Brocade ADX - How to Configure SSL/TLS
The Brocade ADX offers two ways to configure SSL/TLS:
- SSL Termination - SSL/TLS is terminated at the load balancer and plaintext traffic is sent on to the backend servers. This is also known as client-side encryption/decryption.
- SSL Proxy - The ADX decrypts the client's traffic and then re-encrypts it before sending it on to the backend servers, so the server-side leg is also protected.
To create a self-signed certificate on the Brocade ADX, use the following syntax (the key pair and the certificate that signs it are one and the same):
ssl genrsa rsa.key 2048 <password>
ssl gencert certkey rsa.key signkey rsa.key <password> x509.crt
ssl profile <profile-name>
The benefit of generating a Certificate Signing Request (CSR) on the ADX itself is that the private key never leaves the load balancer.
Before a CSR can be created a key pair (a public and a private key) is generated. The CSR is then output in base-64 encoded PEM format; it contains the details entered (DN, email address, etc.) together with the public key, and is sent to the CA for signing.
How is it Signed ?
The CA computes a hash of the to-be-signed portion of the certificate (MD5 or SHA-1 in older deployments, both now considered unsafe for this purpose; SHA-256 is used today) and signs that hash with the CA's private key. Anyone holding the CA's public key can then verify the signature, which is how a client validates the chain.
Create Key Pair / CSR
ssl genrsa filename.key 2048 password
ssl gencsr filename.key
Copy and paste the CSR output (not the private key) into a text file. This is what is sent to the CA for signing.
Transferring Certificate / Keys
The following steps show the commands required to copy certificates and keys to the Brocade ADX using scp (the first three commands set up the SSH host key and enable scp on the ADX).
Any intermediate certificates should be appended to the identity (server) certificate before it is transferred to the ADX.
ip dns domain-name [domain name]
crypto key generate dsa
ip ssh scp enable
scp file.key admin@[adx ip address]:sslkeypair:filename.key:<password>:pem
scp file.cert admin@[adx ip address]:sslcert:filename.cert:pem
To terminate SSL on a virtual server, an SSL profile is created and assigned to the SSL port of the relevant virtual server.
ssl profile <profile name>
disable ssl2 ssl3 // available from 12.4s onwards
server virtual VIP_126.96.36.199 192.168.88.88
port ssl ssl-terminate <profile name>
bind ssl rs1 http rs2 http
The SSL profile in this example is intended to exclude weak cipher suites (and disables SSLv2 and SSLv3). If you need to allow every cipher suite the ADX supports, the command cipher-suite all-cipher-suites is used within the profile; bear in mind that this permits the weak ciphers too.
To decrypt and then re-encrypt SSL sessions on the ADX, two profiles need to be created: a client-side profile (the same profile that is created for standard SSL termination) and a server-side profile that contains only the root CA certificate used to validate the backend servers' certificates. Both profiles are then assigned to the VIP.
ssl profile sslclient-examplecom
ssl profile sslserver-examplecom
virtual VIP_188.8.131.52 192.168.8.88
port ssl sticky
port ssl ssl-proxy sslclient-examplecom sslserver-examplecom
bind ssl rs1 ssl rs2 ssl
If a backend server includes the root CA certificate in the chain it returns, the ADX will fail to trust the issuer and the SSL session will fail. To resolve this, ensure that the server returns only its identity certificate and any intermediate certificates.
The Brocade ADX does not support TLS renegotiation. Some clients, however, abort the handshake if the server does not acknowledge the 'renegotiation_info' extension defined in RFC 5746. To maximise compatibility the ADX therefore replies with an empty renegotiation_info extension (the value RFC 5746 specifies for an initial handshake) even though it never renegotiates. This behaviour is enabled by default via the command server ssl respond-with-renegotiation-info.
The following details the SSL/TLS protocol versions and the point within the various code trains at which each was implemented.
Details of the protocol versions supported by the ADX health checks can be found here.
NOTE: This section is currently a work in progress.
A useful command for troubleshooting SSL certificate issues is show ssl authentication-stats, run from the virtual context (rcon virtual). In the output below all 43 failures are counted under 'Issuer cert not found': the ADX could not locate the issuing certificate for the certificate presented to it, which usually means an intermediate certificate is missing from the chain.
SSH@ADX# rcon virtual
SSH@ADX-vbp# show ssl authentication-stats
SSL certificate verification counters:
Success : 10 Failure : 43
Unknown user : 0 Signature failed : 0
Certificate expired : 0 Certificate revoked : 0
Cert not yet valid : 0 Cert signature failed : 0
Issuer pubkey decode fail : 0 Self signed cert : 0
Issuer cert not found : 43 Subject Issuer mismatch : 0
Certificate untrusted : 0 Cert chain too long : 0
Cert not sent by peer : 0
CRL load failed : 0 CRL signature failed : 0
CRL not found : 0 CRL not yet valid : 0
CRL expired : 0
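The CSR and signing workflow described earlier, and the chain-composition failure behind the 'Issuer cert not found' counter above, as an added example that is not part of the original page and not Brocade ADX code. It is written in Go using only the standard library: it builds a constructed root -> issuing CA -> leaf PKI, generates the leaf key pair locally and sends only a CSR to the issuing CA (as ssl gencsr does), verifies the returned certificate by hand (SHA-256 of the to-be-signed portion checked against the issuer's public key, plus a check that the certificate carries our own key), and then validates the bundle with and without the intermediate. The names (root-ca.example.test, issuing-ca.example.test, www.example.test), serial numbers and validity periods are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newKey is the "ssl genrsa ... 2048" step: a fresh RSA key pair.
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	return k
}

// issue builds a certificate from constructed values (1-day validity, one simplified key-usage
// set for CA and leaf alike) and signs it with parentKey; parent == nil means self-signed.
func issue(cn string, serial int64, isCA bool, pub *rsa.PublicKey, parent *x509.Certificate, parentKey *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	must(err)
	c, err := x509.ParseCertificate(der)
	must(err)
	return c
}

// BuildChain replays the page's CSR workflow on a constructed root -> issuing CA -> leaf PKI:
// the leaf key pair stays local and only the CSR (subject DN plus public key) goes to the CA.
func BuildChain() (root, inter, leaf *x509.Certificate, leafKey *rsa.PrivateKey) {
	rootKey, intKey := newKey(), newKey()
	leafKey = newKey()
	root = issue("root-ca.example.test", 1, true, &rootKey.PublicKey, nil, rootKey) // like "ssl gencert"
	inter = issue("issuing-ca.example.test", 2, true, &intKey.PublicKey, root, rootKey)
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, // the "ssl gencsr" step
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: "www.example.test"}}, leafKey)
	must(err)
	csr, err := x509.ParseCertificateRequest(csrDER) // what gets pasted into a text file for the CA
	must(err)
	must(csr.CheckSignature()) // the CA checks the requester really holds the private key
	leaf = issue(csr.Subject.CommonName, 3, false, csr.PublicKey.(*rsa.PublicKey), inter, intKey)
	return root, inter, leaf, leafKey
}

// VerifySignatureManually spells out "signed by the CA": the CA hashed the to-be-signed (TBS)
// portion (SHA-256 here, not MD5) and signed that digest with its private key, so the issuer's
// public key verifies it; it also checks the certificate carries the key pair generated locally.
func VerifySignatureManually(cert, issuer *x509.Certificate, key *rsa.PrivateKey) error {
	if !key.PublicKey.Equal(cert.PublicKey) {
		return fmt.Errorf("certificate public key does not match our key pair")
	}
	digest := sha256.Sum256(cert.RawTBSCertificate)
	return rsa.VerifyPKCS1v15(issuer.PublicKey.(*rsa.PublicKey), crypto.SHA256, digest[:], cert.Signature)
}

// VerifyChain checks the bundle the page says to upload (identity certificate first, then the
// intermediates appended, never the root) as a TLS client or the ADX server-side profile would,
// trusting only root. A missing intermediate fails with x509.UnknownAuthorityError, the
// analogue of the "Issuer cert not found" counter in show ssl authentication-stats.
func VerifyChain(root *x509.Certificate, host string, bundle ...*x509.Certificate) error {
	if len(bundle) == 0 {
		return fmt.Errorf("empty bundle")
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range bundle[1:] {
		inter.AddCert(c)
	}
	_, err := bundle[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	return err
}

func main() {
	root, inter, leaf, key := BuildChain()
	fmt.Println("issued correctly:", VerifySignatureManually(leaf, inter, key))
	fmt.Println("leaf only:", VerifyChain(root, "www.example.test", leaf))
	fmt.Println("leaf + intermediate:", VerifyChain(root, "www.example.test", leaf, inter))
}
```

Running it shows the leaf verifying under the issuing CA, the leaf-only bundle failing with an unknown-authority error (the client has no way to link the leaf to the trusted root), and the leaf plus intermediate bundle succeeding. The root is only ever placed in the trust store, never in the uploaded bundle, which mirrors the advice above about what the backend server should and should not return.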
Other useful commands for listing and removing keys and certificates on the ADX:
- show ssl key *
- show ssl cert *
- ssl clear cert xxx.cert
- ssl clear key xxx.key