Brocade ADX - How to Configure SSL/TLS


The Brocade ADX offers two ways to configure SSL:

  • SSL (Termination) - SSL is terminated at the load balancer so that unencrypted traffic can be sent on to the backend servers. This is also known as client-side encryption/decryption.
  • SSL Proxy - The Brocade ADX decrypts the traffic and then re-encrypts it before sending it on to the backend servers.

Self-Signed

To create a self-signed certificate on the Brocade ADX, the following syntax is used:

ssl genrsa rsa.key 2048 <password>
ssl gencert certkey rsa.key signkey rsa.key <password> x509.crt

ssl profile <profile-name>
  allow-self-signed-cert

CSR

The benefit of generating a Certificate Signing Request is that the private key never leaves the load balancer.

Before a CSR can be created, a key pair (a public and a private key) is generated. The CSR is then produced in base64-encoded PEM format. It includes the details entered beforehand (DN, email, etc.) and is sent to the CA for signing.

How is it Signed?

The CA takes an MD5 hash of the certificate. This hash is then encrypted using the CA's private key.

Create Key Pair / CSR

ssl genrsa filename.key 2048 password
ssl gencsr filename.key

Transfer Certificate

Copy and paste the public certificate request (CSR) into a text file, which is then sent to the CA.

Transferring Certificate / Keys

The following steps show the commands required for copying certificate/keys to the Brocade ADX using scp.

NOTE
Any intermediate certificates should be appended to the public certificate before it is transferred to the ADX.

ip dns domain-name [domain name]
crypto key generate dsa
ip ssh
ip ssh scp enable

scp file.key admin@[adx ip address]:sslkeypair:filename.key:<password>:pem
scp file.cert admin@[adx ip address]:sslcert:filename.cert:pem

SSL (Termination)

To terminate SSL on a virtual server, an SSL profile is created and assigned to the relevant Virtual Server.

ssl profile <profile name>
  keypair-file <private-key>.key
  certificate-file <cert-file>.cer
  cipher-suite rsa-with-aes-256-sha
  cipher-suite rsa-with-aes-128-sha
  cipher-suite rsa-with-3des-ede-cbc-sha
  cipher-suite rsa-with-3des-ede-cbc-md5
  disable ssl2 ssl3 // 12.4s+
  session-cache server
  enable-certificate-chaining

server virtual VIP_88.88.88.88 192.168.88.88
  port ssl
  port ssl ssl-terminate <profile name>
  bind ssl rs1 http rs2 http

NOTE
 The SSL profile in this example is configured to remove weak ciphers. Should you want to allow all ciphers, use the command cipher-suite all-cipher-suites instead.

SSL Proxy

To decrypt and then re-encrypt SSL sessions on the ADX, two profiles need to be created: a client-side profile (the same as the one created for standard SSL Termination) and a server-side profile that contains only the root CA certificate. These profiles are then assigned to the VIP.

ssl profile sslclient-examplecom
 keypair-file <private-key>.key
 certificate-file <cert-file>.cer
 cipher-suite all-cipher-suites
 enable-certificate-chaining
 session-cache off

ssl profile sslserver-examplecom
 ca-cert-file <cert-file>.cer
 session-cache off

server virtual VIP_88.88.88.88 192.168.8.88
 port ssl sticky
 port ssl ssl-proxy sslclient-examplecom sslserver-examplecom
 bind ssl rs1 ssl rs2 ssl

NOTE
 If the server returns the root CA certificate then the ADX will fail to trust the issuer and the SSL session will fail. To resolve this ensure that the server only returns the identity and intermediate certificates.

Renegotiation

The Brocade ADX does not support renegotiation. However, in some cases the SSL handshake will fail if the 'renegotiation_info' extension (RFC 5746) is ignored by the server. Because of this, the ADX responds with a null (empty) renegotiation_info to maximise compatibility. This feature is enabled by default via the command server ssl respond-with-renegotiation-info.
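To make the "null response" concrete, the following is an added Python example (not ADX code or part of the original article). It encodes the empty renegotiation_info extension sent on an initial handshake and applies the RFC 5746 section 3.4 checks a client performs on the ServerHello; the function names and the constructed byte strings are assumptions made for illustration.

```python
"""RFC 5746 renegotiation_info encoding and initial-handshake checks (added example)."""
import struct

RENEG_INFO = 0xFF01  # extension type "renegotiation_info" (RFC 5746)


def encode_renegotiation_info(verify_data: bytes = b"") -> bytes:
    """Build the extension TLV. On an initial handshake the
    renegotiated_connection field is empty, giving ff 01 00 01 00."""
    body = bytes([len(verify_data)]) + verify_data
    return struct.pack("!HH", RENEG_INFO, len(body)) + body


def encode_extension_block(extensions: list) -> bytes:
    """Wrap TLVs in the 2-byte-length extensions block of a Hello message."""
    body = b"".join(extensions)
    return struct.pack("!H", len(body)) + body


def parse_extensions(blob: bytes) -> dict:
    """Parse an extensions block into {type: data}, rejecting bad lengths."""
    if len(blob) < 2 or struct.unpack("!H", blob[:2])[0] != len(blob) - 2:
        raise ValueError("extension block length mismatch")
    exts, pos = {}, 2
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated extension header")
        etype, elen = struct.unpack("!HH", blob[pos:pos + 4])
        pos += 4
        if pos + elen > len(blob):
            raise ValueError("truncated extension body")
        exts[etype] = blob[pos:pos + elen]
        pos += elen
    return exts


def check_server_hello(server_exts: dict, client_offered: bool) -> str:
    """Classify the server's reply on an initial handshake (RFC 5746 s3.4)."""
    data = server_exts.get(RENEG_INFO)
    if data is None:
        # Server ignored the extension: the peer does not do secure renegotiation
        return "no-renegotiation-info" if client_offered else "not-offered"
    if data != b"\x00":
        # renegotiated_connection must be empty on an initial handshake
        return "handshake-failure"
    return "secure-renegotiation"
```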

SSL/TLS Versions

The table below lists the SSL/TLS protocol versions and the code train in which each was implemented:

Protocol Version    Implemented
TLS1.1              12.4t
TLS1.2              12.5.02e

Details of the protocol versions supported by the ADX health checks can be found here.

NOTE
 This section is currently a work in progress.

Troubleshooting

A great tool for troubleshooting SSL certificate issues is the command show ssl authentication-stats.

SSH@ADX# rcon virtual
SSH@ADX-vbp# show ssl authentication-stats

SSL certificate verification counters:

                  Success :         10                    Failure :         43
             Unknown user :          0           Signature failed :          0
      Certificate expired :          0        Certificate revoked :          0
      Cert not yet valid  :          0      Cert signature failed :          0
Issuer pubkey decode fail :          0           Self signed cert :          0
    Issuer cert not found :         43    Subject Issuer mismatch :          0
    Certificate untrusted :          0        Cert chain too long :          0
    Cert not sent by peer :          0

CRL counters:
          CRL load failed :          0       CRL signature failed :          0
           CRL not found :           0          CRL not yet valid :          0
              CRL expired :          0
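As an added example (not part of the original article), the following Python parses the counter layout shown above and reports which reason accounts for the failures. The sample text is a constructed, abbreviated copy of the output above, and the hint for "Issuer cert not found" reflects the chain note in the SSL Proxy section.

```python
"""Parse `show ssl authentication-stats` output and name the dominant failure."""
import re

# Constructed sample, abbreviated from the CLI output shown in the article
SAMPLE = """\
SSL certificate verification counters:

                  Success :         10                    Failure :         43
             Unknown user :          0           Signature failed :          0
      Certificate expired :          0        Certificate revoked :          0
    Issuer cert not found :         43    Subject Issuer mismatch :          0
    Cert not sent by peer :          0

CRL counters:
          CRL load failed :          0       CRL signature failed :          0
"""

# Each output line carries up to two "label : value" pairs
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)")

# Hints for the counters the article discusses (assumed wording, not ADX text)
HINTS = {
    "Issuer cert not found": "issuer missing from ca-cert-file, or the backend "
                             "returns the root CA instead of only identity and "
                             "intermediate certificates",
    "Certificate expired": "backend certificate needs renewing",
    "Cert not sent by peer": "backend did not present a certificate on port ssl",
}


def parse_auth_stats(text: str) -> dict:
    """Return {counter label: value} for every pair in the output."""
    counters = {}
    for line in text.splitlines():
        if line.rstrip().endswith("counters:"):
            continue  # section headers carry no values
        for label, value in PAIR_RE.findall(line):
            counters[label.strip()] = int(value)
    return counters


def diagnose(counters: dict) -> tuple:
    """Return (reason, hint) for the largest non-zero failure counter."""
    if counters.get("Failure", 0) == 0:
        return ("ok", "no verification failures recorded")
    reasons = {k: v for k, v in counters.items()
               if k not in ("Success", "Failure") and v > 0}
    if not reasons:
        return ("unexplained", "Failure total not reflected in any reason counter")
    top = max(reasons, key=reasons.get)
    return (top, HINTS.get(top, "see counter name"))
```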

Show Commands

  • show ssl key *
  • show ssl cert *
  • ssl clear cert xxx.cert
  • ssl clear key xxx.key


About the Author

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001