Brocade Communications Systems 12.4.00a Manual De Usuario
184
ServerIron ADX Security Guide
53-1002440-03
Configuration Examples for SSL Termination and Proxy Modes
6
Define client Iinsertion mode and prefix
The client certificate insertion mode and prefix can be optionally configured within a CSW policy as
described in the following. To configure the client insertion mode, use the default rewrite
request-insert command as shown.
The client certificate insertion mode and prefix can be optionally configured within a CSW policy as
described in the following. To configure the client insertion mode, use the default rewrite
request-insert command as shown.
ServerIronADX(config)# csw-policy cswp1
ServerIronADX(config-csw-cswp1)# default rewrite request-insert client-cert
Syntax: [no] default rewrite request-insert client-cert [entire-chain | leaf-cert | wellknown-fields]
Selecting the entire-chain parameter directs the ServerIron ADX to insert the entire chain including
the leaf certificate in BASE64 encoded form. This is the default mode.
the leaf certificate in BASE64 encoded form. This is the default mode.
Selecting the leaf-cert parameter directs the ServerIron ADX to insert only the leaf certificate in
BASE64 encoded form, even though the certificate chain is present.
BASE64 encoded form, even though the certificate chain is present.
If the wellknown-fields parameter is selected the important information of the client certificate is
retrieved and inserted as the HTTP headers, in plain text. If this mode is chosen, the following
headers are inserted: "Client-Cert-Version", "Client-Cert-Serial", "Client-Cert-Start", "Client-Cert-End",
"Client-Cert-Subject", "Client-Cert-Subject-CN", "Client-Cert-SubjectAlt-CN", "Client-Cert-Issuer" and
"Client-Cert-Issuer-CN".
retrieved and inserted as the HTTP headers, in plain text. If this mode is chosen, the following
headers are inserted: "Client-Cert-Version", "Client-Cert-Serial", "Client-Cert-Start", "Client-Cert-End",
"Client-Cert-Subject", "Client-Cert-Subject-CN", "Client-Cert-SubjectAlt-CN", "Client-Cert-Issuer" and
"Client-Cert-Issuer-CN".
You can add a prefix to the default HTTP names using the default rewrite request-insert
certheader-prefix command. In the following example, the prefix "SSL" added to the HTTP header
"Client-Cert" would become "SSL-Client-Cert".
certheader-prefix command. In the following example, the prefix "SSL" added to the HTTP header
"Client-Cert" would become "SSL-Client-Cert".
ServerIronADX(config)# csw-policy cswp1
ServerIronADX(config-csw-cswp1)# default rewrite request-insert client-cert
certheader-prefix "SSL"
Syntax: [no] default rewrite request-insert client-cert certheader-prefix <prefix>
The value specified by the <prefix> variable is added to the default HTTP name.
The HTTP header names are shown in Table 18.
Other protocols supported for SSL
SSL acceleration support is provided to other popular protocols such as LDAPS, POP3S, and IMAPS.
Configuration of SSL acceleration support for these protocols is shown the following example.
Configuration of SSL acceleration support for these protocols is shown the following example.
TABLE 18
HTTP Header Names and Descriptions
Header Names
Descriptions
Client-Cert
The entire client certificate chain or the leaf certificate.
Client-Cert-Version
Version of the client certificate.
Client-Cert-Serial
Serial number of the client certificate.
Client-Cert-Start
Date certificate not valid before.
Client-Cert-End
Date certificate not valid after.
Client-Cert-Subject
Subject's distinguished name.
Client-Cert-Subject-CN
Subject's common name.
Client-Cert-Subject-Alt-CN
Subject's alternative name.
Client-Cert-Issuer
Issuer's distinguished name.
Client-Cert-Issuer-CN
Issuer's common name.