3-9

Cisco 11000 Series Secure Content Accelerator Configuration Guide

78-13124-05 

Chapter 3      Using the QuickStart Wizard

Using the QuickStart Wizard

ARC4 is compatible with RC4™ from RSA Data Security; ARC2 is compatible with RC2™ from RSA Data Security.

Enter the security policy for ssl-server ‘myServer’ [default]: 

At the prompt, enter the name of the security policy to use, or simply press Enter to use the “default” security policy. The “strong” policy includes the most secure algorithms. The “weak” policy algorithms are less secure and appropriate for export use. The “default” policy algorithms are those most commonly used. See Appendix F for more algorithm information. If you enter an invalid security policy name, you receive an error message and are prompted to re-enter the name.

Note

When using the QuickStart wizard in FIPS Mode, only security policies containing one or more FIPS-compliant algorithms are available.

After the name of the security policy is accepted, you are prompted to verify the logical secure server configuration.

SSL-SERVER ‘myServer’ SUMMARY

The following SSL-server will be created:

SSL-server name       :myServer
IP address            :10.1.2.3
Secure Port           :443
Clear Port            :80
Key name              :default
Cert name             :default
Security Policy name  :strong

Is the above information correct? (y/n) :

If the information is correct, type y. The logical secure server you have configured is created. If you type n, the server configuration process restarts using the current secure server.

Would you like to use the QuickStart wizard to create another ssl-server? (y/n):
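The policy prompt and the SSL-SERVER SUMMARY above, modelled as a small checker (an added example, not code from the Cisco guide): it parses the summary block the wizard prints, mirrors the prompt's rules (Enter means “default”, unknown names are rejected, FIPS Mode offers only policies with a FIPS-compliant algorithm) and flags the export-grade “weak” policy. The cipher algorithms assigned to each policy and the FIPS-approved set are assumptions constructed for the example; the sample summary text is constructed to match the block shown on this page.

```python
import ipaddress
import re

# Policy names and their descriptions come from the guide. The algorithm sets
# below are an ASSUMPTION for this example; a real device reports its own
# lists with "show ssl secpolicy".
SECURITY_POLICIES = {
    "default": {"DES-CBC3-SHA", "ARC4-MD5", "ARC4-SHA"},
    "strong":  {"DES-CBC3-SHA", "DES-CBC3-MD5", "DES-CBC-SHA"},
    "weak":    {"EXP-ARC4-MD5", "EXP-DES-CBC-SHA"},
}
# Algorithms assumed acceptable in FIPS Mode (constructed for the example).
FIPS_ALGORITHMS = {"DES-CBC-SHA", "DES-CBC3-SHA"}

REQUIRED_FIELDS = ("SSL-server name", "IP address", "Secure Port", "Clear Port",
                   "Key name", "Cert name", "Security Policy name")

# One summary line looks like "Secure Port           :443".
SUMMARY_LINE = re.compile(r"^\s*(?P<field>[A-Za-z -]+?)\s*:(?P<value>\S*)\s*$")

# Constructed sample, laid out like the wizard's summary block.
SAMPLE_SUMMARY = """\
SSL-SERVER 'myServer' SUMMARY

The following SSL-server will be created:

SSL-server name       :myServer
IP address            :10.1.2.3
Secure Port           :443
Clear Port            :80
Key name              :default
Cert name             :default
Security Policy name  :strong

Is the above information correct? (y/n) :
"""


def parse_summary(text):
    """Return the 'Field :value' lines of a summary block as a dict."""
    fields = {}
    for line in text.splitlines():
        m = SUMMARY_LINE.match(line)
        if m and m.group("value"):          # skip prompts with no value
            fields[m.group("field").strip()] = m.group("value")
    return fields


def available_policies(fips_mode):
    """In FIPS Mode only policies with at least one FIPS algorithm are offered."""
    if not fips_mode:
        return set(SECURITY_POLICIES)
    return {name for name, algs in SECURITY_POLICIES.items() if algs & FIPS_ALGORITHMS}


def select_policy(entered, fips_mode=False):
    """Mirror the wizard prompt: empty input selects 'default'; an unknown or
    unavailable name raises ValueError so the caller can re-prompt."""
    name = entered.strip() or "default"
    if name not in available_policies(fips_mode):
        raise ValueError(f"invalid security policy name: {name!r}")
    return name


def audit_summary(text, fips_mode=False):
    """Check a summary block before answering 'y'; an empty list means clean."""
    f = parse_summary(text)
    findings = [f"missing field: {k}" for k in REQUIRED_FIELDS if k not in f]
    if findings:
        return findings
    try:
        ipaddress.IPv4Address(f["IP address"])
    except ipaddress.AddressValueError:
        findings.append(f"bad IP address: {f['IP address']}")
    ports = {}
    for key in ("Secure Port", "Clear Port"):
        if not f[key].isdigit() or not 1 <= int(f[key]) <= 65535:
            findings.append(f"bad {key}: {f[key]}")
        else:
            ports[key] = int(f[key])
    if len(ports) == 2 and ports["Secure Port"] == ports["Clear Port"]:
        findings.append("secure and clear ports are identical")
    policy = f["Security Policy name"]
    try:
        select_policy(policy, fips_mode)
    except ValueError as exc:
        findings.append(str(exc))
    else:
        if policy == "weak":
            findings.append("policy 'weak' is export-grade; prefer 'strong' "
                            "unless export rules require it")
    return findings


if __name__ == "__main__":
    for fips in (False, True):
        print(f"FIPS Mode={fips}: {audit_summary(SAMPLE_SUMMARY, fips) or 'clean'}")
```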

Summary of Contents for CSS11501 - 100Mbps Ethernet Load Balancing Device

Page 1: ...West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 526 4100 Cisco 11000 Series Secure Content Accelerator Configuration Guide Software Version 4 1 0 December 2002 Text Part Number 78 13124 05 ...

Page 2: ...difying the equipment without Cisco s written authorization may result in the equipment no longer complying with FCC requirements for Class A or Class B digital devices In that event your right to use the equipment may be limited by FCC regulations and you may be required to correct any interference to radio or television communications at your own expense You can determine whether your equipment ...

Page 3: ...iQuick Study are service marks of Cisco Systems Inc and Aironet ASIST BPX Catalyst CCDA CCDP CCIE CCNA CCNP Cisco the Cisco Certified Internetwork Expert logo Cisco IOS the Cisco IOS logo Cisco Press Cisco Systems Cisco Systems Capital the Cisco Systems logo Empowering the Internet Generation Enterprise Solver EtherChannel EtherSwitch Fast Step GigaStack Internet Quotient IOS IP TV LightStream MGX...

Page 4: ......

Page 5: ...Documentation xxxv Documentation Feedback xxxv Obtaining Technical Assistance xxxvi Cisco com xxxvi Technical Assistance Center xxxvi Cisco TAC Web Site xxxvii Cisco TAC Escalation Center xxxviii C H A P T E R 1 Overview 1 1 Product Overview 1 2 Secure Content Accelerator Versions 1 3 C H A P T E R 2 Installing the Hardware and Software 2 1 Site Requirements 2 2 Required Tools and Equipment 2 2 Sh...

Page 6: ...rt Wizard 3 1 Before You Begin 3 2 Initiating a Management Session 3 2 Serial Management and IP Address Assignment 3 2 Telnet 3 3 Starting the QuickStart Wizard 3 4 Using the QuickStart Wizard 3 5 Using the QuickStart Wizard with a Configured Appliance 3 14 C H A P T E R 4 Using the Configuration Manager 4 1 Overview 4 2 Configuration Security 4 3 Passwords 4 3 Access Lists 4 3 Factory Default Res...

Page 7: ...iguration File 4 17 Step Up Certificates and Server Gated Cryptography 4 17 Configuring Certificate Groups 4 18 Example Configuring a Certificate Group 4 18 Example Importing Certificate Groups 4 20 Using Client and Server Certificate Authentication 4 21 Example Configuring Server Certificate Authentication 4 21 Example Configuring Client Certificate Authentication 4 23 Generating Keys and Certifi...

Page 8: ... for Client Side Access 5 4 Administrative Time Out 5 5 Web Management User Interface 5 5 General Configuration Examples 5 7 Example Setting the Device Name Hostname 5 7 Example Resetting the IP Address 5 8 Example Configuring an Ethernet Interface 5 9 Example Enabling RIP 5 10 Example Adding a Route to the Routing Table 5 11 Example Working with Syslogs 5 13 Example Restricting Access using an Ac...

Page 9: ...ple Importing a PKCS 12 Certificate Group 5 47 Running the Secure Server Wizard 5 48 C H A P T E R 6 FIPS Operation 6 1 FIPS Capabilities 6 2 Using FIPS Mode 6 2 Creating a Server in FIPS Mode 6 5 Command Changes 6 7 Unavailable Commands 6 7 Differing Command Behaviors 6 7 Returning to Normal Operation 6 9 More Information 6 10 A P P E N D I X A Specifications A 1 Electrical Specifications A 2 Env...

Page 10: ...rent Local Listen B 31 A P P E N D I X C Command Summary C 1 Input Data Format Specification C 2 Text Conventions C 2 Editing and Completion Features C 3 Command Hierarchy C 5 Configuration Security C 6 Passwords C 6 Access Lists C 7 Factory Default Reset Password C 7 Methods to Manage the Device C 7 Initiating a Management Session C 9 Serial Management and IP Address Assignment C 9 Telnet C 10 To...

Page 11: ... C 15 show copyrights C 15 show cpu C 15 show date C 16 show device C 16 show dns C 16 show flows C 17 show history C 17 show interface C 18 show interface errors C 18 show interface statistics C 19 show ip domain name C 20 show ip name server C 20 show ip routes C 21 show ip statistics C 21 show keepalive monitor C 21 show log C 22 show memory C 22 show messages C 22 show netstat C 23 ...

Page 12: ...ver C 25 show rip C 25 show route C 25 show sessions C 26 show sntp C 26 show sntp server C 26 show ssl C 27 show ssl cert C 27 show ssl certgroup C 28 show ssl errors C 29 show ssl key C 34 show ssl secpolicy C 34 show ssl server C 35 show ssl session stats C 36 show ssl statistics C 38 show ssl tcp tuning C 40 show syslog C 41 show system resources C 41 show telnet C 42 show terminal C 42 show t...

Page 13: ...rface statistics C 48 clear ip routes C 48 clear ip statistics C 49 clear line C 49 clear log C 49 clear messages C 50 clear ssl session stats C 50 clear ssl statistics C 50 configure C 51 copy running configuration C 51 copy running configuration startup configuration C 52 copy startup configuration C 52 copy startup configuration running configuration C 53 copy to flash C 53 copy to running conf...

Page 14: ...list C 57 show diagnostic report C 58 show running configuration C 59 show snmp C 59 show startup configuration C 60 write flash C 61 write memory C 61 write messages C 62 write network C 62 write terminal C 63 Configuration Command Set C 64 access list C 64 clock C 65 end C 66 exit C 66 finished C 66 help C 67 hostname C 67 interface C 68 ip address C 68 ip domain name C 69 ip name server C 69 ...

Page 15: ... rdate server C 73 registration code C 74 rip C 74 no snmp C 75 snmp access list C 76 snmp contact C 77 snmp default community C 77 snmp enable C 78 snmp location C 79 snmp trap host C 80 snmp trap type enterprise C 81 snmp trap type generic C 82 sntp interval C 83 sntp server C 84 ssl C 84 syslog C 85 telnet access list C 86 telnet enable C 87 telnet port C 87 timezone C 88 web mgmt access list C...

Page 16: ... C 91 duplex C 91 end C 91 finished C 92 help C 92 speed C 92 SSL Configuration Command Set C 93 backend server C 93 cert C 94 certgroup C 95 end C 96 exit C 96 finished C 96 gencsr C 96 help C 97 import pkcs12 C 98 import pkcs7 C 98 key C 99 reverse proxy server C 100 secpolicy C 101 server C 102 tcp tuning C 102 Backend Server Configuration Command Set C 104 activate C 104 ...

Page 17: ...nable C 107 keepalive frequency C 107 keepalive maxfailure C 108 localport C 108 log url C 109 remoteport C 109 secpolicy C 110 serverauth domain name C 111 serverauth enable C 111 serverauth ignore C 112 session cache enable C 112 session cache size C 113 session cache timeout C 113 sslv2 enable C 114 sslv3 enable C 114 suspend C 115 tcp tuning C 115 tlsv1 enable C 116 transparent C 116 urlrewrit...

Page 18: ...r C 118 end C 119 exit C 119 finished C 119 help C 119 info C 120 pem C 120 pem paste C 120 Certificate Group Configuration Command Set C 122 cert C 122 end C 122 exit C 123 finished C 123 help C 123 info C 124 Key Configuration Command Set C 125 binhex C 125 der C 125 end C 126 exit C 126 finished C 126 genrsa C 126 help C 127 info C 128 net iis C 128 ...

Page 19: ...30 end C 131 exit C 131 finished C 132 help C 132 info C 132 localport C 133 log url C 133 secpolicy C 134 serverauth enable C 135 serverauth ignore C 135 session cache enable C 136 session cache size C 136 session cache timeout C 137 sslv2 enable C 137 sslv3 enable C 138 suspend C 138 tcp tuning C 139 tlsv1 enable C 139 urlrewrite C 140 Security Policy Configuration Command Set C 141 crypto C 141...

Page 20: ...e C 145 cert C 145 certgroup chain C 146 certgroup clientauth C 147 clientauth enable C 147 clientauth error C 148 clientauth verifydepth C 149 end C 150 ephemeral error C 150 ephrsa C 151 exit C 151 finished C 151 help C 152 httpheader C 152 info C 153 ip address C 153 keepalive enable C 154 keepalive frequency C 154 keepalive maxfailure C 155 key C 155 localport C 156 log url C 156 ...

Page 21: ...ut C 159 sharedcipher error C 160 sslport C 161 sslv2 enable C 161 sslv3 enable C 162 suspend C 162 tcp tuning C 163 tlsv1 enable C 163 transparent C 164 urlrewrite C 165 TCP Tuning Configuration Command Set C 167 2msltime C 167 delay ack C 168 finwt2time C 169 keepalive C 169 keepalive cnt C 170 keepalive intv C 171 max rexmit C 171 maxrt C 172 maxseg C 172 mtu C 173 nodelay C 174 nopush C 174 ...

Page 22: ...180 ts C 181 wnd scale C 182 A P P E N D I X D MiniMax Command Summary D 1 Text Conventions D 2 Getting Help D 3 Examples D 4 Configuring Basic Device Parameters D 4 Installing a MaxOS Image Netcat D 5 Installing a MaxOS Image Xmodem D 6 Extracting a Device Configuration D 7 Resetting the Environment to Factory Defaults D 8 Command Set D 10 question mark D 10 baud D 10 boot D 10 cat D 10 do D 11 e...

Page 23: ...t D 14 printenv D 14 rdate server D 14 reboot D 15 resetenv D 15 rm D 15 sbridge D 15 show D 16 version D 17 zap D 17 A P P E N D I X E Troubleshooting E 1 Troubleshooting the Hardware E 2 A P P E N D I X F SSL Introduction 1 Introduction to SSL 2 Port Blocking Mechanism 2 Before You Begin 4 Using Existing Keys and Certificates 4 Apache mod_SSL 5 ApacheSSL 5 ...

Page 24: ...et Password 8 Cisco SSL Configuration Components 8 Real Server IP Addresses 9 Keys 9 Certificates 9 Step Up Certificates and Server Gated Cryptography 9 Chained Certificates 10 Security Policies 10 Cisco Secure Content Accelerator Management 12 A P P E N D I X G Regulatory Information 15 Regulatory Standards Compliance 16 Canadian Radio Frequency Emissions Statement 16 FCC Class A 17 CISPR 22 EN 5...

Page 25: ...4 Resetting IP Information Configuration Example 5 9 Figure 5 5 Ethernet Interface Configuration Example 5 10 Figure 5 6 RIP Configuration Example 5 11 Figure 5 7 Routing Table Configuration Example 5 12 Figure 5 8 Adding a Route Example 5 12 Figure 5 9 Syslog Configuration Example 5 13 Figure 5 10 Access List Configuration Example 5 14 Figure 5 11 Add Access List Entry Example 5 15 Figure 5 12 Su...

Page 26: ...Policy Example 5 32 Figure 5 30 SSL Session Cache Example 5 32 Figure 5 31 Add URL Rewrite Rule Example 5 33 Figure 5 32 Add Secure Server Information Example 5 33 Figure 5 33 Add HTTP Headers Example 5 34 Figure 5 34 Add Keepalives Example 5 34 Figure 5 35 Certificate Groups Tab 5 35 Figure 5 36 Add Certificate Group Example 5 36 Figure 5 37 Assign Certificate Group Example 5 37 Figure 5 38 Confi...

Page 27: ...with a Load Balancer B 3 Figure B 3 Secure Content Accelerator In Line Installation B 5 Figure B 4 Secure Content Accelerator Transparent Sandwich Installation B 8 Figure B 5 Secure Content Accelerator One Armed Non Transparent Proxy Installation B 17 Figure B 6 Secure Content Accelerator One Armed Transparent Proxy Installation B 23 Figure C 1 Command Hierarchy C 5 Figure E 1 Troubleshooting Flow...

Page 28: ...Figures xxviii Cisco 11000 Series Secure Content Accelerator Configuration Guide 78 13124 05 ...

Page 29: ...n B 6 Table B 2 Transparent Sandwich Installation Device Configuration B 10 Table B 3 One Armed Non Transparent Proxy Installation Device Configuration B 18 Table B 4 One Armed Transparent Proxy Installation Device Configuration B 25 Table C 1 Input Data Formats C 2 Table C 2 Key Reference C 3 Table C 3 Output Description for show ssl errors C 29 Table C 4 Abbreviations Used for show ssl errors co...

Page 30: ...Tables xxx Cisco 11000 Series Secure Content Accelerator Configuration Guide 78 13124 05 ...

Page 31: ...on describes the contents of this guide Section Description Chapter 1 Overview This chapter describes the features and functions of the Secure Content Accelerator Chapter 2 Installing the Hardware and Software This chapter describes how to install the Secure Content Accelerator as a free standing or rack mount unit Chapter 3 Using the QuickStart Wizard This chapter provides instructions for using ...

Page 32: ...ure Content Accelerator Appendix B Deployment Examples This appendix provides examples for configuring and deploying the Secure Content Accelerator in conjunction with other networking hardware Appendix C Command Summary This appendix provides detailed command descriptions and examples to help you take advantage of Secure Content Accelerator features Appendix D MiniMax Command Summary MiniMax comm...

Page 33: ...stem to its power source Caution A caution means that a specific action you take could cause a loss of data or adversely impact use of the equipment Note A note provides important related information reminders and recommendations Bold text indicates a command in a paragraph Courier text indicates text that appears in a command line such as the command line interface or is returned by the computer ...

Page 34: ...the list topics is unimportant Obtaining Documentation The following sections explain how to obtain documentation from Cisco Systems World Wide Web You can access the most current Cisco documentation on the World Wide Web at the following URL http www cisco com Translated documentation is available at the following URL http www cisco com public countries_languages shtml Documentation CD ROM Cisco ...

Page 35: ...n through a local account representative by calling Cisco corporate headquarters California USA at 408 526 7208 or elsewhere in North America by calling 800 553 NETS 6387 Documentation Feedback If you are reading Cisco product documentation on Cisco com you can submit technical comments electronically Click Leave Feedback at the bottom of the Cisco Documentation home page After you complete the fo...

Page 36: ...rvices programs and resources at any time from anywhere in the world Cisco com is a highly integrated Internet application and a powerful easy to use tool that provides a broad range of features and services to help you to Streamline business processes and improve productivity Resolve technical issues with online support Download and test software packages Order Cisco learning materials and mercha...

Page 37: ...priority of the problem and the conditions of service contracts when applicable Cisco TAC Web Site The Cisco TAC Web Site allows you to resolve P3 and P4 issues yourself saving both cost and time The site provides around the clock access to online tools knowledge bases and software To access the Cisco TAC Web Site go to the following URL http www cisco com tac All customers partners and resellers ...

Page 38: ...ou contact the TAC Escalation Center with a P1 or P2 problem a Cisco TAC engineer will automatically open a case To obtain a directory of toll free Cisco TAC telephone numbers for your country go to the following URL http www cisco com warp public 687 Directory DirTAC shtml Before calling please check with your network operations center to determine the level of Cisco support services to which you...

Page 39: ... Content Accelerator Configuration Guide 78 13124 05 1 Overview This chapter describes the features and functions of the Secure Content Accelerator This chapter contains the following sections Product Overview Secure Content Accelerator Versions ...

Page 40: ...ure Content Accelerator provides Secure URL rewrite preventing URL redirects and references from breaking or circumventing SSL sessions FIPS compliant operation SCA2 only Firmware signatures are verified during startup and when a firmware image is uploaded to or loaded on the device Auto logout for increased configuration security Management via command line and Web based graphical user interfaces...

Page 41: ...ent Accelerator hardware models the SCA and SCA2 Any differences in displayed information are described where applicable The table below presents the differences between the two Secure Content Accelerator models Table 1 1 Secure Content Accelerator Model Differences Feature SCA SCA2 Maximum Connections 5000 30 000 Maximum Session Cache 75 000 300 000 Maximum SSL Servers 255 4095 Maximum Keys 255 4...

Page 42: ...Chapter 1 Overview Secure Content Accelerator Versions 1 4 Cisco 11000 Series Secure Content Accelerator Configuration Guide 78 13124 05 ...

Page 43: ...rator as a free standing or rack mounted unit Suggestions for using the Secure Content Accelerator in conjunction with other networking hardware are described in Appendix B Deployment Examples This chapter contains the following sections Site Requirements Shipment Contents Unpacking the Secure Content Accelerator Installing the Hardware Panel Descriptions Connecting to Power Connecting to Ethernet...

Page 44: ... This guide contains important safety information you should know before working with the system Please see Appendix A Required Tools and Equipment To install the Secure Content Accelerator you need the following tools and equipment A Phillips screwdriver Rack mount screws and appropriate screwdriver Shipment Contents The Secure Content Accelerator shipment contains the following items Secure Cont...

Page 45: ...tor later 2 Remove all accessories from the shipping carton 3 Check the accessories against the items listed in the section Shipment Contents Installing the Hardware Warning Before working on a system that has an on off switch turn OFF the power and unplug the power cord This unit has more than one power cord To reduce the risk of electric shock disconnect the two power supply cords before servici...

Page 46: ...ning Review nameplate ratings for correct voltage and load requirements For safety this equipment is required to be grounded through the ground conductor of the AC power cords Do not remove the cover of the Secure Content Accelerator There are electrical shock hazards present in the unit if the cover is removed To reduce the risk of fire or electric shock do not expose the Secure Content Accelerat...

Page 47: ...ts and six screws shipped with the Secure Content Accelerator a 2 Phillips screwdriver rack mounting screws and an appropriate screwdriver 1 Position the Secure Content Accelerator with the front panel facing you 2 Position a mounting bracket on one side of the chassis aligning the holes in the bracket with the screw holes on the chassis 3 Secure the bracket to the chassis with three screws and th...

Page 48: ... port One TEST LED One RESET switch Figure 2 1 Secure Content Accelerator Front Panel The rear panel of the Secure Content Accelerator shown in Figure 2 2 contains the following connectors and switches Two power inputs Two power switches Figure 2 2 Secure Content Accelerator Rear Panel Figure 2 3 shows the LED layout of the SCA Ethernet ports Table 2 1 describes the function of each LED on the SCA...

Page 49: ...n of each LED on the device Figure 2 4 SCA2 Ethernet Port Detail Table 2 1 SCA Port LED Descriptions LED Name Color State Indication LK Green Off No link established On Link established TX Amber Blinking Transmit activity detected RX Green Blinking Receive activity detected Test Amber Off Self diagnostics are successful On Self diagnostics are running Reset Switch Test LED 100 ACT LNK Server Netwo...

Page 50: ...r power switches are in the 0 off position 2 Attach the power cables to the Secure Content Accelerator by plugging the AC power cord connector into the power receptacle at the rear panel 3 Plug the power cords into dedicated three wire grounding receptacles 4 Switch the power switches to the 1 on position Note Connect the power supplies to different circuits to further ensure appliance availabilit...

Page 51: ...ses the Network port outbound traffic uses the Server port If you are using the appliance in one port mode you must connect it so that both client requests and server traffic travel through the Network port Use only Category 5 UTP cables with RJ 45 connectors The Secure Content Accelerator Ethernet interfaces are configured as NIC ports Use a straight through cable to connect the Secure Content Ac...

Page 52: ...Chapter 2 Installing the Hardware and Software Connecting to Ethernet 2 10 Cisco 11000 Series Secure Content Accelerator Configuration Guide 78 13124 05 ...

Page 53: ...se the configuration manager as described in Chapter 4 The QuickStart wizard presented in this chapter is available only from a CLI based management session See Chapter 5 for information about using the Secure Server wizard from a GUI based management session This chapter contains the following sections Before You Begin Initiating a Management Session Starting the QuickStart Wizard Using the Quick...

Page 54: ...eb pages The nature of the changes depends upon whether you are securing a previously unsecured site or adding the SSL appliance to an already secure server installation These changes are described in the section Web Site Changes in Appendix B Deployment Examples Note When using the QuickStart wizard in FIPS Mode only FIPS approved algorithms are available Initiating a Management Session Use the a...

Page 55: ... that communicates with the serial port connected to the appliance Use these settings 9 600 baud 8 data bits no parity 1 stop bit no flow control 3 Press Return Initial information is displayed followed by an SCA prompt 4 Enter Privileged and Configuration modes and set the IP address using the following commands Replace the IP address in the example with the appropriate one SCA enable SCA configu...

Page 56: ...ot been assigned an IP address you are prompted to assign a hostname and IP address before beginning the QuickStart configuration process Would you like to specify a hostname and IP address for this device Enter the hostname for this device The hostname is a user specified device name In this example we use the name myDevice When prompted for them enter the IP address netmask and default gateway f...

Page 57: ...ure server names can consist of Arabic numerals and upper and lowercase alphabetic underscore _ hyphen and period characters Secure server names must begin with an alphabetic character and have a limit of 15 characters Enter the IP address for myServer This is the IP address of the real server to which the clear text should be sent Enter the SSL port Enter the TCP service port for the appliance to...

Page 58: ...on 1 2 Note If you are using a key created with an IIS or non PEM encoded key or certificate use the default keys and certificates included with SSL device After configuring the device with the QuickStart wizard use the configuration manager to load your own certificate and key See Example Setting up a Secure Server in Chapter 4 and SSL Configuration Command Set in Appendix C If you have the key a...

Page 59: ...me myServer Ip address 10 1 2 3 Secure Port 443 Clear Port 80 Key name default Each ssl server is associated with a certificate 1 Certificate is stored in a file on a http or ftp server 2 Want to use an existing or default Certificate Choose the option corresponding to your situation 1 2 If you have the certificate available via a URL type 1 Enter the name of the certificate for ssl server myServe...

Page 60: ...ed a key and certificate that cannot be used together you are asked whether to re enter the key and certificate If you do not choose to re enter the key and certificate your choices are accepted but the secure server is not configured correctly and will not function properly After the certificate has been properly loaded you are shown a summary and asked to specify a security policy CONFIGURE SSL ...

Page 61: ...er an invalid security policy name you receive an error message and are prompted to re enter the name Note When using the QuickStart wizard in FIPS Mode only security policies containing one or more FIPS compliant algorithms are available After the name of the security policy is accepted you are prompted to verify the logical secure server configuration SSL SERVER myServer SUMMARY The following SS...

Page 62: ... its configuration security The password you enter is not displayed Would you like to set a name for this device y n q Type y and enter a name for the SSL appliance A default gateway is needed to connect outside of your local subnet Would you like to set a default gateway for this device y n q y Enter a default gateway for this device A default gateway is needed for the device to connect outside o...

Page 63: ...SHA EXP1024 ARC4 SHA NULL MD5 NULL SHA EXP DES CBC SHA fips 3 0 DES CBC SHA DES CBC3 SHA strong 4 1 DES CBC MD5 DES CBC SHA DES CBC3 MD5 DES CBC3 SHA ARC4 MD5 ARC4 SHA all 5 0 DES CBC MD5 DES CBC SHA DES CBC3 MD5 DES CBC3 SHA ARC4 MD5 ARC4 SHA EXP ARC4 MD5 EXP ARC4 SHA EXP ARC2 MD5 EXP1024 ARC4 MD5 EXP1024 ARC2 CBC MD5 EXP1024 DES CBC SHA EXP1024 ARC4 SHA NULL MD5 NULL SHA EXP DES CBC SHA noexport...

Page 64: ...g the key V Validity The validity of the key as loaded into the device Column Description Id The number of the certificate as loaded into the device RCCG Reference Count Certificate Group The number of certificate groups using the certificate RCPS Reference Count Proxy Server The number of SSL servers using the certificate V Validity The validity of the certificate as loaded into the device Y indi...

Page 65: ...used Column Description Name The name of the SSL server Id The number of the SSL server as loaded into the device Secure SSL IP The IP address and TCP service port to monitor for SSL transaction requests Plaintext IP The IP address and TCP service port used to send decrypted SSL traffic to the server KC The validity of the key and certificate pair assigned to the SSL server U indicates the key or ...

Page 66: ...art Wizard with a Configured Appliance If you wish to run the QuickStart wizard for a previously configured Cisco Secure Content Accelerator follow these steps 1 Initiate a management session and start the configuration manager as described previously 2 Use the appropriate method to attach to the device 3 Enter Privileged mode 4 Enter the command quick start 5 Go to Using the QuickStart Wizard ...

Page 67: ...ol components This chapter contains the following sections Overview Configuration Security Before You Begin Initiating a Management Session Configuring the Device Step Up Certificates and Server Gated Cryptography Configuring Certificate Groups Using Client and Server Certificate Authentication Generating Keys and Certificates Supporting SNMP Supporting RIP Supporting Other Secure Protocols Suppor...

Page 68: ... 4 1 Figure 4 1 Configuration Manager Hierarchy To configure items in a submode activate the submode by entering a command in the mode above it For example to set the network interface speed or duplex you must first enter enable configure then interface network To return to the higher Configuration mode simply enter end or exit or press CTRL D The finished command returns to the Top Level from any...

Page 69: ...e level passwords control who can view the same data available with access level passwords as well as view sensitive data and configure the device SSL devices are shipped without passwords Setting passwords is important because the device can be administered over a network For more information about passwords see the commands password access and password enable in Appendix C Note FIPS compliant op...

Page 70: ...he factory default reset Before You Begin Before configuring the SSL appliance you must have a certificate and keys for the server You can use the files you received from the Certificate Authority copy the keys and certificate from an existing secure server use default keys and certificates preloaded in the device or generate your own keys and certificates Instructions for exporting keys and certi...

Page 71: ...hance of graphic anomalies please use the same settings with the serial terminal software The device terminal settings can be changed if necessary Use the standard ANSI setting on the serial terminal software 1 Attach the included null modem cable to the appliance port marked CONSOLE Attach the other end of the null modem cable to a serial port on the configuring computer 2 Launch any terminal emu...

Page 72: ...on with the IP address previously assigned to the appliance 2 An SCA prompt is displayed Note When prompted to supply a file name during a telnet management session you must supply it as a URL in the form of HOST PATH FILENAME using the http https ftp or tftp prefix Configuring the Device When you configure an appliance to perform SSL offloading you are actually setting up one or more logical secu...

Page 73: ...ection continue with step 3 If you wish to use a telnet connection initiate a telnet session with the IP address assigned in step 1 and go to step 3 3 Use the following commands to enter Privileged and Configuration modes and change the name of the SSL appliance to myDevice SCA enable SCA configure config CS 10 1 2 3 hostname myDevice config CS 10 1 2 3 end SCA configure config myDevice 4 Set the ...

Page 74: ...M encoded key file Return to SSL Configuration Mode config ssl myDevice key myKey create config ssl key myKey pem keyFile config ssl key myKey end config ssl myDevice Note Use the der command when using DER encoded keys and certificates the net iis command when using keys exported from IISþ4 Note Key names can consist of Arabic numerals and upper and lowercase alphabetic underscore _ hyphen and pe...

Page 75: ...PS Mode only the FIPS security policy is available Note Security policy names can consist of Arabic numerals and upper and lowercase alphabetic underscore _ hyphen and period characters Security policy names must begin with an alphabetic character and have a limit of 15 characters 5 Enter Server Configuration mode and create a server named myServer Assign the IP address 10 1 2 4 Assign port 443 fo...

Page 76: ...r This example describes how to use the configuration manager to set up a backend server 1 Enter Privileged Configuration and SSL Configuration modes SCA enable SCA configure config myDevice ssl config ssl myDevice 2 Enter Backend Server Configuration mode and create a backend server named myBackServ config ssl myDevice backend server myBackServ create config ssl backend myBackServ 3 Assign an IP ...

Page 77: ...mple Setting up a Reverse Proxy Server This example describes how to use the configuration manager to set up a reverse proxy server 1 Enter Privileged Configuration and SSL Configuration modes SCA enable SCA configure config myDevice ssl config ssl myDevice 2 Enter Reverse Proxy Server Configuration mode and create a server named myRevServ config ssl myDevice reverse proxy server myRevServ create ...

Page 78: ...ice as a proxy Example Configuring Secure URL Rewrite The Secure URL Rewrite feature prevents URL redirects and references from breaking or circumventing SSL sessions This example uses the CLI The same options are available in the GUI 1 Open a management session with the device 2 Enter Privileged Configuration and SSL Configuration modes SCA enable SCA configure config SCA ssl config ssl SCA 3 Ent...

Page 79: ... sslport 443 clearport 81 redirectonly
5. A wildcard can be used to specify multiple SSL hosts in the same domain.
(config-ssl-server[myServer])# urlrewrite *.mybusiness3.com sslport 443 clearport 81
Note: Do not use *.com as a filter. The definition is too broad.
domainName: The domain or file identifier, as a domain name, IP address, or path and file name. An asterisk (*) wildcard character can be used to specify mo...

Page 80: ... 81 No. For more information about URL rewriting, contact your Cisco representative for a copy of the white paper "SSL Offloaders and Contextual Consistency". Example: Configuring SNTP Servers. Up to four SNTP servers can be configured on the Secure Content Accelerator. Note: To provide increased security, we recommend using an SNTP server on the internal network. Using an external SNTP server might compromi...

Page 81: ...ratum 2
10.2.22.6  0/0 fails/tries  stratum 2
SNTP synchronization interval: 43200 seconds
(config[SCA])#
The show device command and an example of returned information are presented below.
(config[SCA])# show device
SNTP: sync'ing every 43200 s from 10.1.24.2, 10.1.24.4, 10.2.22.2, 10.2.22.6
Any errors resulting from polling or synchronization are written to syslog messages.
Example: Restricting Access using an Access List ...

Page 82: ...pecific IP address.
(config[myDevice])# telnet access-list 2
6. Exit to Privileged mode and save the configuration to flash memory. If it is not saved, the configuration is lost during a power cycle or when the reload command is used.
(config[myDevice])# finished
SCA# write flash
SCA#
Note: In FIPS Mode, access lists can be configured but assigned only to the SNMP subsystem.
Configuring an Ethernet Interface. The Et...

Page 83: ...ration.
SCA# write flash
SCA#
3. Save the startup configuration to a file.
SCA# copy startup-configuration https://www.mycorp.com/myconfig
SCA#
Before this file is uploaded to the device, you must reload the keys and configure the passwords on the device. Use the same key object names previously used to reference the keys.
Step-Up Certificates and Server-Gated Cryptography. Cisco Secure Content Accelerator sup...

Page 84: ...rusted CA certificate, clients accept them during SSL negotiations. Example: Configuring a Certificate Group. The locally created certificate, the intermediary CA certificate signed by a trusted CA, and any other intermediary certificates are loaded into individual certificate objects that are combined into a certificate group. This example demonstrates how to load an intermediate CA certificate into a c...

Page 85: ...sl[myDevice])#
5. Enter Certificate Group Configuration mode, create the certificate group CACertGroup, load the certificate object CACert, and return to SSL Configuration mode.
(config-ssl[myDevice])# certgroup CACertGroup create
(config-ssl-certgroup[CACertGroup])# cert CACert
(config-ssl-certgroup[CACertGroup])# end
(config-ssl[myDevice])#
6. Enter Server Configuration mode, create the logical secure server server1, assi...

Page 86: ... Configuration modes.
3. Enter SSL Configuration mode.
(config[myDevice])# ssl
(config-ssl[myDevice])#
4. Specify the PKCS #7 file to import, indicating the appropriate encoding (in this example, PEM). In this example the name of the certificate group to create is myCertGroup. The certificate prefix is impt; the certificate prefix is optional. This command must be entered on one line.
(config-ssl[myDevice])# import pkcs7 m...

Page 87: ...ification authentication can be configured on both backend and reverse proxy servers. The configuration procedure for both server types is nearly identical. This example demonstrates how to configure an existing backend server for server certificate authorization using the certificate group servTrustGroup. The domain name (for backend server configuration only) is www.mycorp.com. Several options are ava...

Page 88: ...rverauth enable
(config-ssl-backend[myBackServ])# serverauth ignore none
(config-ssl-backend[myBackServ])# certgroup serverauth servTrustGroup
5. Enter a domain name to use for certificate comparison. This is necessary only for backend servers, when server certificate authentication is not set to ignore domain name errors. The final command must be entered on a single line.
(config-ssl-backend[myBackServ])# server...

Page 89: ...session as described previously.
2. Enter Privileged and Configuration modes.
SCA> enable
SCA# configure
(config[myDevice])#
3. Enter SSL Configuration mode and Server Configuration mode for the server myServ.
(config[myDevice])# ssl
(config-ssl[myDevice])# server myServ
(config-ssl-server[myServ])#
4. Enter the following commands to enable client certificate authentication, set the handling of authentication errors, an...

Page 90: ...l
(config-ssl[myDevice])# key myGenKey create
(config-ssl-key[myGenKey])#
2. Enter the following command to generate a 1024-bit key using the seed string "lemon". The key is displayed once using DES encryption. The resulting key is stored on the device as well as exported to a PEM-encoded file named mykey.pem. This command must be entered on one line.
(config-ssl-key[myGenKey])# genrsa bits 1024 encrypt des seed lem...

Page 91: ...rting SNMP. Cisco Secure Content Accelerator devices have basic support for SNMP functions. The device is shipped with SNMP disabled. This example demonstrates how to set basic SNMP data. Example: Configuring SNMP.
1. Initiate a management session as described previously.
2. Enter Privileged and Configuration modes.
SCA> enable
SCA# configure
3. Enter SNMP data and enable SNMP. Access list 1 has already been cr...

Page 92: ...rt Routing Information Protocol (RIP) versions 1 and 2. This example demonstrates how to enable RIP version 1 packet usage. Example: Configuring RIP.
1. Initiate a management session as described previously.
2. Enter Privileged and Configuration modes.
SCA> enable
SCA# configure
3. Enable reception and processing of RIP version 1 packets. Then return to Privileged mode.
(config[myDevice])# rip v1
(config[myDevice])# end...

Page 93: ...ession as described above. Enter Privileged and Configuration modes. Enter a default router. Enter SSL Configuration mode. 2. Enter Server Configuration mode and create a server named mySecureMail. Assign an IP address and netmask. Assign port 995 for monitoring for POP3S (S-POP) connections and port 110 for sending clear text. Assign the appropriate key, certificate, and security policy. Return to Privileged ...

Page 94: ...syslog ip 10.1.1.2 122 port 514 facility 1
(config[myDevice])# end
SCA#
4. Save the configuration to flash memory. If not saved, the configuration is lost during a power cycle or when the reload command is used.
SCA# write flash
SCA#
Disabling SSL Versions. In certain situations you may want to disable individual SSL versions. The SCA allows you to enable or disable these on a version-by-version basis for indi...

Page 95: ...his server by entering the info command.
(config-ssl-server[myServer])# info
SSL version: v3 tls1
6. Return to Privileged mode.
(config-ssl-server[myServer])# finished
SCA#
7. Save the configuration to flash memory. If not saved, the configuration is lost during a power cycle or when the reload command is used.
SCA# write flash
SCA#
Enabling Keepalives. You can enable and configure keepalive GET messages between the v...

Page 96: ...palive messaging.
(config-ssl-server[myServer])# keepalive enable
(config-ssl-server[myServer])#
5. Set the keepalive message frequency to 8 seconds and the failure interval to 5 non-responded keepalive messages.
(config-ssl-server[myServer])# keepalive frequency 8
(config-ssl-server[myServer])# keepalive maxfailure 5
(config-ssl-server[myServer])#
6. Verify the keepalive information by entering the info command.
(config-s...

Page 97: ...out period is 15 minutes. In the following example the idle timeout period is changed to 10 minutes.
1. Initiate a management session as described previously.
2. Enter Privileged and Configuration modes.
SCA> enable
SCA# configure
(config[myDevice])#
3. Reset the timeout period using the following command.
(config[myDevice])# password idle-timeout 10
(config[myDevice])#
4. Verify the keepalive information by entering th...


Page 99: ... browser-based method of configuring the Secure Content Accelerator. Note: The GUI cannot be used to configure the Secure Content Accelerator in FIPS Mode. See Chapter 6, FIPS Operation, for further information. This chapter contains the following sections: Overview; Browser and System Support; Enabling Web Management; Restricting Access to Web Management; Starting the GUI; Web Management User Interface; Gener...

Page 100: ...led. See the command web-mgmt in Appendix C. Browser and System Support. The GUI has the following requirements. Color recommendations: The minimum display resolution required is SVGA (800x600) resolution. For best results, use XGA (1024x768) resolution. Browser Support: The GUI requires Microsoft Internet Explorer version 5.x or later, or Netscape Navigator 4.77 or 6.x or later. Enabling Web Management. Web mana...

Page 101: ...s to the Secure Content Accelerator. Create one or more access lists using either the CLI (see Example: Restricting Access using an Access List in Chapter 4) or the GUI, as described later in this chapter. Starting the GUI. Follow these steps to use the GUI to manage the Secure Content Accelerator. 1. Launch the Web browser. 2. When configuring a device in dual-port mode from a computer via the Server port, e...

Page 102: ...Side Access. Use the commands below as an example to set up a secure server named web on the Secure Content Accelerator, allowing GUI configuration from the client-side (Network) port.
myDevice> attach
myDevice> enable
myDevice# configure
(config[myDevice])# ssl
(config-ssl[myDevice])# server web create
(config-ssl-server[web])# ip address 127.0.0.1
(config-ssl-server[web])# sslport 443
(config-ssl-server[web])# remoteport 8...

Page 103: ...e: Do not create an SSL server pointing to the IP address 127.0.0.1 and try to enable HTTPS access on the Subsystem tab in the Access content area. Administrative Time-Out. If the device senses no activity on a GUI management session for a certain period of time, the user is logged out of the device. The default idle timeout period is 15 minutes. This value can be reset using the Passwords tab of the...

Page 104: ...me and date parameters. Access: Set passwords, create and manage access lists, and specify subsystem access. Network: Manage Ethernet interfaces, view network statistics, view ARP information, view and add to the routing table, view interface statistics and errors, view IP statistics, set DNS information. Log: Set syslog message hosts and clear and view the device message log. Tools: Reboot the device, manage runn...

Page 105: ...system at any time when an enable password has been set. General Configuration Examples. The following examples demonstrate how to use the GUI to configure general Secure Content Accelerator settings. Note: To save time, make all the changes you wish, then click Save to Flash to write the configuration to the device flash memory. Example: Setting the Device Name (Hostname). Follow these steps to change the h...

Page 106: ...e 5-3 Changing Hostname Configuration Example. 4. Click Update. Example: Resetting the IP Address. 1. Click Network to activate the Network tabs. 2. Type the new IP address information, including the appropriate netmask and default router, in the Internet Address, Netmask, and Gateway text boxes, respectively, on the Settings tab. The Settings page opens as shown in Figure 5-4. ...

Page 107: ...ain situations, such as when changing to a different subnet, redirection might not occur. If the connection is not redirected, manually connect to the device. If you still are unable to connect, use the serial configuration manager to check the device configuration and try again. Example: Configuring an Ethernet Interface. 1. Click Network to activate the Network tabs. 2. Use the list box in the Network Inter...

Page 108: ...Figure 5-5 Ethernet Interface Configuration Example. 3. Click Update. Example: Enabling RIP. 1. Click Network to activate the Network tabs. 2. Click the Settings tab. The Settings page opens as shown in Figure 5-6. ...

Page 109: ...ral Configuration Examples. Figure 5-6 RIP Configuration Example. 3. Scroll to the bottom of the page, if necessary, to see the Rip panel. 4. Select the Enabled check box. 5. Click Update. Example: Adding a Route to the Routing Table. 1. Click Network to activate the Network tabs. 2. Click the Route tab. The Route page opens as shown in Figure 5-7. ...

Page 110: ...Figure 5-7 Routing Table Configuration Example. 3. Scroll to the bottom of the page, if necessary, to see the Add Route button. 4. Click Add Route. The Add Route window opens as shown in Figure 5-8. Figure 5-8 Adding a Route Example. ...

Page 111: ... Cancel to close the window without adding the route information. Example: Working with Syslogs. 1. Click Log to activate the Log tabs. The Settings page opens automatically as shown in Figure 5-9. Figure 5-9 Syslog Configuration Example. 2. Enter the IP addresses of the syslog hosts in the System Log Forwarding text boxes on the Settings tab. 3. Enter the appropriate port ID and select the desired facility ...

Page 112: ...ss List. This example demonstrates how to set up an access list to permit management access to the Secure Content Accelerator. 1. Click Access to activate the Access tabs. 2. Click the Access Control Lists tab. The Access Control Lists page opens as shown in Figure 5-10. Figure 5-10 Access List Configuration Example. 3. Click Add Access Entry. The Add Access Control List window opens as shown in Figure 5-11...

Page 113: ...General Configuration Examples. Figure 5-11 Add Access List Entry Example. 4. Enter the appropriate information for the list entry. See the access-list command in Appendix C for more information. 5. Click OK to create the access list entry and close the window. 6. Click the Subsystem tab. The Subsystem page opens as shown in Figure 5-12. ...

Page 114: ...Figure 5-12 Subsystem Access Configuration Example. 7. Type the number of the access list just created in the Access Control List Id text box of the Web Management panel. You can also change the TCP port on this tab. 8. Click Update. ...

Page 115: ...shown in Figure 5-13. Figure 5-13 Device Reloading Example. 2. If you have made changes to the device configuration but have not saved them to flash memory, click Save to Flash in the Status area, as shown in Figure 5-14. Caution: The appliance restarts using the configuration stored in flash memory. Any changes you have made but have not saved are lost. Figure 5-14 Save Changes Button. 3. Click Reboot on th...

Page 116: ...ate the Access tabs. The Password page opens automatically as shown in Figure 5-15. Figure 5-15 Change Password Example. 2. If an Enable password has already been assigned, type it in the Old Password text box. 3. Type the password to use in the New Password text box and retype it in the Confirm New Password text box. 4. Click Update to set the password. Note: To remove an existing Enable password entirely, ...

Page 117: ...ick SNMP to activate the SNMP tabs. The Settings page opens automatically as shown in Figure 5-16. Figure 5-16 SNMP Configuration Example. 2. Type the default community, contact information, and location information in the appropriate text boxes. Click Update after changing the value in each field and selecting the Enabled check box. 3. Click the Traps tab. The Traps page opens as shown in Figure 5-17. ...

Page 118: ...Figure 5-17 SNMP Trap Example. 4. Click Add Trap Host to specify a host to which to send trapping messages. The Add Trap Host window opens as shown in Figure 5-18. ...

Page 119: ...community name in the Community text box. Select the desired version of SNMP from the SNMP Version list box. 6. Click OK to add the trap host. 7. Set the desired traps by selecting the Enable option buttons and typing appropriate values in the Threshold, Hysteresis Low, and Hysteresis High text boxes. If you wish to use only one trap point, enter a value only in the Threshold/Hysteresis Low text box. Note: A...

Page 120: ...rator works with SSL protocol information. Example: Setting up a Secure Server. In this example the default SSL port (443) and remote port 81 are used. The user-specified key name is myKey, the certificate name is myCert, and the secure server name is myServer. The pre-loaded strong security policy is used. The first step is to load a key to assign to the secure server. In this example a key is imported into...

Page 121: ...ate Key window opens as shown in Figure 5-20. Figure 5-20 Add Private Key Example. 4. Click From File. The From File page opens as shown in Figure 5-21. In this example the key is imported from a file. Alternatively, you can copy the key from the key file and paste it into the Paste Private Key Here text box on the Paste tab. For an example of key generation, see Example: Generating an RSA Private Key. ...

Page 122: ...ect the appropriate Private Key File Encoding option button. Type the password for the key in the Private Key Password text box. Enter the key file name and path, or click the Browse button to find and select the file. 6. Click OK to load the key into the Secure Content Accelerator. Next, load a certificate to assign to the secure server. In this example a certificate is imported into the GUI. 7. Click the ...

Page 123: ...Figure 5-22 Certificates Tab ...

Page 124: ...8. Click Add Certificate. The Add Certificate window opens as shown in Figure 5-23. Figure 5-23 Add Certificate Example. ...

Page 125: ...ficate generation, see Example: Generating a Self-Signed Certificate below. Figure 5-24 Importing a Certificate Example. 10. Type the certificate name myCert in the Certificate Name text box. Select the appropriate Certificate File Encoding option button. Enter the certificate file name and path, or click the Browse button to find and select the file. 11. Click OK to load the certificate into the Secure Cont...

Page 126: ...12. Click the Security Policies tab. The Security Policies page opens as shown in Figure 5-25. Figure 5-25 Security Policies Tab. ...

Page 127: ...y Policy. The Add Security Policy window opens as shown in Figure 5-26. Figure 5-26 Add Security Policy Example. 14. Type the desired name in the Security Policy Name text box. Select the policies to include in the new security policy by clicking and CTRL-clicking the entries in the Security Policy Algorithms list box. 15. Click OK to create the policy. Now set up the secure server. ...

Page 128: ...16. Click the Secure Servers tab. The Secure Servers page opens as shown in Figure 5-27. Figure 5-27 Secure Servers Tab. 17. Click Add Secure Server. The Add Secure Server window opens as shown in Figure 5-28. ...

Page 129: ...ropriate option button. This example configures a Normal Server. Type the server name myServer in the Secure Server Name text box. Type the IP address of the server to which to send decrypted SSL traffic in the IP Address text box. Change the Clear Text Port to 81. 19. If you wish to use a log server, enter the appropriate information in the Log Server IP text boxes. 20. You can disable any of the SSL/TLS ...

Page 130: ...licy panel. Select myCert from the Certificate list box. Select myKey from the Private Key list box. Select strong from the Security Policy list box. These options are shown in Figure 5-29. Figure 5-29 Server Certificate and Security Policy Example. 23. If desired, alter the session cache information. The SSL Session Cache panel is shown in Figure 5-30. Figure 5-30 SSL Session Cache Example. 24. Set up Secure...

Page 131: ...ader Only check box to indicate that only 30x-series redirects referencing http (rather than all instances of http, such as those appearing intentionally in the application data) be rewritten. Note: For more information, see the Example: Configuring Secure URL Rewrite section on page 4-12. 25. Select the desired options in the Client Certificate Authentication panel, shown in Figure 5-32. Figure 5-32 Add Secure S...

Page 132: ...l servers on the device and hardware servers to which they refer. If no response is received from the hardware server after a set amount of time (maxfailure), the virtual server is marked as suspended. This information is configured in the Backend Server Keep Alive panel, as shown in Figure 5-34. Figure 5-34 Add Keepalives Example. 28. Click OK to create the secure server on the Secure Content Accelerator. Th...

Page 133: ...emonstrates how to select certificates already loaded in the Secure Content Accelerator to create a certificate group. Alternatively, a PKCS #7 certificate group can be imported directly. See Example: Importing a PKCS #7 Certificate Group below for a demonstration. 1. Click SSL to activate the SSL tabs. 2. Click the Certificate Groups tab. The Certificate Groups page is shown in Figure 5-35. Figure 5-35 Certi...

Page 134: ...tes listed in the Member Certificates list box to add to the certificate group. You can also click and SHIFT-click either end of a contiguous group of certificates to select all certificates in it. 6. Click OK to add the certificate group to the device. Follow the steps below to assign the certificate group to a secure server. 1. Click SSL to activate the SSL tabs. 2. Click the Secure Servers tab. 3. Either...

Page 135: ...orting Other Secure Protocols. The Secure Content Accelerator can be used for protocols other than pure SSL applications. In this example a secure server is set up to process only POP3S (S-POP) mail. 1. Click the Secure Servers tab. 2. Click Add Secure Server. The Add Secure Server window opens. 3. Type the server name mySecureMail in the Secure Server Name text box. Type the IP address of the server to which...

Page 136: ...rotocols Example. 4. Click OK to create the secure server in the Secure Content Accelerator. Example: Generating an RSA Private Key. This example demonstrates how to generate an RSA private key named myOwnKey. 1. Click SSL to activate the SSL tabs. 2. Click Add Private Key. The Add Private Key window opens. 3. Click the Generate tab. The Generate an RSA Private Key window opens as shown in Figure 5-39. ...

Page 137: ...key. 6. If you want to specify any additional seed data for the random number generator, type it into the Extra Random Number Generator Seed Data text box. 7. Choose an option in the Display Encrypted Key for Backup list box. Do Not Display Key: The private key is never displayed. You cannot save the key to a file for backup purposes. Display key using Des Encryption: The private key is displayed using DES ...

Page 138: ...Display Key was selected, the key is generated and a window opens reminding you that the key cannot be displayed or exported. This is shown in Figure 5-40. Click Close. Figure 5-40 Key Not Displayed Example. If either Display key using Des Encryption or Display key using Des3 Encryption were selected, the key is generated and a window opens displaying the encrypted key. This is shown in Figure 5-41. Click...

Page 139: ...Figure 5-41 Key Displayed Example ...

Page 140: ...icate. This example demonstrates how to generate a certificate signing request (CSR) and a self-signed certificate. 1. Click SSL to activate the SSL tabs. 2. Click the Certificates tab. 3. Click Add Certificate. The Add Certificate window opens. 4. Click the Generate CSR/Self-signed Certificate tab. The Generate CSR/Self-signed Certificate page opens as shown in Figure 5-42. Figure 5-42 Generate CSR Example. ...

Page 141: ...e desired domain name, country, state, locality, organization name, organization unit, and e-mail address in the appropriate text boxes. 7. Select the appropriate message digest format for the signing request from the CSR Message Digest list box. 8. Select the appropriate header from the CSR Header list box. 9. Click OK. The certificate is created and the Generate Certificate Signing Request (CSR) window opens as shown...

Page 142: ...te Authority. Note: If you know the preferred file name convention of the CA, name the file appropriately now. Otherwise, accept the default naming convention and rename the file later if necessary. 11. Click Self-sign this CSR to generate a self-signed digital certificate to be used for testing while you wait for the certificate to be signed. The Generate Self-signed Certificate window opens as shown in ...

Page 143: ...propriate date to begin validity of the certificate from the Start Date list boxes. Change the number of days the certificate is valid in the Days Valid text box, if desired. Click Generate Self-signed Certificate. The certificate is generated and a window opens allowing the certificate to be downloaded. The Generate Self-signed Certificate window is shown in Figure 5-45. Click Close. Figure 5-45 Success...

Page 144: ...ick Add Certificate Group. The Add Certificate Group window opens. 4. Click the From PKCS7 File tab. The Import PKCS7 File page opens as shown in Figure 5-46. Figure 5-46 Import PKCS #7 Certificate Group Example. 5. Type the name of the group in the Certificate Group Name text box. 6. Type the base name of the certificate in the Certificate Name Prefix text box. 7. Select the encoding option for the file to i...

Page 145: ...tivate the SSL tabs. 2. Click the Certificate Groups tab. 3. Click Add Certificate Group. The Add Certificate Group window opens. 4. Click the From PKCS12 File tab. The Import PKCS12 Certificate Chain window opens as shown in Figure 5-47. Figure 5-47 Import PKCS #12 Certificate Group Example. 5. Type the name of the group in the Certificate Group Name text box. 6. Type the key password in the Password text box. ...

Page 146: ...sic SSL secure server configuration, but it does not provide all the features of either the GUI or CLI alone. 1. Click SSL to activate the SSL tabs. 2. Click Secure Server Wizard. The first screen of the wizard opens as shown in Figure 5-48. Figure 5-48 Starting the Secure Server Wizard. 3. Follow the instructions and prompts in the wizard to configure the secure server. When you have completed configuring ...

Page 147: ...tion. This chapter describes how to use the Secure Content Accelerator in FIPS Mode for FIPS 140-2-compliant operation. This chapter contains the following sections: FIPS Capabilities; Using FIPS Mode; Command Changes; Returning to Normal Operation; More Information. Note: FIPS operation is only available on the SCA2. ...

Page 148: ...ated in FIPS Mode. Non-FIPS 140-2-compliant servers can be configured for compliance. Management is available only via a serial connection. Passwords at least eight characters in length are required at both access and configuration levels. Commands that do not support FIPS-compliant security measures are disabled in FIPS Mode. The command prompt contains the text FIPS to indicate the device is operatin...

Page 149: ...roved algorithms are supported. Only FIPS-compliant servers can be used. Management is available only via the serial console. Passwords must be at least eight characters long. Firmware signature verification is enabled. Some commands are not supported.
Are you sure you want to do this? (y/n) [n]:
4. The Secure Content Accelerator checks access- and enable-level passwords previously set, if any. The display reflec...

Page 150: ... Mode operation, the following text is displayed:
Your current enable level password is not valid for FIPS mode.
You need to provide an access level password of at least 8 characters.
Enter new password:
Confirm password:
d. If both the previously set access- and enable-level passwords are valid for FIPS Mode operation, no additional text is displayed.
5. The device reboots and enters FIPS Mode. Enter the acc...

Page 151: ...for FIPS compliance. Follow the steps below to create a FIPS-compliant server.
1. Connect to the Secure Content Accelerator using a serial management session and enter Privileged, Configuration, and SSL modes. Create a secure server named mySecServ.
FIPS-SCA> enable
FIPS-SCA# config
FIPS-(config[SCA])# ssl
FIPS-(config-ssl[SCA])# server mySecServ create
FIPS-(config-ssl-server[mySecServ])#
2. Assign an IP address, key, certific...

Page 152: ...ed, Configuration, and SSL modes. Create a security policy named myFIPS.
FIPS-SCA> enable
FIPS-SCA# config
FIPS-(config[SCA])# ssl
FIPS-(config-ssl[SCA])# secpolicy myFIPS create
FIPS-(config-ssl-secpolicy[myFIPS])#
2. Specify the 3DES-SHA cryptographic algorithm and return to SSL Configuration mode.
FIPS-(config-ssl-secpolicy[myFIPS])# crypto DES-CBC3-SHA
FIPS-(config-ssl-secpolicy[myFIPS])# exit
FIPS-(config-ssl[SCA])#
3. Enter Server Configuration...

Page 153: ...ds. Commands that are unavailable in FIPS Mode are shown in Table 6-1 below. Differing Command Behaviors: Some commands behave differently while the Secure Content Accelerator is in FIPS Mode. These commands and notes about their usage are presented in Table 6-2 below.
Table 6-1 Unavailable Commands
Operational Mode      | Command
Top Level Mode        | show telnet; show web-mgmt; write file
Configuration Mode    | telnet access...

Page 154: ...or all servers. All non-FIPS-compliant servers are disabled by default in FIPS Mode and cannot be enabled without reconfiguring them to be FIPS compliant. quick-start: When using the QuickStart wizard to create a server, only FIPS-compatible security policies are available. When using the QuickStart wizard to configure an existing server, only FIPS-compliant servers can be configured, and only security p...

Page 155: ...de. secpolicy: You can assign any security policy(ies); however, if non-FIPS-compliant security policies are assigned, the backend server is marked as FIPS suspended upon exiting Backend Server Configuration mode. Reverse Proxy Server Configuration Mode, secpolicy: You can assign any security policy(ies); however, if non-FIPS-compliant security policies are assigned, the reverse proxy server is marked as FIPS ...

Page 156: ...More Information. For more information about the NIST Cryptographic Module Validation Program, see http://csrc.nist.gov/cryptval/cmvp.htm ...

Page 157: ...Appendix A, Specifications. This appendix presents the specifications for both Secure Content Accelerator versions. It contains the following sections: Electrical Specifications; Environmental Specifications; Physical Specifications. ...

Page 158: ...ercurrent protection. Ensure that a fuse or circuit breaker no larger than 120 VAC, 15A (U.S.) or 240 VAC, 10A (international) is used on the phase conductors (all current-carrying conductors). Environmental Specifications: Table A-2 describes the Secure Content Accelerator environmental specifications.
Table A-1 AC Electrical Specifications (DC)
Specification   | Secure Content Accelerator
Voltage (AC)    | 100-240 VAC, 50-60...

Page 159: ...fications. Physical Specifications: Table A-3 describes the Secure Content Accelerator physical specifications.
Table A-3 Physical Specifications
Specification                  | Secure Content Accelerator
Chassis Dimensions (H x W x D) | 10 x 1.75 x 17 inches (25 x 4.4 x 42.5 cm)
Shipping Weight                | 6 lbs (2.72 kg) ...


Page 161: ... Deployment Examples. The following examples demonstrate how the Secure Content Accelerator can be integrated into a network. This appendix contains the following sections: Single Device; Load Balancing; Use with the CSS; Connecting the Device to a Terminal Server; Web Site Changes; Transparent Local Listen. ...

Page 162: ... Install the appliance as instructed previously. 2. Connect the Network Ethernet interface to the Internet. 3. Connect the Server Ethernet interface to Web server access. Load Balancing: Secure Content Accelerator devices can be installed in front of or behind a load balancer. If the load balancer is using URL- or cookie-related load balancing, install the appliance in front of the load balancer. In this co...

Page 163: ...er Ethernet interface to the load balancer. For information about configuring the Secure Content Accelerator in conjunction with the CSS 11000 Series Content Services Switch (hereinafter referred to as the CSS), see Use with the CSS. Use with the CSS: Using the Secure Content Accelerator with the CSS allows Layer 4 load balancing of the Secure Content Accelerator and Layer 5 routing and load balancing f...

Page 164: ...ses performance of the server farm by offloading all SSL processing from the servers. The Secure Content Accelerator is completely transparent to the CSS and servers. This deployment is the simplest to configure because it requires no specific inter-operational configuration on either the Secure Content Accelerator or the CSS. However, the deployment provides a low level of scalability based upon the ...

Page 165: ...configured to ensure that bridge loops are not created. If multiple Secure Content Accelerator devices are used, each must be attached to a separate VLAN on the CSS and/or the upstream Layer 2 switch. The Secure Content Accelerator intercepts all port 443 traffic for the IP addresses configured on it, decrypts the traffic, and forwards it as clear text on another TCP service port to the CSS. All port 80...

Page 166: ...Configuration: Create a VLAN for each Secure Content Accelerator. Create a VLAN for the servers. Create services as required for each server, adding keepalive attributes as necessary. Create a default ECMP route for each load-balanced Secure Content Accelerator using the upstream router as the gateway for each upstream VLAN. Create Layer 5 rules for the secure content. Create content rules as required fo...

Page 167: ...cp active; service s3 ip address 10.176.10.12 protocol tcp active; service s4 ip address 10.176.10.13 protocol tcp active; OWNER owner test; content http-non-secure port 80 vip address 10.176.11.100 protocol tcp port 80 url add service s1 add service s2 add service s3 add service s4 active; content http-secure port 81 vip address 10.176.11.100 add service s1 add service s2 add service s3 add service s4...

Page 168: ...tween two CSS devices, allowing load balancing of up to 15 Secure Content Accelerator devices. Applications such as reverse proxy caching and content-type separation can be enabled. The transparent sandwich deployment is moderately difficult to configure, with good scalability. A minimum of two CSS devices are required. Figure B-4 shows a typical deployment. Figure B-4 Secure Content Accelerator Transpar...

Page 169: ...t decrypts the traffic and forwards it as clear text on another TCP service port to the downstream CSS. The downstream CSS is configured with Layer 5 rules for all origin servers and multiple ECMP routes, each to a different upstream VLAN. The default ECMP configuration is to prefer ingress, ensuring that outbound traffic needing to be encrypted is routed to the Secure Content Accelerator responsible ...

Page 170: ...that VIP can be routed over the VLAN specified for port 80 and SSL traffic terminated on origin servers. Export keys and certificates from any existing secure servers if necessary. Assign an IP address to each Secure Content Accelerator as specified in the CSS configuration. Assign a default route for each Secure Content Accelerator using the upstream CSS VLAN circuit IP address as the gateway. Set up ...

Page 171: ... 0 0.0.0.0 10.100.1.1 1; ip route 10.176.10.0 255.255.255.0 10.176.11.0; INTERFACE interface ethernet-2 bridge vlan 2; interface ethernet-3 bridge vlan 3; interface ethernet-4 bridge vlan 4; interface ethernet-5 bridge vlan 5; interface ethernet-6 bridge vlan 6; interface ethernet-7 bridge vlan 7; interface ethernet-8 bridge vlan 8; CIRCUIT circuit VLAN1 ip address 10.176.1.1 255.255.255.0; circuit VLAN2 ip...

Page 172: ...5.255.255.0; circuit VLAN7 ip address 10.176.11.1 255.255.255.0; circuit VLAN8 ip address 10.100.132.101 255.255.0.0; SERVICE service ssl1 port 443 protocol tcp ip address 10.176.1.3 type transparent-cache active; service ssl2 port 443 protocol tcp ip address 10.176.2.3 type transparent-cache active; service ssl3 port 443 protocol tcp ip address 10.176.3.3 type transparent-cache active; service ssl4 por...

Page 173: ...service ssl5 port 443 protocol tcp ip address 10.176.5.3 type transparent-cache active; service ssl6 port 443 protocol tcp ip address 10.176.6.3 type transparent-cache active; OWNER owner test; content ssl protocol tcp port 443 add service ssl1 add service ssl2 add service ssl3 add service ssl4 add service ssl5 add service ssl6 active ...

Page 174: ...0 0.0.0.0 10.176.2.1 1; ip route 0.0.0.0 0.0.0.0 10.176.3.1 1; ip route 0.0.0.0 0.0.0.0 10.176.4.1 1; ip route 0.0.0.0 0.0.0.0 10.176.5.1 1; ip route 0.0.0.0 0.0.0.0 10.176.6.1 1; ip route 0.0.0.0 0.0.0.0 10.176.11.1 1; INTERFACE interface ethernet-2 bridge vlan 2; interface ethernet-3 bridge vlan 3; interface ethernet-4 bridge vlan 4; interface ethernet-5 bridge vlan 5; interface ethernet-6 bridge vlan 6; i...

Page 175: ...0; circuit VLAN6 ip address 10.176.6.3 255.255.255.0; circuit VLAN7 ip address 10.176.10.1 255.255.255.0; circuit VLAN8 ip address 10.176.11.2 255.255.255.0; circuit VLAN1 ip address 10.176.1.3 255.255.255.0; SERVICE service s1 ip address 10.176.10.10 protocol tcp active; service s2 ip address 10.176.10.11 protocol tcp active; service s3 ip address 10.176.10.12 protocol tcp active; service s4 ip address 1...

Page 176: ...oad balancing, SSL offloading, and Layer 5 switching, allowing load balancing at up to the limit of transactions per second of the CSS. Applications such as reverse proxy caching and content-type separation can be enabled. The level depends upon the type of content and the mix of HTTP 1.0 and HTTP 1.1 traffic. The one-armed non-transparent proxy deployment is complex to configure, but it provides a high ...

Page 177: ...th a different destination port definition. The Secure Content Accelerator does not use the IP address to ensure traffic is sent to the correct server, because the CSS changes the destination IP address to that of the Secure Content Accelerator. The Secure Content Accelerator is configured only at Layer 4. This configuration requires setting multiple destination IP / destination port pairs on the Secure...

Page 178: ...services as required for each server, adding keepalive attributes as necessary. Create a default route to the upstream router. Create Layer 4 rules for each incoming VIP and add appropriate Secure Content Accelerator services. Create Layer 5 rules for the secure content. Create content rules as required for non-secure content. Export keys and certificates from any existing secure servers if necessary. As...

Page 179: ...ip address 10.176.1.1 255.255.255.0; circuit VLAN7 ip address 10.176.10.1 255.255.255.0; circuit VLAN8 ip address 10.100.132.101 255.255.0.0; SERVICE service s1 ip address 10.176.10.10 protocol tcp active; service s2 ip address 10.176.10.11 protocol tcp active; service s3 ip address 10.176.10.12 protocol tcp active; service s4 ip address 10.176.10.13 protocol tcp active; service ssl1-443 port 443 protoco...

Page 180: ...p ip address 10.176.1.4 active; service ssl2-444 port 444 protocol tcp ip address 10.176.1.4 active; service ssl3-443 port 443 protocol tcp ip address 10.176.1.5 active; service ssl3-444 port 444 protocol tcp ip address 10.176.1.5 active; service ssl4-443 port 443 protocol tcp ip address 10.176.1.6 active; service ssl4-444 port 444 protocol tcp ip address 10.176.1.6 active; service ssl5-443 port 443 pro...

Page 181: ...service ssl6-444 port 444 protocol tcp ip address 10.176.1.8 active; OWNER owner test; content http-secure port 81 vip address 10.176.11.100 add service s1 add service s2 add service s3 add service s4 protocol tcp port 81 url secure active; content http-non-secure port 80 vip address 10.176.11.100 add service s1 add service s2 add service s3 add service s4 protocol tcp port 81 url active; content ssl ...

Page 182: ... add service ssl3-444 add service ssl4-444 add service ssl5-444 add service ssl6-444 active. One-Armed Transparent Proxy: This deployment uses a single CSS for load balancing up to 15 Secure Content Accelerator devices. The deployment combines the single-CSS solution of the proxy deployment with the transparency of the sandwich deployment. The one-armed transparent proxy deployment is the most complex...

Page 183: ...deployment has several constraints: No SSL client can be attached to a directly connected subnet; all SSL clients must pass through an upstream router. ACLs must be written so that Secure Content Accelerator management and other applications are passed through the CSS properly. Static routes must be added to the CSS so that traffic that should not pass through the Secure Content Accelerator devices is...

Page 184: ...or static route in such a way that it will force all traffic to the upstream router's ECMP route; all traffic matching the ACL or static route will bypass the Secure Content Accelerator devices. Thus, management of the Secure Content Accelerator devices and management stations requiring ICMP or SNMP to operate will not have access to SSL processing. Table B-4 shows basic configuration actions for both...

Page 185: ...nt and that no cache-bypass is configured. Create services as required for each server, adding keepalive attributes as necessary. Create Layer 4 content rules to balance the Secure Content Accelerator devices; you may use advanced-balance ssl and application ssl to assist with SSL V3 key reuse. Create Layer 5 rules for secure content. Create content rules as required for non-secure content. Define ACLs ...

Page 186: ... 176.2.3 1; ip route 0.0.0.0 0.0.0.0 10.176.3.3 1; ip route 0.0.0.0 0.0.0.0 10.176.4.3 1; ip route 0.0.0.0 0.0.0.0 10.176.5.3 1; ip route 0.0.0.0 0.0.0.0 10.176.6.3 1; (network management station static route) ip route 10.176.50.100 255.255.255.255 10.176.50.1 1; INTERFACE interface ethernet-2 bridge vlan 2; interface ethernet-3 bridge vlan 3; interface ethernet-4 bridge vlan 4; interface ethernet-5 bridge v...

Page 187: ...s 10.176.4.1 255.255.255.0; circuit VLAN5 ip address 10.176.5.1 255.255.255.0; circuit VLAN6 ip address 10.176.6.1 255.255.255.0; circuit VLAN7 ip address 10.176.10.1 255.255.255.0; circuit VLAN8 ip address 10.176.50.2 255.255.255.0; SERVICE service s1 ip address 10.176.10.10 protocol tcp active; service s2 ip address 10.176.10.11 protocol tcp active; service s3 ip address 10.176.10.12 protocol tcp activ...

Page 188: ... transparent-cache no cache-bypass ip address 10.176.2.3 active; service ssl3 port 443 protocol tcp type transparent-cache no cache-bypass ip address 10.176.3.3 active; service ssl4 port 443 protocol tcp type transparent-cache no cache-bypass ip address 10.176.4.3 active; service ssl5 port 443 protocol tcp type transparent-cache no cache-bypass ip address 10.176.5.3 active; service ssl6 port 443 proto...

Page 189: ...service s1 add service s2 add service s3 add service s4 protocol tcp port 81 url secure active; content http-non-secure port 80 vip address 10.176.11.100 add service s1 add service s2 add service s3 add service s4 protocol tcp port 80 url active; content ssl protocol tcp port 443 add service ssl1 add service ssl2 add service ssl3 add service ssl4 add service ssl5 add service ssl6 vip address 10.176....

Page 190: ...cuit VLAN5; apply circuit VLAN4; apply circuit VLAN3; apply circuit VLAN2; apply circuit VLAN1. Connecting the Device to a Terminal Server: The Secure Content Accelerator can be connected to a terminal server such as the Cisco 2511 Access Server. You will need a standard RJ45-DB9F adapter (CAB-9AS-FDTE, part number 74-0495-01). 1. Attach the RJ45-DB9F adapter to the CONSOLE port of the Secure Content Accelera...

Page 191: ...o broaden compatibility between offloaders and some models of load balancing and content switching gear. Additionally, it enables transparent-mode interoperation with the CSS without having to use the type transparent-cache or the no cache-bypass directives within the services definitions. This simplifies ACL implementations as well as the overall configuration on the CSS. Transparent local listen is ...

Page 192: ...ontent and services portion of the CSS configuration is nearly identical to the configuration used in non-transparent proxy mode, while the network portion of the CSS configuration mirrors that used in transparent mode. The flows, from the perspective of the CSS, are essentially a combination of what is expected in transparent and non-transparent modes: the first two flow entries (client to offloader, lo...

Page 193: ...ommands are available only with specific configuration connection methods. Availability of each command is indicated. Configuration using the GUI is described in Chapter 5. Configuration for FIPS-compliant operation is presented in Chapter 6, FIPS Operation. This appendix contains the following sections: Input Data Format Specification, Text Conventions, Editing and Completion Features, Command Hierarchy, C...

Page 194: ...rface or is returned by the computer. Courier bold text indicates commands and text you enter in a command line. Italic text indicates the first occurrence of a new term, book title, and emphasized text. In this command summary, items presented in italics represent user-specified information. Items within angle brackets are required information. Items within square brackets are optional information. Items ...

Page 195: ...s CTRL-A: Moves cursor to the beginning of the command line. CTRL-B: Moves cursor to the previous character. CTRL-C: Exits the QuickStart wizard at any point; the configuration is not saved. CTRL-D: When editing a command, deletes the character to the right of the cursor; otherwise exits the current configuration level, or exits the configuration manager if at the Top Level. CTRL-E: Moves cursor to the end of the ...

Page 196: ... the TAB or ? keys display all options: SCA> show <TAB> access-list ip snmp arp keepalive-monitor ssl copyrights memory syslog cpu messages system-resources device netstat terminal dns processes version history rip interface route. The TAB key can also be used to finish a command if the command is uniquely identified by user input: SCA> show cop<TAB> results in SCA> show copyrights. LEFT ARROW: Moves the curs...

Page 197: ...curity policy and server names are case-sensitive. Command Hierarchy: The CLI configuration manager allows you to control hardware and SSL portions of the appliance through a discrete mode and submode system. The commands for the Secure Content Accelerator device fit into the logical hierarchy shown in Figure C-1. Figure C-1 Command Hierarchy: SSL, INTERFACE, KEY, SECURITY POLICY, CERTIFICATE, CERTIFICATE GR...

Page 198: ...w easy, flexible configuration without compromising the security of your network or their own configuration. Passwords: Cisco Secure Content Accelerator devices use two levels of password protection: access and enable level. Access-level passwords control who can access the device via telnet and serial connections. Enable-level passwords control who can view the same data available with access-level pas...

Page 199: ...tem. Factory Default Reset Password: If you have forgotten your access or enable password, you can use a factory-set password during a serial configuration session. When prompted for a password, enter FailSafe (case-sensitive). You are asked to confirm the action. The appliance reboots (reloads) with factory default settings. Caution: All configuration is lost when using the factory default reset password. Meth...

Page 200: ...ystem. A path must be included if necessary. When using serial or telnet management, the file name must be entered in any of the following formats: http://, ftp://, https://, tftp:// URL. In situations where a file is written, anonymous write access must be configured on the system, with these caveats: http: The server must be configured to accept PUT commands. https: The server must be configured to accept PUT commands. ft...

Page 201: ...oftware. The device terminal settings can be changed if necessary. Use the standard ANSI setting on the serial terminal software. Note: When operating in FIPS Mode, only serial management access is available. 1. Attach the included null modem cable to the appliance port marked CONSOLE. Attach the other end of the null modem cable to a serial port on the configuring computer. 2. Launch any terminal emulation...

Page 202: ...s ftp:// or tftp:// prefix. Telnet: After you have assigned an IP address to the Cisco Secure Content Accelerator using the serial connection configuration manager, you can connect to the appliance via telnet. 1. Initiate a telnet session with the IP address previously assigned to the appliance. 2. An SCA prompt is displayed. Note: When prompted to supply a file name during a telnet management session, you must s...

Page 203: ...tion modes, manage hardware, and exit the configuration manager. Non-Privileged Command Set: The Non-Privileged command set consists of the lowest-level commands, having the least impact on configuration and security of the devices. clear screen: Clears the display, leaving only one prompt line. clear screen. Usage Guidelines: Availability: Serial, Telnet; FIPS Mode: serial only. cls: Clears the display, leaving on...

Page 204: ...nable password, see Factory Default Reset Password. Related Commands: See the section Privileged Command Set. exit: Quits the configuration manager. exit. Usage Guidelines: Availability: Serial, Telnet; FIPS Mode: serial only. When executed from a serial connection, the connection is not closed. If an access password has been configured, you are prompted for it. When executed from telnet, the telnet connection is c...

Page 205: ...the specified command at one-second intervals. monitor command. Syntax Description. Usage Guidelines: Availability: Serial, Telnet; FIPS Mode: serial only. The interval between refreshes is set using the set monitor interval command. Related Commands: set monitor interval (Non-Privileged Command Set). paws: Pauses the configuration manager until a key is pressed. paws. Usage Guidelines: Availability: Serial, Telnet; F...

Page 206: ...Commands: ip name-server (Configuration Command Set). quit: Quits the configuration manager. quit. Usage Guidelines: Availability: Serial, Telnet; FIPS Mode: serial only. When executed from a serial connection, the connection is not closed. If an access password has been configured, you are prompted for it. When executed from telnet, the telnet connection is closed. Related Commands: exit (Non-Privileged Command Set). s...

Page 207: ...monitor (Non-Privileged Command Set). show arp: Displays the ARP cache on the device. show arp. Usage Guidelines: Availability: Serial, Telnet; FIPS Mode: serial only. show copyrights: Displays copyright information for software and hardware products. show copyrights. Usage Guidelines: Availability: Serial, Telnet; FIPS Mode: serial only. Related Commands: show version (Non-Privileged Command Set). show cpu: Displays CPU u...

Page 208: ...l for display updates. Press any key to stop displaying statistics. show date: Displays current date and time settings on the device. show date. Usage Guidelines: Availability: Serial, Telnet; FIPS Mode: serial only. Related Commands: rdate server (Configuration Command Set). show device: Displays information about the device. show device. Usage Guidelines: Availability: Serial, Telnet; FIPS Mode: serial only. show dns s...

Page 209: ...Set), show ip domain-name (Non-Privileged Command Set), show ip name-server (Non-Privileged Command Set). show flows: Displays IP connection information for the device. show flow. Usage Guidelines: Availability: Serial, Telnet; FIPS Mode: serial only. show history: Displays the last commands executed. show history. Usage Guidelines: Availability: Serial, Telnet; FIPS Mode: serial only. Related Commands: show terminal (Top Le...

Page 210: ... Commands: show interface errors (Non-Privileged Command Set), show interface statistics (Non-Privileged Command Set), interface (Configuration Command Set; see the section Interface Configuration Command Set). show interface errors: Displays error information for the specified Ethernet interface(s). show interface errors [network|server] [continuous|interval value]. Syntax Description: network Displays information f...

Page 211: ...Command Set; see the section Interface Configuration Command Set). show interface statistics: Displays interface statistics for the specified interface(s). show interface statistics [network|server] [continuous|interval value]. Syntax Description. Usage Guidelines: Availability: Serial, Telnet; FIPS Mode: serial only. If a single interface is not specified, statistics are displayed for both interfaces. If continuous ...

Page 212: ...figuration information for the device. show ip domain-name. Usage Guidelines: Availability: Serial, Telnet; FIPS Mode: serial only. Related Commands: ip domain-name (Configuration Command Set), show dns (Non-Privileged Command Set), show ip name-server (Non-Privileged Command Set). show ip name-server: Displays DNS configuration information for the device. show ip name-server. Usage Guidelines: Availability: Serial, Teln...

Page 213: ...ged Command Set. show ip statistics: Displays diagnostic IP, ICMP, TCP, and UDP statistics for the device. show ip statistics. Usage Guidelines: Availability: Serial, Telnet; FIPS Mode: serial only. show keepalive-monitor: Displays a list of keepalive monitor IP addresses for one or more devices. show keepalive-monitor. Usage Guidelines: Availability: Serial, Telnet; FIPS Mode: serial only. SSL errors from IP addresses...

Page 214: ... messages (Privileged Command Set), show messages (Non-Privileged Command Set). show memory: Displays memory usage on the device. show memory [zones]. Syntax Description. Usage Guidelines: Availability: Serial, Telnet; FIPS Mode: serial only. The zones flag is used to display information for each memory zone. show messages: Displays the diagnostic message buffer for the device. show messages. Usage Guidelines: Availabil...

Page 215: ...netstat: Displays the current state of the IP connection for the device. show netstat. Usage Guidelines: Availability: Serial, Telnet; FIPS Mode: serial only. show password: Displays password configuration status and idle timeout period. show password. Usage Guidelines: Availability: Serial, Telnet; FIPS Mode: serial only. Related Commands: password (Configuration Set). show password access: Displays access password con...

Page 216: ...nes: Availability: Serial, Telnet; FIPS Mode: serial only. Related Commands: password (Configuration Set). show password idle-timeout: Displays the configured password idle timeout period. show password idle-timeout. Usage Guidelines: Availability: Serial, Telnet; FIPS Mode: serial only. Related Commands: password (Configuration Set). show processes: Displays information by thread about processes running on the device. sh...

Page 217: ... rdate server. Usage Guidelines: Availability: Serial, Telnet; FIPS Mode: serial only. show rip: Displays the RIP status of the device. show rip. Usage Guidelines: Availability: Serial, Telnet; FIPS Mode: serial only. Related Commands: rip (Configuration Command Set). show route: Displays the routing table stored in the device. show route. Usage Guidelines: Availability: Serial, Telnet; FIPS Mode: serial only. Related Command...

Page 218: ...nly. Related Commands: clear line (Privileged Command Set). show sntp: Displays all SNTP configuration information for the device. show sntp. Usage Guidelines: Availability: Serial, Telnet; FIPS Mode: serial only. Related Commands: sntp interval (Configuration Command Set), sntp server (Configuration Command Set). show sntp server: Displays SNTP server information for the device. show sntp server. Usage Guidelines: Availa...

Page 219: ...ow ssl errors (Non-Privileged Command Set), show ssl key (Non-Privileged Command Set), show ssl secpolicy (Non-Privileged Command Set), show ssl server (Non-Privileged Command Set), show ssl statistics (Non-Privileged Command Set), ssl (Configuration Command Set; see the section SSL Configuration Command Set). show ssl cert: Displays summary data for the specified certificate entity loaded on the device. show ssl cert...

Page 220: ...figuration Command Set, Certificate Configuration Command Set, and Certificate Group Configuration Command Set. show ssl certgroup: Displays summary data for the specified certificate group loaded on the device. show ssl certgroup [certgroupname]. Syntax Description. Usage Guidelines: Availability: Serial, Telnet; FIPS Mode: serial only. If you do not specify a certificate group, all certificate group information...

Page 221: ...e. Displays SSL errors reported on a single device or module. Use the continuous keyword to update the statistics every second. Use the interval keyword to specify an interval for display updates, where value is the interval in seconds. Press any key to stop displaying errors. Table C-3 displays output descriptions. continuous: Displays errors continuously. interval: Specifies an interval for display update...

Page 222: ...lient has reset the connection. SSL System Read Errors from client: Generated when an error occurs when reading from a client. SSL Read Broken Connection Error from client: Generated when reading from a client after the client has reset the connection. System Write Errors to remote server: Generated when an error occurs when writing to a remote server. Broken Connection Write Errors to remote server: Gene...

Page 223: ...d block; Connection refused; Connection reset by peer; Socket not connected; Message size error; Pipe error; EDESTADDRREQ; EDESTADDREQ; Socket shutdown; Unsupported protocol option; Out-of-band data; Address is not available; Address already in use; Address family is not supported; Operation already in progress; lower error; I/O error; Destination host is down; Unsupported protocol; Destination network is down; Desti...

Page 224: ...block; Connection refused; Connection reset by peer; Socket not connected; Message size error; Pipe error; EDESTADDRREQ; EDESTADDREQ; Socket shutdown; Unsupported protocol option; Out-of-band data; Address is not available; Address already in use; Address family is not supported; Operation already in progress; lower error; I/O error; Destination host is down; Unsupported protocol; Destination network is down; Destina...

Page 225: ...d Command Set), show ssl certgroup (Non-Privileged Command Set), show ssl key (Non-Privileged Command Set), show ssl secpolicy (Non-Privileged Command Set), show ssl server (Non-Privileged Command Set), show ssl statistics (Non-Privileged Command Set), ssl (Configuration Command Set; see the section SSL Configuration Command Set). Table C-4 Abbreviations Used for show ssl errors continuous: Abbreviation / Description. ACP...

Page 226: ...Privileged Command Set), show ssl cert (Non-Privileged Command Set), show ssl certgroup (Non-Privileged Command Set), show ssl errors (Non-Privileged Command Set), show ssl secpolicy (Non-Privileged Command Set), show ssl server (Non-Privileged Command Set), show ssl statistics (Non-Privileged Command Set), ssl (Configuration Command Set; see the sections SSL Configuration Command Set and Key Configuration Command Set) ...

Page 227: ...ver (Non-Privileged Command Set), show ssl statistics (Non-Privileged Command Set), ssl (Configuration Command Set; see the sections SSL Configuration Command Set and Security Policy Configuration Command Set). show ssl server: Displays information for the specified configured logical secure server (of type server, reverse-proxy-server, or backend-server) on the device. show ssl server [servname]. Syntax Description...

Page 228: ...e logical servers on the device. show ssl session-stats [server servername] [continuous|interval value]. Syntax Description. Usage Guidelines: Availability: Serial, Telnet; FIPS Mode: serial only. This command must be entered on a single line. Use the continuous keyword to update the statistics every second. Use the interval keyword to specify an interval for display updates. Press any key to stop displaying info...

Page 229: ... SSL session negotiation or renegotiation has finished. SSL New Accepts Started (NAS), Normal Termination, Server: An SSLv3 or TLSv1 session negotiation (the SSL handshake) has been started. SSL Reneg Requested (RR), Normal Termination, Server: An SSLv3 or TLSv1 renegotiation has been requested by the server. Session renegotiation can occur at any time and is left to the discretion of the server or the client. This t...

Page 230: ...Set. show ssl statistics: Displays SSL statistics summed over all secure logical servers on the device. show ssl statistics [continuous|interval value]. Session Removed Due to Full Cache (SRFC), All Servers: An SSL session cache entry has been removed due to a full cache, i.e., there was a cache miss and an entry had to be removed to accommodate the new SSL connection. Session Reuse Actually Done (SRAD), All Serve...

Page 231: ...scription for show ssl statistics: Statistic / Description. Active Client Connections: The number of client connections currently active. Active Server Connections: The number of server connections currently active. Active Sockets: The number of currently active sockets. SSL Negotiation Errors: The number of SSL negotiation failures. Connection Errors to remote Server: The number of errors encountered when con...

Page 232: ...d Set), ssl (Configuration Command Set; see the section SSL Configuration Command Set). show ssl tcp-tuning: Displays TCP tuning information. show ssl tcp-tuning [all|servername|defaults]. Syntax Description. Total RSA Operations in Hardware: The number of RSA operations performed by the Secure Content Accelerator. Total SSL Negotiations Succeeded: The number of successful SSL negotiations. Table C-6 Output Descri...

Page 233: ...e device are sent. show syslog. Usage Guidelines: Availability: Remote, Serial, Telnet; FIPS Mode: serial only. Related Commands: syslog (Configuration Command Set). show system-resources: Displays system memory and CPU usage for the device. show system-resources [continuous|interval value]. Syntax Description. Usage Guidelines: Availability: Serial, Telnet; FIPS Mode: serial only. Use the continuous option to update the ...

Page 234: ...tion Command Set), show web-mgmt (Non-Privileged Command Set). show terminal: Displays terminal setting information. show terminal. Usage Guidelines: Availability: Serial, Telnet; FIPS Mode: serial only. Related Commands: show history (Non-Privileged Command Set), terminal baud (Non-Privileged Command Set), terminal history (Non-Privileged Command Set), terminal length (Non-Privileged Command Set), terminal pager (Non-...

Page 235: ...Usage Guidelines: Availability: Serial, Telnet; FIPS Mode: serial only. show web-mgmt: Displays Web-based GUI management information for the device. show web-mgmt. Usage Guidelines: Availability: Serial, Telnet. Related Commands: web-mgmt access-list (Configuration Command Set), web-mgmt enable (Configuration Command Set), web-mgmt port (Configuration Command Set), show telnet (Non-Privileged Command Set), term...

Page 236: ...et (Non-Privileged Command Set), terminal width (Non-Privileged Command Set). terminal history: Sets the number of commands saved in the history buffer. terminal history length; no terminal history. Syntax Description. Usage Guidelines: Availability: Serial, Telnet; FIPS Mode: serial only. Use the no form of the command to disable the history list. The default is 25. 1200: Sets the baud to 1200. 2400: Sets the baud to ...

Page 237: ...leged Command Set. terminal length: Sets the number of lines in a terminal window. terminal length. Usage Guidelines: Availability: Serial, Telnet; FIPS Mode: serial only. Related Commands: show terminal (Non-Privileged Command Set), terminal baud (Non-Privileged Command Set), terminal history (Non-Privileged Command Set), terminal pager (Non-Privileged Command Set), terminal reset (Non-Privileged Command Set), terminal wi...

Page 238: ...nal reset: Resets the internal state of the terminal. terminal reset. Usage Guidelines: Availability: Serial, Telnet; FIPS Mode: serial only. Related Commands: show terminal (Non-Privileged Command Set), terminal baud (Non-Privileged Command Set), terminal history (Non-Privileged Command Set), terminal length (Non-Privileged Command Set), terminal pager (Non-Privileged Command Set), terminal width (Non-Privileged Command S...

Page 239: ...splays the router information to the specified destination traceroute ipaddr name query numretries hop numhops Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only When issued from a serial or telnet connection the command returns information based upon the device s hardware ipaddr The destination IP address name The name of the destination host serial or telnet onl...

Page 240: ...tatistics for the device clear interface statistics Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands show interface Non Privileged Command Set show interface errors Non Privileged Command Set show interface statistics Non Privileged Command Set interface Configuration Command Set See Interface Configuration Command Set clear ip routes Clears the IP routing table o...

Page 241: ...d Commands show ip statistics Non Privileged Command Set clear line Closes a specified management session clear line sessionId Syntax Description Usage Guidelines Availability Serial FIPS Mode serial only Use the show sessions command to display the open management sessions Related Commands show sessions Non Privileged Command Set clear log Clears diagnostics message buffer clear log Usage Guideli...

Page 242: ...rial only Related Commands show messages Non Privileged Command Set write messages Privileged Command Set clear ssl session stats Resets all SSL session statistics for the device clear ssl session stats Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands show ssl errors Non Privileged Command Set show ssl statistics Non Privileged Command Set clear ssl statistics Res...

Page 243: ... Configuration Command Set copy running configuration Writes the running configuration of a device to a file copy running configuration url Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only If you do not specify a URL you are prompted for it Related Commands copy running configuration startup configuration Privileged Command Set copy startup configuration Privile...

Page 244: ...onfiguration running configuration Privileged Command Set copy to running configuration Privileged Command Set copy to startup configuration Privileged Command Set copy startup configuration Writes the startup configuration of a device to a file copy startup configuration url Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands copy running configur...

Page 245: ...py to running configuration Privileged Command Set copy to startup configuration Privileged Command Set copy to flash Uploads a Cisco Secure Content Accelerator image file to the device flash copy to flash url Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only The signature is verified If you do not specify a URL you are prompted for it Related Commands copy runni...

Page 246: ...ds copy running configuration Privileged Command Set copy running configuration startup configuration Privileged Command Set copy startup configuration Privileged Command Set copy startup configuration running configuration Privileged Command Set copy to startup configuration Privileged Command Set copy to startup configuration Uploads a saved configuration file and merges it to the startup config...

Page 247: ...ation Privileged Command Set disable Exits Privileged mode for the device disable Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands enable Non Privileged Command Set erase running configuration Erases the running configuration on the device erase running configuration Usage Guidelines Availability Serial Telnet Related Commands copy running configuration Privileged...

Page 248: ...figuration Privileged Command Set fips enable Starts FIPS compliant mode for a device in Privileged mode fips enable no fips enable Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands See the section Chapter 6 FIPS Operation quick start Runs the QuickStart wizard for the device quick start Usage Guidelines Availability Serial Telnet FIPS Mode serial only Note When us...

Page 249: ...Telnet FIPS Mode serial only The device resumes operation using the startup configuration stored in the flash memory You are prompted to confirm restarting the device Note When reloading the device in FIPS Mode the firmware signature is verified show access list Displays the specified access list for the device show access list listid Syntax Description Usage Guidelines Availability Serial Telnet ...

Page 250: ...layed for the device are the following SSL Device Configuration show device Startup Configuration show startup config Running Configuration show running config Processes show processes Network Status show netstat Memory Statistics show memory Memory Zones show memory zones SSL Statistics show ssl statistics SSL Session Statistics show ssl session stats SSL Errors show ssl errors Individual reports...

Page 251: ...ng configuration Usage Guidelines Availability Serial Telnet FIPS Mode serial only Note Neither keys nor configured passwords are displayed Related Commands copy running configuration Privileged Command Set copy running configuration startup configuration Privileged Command Set copy startup configuration running configuration Privileged Command Set copy to running configuration Privileged Command ...

Page 252: ...prise Configuration Command Set snmp trap type generic Configuration Command Set show startup configuration Displays the startup configuration on a device show startup configuration Usage Guidelines Availability Serial Telnet FIPS Mode serial only Note Neither keys nor configured passwords are displayed Related Commands copy running configuration startup configuration Privileged Command Set copy s...

Page 253: ...t copy to running configuration Privileged Command Set erase running configuration Privileged Command Set show running configuration Privileged Command Set write memory Privileged Command Set write memory Writes the running configuration to flash memory on a device write memory Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands copy running configuration startup con...

Page 254: ...Command Set write network Writes the running configuration to a file on a remote host write network url Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only If you do not supply URL information you are prompted for it Related Commands copy running configuration startup configuration Privileged Command Set copy startup configuration running configuration Privileged C...

Page 255: ...Appendix C Command Summary Top Level Command Set write terminal Displays the running configuration of the device write terminal Usage Guidelines Availability Serial Telnet FIPS Mode serial only ...

Page 256: ...cess list Use the no form of the command to delete the entire specified access list access list id permit deny ipaddr mask no access list id Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only To activate the access list you must also use the remote management access list snmp access list telnet access list or web mgmt access list commands A device can have up to 9...

Page 257: ...S Mode however they can only be assigned to the SNMP subsystem Access lists can be assigned to other subsystems when the device is returned to normal operation Examples The following example specifies the host with the IP address 10 1 2 3 to be the only remote host to configure the Secure Content Accelerator access list 2 permit 100 1 2 3 0 0 0 0 The following example specifies only remote hosts o...

Page 258: ...e appropriate date or time Related Commands show date Non Privileged Command Set end Leaves Configuration Mode and returns to Privileged Mode end Usage Guidelines Availability Serial Telnet FIPS Mode serial only exit Leaves Configuration Mode and returns to Privileged Mode exit Usage Guidelines Availability Serial Telnet FIPS Mode serial only finished Leaves Configuration Mode and returns to Top L...

Page 259: ... serial only If you do not specify a command help information is displayed for all Configuration commands hostname Sets the identification name for the current Secure Content Accelerator hostname devname no hostname Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Use the no form of the command to clear the hostname of the current device Note The command prompt ...

Page 260: ...n Privileged Command Set show interface errors Non Privileged Command Set show interface statistics Non Privileged Command Set See also Interface Configuration Command Set ip address Sets the IP address for the current Secure Content Accelerator ip address ipaddr netmask netmask ipaddr netabbr no ip address Syntax Description network Enters Interface Configuration Mode for the Network interface se...

Page 261: ...ated Commands ip route default Configuration Command Set ip domain name Adds a DNS suffix to the list to append for resolution of unqualified names ip domain name name Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands show ip domain name Non Privileged Command Set show ip name server Non Privileged Command Set ip name server Configuration Command ...

Page 262: ...ting table ip route destip mask gatewayip metric hops no ip route destip Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Use the no form of the command to delete the specified static route entry from the device s routing table Related Commands show ip routes Non Privileged Command Set show route Non Privileged Command Set destip The destination IP address mask ...

Page 263: ...lear the IP address for the default router Related Commands ip address Configuration Command Set keepalive monitor Indicates that SSL errors from the specified IP address are to be ignored keepalive monitor ipaddr no keepalive monitor ipaddr Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Up to two IP addresses set individually are allowed Related Commands show...

Page 264: ...mode Note Though completers and help information are available in all management options the command is only valid via serial management mode pass thru Enables pass through of non SSL traffic This is the default configuration mode pass thru no mode pass thru Usage Guidelines Availability Serial Telnet FIPS Mode serial only Use the no form of the command to block non SSL traffic pass through passwo...

Page 265: ...sable the timeout feature Note When using the password command in FIPS Mode to set an access or enable you must supply a password or passphrase of at least eight characters rdate server Specifies an RDATE protocol server to be used for date and time information on the device rdate server ipaddr no rdate server Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only ac...

Page 266: ...et show rdate server Non Privileged Command Set registration code Stores the registration code of the device registration code code Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only rip Enables Routing Information Protocol RIP for the current device rip v1 v2 no rip v1 v2 Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only code The ...

Page 267: ...ond command disables only RIP v2 This has the same result as using the command rip v1 rip no rip v2 Related Commands show rip Non Privileged Command Set no snmp Disables SNMP and clears all SNMP data no snmp Note The device must be rebooted reloaded before this command takes effect Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands show snmp Non Privileged Command Set...

Page 268: ...fied access list The access list still exists but is no longer used by the SNMP subsystem Related Commands access list Configuration Command Set no snmp Configuration Command Set show access list Non Privileged Command Set show snmp Non Privileged Command Set snmp contact Configuration Command Set snmp default community Configuration Command Set snmp enable Configuration Command Set snmp location ...

Page 269: ...and Set show snmp Non Privileged Command Set snmp access list Configuration Command Set snmp default community Configuration Command Set snmp enable Configuration Command Set snmp location Configuration Command Set snmp trap host Configuration Command Set snmp trap type enterprise Configuration Command Set snmp trap type generic Configuration Command Set snmp default community Assigns a default co...

Page 270: ...e Configuration Command Set snmp location Configuration Command Set snmp trap host Configuration Command Set snmp trap type enterprise Configuration Command Set snmp trap type generic Configuration Command Set snmp enable Enables SNMP using the current SNMP configuration snmp enable no snmp enable Usage Guidelines Availability Serial Telnet FIPS Mode serial only Use the no form of the command to d...

Page 271: ...ocation information for the SNMP subsystem snmp location locInfo no snmp location Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Use the no form of the command to clear the location information Related Commands no snmp Configuration Command Set show snmp Non Privileged Command Set snmp access list Configuration Command Set snmp contact Configuration Command Se...

Page 272: ...guration Command Set snmp default community Configuration Command Set snmp enable Configuration Command Set snmp location Configuration Command Set snmp trap type enterprise Configuration Command Set snmp trap type generic Configuration Command Set v1 Specifies SNMP version 1 v2c Specifies SNMP version 2c ipaddr The IP address of the computer receiving the messages community The SNMP community If ...

Page 273: ...l total connections Specifies trapping for total SSL connection levels ssl tps Specifies trapping for SSL transactions per second levels threshold value1 value2 Specifies the threshold option to specify one or more threshold levels where appropriate Threshold values are inappropriate for the config changed option Threshold value1 is the low level and optional threshold value2 is the high level Val...

Page 274: ...el Command Set snmp access list Configuration Command Set snmp contact Configuration Command Set snmp default community Configuration Command Set snmp enable Configuration Command Set snmp location Configuration Command Set snmp trap host Configuration Command Set snmp trap type generic Configuration Command Set snmp trap type generic Enables generic SNMP traps snmp trap type generic no snmp trap ...

Page 275: ...Command Set snmp trap type enterprise Configuration Command Set sntp interval Sets polling interval for all configured SNTP servers sntp interval seconds Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only The default interval is 86400 seconds one day the minimum and maximum intervals are 60 and 2419200 one month respectively The interval can be displayed using the...

Page 276: ... one to delete Up to four SNTP servers can be configured If the first SNTP server returns an error the next SNTP server is polled After the fourth SNTP poll returns an error the first server is polled again SNTP information can be displayed using the commands show device show sntp and write terminal Note When a hostname is used rather than an IP address the hostname is resolved as an IP address wh...

Page 277: ...mmand Set show ssl server Non Privileged Command Set show ssl statistics Non Privileged Command Set See the section SSL Configuration Command Set syslog Adds the specified IP address to the syslog list for the device syslog ipaddr port portid facility facilityid no syslog ipaddr Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only ipaddr The IP address of the device...

Page 278: ...cess and enable passwords are differentiated as Access Authentication and Enable Authentication respectively Authentication messages contain The type of management session serial telnet or Web management The source IP address Authentication result of either invalid or successful for each action Related Commands show syslog Non Privileged Command Set telnet access list Assigns an existing access lis...

Page 279: ...s for the device Use the no form of the command to disable telnet management access telnet enable no telnet enable Usage Guidelines Availability Serial Telnet Related Commands show telnet Non Privileged Command Set telnet access list Configuration Command Set telnet port Configuration Command Set telnet port Specifies the TCP service port to use for telnet management sessions telnet port portid de...

Page 280: ...cription Usage Guidelines Availability Serial Telnet FIPS Mode serial only The zone is entered in the form of Standard Time Zone identifier GMT offset integer Daylight Savings Time Zone identifier For example MST7MDT is used for Mountain Standard Daylight Savings Time The alphabetic strings are used for display the integer is used for date and time computation The alphabetic strings are optional t...

Page 281: ...nt Non Privileged Command Set telnet access list Configuration Command Set web mgmt enable Configuration Command Set web mgmt port Configuration Command Set web mgmt enable Allows Web browser based management sessions for the device web mgmt enable no web mgmt enable Usage Guidelines Availability Serial Telnet Use the no form of the command to disable web browser based management access Related Com...

Page 282: ...Guidelines Availability Serial Telnet The port assignment is used at the next Web management connection attempt Related Commands access list Configuration Command Set show web management Non Privileged Command Set web mgmt access list Configuration Command Set web mgmt enable Configuration Command Set portid The TCP service port to be used to manage the current device via the GUI default Keyword i...

Page 283: ...Ethernet interface to configure using the interface command in Configuration mode The prompt changes to config if interfacename auto Sets the current Ethernet interface to autonegotiation canceling any existing forced duplex or speed setting auto Usage Guidelines Availability Serial Telnet FIPS Mode serial only duplex Forces the current Ethernet interface to full or half duplex duplex full half Sy...

Page 284: ...for the specified command help command Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only If you do not specify a command help information is displayed for all Interface Commands speed Forces the speed of the current Ethernet interface to 10 Mbps or 100 Mbps speed 10 100 Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only command T...

Page 285: ...ity Serial Telnet FIPS Mode serial only The no form of the command is used to remove the specified backend server A device can have a total of 255 SCA or 4095 SCA2 servers in any combination of backend reverse proxy or standard secure servers When a backend server has been specified for removal all connections are allowed to finish before the backend server is actually removed Backend server names...

Page 286: ...can have up to 511 SCA or 4095 SCA2 certificate objects Certificate names can consist of Arabic numerals and upper and lowercase alphabetic underscore _ hyphen and period characters Certificate names must begin with an alphabetic character or underscore and have a limit of 127 characters Examples The following example creates a certificate object named myCert and enters Certificate Configuration m...

Page 287: ...can have up to 63 SCA or 4095 SCA2 certificate groups Certificate group names can consist of Arabic numerals and upper and lowercase alphabetic underscore _ hyphen and period characters Certificate group names must begin with an alphabetic character or underscore and have a limit of 15 characters Examples The following example creates a certificate group named myCertGroup and enters Certificate G...

Page 288: ...net FIPS Mode serial only exit Leaves SSL Configuration mode and returns to Configuration mode exit Usage Guidelines Availability Serial Telnet FIPS Mode serial only finished Leaves SSL Configuration Mode and returns to Top Level mode finished Usage Guidelines Availability Serial Telnet FIPS Mode serial only gencsr Generates a certificate signing request and or self signed certificate gencsr key k...

Page 289: ... Related Commands See the section Key Configuration Command Set help Displays help information for the specified command help command Syntax Description keyname The name of the key to be used for generating the CSR or self signed certificate newhdr Inserts the word NEW into the CSR header This is required by some older CAs digest Displays a digest form of the certificate md5 Displays a digest form...

Page 290: ...nes Availability Serial Telnet FIPS Mode serial only If you do not specify a URL you are prompted for it Related Commands import pkcs7 SSL Command Set show ssl cert Non Privileged Command Set show ssl key Non Privileged Command Set import pkcs7 Imports and processes a PKCS 7 file to create certificate objects and a certificate group import pkcs7 name der pem prefix prefixText url Syntax Descript...

Page 291: ...vailability Serial Telnet FIPS Mode serial only The no form of the command is used to remove a key You cannot delete a key referenced by a server A device can have up to 255 SCA or 4095 SCA2 key objects Key names can consist of Arabic numerals and upper and lowercase alphabetic underscore _ hyphen and period characters Key names must begin with an alphabetic character or underscore and have a limi...

Page 292: ...uidelines Availability Serial Telnet FIPS Mode serial only The no form of the command is used to remove the specified reverse proxy server A device can have a total of 255 SCA or 4095 SCA2 servers in any combination of backend reverse proxy or standard secure servers When a reverse proxy server has been specified for removal all connections are allowed to finish before the reverse proxy server is ...

Page 293: ...sed to remove a security policy You cannot delete a security policy referenced by a logical secure server Security policy names can consist of Arabic numerals and upper and lowercase alphabetic underscore _ hyphen and period characters Security policy names must begin with an alphabetic character or underscore and have a limit of 15 characters Examples The following example creates a security poli...

Page 294: ...se proxy or standard secure servers When a secure server has been specified for removal all connections are finished before the server is actually removed Server names can consist of Arabic numerals and upper and lowercase alphabetic underscore _ hyphen and period characters Server names must begin with an alphabetic character or underscore and have a limit of 15 characters Related Commands show s...

Page 295: ...Appendix C Command Summary Configuration Command Set Usage Guidelines Availability Serial Telnet FIPS Mode serial only The no form of the command is used to return all TCP tuning values to factory default Related Commands See the section TCP Tuning Configuration Command Set ...

Page 296: ...ended backend server if enough information has been configured activate Usage Guidelines Availability Serial Telnet FIPS Mode serial only All backend servers are created as active servers by default Related Commands suspend Backend Server Configuration Command Set certgroup serverauth Assigns a certificate group to be used for server certificate authentication certgroup serverauth certgroupname no...

Page 297: ...xits Backend Server Configuration mode activates all changes and returns to SSL Configuration mode end Usage Guidelines Availability Serial Telnet FIPS Mode serial only exit Exits Backend Server Configuration mode activates all changes and returns to SSL Configuration mode exit Usage Guidelines Availability Serial Telnet FIPS Mode serial only finished Leaves Backend Server Configuration Mode and r...

Page 298: ...fy a command help information is displayed for all Backend Server Configuration Commands info Displays current information about the logical secure server being edited or created info Usage Guidelines Availability Serial Telnet FIPS Mode serial only ip address Sets the specified IP address for the backend server ip address ipaddr netmask mask no ip address Syntax Description command The name of th...

Page 299: ...l Telnet FIPS Mode serial only Using the no form of the command disables sending of keepalive messages Related Commands keepalive frequency Backend Server Configuration Command Set keepalive maxfailure Backend Server Configuration Command Set keepalive frequency Specifies the interval between keepalive messages keepalive frequency seconds Syntax Description Usage Guidelines Availability Serial Tel...

Page 300: ...erver Configuration Command Set keepalive frequency Backend Server Configuration Command Set localport Specifies the TCP service port through which non secure connections are received localport port default Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Caution Traffic sent on this TCP service port is not secured by SSL during transmission to the server It mus...

Page 301: ...nd to remove the specified log url server from the list Only one log url server can be configured remoteport Specifies the TCP service port through which redirected secure connections are sent remoteport port default Syntax Description ipaddr The IP address of the device to receive log url messages port Keyword indicating that a specific TCP port should be used for communications portid The TCP po...

Page 302: ...device To see a list of all loaded default and user defined security policies use the show ssl secpolicy command Related Commands secpolicy SSL Configuration Command Set show ssl secpolicy Non Privileged Command Set See the section Security Policy Configuration Command Set polname The name of the configured security policy all All pre loaded security policies default Default security policy set fi...

Page 303: ...server certificate authentication Related Commands certgroup serverauth Backend Server Configuration Command Set serverauth ignore Backend Server Configuration Command Set serverauth enable Enables server certificate authentication serverauth enable no serverauth enable Usage Guidelines Availability Serial Telnet FIPS Mode serial only Using the no form of the command disables server certificate au...

Page 304: ... used currently Use the no form of the command to cease ignoring the specific server authentication error Related Commands certgroup serverauth Backend Server Configuration Command Set serverauth enable Backend Server Configuration Command Set session cache enable Enables session caching session cache enable no session cache enable all Ignore all server authentication errors none Do not ignore ser...

Page 305: ...e Specifies the size of the session cache session cache size cachesize Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands session cache enable Backend Server Configuration Mode session cache timeout Backend Server Configuration Mode session cache timeout Specifies the session cache length before being timed out session cache timeout seconds Syntax...

Page 306: ...uidelines Availability Serial Telnet Using the no form of the command disables SSL version 2 protocols You cannot disable SSL version 2 and 3 and TLS protocols This command is not available in FIPS mode Related Commands sslv3 enable Backend Server Configuration Command Set tlsv1 enable Backend Server Configuration Command Set sslv3 enable Enables SSL version 3 protocols sslv3 enable no sslv3 enabl...

Page 307: ... in the suspended state No connections are accepted until the activate command is used If you are editing an existing backend server and you use the suspend command alone all open connections on the server are finished and no new connections are accepted No connections are accepted until the activate command is used If you are editing an existing backend server and you use the suspend now comm...

Page 308: ...1 protocols You cannot disable SSL version 2 and 3 and TLS protocols The command no tlsv1 enable is not available in FIPS mode Related Commands sslv2 enable Backend Server Configuration Command Set sslv3 enable Backend Server Configuration Command Set transparent Enables the backend server to function as a transparent proxy default transparent no transparent Usage Guidelines Availability Serial Te...

Page 309: ...le If more than one rule has been configured you must specify the domain name of the rule to delete URL rewrite information can be displayed by using the command show ssl server Related Commands show ssl server Non Privileged Command Set domainName The domain or file identifier as a domain name IP address or path and file name sslport A keyword identifying the following portid to be used for SSL t...

Page 310: ...hex Pastes a binary hex encoded X509 certificate into the configuration manager binhex value Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only After the command is entered you are prompted to paste the certificate from the cut buffer You can use a text editor to copy the certificate from a file After the certificate is pasted you must press Enter twice to complet...

Page 311: ...al Telnet FIPS Mode serial only exit Exits Certificate Configuration mode activates all valid changes and returns to SSL Configuration mode exit Usage Guidelines Availability Serial Telnet FIPS Mode serial only finished Leaves Certificate Configuration Mode and returns to Top Level mode finished Usage Guidelines Availability Serial Telnet FIPS Mode serial only help Displays help information for th...

Page 312: ...the certificate object being created or edited info Usage Guidelines Availability Serial Telnet FIPS Mode serial only pem Loads a PEM encoded X509 certificate into the current certificate object pem url Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only If you do not enter the file name or URL you are prompted for it Related Commands pem paste Certificate Configur...

Page 313: ...l Telnet FIPS Mode serial only After the command is entered you are prompted to paste a certificate from the cut buffer You can use a text editor to copy the certificate from a file After the certificate is pasted you must press Enter twice to complete the command If a password is required you are prompted for it Related Commands pem Certificate Configuration Command Set ...

Page 314: ...ration mode The prompt changes to config ssl certgroup certgroupname cert Adds the specified existing certificate object into the current certificate group cert certObject no cert certObject Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Up to 64 certificate objects are allowed per certificate group Use the no form of the command to remove the specified certif...

Page 315: ...y Serial Telnet FIPS Mode serial only finished Leaves Certificate Group Configuration Mode and returns to Top Level mode finished Usage Guidelines Availability Serial Telnet FIPS Mode serial only help Displays help information for the specified command help command Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only If you do not specify a command help information ...

Page 316: ...nd Set info Displays current information about the certificate group being created or edited info Usage Guidelines Availability Serial Telnet FIPS Mode serial only ...

Page 317: ... X 509 key to be pasted into the configuration manager binhex value Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only After the command is entered you are prompted to paste the key from the cut buffer You can use a text editor to copy the key from a file After the key is pasted you must press Enter twice to complete the command der Loads a DER encoded X509 key fi...

Page 318: ...ilability Serial Telnet FIPS Mode serial only exit Exits Key Configuration mode activates all changes and returns to SSL Configuration mode exit Usage Guidelines Availability Serial Telnet FIPS Mode serial only finished Leaves Key Configuration Mode and returns to Top Level mode finished Usage Guidelines Availability Serial Telnet FIPS Mode serial only genrsa Generates an RSA key genrsa bits 512 1...

Page 319: ...rsa bits 1024 encrypt des seed lemon output mykey pem help Displays help information for the specified command help command Syntax Description bits Specifies the key strength 512 Specifies the key to be 512 bit strength 1024 Specifies the key to be 1024 bit strength encrypt Encrypts the generated key for display des Specifies DES to be used for the encrypted key displayed des3 Specifies DES3 to be...

Page 320: ...tion about the key being created or edited info Usage Guidelines Availability Serial Telnet FIPS Mode serial only net iis Loads a private key exported from IIS 4 only into the key entity net iis url Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only If you do not enter the URL you are prompted for it If a password is required you are prompted for it pem Loads a PE...

Page 321: ...rompted for it Related Commands pem paste Key Configuration Command Set pem paste Allows a PEM encoded X 509 key to be pasted into the configuration manager pem paste Usage Guidelines Availability Serial Telnet FIPS Mode serial only After the command is entered you are prompted to paste a key from the cut buffer You can use a text editor to copy the key from a file After the key is pasted you must...

Page 322: ...and the reverse proxy server command in SSL Configuration mode The prompt changes to config ssl rproxy servername activate Activates the current suspended reverse proxy server if enough information has been configured activate Usage Guidelines Availability Serial Telnet FIPS Mode serial only All reverse proxy servers are created as active servers by default Related Commands suspend Reverse Proxy S...

Page 323: ...up name Only one certificate group can be used Related Commands certgroup SSL Configuration Command Set show ssl certgroup Non Privileged Command Set See also Certificate Group Configuration Command Set end Exits Reverse Proxy Server Configuration mode activates all changes and returns to SSL Configuration mode end Usage Guidelines Availability Serial Telnet FIPS Mode serial only exit Exits Revers...

Page 324: ...PS Mode serial only help Displays help information for the specified command help command Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only If you do not specify a command help information is displayed for all Reverse Proxy Server Configuration Commands info Displays current information about the reverse proxy server being edited or created info Usage Guidelines ...

Page 325: ...d no log url ipaddr Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Use the no form of the command to remove the specified log url server from the list Only one log url server can be configured port The port used to transfer non-secure traffic default Sets the port specification to 80 ipaddr The IP address of the device to receive log url messages port Keyword indic...

Page 326: ...y policies use the show ssl secpolicy command Related Commands secpolicy SSL Configuration Command Set show ssl secpolicy Non Privileged Command Set See the section Security Policy Configuration Command Set polname The name of the configured security policy all All pre loaded security policies default Default security policy set fips FIPS 140-2 compliant security policy set noexport56 Security pol...

Page 327: ...rrors to ignore serverauth ignore all none signature failure expired date cert not yet valid invalid ca domain name no serverauth ignore all none signature failure expired date cert not yet valid invalid ca domain name Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only all Ignore all server authentication errors none Do not ignore server authentication errors sign...

Page 328: ...uration Command Set session cache enable Enables session caching session cache enable no session cache enable Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands session cache size Reverse Proxy Server Configuration Mode session cache timeout Reverse Proxy Server Configuration Mode session cache size Specifies the size of the session cache session cache size cachesiz...

Page 329: ...et FIPS Mode serial only Related Commands session cache enable Reverse Proxy Server Configuration Mode session cache size Reverse Proxy Server Configuration Mode sslv2 enable Enables SSL version 2 protocols sslv2 enable no sslv2 enable Usage Guidelines Availability Serial Telnet Using the no form of the command disables SSL version 2 protocols You cannot disable SSL version 2 and 3 and TLS protoco...

Page 330: ...Reverse Proxy Server Configuration Command Set suspend Suspends the function of the backend server suspend now Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only This command behaves in three ways If you are creating a new reverse proxy server and you use the suspend command the server is created in the suspended state No connections are accepted until the activat...

Page 331: ... tcp tuning Enters TCP Tuning Configuration mode at for this server tcp tuning Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands See the section TCP Tuning Configuration Command Set tlsv1 enable Enables TLS version 1 protocols tlsv1 enable no tlsv1 enable Usage Guidelines Availability Serial Telnet Using the no form of the command disables TLS version 1 protocols Y...

Page 332: ... rule If more than one rule has been configured you must specify the domain name of the rule to delete URL rewrite information can be displayed by using the command show ssl server Related Commands show ssl server Non Privileged Command Set domainName The domain or file identifier as a domain name IP address or path and file name sslport A keyword identifying the following portid to be used for SS...

Page 333: ... device crypto fips strong weak all ARC4 MD5 ARC4 SHA DES CBC3 MD5 DES CBC3 SHA DES CBC MD5 DES CBC SHA EXP ARC2 MD5 EXP ARC4 MD5 EXP DES CBC SHA EXP1024 ARC2 CBC MD5 EXP1024 ARC4 MD5 EXP1024 ARC4 SHA EXP1024 DES CBC SHA NULL MD5 NULL SHA no crypto ARC4 MD5 ARC4 SHA DES CBC3 MD5 DES CBC3 SHA DES CBC MD5 DES CBC SHA EXP ARC2 MD5 EXP ARC4 MD5 EXP DES CBC SHA EXP1024 ARC2 CBC MD5 EXP1024 ARC4 M...

Page 334: ...security policy Additionally you can alter the preset cryptography schemes specified for the current security policy If you enter crypto weak and no crypto NULL MD5 commands the NULL MD5 cryptography scheme is removed from the current security policy DES CBC3 SHA 3DES 168 SHA1 RSA 1024 fips strong all DES CBC MD5 DES 56 MD5 RSA 1024 strong all DES CBC SHA DES 56 SHA1 RSA 1024 fips strong all EXP A...

Page 335: ...cies prefixed with EXP NULL These policies are considered to be export level policies Note In FIPS Mode only servers configured with FIPS approved algorithms DES CBC SHA DES CBC3 SHA EXP1024 DES CBC SHA can be active end Exits Security Policy Configuration mode activates all changes and returns to SSL Configuration mode end Usage Guidelines Availability Serial Telnet FIPS Mode serial only exit Exi...
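The crypto / no crypto mechanics, the export-level (EXP/NULL) rule and the FIPS Mode rule described on the preceding pages, as an added example (not the appliance's firmware or any code from the guide). Suite names use the hyphenated OpenSSL-style spelling of the names the crypto command lists; FIPS_APPROVED is the set the FIPS Mode note names, while the contents of the preset policies are constructed sample data because the page shows only part of the real preloaded lists.

```python
"""Cipher-suite policy mechanics for an SSL offloader: the crypto / no crypto
commands, the export-level (EXP/NULL) rule and the FIPS Mode rule.

Added example; this is not the appliance's firmware. FIPS_APPROVED is taken
from the FIPS Mode note; the preset policy contents are constructed sample
data (assumption), since the page only shows part of the real preloaded lists.
"""
import re

# Suites the FIPS Mode note names as approved (taken from the page).
FIPS_APPROVED = frozenset({"DES-CBC-SHA", "DES-CBC3-SHA", "EXP1024-DES-CBC-SHA"})

# Constructed sample presets (assumption: not the device's real preloaded lists).
PRESETS = {
    "fips": ["DES-CBC-SHA", "DES-CBC3-SHA", "EXP1024-DES-CBC-SHA"],
    "strong": ["ARC4-MD5", "ARC4-SHA", "DES-CBC3-MD5", "DES-CBC3-SHA",
               "DES-CBC-MD5", "DES-CBC-SHA"],
    "weak": ["EXP-ARC2-MD5", "EXP-ARC4-MD5", "EXP-DES-CBC-SHA",
             "EXP1024-ARC2-CBC-MD5", "EXP1024-ARC4-MD5", "EXP1024-ARC4-SHA",
             "EXP1024-DES-CBC-SHA", "NULL-MD5", "NULL-SHA"],
}
PRESETS["all"] = PRESETS["strong"] + PRESETS["weak"]

SUITE_RE = re.compile(
    r"^(?P<exp>EXP(?:1024)?-)?(?P<cipher>NULL|ARC4|ARC2-CBC|ARC2|DES-CBC3|DES-CBC)"
    r"-(?P<mac>MD5|SHA)$")
NON_EXPORT_BITS = {"ARC4": 128, "DES-CBC": 56, "DES-CBC3": 168}


def parse_suite(name):
    """Split a suite name into export flag, cipher, MAC and effective key bits."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite: {name}")
    exp, cipher, mac = m.group("exp"), m.group("cipher"), m.group("mac")
    if cipher == "NULL":
        bits = 0            # no encryption at all
    elif exp == "EXP-":
        bits = 40           # classic 40-bit export suites
    elif exp == "EXP1024-":
        bits = 56           # 56-bit export suites paired with 1024-bit RSA
    elif cipher in NON_EXPORT_BITS:
        bits = NON_EXPORT_BITS[cipher]
    else:
        raise ValueError(f"no key size known for {name}")
    return {"name": name, "export": exp is not None, "cipher": cipher,
            "mac": mac, "bits": bits}


def is_export_level(name):
    """The page's rule: suites prefixed EXP or NULL are export-level."""
    return name.startswith(("EXP", "NULL"))


def apply_crypto_commands(lines):
    """Replay 'crypto <preset|suite>...' / 'no crypto <suite>...' lines in order."""
    policy = []
    for raw in lines:
        words = raw.split()
        negate = words[0] == "no"
        if negate:
            words = words[1:]
        if not words or words[0] != "crypto":
            raise ValueError(f"not a crypto command: {raw!r}")
        for arg in words[1:]:
            suites = PRESETS.get(arg)
            if suites is None:
                parse_suite(arg)        # rejects unknown suite names
                suites = [arg]
            for s in suites:
                if negate:
                    policy = [p for p in policy if p != s]
                elif s not in policy:
                    policy.append(s)
    return policy


def fips_admissible(policy):
    """A server can be active in FIPS Mode only if its policy has an approved suite."""
    return any(s in FIPS_APPROVED for s in policy)


def audit(policy):
    """Return human-readable findings about a resolved policy."""
    findings = []
    for s in policy:
        info = parse_suite(s)
        if info["bits"] == 0:
            findings.append(f"{s}: NULL cipher, no confidentiality")
        elif info["export"]:
            findings.append(f"{s}: export-grade {info['bits']}-bit key")
        elif info["cipher"] == "DES-CBC":
            findings.append(f"{s}: single DES, 56-bit key")
    if not fips_admissible(policy):
        findings.append("no FIPS-approved suite: server stays suspended in FIPS Mode")
    return findings
```

Replaying `crypto weak` followed by `no crypto NULL-MD5` reproduces the page's own worked case: the weak preset is loaded and NULL-MD5 alone is removed. Every suite the crypto command lists (RC4, single DES, 3DES, MD5 MACs, 40- and 56-bit export suites) is retired by today's standards; the checks above show how the policy mechanics and the FIPS Mode admissibility rule work, not which suites to deploy.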

Page 336: ...FIPS Mode serial only help Displays help information for the specified command help command Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only If you do not specify a command help information is displayed for all Security Policy Configuration Commands info Displays current information about the security policy being edited or created info Usage Guidelines Availabi...

Page 337: ...e The prompt changes to config ssl server servername activate Activates the current logical secure server if enough information has been configured activate Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands suspend Server Configuration Command Set cert Sets the specified certificate for use by the server cert certname default default 1024 default 512 Syntax Descrip...

Page 338: ...e specified certificate group to be used as a certificate chain The no form of the command is used to disable certificate chaining certgroup chain certgroupname no certgroup chain Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Use the no form of the command to remove a certificate group association When using the no flag you need not specify any certificate gr...

Page 339: ...used to disable client authentication using the certificate group When using the no flag you need not specify any certificate group name Only one certificate chain can be used Related Commands clientauth enable Server Configuration Command Set clientauth error Server Configuration Command Set clientauth verifydepth Server Configuration Command Set clientauth enable Enables client certificate authe...

Page 340: ... cert revoked cert has invalid ca cert has signature failure cert other error all Syntax Description cert not provided Certificate was not provided for authentication cert not yet valid The certificate is not valid yet cert has expired The certificate has expired cert revoked The certificate has been revoked cert has invalid ca The certificate has an invalid CA cert has signature failure The signa...

Page 341: ...and Set clientauth verifydepth Specifies the level of certificate within the certificate group to use when verifying client certificates clientauth verifydepth depth Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands certgroup clientauth Server Configuration Command Set clientauth enable Server Configuration Command Set clientauth error Server Con...

Page 342: ...r that does not have ephemeral RSA enabled ephemeral error fail failhtml redirect url Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only The default behavior is failhtml fail The client is disconnected abruptly failhtml The SSL handshake is continued and the client is sent a static HTML error page listing the reason for the error Then the SSL session is disconnect...

Page 343: ...ensures the device complies with United States commerce laws ephrsa no ephrsa Usage Guidelines Availability Serial Telnet FIPS Mode serial only The default is no ephemeral RSA Use the no form of the command to disable ephemeral RSA exit Exits Server Configuration mode activates all changes and returns to SSL Configuration mode exit Usage Guidelines Availability Serial Telnet FIPS Mode serial only ...

Page 344: ...lient custom fieldname fieldvalue pre filter prefix prefixstring server cert session no httpheader client cert client custom pre filter prefix server cert session Syntax Description command The name of the command client cert Adds the client certificate to the HTTP stream client custom Sets up custom client HTTP headers fieldname The name of the header field This text must be entered within quotes...

Page 345: ...ical secure server being edited or created info Usage Guidelines Availability Serial Telnet FIPS Mode serial only ip address Sets the specified IP address for the logical secure server Using the no form of the command clears the IP address for the logical secure server ip address ipaddr netmask mask no ip address Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only ...

Page 346: ...and disables sending of keepalive messages Related Commands keepalive frequency Server Configuration Command Set keepalive maxfailure Server Configuration Command Set keepalive frequency Specifies the interval between keepalive messages keepalive frequency seconds Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands keepalive enable Server Configura...

Page 347: ...mmand Set keepalive frequency Server Configuration Command Set key Sets the specified key for use by the server key keyname default default 1024 default 512 Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Only one key is allowed per server If you enter this command with a different key that reference replaces the earlier one count The number of failed keepalive...

Page 348: ...sent to the real server using the TCP service port previously specified with the remoteport command localport port default Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands remoteport Server Configuration Command Set sslport Server Configuration Command Set log url Specifies a host for logging of URL requests log url ipaddr port portid facility f...

Page 349: ...ervice port is not secured by SSL during transmission to the server It must be secured by another means Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands localport Server Configuration Command Set sslport Server Configuration Command Set ipaddr The IP address of the device to receive log url messages port Keyword indicating that a specific TCP port should be used f...

Page 350: ...w ssl secpolicy command Related Commands secpolicy SSL Configuration Command Set show ssl secpolicy Non Privileged Command Set See the section Security Policy Configuration Command Set session cache enable Enables session caching polname The name of the configured security policy all All pre loaded security policies default Default security policy set fips FIPS 140-2 compliant security policy set ...

Page 351: ...n Mode session cache timeout Server Configuration Mode session cache size Specifies the size of the session cache session cache size cachesize Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Related Commands session cache enable Server Configuration Mode session cache timeout Server Configuration Mode session cache timeout Specifies the session cache length bef...

Page 352: ...aredcipher error fail failhtml redirect url Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only The default behavior is failhtml seconds Specifies the number of seconds before the cache times out fail The client is disconnected abruptly failhtml The SSL handshake is continued and the client is sent a static HTML error page listing the reason for the error Then the ...

Page 353: ...l only Note This command has the same effects as the localport command and is included only for backwards compatibility Related Commands localport Server Configuration Command Set remoteport Server Configuration Command Set sslv2 enable Enables SSL version 2 protocols sslv2 enable no sslv2 enable Usage Guidelines Availability Serial Telnet Using the no form of the command disables SSL version 2 pr...

Page 354: ...3 protocols sslv3 enable no sslv3 enable Usage Guidelines Availability Serial Telnet Using the no form of the command disables SSL version 3 protocols You cannot disable SSL version 2 and 3 and TLS protocols This command is not available in FIPS mode Related Commands sslv2 enable Server Configuration Command Set tlsv1 enable Server Configuration Command Set suspend Suspends the function of the ser...

Page 355: ... all open connections on the server are finished and no new connections are accepted No connections are accepted until the activate command is used If you are editing an existing server and you use the suspend now command all connections are suspended When the end command is entered the current server is removed and a new suspended server is created Related Commands activate Server Configuration M...

Page 356: ... Set transparent Enables the server to function as a transparent proxy default transparent local listen no transparent local listen Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only The no form of the command is used to disable the specified behavior The following table presents the device behavior associated with each command permutation local listen Keyword spe...

Page 357: ...ice's IP address for incoming client connections and uses the client's IP address for connecting to the hardware server no transparent The device listens on the device's IP address for incoming client connections and uses the device's IP address for connecting to the hardware server Command Behavior domainName The domain or file identifier as a domain name IP address or path and file name sslport ...

Page 358: ... than one rule has been configured you must specify the domain name of the rule to delete URL rewrite information can be displayed by using the command show ssl server Related Commands show ssl server Non Privileged Command Set ...

Page 359: ...r name in SSL Configuration mode and tcp tuning in the Server Configuration mode The prompt changes to config ssl tcpTuning server servername Per server settings override global settings and if no setting is used the factory defaults are used The mtu setting affects communications with all aspects of the device including telnet and Web management sessions and is only available directly in the SSL ...

Page 360: ...onds default no delay ack Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Delayed ACK transmissions are designed to reduce extraneous transmissions and reduce transport overhead by attempting to piggyback ACKs on data If no data is to be sent the stack will delay the ACK by the delay ack value waiting for the application to produce data to be sent As bandwidth ...

Page 361: ... of the command to return the finwt2time to the global value If no global settings exist for a parameter the factory default parameter is used instead See RFC 793 keepalive Specifies the amount of time to keep a TCP connection open without active traffic keepalive seconds default no keepalive Syntax Description seconds The number of seconds to wait after acknowledgement of an initial FIN prior to ...

Page 362: ...P Tuning Configuration Command Set keepalive intv TCP Tuning Configuration Command Set keepalive cnt Specifies the number of keepalives that are sent keepalive cnt count default no keepalive cnt Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Use the no form of the command to return the keepalive cnt to the global value If no global settings exist for a paramet...

Page 363: ...lt parameter is used instead See RFC 1122 Related Commands keepalive TCP Tuning Configuration Command Set keepalive cnt TCP Tuning Configuration Command Set max rexmit Specifies the number of times an unacknowledged segment is retransmitted max rexmit count default no max rexmit Syntax Description seconds The number of seconds between keepalives the valid range is from 20 to 600 inclusiv...

Page 364: ...t seconds forever default no maxrt Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only Use the no form of the command to return the maxrt to the global value If no global settings exist for a parameter the factory default parameter is used instead maxseg Specifies the maximum TCP segment size maxseg bytes default no maxseg seconds The number of seconds a ...

Page 365: ...IP unit transmitted mtu bytes default no mtu Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only The mtu value combined with the maxseg value affects TCP fragmentation You cannot set the mtu to a value less than maxseg + 40 (the 20-byte IP header plus the 20-byte TCP header with no options) Use the no form of the command to return the mtu to the global value If no global settings exist for a parameter the factory default paramete...

Page 366: ...zing segments and protocol overhead A value of 1 no Nagle should be used if it is desirable to have packets with small amounts of data sent as soon as possible with no concern for overhead Use the no form of the command to return the nodelay to the global value If no global settings exist for a parameter the factory default parameter is used instead See RFC 896 nopush Controls whether data is sent...

Page 367: ...s of data such as file transfers Use the no form of the command to return the nopush to the global value If no global settings exist for a parameter the factory default parameter is used instead See RFC 1644 Related Commands push all TCP Tuning Configuration Command Set probe max Specifies the maximum window probe timeout probe max milliseconds default no probe max Syntax Description Usage Guideli...

Page 368: ... probes but the interval will not exceed the defined maximum Use the no form of the command to return the probe max to the global value If no global settings exist for a parameter the factory default parameter is used instead Related Commands probe min TCP Tuning Configuration Command Set probe min Specifies the minimum window probe timeout probe min milliseconds default no probe min Syntax Descri...

Page 369: ...l Telnet FIPS Mode serial only Enabling push all can create excessive traffic because of overhead Use the no form of the command to return the push all to the global value If no global settings exist for a parameter the factory default parameter is used instead Related Commands nopush TCP Tuning Configuration Command Set rto def Specifies the default retransmission timeout rto def milliseconds def...

Page 370: ...FC 1122 and RFC 2988 Related Commands rto max TCP Tuning Configuration Command Set rto min TCP Tuning Configuration Command Set rto max Specifies the maximum allowable roundtrip timeout rto value rto max milliseconds default no rto max Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only milliseconds The default number of milliseconds before retransmitting the valid...

Page 371: ...Configuration Command Set rto min TCP Tuning Configuration Command Set rto min Specifies the minimum allowable roundtrip timeout rto value rto min milliseconds default no rto min Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only This value should be set to less than the rto def value Use the no form of the command to return the rto min to the global value If no g...
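The TCP tuning resolution order stated at the start of this command set (per-server setting, then global setting, then factory default) together with the constraints the individual commands state (mtu at least maxseg + 40, keepalive intv within 20 to 600 seconds, probe min not above probe max, rto min below rto def), as an added example that is not code from the guide or the appliance. Parameter names are written with hyphens (keepalive-intv, rto-min) in place of the spaces the extraction left; the FACTORY_DEFAULTS values are constructed placeholders, since the page does not list the real factory defaults.

```python
"""Effective TCP tuning values and constraint checks for an SSL offloader.

Added example; not the appliance's own code. Server settings override the
global (SSL Configuration mode) settings, and anything still unset falls back
to factory defaults. FACTORY_DEFAULTS below are constructed placeholders
(assumption), chosen only to be mutually consistent; the relations checked in
validate() are the ones the tcp tuning commands state.
"""

# Constructed placeholder factory defaults (assumption, not the device's real values).
FACTORY_DEFAULTS = {
    "mtu": 1500, "maxseg": 1460, "delay-ack": 200,
    "keepalive": 7200, "keepalive-cnt": 8, "keepalive-intv": 75,
    "rto-def": 3000, "rto-min": 1000, "rto-max": 60000,
    "probe-min": 500, "probe-max": 60000,
    "nodelay": 0, "nopush": 0, "push-all": 0, "slow-start": 1, "ts": 1, "wnd-scale": 1,
}

# Parameters that take 0 | 1 | on | off rather than a number.
FLAG_PARAMS = {"nodelay", "nopush", "push-all", "slow-start", "ts", "wnd-scale"}
FLAG_WORDS = {"0": 0, "1": 1, "off": 0, "on": 1}


def parse_tcp_tuning(lines):
    """Parse lines typed in TCP Tuning Configuration mode into a settings dict.

    'no <param>' and '<param> default' both drop the explicit value, so the
    next layer down (global, then factory default) applies on resolution.
    """
    settings = {}
    for raw in lines:
        words = raw.split()
        if not words:
            continue
        negate = words[0] == "no"
        if negate:
            words = words[1:]
        param = words[0]
        if param not in FACTORY_DEFAULTS:
            raise ValueError(f"unknown tcp tuning parameter: {param}")
        if negate or len(words) == 1 or words[1] == "default":
            settings.pop(param, None)
            continue
        value = words[1]
        if param in FLAG_PARAMS:
            if value not in FLAG_WORDS:
                raise ValueError(f"{param}: expected 0|1|on|off, got {value}")
            settings[param] = FLAG_WORDS[value]
        else:
            settings[param] = int(value)
    return settings


def effective_settings(server, global_settings):
    """Resolve per-server -> global -> factory default for every parameter."""
    return {p: server.get(p, global_settings.get(p, FACTORY_DEFAULTS[p]))
            for p in FACTORY_DEFAULTS}


def validate(cfg):
    """Return the constraint violations found in a resolved settings dict."""
    problems = []
    # mtu must be at least maxseg + 40 (20-byte IP + 20-byte TCP header, no options).
    if cfg["mtu"] < cfg["maxseg"] + 40:
        problems.append(f"mtu {cfg['mtu']} is less than maxseg {cfg['maxseg']} + 40")
    # rto min should be set below rto def.
    if not cfg["rto-min"] < cfg["rto-def"]:
        problems.append(f"rto-min {cfg['rto-min']} is not below rto-def {cfg['rto-def']}")
    # The window probe interval backs off from probe min but never exceeds probe max.
    if cfg["probe-min"] > cfg["probe-max"]:
        problems.append(f"probe-min {cfg['probe-min']} exceeds probe-max {cfg['probe-max']}")
    # keepalive intv is valid from 20 to 600 seconds inclusive.
    if not 20 <= cfg["keepalive-intv"] <= 600:
        problems.append(f"keepalive-intv {cfg['keepalive-intv']} outside 20..600")
    return problems
```

Because the per-server layer is consulted first, a server that raises only maxseg while inheriting the global mtu can violate the mtu rule even though each layer looked fine on its own; resolving the effective values before checking them is what catches that.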

Page 372: ...n the network traversal path The slow start algorithm uses a variable congestion window setting that increments and decrements as segments are successfully or unsuccessfully acknowledged Any time the quality latency or speed of any portion of the network is unknown e g the Internet it is a safe idea to leave slow start enabled Use the no form of the command to return the slow start to the global v...

Page 373: ...ications such as an abort in FTP data or an interrupt in telnet or rlogin Use the no form of the command to return the stdurg to the global value If no global settings exist for a parameter the factory default parameter is used instead See RFC 1122 ts Controls use of the time stamp TCP option ts 0 1 on off default no ts Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode seria...

Page 374: ...ime stamp TCP option wnd scale 0 1 on off default no wnd scale Syntax Description Usage Guidelines Availability Serial Telnet FIPS Mode serial only The default 1 increases the TCP window from 16 bits to 32 bits The header size is not changed but by enabling the option TCP maintains the window internally as a 32 bit value (the shift count negotiated in the SYN is at most 14 under RFC 1323, so the advertised window is capped at 2^30 bytes) Having this option enabled can accommodate larger receive buffers 65535 by a...

Page 375: ...rious error states such as when the device fails any FIPS self test In these circumstances MiniMax allows users to exit from the error condition as gracefully as possible returning the device to a usable status The MiniMax state can be identified by the presence of the MiniMax prompt in the console The prompt displayed when the device has failed any self tests is self test failure This appendix co...

Page 376: ... text you enter in a command line Italic text indicates the first occurrence of a new term book title and emphasized text In this command summary items presented in italics represent user specified information Items within angle brackets are required information Items within square brackets are optional information Items separated by a vertical bar are options You can choose any of them Note Thoug...

Page 377: ...p show this screen hinv display hardware inventory ifconfig configured network interfaces ip change ip settings ls list flash file directory netstat show open file descriptors and sockets printenv print nvram environment rdate server assign rdate server reboot reboot minimax resetenv reset environment to factory defaults rm delete flash file sbridge add an ethernet port and start the bridge show s...

Page 378: ...o set the IP address subnet mask and default route for the SSL device 1 Enter the following commands at the MiniMax prompt Replace the IP address subnet mask and router address with appropriate ones ip address 10 1 2 5 netmask 255 255 255 0 ip route default 10 1 2 254 2 Check the environment by entering the following command An example of the associated response is included env cbaud 9600 autoboot...

Page 379: ...t zip 1 Ensure the device is connected via the null modem cable to a workstation where Netcat is available Use the CONSOLE port on the appliance 2 Ensure that the Server Ethernet interface on the device is connected to the network 3 Launch any terminal emulation application that communicates with the serial port connected to the SSL device Use these settings 9600 baud 8 data bits no parity 1 stop ...

Page 380: ...p boot 11 Messages are written to the console indicating necessary files are written The device will reboot into the serial console configuration manager Installing a MaxOS Image Xmodem This example uses the Xmodem to download the image to MiniMax over the console serial line The MaxOS image can be found on the distribution CD accompanying the device 1 Launch any terminal emulation application tha...

Page 381: ...t 0x00000005 arch 0x00000007 type 0x00000006 use zap to save to flash 5 Enter the following commands to save the image and restart the device zap boot 6 Messages are written to the console indicating necessary files are written The device will reboot into the serial console configuration manager Extracting a Device Configuration The best way to restore a device configuration is to use a previously...

Page 382: ...onment by entering the following command An example of the associated response is included Note any settings such as the IP address that might be required later env cbaud 9600 autoboot N autorun N verbose false netaddr 10 1 2 5 netmask 255 255 255 0 gwaddr 10 1 2 254 bootfile flash maxos bz2 TZ GMT10DST TERM ansi FIPS_MODE 0 COLUMNS 80 ROWS 25 bootdevice flash maxos bz2 build 200208160004 version ...

Page 383: ...d Summary Examples 3 Check the environment again by entering the following command An example of the associated response is included env cbaud 9600 autoboot N autorun N verbose false netaddr 192 0 2 254 netmask 255 255 255 0 gwaddr bootfile flash maxos bz2 TZ GMT10DST TERM ansi FIPS_MODE 0 COLUMNS 80 ROWS 25 ...

Page 384: ...ax commands are available only through the serial console when the appropriate prompt is displayed question mark Displays the help screen baud Changes the baud baud baudrate Syntax Description boot Boots the device with the current flash image boot cat Lists the specified file to the terminal cat filename Syntax Description baudrate The new baud for the connection filename The path and filename to...

Page 385: ...red as full duplex h Option indicating the specified Ethernet interface s should be configured as half duplex i Option indicating both Ethernet interfaces should be configured with specified parameters p Option identifying the Ethernet interface to be targeted by the configuration statement 0 Option indicating the specified configuration should be applied to the Network interface 1 Option indicating...

Page 386: ...e subsequent argument as the last three octets of the MAC address When the i option is used to indicate both interfaces are to be configured the specified argument is used as the address for the Network port and the argument is incremented for the Server interface address threeoctets The last three octets of the address This argument should be entered as hex values B Option indicating the specifie...

Page 387: ...plays the configured Ethernet interfaces ifconfig Related Commands eaddr ip Changes the device IP and default route settings ip address ipaddr netmask mask ip address ipaddr maskbits ip route default ipaddr Syntax Description ip address Keywords identifying the address to change ipaddr The new IP address maskbits The numeral indicating the appropriate mask to use this netmask shortcut is used only...

Page 388: ...sh file directory ls netstat Displays open file descriptors and sockets on the device netstat printenv Prints the nvram environment to the console printenv rdate server Assigns an RDATE server rdate server ipaddr Syntax Description netmask Keyword identifying the netmask portion of the address mask The appropriate netmask ip route default Keyword identifying the default route address routeaddr Th...

Page 389: ...niMax environment reboot resetenv Resets the MiniMax environment to factory defaults resetenv Related Commands env printenv rm Deletes a file from the flash file directory rm filename Syntax Description Related Commands ls sbridge Connects the specified Ethernet port and starts the bridge sbridge network server filename The name of the file to delete ...

Page 390: ...s follows If one active Ethernet connection is found that interface is used If two active Ethernet connections are found neither interface is used If no active Ethernet connections are found no interface is used show Displays information for the specified system show bridge download arp route Syntax Description Usage Guidelines If no system is specified a help message is displayed network Keyword ...

Page 391: ...Appendix D MiniMax Command Summary Command Set version Displays firmware version information version zap Processes a downloaded image file if available and copies it to the flash zap ...

Page 393: ...Appendix E Troubleshooting This appendix provides general troubleshooting information for the Secure Content Accelerator This appendix contains the section Troubleshooting the Hardware ...

Page 394: ...ect to NIC Ensure cables are properly wired One Power LED is unlit Ensure the Secure Content Accelerator has power Check the associated power switch power cord and power source The Secure Content Accelerator seems to have locked up Reboot the Secure Content Accelerator either by pressing the reset switch or using the reload command in the CLI If the problem continues press and hold the reset switc...

Page 395: ... management access If telnet management is disabled enter Configuration mode and use the telnet enable command Also verify the TCP port specified for management sessions If you have changed the management port from the default you must use the user configured TCP port The device might be operating in FIPS Mode Telnet management is unavailable in FIPS Mode Use a serial management session to connect...

Page 396: ...ertain situations such as when changing to a different subnet If the connection is not redirected manually connect to the device as before If you still are unable to connect use the serial configuration manager to check the appliance configuration and try again The device might be operating in FIPS Mode Web management is unavailable in FIPS Mode Use a serial management session to connect to the de...

Page 397: ...thms are available to traffic The assigned security policy must contain at least one FIPS compliant algorithm After configuring a server it is suspended when I exit the configuration mode The device might be operating in FIPS Mode Only servers configured with FIPS 140 2 compliant algorithms are available to traffic The assigned security policy must contain at least one FIPS compliant algorithm Tab...

Page 398: ...e the cabling and speed of all associated ports been verified No Verify physical cabling and speed of all associated ports No RMA Unit Faulty Ethernet connections Yes Is the console responsive Yes Are the console settings correct No Use a known good null modem cable set terminal to 9600 or 115 200 8 N 1 No Reboot the device using the power switches Yes Is the console responsive RMA Unit Faulty ser...

Page 399: ...1 L2 L3 network problem Yes Configure test environment and test device operation Does the device operate as expected Continue with configuration and operation as desired Are all necessary logical services active Activate services on all devices offloader load balancer Web server etc No Does show netstat display proper listening sockets Yes Check the localport and transparency settings reload if ne...

Page 400: ...hooting Flowchart 3 Is the client set to use the appropriate socket Retest with browser client or test tool No Are any firewalls or ACLs in place Yes Verify client or test suite operability or use a different client No Eliminate ACLs or filters preventing access Does the device operate as expected No Continue with configuration and operation as desired Yes ...

Page 401: ...ed in configuring the Secure Content Accelerator Instructions for generating keys and certificates using the CLI are included in Chapter 4 Instructions for using the GUI are in Chapter 5 This chapter contains the following sections Introduction to SSL Port Blocking Mechanism Before You Begin Using Existing Keys and Certificates Configuration Security Cisco SSL Configuration Components Cisco Secure...

Page 402: ...ecrypted with the private key You can configure the Cisco Secure Content Accelerator using either the GUI or CLI or through the QuickStart wizard available through both the CLI and GUI The CLI is available through telnet or serial connections Port Blocking Mechanism During configuration you must specify the SSL and clear text decrypted TCP service ports Cisco Secure Content Accelerator devices mon...

Page 403: ... Figure F 1 Port Blocking Figure F 2 Port Blocking with Dropped Traffic For example if the server is used for both secure and non secure services you cannot use TCP service port 80 for both basic HTTP connections and for transfer of decrypted secure data between the devices and the server Below are some alternatives for this scenario ...

Page 404: ... the keys and certificate from an existing secure server use default keys and certificates preloaded in the device or generate your own keys and certificates Additionally be aware that you must make several changes to your Web pages The nature of the changes depends upon whether you are securing a previously unsecured site or adding the SSL appliance to an already secure server installation These ...

Page 405: ... key The default certificate is APACHEROOT certs crt Note the name and location of these elements Stronghold The key and certificate locations are listed in the STRONGHOLDROOT conf httpd conf file The default key is STRONGHOLDROOT ssl private key The default certificate is STRONGHOLDROOT ssl cert Note the name and location of these elements IIS 4 on Windows NT The certificate file is in the direct...

Page 406: ... Properties in the shortcut menu 4 Click the Directory Security tab 5 Click Edit in the Secure Communication panel 6 Click Key Manager 7 Click the key to export 8 On the Key menu point to Export Key and click Backup File 9 Read the security warning and click OK 10 Select a file location and enter a file name 11 Click Save 12 Exit the Internet Service Manager IIS 5 on Windows 2000 Follow these step...

Page 407: ...or click Browse to select a location manually Click Next 12 The Completing the Certificate Export Wizard panel appears Click Finish Note The key and certificate file exported from IIS 5 are in PKCS 12 format Use the import pkcs12 command in the configuration manager to load a key and certificate in this format Configuration Security Cisco Secure Content Accelerator devices allow easy flexible conf...

Page 408: ...p access list telnet access list and web mgmt access list in Appendix C Factory Default Reset Password If you have forgotten your access or enable password you can use a factory set password during a serial configuration session When prompted for a password enter FailSafe case sensitive You are asked to confirm the action The appliance reboots reloads with factory default settings Caution All conf...

Page 409: ...Certificates A certificate is loaded into the device to be used as either a single certificate or part of a certificate group Only one certificate or certificate group can be used with each server Certificates can be imported from DER and PEM encoded X 509 files IIS4 backup format NET IIS PKCS 12 files and PKCS 7 certificate groups Step Up Certificates and Server Gated Cryptography Cisco Secure Co...

Page 410: ... certificate objects that are combined into a certificate group An example of configuring a chained certificate via the configuration manager is presented in Chapter 4 See Chapter 5 for information about creating and enabling chained certificates using the GUI Security Policies Cisco Secure Content Accelerator can process a wide range of single and composite cryptography schemes The following tabl...

Page 411: ... all; EXP-ARC4-MD5: ARC4(1) 40-bit, MD5, RSA 512, policies weak/default/all; EXP-DES-CBC-SHA: DES 40-bit, SHA1, RSA 512, policies weak/all; EXP1024-ARC2-CBC-MD5: ARC2(2) 40-bit, MD5, RSA 1024, policies weak/default/all; EXP1024-ARC4-MD5: ARC4(1) 40-bit, MD5, RSA 1024, policies weak/default/all; EXP1024-ARC4-SHA: ARC4(1) 40-bit, SHA1, RSA 1024, policies weak/default/all; EXP1024-DES-CBC-SHA: DES 56-bit, SHA1, RSA 1024, policies weak/all; NULL-MD5: no encryption, MD5, no key exchange, policies weak/default/all; NULL-SHA: no encryption, SHA1, no key exchange, policies weak/default...

Page 412: ... browser based GUI An IP address must have been assigned to the appliance for management A device cannot be set to single port mode via the GUI Only one device can be managed at a single time Serial and telnet management commands can use symbolic hostnames in URL identifiers if the ip domain name has been set File name formats differ depending on the management method When using the GUI you can sp...

Page 413: ...ided QuickStart wizard configuration method available from both the configuration manager and GUI To use this method for configuration see Chapter 3 Brief instructions are also included for initiating a management session using the configuration manager For instructions on using telnet or serial console CLI configuration managers see Chapter 4 for instructions on using the GUI see Chapter 5 To use...

Page 415: ...N D I X G Regulatory Information This appendix lists the regulatory agencies that have approved the Secure Content Accelerator This appendix includes the following sections Regulatory Standards Compliance Canadian Radio Frequency Emissions Statement FCC Class A CISPR 22 EN 55022 Class A VCCI ...

Page 416: ...lly compliant with their environmental safety and emissions standards Canadian Radio Frequency Emissions Statement This Class A digital apparatus complies with Canadian ICES 003 This Class A digital apparatus complies with Canadian standard NMB 003 Table G 1 Regulatory Standards Compliance Regulatory Standards Compliance Regulatory Agency Safety UL 1950 3rd CSA NRTL CAN CSA C22 2 No 950 M...

Page 417: ...ikely to cause harmful interference in which case the user will be required to correct the interference at his own expense To maintain compliance with the limits of a Class A digital device Cisco requires that you use quality interface cables when connecting to this device During testing for certification Category 5 cables were used Caution Modifications to this product not authorized by Cisco Sys...

Page 418: ...o 11000 Series Secure Content Accelerator Configuration Guide 78 13124 05 CISPR 22 EN 55022 Class A Warning This is a class A product In a domestic environment this product may cause radio interference in which case the user may be required to take adequate measures VCCI ...

Page 419: ...nt encrypts the data and connects via SSL to the server C Certificate Digital information that proves the identity of the server similar to a digital ID card Certificates are issued by Certificate Authorities Cipher An encryption algorithm F Flash memory Memory area in which device configuration may be saved configuration information not stored in the flash memory is lost during a power cycle or w...

Page 420: ...guration consisting of an IP address for the hardware web server providing content an SSL TCP service port specification a clear text port specification a key association specifying the key and certificate to use when processing transactions and a security policy specifying the cryptographic scheme s to use R Remote Port The user specified non secure TCP port used by the Cisco Secure Content Accel...

Page 421: ...abling secure transactions of data through privacy authentication and data integrity Simple Network Management Protocol SNMP An application level protocol used to monitor and perform basic configuration of network devices Server Port The user specified secure TCP port monitored by the Cisco Secure Content Accelerator for secure transaction requests ...

Page 423: ...tic route configuration B 24 connecting Network and Server ports 2 9 factory default reset 4 4 C 7 8 FailSafe password 6 4 reloading the device 3 13 5 17 unauthorized modifications 17 unsecured transmissions C 108 C 157 use of keys and certificates 6 2 certificate groups importing 4 20 certificate certificate configuration command set C 118 configuration manager example 4 8 default 3 8 exporting 4 ...

Page 424: ...configuration command set C 147 clientauth enable command in server configuration command set C 147 clientauth error command in server configuration command set C 148 clientauth verifydepth command in server configuration command set C 149 configuring with CLI 4 23 GUI example 5 33 client IP accounting B 16 completion features C 3 configuration QuickStart wizard 3 1 configuration manager backend s...

Page 425: ...ith GUI 5 22 management method comparison C 7 12 non privileged command set C 11 other secure protocols 4 27 5 37 password 3 10 privileged command set C 48 QuickStart wizard 3 1 reloading with GUI 5 17 remote configuration manager C 7 12 reverse proxy server with GUI 5 34 RIP 4 26 secure server 4 8 secure server with GUI 5 22 5 30 Secure Server wizard in GUI 5 48 security policy 3 8 4 9 4 10 4 11 ...

Page 426: ...4 configuring SSL versions 4 28 configuring syslog 4 28 configuring URL rewrite 4 12 enabling chained certificates 4 18 enabling keepalives 4 30 generating a certificate 4 24 generating a key 4 24 setting idle timeout 4 31 setting up a backend server 4 10 4 11 setting up a secure server 4 8 setting up basic device parameters example GUI adding a route 5 11 client authentication 5 33 configuring ac...

Page 427: ...figuring an Ethernet interface 5 9 configuring a reverse proxy server 5 34 configuring a secure server 5 22 5 30 configuring a security policy 5 27 configuring backend server 5 34 configuring client authentication 5 33 configuring client side access 5 4 configuring device name 5 7 configuring other secure protocols 5 37 configuring SNMP 5 19 enabling RIP 5 10 enabling Web management 5 2 generating...

Page 428: ...ing 3 6 naming conventions 3 6 4 8 4 QuickStart wizard 3 6 using existing 4 M management session initiating 3 2 4 5 C 9 MiniMax commands D 1 mounting brackets 2 5 N network deployment in line B 4 load balancing B 2 one armed transparent B 22 single device B 2 transparent sandwich B 8 use with the CSS B 3 non privileged command set C 11 P password access 4 3 C 6 7 description 4 3 C 6 7 enable 4 3 5...

Page 429: ...ion 8 GUI example 5 22 5 30 naming conventions 3 5 server configuration command set C 145 Secure Server wizard 5 48 secure URL rewrite product overview 1 2 security policy configuration manager example 4 9 4 10 4 11 cryptographic algorithms table 10 default 3 8 description 10 GUI example 5 27 naming conventions 4 9 QuickStart wizard 3 8 security policy configuration command set C 141 serial connec...

Page 430: ...ple 4 25 GUI example 5 19 MIB II support 1 2 SNTP product overview 1 2 SNTP servers configuration manager example 4 14 specifications electrical A 2 environmental A 2 physical A 3 SSL Cisco configuration components 8 GUI examples 5 22 introduction 2 versions supported 1 3 SSL commands C 93 backend server configuration command set C 104 certificate configuration command set C 118 certificate group ...

Page 431: ...ions xxxiii C 2 D 2 tools for installation 2 2 top level command set C 11 troubleshooting E 2 U URL rewrite configuration manager example 4 12 W warning CISPR 22 EN 55022 Class A 18 equipment rack stability 2 5 grounding 2 4 power systems A 2 shock hazard 2 3 2 4 site requirement 2 2 Web management configuring client side access 5 4 enabling 5 2 restricting access 5 3 See also GUI website configur...
