Manuals / Intel / TV and Video / TV Mount

Intel A31032-001 manual SSL Processing, Mapping, Automapping

Models: A31032-001

1 196

Download 196 pages 18.6 Kb

Page 43

C H A P T E R 3

SSL Processing

NOTE: The 7110 supports a maximum of 100 mappings, while the 7115 supports up to 1000.

NOTE: Remember to save the configuration (with the config save command) after making mapping changes.

SSL Processing

The Intel® NetStructure™ 7110/7115 e-Commerce Accelerator handles several SSL protocols, for example, HTTPS (which is the default). For security purposes, you can block access to specified IPs or ports (see “Blocking” section). Traffic that is not mapped or blocked flows through transparently (see “Failure” section). Supported protocols are listed below. (Ports listed are “well-known” port assignments. Any available port may be used.)

•HTTPS 443 (default)

•IMAPS 993

•POP3S 995

•SMTPS 465

•NNTPS 563

•LDAPS 636

Mapping

Keypairs and their associated certificates are referenced by a keyID. A server is identified by a unique combination of server IP and network port. Mapping is the process of associating a keyID with a server (using server IP, network port, and server port). The 7110/

7115 supports two types of mapping:

•Automapping

•Manual mapping

Automapping

Automapped entries are identified by a server IP address of zero (0.0.0.0). When a server IP address of zero is specified, the 7110/ 7115 intercepts packets to any server IP address with the matching network ports. As with any mapping entry, the combination of server IP address and network port must be unique.

The initial configuration for the 7110/7115 provides an automapping entry for network port 443 and server port 80. This is associated with the internally generated default keypair and certificate with the keyID

3-21

Image 43

Intel A31032-001 manual SSL Processing, Mapping, Automapping

Contents

Version Intel NetStructure 7110/7115 e-Commerce Accelerator Trademarks Copyright Table of Contents Theory of Operation Scenarios Remote Management Alarms and Monitoring Troubleshooting Appendix a Front Panel List of Figures Xii About this User Guide Introduction Remote Management New in This Release Before You Begin Who Should Use this Book How to Use this Book Glossary defines terms appearing in this User Guide Page Installation and Initial Configuration Rack Installation Installing the 7110/7115 Free- Standing or in a Rack Network Connections Free-Standing Installation Inline LED Admin Terminal ConnectionStatus Check Network and Server LEDs HyperTerminal§ Paste Operations Continuing Configuration TroubleshootingServer and Network LEDs Security Theory of OperationSingle Server Acceleration Multiple Servers 7110/7115 in Single Server Configuration Positioning 7110/7115 between ITM Device and Client Network Working with Internet Traffic Management ITM Devices Scalability and Cascading Positioning 7110/7115 between ITM Device and ServerSpilling and Throttling Availability Keys and Certificates Cutting and Pasting with HyperTerminal§ Intel 7115 create sign ProcedureCreate a key Type the create key command at the prompt Create a Certificate Signing Request Intel 7115 export sign mywebserver Certificate REQUEST----- linesAsciix Enter Enter Typically, the CSR will look something like this Exporting a Key/Certificate from a Server Save the configuration when the server has been mappedApache Interface to Open SSL§ modssl Apache SSL§ Importing into the 7110/7115 Stronghold§Intel 7115 import key mywebserver Save the configuration when the server has been mapped Intel 7115 create cert mywebserver Enter the create cert command with the keyIDCreating a new Key/Certificate on the 7110/7115 Create a key as follows Overview Global Site Certificates Example Global Site Certificate Paste ProcedureIntel 7115 import cert keyID Intel 7115 set redirect A P T E R Redirection Clients and Unsupported Ciphers Intel 7115 set redirect 2 none Intel 7115 show redirect Client AuthenticationTo disable a redirect URL for a mapping Intel 7115 show redirect Intel 7115 import clientca Next, import the client CA certificate for Map ID Generate the client CA certificate Creating a Client CA Certificate using OpenSSL§Generate a certificate signing request Mapping SSL ProcessingAutomapping Manual mapping Automapping with user-specified key and certificateAutomapping with multiple port combinations Deleting automapping entries Combining automapping and manual mapping Use the show block command to verify All IPs, Specific Port Subnet IP, Specific PortUse show block to verify Delete a Block Use the show block command to confirm the blockIntel 7115 delete block Failure Conditions, Fail-safe, and Fail-through Scenarios Syntax Manual Configuration Procedure for ScenarioScenario 1-Single Server Intel 7115delete map 1 Intel 7115list maps Scenario 2-Multiple Servers This scenario shows how to configure two or more servers ID KeyID Assumptions Scenario 3-Multiple 7110/ 7115s, Cascaded Multiple Cascaded 7110/7115s Intel 7115 export config Intel 7115 import config Save the configurationAfter verification y or refusal n, the prompt reappears Intel 7115set egressmac none To reverse this process Online Help Command Reference Abbreviation to Uniqueness Command Line InterfaceUser Authentication Command Line Prompt A P T E R Command Line Interface Command History Input Editing CommandsMoving the Insertion Point Cut and Paste Command Summary Nic Password Reboot Command Command Options ImportInline List Command Command Options Set Command Command Options Show Ttychar SetsnmpShowsnmp Status Help Commands Command ReferenceStatus Command Import key SSL CommandsCommand Description Create key Delete key Show key Command Description Export keyList keys Export cert Command Description Create certDelete cert Import cert Set ciphers Command Description Show certDisplay the expanded certificate including PEM format Displays all certificates Show redirect Command Description Set redirectShow clientca Delete clientca Command Description Import clientcaCreate sign Export sign Command Description Delete signShow sign keyID Field Command Description Set defcertIssuer e-mail address. You can change all, some or none Display the default certificate creation information Show clienttmo Command Description Set kstrengthShow kstrength Set clienttmo Show servertmo Command Description Set servertmoDisplays the currently specified server timeout value Client request is rejected Show block Port Mapping CommandsCommand Definition Create block Delete block Delete permit Command Definition Create permitShow permit List maps Command Definition Create mapDelete map mapID Show map Command Description Bypass Operational CommandsInline Show spill Command Description Set spill Command Description Set ip Remote Management CommandsMaxremotesessions Show telnet Command Description Set telnetSet telnetport Set sshport Command Description Show telnetportSet ssh Show ssh Showsnmp snmp Command Description Setsnmp snmpSetsnmp snmpinfo Snmpcommunity CommandDescriptionDelete Snmp community strings Trapcommunity Command Description Setsnmp trapauthenList trapcommunity Intel 7115 delete trapcommunity Delete trapcommunity Delete Snmp trap community strings Set rscwindow Alarms and Monitoring CommandsCommand Description Set alarms Show alarms Set utlwindow Command Description Show rscwindowSet utlhighwater Show utllowwater Command Description Set utllowwaterShow utlwindow Show utlhighwater Intel 7115 show ovlwindow CommandDescription Show ovlwindow Command Description Show config Configuration CommandsDisplay current volatile configuration settings Intel 7115 show config default Default configuration Config save Command Description Config compareConfig reset Config default Import a configuration file paste, xmodem, uudecode Command Description Export configConfiguration specifics are displayed Import config Import patch Command Description Import upgradeList system Returns to factory configuration settings Command Description Factorydefault Set date Administration CommandsCommand Description Password Show info Set idleto Command Description Set egressmacSet ether Show ether Set serial Command Description Set moreNic Set prompt Exit Logging CommandsCommand Description Show serial Command Description List logs Command Description Delete logDelete saved log/trace files from /flash/logs All deletes all logs Overview Remote Management Limitations Remote Management CLI Commands A P T E R Overview Local Serial Console Remote Telnet Sessions Unix-prompttelnet Remote Console, TelnetChanging the Telnet Port To display the Telnet port Disabling Telnet To verify Telnet disableEnable remote SSh sessions Remote SSh Sessions Changing the SSh Port Unix-promptssh -1 adminPasswordpassword Remote Console, SSh To display the SSh port To verify SSh disableIntel 7115 set ssh disable Disabling SSh Intel MIB Tree Standards Compliance Ceo-header.my Where to find MIB FilesSupported MIBs Management Information Base-II MIB-II Intel Enterprise MIBs Following is a summary of the 7110/7115 private MIB Enterprise Private MIB SummaryPage Snmp ThrottlesPerSec Number of throttles per second Snmp Standard Snmp Traps Trap SummaryPrivate Traps in ssl-appliance-mib.my Intel 7115 setsnmp snmp disable Intel 7115 showsnmp snmp Intel 7115 setsnmp snmp enable Intel 7115 showsnmp snmpEnabling Snmp Intel 7115 showsnmp snmpinfo Specifying Snmp Information Intel 7115 delete snmpcommunity Community String Trap Community String Use CLI commands, setsnmp trapcommunity, list Access Control Page Alarms Monitoring Set alarms All, esc, rsc, utl, ovl, nls None Show alarms CLI commands for alarm configuration are For example Alarm TypesESC Encryption Status Change Alarm Alarm Modifiers and Messages Extended Data RSC Alarm CLI CommandsTo set Overload Alarm time window RSC Refused SSL Connections Intel 7115 set rscwindow Intel 7115 show rscwindow UTL Utilization Threshold AlarmTo display Overload Alarm time window This alarm monitors three utilization threshold values To set Utilization Threshold Alarm low-water value UTL Alarm CLI commandsTo set Utilization Threshold Alarm time window To set Utilization Threshold Alarm high-water value Intel 7115 set ovlwindow Intel 7115 show ovlwindow OVL Overload AlarmOVL Alarm CLI Commands Intel 7115 set ovlwindow seconds Range NLS Network Link Status Alarm Alarm Logging Intel 7115 status Respend Inline Ip 10.1.11.34 netmask Intel 7115 status alarms Example, status alarms command Monitor report format Report ConfigurationMonitoring Monitoring Reports Intel 7115 set monitoringfields Monitoring Reports CLI Commands Intel 7115 show monitoringfields Intel 7115 set monitoring enable Intel 7115 show monitoringPage Software Updates Press y for yes at the Continue with upgrade? prompt Using Windows§ HyperTerminal§Intel 7115 import upgrade Connect the serial cable to the 7110/7115 auxiliary console Command import patch Intel 7115import upgrade To send the uuencoded file use the ~ command Intel 7115import patch Page Troubleshooting Intel 7115 set clienttmo See Global Site Certificates Error message Intermediate Different media Error message ServerSettings Then use the nic command to force LEDs Front Panel Processing Buttons and SwitchesPress to physically force bypass mode bypass 7110/7115 Front Panel LEDs Overload See Appendix B, Failure Connectors Failure/Bypass Modes Enable 7110/7115 processing Bypass Button Fail-through Switch Security Level P E N D I X B Fail-through Switch Security Level Page Cipher Strength Supported Ciphers SSL Version Level RC464 RC2 SSLv2RC2128 RC4-64 SSLv2Page Taiwan Class a EMI Statement Regulatory Information FCC Part 15 Compliance Statement Vcci Statement CE Compliance Statement Canada Compliance Statement Industry Canada Vcci Class a Japan Australia Cispr 22 Statement Avertissement Warnung Advertencias Wichtige Sicherheitshinweise Wichtige Sicherheitshinweise Page END User Terms and Conditions of Sale and Software License Terms and Conditions and Software LicensePage P E N D I X E Page Year warranty Process of being installed Export Law Regulations Page Glossary Glossary-2 Glossary-3 Glossary-4 Japan only Support ServicesWorldwide Access to Technical Support North America only Support-2 Intel NetStructure 7110/7115 e-Commerce Accelerator User Support-4 Index D E Index-3 Index-4