Applying the TCP profile to VIP for SSL terminate – Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00) User Manual

53-1003250-01

Configuration examples for SSL Termination Mode

Applying the TCP profile to VIP for SSL terminate

When you apply the TCP profile on the VIP in an SSL terminate configuration, the profile is applied
to the traffic between the Brocade Virtual ADX and the real server. In the following example, the TCP
profile "nagleoff" is applied to the port ssl ssl-terminate command in the virtual server
configuration.

Virtual ADX(config)#server virtual-name-or-ip vip1

Virtual ADX(config-vs-vip1)#port ssl ssl-terminate sslprofile nagleoff

Syntax: [no] port ssl ssl-terminate ssl-profile [tcp-proxy]

Applying the TCP profile to the SSL profile for SSL terminate

When you apply the TCP profile to the SSL profile in an SSL terminate configuration, the TCP profile
is applied to the traffic between the client and the Brocade Virtual ADX. In the following example,
the TCP profile "nagleoff" is applied to the SSL profile "myprofile" and then the SSL profile is applied
to the port ssl ssl-terminate command in the virtual server configuration.

Virtual ADX(config)#ssl profile myprofile

Virtual ADX(config-ssl-profile-myprofile)#tcp-profile nagleoff

Virtual ADX(config-ssl-profile-myprofile)#exit

Virtual ADX(config)#server virtual-name-or-ip vip1

Virtual ADX(config-vs-vip1)#port ssl ssl-terminate sslprofile myprofile

Inserting a certificate in an HTTP header

The Brocade Virtual ADX can optionally insert the client certificate as an HTTP header, so that the
real server can access the client certificate information.

When configuring this feature, you need to do the following in addition to a normal SSL
Terminate configuration:

Create a CSW policy to enable client certificate insertion

Bind CSW and the CSW policy to the SSL port on the virtual server

Define the Client Insertion mode and prefix within a CSW policy (optional)

Configuring a CSW Policy to enable client certificate insertion

Create a CSW policy that enables client certificate insertion. Insertion can be configured either as
a default command within the CSW policy (as shown in the following example) or as an action
in response to a match in a CSW rule.

Virtual ADX(config)#csw-policy cswp1

Virtual ADX(config-csw-cswp1)#default rewrite request-insert client-cert

Syntax: [no] default rewrite request-insert client-cert

Syntax: [no] match csw rule name rewrite request-insert client-cert

Bind CSW and the CSW policy to the SSL port on the virtual server

Virtual ADX(config)#server virtual-name-or-ip vip1

Virtual ADX(config-vs-vip1)#port ssl csw-policy "cswp1"

Virtual ADX(config-vs-vip1)#port ssl csw
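
A change-review check for the steps above, as an added example that is not from the Brocade guide: it reads a CLI transcript in the prompt format printed on this page and reports, per virtual server, which of the required commands are missing. The function names and the sample transcript are constructed for illustration, and treating every `no ...` line as a no-op is a simplifying assumption.

```python
import re
# Prompt format as printed on this page: "Virtual ADX(<context>)#<command>"
PROMPT = re.compile(r'^Virtual ADX\(([^)]+)\)#\s*(.+?)\s*$')

def parse(transcript):
    """Return (CSW policies that insert the client cert, per-VIP 'port ssl' settings)."""
    inserting, vips = set(), {}
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m or m.group(2).startswith("no "):
            continue  # skip non-command lines and negated commands (simplification)
        ctx, cmd = m.groups()
        # Covers both the "default ..." form and the "match <rule> ..." form.
        if ctx.startswith("config-csw-") and cmd.endswith("rewrite request-insert client-cert"):
            inserting.add(ctx[len("config-csw-"):])
        elif ctx.startswith("config-vs-"):
            vip = vips.setdefault(ctx[len("config-vs-"):],
                                  {"ssl-terminate": False, "csw": False, "policy": None})
            words = cmd.split()
            if len(words) < 3 or words[:2] != ["port", "ssl"]:
                continue
            if words[2] in ("ssl-terminate", "csw"):
                vip[words[2]] = True
            elif words[2] == "csw-policy" and len(words) > 3:
                vip["policy"] = words[3].strip('"')
    return inserting, vips

def audit(transcript):
    """List the steps from this page that are missing for each virtual server."""
    inserting, vips = parse(transcript)
    findings = []
    for name, v in sorted(vips.items()):
        if not v["ssl-terminate"]:
            findings.append(f"{name}: no 'port ssl ssl-terminate'")
        if v["policy"] is None:
            findings.append(f"{name}: no CSW policy bound to port ssl")
        elif v["policy"] not in inserting:
            findings.append(f"{name}: policy {v['policy']} does not insert client-cert")
        if not v["csw"]:
            findings.append(f"{name}: 'port ssl csw' not enabled")
    return findings

# Constructed transcript: the page's commands with the final 'port ssl csw' left out.
SAMPLE = """\
Virtual ADX(config)#csw-policy cswp1
Virtual ADX(config-csw-cswp1)#default rewrite request-insert client-cert
Virtual ADX(config)#server virtual-name-or-ip vip1
Virtual ADX(config-vs-vip1)#port ssl ssl-terminate sslprofile myprofile
Virtual ADX(config-vs-vip1)#port ssl csw-policy "cswp1"
"""
```

Calling `audit(SAMPLE)` reports the missing `port ssl csw` step for `vip1`; a transcript that contains every command from this page returns an empty list.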