Applying the tcp profile to vip for ssl proxy – Brocade Communications Systems ServerIron ADX 12.4.00a User Manual

ServerIron ADX Security Guide
53-1002440-03
Configuration Examples for SSL Termination and Proxy Modes
You can also apply the TCP profile to the SSL profile. In the following example, the TCP profile
"nagleoff" is applied to the SSL profile "myprofile", and then "myprofile" is applied to the port ssl
ssl-terminate command in
ServerIronADX(config)# ssl profile myprofile
ServerIronADX(config-ssl-profile-myprofile)# tcp-profile nagleoff
ServerIronADX(config-ssl-profile-myprofile)# exit
ServerIronADX(config)# server virtual-name-or-ip vip1
ServerIronADX(config-vs-vip1)# port ssl ssl-terminate sslprofile myprofile
Applying the TCP profile to VIP for SSL Proxy
In an SSL Proxy configuration, the TCP profile must be applied to both the client and the server SSL
profiles that are applied to the Virtual Server.
ServerIronADX(config)# server virtual-name-or-ip vip1
ServerIronADX(config-vs-vip1)# port ssl ssl-proxy clientprofile serverprofile
ServerIronADX(config)# ssl profile clientprofile
ServerIronADX(config-ssl-profile-clientprofile)# tcp-profile nagleoff
ServerIronADX(config-ssl-profile-clientprofile)# exit
ServerIronADX(config)# ssl profile serverprofile
ServerIronADX(config-ssl-profile-serverprofile)# tcp-profile nagleoff
ServerIronADX(config-ssl-profile-serverprofile)# exit
ServerIronADX(config)# server virtual-name-or-ip vip1
ServerIronADX(config-vs-vip1)# port ssl ssl-proxy clientprofile serverprofile
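The rule above (every SSL profile bound to a VIP, and in proxy mode both the client and the server profile, carries a TCP profile) can be checked mechanically against a captured CLI session. The following Python audit is an added example, not part of the Brocade manual; the function name `audit` and the sample session are constructed here, and it assumes the session uses the prompt and command forms shown in the examples above.

```python
import re
# Strips a CLI prompt such as "ServerIronADX(config-vs-vip1)# " from a line.
PROMPT = re.compile(r"^[\w.-]+\([^)]*\)#\s*")

def audit(session):
    """Return findings for SSL profiles bound to a VIP that lack a tcp-profile."""
    tcp_of = {}    # SSL profile name -> TCP profile name (None until one is set)
    bound = {}     # (vip, mode, SSL profile) -> True; a dict drops repeated bindings
    ctx = None     # current context: ("ssl", name), ("vip", name) or None
    for raw in session.splitlines():
        w = PROMPT.sub("", raw.strip()).split()
        if not w:
            continue
        if w[:2] == ["ssl", "profile"] and len(w) == 3:
            ctx = ("ssl", w[2])
            tcp_of.setdefault(w[2], None)
        elif w[:2] == ["server", "virtual-name-or-ip"] and len(w) == 3:
            ctx = ("vip", w[2])
        elif w == ["exit"]:
            ctx = None
        elif ctx and ctx[0] == "ssl" and w[0] == "tcp-profile" and len(w) == 2:
            tcp_of[ctx[1]] = w[1]
        elif ctx and ctx[0] == "vip" and w[:2] == ["port", "ssl"] and len(w) > 3:
            if w[2] == "ssl-terminate":
                # Assumption: the profile name is the last word, as in the example.
                bound[(ctx[1], "ssl-terminate", w[-1])] = True
            elif w[2] == "ssl-proxy":
                for prof in w[3:5]:      # client profile, then server profile
                    bound[(ctx[1], "ssl-proxy", prof)] = True
    findings = []
    for vip, mode, prof in bound:        # checked last, so command order is free
        if prof not in tcp_of:
            findings.append(f"{vip}: {mode} uses undefined SSL profile {prof}")
        elif tcp_of[prof] is None:
            findings.append(f"{vip}: {mode} SSL profile {prof} has no tcp-profile")
    return findings

# Constructed session: serverprofile is defined but never given a tcp-profile.
SAMPLE = """\
ServerIronADX(config)# ssl profile clientprofile
ServerIronADX(config-ssl-profile-clientprofile)# tcp-profile nagleoff
ServerIronADX(config-ssl-profile-clientprofile)# exit
ServerIronADX(config)# ssl profile serverprofile
ServerIronADX(config-ssl-profile-serverprofile)# exit
ServerIronADX(config)# server virtual-name-or-ip vip1
ServerIronADX(config-vs-vip1)# port ssl ssl-proxy clientprofile serverprofile
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Because bindings are evaluated only after the whole session is read, a VIP that references its profiles before they are defined is still checked correctly.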
Inserting a certificate in an HTTP header
The ServerIron ADX can optionally insert the client certificate as an HTTP header so that the real
server can access the client certificate information.
When configuring this feature, you need to do the following in addition to a normal SSL
Terminate configuration:
• Create a CSW policy to enable client certificate insertion
• Bind CSW and the CSW policy to the SSL port on the Virtual Server
• Define the Client Insertion mode and prefix within a CSW policy (optional)
Configuring a CSW Policy to enable client certificate insertion
A CSW Policy needs to be created that enables client certificate insertion. It can be configured as
either a default command within a CSW policy (as shown in the following example) or as an action
in response to a match in a CSW rule.
ServerIronADX(config)# csw-policy cswp1
ServerIronADX(config-csw-cswp1)# default rewrite request-insert client-cert
Syntax: [no] default rewrite request-insert client-cert
Syntax: [no] match
Bind CSW and CSW policy to the Real Server
ServerIronADX(config)# server virtual-name-or-ip vip1
ServerIronADX(config-vs-vip1)# port ssl csw-policy "cswp1"
ServerIronADX(config-vs-vip1)# port ssl csw