Brocade ADX – How to Configure SSL/TLS

The Brocade ADX offers 2 ways to configure SSL. These are,

  • SSL (Termination) – Allows for SSL termination at the loadbalancer so that unencrypted traffic can be sent onto the backend servers. This is also known as client side encryption/decryption.
  • SSL Proxy – Allows for the Brocade ADX to decrypt and then re-encrypt the traffic prior to sending it onto the backend servers.

Self Signed

In order to create a self signed certificate (on the Brocade ADX) the following syntax is used:

ssl genrsa rsa.key 2048 <password>
ssl gencert certkey rsa.key signkey rsa.key <password> x509.crt

ssl profile <profile-name>
  allow-self-signed-cert

CSR

The benefit of generating a Certificate Signing Request is that the private key never leaves the LoadBalancer.

Prior to creating a CSR a key pair is created, i.e a public and a private key. Once the CSR is generated, the CSR is created using a base-64 encoded PEM format. This CSR includes the various details previously entered DN, email etc and is then sent to the CA for signing.

How is it Signed ?

The CA takes an md5 of the certificate. This hash is then encrypted using the CA`s private key.

Create Key Pair / CSR

ssl genrsa filename.key 2048 password
ssl gencsr filename.key

Transfer Certificate

Copy and paste the public certificate into a text file. This is then sent to the CA.

Transferring Certificate / Keys

The following steps show the commands required for copying certificate/keys to the Brocade ADX using scp.

NOTE
Any intermediate certificates should be appended to the public certificate before it is transferred to the ADX.

ip dns domain-name [domain name]
crypto key generate dsa
ip ssh
ip ssh scp enable

scp file.key admin@[adx ip address]:sslkeypair:filename.key:<password>:pem
scp file.cert admin@[adx ip address]:sslcert:filename.cert:pem

SSL (Termination)

In order to terminate SSL on a virtual server a SSL profile is created and assigned to the necessary Virtual Server.

ssl profile <profile name>
  keypair-file <private-key>.key
  certificate-file <cert-file>.cer
  cipher-suite rsa-with-aes-256-sha 
  cipher-suite rsa-with-aes-128-sha
  cipher-suite rsa-with-3des-ede-cbc-sha
  cipher-suite rsa-with-3des-ede-cbc-md5
  disable ssl2 ssl3 // 12.4s+
  session-cache server
  enable-certificate-chaining

server virtual VIP_88.88.88.88 192.168.88.88
  port ssl
  port ssl ssl-terminate <profile name>
  bind ssl rs1 http rs2 http

NOTE
 The SSL profile within this example is configured to remove weak ciphers. Should you want to allow the use of all ciphers the command cipher-suite all-cipher-suites is used.

SSL Proxy

To decrypt and then re-encrypt SSL sessions on the ADX 2 profiles need creating, a client-side profile (the same that is created when configuring standard SSL Termination) and a server-side profile that contains just the root CA certificate. These profiles are then assigned to the VIP.

ssl profile sslclient-examplecom
 keypair-file <private-key>.key
 certificate-file <cert-file>.cer
 cipher-suite all-cipher-suites
 enable-certificate-chaining
 session-cache off 

ssl profile sslserver-examplecom
 ca-cert-file <cert-file>.cer
 session-cache offserver

virtual VIP_88.88.88.88 192.168.8.88
 port ssl sticky
 port ssl ssl-proxy sslclient-examplecom sslserver-examplecom
 bind ssl  rs1 ssl  rs2 ssl

NOTE
 If the server returns the root CA certificate then the ADX will fail to trust the issuer and the SSL session will fail. To resolve this ensure that the server only returns the identity and intermediate certificates.

Renegotiation

The Brocade ADX does not support Renegotiation. However in some cases the SSL handshake will fail if the ‘renegotiation_info’ extension is ignored by the server (RFC5746). Because of this the ADX will respond with a null response to ensure maximum capability. This feature is enabled by default via the command server ssl respond-with-renegotiation-info.

SSL/TLS Versions

Below details the various SSL/TLS protocols and at what point within the various code trains they were implemented,

Protocol Version Implemented 
TLS1.1 12.4t 
TLS1.212.5.02e

For details on the various protocol versions supported within the ADX healthchecks can be found here.

NOTE This section is currently work in progress.

Troubleshooting

A great tool for troubleshooting SSL certificate issues is the command show ssl authentication-stats.

SSH@ADX# rcon virtual
SSH@ADX-vbp# show ssl authentication-stats

SSL certificate verification counters:

                  Success :         10                    Failure :         43
             Unknown user :          0           Signature failed :          0
      Certificate expired :          0        Certificate revoked :          0
      Cert not yet valid  :          0      Cert signature failed :          0
Issuer pubkey decode fail :          0           Self signed cert :          0
    Issuer cert not found :         43    Subject Issuer mismatch :          0
    Certificate untrusted :          0        Cert chain too long :          0
    Cert not sent by peer :          0

CRL counters:
          CRL load failed :          0       CRL signature failed :          0
           CRL not found :           0          CRL not yet valid :          0
              CRL expired :          0

Show Commands

  • show ssl key *
  • show ssl cert *
  • ssl clear cert xxx.cert
  • ssl clear key xxx.cert
Rick Donato
Latest posts by Rick Donato (see all)

Want to become a networking expert?

Here is our hand-picked selection of the best courses you can find online:
Cisco CCNA 200-301 Certification Gold Bootcamp
Complete Cyber Security Course – Network Security
Internet Security Deep Dive course
Python Pro Bootcamp
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial