Sun Fire B10p SSL Proxy Blade Version 1.1 Administration Guide
This chapter describes the steps required to initialize and configure an SSL proxy blade for use in a network environment. This setup procedure assumes that the SSL proxy blade has already been installed according to the previous installation instructions and all relevant network cables are connected.
This chapter contains the following sections:
Initializing the SSL Proxy Blade
To use the SSL proxy blade, it must be initialized with required information using the blade console, which is accessible through the Sun Fire B1600 system controller. Once the SSL proxy blade has been initially configured, it can be managed through Telnet.
To Initialize the SSL Proxy Blade
1. Gather the required information.
When the SSL proxy blade is powered on for the first time, you must set the values for the parameters listed in TABLE 3-1 before the device can operate correctly. Use the empty value column as a worksheet.
TABLE 3-1 Worksheet of Values for the SSL Proxy Blade Initialization

| Parameter Name | Default | Value | Description |
|---|---|---|---|
| Name | SSL proxy blade | | Name for the SSL proxy blade for administration purposes. |
| Management (admin) IP address | 0.0.0.0 | | IP address for administration by means of Telnet. |
| Administration port netmask | 255.255.255.0 | | Netmask for the local administration subnet. |
| Default gateway | 0.0.0.0 | | IP address of the gateway in the local subnet. |
| Security officer password | so | | Initial security officer password. Should be changed by the security officer. |
| Management VLAN | 0 | | This parameter must be set based on your network setup. |
| Traffic ports | | | |
| Secure/clear portpair | 443/880 | | TCP port numbers for secure/clear client traffic. |
| Certificates | none | | If you have no certificates, then you can create a key and generate a signing request. For simplicity, in this setup we will create a self-signed certificate. |
| Keys | none | | RSA private key that can be used to generate a certificate request or a self-signed certificate. |
| Services IP addresses | none | | Each service supports a server. To set up the services, you need the IP address of each HTTP server for which the SSL proxy blade should process SSL traffic. |
2. Set up the SSL proxy blade.
a. Log on to the SSL proxy blade.
When the SSL Proxy blade console is accessed, the Login: prompt displays after the boot process completes.
# telnet B1600_sc_ip-addr
sc> console Sn
Login: so
Password:
Where n is the slot number for the SSL proxy blade.
Note - For initial setup you must be logged in as the security officer (so).
After the user name and password have been validated, the command prompt is displayed: CLI#
b. Change the security officer password with the command:
For more information about user access and privileges, see User Access.
c. Run the setup command.
After logging in for the first time you need to run the setup command before setting any configuration information. The setup command prompts you for the required information listed above.
CLI# setup
Enter secure port (https) (443):
Enter clear port (http) (880):
Change the password:
Enter login password:
Enter new password:
Re-enter new password:
Password changed.
Setup has completed successfully.
You should add keys and services to complete the configuration.
To save the configuration enter: config save
CLI#
The setup command configures the blade for the first time. You can use specific commands to change the initial parameters later.
3. Verify that the blade is connected.
a. To verify connectivity, ping any host on the same subnet from the SSL proxy blade. The ping should report the host to be alive.
CLI# ping ip-addr
PING 192.50.50.11 from 192.100.100.205: 56 data bytes
64 bytes from 192.50.50.11: icmp_seq=0 ttl=255 time=0 ms
--- ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0/0/0 ms
host is alive.
CLI#
Note - In the previous command the IP address (ip-addr) must be entered as a numeric IP address and not a hostname.
b. To verify Telnet, use Telnet to connect to the SSL proxy blade.
This option allows you to continue the setup process from a local area network.
To Create Keys and Certificates
Before the SSL proxy blade can process SSL traffic, the keys and certificates must be installed.
See Keys and Certificates for more information on the import and create commands.
1. Create a key.
CLI# create key keyname
Enter key strength (1024): 512|1024|2048
Key keyname generated.
2. Create a certificate.
You may create a self-signed certificate for a temporary certificate used for testing purposes and internal use.
CLI# create certificate
Enter key name: keyname
Enter country (US): abbreviated_country
Enter state or province (CA): abbreviated_state
Enter locality (Company Town): town_name
Enter common name (www.company-name.com): www1.my-company.com
Enter organization (Company Name): my_company_name
Enter organization unit (Company Unit): department
Enter email address (support@company-name.com): email@company_name.domain
Certificate generated.
Or, you may create a certificate request then export it from the SSL proxy blade to be sent to a certificate authority for signing.
CLI# create certrequest
Enter key name: keyname
Enter country (US): abbreviated_country
Enter state or province (CA): abbreviated_state
Enter locality (Company Town): town_name
Enter common name (www.company-name.com): www1.my-company.com
Enter organization (Company Name): my_company_name
Enter organization unit (Company Unit): department
Enter email address (support@company-name.com): email@company_name.domain
Certificate generated.
3. Hand off this certificate request to a certificate authority, which generates the certificate. After receiving the signed certificate from the certificate authority, use the import certificate command, or the import ftp|tftp certificate command shown here, to import the certificate into the system.
CLI# import tftp certificate
4. Export the certificate request.
CLI# export ftp certrequest
Enter key name: keyname
Enter remote file name (certificate-request.txt):
Enter remote path (/home/b10puser):
Enter remote IP Address: (192.168.1.28):
Enter remote user name (b10b10puser):
Enter remote user password:****
connecting and writing [/home/b10puser/certificate-request.txt] to 192.168.1.28
Sent: [729] bytes
Certificate signing request exported.
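The create key, create certrequest, create certificate and import certificate steps above all happen inside the blade. As an added example that is not part of this guide or of the blade's software, the following Go program does the same work with the standard library so the pieces can be inspected: it generates an RSA key of a requested strength, builds a CSR carrying the same subject fields the create certrequest prompts ask for, builds a self-signed test certificate, and checks that a certificate returned by a CA actually carries the public half of the key it will be paired with, which is the check worth running before import tftp certificate. The subject values are taken from the prompts' example defaults; refusing 512- and 1024-bit keys is this example's own policy, not the blade's.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Subject holds the fields the "create certificate" and "create certrequest"
// prompts ask for; ExampleSubject is built from the prompts' example defaults.
type Subject struct{ Country, State, Locality, CommonName, Org, OrgUnit, Email string }

var ExampleSubject = Subject{"US", "CA", "Company Town", "www1.my-company.com",
	"Company Name", "Company Unit", "support@company-name.com"}

func (s Subject) name() pkix.Name {
	return pkix.Name{Country: []string{s.Country}, Province: []string{s.State},
		Locality: []string{s.Locality}, Organization: []string{s.Org},
		OrganizationalUnit: []string{s.OrgUnit}, CommonName: s.CommonName}
}

// NewKey mirrors "create key". The blade offers 512/1024/2048; this example
// (its own policy, not the blade's) refuses anything under 2048 bits.
func NewKey(bits int) (*rsa.PrivateKey, error) {
	if bits < 2048 {
		return nil, fmt.Errorf("key strength %d too weak; use 2048 or more", bits)
	}
	return rsa.GenerateKey(rand.Reader, bits)
}

// NewCSR mirrors "create certrequest" + "export certrequest": a PEM request
// signed by the key, ready to hand to a CA.
func NewCSR(key *rsa.PrivateKey, s Subject) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: s.name(),
		DNSNames: []string{s.CommonName}, EmailAddresses: []string{s.Email}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// NewSelfSigned mirrors "create certificate": a self-signed server
// certificate for testing, deliberately short-lived.
func NewSelfSigned(key *rsa.PrivateKey, s Subject, validity time.Duration) ([]byte, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: s.name(),
		DNSNames: []string{s.CommonName}, EmailAddresses: []string{s.Email},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(validity),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// CertMatchesKey is the pre-import check: a certificate returned by the CA
// must carry the public half of the key it will be paired with on the blade.
func CertMatchesKey(certPEM []byte, key *rsa.PrivateKey) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("input is not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok || !pub.Equal(&key.PublicKey) {
		return fmt.Errorf("certificate public key does not match the private key")
	}
	return nil
}

func main() {
	key, err := NewKey(2048)
	if err != nil {
		panic(err)
	}
	cert, _ := NewSelfSigned(key, ExampleSubject, 24*time.Hour)
	fmt.Printf("%s\nmatches key: %v\n", cert, CertMatchesKey(cert, key) == nil)
}
```

The mismatch case CertMatchesKey guards against is the one that shows up in practice when several keys exist on the blade: a CA-signed certificate imported against the wrong key name is accepted as a file but every TLS handshake then fails, and the error only appears once a service using that key is started.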
To Create Services for the Servers
After the certificates have been installed, you can create services for each server. The services enable the SSL proxy blade to process SSL traffic.
Create a service:
CLI# create service
Enter service name: new_servicename
Enter key name: keyname
Enter server IP Address: (0.0.0.0): server_ip-addr
Enter cipher (export/best/optional/high/medium/low) (best): cipher
Enter portpair number (1..4) (1): 1
Service new_servicename created.
See Services for a full explanation of service settings.
To Verify and Save the Configuration
1. Use the show config or show all commands to display the current SSL proxy blade configuration.
CLI# show all
port 1:
management (admin) IP: 192.50.50.205
management (admin) netmask: 255.255.255.0
management (admin) gateway: 0.0.0.0
port 2:
management (admin) IP: 0.0.0.0
management (admin) netmask: 255.255.255.0
management (admin) gateway: 0.0.0.0
... ...
portpair 1:
secure port: 443
clear port: 880
portpair 2:
secure port: 0
clear port: 0
portpair 3:
secure port: 0
clear port: 0
portpair 4:
secure port: 0
clear port: 0
... ...
CLI#
Other configuration information can be displayed using the commands described in TABLE 3-2.
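The Table 3-1 worksheet says what the management port and portpair values should be, and the show all output in step 1 says what the blade currently holds; the following Go program, an added example that is not part of this guide or of the blade's software, closes that loop. It parses the show all format shown above into its port and portpair sections and flags the initialization mistakes that most often survive to this point: a management IP still at 0.0.0.0, a default gateway still at 0.0.0.0 or not inside the management subnet, and a portpair left at 0/0. The embedded dump is constructed to mirror the transcript above, the section and key names are the ones that transcript shows, and the checks are this example's own (they are not what the blade's config compare command does).

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// SampleShowAll is constructed to mirror the "show all" transcript in this
// chapter: port 1 configured, port 2 at defaults, portpair 1 at 443/880.
const SampleShowAll = `port 1:
management (admin) IP: 192.50.50.205
management (admin) netmask: 255.255.255.0
management (admin) gateway: 0.0.0.0
port 2:
management (admin) IP: 0.0.0.0
management (admin) netmask: 255.255.255.0
management (admin) gateway: 0.0.0.0
... ...
portpair 1:
secure port: 443
clear port: 880
portpair 2:
secure port: 0
clear port: 0
`

// Config holds each "port N:" / "portpair N:" section as a map of its lines.
type Config struct{ Ports, Portpairs map[string]map[string]string }

// ParseShowAll splits the dump into sections; blank and "... ..." elision
// lines are skipped, and lines before any section header are ignored.
func ParseShowAll(text string) Config {
	cfg := Config{map[string]map[string]string{}, map[string]map[string]string{}}
	var cur map[string]string
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		header := strings.HasSuffix(line, ":")
		switch {
		case line == "" || strings.HasPrefix(line, "..."):
			continue
		case header && strings.HasPrefix(line, "portpair "):
			cur = map[string]string{}
			cfg.Portpairs[strings.TrimSuffix(line, ":")] = cur
		case header && strings.HasPrefix(line, "port "):
			cur = map[string]string{}
			cfg.Ports[strings.TrimSuffix(line, ":")] = cur
		default:
			if k, v, ok := strings.Cut(line, ":"); ok && cur != nil {
				cur[strings.TrimSpace(k)] = strings.TrimSpace(v)
			}
		}
	}
	return cfg
}

// CheckInit applies the Table 3-1 rules to one management port and one
// portpair and returns one finding per problem (empty means all clear).
func CheckInit(cfg Config, port, portpair string) []string {
	var findings []string
	p, ok := cfg.Ports[port]
	if !ok {
		return []string{port + ": section missing from show all output"}
	}
	ip := net.ParseIP(p["management (admin) IP"])
	mask := net.ParseIP(p["management (admin) netmask"])
	gw := net.ParseIP(p["management (admin) gateway"])
	if ip == nil || ip.IsUnspecified() {
		findings = append(findings, port+": management IP is not set")
	}
	if mask == nil || mask.To4() == nil {
		findings = append(findings, port+": netmask is not a valid IPv4 mask")
	}
	switch {
	case gw == nil || gw.IsUnspecified():
		findings = append(findings, port+": default gateway is not set")
	case ip != nil && mask != nil && mask.To4() != nil:
		m := net.IPMask(mask.To4())
		subnet := net.IPNet{IP: ip.Mask(m), Mask: m} // the management subnet
		if !subnet.Contains(gw) {
			findings = append(findings, fmt.Sprintf("%s: gateway %s is outside management subnet %s", port, gw, subnet.String()))
		}
	}
	if pp, ok := cfg.Portpairs[portpair]; !ok || pp["secure port"] == "0" || pp["clear port"] == "0" {
		findings = append(findings, portpair+": secure/clear ports are not configured")
	}
	return findings
}

func main() {
	for _, f := range CheckInit(ParseShowAll(SampleShowAll), "port 1", "portpair 1") {
		fmt.Println("finding:", f)
	}
}
```

Run against the sample dump, the only finding for port 1 is the unset default gateway, which matches the transcript: the setup command set the management IP and portpair 1 but left the gateway at its 0.0.0.0 default, so Telnet from outside the local subnet would not work until it is set.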
2. Save the configuration as permanent.
When you log out you will be reminded if the configuration has not been saved and given an option to cancel the logout. Configuration changes that are not saved will be lost if the SSL proxy blade is rebooted. The config compare command determines whether the configuration in memory differs from the permanent configuration stored in flash.
3. Verify and start processing.
Note - Browsers have preloaded recognized CA certificates. Thus, with self-signed certificates as used in this example, a browser will not recognize the CA and will issue a warning.

a. Check the version and features of the stored software.
- The show version and show features commands display information about the SSL proxy blade version and enabled capabilities, respectively. This information identifies the exact SSL proxy blade version and model. The show boot command displays the version of internal hardware/software components and is provided for diagnostic purposes.
b. Use the following CLI# commands to display important information about the SSL proxy blade configuration.
TABLE 3-2 Commands to Display Configuration Information

| Command | Description |
|---|---|
| show portpair | Shows all TCP port settings |
| show all | Shows all system information |
| show config | Shows all system information |
| show snmp | Shows the SNMP agent |
| show service | Shows all current services |
| show log | Shows logging config. information |
| show stats | Shows statistics |
| show features | Shows software license information |
| show version | Shows software version |
| show boot | Shows release version information |
| show state | Shows various system settings |
| show link | Shows inband port link settings |
| show interface | Shows inband interface settings |
These and other show commands are described in detail in Appendix G.
c. Start processing.
After adding certificates and services, and configuring the Sun Fire B10n content load balancing blade, you can start the SSL proxy blade using the start command. The start command makes the SSL proxy blade begin processing SSL traffic.
4. Exit the CLI interface.
After the setup process is finished, and the SSL proxy blade is successfully processing traffic, use the logout command to exit the command-line interface. You can also exit the CLI by typing the following:
817-7321-10
Copyright © 2004, Sun Microsystems, Inc. All Rights Reserved.