Chapter 2 Commands for the Catalyst 6500 Series SSL Services Module

service

In general, the configuration that you perform for an SSL-server-proxy service is also valid for an SSL-client-proxy service, except for the following:

You must configure a certificate for the SSL-server-proxy, but you do not have to configure a certificate for the SSL-client-proxy. If you do configure a certificate for the SSL-client-proxy, that certificate is sent in response to the certificate request message that the server sends during the client-authentication phase of the handshake protocol.

The SSL policy is attached to the virtual subcommand for the SSL-server-proxy service, whereas it is attached to the server subcommand for the SSL-client-proxy service.

Enter each proxy-service or proxy-client configuration submode command on its own line.

Table 2-8 lists the commands that are available in proxy-service or proxy-client configuration submode.

Table 2-8 Proxy-service Configuration Submode Command Descriptions

Syntax
    Description

authenticate verify {all | signature-only}
    Configures the method for certificate verification. You can specify the following:
    all—Verifies CRLs and signature authority.
    signature-only—Verifies the signature only; the revocation (CRL) status of the certificate is not checked.

certificate rsa general-purpose trustpoint trustpoint-name
    Configures the certificate with RSA general-purpose keys and associates a trustpoint with the certificate.

default {certificate | inservice | nat | server | virtual}
    Sets a command to its default settings.

description
    Allows you to enter a description for the proxy service.

exit
    Exits from proxy-service or proxy-client configuration submode.

help
    Provides a description of the interactive help system.

inservice
    Declares a proxy server or client as administratively up.

nat {server | client} {natpool-name}
    Specifies the usage of either server NAT or client NAT for the server-side connection that is opened by the SSL Services Module.

policy health-probe tcp policy-name
    Applies a TCP health probe policy to a proxy server.

policy http-header policy-name
    Applies an HTTP header insertion policy to a proxy server.

policy urlrewrite policy-name
    Applies a URL rewrite policy to a proxy server.

server ipaddr ip-addr protocol protocol port portno [sslv2]
    Defines the IP address of the target server for the proxy server. You can also specify the port number and the transport protocol. The target IP address can be a virtual IP address of an SLB device or a real IP address of a web server. The sslv2 keyword specifies the server that is used for handling SSL version 2 traffic. SSL version 2 is obsolete (its use is prohibited by RFC 6176) and has known protocol weaknesses, so configure an sslv2 server only where legacy clients still require it.

server policy tcp server-side-tcp-policy-name
    Applies a TCP policy to the server side of a proxy server.

trusted-ca ca-pool-name
    Applies a trusted certificate authority (CA) pool configuration to a proxy server.

virtual ipaddr ip-addr protocol protocol port portno [secondary]
    Defines the virtual IP address of the virtual server to which the STE is proxying. You can also specify the port number and the transport protocol. The only valid value for protocol is tcp; valid values for portno are from 1 to 65535. The optional secondary keyword prevents the STE from replying to ARP requests for the virtual IP address.
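The following configuration is added here as an illustration; it is not taken from the Cisco reference. It places a server proxy and a client proxy side by side to show the two differences described at the top of this section: only the server proxy carries a certificate, and the SSL policy hangs off the virtual subcommand for the server proxy but off the server subcommand for the client proxy. It assumes that the parent command ssl-proxy service name [client] enters the submode, that the SSL policy is attached with the subcommand form virtual policy ssl name / server policy ssl name, and that the policies web-sslpol, backend-sslpol and srv-tcp, the NAT pool web-natpool, the trustpoint tp-webkey and the CA pool corp-ca were defined earlier. All names and the addresses 10.10.10.0/24, 10.20.20.0/24 and 10.30.30.0/24 are made up.

```cisco
! Added example, not from the Cisco reference. Assumed: "ssl-proxy service NAME
! [client]" enters the submode; "virtual policy ssl" / "server policy ssl" is the
! subcommand form of "the SSL policy"; the named policies, NAT pool, trustpoint
! and CA pool already exist. Names and addresses are made up.

! ---- SSL server proxy: terminates client SSL on the VIP, forwards cleartext ----
ssl-proxy service web-ssl
 description Terminates HTTPS for www and forwards HTTP to the web farm
 ! Client-facing VIP. "secondary" is omitted, so the STE answers ARP for it.
 virtual ipaddr 10.10.10.100 protocol tcp port 443
 ! Server proxy: the SSL policy (versions, ciphers) attaches to "virtual"
 virtual policy ssl web-sslpol
 ! Decrypted traffic goes to an SLB virtual address or a real web server
 server ipaddr 10.20.20.10 protocol tcp port 80
 server policy tcp srv-tcp
 ! Required on a server proxy: the certificate presented to clients
 certificate rsa general-purpose trustpoint tp-webkey
 ! Client NAT on the server-side connection: the source address is taken
 ! from the pool, so the server's replies return through the module
 nat client web-natpool
 inservice

! ---- SSL client proxy: accepts cleartext, opens SSL to the back-end server ----
ssl-proxy service backend-tls client
 description Re-encrypts HTTP from the web farm toward the application tier
 ! Cleartext arrives here. No certificate is configured, so nothing is offered
 ! if the back end sends a certificate request during the handshake.
 virtual ipaddr 10.20.20.100 protocol tcp port 80
 ! Client proxy: the SSL policy attaches to "server", the SSL-facing side
 server ipaddr 10.30.30.10 protocol tcp port 443
 server policy ssl backend-sslpol
 ! Verify the back end's certificate against the trusted CA pool, including
 ! CRLs; "authenticate verify signature-only" would skip the revocation check
 trusted-ca corp-ca
 authenticate verify all
 inservice
```

Note that the sslv2 keyword on the server subcommand is deliberately absent from both services; a separate sslv2 server is only worth configuring where a legacy client population still needs SSL version 2.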

Catalyst 6500 Series Switch SSL Services Module Command Reference    OL-9105-01    2-53