxy content Defaults Command Modes Command HistoryClear ssl-proxy session Usage GuidelinesClear ssl-proxy stats Ssl-proxy#clear ssl-proxy stats Des Crypto pki export pemTerminal 3desRelated Commands Crypto pki import pemExportable Defaults Command HistoryCrypto pki import pem Usage-keysCrypto pki export pem Crypto pki export pkcs12 This example shows how to export a PKCS12 file using SCP Crypto pki import pkcs12 This example shows how to import a PKCS12 file using SCP Filename TP2? /users/admin-1/pkcs12/TP2.p12Crypto Passphrase passphrase Crypto key decrypt rsaName key-name Crypto key encrypt rsaCrypto key encrypt rsa Crypto key decrypt rsaCrypto key lock rsa Crypto key export rsa pem Keylabel Name of the keyOptional Specifies that the key can be exported Key nametest-keys UsageGeneral Purpose Key Null-Imports from the null file system Crypto key import rsa pemInstead of one general-purpose key pair System-Imports from the system file systemPEM-formatted RSA key to the SSL Services Module Name key-name Optional Name of the key Crypto key lock rsaCrypto key lock rsa name key-namepassphrase passphrase Passphrase passphraseCrypto key unlock rsa Crypto key unlock rsa name key-namepassphrase passphraseDebug ssl-proxy Command History Release Modification This example shows how to turn on App debugging Do command Command EXEC-level command to be executedConfiguration mode Syntax Description Defaults Command Modes Command History Interface ssl-proxySyntax Description Standby timers Standby authenticationStandby delay minimum reload Standby ipSsl-proxy config# interface ssl-proxy Ssl-proxyconfig-subif#ip address 208.59.100.18Natpool Context subcommand modeThis example shows how to define a pool of IP addresses Natpool nat-pool-name startipaddr endipaddr netmask netmaskInterval seconds Syntax Description Defaults Command ModesPolicy health-probe tcp Failed-interval secondsSsl-proxyconfig-context#policy health-probe tcp probe1 Open-timeout secondsSsl-proxyconfig#ssl-proxy context ssl Running on server IP addressPage Alias Policy http-headerClient-cert pem Policy that is applied to the payloadField To Insert Description Client-cert pem Inserts the custom-stringheader into the Http header Client-ip-portCustom custom-string PrefixRelated Commands show ssl-proxy policy SSL-OFFLOAD-SOFTWARE VERSION3.11Timeout session timeout absolute Close-protocol is disabledSession-caching is enabled Policy sslSSL-Policy Configuration Submode Command Descriptions Help Renegotiation volume sizeTimeout handshake timeout Renegotiation interval timeOL-9105-01 This example shows how to enable a session cache This example shows how to disable a session cacheOL-9105-01 Policy tcp No timeout fin-wait timeout-in-seconds Delayed-ack-threshold delayDelayed-ack-timeout timer No timeout inactivity timeout-in-secondsNo tos carryover No timeout reassembly timeForm of this command to return to the default setting Server to client connection, the server connection must beSsl-proxy config-ctx-tcp-policy# mss Policy url-rewrite Ssl-proxyconfig-context#ssl-proxy policy url-rewrite test1 RedirectonlyPool ca Pool ca ca-pool-nameCa-pool-name Certificate authority pool name Service Inservice Authenticate verify all signature-onlyDefault certificate inservice nat server Certificate rsa general-purpose trustpointVirtual policy ssl ssl-policy-name Virtual policy tcpVlan vlan Related Commands show ssl-proxy service Service client Policy health-probe tcp Policy http-headerVirtual policy tcp Nat server client natpool-nameVirtual policy ssl ssl-policy-name Vlan vlanSsl-proxy config-ctx-ssl-proxy# server policy tcp tcppl1 Policy tcp Show interfaces ssl-proxyShow interfaces ssl-proxy 0.subinterface Show ionterfacesShow ssl-proxy buffers This command has no default settingsShow ssl-proxy buffers Ssl-proxy#show ssl-proxy buffersSpecific proxy service Show ssl-proxy certificate-history service nameService name Show ssl-proxy certificate-historySsl-proxy# show ssl-proxy certificate-history Record 1, Timestamp000051, 163634 UTC Oct 31Related Commands service Local Show ssl-proxy conn4tuple RemoteContext name Module module Ssl-proxy#show ssl-proxy conn200.200.1438814 58796 Show ssl-proxy context name Context DefaultShow ssl-proxy context Name Optional Name of the contextBrief Show ssl-proxy crash-infoShow ssl-proxy crash-info brief details DetailsStack top Printing 1024 bytes from stack top Ssl-proxy#show ssl-proxy crash-info briefShow ssl-proxy mac address Show ssl-proxy mac addressSsl-proxy#show ssl-proxy mac address Context name Show ssl-proxy natpoolShow ssl-proxy natpool namecontext name NatpoolHttp-header Show ssl-proxy policyHealth-probe tcp Url-rewriteSsl-proxy#show ssl-proxy policy ssl ssl-policy1 Ssl-proxy#show ssl-proxy policy tcp tcp-policy1Ssl-proxy#show ssl-proxy policy health-probe tcp tcp-health Ssl-proxy#show ssl-proxy service Show ssl-proxy serviceShow ssl-proxy service namecontext name Ssl-proxy#show ssl-proxy service S6Service client Content Show ssl-proxy statsShow ssl-proxy stats type Stats This example shows how to display the TCP statistics This example shows how to display the PKI statisticsThis example shows how to display context statistics Ssl-proxy#show ssl-proxy stats context Context name DefaultSsl-proxy# show ssl-proxy stats hdr This example shows how to display content statistics Ssl-proxy#show ssl-proxy stats contentShow ssl-proxy status Show ssl-proxy status fdu ssl tcpShow ssl-proxy status TCP cpu is alive Show ssl-proxy version Show ssl-proxy versionSsl-proxy#show ssl-proxy version Debug Show ssl-proxy vlanShow ssl-proxy vlan vlan-iddebugmodule module Optional Displays debug informationSnmp-server enable Defaults Command Modes Command History ExamplesSsl-proxy context name No ssl-proxy context name Command Purpose and Guidelines DefaultsSsl-proxy context Description descriptionPolicy url-rewrite policy-name Policy ssl policy-namePolicy tcp policy-name Pool ca nameSsl-proxy crypto selftest Seconds Global configurationThis example shows how to start a cryptographic self-test Time-intervalSsl-proxy config# ssl-proxy mac address 00e0.b0ff.f232 This example shows how to configure a MAC addressRelated Commands show ssl-proxy mac address Ssl-proxy mac addressSsl-proxy pki This example shows how to specify the cache size This example shows how to enable PKI event-historyRelated Commands show ssl-proxy stats Ssl-proxy crypto key unlock rsa Key-name Name of the key Passphrase Pass phraseSsl-proxy ip-frag-ttl Time is 6 seconds Global configurationSsl-proxyconfig#ssl-proxy ip-frag-ttl Ssl-proxy ip-frag-ttl timeSsl-proxy ssl ratelimit Ssl-proxy config# ssl-proxy ssl ratelimitSsl-proxy config# no ssl-proxy ssl ratelimit Ssl-proxy ssl ratelimit No ssl-proxy ssl ratelimitStandby authentication Group-number is String is ciscoStandby delay minimum reload Min-delay is 1 second Reload-delay is 5 secondsShow standby delay Ssl-proxyconfig#interface ssl-proxySsl-proxyconfig-subif#standby delay minimum 30 reload Secondary Defaults Command Modes Command History Usage GuidelinesStandby ip Group-number isUsed by the hot standby group is learned using Hsrp 100No standby group-numbermac-address Standby mac-addressStandby group-numbermac-addressmac-address Mac-address MAC addressShow standby Ssl-proxyconfig-subif#standby 1 mac-addressThat is used in the end nodes 102Standby mac-refresh Standby mac-refresh seconds no standby mac-refresh103 Standby name group-name No standby name group-name Hsrp is disabledStandby name Group-name Name of the standby groupStandby preempt 105Clients Operation returns to the default behaviorLeaves any synchronization delay if it was configured To become the active routerNo standby group-numberpriority priority Standby priorityStandby group-numberpriority priority Group-number is Priority isThis example shows how to change the router priority 108Standby redirects 109Show standby redirect Related Commands show standbySsl-proxyconfig-subif#standby redirects timers 90 110Optional Specifies the interval in milliseconds Standby timersMsec 111112 Or comes back up Standby trackDecrement priority 113Related Commands standby preempt Router a ConfigurationRouter B Configuration 114Scope interface Standby use-biaStandby use-bia scope interface no standby use-bia On which it was entered, instead of the major interfaceStandby version 1 This example shows how to configure Hsrp versionStandby version Specifies Hsrp versionAcronym Expansion CDP CbacCCA CEFDscp DramDsap DspuIDB ICDIcmp IDPMdss MD5Mdix MFDOspf OSIOSM PAERommon RmonROM RPCSVI STPSVC TACACS+XNS Weighted round-robinWRR Xerox Network SystemOL-9105-01 Acknowledgments for Open-Source Software OL-9105-01 $ character # character privileged Exec mode promptAsterisk + plus sign Period ? command Caret IN-1IN-2 IN-3 IN-4 TCP IN-5Configuration submode User Exec mode, summary IN-6
Related manuals
Manual 20 pages 62.17 Kb Manual 112 pages 18.84 Kb Manual 262 pages 31.67 Kb