Page 69
Chapter 2 Commands for the Catalyst 6500 Series SSL Services Module
policy ssl
When you enter the tls-rollback current command, the SSL protocol version can be either the maximum supported version or the negotiated version.
When you enter the tls-rollback any command, the SSL protocol version is not checked at all.
Examples
This example shows how to enter the SSL-policy configuration submode:
ssl-proxy(config)# ssl-proxy context s1
ssl-proxy(config-context)# policy ssl sslpl1
ssl-proxy(config-ctx-ssl-policy)#
This example shows how to define the cipher suites that are supported for the SSL policy:
ssl-proxy(config-ctx-ssl-policy)# cipher RSA_WITH_3DES_EDE_CBC_SHA
ssl-proxy(config-ctx-ssl-policy)#
This example shows how to enable the SSL-session closing protocol and configure the strict closing protocol behavior:
ssl-proxy(config-ctx-ssl-policy)# close-protocol strict
ssl-proxy(config-ctx-ssl-policy)#
This example shows how to disable the SSL-session closing protocol:
ssl-proxy(config-ctx-ssl-policy)# no close-protocol
ssl-proxy(config-ctx-ssl-policy)#
These examples show how to set a given command to its default setting:
ssl-proxy(config-ctx-ssl-policy)# default cipher
ssl-proxy(config-ctx-ssl-policy)# default close-protocol
ssl-proxy(config-ctx-ssl-policy)# default session-cache
ssl-proxy(config-ctx-ssl-policy)# default version
ssl-proxy(config-ctx-ssl-policy)#
This example shows how to enable a session cache:
ssl-proxy(config-ctx-ssl-policy)# session-cache
ssl-proxy(config-ctx-ssl-policy)#
This example shows how to disable a session cache:
ssl-proxy(config-ctx-ssl-policy)# no session-cache
ssl-proxy(config-ctx-ssl-policy)#
This example shows how to set the maximum number of session entries to be allocated for a given service:
ssl-proxy(config-ctx-ssl-policy)# session-cache size 22000
ssl-proxy(config-ctx-ssl-policy)#
This example shows how to configure the session timeout as absolute:
ssl-proxy(config-ctx-ssl-policy)# timeout session 30000 absolute
ssl-proxy(config-ctx-ssl-policy)#
These examples show how to enable support for the different SSL versions:
ssl-proxy(config-ctx-ssl-policy)# version all
ssl-proxy(config-ctx-ssl-policy)# version ssl3
ssl-proxy(config-ctx-ssl-policy)# version tls1
ssl-proxy(config-ctx-ssl-policy)#
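The following Python is an added illustration, not code from the SSL Services Module, of the version check that the tls-rollback modes described above relax. It assumes that check is the RFC 2246 rule that the first two bytes of the RSA premaster secret carry the client's highest offered version; the policy names current and any are from this page, while strict is a hypothetical label for the behavior with no tls-rollback keyword.

```python
"""Premaster-secret version check behind the tls-rollback policy modes.

Assumption (not stated on the page): the check compares the client_version
embedded in the 48-byte RSA premaster secret (RFC 2246) against what the
server saw in the ClientHello. 'strict' is a hypothetical name for the
keyword-less default; 'current' and 'any' follow the page's description.
"""
import os

SSL3 = (3, 0)  # SSL 3.0 wire version
TLS1 = (3, 1)  # TLS 1.0 wire version


def make_premaster(client_version):
    """Build a 48-byte premaster secret: 2-byte version + 46 random bytes."""
    major, minor = client_version
    return bytes([major, minor]) + os.urandom(46)


def rollback_check(premaster, offered, negotiated, policy="strict"):
    """Return True if the version inside the premaster secret is acceptable.

    offered    - highest version the server saw in the ClientHello
    negotiated - version the server chose for the session
    policy     - 'strict', 'current' or 'any'
    """
    if len(premaster) != 48:
        return False                            # malformed, reject outright
    found = (premaster[0], premaster[1])
    if policy == "any":
        return True                             # version not checked at all
    if policy == "current":
        return found in (offered, negotiated)   # tolerate clients that embed the negotiated version
    if policy == "strict":
        return found == offered
    raise ValueError("unknown tls-rollback policy: %s" % policy)


def downgrade_detected(policy):
    """Constructed scenario: the ClientHello the server saw offered only SSL 3.0,
    but the client embedded TLS 1.0 in the premaster. True if the policy rejects it."""
    premaster = make_premaster(TLS1)
    return not rollback_check(premaster, offered=SSL3, negotiated=SSL3, policy=policy)


def buggy_client_accepted(policy):
    """Constructed scenario: client offered TLS 1.0, server negotiated SSL 3.0,
    and the client wrote the negotiated version into the premaster."""
    premaster = make_premaster(SSL3)
    return rollback_check(premaster, offered=TLS1, negotiated=SSL3, policy=policy)
```

The two scenarios show the trade-off: current keeps rollback detection while accepting the buggy-client case, whereas any accepts both.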
Catalyst 6500 Series Switch SSL Services Module Command Reference
Text Part Number OL-9105-01