Appendix E: Using Certificates in HTTPS Clusters
Equalizer Installation and Administration Guide
Software vs. Hardware Encryption/Decryption
Without Xcel hardware SSL acceleration, all Layer 7 HTTPS encryption and decryption is performed by software,
using Equalizer’s CPU and memory. With Xcel, all SSL operations for Layer 7 HTTPS clusters are performed on
dedicated hardware, thus offloading both the servers behind Equalizer and Equalizer itself -- freeing more resources
for traffic and application management.
In terms of configuration, both software and hardware SSL operations require a list of cipher suites (encryption
algorithms) to be used to encrypt and decrypt HTTPS traffic. The supported cipher suites for each SSL processing
mode (software, Xcel I, Xcel II) are described in the section “Configuring Cipher Suites” on page 289.
Also see the section “Private Key Storage for Cluster Certificates” on page 288 for a discussion of how Equalizer
stores the private keys for your cluster certificates, and how to keep private keys secure on Equalizer.
Using Certificates in a Failover Configuration
In failover configurations, if client and server certificates are not part of the configuration settings that are
transferred between the failover peers, you must install the server certificates (and the client certificates, if used) on
both of the failover peers.
Enabling HTTPS with a Server Certificate
The following are the steps to follow to obtain and install a server certificate, and verify that it works.
1. Generate a Server Certificate Signing Request or a Self-Signed Server Certificate.
To get a server certificate, do one of the following:
a. Create a Certificate Signing Request (CSR) and send it to a Certificate Authority for signing. This
provides the highest level of trust to the client, as the client can be assured that the certificate it receives
from the server (in this case, Equalizer) was approved (i.e., digitally signed) by a trusted third party. Thus,
the client has the assurance of a third party that the server to which it is connecting is identifying itself
legitimately (and is not impersonating the legitimate server’s identity). See the section “Generating a CSR
and Getting It Signed by a CA” on page 282.
b. Create a certificate and sign it yourself. This provides a lower level of trust, since the client is essentially
trusting the server to identify itself. Self-signed certificates are relatively easy to counterfeit, and are only
recommended for use on internal, non-production, or test configurations. See the section “Generating a
Self-Signed Certificate” on page 283.
2. Create the HTTPS cluster.
When creating an HTTPS cluster, the default flags and parameters are acceptable for most server certificate
configurations.
For more information on SSL parameters, see the section “Layer 7 Security > SSL Tab (HTTPS only)” on page
120.
3. Install the Server Certificate on Equalizer.
Use the Equalizer Administration Interface to install the server certificate. See the section “Installing
Certificates for an HTTPS Cluster” on page 284.
4. Try connecting to the Cluster via HTTPS.
From a client browser, open https://cluster, where cluster is the network node name or IP address of the
HTTPS cluster. The browser may notify you that it is accepting a certificate from the server and ask for
confirmation. Once you accept the certificate, the requested page should be displayed.
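The following is an added example, not the guide's own procedure: it walks steps 1a and 1b with OpenSSL and adds the checks worth running before installing the result in step 3 (key and certificate match, self-signed or not, fingerprint for comparing failover peers). OpenSSL as the tool, the name cluster.example.com, and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Equalizer guide. Assumes OpenSSL is installed;
# cluster.example.com and the file names are placeholders.
set -eu
CN="cluster.example.com"
WORK="$(mktemp -d)"

# Step 1a: new private key plus a CSR to send to a Certificate Authority.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$CN" \
    -keyout "$WORK/cluster.key" -out "$WORK/cluster.csr" 2>/dev/null
  chmod 600 "$WORK/cluster.key"   # only the CSR goes to the CA; the key stays private
}

# Step 1b: sign the same request with its own key (internal or test use only).
make_self_signed() {
  openssl x509 -req -in "$WORK/cluster.csr" -signkey "$WORK/cluster.key" \
    -days 30 -out "$WORK/cluster.crt" 2>/dev/null
}

# SHA-256 of the public key held in a key, CSR or certificate file.
pubkey_hash() {   # $1 = key|csr|crt, $2 = file
  case "$1" in
    key) openssl pkey -in "$2" -pubout ;;
    csr) openssl req  -in "$2" -noout -pubkey ;;
    crt) openssl x509 -in "$2" -noout -pubkey ;;
  esac | openssl sha256 | awk '{print $NF}'
}

# Succeeds when issuer equals subject, i.e. no third party vouches for the cert.
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//')" = \
    "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')" ]
}

# Certificate fingerprint, for comparing what each failover peer presents.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

make_csr
make_self_signed
[ "$(pubkey_hash key "$WORK/cluster.key")" = "$(pubkey_hash crt "$WORK/cluster.crt")" ] \
  && echo "certificate matches private key"
is_self_signed "$WORK/cluster.crt" && echo "self-signed: browsers will warn in step 4"
echo "SHA-256 fingerprint: $(fingerprint "$WORK/cluster.crt")"
```

After step 3, `openssl s_client -connect HOST:443 -showcerts` against each failover peer shows the certificate actually served; its SHA-256 fingerprint should equal the one printed here for the installed file.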