Applying the tcp profile to vip for ssl proxy – Brocade Communications Systems ServerIron ADX 12.4.00a User Manual

ServerIron ADX Security Guide

53-1002440-03

Configuration Examples for SSL Termination and Proxy Modes

You can also apply the TCP profile to the SSL profile. In the following example, the TCP profile
"nagleoff" is applied to the SSL profile "myprofile", and then "myprofile" is applied to the port ssl
ssl-terminate command in

ServerIronADX(config)# ssl profile myprofile

ServerIronADX(config-ssl-profile-myprofile)# tcp-profile nagleoff

ServerIronADX(config-ssl-profile-myprofile)# exit

ServerIronADX(config)# server virtual-name-or-ip vip1

ServerIronADX(config-vs-vip1)# port ssl ssl-terminate sslprofile myprofile

Applying the TCP profile to VIP for SSL Proxy

In an SSL Proxy configuration, the TCP profile must be applied to both the client and server SSL
profiles that are being applied to the Virtual Server.

ServerIronADX(config)# server virtual-name-or-ip vip1

ServerIronADX(config-vs-vip1)# port ssl ssl-proxy clientprofile serverprofile

ServerIronADX(config)# ssl profile clientprofile

ServerIronADX(config-ssl-profile-clientprofile)# tcp-profile nagleoff

ServerIronADX(config-ssl-profile-clientprofile)# exit

ServerIronADX(config)# ssl profile serverprofile

ServerIronADX(config-ssl-profile-serverprofile)# tcp-profile nagleoff

ServerIronADX(config-ssl-profile-serverprofile)# exit

ServerIronADX(config)# server virtual-name-or-ip vip1

ServerIronADX(config-vs-vip1)# port ssl ssl-proxy clientprofile serverprofile
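
A check for the requirement above, as an added example that is not part of the Brocade guide: it scans configuration text for "port ssl ssl-proxy" bindings and reports any client or server SSL profile that has no "tcp-profile" line. It assumes a saved configuration uses the same command lines as the CLI examples; the function name and the sample input (including vip2 and bareprofile) are constructed for illustration.

```python
import re

# Constructed sample: the commands from the example above with prompts and exit
# lines removed, plus a second VIP whose server-side profile has no tcp-profile.
SAMPLE_CONFIG = """\
ssl profile clientprofile
 tcp-profile nagleoff
ssl profile serverprofile
 tcp-profile nagleoff
ssl profile bareprofile
server virtual-name-or-ip vip1
 port ssl ssl-proxy clientprofile serverprofile
server virtual-name-or-ip vip2
 port ssl ssl-proxy clientprofile bareprofile
"""

def audit_ssl_proxy_tcp_profiles(config_text):
    """Return (vip, ssl_profile, problem) tuples for ssl-proxy bindings whose
    client or server SSL profile has no tcp-profile applied."""
    tcp_profile_of = {}   # ssl profile name -> tcp profile name (None if absent)
    bindings = []         # (vip, client profile, server profile)
    ssl_profile = vip = None
    for raw in config_text.splitlines():
        # Accept pasted CLI sessions too: drop a leading "ServerIronADX(...)# " prompt.
        line = re.sub(r"^\S+\([^)]*\)#\s*", "", raw.strip())
        words = line.split()
        if words[:2] == ["ssl", "profile"] and len(words) == 3:
            ssl_profile, vip = words[2], None
            tcp_profile_of.setdefault(ssl_profile, None)
        elif words[:2] == ["server", "virtual-name-or-ip"] and len(words) >= 3:
            vip, ssl_profile = words[2], None
        elif words[:1] == ["tcp-profile"] and len(words) == 2 and ssl_profile:
            tcp_profile_of[ssl_profile] = words[1]
        elif words[:3] == ["port", "ssl", "ssl-proxy"] and len(words) == 5 and vip:
            bindings.append((vip, words[3], words[4]))
        elif words == ["exit"]:
            ssl_profile = vip = None
    findings = []
    for vip, client, server in bindings:
        for name in (client, server):
            if name not in tcp_profile_of:
                findings.append((vip, name, "ssl profile not defined"))
            elif tcp_profile_of[name] is None:
                findings.append((vip, name, "no tcp-profile applied"))
    return findings

print(audit_ssl_proxy_tcp_profiles(SAMPLE_CONFIG))
```

Because bindings are evaluated only after the whole text is read, the check works whether the virtual server lines appear before or after the SSL profile definitions.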

Inserting a certificate in an HTTP header

The ServerIron ADX can optionally insert the client certificate as an HTTP header, to allow the real
server to access the client certificate information.

When configuring this feature, you need to do the following in addition to a normal SSL
Terminate configuration:

Create a CSW policy to enable client certificate insertion

Bind CSW and the CSW policy to the SSL port on the Virtual Server

Define the Client Insertion mode and prefix within a CSW policy (optional)

Configuring a CSW Policy to enable client certificate insertion

A CSW Policy needs to be created that enables client certificate insertion. It can be configured as
either a default command within a CSW policy (as shown in the following example) or as an action
in response to a match in a CSW rule.

ServerIronADX(config)# csw-policy cswp1

ServerIronADX(config-csw-cswp1)# default rewrite request-insert client-cert

Syntax: [no] default rewrite request-insert client-cert

Syntax: [no] match rewrite request-insert client-cert

Bind CSW and CSW policy to the Real Server

ServerIronADX(config)# server virtual-name-or-ip vip1

ServerIronADX(config-vs-vip1)# port ssl csw-policy "cswp1"

ServerIronADX(config-vs-vip1)# port ssl csw