Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
     800 553-NETS (6387)
Fax: 408 526-4100

Cisco 11000 Series Secure Content Accelerator Configuration Guide

April 2003

Text Part Number: 78-13124-06

Summary of Contents for 11000 Series


Page 2: ...difying the equipment without Cisco's written authorization may result in the equipment no longer complying with FCC requirements for Class A or Class B digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense. You can determine whether your equipment ...

Page 3: ...iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, LightStream, MGX...


Page 5: ...ion xxxv; Documentation Feedback xxxvi; Obtaining Technical Assistance xxxvii; Cisco.com xxxvii; Technical Assistance Center xxxvii; Cisco TAC Website xxxviii; Cisco TAC Escalation Center xxxix; Obtaining Additional Publications and Information xxxix. CHAPTER 1 Overview 1-1: Product Overview 1-2; Secure Content Accelerator Versions 1-3. CHAPTER 2 Installing the Hardware and Software 2-1: Site Requ...

Page 6: ...PTER 3 Using the QuickStart Wizard 3-1: Before You Begin 3-2; Initiating a Management Session 3-2; Serial Management and IP Address Assignment 3-2; Telnet 3-3; Starting the QuickStart Wizard 3-4; Using the QuickStart Wizard 3-5; Using the QuickStart Wizard with a Configured Appliance 3-14. CHAPTER 4 Using the Configuration Manager 4-1: Overview 4-2; Configuration Security 4-3; Passwords 4-3; Access L...

Page 7: ...le; Saving a Configuration File 4-17; Step-Up Certificates and Server-Gated Cryptography 4-17; Configuring Certificate Groups 4-18; Example: Configuring a Certificate Group 4-18; Example: Importing Certificate Groups 4-20; Using Client and Server Certificate Authentication 4-21; Example: Configuring Server Certificate Authentication 4-21; Example: Configuring Client Certificate Authentication 4-23; Generating ...

Page 8: ...arting the GUI 5-3; Configuring for Client-Side Access 5-4; Administrative Time-Out 5-5; Web Management User Interface 5-5; General Configuration Examples 5-7; Example: Setting the Device Name (Hostname) 5-7; Example: Resetting the IP Address 5-8; Example: Configuring an Ethernet Interface 5-9; Example: Enabling RIP 5-10; Example: Adding a Route to the Routing Table 5-11; Example: Working with Syslogs 5-13; Example: ...

Page 9: ...cate Group 5-46; Example: Importing a PKCS#12 Certificate Group 5-47; Running the Secure Server Wizard 5-48. CHAPTER 6 FIPS Operation 6-1: FIPS Capabilities 6-2; Using FIPS Mode 6-2; Creating a Server in FIPS Mode 6-5; Command Changes 6-7; Unavailable Commands 6-7; Differing Command Behaviors 6-7; Returning to Normal Operation 6-9; More Information 6-10. APPENDIX A Specifications A-1: Electrical Sp...

Page 10: ...APPENDIX C Command Summary C-1: Input Data Format Specification C-2; Text Conventions C-2; Editing and Completion Features C-3; Command Hierarchy C-5; Configuration Security C-6; Passwords C-6; Access Lists C-7; Factory Default Reset Password C-7; Methods to Manage the Device C-7; Initiating a Management Session C-9; Serial Management and IP Address Assignment C-9; Telnet C-10; Command Listing C-10; Top ...

Page 11: ... C-35; show copyrights C-35; show cpu C-35; show date C-36; show device C-36; show dns C-37; show flows C-37; show history C-37; show interface C-38; show interface errors C-38; show interface statistics C-39; show ip domain name C-40; show ip name server C-40; show ip routes C-41; show ip statistics C-41; show keepalive monitor C-41; show log C-42; show memory C-42; show messages C-42; show netstat C-43; ...

Page 12: ...ver C-45; show rip C-45; show route C-45; show sessions C-46; show sntp C-46; show sntp server C-46; show ssl C-47; show ssl cert C-47; show ssl certgroup C-48; show ssl errors C-49; show ssl key C-54; show ssl secpolicy C-54; show ssl server C-55; show ssl session stats C-56; show ssl statistics C-58; show ssl tcp tuning C-60; show syslog C-61; show system resources C-61; show telnet C-62; show terminal C-62; show t...

Page 13: ...rface statistics C-68; clear ip routes C-68; clear ip statistics C-69; clear line C-69; clear log C-69; clear messages C-70; clear ssl session stats C-70; clear ssl statistics C-70; configure C-71; copy running configuration C-71; copy running configuration startup configuration C-72; copy startup configuration C-72; copy startup configuration running configuration C-73; copy to flash C-73; copy to running conf...

Page 14: ...list C-77; show diagnostic report C-78; show running configuration C-79; show snmp C-79; show startup configuration C-80; write flash C-81; write memory C-81; write messages C-82; write network C-82; write terminal C-83; Configuration Command Set C-84; access list C-84; clock C-85; end C-86; exit C-86; finished C-86; help C-87; hostname C-87; interface C-88; ip address C-88; ip domain name C-89; ip name server C-89; ...

Page 15: ... server C-93; registration code C-94; rip C-94; no snmp C-95; snmp access list C-96; snmp contact C-97; snmp default community C-97; snmp enable C-98; snmp location C-99; snmp trap host C-100; snmp trap type enterprise C-101; snmp trap type generic C-102; sntp interval C-103; sntp server C-104; ssl C-104; syslog C-105; telnet access list C-106; telnet enable C-107; telnet port C-107; timezone C-108; web mgmt access l...

Page 16: ...duplex C-111; end C-111; finished C-112; help C-112; speed C-112; SSL Configuration Command Set C-113; backend server C-113; cert C-114; certgroup C-115; end C-116; exit C-116; finished C-116; gencsr C-116; help C-117; import pkcs12 C-118; import pkcs7 C-118; key C-119; reverse proxy server C-120; secpolicy C-121; server C-122; tcp tuning C-122; Backend Server Configuration Command Set C-124; activate C-124; ...

Page 17: ...nable C-127; keepalive frequency C-127; keepalive maxfailure C-128; localport C-128; log url C-129; remoteport C-129; secpolicy C-130; serverauth domain name C-131; serverauth enable C-131; serverauth ignore C-132; session cache enable C-132; session cache size C-133; session cache timeout C-133; sslv2 enable C-134; sslv3 enable C-134; suspend C-135; tcp tuning C-135; tlsv1 enable C-136; transparent C-136; urlrewrit...

Page 18: ...r C-138; end C-139; exit C-139; finished C-139; help C-139; info C-140; pem C-140; pem paste C-140; Certificate Group Configuration Command Set C-142; cert C-142; end C-142; exit C-143; finished C-143; help C-143; info C-144; Key Configuration Command Set C-145; binhex C-145; der C-145; end C-146; exit C-146; finished C-146; genrsa C-146; help C-147; info C-148; net iis C-148; ...

Page 19: ...50; end C-151; exit C-151; finished C-152; help C-152; info C-152; localport C-153; log url C-153; secpolicy C-154; serverauth enable C-155; serverauth ignore C-155; session cache enable C-156; session cache size C-156; session cache timeout C-157; sslv2 enable C-157; sslv3 enable C-158; suspend C-158; tcp tuning C-159; tlsv1 enable C-159; urlrewrite C-160; Security Policy Configuration Command Set C-161; crypto C-161...

Page 20: ...e C-165; cert C-165; certgroup chain C-166; certgroup clientauth C-167; clientauth enable C-167; clientauth error C-168; clientauth verifydepth C-169; end C-170; ephemeral error C-170; ephrsa C-171; exit C-171; finished C-171; help C-172; httpheader C-172; info C-175; ip address C-175; keepalive enable C-176; keepalive frequency C-176; keepalive maxfailure C-177; key C-177; localport C-178; log url C-178; ...

Page 21: ...ut C-182; sharedcipher error C-182; sslport C-183; sslv2 enable C-183; sslv3 enable C-184; suspend C-184; tcp tuning C-185; tlsv1 enable C-185; transparent C-186; urlrewrite C-187; TCP Tuning Configuration Command Set C-189; 2msltime C-189; delay ack C-190; finwt2time C-191; keepalive C-191; keepalive cnt C-192; keepalive intv C-193; max rexmit C-193; maxrt C-194; maxseg C-194; mtu C-195; nodelay C-196; nopush C-196; ...

Page 22: ... ts C-203; wnd scale C-204. APPENDIX D MiniMax Command Summary D-1: Text Conventions D-2; Getting Help D-3; Examples D-4; Configuring Basic Device Parameters D-4; Installing a Firmware Image (Netcat) D-5; Installing a Firmware Image (Xmodem) D-6; Extracting a Device Configuration D-8; Resetting the Environment to Factory Defaults D-9; Command Set D-11; question mark D-11; baud D-11; boot D-11; cat D-11; do D-1...

Page 23: ...t D-15; printenv D-15; rdate server D-15; reboot D-16; resetenv D-16; rm D-16; sbridge D-16; show D-17; version D-18; zap D-18. APPENDIX E Troubleshooting E-1: Troubleshooting the Hardware E-2. APPENDIX F SSL Introduction 1: Introduction to SSL 2; Port Blocking Mechanism 2; Before You Begin 4; Using Existing Keys and Certificates 4; Apache mod_SSL 5; ApacheSSL 5; ...

Page 24: ...et Password 8; Cisco SSL Configuration Components 8; Real Server IP Addresses 9; Keys 9; Certificates 9; Step-Up Certificates and Server-Gated Cryptography 9; Chained Certificates 10; Security Policies 10; Cisco Secure Content Accelerator Management 12. APPENDIX G Regulatory Information 15: Regulatory Standards Compliance 16; Canadian Radio Frequency Emissions Statement 16; FCC Class A 17; CISPR 22 (EN 5...

Page 25: ...4 Resetting IP Information Configuration Example 5-9; Figure 5-5 Ethernet Interface Configuration Example 5-10; Figure 5-6 RIP Configuration Example 5-11; Figure 5-7 Routing Table Configuration Example 5-12; Figure 5-8 Adding a Route Example 5-12; Figure 5-9 Syslog Configuration Example 5-13; Figure 5-10 Access List Configuration Example 5-14; Figure 5-11 Add Access List Entry Example 5-15; Figure 5-12 Su...

Page 26: ...Policy Example 5-32; Figure 5-30 SSL Session Cache Example 5-32; Figure 5-31 Add URL Rewrite Rule Example 5-33; Figure 5-32 Add Secure Server Information Example 5-33; Figure 5-33 Add HTTP Headers Example 5-34; Figure 5-34 Add Keepalives Example 5-34; Figure 5-35 Certificate Groups Tab 5-35; Figure 5-36 Add Certificate Group Example 5-36; Figure 5-37 Assign Certificate Group Example 5-37; Figure 5-38 Confi...

Page 27: ...cure Content Accelerator Installation with a Load Balancer B-3; Figure B-3 Secure Content Accelerator In-Line Installation B-5; Figure B-4 Secure Content Accelerator One-Armed Non-Transparent Proxy Installation B-11; Figure B-5 Secure Content Accelerator One-Armed Transparent Proxy Installation B-20; Figure C-1 Command Hierarchy C-5; Figure E-1 Troubleshooting Flowchart 1 E-6; Figure E-2 Troubleshooting...


Page 29: ...tion Device Configuration B-12; Table B-3 One-Armed Transparent Proxy Installation Device Configuration B-22; Table C-1 Input Data Formats C-2; Table C-2 Key Reference C-3; Table C-3 Non-Privileged Command Description C-11; Table C-4 Privileged Command Description C-14; Table C-5 Configuration Command Description C-16; Table C-6 Interface Configuration Command Description C-19; Table C-7 SSL Configuration...

Page 30: ...rs (continuous) C-53; Table C-18 Output Description for show ssl session stats C-57; Table C-19 Output Description for show ssl statistics C-59; Table C-20 Headers Inserted with httpheader client cert Command C-173; Table C-21 Headers Inserted with httpheader session Command C-174; Table C-22 Headers Inserted with httpheader server cert Command C-174; Table D-1 Firmware Image Selection D-5; Table D-2 Firmw...

Page 31: ...on describes the contents of this guide. Section / Description: Chapter 1, Overview: This chapter describes the features and functions of the Secure Content Accelerator. Chapter 2, Installing the Hardware and Software: This chapter describes how to install the Secure Content Accelerator as a free-standing or rack-mount unit. Chapter 3, Using the QuickStart Wizard: This chapter provides instructions for using ...

Page 32: ...ure Content Accelerator. Appendix B, Deployment Examples: This appendix provides examples for configuring and deploying the Secure Content Accelerator in conjunction with other networking hardware. Appendix C, Command Summary: This appendix provides detailed command descriptions and examples to help you take advantage of Secure Content Accelerator features. Appendix D, MiniMax Command Summary: MiniMax comm...

Page 33: ...stem to its power source. Caution: A caution means that a specific action you take could cause a loss of data or adversely impact use of the equipment. Note: A note provides important related information, reminders, and recommendations. Bold text indicates a command in a paragraph. Courier text indicates text that appears in a command line, such as the command line interface, or is returned by the computer. ...

Page 34: ... of a new term, a book title, and emphasized text. 1. A numbered list indicates that the order of the list items is important. a. An alphabetical list indicates that the order of the secondary list items is important. A bulleted list indicates that the order of the list topics is unimportant. An indented dashed list indicates that the order of the list topics is unimportant. ...

Page 35: ...l Cisco web sites can be accessed from this URL: http://www.cisco.com/public/countries_languages.shtml. Documentation CD-ROM: Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single...

Page 36: ...go/subscription. Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387). Documentation Feedback: You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click Feedback at the top of the page. ...

Page 37: ...services, programs, and resources at any time, from anywhere in the world. Cisco.com provides a broad range of features and services to help you with these tasks: Streamline business processes and improve productivity; Resolve technical issues with online support; Download and test software packages; Order Cisco learning materials and merchandise; Register for online skill assessment, training, and certifica...

Page 38: ...e the Cisco TAC website to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC website, go to this URL: http://www.cisco.com/tac. All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC websit...

Page 39: ...agreement number and your product serial number. Obtaining Additional Publications and Information: Information about Cisco products, technologies, and network solutions is available from various online and printed sources. The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL: h...

Page 40: ...t_id 44699 public_view true kbns 1 html. Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in the design, development, and operation of public and private internets and intranets. You can access the Internet Protocol Journal at this URL: http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html. Training: C...

Page 41: ... 1 Overview: This chapter describes the features and functions of the Secure Content Accelerator. This chapter contains the following sections: Product Overview; Secure Content Accelerator Versions. ...

Page 42: ...ure Content Accelerator provides: Secure URL rewrite, preventing URL redirects and references from breaking or circumventing SSL sessions; FIPS-compliant operation (SCA2 only); Firmware signatures are verified during startup and when a firmware image is uploaded to or loaded on the device; Auto-logout for increased configuration security; Management via command-line and Web-based graphical user interfaces...

Page 43: ...ent Accelerator hardware models, the SCA and SCA2. Any differences in displayed information are described where applicable. The table below presents the differences between the two Secure Content Accelerator models. Table 1-1 Secure Content Accelerator Model Differences (Feature: SCA / SCA2): Maximum Connections: 5000 / 30,000; Maximum Session Cache: 75,000 / 300,000; Maximum SSL Servers: 255 / 4095; Maximum Keys: 255 / 4...


Page 45: ...rator as a free-standing or rack-mounted unit. Suggestions for using the Secure Content Accelerator in conjunction with other networking hardware are described in Appendix B, Deployment Examples. This chapter contains the following sections: Site Requirements; Shipment Contents; Unpacking the Secure Content Accelerator; Installing the Hardware; Panel Descriptions; Connecting to Power; Connecting to Ethernet...

Page 46: ... This guide contains important safety information you should know before working with the system. Please see Appendix A. Required Tools and Equipment: To install the Secure Content Accelerator, you need the following tools and equipment: a Phillips screwdriver; rack-mount screws and an appropriate screwdriver. Shipment Contents: The Secure Content Accelerator shipment contains the following items: Secure Cont...

Page 47: ...tor later. 2. Remove all accessories from the shipping carton. 3. Check the accessories against the items listed in the section Shipment Contents. Installing the Hardware. Warning: Before working on a system that has an on/off switch, turn OFF the power and unplug the power cord. This unit has more than one power cord. To reduce the risk of electric shock, disconnect the two power supply cords before servici...

Page 48: ...ning: Review nameplate ratings for correct voltage and load requirements. For safety, this equipment is required to be grounded through the ground conductor of the AC power cords. Do not remove the cover of the Secure Content Accelerator. There are electrical shock hazards present in the unit if the cover is removed. To reduce the risk of fire or electric shock, do not expose the Secure Content Accelerat...

Page 49: ...ts and six screws shipped with the Secure Content Accelerator, a #2 Phillips screwdriver, rack-mounting screws, and an appropriate screwdriver. 1. Position the Secure Content Accelerator with the front panel facing you. 2. Position a mounting bracket on one side of the chassis, aligning the holes in the bracket with the screw holes on the chassis. 3. Secure the bracket to the chassis with three screws and th...

Page 50: ... port; One TEST LED; One RESET switch. Figure 2-1 Secure Content Accelerator Front Panel. The rear panel of the Secure Content Accelerator, shown in Figure 2-2, contains the following connectors and switches: Two power inputs; Two power switches. Figure 2-2 Secure Content Accelerator Rear Panel. Figure 2-3 shows the LED layout of the SCA Ethernet ports. Table 2-1 describes the function of each LED on the SCA...

Page 51: ...n of each LED on the device. Figure 2-4 SCA2 Ethernet Port Detail. Table 2-1 SCA Port LED Descriptions (LED Name / Color / State / Indication): LK, Green: Off = No link established, On = Link established; TX, Amber: Blinking = Transmit activity detected; RX, Green: Blinking = Receive activity detected; Test, Amber: Off = Self-diagnostics are successful, On = Self-diagnostics are running. [Figure labels: Reset Switch, Test LED, 100, ACT, LNK, Server, Netwo...]

Page 52: ...r power switches are in the 0 (off) position. 2. Attach the power cables to the Secure Content Accelerator by plugging the AC power cord connector into the power receptacle at the rear panel. 3. Plug the power cords into dedicated three-wire grounding receptacles. 4. Switch the power switches to the 1 (on) position. Note: Connect the power supplies to different circuits to further ensure appliance availabilit...

Page 53: ...ses the Network port; outbound traffic uses the Server port. If you are using the appliance in one-port mode, you must connect it so that both client requests and server traffic travel through the Network port. Use only Category 5 UTP cables with RJ-45 connectors. The Secure Content Accelerator Ethernet interfaces are configured as NIC ports. Use a straight-through cable to connect the Secure Content Ac...


Page 55: ...se the configuration manager as described in Chapter 4. The QuickStart wizard presented in this chapter is available only from a CLI-based management session. See Chapter 5 for information about using the Secure Server wizard from a GUI-based management session. This chapter contains the following sections: Before You Begin; Initiating a Management Session; Starting the QuickStart Wizard; Using the Quick...

Page 56: ...pages. The nature of the changes depends upon whether you are securing a previously unsecured site or adding the SSL appliance to an already secure server installation. These changes are described in the section Web Site Changes in Appendix B, Deployment Examples. Note: When using the QuickStart wizard in FIPS Mode, only FIPS-approved algorithms are available. Initiating a Management Session: Use the appr...

Page 57: ... that communicates with the serial port connected to the appliance. Use these settings: 9,600 baud, 8 data bits, no parity, 1 stop bit, no flow control. 3. Press Return. Initial information is displayed, followed by an SCA prompt. 4. Enter Privileged and Configuration modes and set the IP address using the following commands. Replace the IP address in the example with the appropriate one.
SCA> enable
SCA# configu...

Page 58: ...ot been assigned an IP address, you are prompted to assign a hostname and IP address before beginning the QuickStart configuration process. Would you like to specify a hostname and IP address for this device? Enter the hostname for this device. The hostname is a user-specified device name. In this example, we use the name myDevice. When prompted for them, enter the IP address, netmask, and default gateway f...

Page 59: ...ure server names can consist of Arabic numerals and upper- and lowercase alphabetic, underscore (_), hyphen (-), and period (.) characters. Secure server names must begin with an alphabetic character and have a limit of 15 characters. Enter the IP address for myServer. This is the IP address of the real server to which the clear text should be sent. Enter the SSL port. Enter the TCP service port for the appliance to...

Page 60: ...on: 1 2. Note: If you are using a key created with IIS or a non-PEM-encoded key or certificate, use the default keys and certificates included with the SSL device. After configuring the device with the QuickStart wizard, use the configuration manager to load your own certificate and key. See Example: Setting up a Secure Server in Chapter 4 and SSL Configuration Command Set in Appendix C. If you have the key a...

Page 61: ...me: myServer; IP address: 10.1.2.3; Secure Port: 443; Clear Port: 80; Key name: default. Each ssl server is associated with a certificate. 1. Certificate is stored in a file on an http or ftp server. 2. Want to use an existing or default Certificate. Choose the option corresponding to your situation: 1 2. If you have the certificate available via a URL, type 1. Enter the name of the certificate for ssl server myServe...

Page 62: ...ed a key and certificate that cannot be used together, you are asked whether to re-enter the key and certificate. If you do not choose to re-enter the key and certificate, your choices are accepted, but the secure server is not configured correctly and will not function properly. After the certificate has been properly loaded, you are shown a summary and asked to specify a security policy. CONFIGURE SSL ...

Page 63: ...er an invalid security policy name, you receive an error message and are prompted to re-enter the name. Note: When using the QuickStart wizard in FIPS Mode, only security policies containing one or more FIPS-compliant algorithms are available. After the name of the security policy is accepted, you are prompted to verify the logical secure server configuration. SSL SERVER myServer SUMMARY: The following SS...

Page 64: ... its configuration security. The password you enter is not displayed. Would you like to set a name for this device? (y/n/q) Type y and enter a name for the SSL appliance. A default gateway is needed to connect outside of your local subnet. Would you like to set a default gateway for this device? (y/n/q) y. Enter a default gateway for this device. A default gateway is needed for the device to connect outside o...

Page 65: ...SHA, EXP1024-ARC4-SHA, NULL-MD5, NULL-SHA, EXP-DES-CBC-SHA; fips 3 0: DES-CBC-SHA, DES-CBC3-SHA; strong 4 1: DES-CBC-MD5, DES-CBC-SHA, DES-CBC3-MD5, DES-CBC3-SHA, ARC4-MD5, ARC4-SHA; all 5 0: DES-CBC-MD5, DES-CBC-SHA, DES-CBC3-MD5, DES-CBC3-SHA, ARC4-MD5, ARC4-SHA, EXP-ARC4-MD5, EXP-ARC4-SHA, EXP-ARC2-MD5, EXP1024-ARC4-MD5, EXP1024-ARC2-CBC-MD5, EXP1024-DES-CBC-SHA, EXP1024-ARC4-SHA, NULL-MD5, NULL-SHA, EXP-DES-CBC-SHA; noexport...

Page 66: ...g the key. V (Validity): The validity of the key as loaded into the device. Column / Description: Id: The number of the certificate as loaded into the device. RCCG (Reference Count Certificate Group): The number of certificate groups using the certificate. RCPS (Reference Count Proxy Server): The number of SSL servers using the certificate. V (Validity): The validity of the certificate as loaded into the device. Y indi...

Page 67: ...used. Column / Description: Name: The name of the SSL server. Id: The number of the SSL server as loaded into the device. Secure (SSL) IP: The IP address and TCP service port to monitor for SSL transaction requests. Plaintext IP: The IP address and TCP service port used to send decrypted SSL traffic to the server. KC: The validity of the key and certificate pair assigned to the SSL server. U indicates the key or ...

Page 68: ...art Wizard with a Configured Appliance: If you wish to run the QuickStart wizard for a previously configured Cisco Secure Content Accelerator, follow these steps. 1. Initiate a management session and start the configuration manager as described previously. 2. Use the appropriate method to attach to the device. 3. Enter Privileged mode. 4. Enter the command quick start. 5. Go to Using the QuickStart Wizard. ...

Page 69: ...ol components. This chapter contains the following sections: Overview; Configuration Security; Before You Begin; Initiating a Management Session; Configuring the Device; Step-Up Certificates and Server-Gated Cryptography; Configuring Certificate Groups; Using Client and Server Certificate Authentication; Generating Keys and Certificates; Supporting SNMP; Supporting RIP; Supporting Other Secure Protocols; Suppor...

Page 70: ... 4-1. Figure 4-1 Configuration Manager Hierarchy. To configure items in a submode, activate the submode by entering a command in the mode above it. For example, to set the network interface speed or duplex, you must first enter enable, configure, then interface network. To return to the higher Configuration mode, simply enter end or exit, or press CTRL-D. The finished command returns to the Top Level from any...

Page 71: ...e-level passwords control who can view the same data available with access-level passwords, as well as view sensitive data and configure the device. SSL devices are shipped without passwords. Setting passwords is important because the device can be administered over a network. For more information about passwords, see the commands password access and password enable in Appendix C. Note: FIPS-compliant op...

Page 72: ...he factory default reset. Before You Begin: Before configuring the SSL appliance, you must have a certificate and keys for the server. You can use the files you received from the Certificate Authority, copy the keys and certificate from an existing secure server, use default keys and certificates preloaded in the device, or generate your own keys and certificates. Instructions for exporting keys and certi...

Page 73: ...hance of graphic anomalies, please use the same settings with the serial terminal software. The device terminal settings can be changed if necessary. Use the standard ANSI setting on the serial terminal software. 1. Attach the included null modem cable to the appliance port marked CONSOLE. Attach the other end of the null modem cable to a serial port on the configuring computer. 2. Launch any terminal emu...

Page 74: ...on with the IP address previously assigned to the appliance. 2. An SCA prompt is displayed. Note: When prompted to supply a file name during a telnet management session, you must supply it as a URL in the form of HOST/PATH/FILENAME, using the http://, https://, ftp://, or tftp:// prefix. Configuring the Device: When you configure an appliance to perform SSL offloading, you are actually setting up one or more logical secu...

Page 75: ...ection, continue with step 3. If you wish to use a telnet connection, initiate a telnet session with the IP address assigned in step 1 and go to step 3. 3. Use the following commands to enter Privileged and Configuration modes and change the name of the SSL appliance to myDevice:
SCA> enable
SCA# configure
(config[CS-10.1.2.3])# hostname myDevice
(config[CS-10.1.2.3])# end
SCA# configure
(config[myDevice])#
4. Set the ...

Page 76: ...M-encoded key file. Return to SSL Configuration mode.
(config-ssl[myDevice])# key myKey create
(config-ssl-key[myKey])# pem keyFile
(config-ssl-key[myKey])# end
(config-ssl[myDevice])#
Note: Use the der command when using DER-encoded keys and certificates, and the net iis command when using keys exported from IIS 4. Note: Key names can consist of Arabic numerals and upper- and lowercase alphabetic, underscore (_), hyphen (-), and pe...

Page 77: ...PS Mode, only the FIPS security policy is available. Note: Security policy names can consist of Arabic numerals and upper- and lowercase alphabetic, underscore (_), hyphen (-), and period (.) characters. Security policy names must begin with an alphabetic character and have a limit of 15 characters. 5. Enter Server Configuration mode and create a server named myServer. Assign the IP address 10.1.2.4. Assign port 443 fo...

Page 78: ...r. This example describes how to use the configuration manager to set up a backend server. 1. Enter Privileged, Configuration, and SSL Configuration modes:
SCA> enable
SCA# configure
(config[myDevice])# ssl
(config-ssl[myDevice])#
2. Enter Backend Server Configuration mode and create a backend server named myBackServ:
(config-ssl[myDevice])# backend server myBackServ create
(config-ssl-backend[myBackServ])#
3. Assign an IP ...

Page 79: ...mple: Setting up a Reverse Proxy Server. This example describes how to use the configuration manager to set up a reverse proxy server. 1. Enter Privileged, Configuration, and SSL Configuration modes:
SCA> enable
SCA# configure
(config[myDevice])# ssl
(config-ssl[myDevice])#
2. Enter Reverse Proxy Server Configuration mode and create a server named myRevServ:
(config-ssl[myDevice])# reverse proxy server myRevServ create ...

Page 80: ...ice as a proxy. Example: Configuring Secure URL Rewrite. The Secure URL Rewrite feature prevents URL redirects and references from breaking or circumventing SSL sessions. This example uses the CLI; the same options are available in the GUI. 1. Open a management session with the device. 2. Enter Privileged, Configuration, and SSL Configuration modes:
SCA> enable
SCA# configure
(config[SCA])# ssl
(config-ssl[SCA])#
3. Ent...

Page 81: ... sslport 443 clearport 81 redirectonly 5 A wildcard can be used to specify multiple SSL hosts in the same domain config ssl server myServer urlrewrite mybusiness3 com sslport 443 clearport 81 Note Do not use com as a filter The definition is too broad domainName The domain or file identifier as a domain name IP address or path and file name An asterisk wild card character can be used to specify mo...

Page 82: ... 81 No For more information about URL rewriting contact your Cisco representative for a copy of the white paper SSL Offloaders and Contextual Consistency Example Configuring SNTP Servers Up to four SNTP servers can be configured on the Secure Content Accelerator Note To provide increased security we recommend using an SNTP server on the internal network Using an external SNTP server might compromi...

Page 83: ... 2 10 2 22 6 0 0 fails tries stratum 2 SNTP synchronization interval 43200 seconds config SCA The show device command and an example of returned information are presented below config SCA show device SNTP sync ing every 43200 s from 10 1 24 2 10 1 24 4 10 2 22 2 10 2 22 6 Any errors resulting from polling or synchronization are written to syslog messages Example Restricting Access using an Access ...

Page 84: ...pecific IP address config myDevice telnet access list 2 6 Exit to Privileged mode and save the configuration to flash memory If it is not saved the configuration is lost during a power cycle or when the reload command is used config myDevice finished SCA write flash SCA Note In FIPS Mode access lists can be configured but assigned only to the SNMP subsystem Configuring an Ethernet Interface The Et...

Page 85: ...ration SCA write flash SCA 3 Save the startup configuration to a file SCA copy startup configuration https www mycorp com myconfig SCA Before this file is uploaded to the device you must reload the keys and configure the passwords on the device Use the same key object names previously used to reference the keys Step Up Certificates and Server Gated Cryptography Cisco Secure Content Accelerator sup...

Page 86: ...rusted CA certificate clients accept them during SSL negotiations Example Configuring a Certificate Group The locally created certificate the intermediary CA certificate signed by a trusted CA and any other intermediary certificates are loaded into individual certificate objects that are combined into a certificate group This example demonstrates how to Load an intermediate CA certificate into a c...

Page 87: ...sl myDevice 5 Enter Certificate Group Configuration mode create the certificate group CACertGroup load the certificate object CACert and return to SSL Configuration mode config ssl myDevice certgroup CACertGroup create config ssl certgroup CACertGroup cert CACert config ssl certgroup CACertGroup end config ssl myDevice 6 Enter Server Configuration mode create the logical secure server server1 assi...

Page 88: ... Configuration modes 3 Enter SSL Configuration mode config myDevice ssl config ssl myDevice 4 Specify the PKCS 7 file to import indicating the appropriate encoding in this example PEM In this example the name of the certificate group to create is myCertGroup The certificate prefix is impt The certificate prefix is optional This command must be entered on one line config ssl myDevice import pkcs7 m...

Page 89: ...ification authentication can be configured on both backend and reverse proxy servers The configuration procedure for both server types is nearly identical This example demonstrates how to configure an existing backend server for server certificate authorization using the certificate group servTrustGroup The domain name for backend server configuration only is www mycorp com Several options are ava...

Page 90: ...rverauth enable config ssl backend myBackServ serverauth ignore none config ssl backend myBackServ certgroup serverauth servTrustGroup 5 Enter a domain name to use for certificate comparison This is necessary only for backend servers when server certificate authentication is not set to ignore domain name errors The final command must be entered on a single line config ssl backend myBackServ server...

Page 91: ...session as described previously 2 Enter Privileged and Configuration modes SCA enable SCA configure config myDevice 3 Enter SSL Configuration mode and Server Configuration mode for the server myServ config myDevice ssl config ssl myDevice server myServ config ssl server myServ 4 Enter the following commands to enable client certificate authentication set the handling of authentication of errors an...

Page 92: ...l config ssl myDevice key myGenKey create config ssl key myGenKey 2 Enter the following command to generate a 1024 bit key using the seed string lemon The key is displayed once using DES encryption The resulting key is stored on the device as well as exported to a PEM encoded file named mykey pem This command must be entered on one line config ssl key myGenKey genrsa bits 1024 encrypt des seed lem...

Page 93: ...rting SNMP Cisco Secure Content Accelerator devices have basic support for SNMP functions The device is shipped with SNMP disabled This example demonstrates how to set basic SNMP data Example Configuring SNMP 1 Initiate a management session as described previously 2 Enter Privileged and Configuration modes SCA enable SCA configure 3 Enter SNMP data and enable SNMP Access list 1 has already been cr...

Page 94: ...rt Routing Information Protocol RIP versions 1 and 2 This example demonstrates how to enable RIP version 1 packet usage Example Configuring RIP 1 Initiate a management session as described previously 2 Enter Privileged and Configuration modes SCA enable SCA configure 3 Enable reception and processing of RIP version 1 packets Then return to Privileged mode config myDevice rip v1 config myDevice end...

Page 95: ...ession as described above Enter Privileged and Configuration modes Enter a default router Enter SSL Configuration mode 2 Enter Server Configuration mode and create a server named mySecureMail Assign an IP address and netmask Assign port 995 for monitoring for POP3S S POP connections and port 110 for sending clear text Assign the appropriate key certificate and security policy Return to Privileged ...

Page 96: ...syslog ip 10 1 1 2 122 port 514 facility 1 config myDevice end SCA 4 Save the configuration to flash memory If not saved the configuration is lost during a power cycle or when the reload command is used SCA write flash SCA Disabling SSL Versions In certain situations you may want to disable individual SSL versions The SCA allows you to enable or disable these on a version by version basis for indi...

Page 97: ...ver by entering the info command config ssl server myServer info SSL version v3 tls1 6 Return to Privileged mode config ssl server myServer finished SCA 7 Save the configuration to flash memory If not saved the configuration is lost during a power cycle or when the reload command is used SCA write flash SCA Enabling Keepalives You can enable and configure keepalive GET messages between the virtual...

Page 98: ...palive messaging config ssl server myServer keepalive enable config ssl server myServer 5 Set the keepalive message frequency to 8 seconds and the failure interval to 5 non responded keepalive messages config ssl server myServer keepalive frequency 8 config ssl server myServer keepalive maxfailure 5 config ssl server myServer 6 Verify the keepalive information by entering the info command config s...

Page 99: ...out period is 15 minutes In the following example the idle timeout period is changed to 10 minutes 1 Initiate a management session as described previously 2 Enter Privileged and Configuration modes SCA enable SCA configure config myDevice 3 Reset the timeout period using the following command config myDevice password idle timeout 10 config myDevice 4 Verify the keepalive information by entering th...

Page 100: ...Chapter 4 Using the Configuration Manager Setting the Idle Timeout 4 32 Cisco 11000 Series Secure Content Accelerator Configuration Guide 78 13124 06 ...

Page 101: ... browser based method of configuring the Secure Content Accelerator Note The GUI cannot be used to configure the Secure Content Accelerator in FIPS Mode See Chapter 6 FIPS Operation for further information This chapter contains the following sections Overview Browser and System Support Enabling Web Management Restricting Access to Web Management Starting the GUI Web Management User Interface Gener...

Page 102: ...led See the command web mgmt in Appendix C Browser and System Support The GUI has the following requirements Color recommendations The minimum display resolution required is SVGA 800x600 resolution For best results use XGA 1024x768 resolution Browser Support The GUI requires Microsoft Internet Explorer version 5 x or later or Netscape Navigator 4 77 or 6 x or later Enabling Web Management Web mana...

Page 103: ...s to the Secure Content Accelerator Create one or more access lists using either the CLI see Example Restricting Access using an Access List in Chapter 4 or the GUI as described later in this chapter Starting the GUI Follow these steps to use the GUI to manage the Secure Content Accelerator 1 Launch the Web browser 2 When configuring a device in dual port mode from a computer via the Server port e...

Page 104: ...Side Access Use the commands below as an example to set up a secure server named web on the Secure Content Accelerator allowing GUI configuration from the client side Network port myDevice attach myDevice enable myDevice configure config myDevice ssl config ssl myDevice server web create config ssl server web ip address 127 0 0 1 config ssl server web sslport 443 config ssl server web remoteport 8...

Page 105: ...e Do not create an SSL server pointing to the IP address of 127 0 0 1 and try to enable HTTPS access on the Subsystem tab in the Access content area Administrative Time Out If the device senses no activity on a GUI management session for a certain period of time the user is logged out of the device The default idle timeout period is 15 minutes This value can be reset using the Passwords tab of the...

Page 106: ...me and date parameters Access Set passwords create and manage access lists and specify subsystem access Network Manage Ethernet interfaces view network statistics view ARP information view and add to the routing table view interface statistics and errors view IP statistics set DNS information Log Set syslog message hosts and clear and view the device message log Tools Reboot the device manage runn...

Page 107: ...system at any time when an enable password has been set General Configuration Examples The following examples demonstrate how to use the GUI to configure general Secure Content Accelerator settings Note To save time make all the changes you wish then click Save to Flash to write the configuration to the device flash memory Example Setting the Device Name Hostname Follow these steps to change the h...

Page 108: ...e 5 3 Changing Hostname Configuration Example 4 Click Update Example Resetting the IP Address 1 Click Network to activate the Network tabs 2 Type the new IP address information including the appropriate netmask and default router in the Internet Address Netmask and Gateway text boxes respectively on the Settings tab The Settings page opens as shown in Figure 5 4 ...

Page 109: ...ain situations such as when changing to a different subnet redirection might not occur If the connection is not redirected manually connect to the device If you still are unable to connect use the serial configuration manager to check the device configuration and try again Example Configuring an Ethernet Interface 1 Click Network to activate the Network tabs 2 Use the list box in the Network Inter...

Page 110: ...Cisco 11000 Series Secure Content Accelerator Configuration Guide 78 13124 06 Figure 5 5 Ethernet Interface Configuration Example 3 Click Update Example Enabling RIP 1 Click Network to activate the Network tabs 2 Click the Settings tab The Settings page opens as shown in Figure 5 6 ...

Page 111: ...ral Configuration Examples Figure 5 6 RIP Configuration Example 3 Scroll to the bottom of the page if necessary to see the Rip panel 4 Select the Enabled check box 5 Click Update Example Adding a Route to the Routing Table 1 Click Network to activate the Network tabs 2 Click the Route tab The Route page opens as shown in Figure 5 7 ...

Page 112: ...0 Series Secure Content Accelerator Configuration Guide 78 13124 06 Figure 5 7 Routing Table Configuration Example 3 Scroll to the bottom of the page if necessary to see the Add Route button 4 Click Add Route The Add Route window opens as shown in Figure 5 8 Figure 5 8 Adding a Route Example ...

Page 113: ... Cancel to close the window without adding the route information Example Working with Syslogs 1 Click Log to activate the Log tabs The Settings page opens automatically as shown in Figure 5 9 Figure 5 9 Syslog Configuration Example 2 Enter the IP addresses of the syslog hosts in the System Log Forwarding text boxes on the Settings tab 3 Enter the appropriate port ID and select the desired facility ...

Page 114: ...ss List This example demonstrates how to set up an access list to permit management access to the Secure Content Accelerator 1 Click Access to activate the Access tabs 2 Click the Access Control Lists tab The Access Control Lists page opens as shown in Figure 5 10 Figure 5 10 Access List Configuration Example 3 Click Add Access Entry The Add Access Control List window opens as shown in Figure 5 11...

Page 115: ...General Configuration Examples Figure 5 11 Add Access List Entry Example 4 Enter the appropriate information for the list entry See the access list command in Appendix C for more information 5 Click OK to create the access list entry and close the window 6 Click the Subsystem tab The Subsystem page opens as shown in Figure 5 12 ...

Page 116: ... Series Secure Content Accelerator Configuration Guide 78 13124 06 Figure 5 12 Subsystem Access Configuration Example 7 Type the number of the access list just created in the Access Control List Id text box of the Web Management panel You can also change the TCP port on this tab 8 Click Update ...

Page 117: ...shown in Figure 5 13 Figure 5 13 Device Reloading Example 2 If you have made changes to the device configuration but have not saved them to flash memory click Save to Flash in the Status area as shown in Figure 5 14 Caution The appliance restarts using the configuration stored in flash memory Any changes you have made but have not saved are lost Figure 5 14 Save Changes Button 3 Click Reboot on th...

Page 118: ...the Access tabs The Password page opens automatically as shown in Figure 5 15 Figure 5 15 Change Password Example 2 If an Enable password has already been assigned type it in the Old Password text box 3 Type the password to use in the New Password text box and retype it in the Confirm New Password text box 4 Click Update to set the password Note To remove an existing Enable password entirely clear...

Page 119: ...ick SNMP to activate the SNMP tabs The Settings page opens automatically as shown in Figure 5 16 Figure 5 16 SNMP Configuration Example 2 Type the default community contact information and location information in appropriate text boxes Click Update after changing the value in each field and selecting the Enabled check box 3 Click the Traps tab The Traps page opens as shown in Figure 5 17 ...

Page 120: ...guration Examples 5 20 Cisco 11000 Series Secure Content Accelerator Configuration Guide 78 13124 06 Figure 5 17 SNMP Trap Example 4 Click Add Trap Host to specify a host to which to send trapping messages The Add Trap Host window opens as shown in Figure 5 18 ...

Page 121: ...community name in the Community text box Select the desired version of SNMP from the SNMP Version list box 6 Click OK to add the trap host 7 Set the desired traps by selecting the Enable option buttons and typing appropriate values in the Threshold Hysteresis Low and Hysteresis High text boxes If you wish to use only one trap point enter a value only in the Threshold Hysteresis Low text box Note A...

Page 122: ...rator works with SSL protocol information Example Setting up a Secure Server In this example the default SSL port 443 and remote port 81 are used The user specified key name is myKey the certificate name is myCert and the secure server name is myServer The pre loaded strong security policy is used The first step is to load a key to assign to the secure server In this example a key is imported into...

Page 123: ...ate Key window opens as shown in Figure 5 20 Figure 5 20 Add Private Key Example 4 Click From File The From File page opens as shown in Figure 5 21 In this example the key is imported from a file Alternatively you can copy the key from the key file and paste it into the Paste Private Key Here text box on the Paste tab For an example of key generation see Example Generating an RSA Private Key ...

Page 124: ...ect the appropriate Private Key File Encoding option button Type the password for the key in the Private Key Password text box Enter the key file name and path or click the Browse button to find and select the file 6 Click OK to load the key into the Secure Content Accelerator Next load a certificate to assign to the secure server In this example a certificate is imported into the GUI 7 Click the ...

Page 126: ...Reference SSL Configuration Examples 5 26 Cisco 11000 Series Secure Content Accelerator Configuration Guide 78 13124 06 8 Click Add Certificate The Add Certificate window opens as shown in Figure 5 23 Figure 5 23 Add Certificate Example ...

Page 127: ...ficate generation see Example Generating a Self Signed Certificate below Figure 5 24 Importing a Certificate Example 10 Type the certificate name myCert in the Certificate Name text box Select the appropriate Certificate File Encoding option button Enter the certificate file name and path or click the Browse button to find and select the file 11 Click OK to load the certificate into the Secure Cont...

Page 128: ...rence SSL Configuration Examples 5 28 Cisco 11000 Series Secure Content Accelerator Configuration Guide 78 13124 06 12 Click the Security Policies tab The Security Policies page opens as shown in Figure 5 25 Figure 5 25 Security Policies Tab ...

Page 129: ...y Policy The Add Security Policy window opens as shown in Figure 5 26 Figure 5 26 Add Security Policy Example 14 Type the desired name in the Security Policy Name text box Select the policies to include in the new security policy by clicking and CTRL clicking the entries in the Security Policy Algorithms list box 15 Click OK to create the policy Now set up the secure server ...

Page 130: ...isco 11000 Series Secure Content Accelerator Configuration Guide 78 13124 06 16 Click the Secure Servers tab The Secure Servers page opens as shown in Figure 5 27 Figure 5 27 Secure Servers Tab 17 Click Add Secure Server The Add Secure Server window opens as shown in Figure 5 28 ...

Page 131: ...ropriate option button This example configures a Normal Server Type the server name myServer in the Secure Server Name text box Type the IP address of the server to which to send decrypted SSL traffic in the IP Address text box Change the Clear Text Port to 81 19 If you wish to use a log server enter the appropriate information in the Log Server IP text boxes 20 You can disable any of the SSL TLS ...

Page 132: ... Scroll to the Server Certificate and Security Policy panel Select myCert from the Certificate list box Select myKey from the Private Key list box Select strong from the Security Policy list box These options are shown in Figure 5 29 Figure 5 29 Server Certificate and Security Policy Example 24 If desired alter the session cache information The SSL Session Cache panel is shown in Figure 5 30 Figur...

Page 133: ...ader Only check box to indicate only 30x series redirects referencing http rather than all instances of http such as those appearing intentionally in the application data be rewritten Note For more information see the Example Configuring Secure URL Rewrite section on page 4 12 26 Select the desired options in the Client Certificate Authentication panel shown in Figure 5 32 Figure 5 32 Add Secure S...

Page 134: ...l servers on the device and hardware servers to which they refer If no response is received from the hardware server after a set amount of time maxfailure the virtual server is marked as suspended This information is configured in the Backend Server Keep Alive panel as shown in Figure 5 34 Figure 5 34 Add Keepalives Example 29 Click OK to create the secure server on the Secure Content Accelerator Th...

Page 135: ...emonstrates how to select certificates already loaded in the Secure Content Accelerator to create a certificate group Alternatively a PKCS 7 certificate group can be imported directly See Example Importing a PKCS 7 Certificate Group below for a demonstration 1 Click SSL to activate the SSL tabs 2 Click the Certificate Groups tab The Certificate Groups page is shown in Figure 5 35 Figure 5 35 Certi...

Page 136: ...tes listed in the Member Certificates list box to add to the certificate group You can also click and SHIFT click either end of a contiguous group of certificates to select all certificates in it 6 Click OK to add the certificate group to the device Follow the steps below to assign the certificate group to a secure server 1 Click SSL to activate the SSL tabs 2 Click the Secure Servers tab 3 Either...

Page 137: ...orting Other Secure Protocols The Secure Content Accelerator can be used for protocols other than pure SSL applications In this example a secure server is set up to process only POP3S S POP mail 1 Click the Secure Servers tab 2 Click Add Secure Server The Add Secure Server window opens 3 Type the server name mySecureMail in the Secure Server Name text box Type the IP address of the server to which...

Page 138: ...78 13124 06 Figure 5 38 Configuring for Other Protocols Example 4 Click OK to create the secure server in the Secure Content Accelerator Example Generating an RSA Private Key This example demonstrates how to generate an RSA private key named myOwnKey 1 Click SSL to activate the SSL tabs 2 Click Add Private Key The Add Private Key window opens ...

Page 139: ... value is proportionate to the strength of the key 6 If you want to specify any additional seed data for the random number generator type it into the Extra Random Number Generator Seed Data text box 7 Choose an option in the Display Encrypted Key for Backup list box Do Not Display Key The private key is never displayed You cannot save the key to a file for backup purposes Display key using Des Enc...

Page 140: ...Display Key was selected the key is generated and a window opens reminding you that the key cannot be displayed or exported This is shown in Figure 5 40 Click Close Figure 5 40 Key Not Displayed Example If either Display key using Des Encryption or Display key using Des3 Encryption were selected the key is generated and a window opens displaying the encrypted key This is shown in Figure 5 41 Click...

Page 142: ...icate This example demonstrates how to generate a certificate signing request CSR and a self signed certificate 1 Click SSL to activate the SSL tabs 2 Click the Certificates tab 3 Click Add Certificate The Add Certificate window opens 4 Click the Generate CSR Self signed Certificate tab The Generate CSR Self signed Certificate page opens as shown in Figure 5 42 Figure 5 42 Generate CSR Example ...

Page 143: ...e desired domain name country state locality organization name organization unit and e mail address in the appropriate text boxes 7 Select the appropriate message digest format for the signing request from the CSR Message Digest list box 8 Select the appropriate header from the CSR Header list box 9 Click OK The certificate is created and the Generate Certificate Signing Request CSR opens as shown...

Page 144: ...te Authority Note If you know the preferred file name convention of the CA name the file appropriately now Otherwise accept the default naming convention and rename the file later if necessary 11 Click Self sign this CSR to generate a self signed digital certificate to be used for testing while you wait for the certificate to be signed The Generate Self signed Certificate window opens as shown in ...

Page 145: ...propriate date to begin validity of the certificate from the Start Date list boxes Change the number of days the certificate is valid in the Days Valid text box if desired Click Generate Self signed Certificate The certificate is generated and a window opens allowing the certificate to be downloaded The Generate Self signed Certificate window is shown in Figure 5 45 Click Close Figure 5 45 Success...

Page 146: ...ick Add Certificate Group The Add Certificate Group window opens 4 Click the From PKCS7 File tab The Import PKCS7 File page opens as shown in Figure 5 46 Figure 5 46 Import PKCS 7 Certificate Group Example 5 Type the name of the group in the Certificate Group Name text box 6 Type the base name of the certificate in the Certificate Name Prefix text box 7 Select the encoding option for the file to i...

Page 147: ...tivate the SSL tabs 2 Click the Certificate Groups tab 3 Click Add Certificate Group The Add Certificate Group window opens 4 Click the From PKCS12 File tab The Import PKCS12 Certificate Chain window opens as shown in Figure 5 47 Figure 5 47 Import PKCS 12 Certificate Group Example 5 Type the name of the group in the Certificate Group Name text box 6 Type the key password in the Password text box ...

Page 148: ...sic SSL secure server configuration but it does not provide all the features of either the GUI or CLI alone 1 Click SSL to activate the SSL tabs 2 Click Secure Server Wizard The first screen of the wizard opens as shown in Figure 5 48 Figure 5 48 Starting the Secure Server Wizard 3 Follow the instructions and prompts in the wizard to configure the secure server When you have completed configuring ...

Page 149: ...tion This chapter describes how to use the Secure Content Accelerator in FIPS Mode for FIPS 140 2 compliant operation This chapter contains the following sections FIPS Capabilities Using FIPS Mode Command Changes Returning to Normal Operation More Information Note FIPS operation is only available on the SCA2 ...

Page 150: ...ated in FIPS Mode Non FIPS 140 2 compliant servers can be configured for compliance Management is available only via a serial connection Passwords at least eight characters in length are required at both access and configuration levels Commands that do not support FIPS compliant security measures are disabled in FIPS Mode The command prompt contains the text FIPS to indicate the device is operatin...

Page 151: ...roved algorithms are supported Only FIPS compliant servers can be used Management is available only via the serial console Passwords must be at least eight characters long Firmware signature verification is enabled Some commands are not supported Are you sure you want to do this y n n 4 The Secure Content Accelerator checks access and enable level passwords previously set if any The display reflec...

Page 152: ... Mode operation the following text is displayed Your current enable level password is not valid for FIPS mode You need to provide an access level password of at least 8 characters Enter new password Confirm password d If both the previously set access and enable level passwords are valid for FIPS Mode operation no additional text is displayed 5 The device reboots and enters FIPS Mode Enter the acc...

Page 153: ...for FIPS compliance Follow the steps below to create a FIPS compliant server 1 Connect to the Secure Content Accelerator using a serial management session and enter Privileged Configuration and SSL Modes Create a secure server named mySecServ FIPS SCA enable FIPS SCA config FIPS config SCA ssl FIPS ssl config SCA server mySecServ create FIPS ssl server mySecServ 2 Assign an IP address key certific...

Page 154: ...ed Configuration and SSL Modes Create a security policy named myFIPS FIPS SCA enable FIPS SCA config FIPS config SCA ssl FIPS ssl config SCA secpolicy myFIPS create FIPS ssl secpolicy myFIPS 2 Specify the 3DES SHA cryptographic algorithm and return to SSL Configuration Mode FIPS ssl secpolicy myFIPS crypto DES CBC3 SHA FIPS ssl secpolicy myFIPS exit FIPS ssl config SCA 3 Enter Server Configuration...

Page 155: ...ds Commands that are unavailable in FIPS Mode are shown in Table 6 1 below Differing Command Behaviors Some commands behave differently while the Secure Content Accelerator is in FIPS Mode These commands and notes about their usage are presented in Table 6 2 below Table 6 1 Unavailable Commands Operational Mode Command Top Level Mode show telnet show web mgmt write file Configuration Mode telnet access...

Page 156: ...or all servers All non FIPS compliant servers are disabled by default in FIPS Mode and cannot be enabled without reconfiguring them to be FIPS compliant quick start When using the QuickStart wizard to create a server only FIPS compatible security policies are available When using the QuickStart wizard to configure an existing server only FIPS compliant servers can be configured and only security p...

Page 157: ...de secpolicy You can assign any security policy ies however if non FIPS compliant security policies are assigned the backend server is marked as FIPS suspended upon exiting Backend Server Configuration mode Reverse Proxy Server Configuration Mode secpolicy You can assign any security policy ies however if non FIPS compliant security policies are assigned the reverse proxy server is marked as FIPS ...

Page 158: ...e Information 6 10 Cisco 11000 Series Secure Content Accelerator Configuration Guide 78 13124 06 More Information For more information about the NIST Cryptographic Module Validation Program see http csrc nist gov cryptval cmvp htm ...

Page 159: ...ration Guide 78 13124 06 A P P E N D I X A Specifications This appendix presents the specifications for both Secure Content Accelerator versions It contains the following sections Electrical Specifications Environmental Specifications Physical Specifications ...

Page 160: ...ercurrent protection Ensure that a fuse or circuit breaker no larger than 120 VAC 15A U S 240 VAC 10A international is used on the phase conductors all current carrying conductors Environmental Specifications Table A 2 describes the Secure Content Accelerator environmental specifications Table A 1 AC Electrical Specifications DC Specification Secure Content Accelerator Voltage AC 100 240 VAC 50 60...

Page 161: ...fications Physical Specifications Physical Specifications Table A 3 describes the Secure Content Accelerator physical specifications Table A 3 Physical Specifications Specification Secure Content Accelerator Chassis Dimensions H x W x D 10x1 75x17 inches 25x4 4x42 5 cm Shipping Weight 6 lbs 2 72 kg ...

Page 163: ...Deployment Examples. The following examples demonstrate how the Secure Content Accelerator can be integrated into a network. This appendix contains the following sections: Single Device; Load Balancing; Use with the CSS; Connecting the Device to a Terminal Server; Web Site Changes; Transparent Local Listen ...

Page 164: ...Install the appliance as instructed previously. 2. Connect the Network Ethernet interface to the Internet. 3. Connect the Server Ethernet interface to Web server access. Load Balancing: Secure Content Accelerator devices can be installed in front of or behind a load balancer. If the load balancer is using URL- or cookie-related load balancing, install the appliance in front of the load balancer. In this co...

Page 165: ...tion with a Load Balancer. 1. Install the appliance as instructed previously. 2. Connect the Network Ethernet interface to the Internet. Connect the Server Ethernet interface to the load balancer. For information about configuring the Secure Content Accelerator in conjunction with the CSS 11000 Series Content Services Switch (hereinafter referred to as the CSS), see Use with the CSS ...

Page 166: ...Line; One-Armed Non-Transparent Proxy; One-Armed Transparent Proxy. In-Line: Placing the Secure Content Accelerator in front of the CSS increases performance of the server farm by offloading all SSL processing from the servers. The Secure Content Accelerator is completely transparent to the CSS and servers. This deployment is the simplest to configure because it requires no specific inter-operational co...

Page 167: ...configured to ensure that bridge loops are not created. If multiple Secure Content Accelerator devices are used, each must be attached to a separate VLAN on the CSS and/or the upstream Layer 2 switch. The Secure Content Accelerator intercepts all port 443 traffic for the IP addresses configured on it, decrypts the traffic, and forwards it as clear text on another TCP service port to the CSS. All port 80...

Page 168: ...Configuration: Create a VLAN for each Secure Content Accelerator. Create a VLAN for the servers. Create services as required for each server, adding keepalive attributes as necessary. Create a default ECMP route for each load-balanced Secure Content Accelerator, using the upstream router as the gateway for each upstream VLAN. Create Layer 5 rules for the secure content. Create content rules as required fo...

Page 169: ...cp active service s3 ip address 10.176.10.12 protocol tcp active service s4 ip address 10.176.10.13 protocol tcp active OWNER owner test content http-non-secure port 80 vip address 10.176.11.100 protocol tcp port 80 url add service s1 add service s2 add service s3 add service s4 active content http-secure port 81 vip address 10.176.11.100 add service s1 add service s2 add service s3 add service s4...

Page 170: ...version 4.1 build 200301221818 Device Type: CSS-SCA Device Id: S/N 119f04 Device OS: MaxOS version 4.1.0 build 200301221818 (by reading) Mode: no mode one-port Interfaces: interface network auto end interface server auto end Device: ip address 10.176.10.10 netmask 255.255.255.0 hostname SCA107 timezone MST7MDT Password: password idle-timeout 15 SNTP: sntp interval 86400 Static Routes: ip route 0.0.0.0 0.0.0...

Page 171: ...le session-cache size 20480 session-cache timeout 300 session-cache enable no clientauth enable clientauth error cert-other-error fail clientauth error cert-not-provided fail clientauth error cert-has-expired fail clientauth error cert-not-yet-valid fail clientauth error cert-has-invalid-ca fail clientauth error cert-has-signature-failure fail clientauth error cert-revoked...
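The listing above sets two bounds on SSL session reuse: session cache size 20480 and session cache timeout 300. The following is an added example, not the appliance's own implementation, showing the policy those two parameters express: a cached session is reusable for at most `timeout` seconds (an expired ID is refused and the client falls back to a full handshake), and when the cache is full the least recently used entry is evicted. The session IDs, secrets and clock values are constructed inputs.

```python
"""Size- and time-bounded SSL session cache (added example, not SCA code)."""
from collections import OrderedDict
import os


class SessionCache:
    """Resumption cache with an LRU size bound and an absolute-age timeout."""

    def __init__(self, size, timeout):
        self.size, self.timeout = size, timeout
        self._entries = OrderedDict()        # session_id -> (master_secret, inserted_at)
        self.hits = self.misses = self.evictions = 0

    def __len__(self):
        return len(self._entries)

    def put(self, session_id, secret, now):
        """Store a freshly negotiated session; evict the LRU entry if the cache is full."""
        if session_id in self._entries:
            self._entries.pop(session_id)
        elif len(self._entries) >= self.size:
            self._entries.popitem(last=False)   # least recently used is at the front
            self.evictions += 1
        self._entries[session_id] = (secret, now)

    def resume(self, session_id, now):
        """Return the cached secret for a resumption attempt, or None (full handshake)."""
        entry = self._entries.get(session_id)
        if entry is None:
            self.misses += 1
            return None
        secret, inserted_at = entry
        if now - inserted_at > self.timeout:
            # Expired: the ID must not be honoured even though the secret is still held.
            # Age is measured from insertion, so a hit does not extend the lifetime.
            del self._entries[session_id]
            self.misses += 1
            return None
        self._entries.move_to_end(session_id)    # refresh LRU position only
        self.hits += 1
        return secret


def demo():
    """Drive the cache with constructed session IDs and a simulated clock (seconds)."""
    cache = SessionCache(size=2, timeout=300)    # small size so eviction is visible
    sid = [os.urandom(16).hex() for _ in range(3)]   # constructed 16-byte session IDs
    cache.put(sid[0], "master-secret-0", now=0)
    cache.put(sid[1], "master-secret-1", now=10)
    results = {"resume_fresh": cache.resume(sid[0], now=100)}     # 100 s old: hit
    cache.put(sid[2], "master-secret-2", now=120)                  # full: evicts sid[1] (LRU)
    results["resume_evicted"] = cache.resume(sid[1], now=130)      # gone: full handshake
    results["resume_expired"] = cache.resume(sid[0], now=310)      # 310 s old: expired
    results["resume_after"] = cache.resume(sid[2], now=400)        # 280 s old: hit
    return results, cache


if __name__ == "__main__":
    res, c = demo()
    print(res, "hits", c.hits, "misses", c.misses, "evictions", c.evictions)
```

The timeout is the security-relevant knob: it caps how long a captured session ID (and the master secret behind it) remains reusable on the appliance, so it should be set no longer than the application actually needs.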

Page 172: ...plications such as reverse proxy caching and content-type separation can be enabled. The level depends upon the type of content and the mix of HTTP 1.0 and HTTP 1.1 traffic. The one-armed non-transparent proxy deployment is complex to configure, but it provides a high degree of scalability. If IP address accounting is required, use the command log url when configuring the Secure Content Accelerator. Thi...

Page 173: ...th a different destination port definition. The Secure Content Accelerator does not use the IP address to ensure traffic is sent to the correct server, because the CSS changes the destination IP address to that of the Secure Content Accelerator. The Secure Content Accelerator is configured only at Layer 4. This configuration requires setting multiple destination IP/destination port pairs on the Secure...

Page 174: ...services as required for each server, adding keepalive attributes as necessary. Create a default route to the upstream router. Create Layer 4 rules for each incoming VIP and add appropriate Secure Content Accelerator services. Create Layer 5 rules for the secure content. Create content rules as required for non-secure content. Export keys and certificates from any existing secure servers if necessary. As...

Page 175: ...ip address 10.176.1.1 255.255.255.0 circuit VLAN7 ip address 10.176.10.1 255.255.255.0 circuit VLAN8 ip address 10.100.132.101 255.255.0.0 SERVICE service s1 ip address 10.176.10.10 protocol tcp active service s2 ip address 10.176.10.11 protocol tcp active service s3 ip address 10.176.10.12 protocol tcp active service s4 ip address 10.176.10.13 protocol tcp active service ssl1-443 port 443 protoco...

Page 176: ...p ip address 10.176.1.4 active service ssl2-444 port 444 protocol tcp ip address 10.176.1.4 active service ssl3-443 port 443 protocol tcp ip address 10.176.1.5 active service ssl3-444 port 444 protocol tcp ip address 10.176.1.5 active service ssl4-443 port 443 protocol tcp ip address 10.176.1.6 active service ssl4-444 port 444 protocol tcp ip address 10.176.1.6 active service ssl5-443 port 443 pro...

Page 177: ...service ssl6-444 port 444 protocol tcp ip address 10.176.1.8 active OWNER owner test content http-secure port 81 vip address 10.176.11.100 add service s1 add service s2 add service s3 add service s4 protocol tcp port 81 url secure active content http-non-secure port 80 vip address 10.176.11.100 add service s1 add service s2 add service s3 add service s4 protocol tcp port 81 url active content ssl...

Page 178: ...78-13124-06 add service ssl2-443 add service ssl3-443 add service ssl4-443 add service ssl5-443 add service ssl6-443 active content ssl-444 protocol tcp vip address 10.176.11.101 port 443 add service ssl2-444 add service ssl1-444 add service ssl3-444 add service ssl4-444 add service ssl5-444 add service ssl6-444 active ...

Page 179: ...fg version 4.1 build 200301221818 Device Type: CSS-SCA Device Id: S/N 119f04 Device OS: MaxOS version 4.1.0 build 200301221818 (by reading) Mode: mode one-port Interfaces: interface network auto end interface server auto end Device: ip address 10.176.10.10 netmask 255.255.255.0 hostname SCA107 timezone MST7MDT Password: password idle-timeout 15 SNTP: sntp interval 86400 Static Routes: ip route 0.0.0.0 0.0.0 ...

Page 180: ...de 78-13124-06 Telnet: telnet enable Web Management: web-mgmt port 80 web-mgmt enable SNMP Subsystem: snmp enable SSL Subsystem: ssl server myserver create ip address 10.176.10.20 localport 443 remoteport 81 key default-512 cert default-512 secpolicy default sslv2 enable sslv3 enable tlsv1 enable session-cache size 20480 ...
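The Secure Content Accelerator listing above enables telnet, web management on port 80 and SNMP, and its logical server binds a key named default 512 (read here as a 512-bit RSA key, which is the assumption the check below makes) with sslv2 enable. A practitioner reviewing such a dump wants those points flagged mechanically. The following is an added example, not code from the guide or the product: it parses the flat keyword-value layout the listings use and reports weak settings. The command spellings with hyphens (web-mgmt, session-cache, default-512, one-port), the 2048-bit floor and the sample configuration itself are assumptions constructed for the example.

```python
"""Audit an SCA-style running configuration for weak management and SSL settings
(added example; parser and thresholds are assumptions, not the product's own code)."""
import re

# Constructed sample, modelled on the guide's listing style; not a real device dump.
# "myserver" mirrors the weak choices visible in the listing; "shop" is a corrected peer.
SAMPLE_CONFIG = """\
mode one-port
ip address 10.176.10.10 netmask 255.255.255.0
hostname SCA107
password idle-timeout 15
telnet enable
web-mgmt port 80
web-mgmt enable
snmp enable
ssl
  server myserver create
    ip address 10.176.10.20
    localport 443
    remoteport 81
    key default-512
    cert default-512
    secpolicy default
    sslv2 enable
    sslv3 enable
    tlsv1 enable
    session-cache enable
    no clientauth enable
  end
  server shop create
    ip address 10.176.10.21
    localport 443
    remoteport 81
    key shop-2048
    cert shop-2048
    secpolicy strong
    no sslv2 enable
    sslv3 enable
    tlsv1 enable
  end
end
"""

MIN_RSA_BITS = 2048   # assumption: modern floor; the appliance's era shipped 512/1024-bit defaults


def parse_config(text):
    """Split the listing into global commands and a per-logical-server command list."""
    global_cmds, servers, current = [], {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())          # indentation carries no meaning
        if not line:
            continue
        m = re.fullmatch(r"server (\S+) create", line)
        if m:
            current = m.group(1)
            servers[current] = []
        elif line == "end":
            current = None
        elif current:
            servers[current].append(line)
        else:
            global_cmds.append(line)
    return global_cmds, servers


def key_bits(server_cmds):
    """Infer RSA size from the key name's trailing digits (assumption: names like default-512)."""
    for cmd in server_cmds:
        m = re.fullmatch(r"key (\S+)", cmd)
        if m:
            digits = re.search(r"(\d+)$", m.group(1))
            return int(digits.group(1)) if digits else None
    return None


def audit(text):
    """Return (scope, code, message) triples, one per weak setting found."""
    global_cmds, servers = parse_config(text)
    g, findings = set(global_cmds), []
    if "telnet enable" in g:
        findings.append(("global", "telnet-cleartext",
                         "telnet management enabled; passwords cross the network in clear text"))
    if "web-mgmt enable" in g and "web-mgmt port 80" in g:
        findings.append(("global", "web-mgmt-cleartext",
                         "web management enabled on port 80 (HTTP rather than HTTPS)"))
    if "snmp enable" in g:
        findings.append(("global", "snmp-enabled",
                         "SNMP enabled; confirm community strings and trap targets are deliberate"))
    for name, cmds in servers.items():
        if "sslv2 enable" in cmds:       # exact match, so "no sslv2 enable" does not trigger
            findings.append((name, "sslv2-enabled", "SSLv2 accepted; use 'no sslv2 enable'"))
        bits = key_bits(cmds)
        if bits is not None and bits < MIN_RSA_BITS:
            findings.append((name, "weak-key", f"RSA key appears to be {bits} bits"))
    return findings


if __name__ == "__main__":
    for scope, code, msg in audit(SAMPLE_CONFIG):
        print(f"{scope:10} {code:20} {msg}")
```

Run against the sample, the audit reports the three global findings and both server findings for myserver, and nothing for shop; the same parser can be pointed at a write terminal dump captured over the console.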

Page 181: ...haredcipher error failhtml ephemeral error failhtml no httpheader client-cert no httpheader server-cert no httpheader session no httpheader pre-filter httpheader prefix SSL ephrsa keepalive frequency 5 keepalive maxfailure 3 no keepalive enable end end. One-Armed Transparent Proxy: This deployment uses a single CSS for load balancing up to 15 Secure Content Accelerator devices. The deployment combine...

Page 182: ...deployment has several constraints: No SSL client can be attached to a directly connected subnet; all SSL clients must pass through an upstream router. ACLs must be written so that Secure Content Accelerator management and other applications are passed through the CSS properly. Static routes must be added to the CSS so that traffic that should not pass through the Secure Content Accelerator devices is...

Page 183: ...or static route in such a way that it will force all traffic to the upstream router's ECMP route, all traffic matching the ACL or static route will bypass the Secure Content Accelerator devices. Thus, management of the Secure Content Accelerator devices and management stations requiring ICMP or SNMP to operate will not have access to SSL processing. Table B-3 shows basic configuration actions for both...

Page 184: ...nt and that no cache bypass is configured. Create services as required for each server, adding keepalive attributes as necessary. Create Layer 4 content rules to balance the Secure Content Accelerator devices; you may use advanced-balance ssl and application ssl to assist with SSL V3 key reuse. Create Layer 5 rules for secure content. Create content rules as required for non-secure content. Define ACLs...

Page 185: ...176.2.3 1 ip route 0.0.0.0 0.0.0.0 10.176.3.3 1 ip route 0.0.0.0 0.0.0.0 10.176.4.3 1 ip route 0.0.0.0 0.0.0.0 10.176.5.3 1 ip route 0.0.0.0 0.0.0.0 10.176.6.3 1 (network management station static route) ip route 10.176.50.100 255.255.255.255 10.176.50.1 1 INTERFACE interface ethernet-2 bridge vlan 2 interface ethernet-3 bridge vlan 3 interface ethernet-4 bridge vlan 4 interface ethernet-5 bridge v...

Page 186: ...s 10.176.4.1 255.255.255.0 circuit VLAN5 ip address 10.176.5.1 255.255.255.0 circuit VLAN6 ip address 10.176.6.1 255.255.255.0 circuit VLAN7 ip address 10.176.10.1 255.255.255.0 circuit VLAN8 ip address 10.176.50.2 255.255.255.0 SERVICE service s1 ip address 10.176.10.10 protocol tcp active service s2 ip address 10.176.10.11 protocol tcp active service s3 ip address 10.176.10.12 protocol tcp activ...

Page 187: ...transparent-cache no cache-bypass ip address 10.176.2.3 active service ssl3 port 443 protocol tcp type transparent-cache no cache-bypass ip address 10.176.3.3 active service ssl4 port 443 protocol tcp type transparent-cache no cache-bypass ip address 10.176.4.3 active service ssl5 port 443 protocol tcp type transparent-cache no cache-bypass ip address 10.176.5.3 active service ssl6 port 443 proto...

Page 188: ...service s1 add service s2 add service s3 add service s4 protocol tcp port 81 url secure active content http-non-secure port 80 vip address 10.176.11.100 add service s1 add service s2 add service s3 add service s4 protocol tcp port 80 url active content ssl protocol tcp port 443 add service ssl1 add service ssl2 add service ssl3 add service ssl4 add service ssl5 add service ssl6 vip address 10.176...

Page 189: ...permit any any destination any eq 443 clause 20 permit any any destination any eq 81 clause 30 permit tcp any destination any eq 2932 clause 40 permit udp any destination any eq 2932 clause 50 permit udp any eq 2932 destination any prefer upstream-router clause 99 permit any any destination any apply circuit-(VLAN6) apply circuit-(VLAN5) apply circuit-(VLAN4) apply circuit-(VLAN3) apply circuit-(VLAN2) appl...
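The ACL above is evaluated clause by clause, and the constraints section before it warns that any clause or static route that prefers the upstream router for a management station's traffic takes that station out of SSL processing entirely. The following is an added example, not part of the guide: a first-match evaluator over constructed clauses in the same shape as the listing (clause number, protocol, source, destination, optional port, optional prefer). It contrasts a broad "everything from the management station goes upstream" clause, which also diverts the station's HTTPS, with a narrow one that diverts only ICMP and SNMP. The addresses, the service name upstream-router, the clause numbers and the implicit-deny fallback are assumptions made for the example.

```python
"""First-match evaluation of CSS-style ACL clauses (added example, not from the guide)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Clause:
    number: int
    protocol: str                  # "any", "tcp", "udp", "icmp"
    src: str                       # CIDR or "any"
    dst: str                       # CIDR or "any"
    dst_port: Optional[int]        # None matches any destination port
    prefer: Optional[str] = None   # service that overrides content-rule processing


@dataclass(frozen=True)
class Flow:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def _addr_match(pattern, addr):
    return pattern == "any" or ip_address(addr) in ip_network(pattern)


def matches(clause, flow):
    return (clause.protocol in ("any", flow.protocol)
            and _addr_match(clause.src, flow.src)
            and _addr_match(clause.dst, flow.dst)
            and clause.dst_port in (None, flow.dst_port))


def evaluate(acl, flow):
    """Return (clause number, disposition); the lowest-numbered matching clause wins."""
    for clause in sorted(acl, key=lambda c: c.number):
        if matches(clause, flow):
            disposition = f"bypass:{clause.prefer}" if clause.prefer else "content-rules"
            return clause.number, disposition
    return None, "deny"   # assumption: an enabled ACL denies what no clause permits


MGMT_STATION = "10.176.50.100/32"   # constructed management-station address

# Constructed ACL 1: all traffic from the management station is forced to the upstream
# router before the port-443 clause is reached. This is the shape the guide warns about:
# the station's own HTTPS sessions never reach the Secure Content Accelerators.
BROAD_ACL = [
    Clause(5, "any", MGMT_STATION, "any", None, prefer="upstream-router"),
    Clause(10, "any", "any", "any", 443),
    Clause(20, "any", "any", "any", 81),
    Clause(99, "any", "any", "any", None),
]

# Constructed ACL 2: only what the station needs for management (ICMP, SNMP on UDP/161)
# is diverted; its HTTPS still falls through to clause 10 and gets SSL processing.
NARROW_ACL = [
    Clause(5, "icmp", MGMT_STATION, "any", None, prefer="upstream-router"),
    Clause(6, "udp", MGMT_STATION, "any", 161, prefer="upstream-router"),
    Clause(10, "any", "any", "any", 443),
    Clause(20, "any", "any", "any", 81),
    Clause(99, "any", "any", "any", None),
]

# Constructed flows: an Internet client, and the management station doing three things.
CLIENT_HTTPS = Flow("tcp", "192.0.2.10", "10.176.11.100", 443)
MGMT_PING = Flow("icmp", "10.176.50.100", "10.176.1.3")
MGMT_SNMP = Flow("udp", "10.176.50.100", "10.176.1.3", 161)
MGMT_HTTPS = Flow("tcp", "10.176.50.100", "10.176.11.100", 443)

if __name__ == "__main__":
    for name, acl in (("broad", BROAD_ACL), ("narrow", NARROW_ACL)):
        for flow in (CLIENT_HTTPS, MGMT_PING, MGMT_SNMP, MGMT_HTTPS):
            print(name, flow.protocol, flow.src, flow.dst_port, evaluate(acl, flow))
```

Clause order is the whole point: the bypass rule must be narrower than "any" or placed after the SSL clauses, otherwise the station that monitors the offloaders can no longer be used to test them.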

Page 190: ...fg version 4.1 build 200301221818 Device Type: CSS-SCA Device Id: S/N 119f04 Device OS: MaxOS version 4.1.0 build 200301221818 (by reading) Mode: no mode one-port Interfaces: interface network auto end interface server auto end Device: ip address 10.176.1.3 netmask 255.255.255.0 hostname SCA107 timezone MST7MDT Password: password idle-timeout 15 SNTP: sntp interval 86400 Static Routes: ip route 0.0.0.0 0.0.0...

Page 191: ...le session-cache size 20480 session-cache timeout 300 session-cache enable no clientauth enable clientauth error cert-other-error fail clientauth error cert-not-provided fail clientauth error cert-has-expired fail clientauth error cert-not-yet-valid fail clientauth error cert-has-invalid-ca fail clientauth error cert-has-signature-failure fail clientauth error cert-revoked...

Page 192: ...ator via the RJ-45 to DB-9F adapter. 3. Using the line interface on the terminal server, use these commands: line 1; autocommand connect; transport input all. Note: If you are using firmware older than 3.0.5 on the Secure Content Accelerator, also use the command speed 115200. Web Site Changes: You must make changes to your existing Web pages before users can access them. 1. Install and configure the Secure Content...

Page 193: ...e issued and the command will fail. Since, as the name implies, transparent local listen uses a local listening socket for inbound SSL connections, precisely as no transparent does, unique listening ports must be defined to host multiple logical SSL servers. Unlike conventional transparent mode, the IP address specified within the configuration will not be used to listen for inbound traffic but rather on...

Page 194: ...ow view, and the second two flow entries (offloader to origin server) look like a transparent flow view. Again, it is critical to keep in mind that although transparent local listen is a hybrid proxy, the model still creates two instances of the client's IP address and must employ some means of differentiation. This is why, even though network address translation is occurring on the redirection of traffic...

Page 195: ...ommands are available only with specific configuration connection methods. Availability of each command is indicated. Configuration using the GUI is described in Chapter 5. Configuration for FIPS-compliant operation is presented in Chapter 6, FIPS Operation. This appendix contains the following sections: Input Data Format Specification; Text Conventions; Editing and Completion Features; Command Hierarchy; C...

Page 196: ...rface or is returned by the computer. Courier bold text indicates commands and text you enter in a command line. Italic text indicates the first occurrence of a new term, a book title, and emphasized text. In this command summary, items presented in italics represent user-specified information. Items within angle brackets are required information. Items within square brackets are optional information. Items...

Page 197: ...s. CTRL-A: Moves the cursor to the beginning of the command line. CTRL-B: Moves the cursor to the previous character. CTRL-C: Exits the QuickStart wizard at any point (the configuration is not saved). CTRL-D: When editing a command, deletes the character to the right of the cursor; otherwise exits the current configuration level, or exits the configuration manager if at the Top Level. CTRL-E: Moves the cursor to the end of the...

Page 198: ...the TAB or ? keys display all options: SCA> show <TAB> access-list, ip, snmp, arp, keepalive-monitor, ssl, copyrights, memory, syslog, cpu, messages, system-resources, device, netstat, terminal, dns, processes, version, history, rip, interface, route. The TAB key can also be used to finish a command if the command is uniquely identified by user input: SCA> show cop<TAB> results in SCA> show copyrights. LEFT ARROW: Moves the curs...

Page 199: ...curity policy, and server names are case-sensitive. Command Hierarchy: The CLI configuration manager allows you to control the hardware and SSL portions of the appliance through a discrete mode and submode system. The commands for the Secure Content Accelerator device fit into the logical hierarchy shown in Figure C-1. Figure C-1 Command Hierarchy: SSL; INTERFACE; KEY; SECURITY POLICY; CERTIFICATE; CERTIFICATE GR...

Page 200: ...w easy, flexible configuration without compromising the security of your network or their own configuration. Passwords: Cisco Secure Content Accelerator devices use two levels of password protection: access and enable level. Access-level passwords control who can access the device via telnet and serial connections. Enable-level passwords control who can view the same data available with access-level pas...

Page 201: ...tem. Factory Default Reset Password: If you have forgotten your access or enable password, you can use a factory-set password during a serial configuration session. When prompted for a password, enter FailSafe (case-sensitive). You are asked to confirm the action. The appliance reboots (reloads) with factory default settings. Caution: All configuration is lost when using the factory default reset password. Meth...

Page 202: ...system. A path must be included if necessary. When using serial or telnet management, the file name must be entered in any of the following formats: http://, ftp://, https://, or tftp:// URL. In situations where a file is written, anonymous write access must be configured on the system, with these caveats: http: The server must be configured to accept PUT commands. https: The server must be configured to accept PUT commands. f...

Page 203: ...oftware. The device terminal settings can be changed if necessary. Use the standard ANSI setting on the serial terminal software. Note: When operating in FIPS Mode, only serial management access is available. 1. Attach the included null modem cable to the appliance port marked CONSOLE. Attach the other end of the null modem cable to a serial port on the configuring computer. 2. Launch any terminal emulation...

Page 204: ...the IP address previously assigned to the appliance. 2. An SCA prompt is displayed. Note: When prompted to supply a file name during a telnet management session, you must supply it as a URL in the form HOST/PATH/FILENAME using the http://, https://, ftp://, or tftp:// prefix. Command Listing: The following tables present all commands available for the device. Non-Privileged Command | Description; Privileged Command | Desc...

Page 205: ...or (page 33): Displays the results of the specified command at one-second intervals. paws (page 33): Pauses the configuration manager until a key is pressed. ping (page 33): Sends ICMP packets to the specified IP address. quit (page 34): Quits the configuration manager. set monitor interval (page 34): Sets the number of seconds between monitor-prefixed command refreshes. show arp (page 35): Displays the ARP cache on the...

Page 206: ...and UDP statistics for the device. show keepalive-monitor (page 41): Displays a list of keepalive monitor IP addresses for one or more devices. show log (page 42): Displays the diagnostic message buffer. show memory (page 42): Displays memory usage on the device. show messages (page 42): Displays the diagnostic message buffer for the device. show netstat (page 43): Displays the current state of the IP connection for the...

Page 207: ...pecified certificate group loaded on the device. show ssl errors (page 49): Displays SSL errors reported on the device. show ssl key (page 54): Displays summary data for the specified private key loaded on the device. show ssl secpolicy (page 54): Displays summary data for the specified security policy on the device. show ssl server (page 55): Displays information for the specified configured logical secure serve...

Page 208: ...mands saved in the history buffer. terminal length (page 65): Sets the number of lines in a terminal window. terminal pager (page 65): Enables the terminal pager. terminal reset (page 66): Resets the internal state of the terminal. terminal width (page 66): Sets the width of the terminal window. traceroute (page 67): Displays the router information to the specified destination. Table C-4 Privileged Command Description...

Page 209: ...tes the startup configuration of a device to its running configuration. copy to flash (page 73): Uploads a Cisco Secure Content Accelerator image file to the device flash. copy to running-configuration (page 74): Uploads a saved configuration file and merges it into the running configuration of a device. copy to startup-configuration (page 74): Uploads a saved configuration file and merges it into the startup con...

Page 210: ...es the running configuration to flash memory on a device. write memory (page 81): Writes the running configuration to flash memory on a device. write messages (page 82): Writes the diagnostic messages for the device to a file. write network (page 82): Writes the running configuration to a file on a remote host. write terminal (page 83): Displays the running configuration of the device. Table C-5 Configuration Comm...

Page 211: ...ic route entry for the specified destination IP address to the device routing table. ip route default (page 91): Sets the default route for the current device. keepalive-monitor (page 91): Indicates that SSL errors from the specified IP address are to be ignored. mode one-port (page 92): Enables secure and non-secure traffic to pass through the single Network Ethernet port. mode pass-thru (page 92): Enables pass...

Page 212: ...P trap messages. snmp trap-type enterprise (page 101): Enables device event trap messages to be sent for a specific trap type, event, and event filter. snmp trap-type generic (page 102): Enables generic SNMP traps. sntp interval (page 103): Sets the polling interval for all configured SNTP servers. sntp server (page 104): Assigns an SNTP server. ssl (page 104): Enters SSL Configuration mode for the current device. syslog (pa...

Page 213: ...onfiguration Command Description: Command | Description. auto (page 111): Sets the current Ethernet interface to autonegotiation, canceling any existing forced duplex or speed setting. duplex (page 111): Forces the current Ethernet interface to full or half duplex. end (page 111): Exits Interface Configuration mode and returns to Configuration mode. finished (page 112): Leaves Interface Configuration Mode and returns...

Page 214: ...de. exit (page 116): Leaves SSL Configuration mode and returns to Configuration mode. finished (page 116): Leaves SSL Configuration Mode and returns to Top Level mode. gencsr (page 116): Generates a certificate signing request and/or self-signed certificate. help (page 117): Displays help information for the specified command. import pkcs12 (page 118): Imports and processes a PKCS #12 file to create certificate and ke...

Page 215: ...25): Exits Backend Server Configuration mode, activates all changes, and returns to SSL Configuration mode. exit (page 125): Exits Backend Server Configuration mode, activates all changes, and returns to SSL Configuration mode. finished (page 125): Leaves Backend Server Configuration Mode and returns to Top Level mode. help (page 126): Displays help information for the specified command. info (page 126): Displays curre...

Page 216: ...auth enable (page 131): Enables server certificate authentication. serverauth ignore (page 132): Specifies the server authentication errors to ignore. session-cache enable (page 132): Enables session caching. session-cache size (page 133): Specifies the size of the session cache. session-cache timeout (page 133): Specifies how long a session cache entry is kept before being timed out. sslv2 enable (page 134): Enables SSL version 2 pr...

Page 217: ...and returns to SSL Configuration mode. finished (page 139): Leaves Certificate Configuration Mode and returns to Top Level mode. help (page 139): Displays help information for the specified command. info (page 140): Displays current information about the certificate object being created or edited. pem (page 140): Loads a PEM-encoded X.509 certificate into the current certificate object. pem paste (page 140): Allows a...

Page 218: ...binary (hex-encoded) X.509 key to be pasted into the configuration manager. der (page 145): Loads a DER-encoded X.509 key file into the current key object. end (page 146): Exits Key Configuration mode, activates all changes, and returns to SSL Configuration mode. exit (page 146): Exits Key Configuration mode, activates all changes, and returns to SSL Configuration mode. finished (page 146): Leaves Key Configuration Mod...

Page 219: ...to SSL Configuration mode. exit (page 151): Exits Reverse Proxy Server Configuration mode, activates all changes, and returns to SSL Configuration mode. finished (page 152): Leaves Reverse Proxy Server Configuration Mode and returns to Top Level mode. help (page 152): Displays help information for the specified command. info (page 152): Displays current information about the reverse proxy server being edited or cre...

Page 220: ...ocols. urlrewrite (page 160): Sets or removes a specified URL rewrite rule for the current reverse proxy server. Table C-13 Security Policy Configuration Command Description: Command | Description. crypto (page 161): Creates a customized security policy for the current SSL device. end (page 163): Exits Security Policy Configuration mode, activates all changes, and returns to SSL Configuration mode. exit (page 163): Exit...

Page 221: ...ge 169): Specifies the level of certificate within the certificate group to use when verifying client certificates. end (page 170): Exits Server Configuration mode, activates all changes, and returns to SSL Configuration mode. ephemeral error (page 170): Specifies device behavior when an error is caused by a client attempting to attach to a server that does not have ephemeral RSA enabled. ephrsa (page 171): When...

Page 222: ...re server receives SSL traffic. The SSL traffic is decrypted and sent to the real server using the TCP service port previously specified with the remoteport command. log url (page 178): Specifies a host for logging of URL requests. remoteport (page 179): Specifies the TCP service port through which non-secure connections are sent. session-cache enable (page 181): Enables session caching. session-cache size (page...

Page 223: ...iption. 2msltime (page 189): Specifies the maximum amount of time that a segment can exist on the network before being discarded. delay-ack (page 190): Specifies the amount of time to wait before sending a delayed ACK. finwt2time (page 191): Specifies the amount of time to wait after acknowledgement of an initial FIN prior to closing the TCP connection. keepalive (page 191): Specifies the amount of time to keep a...

Page 224: ...page 199): Controls whether data is sent immediately regardless of the maxseg value or application completeness. rto-def (page 199): Specifies the default retransmission timeout. rto-max (page 200): Specifies the maximum allowable roundtrip timeout (rto) value. rto-min (page 201): Specifies the minimum allowable roundtrip timeout (rto) value. slow-start (page 202): Controls use of an algorithm determining the rate at w...

Page 225: ...tion modes, manage hardware, and exit the configuration manager. Non-Privileged Command Set: The Non-Privileged command set consists of the lowest-level commands, having the least impact on configuration and security of the devices. clear screen: Clears the display, leaving only one prompt line. Syntax: clear screen. Usage Guidelines: Availability: Serial, Telnet, FIPS Mode (serial only). cls: Clears the display, leaving on...

Page 226: ...nable password, see Factory Default Reset Password. Related Commands: See the section Privileged Command Set. exit: Quits the configuration manager. Syntax: exit. Usage Guidelines: Availability: Serial, Telnet, FIPS Mode (serial only). When executed from a serial connection, the connection is not closed; if an access password has been configured, you are prompted for it. When executed from telnet, the telnet connection is c...

Page 227: ...the specified command at one-second intervals. Syntax: monitor command. Syntax Description; Usage Guidelines: Availability: Serial, Telnet, FIPS Mode (serial only). The interval between refreshes is set using the set monitor interval command. Related Commands: set monitor interval (Non-Privileged Command Set). paws: Pauses the configuration manager until a key is pressed. Syntax: paws. Usage Guidelines: Availability: Serial, Telnet, F...

Page 228: ...Commands: ip name-server (Configuration Command Set). quit: Quits the configuration manager. Syntax: quit. Usage Guidelines: Availability: Serial, Telnet, FIPS Mode (serial only). When executed from a serial connection, the connection is not closed; if an access password has been configured, you are prompted for it. When executed from telnet, the telnet connection is closed. Related Commands: exit (Non-Privileged Command Set). s...

Page 229: ...monitor (Non-Privileged Command Set). show arp: Displays the ARP cache on the device. Syntax: show arp. Usage Guidelines: Availability: Serial, Telnet, FIPS Mode (serial only). show copyrights: Displays copyright information for software and hardware products. Syntax: show copyrights. Usage Guidelines: Availability: Serial, Telnet, FIPS Mode (serial only). Related Commands: show version (Non-Privileged Command Set). show cpu: Displays CPU u...

Page 230: ...n interval for display updates. Press any key to stop displaying statistics. show date: Displays current date and time settings on the device. Syntax: show date. Usage Guidelines: Availability: Serial, Telnet, FIPS Mode (serial only). Related Commands: rdate server (Configuration Command Set). show device: Displays information about the device. Syntax: show device. Usage Guidelines: Availability: Serial, Telnet, FIPS Mode (serial only). c...

Page 231: ...n-name (Configuration Command Set); show ip domain-name (Non-Privileged Command Set); show ip name-server (Non-Privileged Command Set). show flows: Displays IP connection information for the device. Syntax: show flow. Usage Guidelines: Availability: Serial, Telnet, FIPS Mode (serial only). show history: Displays the last commands executed. Syntax: show history. Usage Guidelines: Availability: Serial, Telnet, FIPS Mode (serial only). Related...

Page 232: ...Commands: show interface errors (Non-Privileged Command Set); show interface statistics (Non-Privileged Command Set); interface (Configuration Command Set; see the section Interface Configuration Command Set). show interface errors: Displays error information for the specified Ethernet interface(s). Syntax: show interface errors [network | server] [continuous | interval value]. Syntax Description: network: Displays information f...

Page 233: ...Command Set (see the section Interface Configuration Command Set). show interface statistics: Displays interface statistics for the specified interface(s). Syntax: show interface statistics [network | server] [continuous | interval value]. Syntax Description; Usage Guidelines: Availability: Serial, Telnet, FIPS Mode (serial only). If a single interface is not specified, statistics are displayed for both interfaces. If continuous...

Page 234: ...figuration information for the device. Syntax: show ip domain-name. Usage Guidelines: Availability: Serial, Telnet, FIPS Mode (serial only). Related Commands: ip domain-name (Configuration Command Set); show dns (Non-Privileged Command Set); show ip name-server (Non-Privileged Command Set). show ip name-server: Displays DNS configuration information for the device. Syntax: show ip name-server. Usage Guidelines: Availability: Serial, Teln...

Page 235: ...ged Command Set. show ip statistics: Displays diagnostic IP, ICMP, TCP, and UDP statistics for the device. Syntax: show ip statistics. Usage Guidelines: Availability: Serial, Telnet, FIPS Mode (serial only). show keepalive-monitor: Displays a list of keepalive monitor IP addresses for one or more devices. Syntax: show keepalive-monitor. Usage Guidelines: Availability: Serial, Telnet, FIPS Mode (serial only). SSL errors from IP addresses...

Page 236: ...messages (Privileged Command Set); show messages (Non-Privileged Command Set). show memory: Displays memory usage on the device. Syntax: show memory [zones]. Syntax Description; Usage Guidelines: Availability: Serial, Telnet, FIPS Mode (serial only). The zones flag is used to display information for each memory zone. show messages: Displays the diagnostic message buffer for the device. Syntax: show messages. Usage Guidelines: Availabil...

Page 237: ...netstat: Displays the current state of the IP connection for the device. Syntax: show netstat. Usage Guidelines: Availability: Serial, Telnet, FIPS Mode (serial only). show password: Displays password configuration status and idle timeout period. Syntax: show password. Usage Guidelines: Availability: Serial, Telnet, FIPS Mode (serial only). Related Commands: password (Configuration Set). show password access: Displays access password con...

Page 238: ...nes: Availability: Serial, Telnet, FIPS Mode (serial only). Related Commands: password (Configuration Set). show password idle-timeout: Displays the configured password idle timeout period. Syntax: show password idle-timeout. Usage Guidelines: Availability: Serial, Telnet, FIPS Mode (serial only). Related Commands: password (Configuration Set). show processes: Displays information by thread about processes running on the device. sh...

Page 239: ...rdate server. Usage Guidelines: Availability: Serial, Telnet, FIPS Mode (serial only). show rip: Displays the RIP status of the device. Syntax: show rip. Usage Guidelines: Availability: Serial, Telnet, FIPS Mode (serial only). Related Commands: rip (Configuration Command Set). show route: Displays the routing table stored in the device. Syntax: show route. Usage Guidelines: Availability: Serial, Telnet, FIPS Mode (serial only). Related Command...

Page 240: ...nly). Related Commands: clear line (Privileged Command Set). show sntp: Displays all SNTP configuration information for the device. Syntax: show sntp. Usage Guidelines: Availability: Serial, Telnet, FIPS Mode (serial only). Related Commands: sntp interval (Configuration Command Set); sntp server (Configuration Command Set). show sntp server: Displays SNTP server information for the device. Syntax: show sntp server. Usage Guidelines: Availa...

Page 241: ...ow ssl errors (Non-Privileged Command Set); show ssl key (Non-Privileged Command Set); show ssl secpolicy (Non-Privileged Command Set); show ssl server (Non-Privileged Command Set); show ssl statistics (Non-Privileged Command Set); ssl (Configuration Command Set; see the section SSL Configuration Command Set). show ssl cert: Displays summary data for the specified certificate entity loaded on the device. Syntax: show ssl cert...

Page 242: ...figuration Command Set, Certificate Configuration Command Set, and Certificate Group Configuration Command Set. show ssl certgroup: Displays summary data for the specified certificate group loaded on the device. Syntax: show ssl certgroup [certgroupname]. Syntax Description; Usage Guidelines: Availability: Serial, Telnet, FIPS Mode (serial only). If you do not specify a certificate group, all certificate group information...

Page 243: ...Displays SSL errors reported on a single device or module. Use the continuous keyword to update the statistics every second. Use the interval keyword to specify an interval for display updates, where value is the interval in seconds. Press any key to stop displaying errors. Table C-16 displays output descriptions. continuous: Displays errors continuously. interval: Specifies an interval for display update...

Page 244: ...ient has reset the connection. SSL System Read Errors from client: Generated when an error occurs when reading from a client. SSL Read Broken Connection Error from client: Generated when reading from a client after the client has reset the connection. System Write Errors to remote server: Generated when an error occurs when writing to a remote server. Broken Connection Write Errors to remote server: Gener...

Page 245: ...d block; Connection refused; Connection reset by peer; Socket not connected; Message size error; Pipe error; EDESTADDRREQ; EDESTADDREQ; Socket shutdown; Unsupported protocol option; Out of band data; Address is not available; Address already in use; Address family is not supported; Operation already in progress; lower error; I/O error; Destination host is down; Unsupported protocol; Destination network is down; Desti...

Page 246: ...block; Connection refused; Connection reset by peer; Socket not connected; Message size error; Pipe error; EDESTADDRREQ; EDESTADDREQ; Socket shutdown; Unsupported protocol option; Out of band data; Address is not available; Address already in use; Address family is not supported; Operation already in progress; lower error; I/O error; Destination host is down; Unsupported protocol; Destination network is down; Destina...

Page 247: ...d Command Set show ssl certgroup Non Privileged Command Set show ssl key Non Privileged Command Set show ssl secpolicy Non Privileged Command Set show ssl server Non Privileged Command Set show ssl statistics Non Privileged Command Set ssl Configuration Command Set See the section SSL Configuration Command Set Table C 17 Abbreviations Used for show ssl errors continuous Abbreviation Description AC...

Page 248: ...Privileged Command Set show ssl cert Non Privileged Command Set show ssl certgroup Non Privileged Command Set show ssl errors Non Privileged Command Set show ssl secpolicy Non Privileged Command Set show ssl server Non Privileged Command Set show ssl statistics Non Privileged Command Set ssl Configuration Command Set See the sections SSL Configuration Command Set and Key Configuration Command Set ...

Page 249: ...ver Non Privileged Command Set show ssl statistics Non Privileged Command Set ssl Configuration Command Set See the sections SSL Configuration Command Set and Security Policy Configuration Command Set show ssl server Displays information for the specified configured logical secure server of type server reverse proxy server or backend server on the device show ssl server servname Syntax Description...

Page 250: ... logical servers on the device show ssl session stats server servername continuous interval value Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only This command must be entered on a single line Use the continuous keyword to update the statistics every second Use the interval keyword to specify an interval for display updates Press any key to stop displaying infor...

Page 251: ...SSL session negotiation or renegotiation has finished SSL New Accepts Started NAS Normal Termination Server An SSLv3 or TLSv1 session negotiation the SSL handshake has been started SSL Reneg Requested RR Normal Termination Server An SSLv3 or TLSv1 renegotiation has been requested by the server Session renegotiation can occur at any time and is left to the discretion of the server or the client This...

Page 252: ...Set show ssl statistics Displays SSL statistics summed over all secure logical servers on the device show ssl statistics continuous interval value Session Removed Due to Full Cache SRFC All Servers An SSL session cache entry has been removed due to a full cache i e there was a cache miss and an entry had to be removed to accommodate the new SSL connection Session Reuse Actually Done SRAD All Serve...

Page 253: ...escription for show ssl statistics Statistic Description Active Client Connections The number of client connections currently active Active Server Connections The number of server connections currently active Active Sockets The number of currently active sockets SSL Negotiation Errors The number of SSL negotiation failures Connection Errors to remote Server The number of errors encountered when co...

Page 254: ... Set ssl Configuration Command Set See the section SSL Configuration Command Set show ssl tcp tuning Displays TCP tuning information show ssl tcp tuning all servername defaults Syntax Description Total RSA Operations in Hardware The number of RSA operations performed by the Secure Content Accelerator Total SSL Negotiations Succeeded The number of successful SSL negotiations Table C 19 Output Descr...

Page 255: ...he device are sent show syslog Usage Guidelines Availability Remote Serial Telnet FIPS Mode serial only Related Commands syslog Configuration Command Set show system resources Displays system memory and CPU usage for the device show system resources continuous interval value Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Use the continuous option to update the...

Page 256: ...tion Command Set show web management Non Privileged Command Set show terminal Displays terminal setting information show terminal Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands show history Non Privileged Command Set terminal baud Non Privileged Command Set terminal history Non Privileged Command Set terminal length Non Privileged Command Set terminal pager Non ...

Page 257: ...Usage Guidelines Availability Serial Telnet FIPS Mode serial only show web management Displays Web based GUI management information for the device show web management Usage Guidelines Availability Serial Telnet Related Commands web mgmt access list Configuration Command Set web mgmt enable Configuration Command Set web mgmt port Configuration Command Set show telnet Non Privileged Command Set term...

Page 258: ...et Non Privileged Command Set terminal width Non Privileged Command Set terminal history Sets the number of commands saved in the history buffer terminal history length no terminal history Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Use the no form of the command to disable the history list The default is 25 1200 Sets the baud to 1200 2400 Sets the baud to ...

Page 259: ...leged Command Set terminal length Sets the number of lines in a terminal window terminal length Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands show terminal Non Privileged Command Set terminal baud Non Privileged Command Set terminal history Non Privileged Command Set terminal pager Non Privileged Command Set terminal reset Non Privileged Command Set terminal wi...

Page 260: ...nal reset Resets the internal state of the terminal terminal reset Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands show terminal Non Privileged Command Set terminal baud Non Privileged Command Set terminal history Non Privileged Command Set terminal length Non Privileged Command Set terminal pager Non Privileged Command Set terminal width Non Privileged Command S...

Page 261: ...splays the router information to the specified destination traceroute ipaddr name query numretries hop numhops Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only When issued from a serial or telnet connection the command returns information based upon the device s hardware ipaddr The destination IP address name The name of the destination host serial or telnet onl...

Page 262: ...tatistics for the device clear interface statistics Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands show interface Non Privileged Command Set show interface errors Non Privileged Command Set show interface statistics Non Privileged Command Set interface Configuration Command Set See Interface Configuration Command Set clear ip routes Clears the IP routing table o...

Page 263: ...d Commands show ip statistics Non Privileged Command Set clear line Closes a specified management session clear line sessionId Syntax Description Usage Guidelines Availability Serial FIPS Mode serial only Use the show sessions command to display the open management sessions Related Commands show sessions Non Privileged Command Set clear log Clears diagnostics message buffer clear log Usage Guideli...

Page 264: ...rial only Related Commands show messages Non Privileged Command Set write messages Privileged Command Set clear ssl session stats Resets all SSL session statistics for the device clear ssl session stats Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands show ssl errors Non Privileged Command Set show ssl statistics Non Privileged Command Set clear ssl statistics Res...

Page 265: ... Configuration Command Set copy running configuration Writes the running configuration of a device to a file copy running configuration url Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only If you do not specify a URL you are prompted for it Related Commands copy running configuration startup configuration Privileged Command Set copy startup configuration Privile...

Page 266: ...onfiguration running configuration Privileged Command Set copy to running configuration Privileged Command Set copy to startup configuration Privileged Command Set copy startup configuration Writes the startup configuration of a device to a file copy startup configuration url Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands copy running configur...

Page 267: ...py to running configuration Privileged Command Set copy to startup configuration Privileged Command Set copy to flash Uploads a Cisco Secure Content Accelerator image file to the device flash copy to flash url Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only The signature is verified If you do not specify a URL you are prompted for it Related Commands copy runni...

Page 268: ...ds copy running configuration Privileged Command Set copy running configuration startup configuration Privileged Command Set copy startup configuration Privileged Command Set copy startup configuration running configuration Privileged Command Set copy to startup configuration Privileged Command Set copy to startup configuration Uploads a saved configuration file and merges it to the startup config...

Page 269: ...ation Privileged Command Set disable Exits Privileged mode for the device disable Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands enable Non Privileged Command Set erase running configuration Erases the running configuration on the device erase running configuration Usage Guidelines Availability Serial Telnet Related Commands copy running configuration Privileged...

Page 270: ...figuration Privileged Command Set fips enable Starts FIPS compliant mode for a device in Privileged mode fips enable no fips enable Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands See the section Chapter 6 FIPS Operation quick start Runs the QuickStart wizard for the device quick start Usage Guidelines Availability Serial Telnet FIPS Mode serial only Note When us...

Page 271: ...Telnet FIPS Mode serial only The device resumes operation using the startup configuration stored in the flash memory You are prompted to confirm restarting the device Note When reloading the device in FIPS Mode the firmware signature is verified show access list Displays the specified access list for the device show access list listid Syntax Description Usage Guidelines Availability Serial Telnet ...

Page 272: ...layed for the device are the following SSL Device Configuration show device Startup Configuration show startup config Running Configuration show running config Processes show processes Network Status show netstat Memory Statistics show memory Memory Zones show memory zones SSL Statistics show ssl statistics SSL Session Statistics show ssl session stats SSL Errors show ssl errors Individual reports...

Page 273: ...ng configuration Usage Guidelines Availability Serial Telnet FIPS Mode serial only Note Neither keys nor configured passwords are displayed Related Commands copy running configuration Privileged Command Set copy running configuration startup configuration Privileged Command Set copy startup configuration running configuration Privileged Command Set copy to running configuration Privileged Command ...

Page 274: ...prise Configuration Command Set snmp trap type generic Configuration Command Set show startup configuration Displays the startup configuration on a device show startup configuration Usage Guidelines Availability Serial Telnet FIPS Mode serial only Note Neither keys nor configured passwords are displayed Related Commands copy running configuration startup configuration Privileged Command Set copy s...

Page 275: ...t copy to running configuration Privileged Command Set erase running configuration Privileged Command Set show running configuration Privileged Command Set write memory Privileged Command Set write memory Writes the running configuration to flash memory on a device write memory Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands copy running configuration startup con...

Page 276: ...Command Set write network Writes the running configuration to a file on a remote host write network url Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only If you do not supply URL information you are prompted for it Related Commands copy running configuration startup configuration Privileged Command Set copy startup configuration running configuration Privileged C...

Page 277: ...t Accelerator Configuration Guide 78 13124 06 Appendix C Command Summary Top Level Command Set write terminal Displays the running configuration of the device write terminal Usage Guidelines Availability Serial Telnet FIPS Mode serial only ...

Page 278: ...cess list access list id permit deny ipaddr mask no access list id Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only To activate the access list you must also use the remote management access list snmp access list telnet access list or web mgmt access list commands A device can have up to 999 configured access lists Use the no form of the command to delete the en...

Page 279: ...S Mode however they can only be assigned to the SNMP subsystem Access lists can be assigned to other subsystems when the device is returned to normal operation Examples The following example specifies the host with the IP address 10 1 2 3 to be the only remote host to configure the Secure Content Accelerator access-list 2 permit 100.1.2.3 0.0.0.0 The following example specifies only remote hosts o...

Page 280: ...e appropriate date or time Related Commands show date Non Privileged Command Set end Leaves Configuration Mode and returns to Privileged Mode end Usage Guidelines Availability Serial Telnet FIPS Mode serial only exit Leaves Configuration Mode and returns to Privileged Mode exit Usage Guidelines Availability Serial Telnet FIPS Mode serial only finished Leaves Configuration Mode and returns to Top L...

Page 281: ... serial only If you do not specify a command help information is displayed for all Configuration commands hostname Sets the identification name for the current Secure Content Accelerator hostname devname no hostname Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Use the no form of the command to clear the hostname of the current device Note The command prompt ...

Page 282: ...n Privileged Command Set show interface errors Non Privileged Command Set show interface statistics Non Privileged Command Set See also Interface Configuration Command Set ip address Sets the IP address for the current Secure Content Accelerator ip address ipaddr netmask netmask ipaddr netabbr no ip address Syntax Description network Enters Interface Configuration Mode for the Network interface se...

Page 283: ...ated Commands ip route default Configuration Command Set ip domain name Adds a DNS suffix to the list to append for resolution of unqualified names ip domain name name Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands show ip domain name Non Privileged Command Set show ip name server Non Privileged Command Set ip name server Configuration Command...

Page 284: ...ting table ip route destip mask gatewayip metric hops no ip route destip Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Use the no form of the command to delete the specified static route entry from the device s routing table Related Commands show ip routes Non Privileged Command Set show route Non Privileged Command Set destip The destination IP address mask ...

Page 285: ...lear the IP address for the default router Related Commands ip address Configuration Command Set keepalive monitor Indicates that SSL errors from the specified IP address are to be ignored keepalive monitor ipaddr no keepalive monitor ipaddr Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Up to two IP addresses set individually are allowed Related Commands show...

Page 286: ...mode Note Though completers and help information are available in all management options the command is only valid via serial management mode pass thru Enables pass through of non SSL traffic This is the default configuration mode pass thru no mode pass thru Usage Guidelines Availability Serial Telnet FIPS Mode serial only Use the no form of the command to block non SSL traffic pass through passwo...

Page 287: ...sable the timeout feature Note When using the password command in FIPS Mode to set an access or enable password you must supply a password or passphrase of at least eight characters rdate server Specifies an RDATE protocol server to be used for date and time information on the device rdate server ipaddr no rdate server Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only ac...

Page 288: ...et show rdate server Non Privileged Command Set registration code Stores the registration code of the device registration code code Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only rip Enables Routing Interface Protocol RIP for the current device rip v1 v2 no rip v1 v2 Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only code The ...

Page 289: ...ond command disables only RIP v2 This has the same result as using the command rip v1 rip no rip v2 Related Commands show rip Non Privileged Command Set no snmp Disables SNMP and clears all SNMP data no snmp Note The device must be rebooted reloaded before this command takes effect Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands show snmp Non Privileged Command Set...

Page 290: ...fied access list The access list still exists but is no longer used by the SNMP subsystem Related Commands access list Configuration Command Set no snmp Configuration Command Set show access list Non Privileged Command Set show snmp Non Privileged Command Set snmp contact Configuration Command Set snmp default community Configuration Command Set snmp enable Configuration Command Set snmp location ...

Page 291: ...and Set show snmp Non Privileged Command Set snmp access list Configuration Command Set snmp default community Configuration Command Set snmp enable Configuration Command Set snmp location Configuration Command Set snmp trap host Configuration Command Set snmp trap type enterprise Configuration Command Set snmp trap type generic Configuration Command Set snmp default community Assigns a default co...

Page 292: ...e Configuration Command Set snmp location Configuration Command Set snmp trap host Configuration Command Set snmp trap type enterprise Configuration Command Set snmp trap type generic Configuration Command Set snmp enable Enables SNMP using the current SNMP configuration snmp enable no snmp enable Usage Guidelines Availability Serial Telnet FIPS Mode serial only Use the no form of the command to d...

Page 293: ...ocation information for the SNMP subsystem snmp location locInfo no snmp location Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Use the no form of the command to clear the location information Related Commands no snmp Configuration Command Set show snmp Non Privileged Command Set snmp access list Configuration Command Set snmp contact Configuration Command Se...

Page 294: ...guration Command Set snmp default community Configuration Command Set snmp enable Configuration Command Set snmp location Configuration Command Set snmp trap type enterprise Configuration Command Set snmp trap type generic Configuration Command Set v1 Specifies SNMP version 1 v2c Specifies SNMP version 2c ipaddr The IP address of the computer receiving the messages community The SNMP community If ...

Page 295: ...sl total connections Specifies trapping for total SSL connection levels ssl tps Specifies trapping for SSL transactions per second levels threshold value1 value2 Specifies the threshold option to specify one or more threshold levels where appropriate Threshold values are inappropriate for the config changed option Threshold value1 is the low level and optional threshold value2 is the high level Va...

Page 296: ...vel Command Set snmp access list Configuration Command Set snmp contact Configuration Command Set snmp default community Configuration Command Set snmp enable Configuration Command Set snmp location Configuration Command Set snmp trap host Configuration Command Set snmp trap type generic Configuration Command Set snmp trap type generic Enables generic SNMP traps snmp trap type generic no snmp trap...

Page 297: ... Command Set snmp trap type enterprise Configuration Command Set sntp interval Sets polling interval for all configured SNTP servers sntp interval seconds Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only The default interval is 86400 seconds one day the minimum and maximum intervals are 60 and 2419200 one month respectively The interval can be displayed using th...

Page 298: ... one to delete Up to four SNTP servers can be configured If the first SNTP server returns an error the next SNTP server is polled After the fourth SNTP poll returns an error the first server is polled again SNTP information can be displayed using the commands show device show sntp and write terminal Note When a hostname is used rather than an IP address the hostname is resolved as an IP address wh...

Page 299: ...ommand Set show ssl server Non Privileged Command Set show ssl statistics Non Privileged Command Set See the section SSL Configuration Command Set syslog Adds the specified IP address to the syslog list for the device syslog ipaddr port portid facility facilityid no syslog ipaddr Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only ipaddr The IP address of the devic...

Page 300: ...cess and enable passwords are differentiated as Access Authentication and Enable Authentication respectively Authentication messages contain The type of management session serial telnet or Web management The source IP address Authentication result of either invalid or successful for each action Related Commands show syslog Non Privileged Command Set telnet access list Assigns an existing access li...

Page 301: ...s for the device telnet enable no telnet enable Usage Guidelines Availability Serial Telnet Use the no form of the command to disable telnet management access Related Commands show telnet Non Privileged Command Set telnet access list Configuration Command Set telnet port Configuration Command Set telnet port Specifies the TCP service port to use for telnet management sessions telnet port portid fa...

Page 302: ...scription Usage Guidelines Availability Serial Telnet FIPS Mode serial only The zone is entered in the form of Standard Time Zone identifier GMT offset integer Daylight Savings Time Zone identifier For example MST7MDT is used for Mountain Standard Daylight Savings Time The alphabetic strings are used for display the integer is used for date and time computation The alphabetic strings are optional ...

Page 303: ...ent Non Privileged Command Set telnet access list Configuration Command Set web mgmt enable Configuration Command Set web mgmt port Configuration Command Set web mgmt enable Allows Web browser based management sessions for the device web mgmt enable no web mgmt enable Usage Guidelines Availability Serial Telnet Use the no form of the command to disable web browser based management access Related Co...

Page 304: ... Guidelines Availability Serial Telnet The port assignment is used at the next Web management connection attempt Related Commands access list Configuration Command Set show web management Non Privileged Command Set web mgmt access list Configuration Command Set web mgmt enable Configuration Command Set portid The TCP service port to be used to manage the current device via the GUI default Keyword ...

Page 305: ...Ethernet interface to configure using the interface command in Configuration mode The prompt changes to config if interfacename auto Sets the current Ethernet interface to autonegotiation canceling any existing forced duplex or speed setting auto Usage Guidelines Availability Serial Telnet FIPS Mode serial only duplex Forces the current Ethernet interface to full or half duplex duplex full half Sy...

Page 306: ... for the specified command help command Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only If you do not specify a command help information is displayed for all Interface Commands speed Forces the speed of the current Ethernet interface to 10 Mbps or 100 Mbps speed 10 100 Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only command ...

Page 307: ...ity Serial Telnet FIPS Mode serial only The no form of the command is used to remove the specified backend server A device can have a total of 255 SCA or 4095 SCA2 servers in any combination of backend reverse proxy or standard secure servers When a backend server has been specified for removal all connections are allowed to finish before the backend server is actually removed Backend server names...

Page 308: ...can have up to 511 SCA or 4095 SCA2 certificate objects Certificate names can consist of Arabic numerals and upper and lowercase alphabetic underscore _ hyphen and period characters Certificate names must begin with an alphabetic character or underscore and have a limit of 127 characters Examples The following example creates a certificate object named myCert and enters Certificate Configuration m...

Page 309: ...can have up to 63 SCA or 4095 SCA2 certificate groups Certificate group names can consist of Arabic numerals and upper and lowercase alphabetic underscore _ hyphen and period characters Certificate group names must begin with an alphabetic character or underscore and have a limit of 15 characters Examples The following example creates a certificate object named myCertGroup and enters Certificate G...

Page 310: ...net FIPS Mode serial only exit Leaves SSL Configuration mode and returns to Configuration mode exit Usage Guidelines Availability Serial Telnet FIPS Mode serial only finished Leaves SSL Configuration Mode and returns to Top Level mode finished Usage Guidelines Availability Serial Telnet FIPS Mode serial only gencsr Generates a certificate signing request and or self signed certificate gencsr key k...

Page 311: ... Related Commands See the section Key Configuration Command Set help Displays help information for the specified command help command Syntax Description keyname The name of the key to be used for generating the CSR or self signed certificate newhdr Inserts the word NEW into the CSR header This is required by some older CAs digest Displays a digest form of the certificate md5 Displays a digest form...

Page 312: ...ines Availability Serial Telnet FIPS Mode serial only If you do not specify a URL you are prompted for it Related Commands import pkcs7 SSL Command Set show ssl cert Non Privileged Command Set show ssl key Non Privileged Command Set import pkcs7 Imports and processes a PKCS 7 file to create certificate objects and a certificate group import pkcs7 name der pem prefix prefixText url Syntax Descrip...

Page 313: ...Availability Serial Telnet FIPS Mode serial only The no form of the command is used to remove a key You cannot delete a key referenced by a server A device can have up to 255 SCA or 4095 SCA2 key objects Key names can consist of Arabic numerals and upper and lowercase alphabetic underscore _ hyphen and period characters Key names must begin with an alphabetic character or underscore and have a lim...

Page 314: ...uidelines Availability Serial Telnet FIPS Mode serial only The no form of the command is used to remove the specified reverse proxy server A device can have a total of 255 SCA or 4095 SCA2 servers in any combination of backend reverse proxy or standard secure servers When a reverse proxy server has been specified for removal all connections are allowed to finish before the reverse proxy server is ...

Page 315: ...sed to remove a security policy You cannot delete a security policy referenced by a logical secure server Security policy names can consist of Arabic numerals and upper and lowercase alphabetic underscore _ hyphen and period characters Security policy names must begin with an alphabetic character or underscore and have a limit of 15 characters Examples The following example creates a security poli...

Page 316: ...se proxy or standard secure servers When a secure server has been specified for removal all connections are finished before the server is actually removed Server names can consist of Arabic numerals and upper and lowercase alphabetic underscore _ hyphen and period characters Server names must begin with an alphabetic character or underscore and have a limit of 15 characters Related Commands show s...

Page 317: ...24 06 Appendix C Command Summary Configuration Command Set Usage Guidelines Availability Serial Telnet FIPS Mode serial only The no form of the command is used to return all TCP tuning values to factory default Related Commands See the section TCP Tuning Configuration Command Set ...

Page 318: ...ended backend server if enough information has been configured activate Usage Guidelines Availability Serial Telnet FIPS Mode serial only All backend servers are created as active servers by default Related Commands suspend Backend Server Configuration Command Set certgroup serverauth Assigns a certificate group to be used for server certificate authentication certgroup serverauth certgroupname no...

Page 319: ...xits Backend Server Configuration mode activates all changes and returns to SSL Configuration mode end Usage Guidelines Availability Serial Telnet FIPS Mode serial only exit Exits Backend Server Configuration mode activates all changes and returns to SSL Configuration mode exit Usage Guidelines Availability Serial Telnet FIPS Mode serial only finished Leaves Backend Server Configuration Mode and r...

Page 320: ...fy a command help information is displayed for all Backend Server Configuration Commands info Displays current information about the logical secure server being edited or created info Usage Guidelines Availability Serial Telnet FIPS Mode serial only ip address Sets the specified IP address for the backend server ip address ipaddr netmask mask no ip address Syntax Description command The name of th...

Page 321: ...l Telnet FIPS Mode serial only Using the no form of the command disables sending of keepalive messages Related Commands keepalive frequency Backend Server Configuration Command Set keepalive maxfailure Backend Server Configuration Command Set keepalive frequency Specifies the interval between keepalive messages keepalive frequency seconds Syntax Description Usage Guidelines Availability Serial Tel...

Page 322: ...erver Configuration Command Set keepalive frequency Backend Server Configuration Command Set localport Specifies the TCP service port through which non secure connections are received localport port default Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Caution Traffic sent on this TCP service port is not secured by SSL during transmission to the server It mus...

Page 323: ...nd to remove the specified log url server from the list Only one log url server can be configured remoteport Specifies the TCP service port through which redirected secure connections are sent remoteport port default Syntax Description ipaddr The IP address of the device to receive log url messages port Keyword indicating that a specific TCP port should be used for communications portid The TCP po...

Page 324: ...device To see a list of all loaded default and user defined security policies use the show ssl secpolicy command Related Commands secpolicy SSL Configuration Command Set show ssl secpolicy Non Privileged Command Set See the section Security Policy Configuration Command Set polname The name of the configured security policy all All pre loaded security policies default Default security policy set fi...

Page 325: ...server certificate authentication Related Commands certgroup serverauth Backend Server Configuration Command Set serverauth ignore Backend Server Configuration Command Set serverauth enable Enables server certificate authentication serverauth enable no serverauth enable Usage Guidelines Availability Serial Telnet FIPS Mode serial only Using the no form of the command disables server certificate au...

Page 326: ... used currently Use the no form of the command to cease ignoring the specific server authentication error Related Commands certgroup serverauth Backend Server Configuration Command Set serverauth enable Backend Server Configuration Command Set session cache enable Enables session caching session cache enable no session cache enable all Ignore all server authentication errors none Do not ignore ser...

Page 327: ...e Specifies the size of the session cache session cache size cachesize Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands session cache enable Backend Server Configuration Mode session cache timeout Backend Server Configuration Mode session cache timeout Specifies the session cache length before being timed out session cache timeout seconds Syntax...

Page 328: ...uidelines Availability Serial Telnet Using the no form of the command disables SSL version 2 protocols You cannot disable SSL version 2 and 3 and TLS protocols This command is not available in FIPS mode Related Commands sslv3 enable Backend Server Configuration Command Set tlsv1 enable Backend Server Configuration Command Set sslv3 enable Enables SSL version 3 protocols sslv3 enable no sslv3 enabl...

Page 329: ... in the suspended state No connections are accepted until the activate command is used If you are editing an existing backend server and you use the suspend command alone all open connections on the server are finished and no new connections are accepted No connections are accepted until the activate command is used If you are editing an existing backend server and you use the suspend now comm...

Page 330: ...1 protocols You cannot disable SSL version 2 and 3 and TLS protocols The command no tlsv1 enable is not available in FIPS mode Related Commands sslv2 enable Backend Server Configuration Command Set sslv3 enable Backend Server Configuration Command Set transparent Enables the backend server to function as a transparent proxy default transparent no transparent Usage Guidelines Availability Serial Te...

Page 331: ...le If more than one rule has been configured you must specify the domain name of the rule to delete URL rewrite information can be displayed by using the command show ssl server Related Commands show ssl server Non Privileged Command Set domainName The domain or file identifier as a domain name IP address or path and file name sslport A keyword identifying the following portid to be used for SSL t...

Page 332: ...hex Pastes a binary hex encoded X509 certificate into the configuration manager binhex value Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only After the command is entered you are prompted to paste the certificate from the cut buffer You can use a text editor to copy the certificate from a file After the certificate is pasted you must press Enter twice to complet...

Page 333: ...al Telnet FIPS Mode serial only exit Exits Certificate Configuration mode activates all valid changes and returns to SSL Configuration mode exit Usage Guidelines Availability Serial Telnet FIPS Mode serial only finished Leaves Certificate Configuration Mode and returns to Top Level mode finished Usage Guidelines Availability Serial Telnet FIPS Mode serial only help Displays help information for th...

Page 334: ...the certificate object being created or edited info Usage Guidelines Availability Serial Telnet FIPS Mode serial only pem Loads a PEM encoded X509 certificate into the current certificate object pem url Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only If you do not enter the file name or URL you are prompted for it Related Commands pem paste Certificate Configur...

Page 335: ...l Telnet FIPS Mode serial only After the command is entered you are prompted to paste a certificate from the cut buffer You can use a text editor to copy the certificate from a file After the certificate is pasted you must press Enter twice to complete the command If a password is required you are prompted for it Related Commands pem Certificate Configuration Command Set ...

Page 336: ...ration mode The prompt changes to config ssl certgroup certgroupname cert Adds the specified existing certificate object into the current certificate group cert certObject no cert certObject Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Up to 64 certificate objects are allowed per certificate group Use the no form of the command to remove the specified certif...

Page 337: ...y Serial Telnet FIPS Mode serial only finished Leaves Certificate Group Configuration Mode and returns to Top Level mode finished Usage Guidelines Availability Serial Telnet FIPS Mode serial only help Displays help information for the specified command help command Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only If you do not specify a command help information ...

Page 338: ...nd Set info Displays current information about the certificate group being created or edited info Usage Guidelines Availability Serial Telnet FIPS Mode serial only ...

Page 339: ... X 509 key to be pasted into the configuration manager binhex value Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only After the command is entered you are prompted to paste the key from the cut buffer You can use a text editor to copy the key from a file After the key is pasted you must press Enter twice to complete the command der Loads a DER encoded X509 key fi...

Page 340: ...ilability Serial Telnet FIPS Mode serial only exit Exits Key Configuration mode activates all changes and returns to SSL Configuration mode exit Usage Guidelines Availability Serial Telnet FIPS Mode serial only finished Leaves Key Configuration Mode and returns to Top Level mode finished Usage Guidelines Availability Serial Telnet FIPS Mode serial only genrsa Generates an RSA key genrsa bits 512 1...

Page 341: ...rsa bits 1024 encrypt des seed lemon output mykey pem help Displays help information for the specified command help command Syntax Description bits Specifies the key strength 512 Specifies the key to be 512 bit strength 1024 Specifies the key to be 1024 bit strength encrypt Encrypts the generated key for display des Specifies DES to be used for the encrypted key displayed des3 Specifies DES3 to be...

Page 342: ...tion about the key being created or edited info Usage Guidelines Availability Serial Telnet FIPS Mode serial only net iis Loads a private key exported from IIS 4 only into the key entity net iis url Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only If you do not enter the URL you are prompted for it If a password is required you are prompted for it pem Loads a PE...

Page 343: ...rompted for it Related Commands pem paste Key Configuration Command Set pem paste Allows a PEM encoded X 509 key to be pasted into the configuration manager pem paste Usage Guidelines Availability Serial Telnet FIPS Mode serial only After the command is entered you are prompted to paste a key from the cut buffer You can use a text editor to copy the key from a file After the key is pasted you must...

Page 344: ...and the reverse proxy server command in SSL Configuration mode The prompt changes to config ssl rproxy servername activate Activates the current suspended reverse proxy server if enough information has been configured activate Usage Guidelines Availability Serial Telnet FIPS Mode serial only All reverse proxy servers are created as active servers by default Related Commands suspend Reverse Proxy S...

Page 345: ...up name Only one certificate group can be used Related Commands certgroup SSL Configuration Command Set show ssl certgroup Non Privileged Command Set See also Certificate Group Configuration Command Set end Exits Reverse Proxy Server Configuration mode activates all changes and returns to SSL Configuration mode end Usage Guidelines Availability Serial Telnet FIPS Mode serial only exit Exits Revers...

Page 346: ...PS Mode serial only help Displays help information for the specified command help command Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only If you do not specify a command help information is displayed for all Reverse Proxy Server Configuration Commands info Displays current information about the reverse proxy server being edited or created info Usage Guidelines ...

Page 347: ...d no log url ipaddr Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Use the no form of the command to remove the specified log url server from the list Only one log url server can be configured port The port used to transfer non secure traffic default Sets the port specification to 80 ipaddr The IP address of the device to receive log url messages port Keyword indic...

Page 348: ...y policies use the show ssl secpolicy command Related Commands secpolicy SSL Configuration Command Set show ssl secpolicy Non Privileged Command Set See the section Security Policy Configuration Command Set polname The name of the configured security policy all All pre loaded security policies default Default security policy set fips FIPS 140-2 compliant security policy set noexport56 Security pol...

Page 349: ...ifies the server authentication errors to ignore serverauth ignore all none signature failure expired date cert not yet valid invalid ca domain name no serverauth ignore all none signature failure expired date cert not yet valid invalid ca domain name Syntax Description all Ignore all server authentication errors none Do not ignore server authentication errors signature failure Ignore certificate ...

Page 350: ...nable Reverse Proxy Server Configuration Command Set session cache enable Enables session caching session cache enable no session cache enable Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands session cache size Reverse Proxy Server Configuration Mode session cache timeout Reverse Proxy Server Configuration Mode session cache size Specifies the size of the session ...

Page 351: ...et FIPS Mode serial only Related Commands session cache enable Reverse Proxy Server Configuration Mode session cache size Reverse Proxy Server Configuration Mode sslv2 enable Enables SSL version 2 protocols sslv2 enable no sslv2 enable Usage Guidelines Availability Serial Telnet Using the no form of the command disables SSL version 2 protocols You cannot disable SSL version 2 and 3 and TLS protoco...

Page 352: ...Reverse Proxy Server Configuration Command Set suspend Suspends the function of the backend server suspend now Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only This command behaves in three ways If you are creating a new reverse proxy server and you use the suspend command the server is created in the suspended state No connections are accepted until the activat...

Page 353: ... tcp tuning Enters TCP Tuning Configuration mode for this server tcp tuning Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands See the section TCP Tuning Configuration Command Set tlsv1 enable Enables TLS version 1 protocols tlsv1 enable no tlsv1 enable Usage Guidelines Availability Serial Telnet Using the no form of the command disables TLS version 1 protocols Y...

Page 354: ... rule If more than one rule has been configured you must specify the domain name of the rule to delete URL rewrite information can be displayed by using the command show ssl server Related Commands show ssl server Non Privileged Command Set domainName The domain or file identifier as a domain name IP address or path and file name sslport A keyword identifying the following portid to be used for SS...

Page 355: ... SSL device crypto fips strong weak all ARC4 MD5 ARC4 SHA DES CBC3 MD5 DES CBC3 SHA DES CBC MD5 DES CBC SHA EXP ARC2 MD5 EXP ARC4 MD5 EXP DES CBC SHA EXP1024 ARC2 CBC MD5 EXP1024 ARC4 MD5 EXP1024 ARC4 SHA EXP1024 DES CBC SHA NULL MD5 NULL SHA no crypto ARC4 MD5 ARC4 SHA DES CBC3 MD5 DES CBC3 SHA DES CBC MD5 DES CBC SHA EXP ARC2 MD5 EXP ARC4 MD5 EXP DES CBC SHA EXP1024 ARC2 CBC MD5 EXP1024 ARC4 MD5...

Page 356: ... security policy Additionally you can alter the preset cryptography schemes specified for the current security policy If you enter crypto weak and no crypto NULL MD5 commands the NULL MD5 cryptography scheme is removed from the current security policy DES CBC3 SHA 3DES 168 SHA1 RSA 1024 fips strong all DES CBC MD5 DES 56 MD5 RSA 1024 strong all DES CBC SHA DES 56 SHA1 RSA 1024 fips strong all EXP ...

Page 357: ...cies prefixed with EXP NULL These policies are considered to be export level policies Note In FIPS Mode only servers configured with FIPS approved algorithms DES CBC SHA DES CBC3 SHA EXP1024 DES CBC SHA can be active end Exits Security Policy Configuration mode activates all changes and returns to SSL Configuration mode end Usage Guidelines Availability Serial Telnet FIPS Mode serial only exit Exi...

Page 358: ...FIPS Mode serial only help Displays help information for the specified command help command Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only If you do not specify a command help information is displayed for all Security Policy Configuration Commands info Displays current information about the security policy being edited or created info Usage Guidelines Availabi...

Page 359: ...e The prompt changes to config ssl server servername activate Activates the current logical secure server if enough information has been configured activate Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands suspend Server Configuration Command Set cert Sets the specified certificate for use by the server cert certname default default 1024 default 512 Syntax Descrip...

Page 360: ...nd Set certgroup chain Enables the specified certificate group to be used as a certificate chain certgroup chain certgroupname no certgroup chain Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Use the no form of the command to remove a certificate group association When using the no flag you need not specify any certificate group name Only one certificate chai...

Page 361: ...used to disable client authentication using the certificate group When using the no flag you need not specify any certificate group name Only one certificate chain can be used Related Commands clientauth enable Server Configuration Command Set clientauth error Server Configuration Command Set clientauth verifydepth Server Configuration Command Set clientauth enable Enables client certificate authe...

Page 362: ... cert revoked cert has invalid ca cert has signature failure cert other error all Syntax Description cert not provided Certificate was not provided for authentication cert not yet valid The certificate is not valid yet cert has expired The certificate has expired cert revoked The certificate has been revoked cert has invalid ca The certificate has an invalid CA cert has signature failure The signa...

Page 363: ...and Set clientauth verifydepth Specifies the level of certificate within the certificate group to use when verifying client certificates clientauth verifydepth depth Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands certgroup clientauth Server Configuration Command Set clientauth enable Server Configuration Command Set clientauth error Server Con...

Page 364: ...r that does not have ephemeral RSA enabled ephemeral error fail failhtml redirect url Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only The default behavior is failhtml fail The client is disconnected abruptly failhtml The SSL handshake is continued and the client is sent a static HTML error page listing the reason for the error Then the SSL session is disconnect...

Page 365: ...ensures the device complies with United States commerce laws ephrsa no ephrsa Usage Guidelines Availability Serial Telnet FIPS Mode serial only The default is no ephemeral RSA Use the no form of the command to disable ephemeral RSA exit Exits Server Configuration mode activates all changes and returns to SSL Configuration mode exit Usage Guidelines Availability Serial Telnet FIPS Mode serial only ...

Page 366: ...lient custom fieldname fieldvalue pre filter prefix prefixstring server cert session no httpheader client cert client custom pre filter prefix server cert session Syntax Description command The name of the command client cert Adds the client certificate to the HTTP stream client custom Sets up custom client HTTP headers fieldname The name of the header field This text must be entered within quotes...

Page 367: ...tificate Version x509 Certificate version hostname ClientCert Data Signature Algorithm x509 Hashing and encryption method hostname ClientCert Error Error conditions hostname ClientCert Fingerprint Hash output hostname ClientCert Issuer CN x509 Certificate issuer common name hostname ClientCert issuer x509 Certificate issuer distinguished name hostname ClientCert Not After Certificate not valid aft...

Page 368: ...9v3 Basic Constraints Constraints governing the certificate Table C 20 Headers Inserted with httpheader client cert Command continued Header Field Description Table C 21 Headers Inserted with httpheader session Command Header Field Description FRONT_END_HTTPS For support of OWA 2000 hostname Session Cipher Key Size Symmetric cipher key size hostname Session Cipher Name Symmetric cipher suite hostn...

Page 369: ...cate not valid after this date hostname ServerCert Not Before Certificate not valid before this date hostname ServerCert Public Key Algorithm Public key algorithm hostname ServerCert RSA Exponent Public exponent hostname ServerCert RSA Modulus Size RSA modulus size in bits hostname ServerCert RSA Modulus RSA modulus hostname ServerCert RSA Public Key Size RSA public key size in bits hostname Serve...

Page 370: ...live enable no keepalive enable Usage Guidelines Availability Serial Telnet FIPS Mode serial only Using the no form of the command disables sending of keepalive messages Related Commands keepalive frequency Server Configuration Command Set keepalive maxfailure Server Configuration Command Set keepalive frequency Specifies the interval between keepalive messages keepalive frequency seconds Syntax D...

Page 371: ...s set to suspended keepalive maxfailure count Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands keepalive enable Server Configuration Command Set keepalive frequency Server Configuration Command Set key Sets the specified key for use by the server key keyname default default 1024 default 512 Syntax Description count The number of failed keepalive...

Page 372: ...ies the port on which the secure server receives SSL traffic The SSL traffic is decrypted and sent to the real server using the TCP service port previously specified with the remoteport command localport port default Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands remoteport Server Configuration Command Set sslport Server Configuration Command ...

Page 373: ...ervice port is not secured by SSL during transmission to the server It must be secured by another means Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands localport Server Configuration Command Set sslport Server Configuration Command Set ipaddr The IP address of the device to receive log url messages port Keyword indicating that a specific TCP port should be used f...

Page 374: ...y policies use the show ssl secpolicy command Related Commands secpolicy SSL Configuration Command Set show ssl secpolicy Non Privileged Command Set See the section Security Policy Configuration Command Set polname The name of the configured security policy all All pre loaded security policies default Default security policy set fips FIPS 140-2 compliant security policy set noexport56 Security pol...

Page 375: ...isable session caching Related Commands session cache size Server Configuration Mode session cache timeout Server Configuration Mode session cache size Specifies the size of the session cache session cache size cachesize Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands session cache enable Server Configuration Mode session cache timeout Server C...

Page 376: ...haredcipher error Specifies device behavior when an error caused by no cipher agreement is encountered sharedcipher error fail failhtml redirect url Syntax Description seconds Specifies the number of seconds before the cache times out fail The client is disconnected abruptly failhtml The SSL handshake is continued and the client is sent a static HTML error page listing the reason for the error The...

Page 377: ...fied with the remoteport command sslport port default Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Note This command has the same effects as the localport command and is included only for backwards compatibility Related Commands localport Server Configuration Command Set remoteport Server Configuration Command Set sslv2 enable Enables SSL version 2 protocols...

Page 378: ...tion Command Set sslv3 enable Enables SSL version 3 protocols sslv3 enable no sslv3 enable Usage Guidelines Availability Serial Telnet Using the no form of the command disables SSL version 3 protocols You cannot disable SSL version 2 and 3 and TLS protocols This command is not available in FIPS mode Related Commands sslv2 enable Server Configuration Command Set tlsv1 enable Server Configuration Co...

Page 379: ...tions are accepted No connections are accepted until the activate command is used If you are editing an existing server and you use the suspend now command all connections are suspended When the end command is entered the current server is removed and a new suspended server is created Related Commands activate Server Configuration Mode tcp tuning Enters TCP Tuning Configuration mode for this se...

Page 380: ...rs to function as a transparent proxy default transparent local listen no transparent local listen Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only The no form of the command is used to disable the specified behavior The following table presents the device behavior associated with each command permutation local listen Keyword specifying a third transparency mode...

Page 381: ...ice s IP address for incoming client connections and uses the client s IP address for connecting to the hardware server no transparent The device listens on the device s IP address for incoming client connections and uses the device s IP address for connecting to the hardware server Command Behavior domainName The domain or file identifier as a domain name IP address or path and file name sslport ...

Page 382: ...than one rule has been configured you must specify the domain name of the rule to delete URL rewrite information can be displayed by using the command show ssl server Related Commands show ssl server Non Privileged Command Set ...

Page 383: ...r name in SSL Configuration mode and tcp tuning in the Server Configuration mode The prompt changes to config ssl tcpTuning server servername Per server settings override global settings and if no setting is used the factory defaults are used The mtu setting affects communications with all aspects of the device including telnet and Web management sessions and is only available directly in the SSL ...

Page 384: ...onds default no delay ack Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Delayed ACK transmissions are designed to reduce extraneous transmissions and reduce transport overhead by attempting to piggyback ACKs on data If no data is to be sent the stack will delay the ACK by the delay ack value waiting for the application to produce data to be sent As bandwidth ...

Page 385: ... of the command to return the finwt2time to the global value If no global settings exist for a parameter the factory default parameter is used instead See RFC 793 keepalive Specifies the amount of time to keep a TCP connection open without active traffic keepalive seconds default no keepalive Syntax Description seconds The number of seconds to wait after acknowledgement of an initial FIN prior to ...

Page 386: ...P Tuning Configuration Command Set keepalive intv TCP Tuning Configuration Command Set keepalive cnt Specifies the number of keepalives that are sent keepalive cnt count default no keepalive cnt Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Use the no form of the command to return the keepalive cnt to the global value If no global settings exist for a paramet...

Page 387: ...lt parameter is used instead See RFC 1122 Related Commands keepalive TCP Tuning Configuration Command Set keepalive cnt TCP Tuning Configuration Command Set max rexmit Specifies the number of times an unacknowledged segment is retransmitted max rexmit count default no max rexmit Syntax Description seconds The number of seconds between keepalives the valid range is from 20 to 600 inclusiv...

Page 388: ...t seconds forever default no maxrt Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Use the no form of the command to return the maxrt to the global value If no global settings exist for a parameter the factory default parameter is used instead maxseg Specifies the maximum TCP segment size maxseg bytes default no maxseg seconds The number of seconds a ...

Page 389: ...IP unit transmitted mtu bytes default no mtu Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only The mtu value combined with the maxseg value affects TCP fragmentation You cannot set the mtu to a value less than the maxseg 40 Use the no form of the command to return the mtu to the global value If no global settings exist for a parameter the factory default paramete...

Page 390: ...zing segments and protocol overhead A value of 1 no Nagle should be used if it is desirable to have packets with small amounts of data sent as soon as possible with no concern for overhead Use the no form of the command to return the nodelay to the global value If no global settings exist for a parameter the factory default parameter is used instead See RFC 896 nopush Controls whether data is sent...

Page 391: ...s of data such as file transfers Use the no form of the command to return the nopush to the global value If no global settings exist for a parameter the factory default parameter is used instead See RFC 1644 Related Commands push all TCP Tuning Configuration Command Set probe max Specifies the maximum window probe timeout probe max milliseconds default no probe max Syntax Description Usage Guideli...

Page 392: ... probes but the interval will not exceed the defined maximum Use the no form of the command to return the probe max to the global value If no global settings exist for a parameter the factory default parameter is used instead Related Commands probe min TCP Tuning Configuration Command Set probe min Specifies the minimum window probe timeout probe min milliseconds default no probe min Syntax Descri...

Page 393: ...l Telnet FIPS Mode serial only Enabling push all can create excessive traffic because of overhead Use the no form of the command to return the push all to the global value If no global settings exist for a parameter the factory default parameter is used instead Related Commands nopush TCP Tuning Configuration Command Set rto def Specifies the default retransmission timeout rto def milliseconds def...

Page 394: ...FC 1122 and RFC 2988 Related Commands rto max TCP Tuning Configuration Command Set rto min TCP Tuning Configuration Command Set rto max Specifies the maximum allowable roundtrip timeout rto value rto max milliseconds default no rto max Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only milliseconds The default number of milliseconds before retransmitting the valid...

Page 395: ...Configuration Command Set rto min TCP Tuning Configuration Command Set rto min Specifies the minimum allowable roundtrip timeout rto value rto min milliseconds default no rto min Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only This value should be set to less than the rto def value Use the no form of the command to return the rto min to the global value If no g...

Page 396: ...n the network traversal path The slow start algorithm uses a variable congestion window setting that increments and decrements as segments are successfully or unsuccessfully acknowledged Any time the quality latency or speed of any portion of the network is unknown e g the Internet it is a safe idea to leave slow start enabled Use the no form of the command to return the slow start to the global v...

Page 397: ...ications such as an abort in FTP data or an interrupt in telnet or rlogin Use the no form of the command to return the stdurg to the global value If no global settings exist for a parameter the factory default parameter is used instead See RFC 1122 ts Controls use of the time stamp TCP option ts 0 1 on off default no ts Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode seria...

Page 398: ...ime stamp TCP option. wnd scale 0 | 1 | on | off | default; no wnd scale. Syntax Description, Usage Guidelines, Availability: Serial, Telnet; FIPS Mode: serial only. The default (1) increases the TCP window from 16 bits to 32 bits. The header size is not changed, but by enabling the option TCP maintains the windows internally as a 32-bit value. Having this option enabled can accommodate larger receive buffers (65535 by a...

Page 399: ...rious error states, such as when the device fails any FIPS self-test. In these circumstances MiniMax allows users to exit from the error condition as gracefully as possible, returning the device to a usable status. The MiniMax state can be identified by the presence of the MiniMax prompt in the console. The prompt displayed when the device has failed any self-tests is self test failure. This appendix co...

Page 400: ... text you enter in a command line. Italic text indicates the first occurrence of a new term, book title, and emphasized text. In this command summary, items presented in italics represent user-specified information. Items within angle brackets are required information. Items within square brackets are optional information. Items separated by a vertical bar are options; you can choose any of them. Note: Thoug...

Page 401: ...p show this screen hinv display hardware inventory ifconfig configured network interfaces ip change ip settings ls list flash file directory netstat show open file descriptors and sockets printenv print nvram environment rdate server assign rdate server reboot reboot minimax resetenv reset environment to factory defaults rm delete flash file sbridge add an ethernet port and start the bridge show s...

Page 402: ...o set the IP address, subnet mask, and default route for the SSL device: 1. Enter the following commands at the MiniMax prompt. Replace the IP address, subnet mask, and router address with appropriate ones: ip address 10.1.2.5 netmask 255.255.255.0; ip route default 10.1.2.254. 2. Check the environment by entering the following command. An example of the associated response is included: env cbaud 9600 autoboot...

Page 403: ...Use the following table to identify the firmware image for use. 1. Ensure the device is connected via the null modem cable to a workstation where Netcat is available. Use the CONSOLE port on the appliance. 2. Ensure that the Server Ethernet interface on the device is connected to the network. 3. Launch any terminal emulation application that communicates with the serial port connected to the SSL device. U...

Page 404: ...connection from 10.1.6.145 2056; transfer completed, 1951970 bytes received. Image address 0x3a56350, Image length 951826, Signed yes, Image type PHR, PHX file csid 0x460313d8, version 0x00004000, system 0x00000001, product 0x00000005, arch 0x00000007, type 0x00000006; use zap to save to flash. 10. Enter the following commands to save the image and restart the device: zap; boot. 11. Messages are written to the conso...

Page 405: ...ownloading SSSS. Note: The S is actually a non-ASCII character sent to the screen while MiniMax is waiting for the file to be sent. 3. Use the terminal emulation application's commands to initiate sending the image file indicated in Table D-2 above via xmodem. Note: The image file transfer can take up to an hour, depending on the baud. Table D-2 Firmware Image Selection: Firmware Image File Name | Purpose. cs...

Page 406: ...device: zap; boot. 6. Messages are written to the console indicating necessary files are written. The device will reboot into the serial console configuration manager. Extracting a Device Configuration: The best way to restore a device configuration is to use a previously saved configuration file, using commands in the configuration CLI. If you have not saved the configuration previously and the device has...

Page 407: ...le of the associated response is included. Note any settings, such as the IP address, that might be required later: env cbaud 9600 autoboot N autorun N verbose false netaddr 10.1.2.5 netmask 255.255.255.0 gwaddr 10.1.2.254 bootfile flash maxos bz2 TZ GMT10DST TERM ansi FIPS_MODE 0 COLUMNS 80 ROWS 25 bootdevice flash maxos bz2 build 200208160004 version 4.0.0. 2. Enter resetenv to return the device to fa...

Page 408: ... 3. Check the environment again by entering the following command. An example of the associated response is included: env cbaud 9600 autoboot N autorun N verbose false netaddr 192.0.2.254 netmask 255.255.255.0 gwaddr bootfile flash maxos bz2 TZ GMT10DST TERM ansi FIPS_MODE 0 COLUMNS 80 ROWS 25 ...

Page 409: ...ax commands are available only through the serial console when the appropriate prompt is displayed. ? (question mark): Displays the help screen. baud: Changes the baud. baud baudrate. Syntax Description. boot: Boots the device with the current flash image. boot. cat: Lists the specified file to the terminal. cat filename. Syntax Description: baudrate The new baud for the connection; filename The path and filename to...

Page 410: ...red as full duplex. h: Option indicating the specified Ethernet interface(s) should be configured as half duplex. i: Option indicating both Ethernet interfaces should be configured with specified parameters. p: Option identifying the Ethernet interface to be targeted by the configuration statement. 0: Option indicating the specified configuration should be applied to the Network interface. 1: Option indicating...

Page 411: ...e subsequent argument as the last three octets of the MAC address. When the i option is used to indicate both interfaces are to be configured, the specified argument is used as the address for the Network port, and the argument is incremented for the Server interface address. threeoctets: The last three octets of the address. This argument should be entered as hex values. B: Option indicating the specifie...

Page 412: ...plays the configured Ethernet interfaces. ifconfig. Related Commands: eaddr. ip: Changes the device IP and default route settings. ip address ipaddr netmask mask; ip address ipaddr maskbits; ip route default ipaddr. Syntax Description: ip address Keywords identifying the address to change; ipaddr The new IP address; maskbits The numeral indicating the appropriate mask to use (this netmask shortcut is used only...

Page 413: ...sh file directory. ls. netstat: Displays open file descriptors and sockets on the device. netstat. printenv: Prints the nvram environment to the console. printenv. rdate server: Assigns an RDATE server. rdate server ipaddr. Syntax Description: netmask Keyword identifying the netmask portion of the address; mask The appropriate netmask; ip route default Keyword identifying the default route address; routeaddr Th...

Page 414: ...niMax environment. reboot. resetenv: Resets the MiniMax environment to factory defaults. resetenv. Related Commands: env, printenv. rm: Deletes a file from the flash file directory. rm filename. Syntax Description. Related Commands: ls. sbridge: Connects the specified Ethernet port and starts the bridge. sbridge network | server. filename: The name of the file to delete. ...

Page 415: ...s follows: If one active Ethernet connection is found, that interface is used. If two active Ethernet connections are found, neither interface is used. If no active Ethernet connections are found, no interface is used. show: Displays information for the specified system. show bridge | download | arp | route. Syntax Description, Usage Guidelines: If no system is specified, a help message is displayed. network: Keyword ...

Page 416: ...ry Command Set D-18, Cisco 11000 Series Secure Content Accelerator Configuration Guide 78-13124-06. version: Displays firmware version information. version. zap: Processes a downloaded image file, if available, and copies it to the flash. zap ...

Page 417: ...Appendix E Troubleshooting: This appendix provides general troubleshooting information for the Secure Content Accelerator. This appendix contains the section Troubleshooting the Hardware. ...

Page 418: ...ect to NIC. Ensure cables are properly wired. One Power LED is unlit: Ensure the Secure Content Accelerator has power. Check the associated power switch, power cord, and power source. The Secure Content Accelerator seems to have locked up: Reboot the Secure Content Accelerator, either by pressing the reset switch or using the reload command in the CLI. If the problem continues, press and hold the reset switc...

Page 419: ... management access. If telnet management is disabled, enter Configuration mode and use the telnet enable command. Also verify the TCP port specified for management sessions. If you have changed the management port from the default, you must use the user-configured TCP port. The device might be operating in FIPS Mode. Telnet management is unavailable in FIPS Mode; use a serial management session to connect...

Page 420: ...ertain situations, such as when changing to a different subnet. If the connection is not redirected, manually connect to the device as before. If you still are unable to connect, use the serial configuration manager to check the appliance configuration and try again. The device might be operating in FIPS Mode. Web management is unavailable in FIPS Mode; use a serial management session to connect to the de...

Page 421: ...thms are available to traffic. The assigned security policy must contain at least one FIPS-compliant algorithm. After configuring a server, it is suspended when I exit the configuration mode: The device might be operating in FIPS Mode. Only servers configured with FIPS 140-2 compliant algorithms are available to traffic. The assigned security policy must contain at least one FIPS-compliant algorithm. Tab...

Page 422: ...e the cabling and speed of all associated ports been verified? No: Verify physical cabling and speed of all associated ports. No: RMA Unit (Faulty Ethernet connections). Yes: Is the console responsive? Yes: Are the console settings correct? No: Use a known good null modem cable; set terminal to 9600 or 115,200, 8-N-1. No: Reboot the device using the power switches. Yes: Is the console responsive? RMA Unit (Faulty ser...

Page 423: ...1, L2, L3 network problem. Yes: Configure test environment and test device operation. Does the device operate as expected? Continue with configuration and operation as desired. Are all necessary logical services active? Activate services on all devices (offloader, load balancer, Web server, etc.). No: Does show netstat display proper listening sockets? Yes: Check the localport and transparency settings; reload if ne...

Page 424: ...hooting Flowchart 3. Is the client set to use the appropriate socket? Retest with browser client or test tool. No: Are any firewalls or ACLs in place? Yes: Verify client or test suite operability, or use a different client. No: Eliminate ACLs or filters preventing access. Does the device operate as expected? No. Continue with configuration and operation as desired. Yes ...

Page 425: ...ed in configuring the Secure Content Accelerator. Instructions for generating keys and certificates using the CLI are included in Chapter 4. Instructions for using the GUI are in Chapter 5. This chapter contains the following sections: Introduction to SSL; Port Blocking Mechanism; Before You Begin; Using Existing Keys and Certificates; Configuration Security; Cisco SSL Configuration Components; Cisco Secure...

Page 426: ...ecrypted with the private key. You can configure the Cisco Secure Content Accelerator using either the GUI or CLI, or through the QuickStart wizard available through both the CLI and GUI. The CLI is available through telnet or serial connections. Port Blocking Mechanism: During configuration you must specify the SSL and clear text (decrypted) TCP service ports. Cisco Secure Content Accelerator devices mon...

Page 427: ... Figure F-1 Port Blocking. Figure F-2 Port Blocking with Dropped Traffic. For example, if the server is used for both secure and non-secure services, you cannot use TCP service port 80 for both basic HTTP connections and for transfer of decrypted secure data between the devices and the server. Below are some alternatives for this scenario. ...

Page 428: ... the keys and certificate from an existing secure server, use default keys and certificates preloaded in the device, or generate your own keys and certificates. Additionally, be aware that you must make several changes to your Web pages. The nature of the changes depends upon whether you are securing a previously unsecured site or adding the SSL appliance to an already secure server installation. These...

Page 429: ... key. The default certificate is APACHEROOT certs crt. Note the name and location of these elements. Stronghold: The key and certificate locations are listed in the STRONGHOLDROOT conf httpd.conf file. The default key is STRONGHOLDROOT ssl private key. The default certificate is STRONGHOLDROOT ssl cert. Note the name and location of these elements. IIS 4 on Windows NT: The certificate file is in the direct...

Page 430: ... Properties in the shortcut menu. 4. Click the Directory Security tab. 5. Click Edit in the Secure Communication panel. 6. Click Key Manager. 7. Click the key to export. 8. On the Key menu, point to Export Key and click Backup File. 9. Read the security warning and click OK. 10. Select a file location and enter a file name. 11. Click Save. 12. Exit the Internet Service Manager. IIS 5 on Windows 2000: Follow these step...

Page 431: ...or click Browse to select a location manually. Click Next. 12. The Completing the Certificate Export Wizard panel appears. Click Finish. Note: The key and certificate file exported from IIS 5 are in PKCS #12 format. Use the import pkcs12 command in the configuration manager to load a key and certificate in this format. Configuration Security: Cisco Secure Content Accelerator devices allow easy, flexible conf...

Page 432: ...p access list, telnet access list, and web mgmt access list in Appendix C. Factory Default Reset Password: If you have forgotten your access or enable password, you can use a factory-set password during a serial configuration session. When prompted for a password, enter FailSafe (case sensitive). You are asked to confirm the action. The appliance reboots (reloads) with factory default settings. Caution: All conf...

Page 433: ...Certificates: A certificate is loaded into the device to be used as either a single certificate or part of a certificate group. Only one certificate or certificate group can be used with each server. Certificates can be imported from DER- and PEM-encoded X.509 files, IIS4 backup format, NET IIS, PKCS #12 files, and PKCS #7 certificate groups. Step-Up Certificates and Server Gated Cryptography: Cisco Secure Co...

Page 434: ... certificate objects that are combined into a certificate group. An example of configuring a chained certificate via the configuration manager is presented in Chapter 4. See Chapter 5 for information about creating and enabling chained certificates using the GUI. Security Policies: Cisco Secure Content Accelerator can process a wide range of single and composite cryptography schemes. The following tabl...

Page 435: ... all (tail of the preceding row). The flattened table rows on this page, one cipher suite per line (the column headings are not in this excerpt; the order cipher suite, encryption, hash, key exchange, strength, policies is inferred from the row layout; superscripts are the table's footnote markers):
EXP ARC4 MD5 | ARC4¹ 40 | MD5 | RSA 512 | weak | default, all
EXP DES CBC SHA | DES 40 | SHA1 | RSA 512 | weak | all
EXP1024 ARC2 CBC MD5 | ARC2² 40 | MD5 | RSA 1024 | weak | default, all
EXP1024 ARC4 MD5 | ARC4¹ 40 | MD5 | RSA 1024 | weak | default, all
EXP1024 ARC4 SHA | ARC4¹ 40 | SHA1 | RSA 1024 | weak | default, all
EXP1024 DES CBC SHA | DES 56 | SHA1 | RSA 1024 | weak | all
NULL MD5 | None | MD5 | None | weak | default, all
NULL SHA | None | SHA1 | None | weak | default...

Page 436: ... browser-based GUI: An IP address must have been assigned to the appliance for management. A device cannot be set to single port mode via the GUI. Only one device can be managed at a single time. Serial and telnet management commands can use symbolic hostnames in URL identifiers if the ip domain name has been set. File name formats differ depending on the management method. When using the GUI, you can sp...

Page 437: ...ided QuickStart wizard configuration method available from both the configuration manager and GUI. To use this method for configuration, see Chapter 3. Brief instructions are also included for initiating a management session using the configuration manager. For instructions on using telnet or serial console CLI configuration managers, see Chapter 4; for instructions on using the GUI, see Chapter 5. To use...

Page 439: ...Appendix G Regulatory Information: This appendix lists the regulatory agencies that have approved the Secure Content Accelerator. This appendix includes the following sections: Regulatory Standards Compliance; Canadian Radio Frequency Emissions Statement; FCC Class A; CISPR 22 (EN 55022) Class A; VCCI. ...

Page 440: ...lly compliant with their environmental, safety, and emissions standards. Canadian Radio Frequency Emissions Statement: This Class A digital apparatus complies with Canadian ICES-003. Cet appareil numérique de la classe A est conforme à la norme NMB-003 du Canada. [In French: This Class A digital apparatus complies with Canadian standard NMB-003.] Table G-1 Regulatory Standards Compliance: Regulatory Standards Compliance | Regulatory Agency. Safety: UL 1950 3rd | CSA NRTL; CAN/CSA C22.2 No. 950-M...

Page 441: ...ikely to cause harmful interference, in which case the user will be required to correct the interference at his own expense. To maintain compliance with the limits of a Class A digital device, Cisco requires that you use quality interface cables when connecting to this device. During testing for certification, Category 5 cables were used. Caution: Modifications to this product not authorized by Cisco Sys...

Page 442: ...CISPR 22 (EN 55022) Class A Warning: This is a class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures. VCCI ...

Page 443: ...nt encrypts the data and connects via SSL to the server. C. Certificate: Digital information that proves the identity of the server, similar to a digital ID card. Certificates are issued by Certificate Authorities. Cipher: An encryption algorithm. F. Flash memory: Memory area in which device configuration may be saved; configuration information not stored in the flash memory is lost during a power cycle or w...

Page 444: ...guration consisting of an IP address for the hardware (web server) providing content, an SSL TCP service port specification, a clear text port specification, a key association specifying the key and certificate to use when processing transactions, and a security policy specifying the cryptographic scheme(s) to use. R. Remote Port: The user-specified non-secure TCP port used by the Cisco Secure Content Accel...

Page 445: ...abling secure transactions of data through privacy, authentication, and data integrity. Simple Network Management Protocol (SNMP): An application-level protocol used to monitor and perform basic configuration of network devices. Server Port: The user-specified secure TCP port monitored by the Cisco Secure Content Accelerator for secure transaction requests. ...

Page 447: ... mod_SSL 5 ApacheSSL 5 ARP C 35 auto C 111 B backend server backend server configuration command set C 124 configuration manager example 4 10 4 11 configuring with GUI 5 34 backend server C 113 backend server configuration activate command C 124 certgroup serverauth command C 124 end command C 125 exit command C 125 finished command C 125 help command C 126 info command C 126 ip address command C ...

Page 448: ...4 C 7 8 FailSafe password 6 4 reloading the device 3 13 5 17 unauthorized modifications 17 unsecured transmissions C 128 C 179 use of keys and certificates 6 2 cert C 114 C 142 C 165 certificate groups importing 4 20 certgroup C 115 certgroup chain C 166 certgroup clientauth C 167 certgroup serverauth C 124 C 150 certificate certificate configuration command set C 138 configuration manager example ...

Page 449: ... 1 2 free standing installation 2 4 front panel 2 5 grounding 2 4 installation 2 3 MiniMax commands D 1 mounting brackets 2 5 QuickStart wizard configuration 3 1 rack mounted installation 2 5 rear panel 2 6 unpacking 2 3 website configuration B 30 clear interface statistics C 68 clear ip routes C 68 clear ip statistics C 69 clear line C 69 clear log C 69 clear messages C 70 clear screen C 31 clear...

Page 450: ...with GUI 5 35 certificate with GUI 5 24 clear text and SSL ports 2 client authentication with GUI 5 33 client side Web access 5 4 device name with GUI 5 7 enabling RIP with GUI 5 10 Ethernet interface 4 16 Ethernet interface with GUI 5 9 generating a certificate 4 24 generating a key with CLI 4 24 GUI 5 1 6 1 C 7 12 importing a certificate group with GUI 5 46 5 47 key 3 6 4 8 key with GUI 5 22 man...

Page 451: ...opy to startup configuration C 74 crypto C 161 cryptographic algorithm table of 10 CSS use with examples B 4 in line B 4 one armed proxy B 10 one armed transparent B 19 D delay ack C 190 deployment examples in line B 4 load balancing B 2 one armed proxy B 10 one armed transparent B 19 single device B 2 use with the CSS B 4 der C 138 C 145 disable C 75 duplex C 111 E enable C 31 end C 86 C 111 C 11...

Page 452: ...ring a certificate chain 5 35 configuring a key 5 22 configuring an Ethernet interface 5 9 configuring a reverse proxy server 5 34 configuring a secure server 5 30 configuring a security policy 5 27 configuring backend server 5 34 configuring other secure protocols 5 37 configuring secure server 5 22 configuring SNMP 5 19 enabling RIP 5 10 generating an RSA key 5 38 generating a certificate 5 42 im...

Page 453: ...onfiguring other secure protocols 5 37 configuring SNMP 5 19 enabling RIP 5 10 enabling Web management 5 2 generating a certificate 5 42 generating an RSA key 5 38 importing a certificate group 5 46 5 47 interface 5 5 reloading the device 5 17 resetting the IP address 5 8 restricting Web management 5 3 Secure Server wizard 5 48 setting an enable password 5 17 setting syslog hosts 5 13 starting 5 3 ...

Page 454: ...keepalive monitor C 91 keepalives configuration manager example 4 30 key configuration manager example 4 8 default 3 7 exporting 4 file formats 9 generating a key with the CLI 4 24 generating with genrsa command C 146 generating with GUI 5 38 GUI example 5 22 key association configuration command set C 145 loading 3 6 naming conventions 3 6 4 8 4 QuickStart wizard 3 6 using existing 4 key C 119 C ...

Page 455: ...parent B 19 single device B 2 use with the CSS B 4 nodelay C 196 non privileged command set C 31 nopush C 196 no snmp C 95 P password access 4 3 C 6 7 description 4 3 C 6 7 enable 4 3 5 17 C 6 7 FailSafe 4 4 C 7 8 setting with QuickStart wizard 3 10 password C 92 paws C 33 PKCS7 file importing 4 20 pem C 140 C 148 pem paste C 140 C 149 ping C 33 port blocking 2 power cords connecting 2 8 power sup...

Page 456: ...proxy server C 120 reverse proxy server configuration activate command C 150 certgroup serverauth command C 150 end command C 151 exit command C 151 finished command C 152 help command C 152 info command C 152 localport command C 153 log url command C 153 secpolicy command C 154 serverauth enable command C 155 serverauth ignore command C 155 session cache enable command C 156 session cache size co...

Page 457: ... 5 C 9 symbolic hostnames C 8 12 terminal settings 3 3 4 5 C 9 using the QuickStart wizard 3 4 server C 122 serverauth domain name C 131 serverauth enable C 131 C 155 server authentication certgroup serverauth command in backend server configuration command set C 124 configuring with CLI 4 21 serverauth ignore C 132 C 155 server configuration activate command C 165 C 175 cert command C 165 certgro...

Page 458: ... timeout configuration manager example 4 31 sharedcipher error C 182 shipment contents 2 2 show access list C 77 show arp C 35 show copyrights C 35 show cpu C 35 show date C 36 show device C 36 show diagnostic report C 78 show dns C 37 show flows C 37 show history C 37 show interface C 38 show interface errors C 38 show interface statistics C 39 show ip domain name C 40 show ip name server C 40 sh...

Page 459: ...nd C 95 show snmp command C 79 snmp access list command C 96 snmp contact command C 97 snmp default community command C 97 snmp enable command C 98 snmp location command C 99 snmp trap host command C 100 snmp trap type enterprise command C 101 snmp trap type generic command C 102 snmp access list C 96 snmp contact C 97 snmp default community C 97 snmp enable C 98 snmp location C 99 snmp trap host ...

Page 460: ...command C 116 exit command C 116 finished command C 116 gencsr command C 116 help command C 117 import pkcs12 command C 118 import pkcs7 command C 118 key command C 119 reverse proxy server command C 120 secpolicy command C 121 server command C 122 tcp tuning command C 122 SSL configuration command set C 113 sslport C 183 sslv2 enable C 134 C 157 C 183 sslv3 enable C 134 C 158 C 184 SSL versions c...

Page 461: ...and C 107 telnet access list C 106 telnet connection description C 7 12 initiating a management session 3 3 4 6 C 10 symbolic hostnames C 8 12 using the QuickStart wizard 3 4 telnet enable C 107 telnet port C 107 terminal baud C 63 terminal history C 64 terminal length C 65 terminal pager C 65 terminal reset C 66 terminal settings 3 3 4 5 C 9 terminal width C 66 text conventions xxxiii C 2 D 2 time...

Page 462: ...8 web mgmt enable command C 109 web mgmt port command C 110 Web management configuring client side access 5 4 enabling 5 2 restricting access 5 3 See also GUI web mgmt access list C 108 web mgmt enable C 109 web mgmt port C 110 website configuration B 30 Windows 2000 IIS 5 6 Windows NT IIS 4 5 wnd scale C 204 write flash C 81 write memory C 81 write messages C 82 write network C 82 write terminal ...