Brocade Communications Systems 12.4.00a User Manual

ServerIron ADX Security Guide
53-1002440-03
Configuration Examples for SSL Termination and Proxy Modes
You can also apply the TCP profile to the SSL profile. In the following example, the TCP profile 
"nagleoff" is applied to the SSL profile "myprofile", and then "myprofile" is applied to the port ssl 
ssl-terminate command in 
ServerIronADX(config)# ssl profile myprofile
ServerIronADX(config-ssl-profile-myprofile)# tcp-profile nagleoff
ServerIronADX(config-ssl-profile-myprofile)# exit
ServerIronADX(config)# server virtual-name-or-ip vip1 
ServerIronADX(config-vs-vip1)# port ssl ssl-terminate sslprofile myprofile
Applying the TCP profile to VIP for SSL Proxy
In an SSL Proxy configuration, the TCP profile must be applied to both the client and the server SSL 
profiles that are applied to the Virtual Server.
ServerIronADX(config)# server virtual-name-or-ip vip1 
ServerIronADX(config-vs-vip1)# port ssl ssl-proxy clientprofile serverprofile 
ServerIronADX(config)# ssl profile clientprofile
ServerIronADX(config-ssl-profile-clientprofile)# tcp-profile nagleoff
ServerIronADX(config-ssl-profile-clientprofile)# exit
ServerIronADX(config)# ssl profile serverprofile
ServerIronADX(config-ssl-profile-serverprofile)# tcp-profile nagleoff
ServerIronADX(config-ssl-profile-serverprofile)# exit
ServerIronADX(config)# server virtual-name-or-ip vip1 
ServerIronADX(config-vs-vip1)# port ssl ssl-proxy clientprofile serverprofile
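The requirement above can be checked against a saved command transcript. The following Python function is an added example, not part of the Brocade guide; it assumes the configuration text uses the commands exactly as shown on this page, and the names vip2 and bareprofile in the sample are constructed.

```python
import re

# Strips a CLI prompt such as "ServerIronADX(config-vs-vip1)# " if present.
PROMPT = re.compile(r"^\S+\([^)]*\)#\s*")

# Constructed sample: vip1 follows the guide; vip2 binds a profile with no tcp-profile.
SAMPLE = """\
ServerIronADX(config)# ssl profile clientprofile
ServerIronADX(config-ssl-profile-clientprofile)# tcp-profile nagleoff
ServerIronADX(config-ssl-profile-clientprofile)# exit
ServerIronADX(config)# ssl profile serverprofile
ServerIronADX(config-ssl-profile-serverprofile)# tcp-profile nagleoff
ServerIronADX(config-ssl-profile-serverprofile)# exit
ServerIronADX(config)# ssl profile bareprofile
ServerIronADX(config-ssl-profile-bareprofile)# exit
ServerIronADX(config)# server virtual-name-or-ip vip1
ServerIronADX(config-vs-vip1)# port ssl ssl-proxy clientprofile serverprofile
ServerIronADX(config-vs-vip1)# exit
ServerIronADX(config)# server virtual-name-or-ip vip2
ServerIronADX(config-vs-vip2)# port ssl ssl-proxy clientprofile bareprofile
"""


def missing_tcp_profiles(text):
    """Return sorted (vip, ssl_profile) pairs where an SSL profile bound by
    'port ssl ssl-proxy' has no tcp-profile applied (or is never defined)."""
    tcp_profile = {}    # SSL profile name -> TCP profile name
    proxy_uses = set()  # (virtual server, SSL profile) pairs
    ctx = None          # current config level: ("ssl", name) or ("vip", name)
    for raw in text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if not words:
            continue
        if words[:2] == ["ssl", "profile"] and len(words) == 3:
            ctx = ("ssl", words[2])
        elif words[:2] == ["server", "virtual-name-or-ip"] and len(words) >= 3:
            ctx = ("vip", words[2])
        elif words == ["exit"]:
            ctx = None
        elif ctx and ctx[0] == "ssl" and words[0] == "tcp-profile" and len(words) == 2:
            tcp_profile[ctx[1]] = words[1]
        elif ctx and ctx[0] == "vip" and words[:3] == ["port", "ssl", "ssl-proxy"] and len(words) == 5:
            proxy_uses.update((ctx[1], name) for name in words[3:5])
    return sorted(use for use in proxy_uses if use[1] not in tcp_profile)


if __name__ == "__main__":
    for vip, profile in missing_tcp_profiles(SAMPLE):
        print(f"{vip}: SSL profile {profile!r} has no tcp-profile")
```

Because profiles are resolved after the whole text is read, the order in which the virtual server and the SSL profiles are configured does not affect the result.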
Inserting a certificate in an HTTP header
The ServerIron ADX can optionally insert the client certificate as an HTTP header, so that the real 
server can access the client certificate information.
When configuring this feature, you need to do the following in addition to a normal SSL 
Terminate configuration:
Create a CSW policy to enable client certificate insertion
Bind CSW and the CSW policy to the SSL port on the Virtual Server
Define the Client Insertion mode and prefix within a CSW policy (optional)
Configuring a CSW Policy to enable client certificate insertion
A CSW Policy needs to be created that enables client certificate insertion. It can be configured as 
either a default command within a CSW policy (as shown in the following example) or as an action 
in response to a match in a CSW rule. 
ServerIronADX(config)# csw-policy cswp1
ServerIronADX(config-csw-cswp1)# default rewrite request-insert client-cert
Syntax: [no] default rewrite request-insert client-cert
Syntax: [no] match <csw rule name> rewrite request-insert client-cert 
Bind CSW and CSW policy to the Real Server
ServerIronADX(config)# server virtual-name-or-ip vip1 
ServerIronADX(config-vs-vip1)# port ssl csw-policy "cswp1"
ServerIronADX(config-vs-vip1)# port ssl csw