The Brocade ADX offers two ways to configure SSL:
- SSL (Termination) – Terminates SSL at the load balancer so that unencrypted traffic is sent on to the backend servers. This is also known as client-side SSL, since only the client-facing leg is encrypted.
- SSL Proxy – The ADX decrypts the client traffic and re-encrypts it before sending it on to the backend servers, so both legs are encrypted.
Self-Signed
To create a self-signed certificate on the Brocade ADX the following commands are used. The profile that uses the certificate must explicitly allow self-signed certificates:
ssl genrsa rsa.key 2048 <password>
ssl gencert certkey rsa.key signkey rsa.key <password> x509.crt
ssl profile <profile-name>
allow-self-signed-cert
CSR
The benefit of generating a Certificate Signing Request (CSR) on the ADX is that the private key never leaves the load balancer.
Before the CSR is created a key pair (a public and a private key) is generated. The CSR is then produced in base-64 encoded PEM format; it contains the public key together with the details entered during generation (DN, email etc.) and is sent to the CA for signing.
How is it Signed?
The CA hashes the to-be-signed body of the certificate (subject, issuer, validity period and public key) and signs that hash with its private key. Older CAs used MD5 or SHA-1 for this hash; both are now considered unsafe for signatures and current CAs use SHA-256. Anyone holding the CA's public key can recompute the hash and check the signature, so any change to the certificate body invalidates it.
Create Key Pair / CSR
ssl genrsa filename.key 2048 password
ssl gencsr filename.key
Transfer CSR
Copy and paste the CSR output into a text file. This is then sent to the CA, which returns the signed public certificate.
Transferring Certificate / Keys
The following steps show the commands required to copy the certificate and key to the Brocade ADX using scp. The first four commands enable SSH (which needs a host key) and SCP on the ADX.
NOTE
Any intermediate certificates should be appended after the public (identity) certificate in the same file before it is transferred to the ADX.
ip dns domain-name [domain name]
crypto key generate dsa
ip ssh
ip ssh scp enable
scp file.key <username>@[adx ip address]:sslkeypair:filename.key:<password>:pem
scp file.cert <username>@[adx ip address]:sslcert:filename.cert:pem
NOTE
The key password is passed on the scp command line, so it ends up in the local shell history and is visible to other users in the process list while the copy runs. Clear the history entry afterwards or run the copy from a host you control.
SSL (Termination)
In order to terminate SSL on a virtual server an SSL profile is created and assigned to the relevant virtual server.
ssl profile <profile name>
keypair-file <private-key>.key
certificate-file <cert-file>.cer
cipher-suite rsa-with-aes-256-sha
cipher-suite rsa-with-aes-128-sha
cipher-suite rsa-with-3des-ede-cbc-sha
cipher-suite rsa-with-3des-ede-cbc-md5
disable ssl2 ssl3 // available from 12.4s onward
session-cache server
enable-certificate-chaining
server virtual VIP_88.88.88.88 192.168.88.88
port ssl
port ssl ssl-terminate <profile name>
bind ssl rs1 http rs2 http
NOTE
The SSL profile in this example is configured to accept only the listed cipher suites, which removes the weaker suites the ADX would otherwise offer. Should you want to allow every suite the code train supports, the command cipher-suite all-cipher-suites is used instead, but this re-enables the weak suites and should be avoided. Bear in mind that the list above is itself dated: the two 3DES suites (64-bit block size, Sweet32) and the MD5-based suite are now considered weak and should be dropped, and all four suites use static RSA key exchange, so none of them provides forward secrecy.
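An added example, not code from the original page or from Brocade: a script that audits a profile written in the CLI syntax above and flags the settings a current baseline rejects, plus a probe that confirms which protocol versions the VIP still accepts. The profile text, profile name and file names are constructed; the probe assumes the VIP is reachable and that the local OpenSSL build still offers the legacy versions being tested (SSLv3 is best checked with openssl s_client -ssl3, since modern builds cannot speak it at all).

```python
"""Audit an ADX SSL profile for weak settings, then confirm on the wire (added example)."""
import socket
import ssl
import sys

# Constructed sample: the termination profile from the section above.
SAMPLE_PROFILE = """\
ssl profile example-termination
 keypair-file example.key
 certificate-file example.cer
 cipher-suite rsa-with-aes-256-sha
 cipher-suite rsa-with-aes-128-sha
 cipher-suite rsa-with-3des-ede-cbc-sha
 cipher-suite rsa-with-3des-ede-cbc-md5
 disable ssl2 ssl3 // 12.4s+
 session-cache server
 enable-certificate-chaining
"""

# Tokens of an ADX cipher-suite name that mark it as weak by today's standards.
WEAK_TOKENS = {
    "3des": "64-bit block cipher, exposed to Sweet32",
    "des": "single DES, 56-bit key",
    "rc4": "RC4 keystream biases",
    "md5": "MD5-based MAC",
    "export": "export-grade key size",
    "null": "no encryption",
}


def audit_profile(profile_text):
    """Return [(setting, reason)] for every weak setting found in one profile."""
    suites, disabled = [], set()
    for raw in profile_text.splitlines():
        line = raw.split("//", 1)[0].strip()      # drop trailing CLI comments
        words = line.split()
        if not words:
            continue
        if words[0] == "cipher-suite":
            suites.extend(words[1:])
        elif words[0] == "disable":
            disabled.update(words[1:])

    findings = []
    for proto in ("ssl2", "ssl3"):
        if proto not in disabled:
            findings.append((proto, "still enabled; add 'disable ssl2 ssl3'"))

    explicit = []
    for suite in suites:
        if suite == "all-cipher-suites":
            findings.append((suite, "enables every suite the code train supports, weak ones included"))
            continue
        explicit.append(suite)
        reasons = [WEAK_TOKENS[t] for t in suite.split("-") if t in WEAK_TOKENS]
        if reasons:
            findings.append((suite, "; ".join(reasons)))

    # The ADX names suites after the key exchange; 'rsa-with-...' is static RSA.
    if explicit and not any(t in ("ecdhe", "dhe") for s in explicit for t in s.split("-")):
        findings.append(("cipher-suite", "only static-RSA key exchange, so no forward secrecy"))
    return findings


def probe_vip(host, port=443, version=ssl.TLSVersion.TLSv1_2):
    """Handshake with exactly one protocol version; return the negotiated
    (cipher, protocol, bits) tuple, or None if the ADX refused it."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE              # probing, not trusting
        ctx.minimum_version = ctx.maximum_version = version
        ctx.set_ciphers("ALL:@SECLEVEL=0")            # offer legacy suites too
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()
    except (OSError, ValueError):                    # refused, unreachable, or version not built in
        return None


if __name__ == "__main__":
    for setting, reason in audit_profile(SAMPLE_PROFILE):
        print(f"{setting}: {reason}")
    if len(sys.argv) > 1:                            # python audit.py <vip address>
        for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
            print(v.name, probe_vip(sys.argv[1], version=v))
```

Run against the page's own profile the audit reports the two 3DES suites and the lack of forward secrecy; a profile that relies on cipher-suite all-cipher-suites without a disable line is reported for SSLv2, SSLv3 and the catch-all suite list. After removing the 3DES lines from the profile, the probe shows whether the VIP still negotiates TLS 1.0 or 1.1, which the profile syntax above gives no way to turn off.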
SSL Proxy
To decrypt and then re-encrypt SSL sessions on the ADX two profiles are needed: a client-side profile (the same as the one created for standard SSL termination) and a server-side profile that contains just the root CA certificate used to validate the backend servers' certificates. Both profiles are then assigned to the VIP.
ssl profile sslclient-examplecom
keypair-file <private-key>.key
certificate-file <cert-file>.cer
cipher-suite all-cipher-suites
enable-certificate-chaining
session-cache off
ssl profile sslserver-examplecom
ca-cert-file <cert-file>.cer
session-cache off
server virtual VIP_88.88.88.88 192.168.8.88
port ssl sticky
port ssl ssl-proxy sslclient-examplecom sslserver-examplecom
bind ssl rs1 ssl rs2 ssl
NOTE
If the backend server includes the root CA certificate in the chain it returns, the ADX will fail to trust the issuer and the SSL session will fail. To resolve this, ensure that the server returns only its identity certificate and any intermediate certificates; the root belongs in the server-side profile's ca-cert-file, not in the chain sent by the server.
Renegotiation
The Brocade ADX does not support renegotiation. However, some clients abort the handshake if the server ignores the renegotiation_info extension (RFC 5746), so the ADX answers with an empty renegotiation_info extension to ensure maximum compatibility. This behaviour is enabled by default via the command server ssl respond-with-renegotiation-info. It can be confirmed from a client with openssl s_client -connect <vip>:443, which reports "Secure Renegotiation IS supported" when the extension is returned.
SSL/TLS Versions
Below are the SSL/TLS protocol versions and the code train in which each was first implemented:
Protocol Version | Implemented
TLS1.1 | 12.4t
TLS1.2 | 12.5.02e
Details of the protocol versions supported by the ADX health checks can be found here.
NOTE This section is currently work in progress.
Troubleshooting
A great tool for troubleshooting SSL certificate issues is the command show ssl authentication-stats.
<user>@<hostname># rcon virtual
<user>@<hostname># show ssl authentication-stats
SSL certificate verification counters:
Success : 10 Failure : 43
Unknown user : 0 Signature failed : 0
Certificate expired : 0 Certificate revoked : 0
Cert not yet valid : 0 Cert signature failed : 0
Issuer pubkey decode fail : 0 Self signed cert : 0
Issuer cert not found : 43 Subject Issuer mismatch : 0
Certificate untrusted : 0 Cert chain too long : 0
Cert not sent by peer : 0
CRL counters:
CRL load failed : 0 CRL signature failed : 0
CRL not found : 0 CRL not yet valid : 0
CRL expired : 0
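The following added script (not from the page or from Brocade) parses that output into counters and prints a hint for every failure counter that is non-zero, so a pasted or piped show ssl authentication-stats dump points straight at the profile to fix. SAMPLE is the output shown above; the hints are this editor's reading of each counter, not text from the ADX documentation.

```python
"""Turn 'show ssl authentication-stats' into a list of likely fixes (added example)."""
import re
import sys

# The output shown above, re-typed so the script runs offline.
SAMPLE = """\
SSL certificate verification counters:
Success : 10 Failure : 43
Unknown user : 0 Signature failed : 0
Certificate expired : 0 Certificate revoked : 0
Cert not yet valid : 0 Cert signature failed : 0
Issuer pubkey decode fail : 0 Self signed cert : 0
Issuer cert not found : 43 Subject Issuer mismatch : 0
Certificate untrusted : 0 Cert chain too long : 0
Cert not sent by peer : 0
CRL counters:
CRL load failed : 0 CRL signature failed : 0
CRL not found : 0 CRL not yet valid : 0
CRL expired : 0
"""

# Each line carries one or two "<name> : <count>" pairs; section headers have no count.
PAIR = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)")

TOTALS = {"Success", "Failure"}       # rollups, not individual causes

# Editor's reading of each counter (assumption, not Brocade documentation).
HINTS = {
    "Issuer cert not found": (
        "the ca-cert-file in the server-side profile does not contain the "
        "certificate that issued the backend's certificate, or the backend is "
        "sending its root; load the issuing CA and have the backend send only "
        "identity plus intermediates"),
    "Certificate expired": "renew the backend certificate",
    "Cert not yet valid": "check the ADX clock against the certificate's notBefore",
    "Self signed cert": "the backend presents a self-signed certificate the profile does not trust",
    "Cert not sent by peer": "the backend returned no certificate; confirm the bound port really speaks SSL",
    "Signature failed": "the certificate's signature does not verify against its issuer's key",
    "Certificate revoked": "the backend certificate appears on the loaded CRL",
}


def parse_auth_stats(text):
    """Return {counter name: value} for every counter in the output."""
    counters = {}
    for line in text.splitlines():
        for name, value in PAIR.findall(line):
            counters[name.strip()] = int(value)
    return counters


def diagnose(counters):
    """Return [(counter, count, hint)] for every non-zero failure counter."""
    return [
        (name, count, HINTS.get(name, "no hint recorded for this counter"))
        for name, count in counters.items()
        if count and name not in TOTALS
    ]


if __name__ == "__main__":
    # Usage: python authstats.py < dump.txt   (falls back to SAMPLE on a terminal)
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    counters = parse_auth_stats(text)
    print(f"success={counters.get('Success', 0)} failure={counters.get('Failure', 0)}")
    for counter, count, hint in diagnose(counters):
        print(f"{counter} = {count}: {hint}")
```

For the output above the only non-zero cause is Issuer cert not found, which matches the note in the SSL Proxy section: the ADX could not build a path from the backend's certificate to the CA in the server-side profile.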
Show / Clear Commands
- show ssl key *
- show ssl cert *
- ssl clear cert xxx.cert (removes a certificate file from the ADX)
- ssl clear key xxx.key (removes a key file from the ADX)