3-67
Catalyst 6500 Series Switch Content Switching Module with SSL Command Reference
OL-7029-01
Chapter 3 Commands Specific to the Content Switching Module with SSL
ssl-proxy service
In most cases, all of the SSL-server-proxy configurations that are performed are also valid for the SSL-client-proxy configuration, except for the following:
- You must configure a certificate for the SSL-server-proxy, but you do not have to configure a certificate for the SSL-client-proxy. If you configure a certificate for the SSL-client-proxy, that certificate is sent in response to the certificate request message that is sent by the server during the client-authentication phase of the handshake protocol.
- The SSL policy is attached to the virtual subcommand for the SSL-server-proxy, whereas it is attached to the server subcommand for the SSL-client-proxy.
Enter each proxy-service or proxy-client configuration submode command on its own line.
Table 3-8 lists the commands that are available in proxy-service or proxy-client configuration submode.

Table 3-8 Proxy-service Configuration Submode Command Descriptions
Syntax
    Description

authenticate verify {all | signature-only}
    Configures the method for certificate verification. You can specify the following:
    all—Verifies CRLs and signature authority.
    signature-only—Verifies the signature only.

certificate rsa general-purpose trustpoint trustpoint-name
    Configures the certificate with RSA general-purpose keys and associates a trustpoint to the certificate.

default {certificate | inservice | nat | server | virtual}
    Sets a command to its default settings.

exit
    Exits from proxy-service or proxy-client configuration submode.

help
    Provides a description of the interactive help system.

inservice
    Declares a proxy server or client as administratively up.

nat {server | client natpool-name}
    Specifies the usage of either server NAT or client NAT for the server-side connection that is opened by the Content Switching Module with SSL.

policy urlrewrite policy-name
    Applies a URL rewrite policy to a proxy server.

server ipaddr ip-addr protocol protocol port portno [sslv2]
    Defines the IP address of the target server for the proxy server. You can also specify the port number and the transport protocol. The target IP address can be a virtual IP address of an SLB device or a real IP address of a web server. The sslv2 keyword specifies the server that is used for handling SSL version 2 traffic.

server policy tcp server-side-tcp-policy-name
    Applies a TCP policy to the server side of a proxy server. You can specify the port number and the transport protocol.

trusted-ca ca-pool-name
    Applies a trusted certificate authority configuration to a proxy server.

virtual {ipaddr ip-addr} {protocol protocol} {port portno} secondary
    Defines the virtual IP address of the virtual server to which the STE is proxying. You can also specify the port number and the transport protocol. The valid value for protocol is tcp; valid values for portno are from 1 to 65535. The secondary keyword (required) prevents the STE from replying to the ARP request coming to the virtual IP address.

virtual {policy ssl ssl-policy-name}
    Applies an SSL policy to the client side of a proxy server.

virtual {policy tcp client-side-tcp-policy-name}
    Applies a TCP policy to the client side of a proxy server.
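
An added example (not from the Cisco reference): a small Python check that reads proxy-service stanzas from a saved configuration and flags settings that Table 3-8 describes as weaker or incomplete. The stanza header form "ssl-proxy service <name> [client]", the service names, the trustpoint name and the addresses in the sample are assumptions made for this illustration.

```python
import re

# Constructed sample configuration (not from the page); names and addresses are made up.
SAMPLE = """\
ssl-proxy service web-front
 virtual ipaddr 192.0.2.10 protocol tcp port 443 secondary
 server ipaddr 198.51.100.20 protocol tcp port 80
 certificate rsa general-purpose trustpoint tp-web
 authenticate verify all
 inservice
ssl-proxy service legacy
 virtual ipaddr 192.0.2.11 protocol tcp port 443
 server ipaddr 198.51.100.21 protocol tcp port 80 sslv2
 authenticate verify signature-only
ssl-proxy service backend client
 virtual ipaddr 192.0.2.12 protocol tcp port 80 secondary
 server ipaddr 198.51.100.22 protocol tcp port 443
 inservice
"""

def parse_services(text):
    """Group indented subcommands under each assumed 'ssl-proxy service <name> [client]' header."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"ssl-proxy service (\S+)(\s+client)?$", line)
        if m:
            current = {"client": bool(m.group(2)), "lines": []}
            services[m.group(1)] = current
        elif current is not None and raw[:1].isspace() and line:
            current["lines"].append(line)
        else:
            current = None  # blank or unindented line: the stanza has ended
    return services

def audit(text):
    """Return {service name: [findings]} using the Table 3-8 descriptions as the rule set."""
    report = {}
    for name, svc in parse_services(text).items():
        lines = svc["lines"]
        checks = [
            (not svc["client"] and not any(l.startswith("certificate rsa") for l in lines), "server proxy has no certificate"),
            ("authenticate verify signature-only" in lines, "CRLs are not checked (signature-only)"),
            (any(l.startswith("server ipaddr") and l.split()[-1] == "sslv2" for l in lines), "server handles SSL version 2 traffic"),
            (any(l.startswith("virtual ipaddr") and l.split()[-1] != "secondary" for l in lines), "virtual lacks the required secondary keyword"),
            ("inservice" not in lines, "proxy is not administratively up (no inservice)"),
        ]
        report[name] = [msg for hit, msg in checks if hit]
    return report
```

Calling audit(SAMPLE) returns no findings for web-front and backend and all five findings for legacy.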