Alteon SSL Accelerator 4.1.2 User's Guide and Command Reference

User’s Guide and Command Reference

Alteon SSL AcceleratorTM 4.1.2 Secure Sockets Layer Offload Device Part Number: 212939-F, November 2003

4655 Great America Parkway Santa Clara, CA 95054 Phone 1-800-4Nortel www.nortelnetworks.com Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Copyright 2003 Nortel Networks, Inc., 4655 Great America Parkway, Santa Clara, California 95054, USA. All rights reserved. Part Number: 212939-F. This document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of Nortel Networks, Inc. Documentation is provided “as is” without warranty of any kind, either express or implied, including any kind of implied or express warranty of non- infringement or the implied warranties of merchantability or fitness for a particular purpose. U.S. Government End Users: This document is provided with a “commercial item” as defined by FAR 2.101 (Oct 1995) and contains “commercial technical data” and “commercial software documentation” as those terms are used in FAR 12.211-12.212 (Oct 1995). Government End Users are authorized to use this documentation only in accordance with those rights and restrictions set forth herein, consistent with FAR 12.211- 12.212 (Oct 1995), DFARS 227.7202 (JUN 1995) and DFARS 252.227-7015 (Nov 1995). Nortel Networks, Inc. reserves the right to change any products described herein at any time, and without notice. Nortel Networks, Inc. assumes no responsibility or liability arising from the use of products described herein, except as expressly agreed to in writing by Nortel Networks, Inc. The use and purchase of this product does not convey a license under any patent rights, trademark rights, or any other intellectual property rights of Nortel Networks, Inc. CryptoSwift® HSM is a registered trademark of Rainbow Technologies, Inc. Portions of this manual are Copyright 2001 Rainbow Technologies, Inc. All rights reserved. Export This product, software and related technology is subject to U.S. export control and may be subject to export or import regulations in other countries. Purchaser must strictly comply with all such laws and regulations. A license to export or reexport may be required by the U.S. Department of Commerce. Licensing This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudson ([email protected]). This product includes software developed by the Apache Software Foundation (http://www.apache.org/).

See Appendix D, “License Information,” for more information.

2 212939-F, November 2003

Contents

Preface 13 Who Should Use This Book 13 Related Documentation 13 How This Book Is Organized 14 New Product Names 15 Typographic Conventions 16 How to Get Help 17

Part 1: User’s Guide

Chapter 1: Introducing the ASA 21 Features 22 Performance 22 Scalability and Redundancy 22 Certificate and Key Management 22 Advanced Processing 23 Load Balancing of Secure SSL Sessions 23 Networking 23 Statistics Viewing 24 Logging Capabilities 24 Management 24 Supported Standards 24 Compatibility 24 SSL VPN 25 New Software Features 26 SSL Acceleration 26 SSL VPN 26

3 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Chapter 2: Introducing the ASA 310-FIPS 27 HSM Overview 27 Extended Mode vs. FIPS Mode 28 FIPS 140-1 Level 3 Security 29 The Concept of iKey Authentication 29 Types of iKeys 29 Wrap Keys for ASA 310-FIPS Clusters 30 Available Operations and iKeys Required 31 Additional HSM Information 32

Chapter 3: Initial Setup 33 Clusters 33 Ports and Interfaces within a Cluster 34 Configuration at Boot Up 35 Installing and Adding ASAs 36 Installing an ASA in a New Cluster 36 Adding an ASA to an Existing Cluster 39 Installing and Adding an ASA 310-FIPS 42 Installing an ASA 310-FIPS in a New Cluster 43 Adding an ASA 310-FIPS to an Existing Cluster 49 Reinstalling the Software 56

Chapter 4: Upgrading the ASA Software 59 Performing Minor/Major Release Upgrades 60 Activating the Software Upgrade Package 61 Upgrading a Mixed ASA Cluster 63

Chapter 5: Managing Users and Groups 65 User Rights and Group Membership 65 Adding a New User 66 Changing a User’s Group Assignment 70 Changing a User’s Password 71 Changing Your Own Password 71 Changing Another User’s Password 72 Deleting a User 73

4 Contents 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Chapter 6: Managing Certificates and Client Authentication 75 Generating and Submitting a CSR Using the CLI 76 Adding Certificates to the ASA 81 Using a Copy-and-Paste Operation to Add Certificates 82 Using a Copy-and-Paste Operation to Add a Private Key 84 Using TFTP or FTP to Add Certificates and Keys 86 Update Existing Certificate 88 Create a New Certificate 88 Configuring a Virtual SSL Server for Client Authentication 89 Generating Client Certificates on the ASA 91 Managing Revocation of Client Certificates 95 Revoking Client Certificates Issued by an External CA 96 Revoking Client Certificates Issued within your Own Organization 97 Creating Your Own Certificate Revocation List 98

Chapter 7: Using the Quick Server Setup Wizard 101 Create an HTTP Server 101 Create a Socks server 106 Create a Portal Server 108

Chapter 8: The Command Line Interface 111 Connecting to the ASA 112 Establishing a Console Connection 112 Establishing a Telnet Connection 113 Establishing a Connection Using SSH (Secure Shell) 114 Accessing the ASA 116 CLI vs. Setup 117 Command Line History and Editing 118 Idle Timeout 118

Contents 5 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Chapter 9: Troubleshooting the ASA 119 Cannot Connect to ASA via Telnet or SSH 120 Verify the Current Configuration 120 Enable Telnet or SSH Access 120 Check the Access List 120 Check the IP Address Configuration 121 Cannot Add an ASA to a Cluster 122 Cannot Contact the MIP 123 Check the Access List 123 Add Interface 1 IP Addresses and MIP to Access List 123 The ASA Stops Responding 124 Telnet or SSH Connection to the Management IP Address 124 Console Connection 124 A User Password is Lost 125 Administrator User Password 125 Operator User Password 125 Boot User Password 125 An ASA HSM Stops Processing Traffic 126 Resetting HSM Cards on the ASA 310-FIPS 128 An ASA 310-FIPS Cluster Must be Reconstructed onto New Devices 131 System Diagnostics 135 Installed Certificates and Virtual SSL Servers 135 Network Diagnostics 135 Active Alarms and the Events Log File 137 Error Log Files 137

Part 2: Command Reference

6 Contents 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Chapter 10: ASA Command Reference 141 Menu Basics 141 Global Commands 142 Command Line History and Editing 144 Command Line Interface Shortcuts 146 Command Stacking 146 Command Abbreviation 146 Tab Completion 146 Using Submenu Name as Command Argument 147 Using Slashes (/) and Spaces in Commands 148 The Main Menu 149 Menu Summary 149 Information Menu 150 Events Menu 154 HSM Command 155 iSD List Command 155 Information Local Command 155 Information Ethernet Command 155 Statistics Menu 156 Cluster Wide SSL Statistics Server Menu 158 Local Statistics Menu 161 Single iSD Statistics Menu 163 Single ISD Statistics for Virtual SSL Server Menu 165 Single iSD Host SSL Server Healthcheck Command 170 Single iSD Host SSL Server Poolstatus Command 170 AAA Statistics Menu 171 Configuration Menu 172 Viewing, Applying and Removing Changes 174

Contents 7 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

SSL Configuration Menu 175 DNS Client Settings Configuration 177 Certificate Management Configuration 179 Certificate Revocation Configuration 185 Automatic CRL Menu 187 SSL Server Management Configuration 190 Network Traffic Dump Commands 194 SSL Settings Configuration 196 SSL Server TCP Settings Configuration 199 SSL Server HTTP Settings Configuration 201 SSL Server HTTP Rewrite Configuration 207 SSL Server WWW Authentication Settings Configuration 208 SSL Server DNS Settings Configuration 210 Socks Settings Configuration 211 HTTP Proxy Settings Configuration 214 Portal Settings Configuration 217 Advanced Settings Menu 220 Load Balancing Strings Configuration 222 Connection Pooling Configuration 225 Traffic Syslog Configuration 226 Standalone Menu 228 IP List Menu 230 Load Balancing Settings 232 Cookie Settings Configuration 236 Health Check Script Configuration 240 Remote SSL Connect Configuration 243 Remote SSL Connect Verify Configuration 245 Backend Server Configuration 246 SSL Connect Configuration 249 SSL Connect Verify Configuration 251

8 Contents 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Xnet Menu 252 Xnet Domain Configuration 253 SSL VPN Portal Configuration 256 Portal Colors Configuration 258 Authentication Configuration 259 RADIUS Configuration 261 Radius Servers Menu 263 LDAP Configuration 264 LDAP Servers Menu 266 NTLM Configuration 268 NTLM Servers Menu 269 Local Database Configuration 270 Advanced Settings Configuration 273 Network Access Configuration 274 Subnet Access Configuration 275 Service Access Configuration 276 Application Specific Menu 278 Client Filter Configuration 280 Group Configuration 282 Access Rule Configuration 285 Link Configuration 287 Port Forwarder Link Configuration 292 Extended Profile Configuration 295 RADIUS Accounting Configuration 297 RADIUS Accounting Servers Configuration 298

Contents 9 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

System Configuration 299 Cluster Wide Routes Configuration 300 Date and Time Configuration 301 NTP Servers Configuration 302 DNS Servers Configuration 303 Syslog Servers Configuration 304 Cluster Management Configuration 305 iSD Host Configuration 306 Host Routes Configuration 310 Interface Configuration 311 Interface Ports Configuration 313 Host Ethernet Port Configuration 314 System Access Configuration 315 Administrative Applications Configuration 316 SNMP Management Configuration 318 SNMPv2-MIB Configuration 319 SNMP Community Configuration 320 SNMP Notification Target Configuration 321 Audit Configuration 322 RADIUS Audit Server Configuration 324 Browser-Based Management Configuration 325 Browser-Based Management Configuration with SSL 326 User Access Configuration 327 Edit User Menu 329 User Access Groups Menu 330 Current System Configuration 331 Boot Menu 332 Software Management Menu 334 Current Software Status Command 336 Maintenance Menu 337 Hardware Security Module Menu 339

Part 3: Appendices

Appendix A: Supported Ciphers 343 Cipher List Formats 345 Modifying a Cipher List 345 Supported Cipher Strings and Meanings 347

10 Contents 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Appendix B: The ASA SNMP Agent 349 Supported MIBs 350 The SNMPv2 MIB 350 The Alteon iSD Platform MIB 350 The Alteon iSD-SSL MIB 351 Supported Traps 351

Appendix C: Syslog Messages 353 List of Syslog Messages 353

Appendix D: License Information 357

Appendix E: HSM Security Policy 363

Appendix F: Definition of Key Codes 381 Syntax Description 381 Allowed Special Characters 382 Redefinable Keys 383 Example of a Key Code Definition File 384

Glossary 385

Index 393

Contents 11 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

12 Contents 212939-F, November 2003 Preface

This User’s Guide and Command Reference describes how to configure and use the Nortel Networks Alteon SSL Accelerator (ASA) with SSL offload and VPN software.

Who Should Use This Book

This User’s Guide and Command Reference is intended for network installers and system administrators engaged in configuring and maintaining a network. It assumes that you are familiar with Ethernet concepts and IP addressing.

Related Documentation

For full documentation on installing and using the Alteon SSL Accelerator’s many features, see the following manuals:

Alteon SSL Accelerator 4.1.2 Application Guide (part number 212940-F November 2003) Provides examples on how to configure the ASA with SSL offload and VPN software. Alteon SSL Accelerator Hardware Installation Guide (part number 212941-B, August 2002) Describes installation of the ASA 310, ASA 310 FIPS, and ASA 410 hardware models. Alteon SSL Accelerator BBI Quick Guide (part number 215310-B, November 2003) Describes configuration via the Browser-Based Interface. Alteon SSL Accelerator 4.1.2 Release Notes (part number 212942-F, November 2003) Lists new features available in version 4.1.2 and provides up-to-date product information.

13 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

How This Book Is Organized

The chapters in this book are organized as follows:

Part 1: User’s Guide Chapter 1, “Introducing the ASA” provides an overview of the major features of the Alteon SSL Accelerator, including its physical layout and the basic concepts of its operation.

Chapter 2, “Introducing the ASA 310-FIPS” provides information about the ASA 310 equipped with HSM cards, as well as information about the available security modes and the concept of iKey authentication.

Chapter 3, “Initial Setup” describes how to install the ASA in a new cluster, and how to add an ASA to an existing cluster. The chapter also provides information about the concept of ASA clusters, as well as the usage and configuration of ports and networks within a cluster. A section describing how to reinstall the software is also included.

Chapter 4, “Upgrading the ASA Software” describes how to upgrade the ASA software for a minor release upgrade, and a major release upgrade.

Chapter 5, “Managing Users and Groups” describes the management of users, groups, and passwords. The chapter also explains how the Administrator user role can be fully separated from the Certificate Administrator user role.

Chapter 6, “Managing Certificates and Client Authentication” describes how to generate and prepare keys and certificates for use with the ASA.

Chapter 7, “Using the Quick Server Setup Wizard” describes how to use the Quick Server Setup wizard.

Chapter 8, “The Command Line Interface” describes how to connect to the ASA and access the information and configuration menus.

Chapter 9, “Troubleshooting the ASA” provides suggestions for troubleshooting basic problems. Information about performing system diagnostics on the ASA is also included, as well as a few operations related to the ASA 310-FIPS model.

14 Preface 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Part 2: Command Reference Chapter 10, “ASA Command Reference” provides an overview of the ASA menu system and details of all menus and options.

Part 3: Appendices Appendix A, “Supported Ciphers” provides a list of ciphers supported in this product.

Appendix B, “The ASA SNMP Agent” provides information about the SNMP agent on the ASA, and which MIBs (Management Information Bases) are supported.

Appendix C, “Syslog Messages”, contains a list of all syslog messages that can be sent to a syslog server that is added to the ASA system configuration.

Appendix D, “License Information” provides licensing information for the software used in this product.

Appendix E, “HSM Security Policy” provides detailed information on the security policy of the HSM card that comes installed in the ASA 310-FIPS.

“Glossary” includes definitions of terminology used throughout this document.

New Product Names

All references to the old product name – iSD-SSL or iSD – in commands or screen outputs should be interpreted as Alteon SSL Accelerator, or ASA in short.

All references to Xnet (e.g. Xnet domain) apply to the SSL VPN feature. All references to Alteon Application Switch should be interpreted as applying to both Alteon Application Switch and Alteon Web Switch.

Preface 15 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Typographic Conventions

The following table describes the typographic styles used in this book.

Table 1 Typographic Conventions

Typeface or Meaning Example Symbol

AaBbCc123 This type is used for names of commands, View the readme.txt file. files, and directories used within the text.

It also depicts on-screen computer output and Main# prompts.

AaBbCc123 This bold type appears in command exam- Main# sys ples. It shows text that must be typed in exactly as shown.

This italicized type appears in command To establish a Telnet session, enter: examples as a parameter placeholder. Replace host# telnet the indicated text with the appropriate real name or value when using the command. Do not type the brackets.

This also shows book titles, special terms, or Read your User’s Guide thoroughly. words to be emphasized.

[ ] Command items shown inside brackets are host# ls [-a] optional and can be used or excluded as the situation demands. Do not type the brackets.

16 Preface 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

How to Get Help

If you purchased a service contract for your Nortel Networks product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance.

If you purchased a Nortel Networks service program, contact one of the following Nortel Net- works Technical Solutions Centers:

Technical Solutions Center Telephone

Europe, Middle East, and Africa 00800 8008 9009 or +44 (0) 870 907 9009

North America (800) 4NORTEL or (800) 466-7835

Asia Pacific (61) (2) 8870-8800

China (800) 810-5000

Additional information about the Nortel Networks Technical Solutions Centers is available at the following URL:

http://www.nortelnetworks.com/help/contact/global An Express Routing Code (ERC) is available for many Nortel Networks products and services. When you use an ERC, your call is routed to a technical support person who specializes in supporting that product or service. To locate an ERC for your product or service, refer to the following URL:

http://www.nortelnetworks.com/help/contact/erc/index.html

Preface 17 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

18 Preface 212939-F, November 2003

Part 1: User’s Guide

This section introduces the Alteon SSL Accelerator and provides information on how to perform initial setup, software upgrades, and common tasks involving certificates and client authentication. Troubleshooting information, as well as information about how to access the command line interface, is also included.

For instructions relating to the Alteon SSL VPN feature included in version 4.1.2, read Part 2 of the Application Guide. Software commands are however listed together with the rest of the ASA commands in Chapter 10, “ASA Command Reference.”

This User’s Guide section contains the following topics:

Chapter 1, “Introducing the ASA Chapter 2, “Introducing the ASA 310-FIPS Chapter 3, “Initial Setup Chapter 4, “Upgrading the ASA Software Chapter 5, “Managing Users and Groups Chapter 6, “Managing Certificates and Client Authentication Chapter 7, “Using the Quick Server Setup Wizard Chapter 8, “The Command Line Interface Chapter 9, “Troubleshooting the ASA

212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

20 Part 1: User’s Guide 212939-F, November 2003

CHAPTER 1 Introducing the ASA

The Alteon SSL Accelerator (ASA) is a peripheral Secure Socket Layer (SSL) offload platform that attaches to an Alteon Application Switch or a comparable switch from another vendor. The ASA performs a TCP three-way handshake with the client through the Alteon Application Switch and performs all the SSL encryption and decryption for the session. Com- bined with the load balancing features of the Alteon Application Switch, the ASA offloads SSL encryption/decryption functions from back-end servers.

For more information on the basic operations of the ASA, see the “Public Key Infrastructure and SSL” chapter in the Application Guide.

Added on to the SSL acceleration features, the SSL VPN feature supports remote access to intranet resources (such as applications, mail, files, intranet web pages) via a secure connection.

For more information on the SSL VPN feature see Part 2 of the Application Guide.

The ASA is delivered on following hardware platforms.

ASA 310 ASA 410 VPN 3050 For detailed technical specification of the hardware platforms, see the “Specifications” appendix in the Alteon SSL Accelerator Hardware Installation Guide and the Alteon VPN 3050 Hardware Installation Guide.

The ASA is also available with a FIPS-compliant Hardware Security Module (HSM):

ASA 310-FIPS For more information about ASA 310-FIPS, see “Introducing the ASA 310-FIPS” on page 27.

21 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Features

Performance Accelerates SSL processing—offloads SSL encryption and decryption from the back end server. Depending on your model, supports from 600 to 2000 SSL transactions per second for each ASA device.

Scalability and Redundancy Provides dynamic scalability—up to 256 ASAs can be added to each cluster. Supports 256 virtual SSL servers. Provides dynamic plug and play—ASAs can be added to or removed from a cluster dynamically without disrupting network traffic. Provides a single system image (SSI)—all ASAs in a given cluster are configured as a single system. Ability to create multiple clusters of ASAs, each capable of serving its own group of real servers. High level of redundancy in the master/slave cluster design; even if three master ASAs in a cluster would fail, additional slave ASAs will still be operational and can accept configuration changes.

Certificate and Key Management Supports certificate and key management—private keys generated in Apache, OpenSSL, Stronghold, WebLogic, and Microsoft IIS 4.0 can be imported. Supports client authentication, generation of client certificates, revocation of client certificates, and automatic retrieval of CRLs. Supports validation of private keys and certificates via the command line interface. Supports generation of certificate signing requests (CSR) via the command line interface. Supports creation of test certificates (self-signed) via the command line interface, for instant testing of SSL features. Supports automatic retrieval of Certificate Revocation Lists (CRL) via HTTP, TFTP, or LDAP (version 3). Support for PKCS7 certificates, where the user is prompted to select a certificate when the certificate file contains multiple certificates.

22 Chapter 1: Introducing the ASA 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Support for adding an X-Client-Cert multiline HTTP header to a client request. Using this feature will make the ASA insert the entire client certificate (in PEM format) as a multiline HTTP header. The backend Web servers can then perform additional user authentication, based on the information in the client certificate. The backend servers can also make use of any auxiliary fields in the client certificate.

Advanced Processing Supports rewriting of client requests—customized error messages can be sent to the client’s Web browser if the browser is unable to perform the required cipher strength. With- out this feature, the client request would simply be rejected during the SSL handshake. Ability to transmit extra SSL information to the backend servers, such as the negotiated cipher suit and client certificate information (in case client certificates were required by the virtual SSL server). The information is conveyed by configuring the virtual SSL server to add an extra SSL header to the client’s request.

Load Balancing of Secure SSL Sessions Supports end to end encryption, in which traffic between the ASA(s) and backend servers can also be encrypted. Benefits of SSL acceleration are maintained, with minimal performance degradation. Supports load balancing of encrypted and unencrypted traffic for up to 256 backend servers, with health checking and persistent client connections.

Networking Supports creating multiple interfaces within a cluster, to separate client traffic and management traffic for example. Support for clustering over multiple subnets. Supports assigning two physical network ports to one interface, in order to create a port failover (high availability) solution where one ASA is attached to two Alteon Application Switches. Support for configuring the sizes of TCP send and receive buffers. Supports Ethernet autonegotiation. In network environments where autonegotiation is not used, the Ethernet autonegotiation feature can be disabled. Instead, a fixed speed of 10, 100, or 1000 Mbit per second can then be specified for each particular port on each ASA host in the cluster. Supports pooling and reuse of previously used backend connections.

Chapter 1: Introducing the ASA 23 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Supports addition of a Front-End-HTTPS header to a client request. When using Outlook Web Access (OWA) for Microsoft Exchange in combination with the ASA, the virtual SSL server can be configured to add this extra header. The Front-End-HTTPS header enables the receiving OWA server to transform embedded HTTP URLs in a correct manner.

Statistics Viewing Supports histograms to measure transactions per second (TPS) and throughput. Statistics can be viewed for individual or multiple ASAs in a cluster. Ability to show statistics for the local Ethernet NICs.

Logging Capabilities Support for traffic logging via UDP syslog messages. UDP syslog messages for all HTTP requests handled by an SSL server can be sent to a configured syslog server. This feature can be used as an alternative to performing traffic logging on the backend Web servers in environments where traffic logging must be performed on the SSL terminating device itself due to laws or regulations. Support for RADIUS accounting and auditing.

Management Configuration via built-in command line interface, accessible via both Telnet, Secure Shell and the Serial port. Ability to control remote access via Telnet and Secure Shell down to specific machines. Configuration via Web User Interface

Supported Standards Supports SSL version 2.0 and 3.0, plus TLS version 1.0. Supports SMTPS, POP3S, and IMAPS in addition to the standard HTTPS. Supports SNMP version 1 and SNMP version 2c.

Compatibility Compatible with all Alteon Application Switches, Alteon Web Switches and comparable switches from other vendors.

24 Chapter 1: Introducing the ASA 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

SSL VPN The SSL VPN feature supports remote access to intranet resources (such as applications, mail, files, intranet web pages) via a secure connection. The underlying protocol used for these sessions is SSL.

With the SSL VPN feature activated, mobile workers, telecommuters and partners can access information and/or applications on the intranet. What information should be accessible to the user after login is determined by access rules (ACLs).

The intranet’s resources can be accessed in two ways:

From any computer connected to the Internet (browser-based mode). The user connects to the VPN portal via the web browser. When authorized, available services/resources on the intranet are displayed on a portal web page provided by the ASA. From a computer with the SSL VPN client software installed (transparent mode). The user starts the desired application, e.g. his or her mail client. If the destination matches a domain name or IP address defined in the SSL VPN client, the request is redirected to the ASA for authorization. When authorized, the user’s request is passed on to the original destination, e.g. the intranet mail server. The SSL VPN feature is added on to the SSL accelerator features, which makes it possible to use the product for normal SSL acceleration duty as well.

For configuration examples, see Part Two of the Application Guide.

Chapter 1: Introducing the ASA 25 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

New Software Features

SSL Acceleration Support for SSL Acceleration of Web sites containing absolute links. See page 217.

SSL VPN Native Outlook support. Enables full access to an intranet Microsoft Exchange server through a secure connection. Available on the SSL VPN Portal’s Advanced tab and as a group link. See page 292. New command for configuring a group for users whose NTLM password has expired. By defining a group link for the password expiry group, users can automatically be directed to a single site where the password can be changed. See page 268. New command for enabling secure SSL transfer (LDAPS) of requests sent between the ASA and the LDAP server. See page 264. Support for retrieving group information from another authentication scheme (Local database or LDAP) besides the one used for authentication. See page 273. New command for hiding the Nortel logo bottom left on the SSL VPN Portal. See page 256. Support for persistent cookies for the Portal login session. See page 217. Support for proxy chaining via an intranet HTTP Proxy server. Available for the features on the SSL VPN Portal’s Advanced tab and for the corresponding group links, i.e. Termi- nal, Proxy and Forwarder. See page 287. Support for auto configuration/clearing of browser settings removed for the HTTP Proxy feature on the SSL VPN Portal’s Advanced tab as well as for the Proxy group link. Various enhancements/fixes described in the Release Notes.

26 Chapter 1: Introducing the ASA 212939-F, November 2003

CHAPTER 2 Introducing the ASA 310-FIPS

This section provides information about the ASA 310-FIPS model, which comes installed with the HSM (Hardware Security Module) card. The HSM card complies with all the security requirements specified by the Federal Information Processing Standard (FIPS) 140-1, Level 3 standards. Each ASA 310-FIPS device is equipped with two identical HSM cards.

NOTE – When using the ASA 310-FIPS device in a cluster, remember that all Alteon SSL Accelerator devices in the cluster must be of the ASA 310-FIPS model.

HSM Overview

The HSM card found on the ASA 310-FIPS model is an SSL accelerator, just like the ordinary CryptoSwift card found on the regular models of both the ASA 310 and the ASA 410. In addition to cryptographic acceleration, the HSM card brings extra security to sensitive operations and is designed to withstand physical tampering.

The HSM card provides a secure storage area for cryptographic key information. The storage area is secured by a constantly monitored tamper detection circuit. If tampering is detected, the battery backup power to memory circuits on the card is removed. Critical security parameters, such as private keys that are contained in the storage area, will then be destroyed and rendered useless to the intruder. Any sensitive information that is transferred between two HSM cards within the same ASA 310-FIPS, or between any number of HSM cards within a cluster of ASA 310-FIPS devices, is encrypted using a shared secret stored (also known as a wrap key) on the HSM card.

27 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Some user operations require a two-phase authentication, which involves using both hardware tokens (called iKeys) and an associated password to provide an extra layer of security. For example, if the ASA 310-FIPS is power cycled (as in the case of theft), no SSL traffic is processed until the operator logs in to the HSM card using both an iKey and the correct password. All cryptographic requests, such as generating private keys or performing encryption, are automatically routed to the HSM card by the ASA application and performed on the HSM card only.

Extended Mode vs. FIPS Mode

When installing the very first ASA 310-FIPS into a new cluster, you can choose to initialize the HSM cards in either Extended mode or FIPS mode. Extended mode is the default selection, and is appropriate whenever your security policy does not explicitly require that you conform to the FIPS 140-1, Level 3 standard (see below for more information).

The main difference between Extended mode and FIPS mode involves how private keys are handled. For both modes, all private keys are stored encrypted in the database on the ASA 310 FIPS. When the HSM card is initialized in Extended mode, the encrypted private key needed to perform a specific operation is transferred to the HSM card over the PCI bus. The private key is then decrypted on the HSM card itself, using the wrap key that was generated during the initialization and since stored on the card. The private key is thus never exposed in plain text out- side the HSM card.

When the HSM card is initialized in FIPS mode, the encrypted private key needed to perform a specific operation is read from the database into RAM, together with the wrap key from the HSM card. The private key is then decrypted in RAM, where it remains accessible for subsequent operations.

Also, when the ASA 310-FIPS is initialized in FIPS mode, all private keys must be generated on the ASA 310-FIPS device itself. Importing private keys, or certificate files that contain private keys, is not allowed due to the FIPS security requirements. This means that certain CLI commands that are used for importing certificates and keys via a copy and paste operation, or via TFTP/FTP, cannot be used when the ASA 310-FIPS is initialized in FIPS mode.

28 Chapter 2: Introducing the ASA 310-FIPS 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

FIPS 140-1 Level 3 Security The HSM card contains all of the security requirements specified by the FIPS 140-1, Level 3 standards. FIPS 140-1 is a U.S. government standard for implementations of cryptographic modules, that is, hardware or software that encrypts and decrypts data or performs other cryptographic operations (such as creating or verifying digital signatures).

FIPS 140-1 is binding on U.S. government agencies deploying applications that use cryptography in order to secure sensitive but unclassified (SBU) information, unless those agencies have been specifically exempted from compliance by the relevant U.S. laws refer- enced in the standard.

For more information about the FIPS specification, visit http://csrc.nist.gov/publications/fips/index.html and scroll down to “FIPS 140-1”.

The Concept of iKey Authentication

Access to sensitive data on a ASA 310-FIPS is protected by a combination of hardware tokens (called iKeys), passwords, and encryption procedures.

The iKey is a cryptographic token that is used as part of the authentication process for certain operations involving the HSM cards. Whenever you perform an operation on the ASA 310 FIPS calling for iKey authentication, you are prompted by the Command Line Interface to insert the requested iKey into the USB port on the appropriate HSM card. (When prompted for a particular iKey, a flashing LED always directs you to the correct HSM card.)

Types of iKeys For each HSM card there are two unique iKeys used for identity-based authentication: the HSM-SO iKey, and the HSM-USER iKey. Each of these iKeys define the two user roles available: Security Officer and User. A password must be defined for each user role, and the passwords are directly associated with the corresponding iKey. The ASA 310-FIPS is equipped with two HSM cards, and you therefore need to maintain two pairs of HSM-SO and HSM- USER iKeys with their associated passwords for each single ASA 310-FIPS device.

After a HSM card has been initialized, that card will only accept the HSM-SO and HSM- USER iKeys that were used when initializing that particular card. You cannot create backup copies of the associated HSM-SO iKey and HSM-USER iKey, and a lost HSM-SO or HSM- USER password cannot be retrieved. It is therefore extremely important that you establish rou- tines for how the iKeys are handled.

Chapter 2: Introducing the ASA 310-FIPS 29 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Wrap Keys for ASA 310-FIPS Clusters In addition to the HSM-SO and HSM-USER iKeys specific for each HSM card, one pair of iKeys (the black HSM-CODE iKeys) need also be maintained for each cluster of ASA 310- FIPS units.

NOTE – You are strongly recommended to label two of the black HSM-CODE iKeys “CODE- SO” and “CODE-USER” respectively; these iKeys will be referred to as such both in the documentation and in the Command Line Interface.

During the initialization of the first ASA 310-FIPS in a cluster, a wrap key is automatically generated. The wrap key is a secret shared among all ASA 310-FIPS in the cluster. It encrypts and decrypts sensitive information that is sent over the PCI bus within an ASA 310-FIPS, and over the network among the ASA 310-FIPS devices in the cluster. By inserting the CODE-SO iKey and the CODE-USER iKey in turns when requested by the Setup utility, the wrap key is split onto these two iKeys. When adding an additional ASA 310-FIPS to the cluster, the CODE-SO and the CODE-USER iKeys are used to transfer the wrap key to the HSM cards on ASA device(s) that have been added. Once the wrap key has been transferred, all synchroniza- tion of sensitive information within the cluster takes place transparently to the user.

No passwords are associated with the CODE-SO and CODE-USER iKeys. However, for all operations that involves using the CODE-SO and CODE-USER iKeys, these keys are used in addition to the HSM-SO and HSM-USER iKeys (which in turn require the correct passwords for successful authentication).

CAUTION—If you enter the wrong password for the HSM-USER fifteen (15) times in a row, ! the HSM-USER iKey will be rendered unusable. This is due to the strict security specifications placed on the ASA 310-FIPS.

30 Chapter 2: Introducing the ASA 310-FIPS 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Available Operations and iKeys Required For information about the type of iKeys required to perform a specific operation, see Table 2-1.

Table 2-1 Available Operations and iKeys Required

Type of iKey Required

Operation Performed HSM-SO HSM-USER CODE-SO and CODE-USER

Installing a new ASA 310-FIPS in a new cluster

Adding an ASA 310-FIPS to an existing cluster

Logging in to the HSM card

Splitting the wrap key onto a pair of CODE iKeys

Changing the HSM-SO iKey password Note: To resume normal operations after having changed the HSM-SO iKey password, the HSM-USER iKey is required to re-login to the HSM card.

Changing the HSM-USER iKey password

Chapter 2: Introducing the ASA 310-FIPS 31 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Additional HSM Information

For detailed information about installing a new ASA 310-FIPS in a new cluster or adding an ASA 310-FIPS in an existing cluster, see “Installing and Adding an ASA 310-FIPS” on page 42. For detailed information about how to log in to the HSM card after a reboot, see “An ASA HSM Stops Processing Traffic” on page 126. For information about how to split the wrap key onto a backup set of CODE-SO and CODE-USER iKeys, or how to change an HSM-SO or HSM-USER iKey password, see “Hardware Security Module Menu” on page 339. For information about how to reset the HSM cards, see “Resetting HSM Cards on the ASA 310-FIPS” on page 128. For information about HSM card LED status, see Chapter 1 of the Alteon SSL Accelerator Hardware Installation Guide. For information about the HSM card’s security policy, see Appendix E, “HSM Security Policy. To view the HSM card’s FIPS 140-1 validation certificate, see Appendix B, “FIPS 140-1 Validation Certificate” in the Alteon SSL Accelerator Hardware Installation Guide

32 Chapter 2: Introducing the ASA 310-FIPS 212939-F, November 2003

CHAPTER 3 Initial Setup

This chapter covers the basic setup and initialization process for the Alteon SSL Accelerator (ASA). It introduces the concept of ASA clusters, and provides detailed instructions for reinstalling the ASA software, should it become necessary.

Clusters

All ASAs are members of a cluster. A cluster is a group of ASAs that share the same configuration parameters. There can be more than one ASA cluster in the network, each with its own set of parameters and services to be used with different real servers. Every cluster has a Man- agement IP (MIP) address, which is an IP alias to one of the ASAs in the cluster. The MIP address identifies the cluster and is used when making configuration changes via a Telnet or SSH connection or when configuring the system using the Web User Interface.

Each time you perform an initial setup of an ASA and select new in the Setup menu, you create a new cluster which initially only has one single member. You can add one or more ASAs to any existing cluster by performing an initial setup and select join in the Setup menu.

When using an Alteon Application Switch, all ASAs in a cluster can form a Real Server Group. Traffic intended for the ASA cluster can then be load balanced by the Alteon Applica- tion Switch.

The configuration parameters are stored in a database, which is replicated among the ASAs designated as masters in a cluster. By default, the first four ASAs in a given cluster are set up as masters. Additional ASAs are automatically set up as slaves, which means they depend on a master ASA in the same cluster for proper configuration. However, even if three of the masters fail, the remaining ASA(s) are still operational and can have configuration changes made to them.

The ASA software supports clustering over multiple subnets. If more than one ASA is required and the ASA you wish to join to the cluster is installed in a different subnet, the new ASA must be configured as a slave. Master ASAs cannot exist on different intranet subnets.

33 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Ports and Interfaces within a Cluster

When installing an ASA in a new cluster, or adding an ASA to an existing cluster, you are asked to specify a port number by the Setup utility. The port number you specify refers to a physical port on the network interface card of a particular ASA model.

The ASA 310 or ASA 410 Copper NIC, which is equipped with two integrated Intel PRO/100+ copper port NICs for Ethernet or Fast Ethernet, has two ports numbered 1 and 2 respectively.

The ASA 310 or ASA 410 Fiber NIC, which is equipped with one 3Com Gigabit fiber-optic port NIC for Gigabit Ethernet in addition to the dual integrated Intel PRO/100+ NICs, has three ports. Ports 1 and 2 refer to the integrated ports on the Intel PRO/100+ NIC, whereas port 3 refers to the 3Com Gigabit fiber-optic port NIC.

The Setup utility will automatically detect the number of available ports and display the valid range within square brackets when prompting for a port number. The port number you specify in the Setup utility is initially assigned to Interface 1, which is always present. When adding additional ASAs to the cluster, you need to make sure you specify a port number that is currently used on Interface 1.

NOTE – In order to make use of the 3Com Gigabit fiber-optic port NIC found on the ASA 310 or ASA 410 Fiber NIC model, all devices in the cluster must be of this same model. If your cluster consists of other ASA models besides the ASA 310 or ASA 410 Fiber NIC model, only the dual integrated ports on the Intel PRO/100+ NIC (also) found on the ASA 310 or ASA 410 Fiber NIC model can be used.

After you have installed one or more ASAs in a cluster, you can create a separate interface within the cluster (exclusively used for client traffic, and not for management purposes for example), and assign an unused port to that interface. You can also assign more than one port to one interface, in order to configure a failover solution with the ASA connected to two Alteon Application Switches, should one NIC fail.

For more information on the commands used to create an additional interface, see “Interface Configuration” on page 311.

For more information on assigning ports to a particular interface, see “Interface Ports Configu- ration” on page 313.

34 Chapter 3: Initial Setup 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Configuration at Boot Up

When starting an ASA for the very first time, you need to:

Connect the ASA uplink port to a compatible port on the Alteon Application Switch. Connect a terminal to the console port. For more information, see “Connecting to the ASA” on page 112. Press the power-on button. Wait until you get a login prompt. Log in as user: admin, password: admin

NOTE – If you have the ASA 310-FIPS model, please see the instructions from page page 43 and onwards.

When you log in after having started the ASA the first time, you will automatically enter the setup utility menu (see Figure 3-1). After selecting join or new, you will be prompted for the minimum information required to make the ASA operational.

[Setup Menu] join - Join an existing iSD cluster new - Initialize iSD as a new installation boot - Boot Menu info - Information Menu exit - Exit [global command, always available]

Figure 3-1 The Setup Menu

The amount of information you need to provide will depend on whether you are installing the ASA to join an existing cluster of ASAs, or if you are installing it as a single ASA that is connected to the Alteon Application Switch. If you are installing the ASA to join an existing cluster, less information is needed because the ASA will fetch most of the configuration from the other ASA(s) in the cluster. In either case you must provide an IP address for the ASA itself and the default gateway, as well as provide the network mask (or accept the suggested value of 255.255.255.0). You will also be asked to provide a Management IP address. When you select join in the Setup menu, you will be asked for the Management IP address already assigned to the existing cluster.

Chapter 3: Initial Setup 35 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

CAUTION—Each ASA cluster in the network must have a unique MIP address. The MIP ! address you assign to a cluster when selecting new in the Setup menu must be different from all other IP addresses used on your network, including the IP address you assign to each particular ASA in the cluster.

Installing and Adding ASAs

Installing an ASA in a New Cluster When you log in after having started the ASA the first time, you will automatically enter the setup utility menu (see Figure 3-1).

1. To install an ASA as a single device connected to the Alteon Application Switch, or to install an ASA as the first member in a new cluster, choose new from the Setup menu. When you select new in the Setup menu, you need to assign a Management IP address to the new cluster that is created, even though the cluster initially only contains a single ASA.

[Setup Menu] join - Join an existing iSD cluster new - Initialize iSD as a new installation boot - Boot Menu info - Information Menu exit - Exit [global command, always available] >> Setup# new Setup will guide you through the initial configuration of the iSD.

2. Configure the port number for the management network, and the basic IP network settings.

(new setup, continued) Enter port number for the management network [1-3]: 1 Enter IP address for this machine: Enter network mask [255.255.255.0]: Enter VLAN tag id (or zero for no VLAN) [0]: Enter gateway IP address (or blank to skip): Enter the Management IP (MIP) address: Trying to contact gateway...ok Making sure the MIP does not exist...ok

36 Chapter 3: Initial Setup 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Answer the requested information to enable network access of the ASA. Make sure that the IP address you assign to the machine, and the Management IP address you assign to the cluster are unique on your network and that they are within the same network address range.

If a connected router or switch attaches VLAN tag IDs to incoming packets, specify the VLAN tag ID used.

The gateway IP address you specify must also be within the same network address range as the machine IP address and the Management IP address. If not, a built-in control function in the Setup utility will detect the erroneous configuration and ask you to check your network settings before trying again.

You will only be prompted for a port number when installing an ASA Copper NIC or Fiber NIC. The valid range of port numbers depend on the particular model:

For the ASA 310 or ASA 410 Copper NIC, equipped with two integrated Intel PRO/100+ copper port NICs for Ethernet or Fast Ethernet, valid port numbers are 1 or 2. Both ports are identical in terms of performance. When installing an ASA 310 or ASA 410 Copper NIC, you are recommended to specify port number 1 for the initial interface (Interface 1) that is configured during the installation. After the installation is complete, you can change the port value for the existing interface, or configure an additional interface to which you assign port number 2. For the ASA 310 or ASA 410 Fiber NIC, which is equipped with one 3Com Gigabit fiber- optic port NIC for Gigabit Ethernet in addition to the dual integrated Intel PRO/100+ NICs, valid port numbers are 1 through 3. Port number 3 refers to the enhanced 3Com Gigabit fiber-optic port NIC. When installing an ASA 310 or ASA 410 Fiber NIC, you may want to specify port number 3 for the default Interface 1 configured during the installation. This instructs the ASA to use the enhanced 3Com Gigabit fiber-optic port for the initial interface. To use the 3Com Gigabit fiber-optic port NIC found on the ASA 310 or ASA 410 Fiber NIC model, make sure all devices in the cluster are of this same model. If your cluster consists of other models besides the ASA 310 or ASA 410 Fiber NIC model, only the dual integrated ports on the Intel PRO/100+ NIC (ports 1 and 2) can be used. In this case, you should therefore specify port 1 for the management interface.

NOTE – When adding additional ASAs to the cluster (by selecting join in the Setup utility), you must specify the port number that is currently used in and assigned to the management interface (Interface 1). In most cases, this will be the same port number as the one you specify in the Setup utility when selecting new.

Chapter 3: Initial Setup 37 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

3. Configure the time zone and NTP and DNS server settings. If you don’t have access to the IP address of an NTP server or DNS server at this point, you can configure these items after the initial setup is completed. See page 302 for information on how to configure NTP servers, and page 303 for information on how to configure DNS servers.

(new setup, continued) Enter a timezone or ’select’ [select]: Select a continent or ocean: Select a country: Select a region: Selected timezone: Enter the current date (YYYY-MM-DD) [2003-03-01]: Enter the current time (HH:MM:SS) [09:26:16]: Enter NTP server address (or blank to skip): Enter DNS server address (or blank to skip):

4. Generate new SSH host keys and define a password for the admin user. In order to maintain a high level of security when accessing the ASA via a SSH connection, it is recommended that you accept the default choice to generate new SSH host keys.

Make sure you remember the password you define for the admin user. You will need to provide the correct admin user password when logging in to the cluster for configuration purposes, and also when adding another ASA to the cluster by performing a join in the Setup menu.

(new setup, continued) Generate new SSH host keys (yes/no) [yes]: This may take a few seconds...ok Enter a password for the "admin" user: Re-enter to confirm:

38 Chapter 3: Initial Setup 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

5. When the Setup utility has finished, log in to the ASA and continue with the configuration. Log in as the admin user with the password you defined in Step 4, and the Main menu is displayed. You can now continue the configuration of the ASA using the command line interface (CLI). For more information about the CLI, see “The Command Line Interface” on page 111.

Initializing system...... ok Setup successful. Relogin to configure.

Adding an ASA to an Existing Cluster After having installed the first ASA in a cluster, additional ASAs may be added to the same cluster by specifying the Management IP (MIP) address that identifies the cluster.

You add additional ASAs to an existing cluster by selecting join from the Setup menu in the ASA, after it has booted. This is the only way to add a new ASA to an existing cluster. Trying to select new from the Setup menu and provide the Management IP address of the existing cluster will not work. The reason to this is that new indicates creating a new cluster, and each cluster must have a unique Management IP address.

Master ASAs cannot exist on different intranet subnets. If the ASA you are joining is installed on a different subnet, this ASA must be configured as a slave.

NOTE – If the Access list consists of entries, i.e. IP addresses for control of Telnet and SSH access, also add the Management IP address (MIP), the IP address of Interface 1 of the existing ASA and the intranet IP address you have in mind for the new ASA to the Access list. This must be done before joining the new ASA, otherwise the ASAs will be unable to communicate. Use the cfg/sys/accesslist command.

To successfully perform a join from the Setup menu, all the ASAs in a cluster must run the same software version. If the ASA you are about to add has a different software version, you need to adjust it to run the same software version as on the ASA(s) currently installed in the cluster. This must be done before performing a join. For more information, see “Reinstalling the Software” on page 56. Another option is to upgrade the whole cluster to the same software version as on the new ASA. For more information, see “Performing Minor/Major Release Upgrades” on page 60. You can check the currently installed software version by using the /boot/software/cur command.

Chapter 3: Initial Setup 39 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

When you log in after having started the ASA the first time, you will automatically enter the setup utility menu (see Figure 3-1).

1. Choose join from the Setup menu to add an ASA to an existing cluster.

[Setup Menu] join - Join an existing iSD cluster new - Initialize iSD as a new installation boot - Boot Menu info - Information Menu exit - Exit [global command, always available] >> Setup# join Setup will guide you through the initial configuration of the iSD.

2. Specify the port number that is used in the cluster for the default management interface, enter the machine IP address, and the cluster management IP address. Assign a unique IP address to the device and provide the Management IP address of the (existing) cluster to which you want to add the ASA. Make sure that the IP address you assign to the device is within the same network address range as the Management IP address of the cluster. If not, a built-in control function in the Setup utility will detect the error and ask you to check your configuration before trying again.

If a connected router or switch attaches VLAN tag IDs to incoming packets, specify the VLAN tag ID used.

To check the Management IP of an existing cluster, connect to the cluster and use the /cfg/sys/cluster/cur command.

(join setup, continued) Enter port number for the management network [1-3]: 1 Enter IP address for this machine: Enter network mask [255.255.255.0]: Enter VLAN tag id (or zero for no VLAN) [0]:

The system is initialized by connecting to the management server on an existing iSD, which must be operational and initialized. Enter the Management IP (MIP) address:

40 Chapter 3: Initial Setup 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

NOTE – You will only be prompted for a port number when adding an ASA 310 or ASA 410 Copper NIC or an ASA 310 or ASA 410 Fiber NIC to a cluster. Make sure you specify the port number that is currently used on Interface 1 in the cluster. On an ASA 310 or ASA 410 Fiber NIC, port number 3 corresponds to the enhanced Gigabit fiber-optic port. To check the port assignment on Interface 1 of an existing cluster, connect to the cluster and use the /cfg/sys/cluster/host #/interface 1/cur command.

3. Provide the correct admin user password, and specify the appropriate iSD type. Type the correct password for the admin user.

When adding up to three additional ASAs to a cluster containing a single ASA, you may configure each additional ASA as either master or slave. For up to three additional ASAs, the default setting is master. When adding one or more ASAs to a cluster that already contains four ASAs, each additional ASA is automatically configured as slave. It is recommended that there are 2-4 master ASAs in each cluster, so in most cases there is no need to change the default setting. If needed, you can always reconfigure an ASA by changing the Type setting after the initial setup. For more information, see the type command under “iSD Host Config- uration” on page 306.

(join setup, continued) Enter the existing admin user password: Enter the type of this iSD (master/slave) [master]: ...... ok

4. Wait until the Setup utility has finished.

(join setup, continued) Setup successful.

The setup utility is now finished. The ASA that has now been added to the cluster will automatically pick up all configuration data from one of the already installed ASAs in the cluster. After a short while you will get a login prompt.

If needed, you can now continue with the configuration of the ASA FIPS units using the command line interface (CLI). Log in as the admin user, and the Main menu is displayed. For more information about the CLI, see “The Command Line Interface” on page 111.

Chapter 3: Initial Setup 41 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Installing and Adding an ASA 310-FIPS

The ASA 310-FIPS model is an ASA 310 where the ordinary SSL accelerator card has been replaced by the HSM (Hardware Security Module) SSL accelerator card. For more information about the ASA 310-FIPS model, see “Introducing the ASA 310-FIPS” on page 27.

After having installed the first ASA 310-FIPS, additional ASA 310-FIPS units can be added to the same cluster by specifying the Management IP (MIP) address that identifies the cluster. For more information about adding an ASA 310-FIPS to an existing cluster, see page 49.

Before installing or adding an ASA 310-FIPS, please make sure that you have fully understood the concept of iKeys. You might also want to decide the labeling scheme you want to use for identifying which iKey is used to initialize a certain HSM card, and also label two of the black cluster-specific iKeys “CODE-SO” and “CODE-USER” respectively in advance. For more information about the concept of iKeys and the ASA 310-FIPS model in general, see “Intro- ducing the ASA 310-FIPS” on page 27. You should also decide a password scheme since you will define passwords not only for the admin user, but also for the HSM-SO iKeys, the HSM- USER iKeys, and possibly a secret passphrase (when selecting FIPS mode).

42 Chapter 3: Initial Setup 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Installing an ASA 310-FIPS in a New Cluster When you log in as the admin user after having started the ASA 310-FIPS the first time, the Setup menu is displayed.

1. Choose new from the Setup menu to install the ASA 310-FIPS as the first member in a new cluster.

2. Configure the port number for the management interface, and the basic IP network settings. Provide answers to the requested information to enable network access of the ASA 310-FIPS. Make sure that the IP address you assign to the machine, and the Management IP address you assign to the cluster (a new cluster is actually created, even though it only contains a single ASA 310-FIPS to start with), are unique on your network and that they are within the same network address range. The gateway IP address you specify must also be within the same network address range as the machine IP address and the Management IP address. If not, a built- in control function in the Setup utility will detect the erroneous configuration and ask you to check your network settings before trying again.

(new setup, continued) Enter port number for the management network [1-2]: 1 Enter IP address for this machine: Enter network mask [255.255.255.0]: Enter gateway IP address (or blank to skip): Enter the Management IP (MIP) address: Trying to contact gateway...ok Making sure the MIP does not exist...ok

Chapter 3: Initial Setup 43 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

4. Generate new SSH host keys and define a password for the admin user. In order to maintain a high level of security when accessing the ASA 310-FIPS via a SSH connection, it is recommended that you accept the default choice to generate new SSH host keys. Note that both Telnet access and SSH access to the ASA 310-FIPS is disabled by default. If your security policy permits accessing the ASA 310-FIPS over the network for configuration purposes, you are recommended to enable only SSH connections. For more information about using SSH, see “Establishing a Connection Using SSH (Secure Shell)” on page 114.

(new setup, continued) Generate new SSH host keys (yes/no) [yes]: This may take a few seconds...ok Enter a password for the "admin" user: Re-enter to confirm:

Make sure you remember the password you define for the admin user. You will need to provide the correct admin user password when logging in to the cluster for configuration purposes, and also when adding another ASA 310-FIPS to the cluster by performing a join in the Setup menu.

5. Choose the appropriate security mode for the ASA 310-FIPS cluster. Decide which security mode to use for the new ASA 310-FIPS cluster—FIPS mode or Extended Security mode. The default Extended Security mode should be used whenever your security policy does not explicitly require conforming to the FIPS 140-1, Level 3 standard.

44 Chapter 3: Initial Setup 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

For more information about the FIPS mode and the Extended Security mode, see “Introducing the ASA 310-FIPS” on page 27.

(new setup, continued) Use FIPS or Extended Security Mode? (fips/extended) [extended]:

6. Initialize HSM card 0 by inserting the first pair of HSM-SO and HSM-USER iKeys, and by defining passwords. Step 6 and Step 7 are related to initializing the HSM cards that your ASA 310-FIPS is equipped with. The Setup utility will identify the first HSM card as card 0, and the second HSM card as card 1. Each HSM card is initialized by inserting the proper iKeys and defining a password for each user role. To successfully initialize both HSM cards, you need to have the following iKeys:

One pair of iKeys to be used for initializing HSM card 0. The purple HSM Security Officer iKey, embossed with “HSM-SO”. The blue HSM User iKey, embossed with “HSM-USER”. Label these iKeys and HSM card 0 in a way so that the connection between them is obvious. After HSM card 0 has been initialized, this card will only accept the HSM-SO and HSM-USER iKeys that were used when initializing this particular HSM card. Even if you choose to use the same HSM-SO and HSM-USER passwords when you initialize card 1 as the passwords you defined when initializing card 0, the HSM-SO and HSM-USER iKeys for card 1 are not interchangeable with the HSM-SO and HSM-USER iKeys for card 0. One pair of iKeys to be used for initializing HSM card 1. The purple HSM Security Officer iKey, embossed with “HSM-SO”. The blue HSM User iKey, embossed with “HSM-USER”. Label these iKeys and HSM card 1 in a way so that the connection between them is obvious. If you will use more than one ASA 310-FIPS device in the cluster, you must also take steps to identify which pair of iKeys is used on which HSM card on which device in the cluster.

Chapter 3: Initial Setup 45 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

You also need to make sure that you can easily access the USB ports on the HSM cards, located on the rear of the ASA 310-FIPS device. When an operation requires inserting an HSM iKey, a flashing LED will direct you to the USB port on the correct HSM card.

(new setup, continued) Verify that HSM-SO iKey (purple) is inserted in card 0 (with flashing LED). Hit enter when done. Enter a new HSM-SO password for card 0: Re-enter to confirm: The HSM-SO iKey has been updated. Verify that HSM-USER iKey (blue) is inserted in card 0 (with flashing LED). Hit enter when done. Enter a new HSM-USER password for card 0: Re-enter to confirm: The HSM-USER iKey has been updated. Card 0 successfully initialized.

NOTE – For more information about iKeys, see “The Concept of iKey Authentication” on page 29.

7. Initialize HSM card 1 by inserting the second pair of HSM-SO and HSM-USER iKeys, and by defining passwords. Remember to take steps to label each pair of HSM-SO and HSM-USER iKeys and the HSM card to which each set of iKeys is associated during the initialization.

(new setup, continued) Verify that HSM-SO iKey (purple) is inserted in card 1 (with flashing LED). Hit enter when done. Enter a new HSM-SO password for card 1: Re-enter to confirm: The HSM-SO iKey has been updated. Verify that HSM-USER iKey (blue) is inserted in card 1 (with flashing LED). Hit enter when done. Enter a new HSM-USER password for card 1: Re-enter to confirm: The HSM-USER iKey has been updated. Card 1 successfully initialized.

46 Chapter 3: Initial Setup 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

8. Split the wrap key from HSM card 0 onto the CODE-SO and CODE-USER iKeys. This step is related to splitting the software wrap key used internally in the cluster, and then loading the split wrap key onto the two black CODE-SO and CODE-USER iKeys. These iKeys will then be used to transfer the cluster wrap key onto another HSM card either within the same ASA 310-FIPS device (as in Step 9), or to HSM cards in an ASA 310-FIPS device that is added to the current cluster.

Each ASA 310-FIPS device is shipped with four black CODE iKeys. However, you will only need to use two of these in one given cluster. The extra two black iKeys can be used to create a pair of backup CODE iKeys. For more information about how to create a pair of backup CODE iKeys, see the splitkey command on page 339.

To successfully split and load the cluster wrap key onto the correct iKeys, you need the following:

Two black CODE iKeys, supposedly labeled “CODE-SO” and “CODE-USER” respectively. If the black iKeys are not already labeled CODE-SO and CODE-USER respectively, you are recommended to do so before inserting them. Whenever the cluster wrap key needs to be transferred onto an initialized HSM card, you will be prompted for the specific CODE iKey, in turns. Having each iKey properly labeled CODE-SO and CODE-USER respectively will make this procedure easier.

(new setup, continued) Should new or existing CODE iKeys be used? (new/existing) [new]: Verify that CODE-SO iKey (black) is inserted in card 0 (with flashing LED). Hit enter when done. Verify that HSM-USER iKey (blue) is inserted in card 0 (with flashing LED). Hit enter when done. Verify that CODE-USER iKey (black) is inserted in card 0 (with flashing LED). Hit enter when done. Wrap key successfully split from card 0.

NOTE – Unlike the HSM-SO and the HSM-USER iKeys, the CODE-SO and CODE-USER iKeys are not specific for each HSM card. Instead, the CODE-SO and CODE-USER iKeys are specific for each cluster of ASA 310-FIPS units. Therefore, if you have more than one cluster of ASA 310-FIPS units, you need to take steps so that you can identify to which cluster a pair of CODE-SO and CODE-USER iKeys is associated.

Chapter 3: Initial Setup 47 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

9. Transfer the cluster wrap key from the CODE-SO and CODE-USER iKeys onto HSM card 1.

(new setup, continued) Verify that CODE-SO iKey (black) is inserted in card 1 (with flashing LED). Hit enter when done. Verify that HSM-USER iKey (blue) is inserted in card 1 (with flashing LED). Hit enter when done. Verify that CODE-USER iKey (black) is inserted in card 1 (with flashing LED). Hit enter when done. Wrap key successfully combined to card 1.

10. If you selected FIPS mode as the security mode, define a passphrase. If you selected FIPS mode prior to initializing HSM card 0 (Step 5 on page 44), you will also be asked to define a passphrase. Make sure you remember the passphrase as you will be prompted for the same passphrase when adding other ASA 310-FIPS units to the same cluster. When selecting Extended Security mode, this step will not appear.

(new setup, continued) Enter a secret passphrase (it will be used during addition of new iSDs to the cluster): Re-enter to confirm:

11. When the Setup utility has finished, log in to the ASA 310-FIPS again and continue with the configuration.

(new setup, continued) Initializing system...... ok Setup successful. Relogin to configure.

The setup utility is now finished, and after a short while you will get a login prompt. Log in as the admin user with the password you defined in Step 4. The Main menu is then displayed. You can now continue with the configuration of the ASA 310-FIPS using the command line interface (CLI). For more information about the CLI, see “The Command Line Interface” on page 111.

48 Chapter 3: Initial Setup 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

NOTE – After successfully having initialized the HSM cards, you are automatically logged in to each HSM card as USER. You can verify the current HSM card login status by using the /info/hsm command. After a reboot has occurred (whether intentionally invoked, or due to a power failure), you must manually log in to the HSM cards for the ASA 310-FIPS device to resume normal operations. For more information about logging in to the HSM cards after a reboot, see “An ASA HSM Stops Processing Traffic” on page 126.

Adding an ASA 310-FIPS to an Existing Cluster You add additional ASA 310-FIPS units to an existing cluster by selecting join from the Setup menu in the ASA 310-FIPS, after it has booted. This is the only way to add a new ASA 310-FIPS to an existing cluster. Trying to select new from the Setup menu and provide the Management IP address of the existing cluster will not work. The reason to this is that new indicates creating a new cluster, and each cluster must have a unique Management IP address. When adding an ASA 310-FIPS to an existing cluster, note that all devices in the cluster must be of this same model.

To successfully perform a join from the Setup menu, all ASA 310-FIPS units in the cluster must run the same software version. If the ASA 310-FIPS you are about to add has a different software version, you need to adjust it to run the same software version as on the ASA 310- FIPS units currently installed in the cluster. This must be done before performing a join. For more information, see “Reinstalling the Software” on page 56. Another option is to upgrade the whole cluster to the same software version as on the new ASA 310-FIPS. For more information, see “Performing Minor/Major Release Upgrades” on page 60. You can check the currently installed software version by using the /boot/software/cur command.

When you log in as the admin user after having started the ASA 310-FIPS the first time, the Setup menu is displayed.

1. Choose join from the Setup menu to add the ASA 310-FIPS to an existing cluster.

[Setup Menu] join - Join an existing iSD cluster new - Initialize iSD as a new installation boot - Boot Menu info - Information Menu exit - Exit [global command, always available] >> Setup# join Setup will guide you through the initial configuration of the iSD.

Chapter 3: Initial Setup 49 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

2. Specify the port number that is used in the cluster for the default management interface, enter the machine IP address, and the cluster management IP address. Make sure you specify the port number that is currently used on Interface 1 in the cluster. To check the port assignment on Interface 1 of an existing cluster, connect to the cluster and use the /cfg/sys/cluster/host/interface 1/cur command.

Assign a unique IP address to the device and provide the Management IP address of the (existing) cluster to which you want to add the ASA 310-FIPS. Make sure that the IP address you assign to the device is within the same network address range as the Management IP address of the cluster. If not, a built-in control function in the Setup utility will detect the error and ask you to check your configuration before trying again.

To check the Management IP of an existing cluster, connect to the cluster and use the /cfg/sys/cluster/cur command.

(join setup, continued) Enter port number for the management network [1-2]: 1 Enter IP address for this machine:

The system is initialized by connecting to the management server on an existing iSD, which must be operational and initialized. Enter the Management IP (MIP) address:

3. Provide the correct admin user password, and specify the appropriate iSD type. Type the correct password for the admin user.

When adding up to three additional ASA 310-FIPS units to a cluster containing a single ASA 310-FIPS, you may configure each additional ASA 310-FIPS as either master or slave. For up to three additional ASA 310-FIPS units, the default setting is master. When adding one or more ASA 310-FIPS units to a cluster that already contains four ASA 310-FIPS units, each additional ASA 310-FIPS is automatically configured as slave. It is recommended that there are 2-4 master ASA 310-FIPS units in each cluster, so in most cases there is no need to change the default setting. If needed, you can always reconfigure an ASA 310-FIPS by changing the Type setting after the initial setup. For more information, see the type command under “iSD Host Configuration” on page 306.

(join setup, continued) Enter the existing admin user password: Enter the type of this iSD (master/slave) [master]: ...... ok

50 Chapter 3: Initial Setup 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

4. Initialize HSM card 0 by inserting the first pair of HSM-SO and HSM-USER iKeys, and by defining passwords. Step 4 and Step 5 are related to initializing the HSM cards that your ASA 310-FIPS is equipped with. The Setup utility will identify the first HSM card as card 0, and the second HSM card as card 1. Make sure you have the required iKeys before proceeding. To successfully initialize both HSM cards, you need to have the following iKeys:

One pair of iKeys to be used for initializing HSM card 0. The purple HSM Security Officer iKey, embossed with “HSM-SO”. The blue HSM User iKey, embossed with “HSM-USER”. Label these iKeys and HSM card 0 in a way so that the connection between them is obvious. After HSM card 0 has been initialized, this card will only accept the HSM-SO and HSM-USER iKeys used when initializing this particular HSM card. Even if you choose to use the same HSM-SO and HSM-USER passwords when you initialize card 1 as the passwords you defined when initializing card 0, the HSM-SO and HSM-USER iKeys for card 1 are not interchangeable with the HSM-SO and HSM-USER iKeys for card 0. One pair of iKeys to be used for initializing HSM card 1. The purple HSM Security Officer iKey, embossed with “HSM-SO”. The blue HSM User iKey, embossed with “HSM-USER”. Label these iKeys and HSM card 1 in a way so that the connection between them is obvious. Because you will have more than one ASA 310-FIPS device in the cluster, you must also take steps to identify which pair of iKeys is used on which HSM card on which device in the cluster. You also need to make sure that you can easily access the USB ports on the HSM cards, located on the rear of the ASA 310-FIPS device. When an operation requires inserting an HSM iKey, a flashing LED will direct you to the USB port on the correct HSM card.

Chapter 3: Initial Setup 51 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

(join setup, continued) Verify that HSM-SO iKey (purple) is inserted in card 0 (with flashing LED). Hit enter when done. Enter a new HSM-SO password for card 0: Re-enter to confirm: The HSM-SO iKey has been updated. Verify that HSM-USER iKey (blue) is inserted in card 0 (with flashing LED). Hit enter when done. Enter a new HSM-USER password for card 0: Re-enter to confirm: The HSM-USER iKey has been updated. Card 0 successfully initialized.

NOTE – For more information about iKeys, see “The Concept of iKey Authentication” on page 29.

5. Initialize HSM card 1 by inserting the second pair of HSM-SO and HSM-USER iKeys, and by defining passwords. Remember to take steps to label each pair of HSM-SO and HSM-USER iKeys and the HSM card to which each set of iKeys is associated during the initialization. Because each ASA 310- FIPS device in the cluster will have two HSM cards, you must also take steps to identify to which ASA 310-FIPS device each pair of iKeys are associated. Your labeling must ensure that the connection is obvious between a pair of HSM-SO/HSM-USER iKeys, the HSM card that was initialized by using those iKeys, and the ASA 310-FIPS device holding that particular HSM card.

52 Chapter 3: Initial Setup 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

(join setup, continued) Verify that HSM-SO iKey (purple) is inserted in card 1 (with flashing LED). Hit enter when done. Enter a new HSM-SO password for card 1: Re-enter to confirm: The HSM-SO iKey has been updated. Verify that HSM-USER iKey (blue) is inserted in card 1 (with flashing LED). Hit enter when done. Enter a new HSM-USER password for card 1: Re-enter to confirm: The HSM-USER iKey has been updated. Card 1 successfully initialized.

6. Transfer the cluster wrap key from the CODE-SO and CODE-USER iKeys onto HSM card 0. Step 6 and Step 7 are related to transferring the cluster wrap key onto the two HSM cards in the ASA 310-FIPS you are adding to the cluster. The wrap key is transferred onto each HSM card in two steps, where each half of the cluster wrap key stored on the two black CODE-SO and CODE-USER iKeys is loaded and combined on the HSM card in the new ASA 310-FIPS cluster member.

To successfully load and combine the cluster wrap key onto the HSM cards, you need the following:

The two black HSM Code iKeys, labeled “CODE-SO” and “CODE-USER” respectively, that you used when installing the first ASA 310-FIPS in the cluster.

Chapter 3: Initial Setup 53 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

If you have more than one cluster of ASA 310-FIPS units, make sure that you can identify to which cluster the pair of CODE iKeys are associated. The cluster wrap key that is split and stored on the two CODE iKeys is specific for each cluster of ASA 310-FIPS units.

(join setup, continued) Verify that CODE-SO iKey (black) is inserted in card 0 (with flashing LED). Hit enter when done. Verify that HSM-USER iKey (blue) is inserted in card 0 (with flashing LED). Hit enter when done. Verify that CODE-USER iKey (black) is inserted in card 0 (with flashing LED). Hit enter when done. Wrap key successfully combined to card 0.

7. Transfer the cluster wrap key from the CODE-SO and CODE-USER iKeys onto HSM card 1.

(join setup, continued) Verify that CODE-SO iKey (black) is inserted in card 1 (with flashing LED). Hit enter when done. Verify that HSM-USER iKey (blue) is inserted in card 1 (with flashing LED). Hit enter when done. Verify that CODE-USER iKey (black) is inserted in card 1 (with flashing LED). Hit enter when done. Wrap key successfully combined to card 1.

8. If you selected FIPS mode when installing the first ASA 310-FIPS in the cluster, provide the correct passphrase. If you selected FIPS mode when installing the first ASA 310-FIPS in the cluster (Step 5 on page 44), you will also be asked to provide the passphrase you defined at that time. If you selected Extended Security mode, this step will not appear.

(join setup, continued) Enter the secret passphrase (as given during initialization of the first iSD in the cluster):

54 Chapter 3: Initial Setup 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

9. Wait until the Setup utility has finished.

(join setup, continued) Setup successful.

The setup utility is now finished. The ASA 310-FIPS that has now been added to the cluster will automatically pick up all configuration data from one of the already installed ASA 310- FIPS units in the cluster. After a short while you will get a login prompt.

If needed, you can now continue with the configuration of the ASA 310-FIPS units using the command line interface (CLI). Log in as the admin user, and the Main menu is displayed. For more information about the CLI, see “The Command Line Interface” on page 111.

Chapter 3: Initial Setup 55 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Reinstalling the Software

When adding a new ASA to an existing cluster, and the software version on the new ASA is different from the ASAs in the cluster, you will need to reinstall the software. Other- wise, reinstalling the software is seldom required except in case of serious malfunction.

When you log in as the boot user and perform a reinstallation of the software, the ASA is reset to its factory default configuration. All configuration data and current software is wiped out, including old software image versions or upgrade packages that may be stored in the flash memory card or on the hard disk. Also note that a reinstall must be performed on each ASA via a console connection.

NOTE – A reinstall wipes out all configuration data (including network settings). Therefore you should first save all configuration data to a file on a TFTP or FTP server. Using the ptcfg command, installed keys and certificates are included in the configuration data, and can later be restored by using the gtcfg command. For more information about these commands, see the respective command under “Configuration Menu” on page 172. If you would prefer to make backup copies of your keys and certificates separately, you can use the display or export command. For more information about these commands, see the respective command under “Certificate Management Configuration” on page 179.

To reinstall an ASA you will need the following:

Access to the ASA via a console connection. An install image, loaded on a TFTP server or an FTP server on your network. The host name or IP address of the TFTP server or FTP server. The name of the install image. Log in as user: boot, password: ForgetMe

NOTE – Configure DNS parameters if you will be specifying host names. See “DNS Servers Configuration” on page 303.

When performing a reinstallation of the ASA software, access to the ASAs must be accomplished via the console port.

56 Chapter 3: Initial Setup 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

1. Log in as the boot user and provide the correct password.

*** Reinstall Upgrade Procedure *** If you proceed beyond this point, the active network configuration will be reset, requiring a reboot to restore any current settings. However, no permanent changes will be done until the boot image has been downloaded. Continue (y/n)? [y]:

2. Confirm the network port setting, and the IP network settings.

(reinstall procedure, continued) Select a network port (1-2, or i for info) [1]: Enter VLAN tag id (or zero for no VLAN tag) [0]: Enter IP address for this iSD [192.168.128.185]: Enter network mask [255.255.255.0]: Enter gateway IP address [192.168.128.1]:

NOTE – If the ASA has not been configured for network access previously, or if you have deleted the ASA from the cluster by using the /boot/delete command, you must provide information about network settings such as interface port, IP address, network mask, and gateway IP address. No suggested values related to a previous configuration will be presented within square brackets.

3. Select a download method, specify the server IP address, and the boot image file name.

NOTE – For some TFTP servers, files larger than 16 MB may cause the update to fail.

(reinstall procedure, continued) Select TFTP (t) or FTP (f) [t]: Enter TFTP server address: 10.0.0.1 Enter file name of boot image: SSL-4.1.x-boot.img Downloading boot image... Installing new boot image... Done

Chapter 3: Initial Setup 57 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

4. Log in to the Alteon SSL Accelerator as the admin user, after the device has rebooted on the newly installed boot image.

(reinstall procedure, continued) Restarting... Restarting system. Alteon WebSystems, Inc. 0005004D Booting...

After the new boot image has been installed, the ASA will reboot and you can log in again when the login prompt appears. This time, log in as the admin user to enter the Setup menu. For more information about the Setup menu, see page 35 and onwards.

58 Chapter 3: Initial Setup 212939-F, November 2003

CHAPTER 4 Upgrading the ASA Software

The Alteon SSL Accelerator (ASA) software image is the executable code running on the ASA. A version of the image ships with the ASA, and comes pre-installed on the device. As new versions of the image are released, you can upgrade the software running on your ASA. Before upgrading, please check the accompanying release notes for any specific actions to take for the particular software upgrade package or install image.

There are three types of upgrades:

Minor release upgrade: This is typically a bug fix release. Usually this kind of upgrade can be done without the ASA rebooting. Thus, the normal operation and traffic flow is maintained. All configuration data is retained. When performing a minor upgrade, you should connect to the Management IP address of the cluster you want to upgrade. Major release upgrade: This kind of release may contain both bug fixes as well as feature enhancements. The ASA may automatically reboot after a major upgrade, since the operating system may have been enhanced with new features. All configuration data is retained. When performing a major upgrade, you should connect to the Management IP address of the cluster you want to upgrade. Upgrading the software on your ASA requires the following:

Loading the new software upgrade package or install image onto a TFTP or FTP server on your network. Downloading the new software from the TFTP or FTP server to your ASA.

59 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Performing Minor/Major Release Upgrades

The following description applies to a minor or a major release upgrade.

To upgrade the ASA you will need the following:

Access to one of your ASAs via a remote connection (Telnet or SSH), or a console connection. The software upgrade package, loaded on a TFTP or FTP server on your network. The host name or IP address of the TFTP or FTP server. If you choose to specify the host name, please note that the DNS parameters must have been configured. For more information, see “DNS Servers Configuration” on page 303. The name of the software upgrade package (upgrade packages are identified by the .pkg file name extension). It is important to realize that the set of installed ASAs you are running in a cluster are cooper- ating to give you a single system view. Thus, when performing a minor or a major release upgrade, you only need to be connected to the Management IP address of the cluster. The upgrade will automatically be executed on all the ASAs in operation at the time of the upgrade. All configuration data is retained. For a minor upgrade, normal operations are usually unaf- fected, whereas a major upgrade may cause the ASA to reboot.

Access to the Management IP address can be accomplished via a Telnet connection or SSH (Secure Shell) connection. Note however that Telnet and SSH connections to the ASA are disabled by default, after the initial setup has been performed. For more information about enabling Telnet and SSH connections, see “Connecting to the ASA” on page 112. When you have gained access to the ASA, use the following procedure.

1. To download the software upgrade package, enter the following command at the Main menu prompt. Then select whether to download the software upgrade package from a TFTP or FTP server:

NOTE – For some TFTP servers, files larger than 16 MB may cause the upgrade to fail.

>> Main# boot/software/download Select TFTP or FTP (tftp/ftp) [tftp]:tftp

60 Chapter 4: Upgrading the ASA Software 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

2. Enter the host name or IP address of the TFTP or FTP server.

Enter hostname or IP address of server:

3. Enter the file name of the software upgrade package to download.

Enter filename on server: Received 10745386 bytes in 12.0 seconds

Unpacking...ok

>> Software Management#

The exact form of the name will vary by TFTP server. However, the file location is normally relative to the TFTP directory (usually /tftpboot).

Activating the Software Upgrade Package The ASA can hold up to two software versions simultaneously. To view the current software status, use the /boot/software/cur command. When a new version of the software is downloaded to the ASA, the software package is decompressed automatically and marked as unpacked. After you activate the unpacked software version (which may cause the ASA to reboot), the software version is marked as permanent. The software version previously marked as permanent will then be marked as old.

For minor and major releases, the software upgrade will take part synchronously among the set of ASAs in a cluster. If one or more ASAs are not operational when the software is upgraded, they will automatically pick up the new version when they are started.

NOTE – If more than one software upgrade has been performed to a cluster while an ASA has been out of operation, the ASA must be reinstalled with the software version currently in use in that cluster. For more information about how to perform a reinstall, see “Reinstalling the Soft- ware” on page 56.

When you have downloaded the software upgrade package, you can inspect its status with the /boot/software/cur command.

Chapter 4: Upgrading the ASA Software 61 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

1. At the Software Management# prompt, enter the following command:

>> Software Management# cur Version Name Status ------4.1 SSL unpacked 4.0 SSL permanent

The downloaded software upgrade package is indicated with the status unpacked. The software versions can be marked with one out of four possible status values. The meaning of these status values are:

unpacked means that the software upgrade package has been downloaded and automatically decompressed. permanent means that the software is operational and will survive a reboot of the system. old means the software version has been permanent but is not currently operational. If a software version marked old is available, it is possible to switch back to this version by activating it again. current means that a software version marked as old or unpacked has been activated. As soon as the system has performed the necessary health checks, the current status changes to permanent. To activate the unpacked software upgrade package, use the activate command.

2. At the Software Management# prompt, enter:

>> Software Management# activate 4.1 Confirm action ’activate’? [y/n]: y Activate ok, relogin Restarting system.

NOTE – Activating the unpacked software upgrade package may cause the command line interface (CLI) software to be upgraded as well. Therefore, you will be logged out of the system, and will have to log in again. Wait until the login prompt appears. This may take up to 2 minutes, depending on your type of hardware platform and whether the system reboots.

62 Chapter 4: Upgrading the ASA Software 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

3. After having logged in again, verify the new software version:

>> Main# boot/software/cur Version Name Status ------4.1 SSL permanent 4.0 SSL old

In this example, version 4.1 is now operational and will survive a reboot of the system, while the software version previously indicated as permanent is marked as old.

NOTE – If you encounter serious problems while running the new software version, you can revert to the previous software version (now indicated as old). To do this, activate the software version indicated as old. When you log in again after having activated the old software version, its status is indicated as current for a short while. After about one minute, when the system has performed the necessary health checks, the current status is changed to permanent.

Upgrading a Mixed ASA Cluster

This section describes how to upgrade from a software version earlier than 3.0 to software version 4.1 in a cluster where the ASA 310 Fiber NIC model coexists with ASA 310s without Fiber NIC.

The ASA 310 Fiber NIC model uses a different port for the default management network during the upgrade in order to make use of the built-in 3Com Gigabit fiber-optic NIC. When coex- isting with other ASA models, network connectivity within the cluster will therefore be lost. To successfully upgrade such a mixed cluster and maintain network connectivity after the upgrade is complete, you therefore need to follow the procedure described below.

On subsequent upgrades to software versions later than 4.1, you can safely follow the regular upgrade procedure described in “Performing Minor/Major Release Upgrades” on page 60.

1. Delete all ASA 310 or ASA 410 Fiber NIC devices from the cluster.

>> Main# cfg/sys/cluster/host 1 >> iSD Host 1# delete

To make sure that you specify the correct host number when deleting an ASA 310 Fiber NIC from the cluster, use the /cfg/sys/cluster/cur command to display each device in the cluster by host number, IP address, and number of physical ports.

Chapter 4: Upgrading the ASA Software 63 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Repeat this step until all ASA 310 Fiber NIC devices in the cluster are deleted.

2. Upgrade the remaining ASAs in the cluster to version 4.1.

3. Upgrade the software on the ASA 310 or ASA 410 Fiber NIC device to version 4.1 by following the instructions in “Reinstalling the Software” on page 56. Make sure you use a boot image with version number 4.1 or later.

4. Join the upgraded ASA 310 Fiber NIC device to the cluster by following the instructions in “Adding an ASA to an Existing Cluster” on page 39. When asked to specify a port number for the management network, make sure you specify port number 1.

>> Setup# join Setup will guide you through the configuration of the iSD. Enter port number for the management network [1-3]: 1

On subsequent upgrades, this port number configuration will be retained.

5. Repeat steps 3 and 4 for each ASA 310 Fiber NIC device that initially was deleted from the cluster.

64 Chapter 4: Upgrading the ASA Software 212939-F, November 2003

CHAPTER 5 Managing Users and Groups

This chapter describes the rules that govern user rights, how to add or delete users from the system, how to set or change group assignments, and how to change login passwords.

User Rights and Group Membership

Group membership dictates user rights, according to Table 5-1. When a user is a member of more than one group, user rights accumulate. The admin user, who by default is a member of all three groups, therefore has the same user rights as granted to members in the certadmin and oper group, in addition to the specific user rights granted by the admin group membership. The most permissive user rights becomes the effective user rights when a user is a member of more than one group. For more information about default user groups and related access levels, see also “Accessing the ASA” on page 116.

Table 5-1 User Rights and Group Membership

Group User Add Delete Add User Remove Change Change Account Account User to User to Group User own other System from from Password User’s System Group Password

admin admin Yes Yes Yes, to own Yes Yes Yes, if admin group is a member of the other user’s first group

certadmin admin No No Yes, to own No Yes No group

oper oper No No Yes, to own No Yes No admin group

65 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Adding a New User

To add a new user to the system, you must be a member of the admin group. By default, only the admin user is a member of the admin group.

In this configuration example, a Certificate Administrator user is added to the system, and then assigned to the certadmin group. The Certificate Administrator is supposed to specialize in managing certificates and private keys, without the possibility to change system parameters or configure virtual SSL servers. A user who is a member of the certadmin group can therefore access the Certificate menu (/cfg/ssl/cert), but not the SSL Server menu (/cfg/ssl/server). Access to the System menu (/cfg/sys) is limited, and entails access only to the User Access Control submenu (/cfg/sys/user).

1. Log in to the ASA cluster as the admin user.

2. Access the User Menu.

>> Main# /cfg/sys/user

------[User Menu] passwd - Change own password list - List all users del - Delete a user add - Add a new user edit - Edit a user caphrase - Certadmin export passphrase

>> User#

3. Add the new user and designate a user name. The maximum length for a user name is 255 characters. No spaces are allowed. Each time the new user logs in to the ASA cluster, the user must enter the name you designate as the user name in this step.

>> User# add Name of user to add: cert_admin (maximum 255 characters, no spaces)

66 Chapter 5: Managing Users and Groups 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

4. Assign the new user to a user group. You can only assign a user to a group in which you yourself are a member. When this criteria is met, users can be assigned to one or more of the following three groups:

oper admin certadmin By default, the admin user is a member of all groups above, and can therefore assign a new or existing user to any of these groups. The group assignment of a user dictates the user rights and access levels to the system.

>> User# edit cert_admin >> User cert_admin# groups/add Enter group name: certadmin

5. Verify and apply the group assignment. When typing the list command, the current and pending group assignment of the user being edited is listed by index number and group name. Because the cert_admin user is a new user, the current group assignment listed by Old: is empty.

>> Groups# list Old: Pending: 1: certadmin >> Groups# apply Changes applied successfully.

6. Define a login password for the user. When the user logs in to the ASA cluster the first time, the user will be prompted for the password you define in this step. When successfully logged in, the user can change his or her own password. The login password is case sensitive and can contain spaces.

>> Groups# /cfg/sys/user >> User# edit cert_admin >> User cert_admin# password Enter admin’s current password: (admin user password) Enter new password for cert_admin: (cert_admin user password) Re-enter to confirm: (reconfirm cert_admin user password)

Chapter 5: Managing Users and Groups 67 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

7. Apply the changes.

>> User cert_admin# apply Changes applied successfully.

8. Let the Certificate Administrator user define an export passphrase. This step is only necessary if you want to fully separate the Certificate Administrator user role from the Administrator user role. If the admin user is removed from the certadmin group (as in Step 9), a Certificate Administrator export passphrase (caphrase) must be defined.

As long as the admin user is a member of the certadmin group (the default configuration), the admin user is prompted for an export passphrase each time a configuration backup that contains private keys is sent to a TFTP server (command: /cfg/ptcfg). When the admin user is not a member of the certadmin group, the export passphrase defined by the Certifi- cate Administrator is used instead to encrypt private keys in the configuration backup. The encryption of private keys using the export passphrase defined by the Certificate Administrator is performed transparently to the user, without prompting. When the configuration backup is restored, the Certificate Administrator must enter the correct export passphrase.

NOTE – If the export passphrase defined by the Certificate Administrator is lost, configuration backups made by the admin user while he or she was not a member of the certadmin group cannot be restored.

NOTE – When using the /cfg/ptcfg command on an ASA 310-FIPS, private keys are always encrypted using the wrap key that was generated when the first HSM card in the cluster was initialized.

The export passphrase defined by the Certificate Administrator remains the same until changed by using the /cfg/sys/user/caphrase command. For users who are not members of the certadmin group, the caphrase command in the User menu is hidden. Only users who are members of the certadmin group should know the export passphrase. The export passphrase can contain spaces and is case sensitive.

>> User cert_admin# ../caphrase Enter new passphrase: Re-enter to confirm: Passphrase changed.

68 Chapter 5: Managing Users and Groups 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

9. Remove the admin user from the certadmin group. Again, this step is only necessary if you want to fully separate the Certificate Administrator user role from the Administrator user role. Note however, than once the admin user is removed from the certadmin group, only a user who is already a member of the certadmin group can grant the admin user certadmin group membership anew.

When the admin user is removed from the certadmin group, only the Certificate Adminis- trator user can access the Certificate menu (/cfg/ssl/cert).

>> User# edit admin >> User admin# groups/list 1: admin 2: oper 3: certadmin >> Groups# del 3

NOTE – It is critical that a Certificate Administrator user is created and assigned certadmin group membership before the admin user is removed from the certadmin group. Otherwise there is no way to assign certadmin group membership to a new user, or to restore certadmin group membership to the admin user, should it become necessary.

10. Verify and apply the changes.

>> Groups# list Old: 1: admin 2: oper 3: certadmin Pending: 1: admin 2: oper >> Groups# apply

Chapter 5: Managing Users and Groups 69 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Changing a User’s Group Assignment

Only users who are members of the admin group can remove other users from a group. All users can add an existing user to a group, but only to a group in which the “granting” user is already a member. The admin user, who by default is a member of all three groups (admin, oper, and certadmin) can therefore add users to any of these groups.

1. Log in to the ASA cluster. In this example the cert_admin user, who is a member of the certadmin group, will add the admin user to the certadmin group. The example assumes that the admin user previously removed himself or herself from the certadmin group, in order to fully separate the Administrator user role from the Certificate Administrator user role.

2. Access the User Menu.

>> Main# /cfg/sys/user

------[User Menu] passwd - Change own password list - List all users del - Delete a user add - Add a new user edit - Edit a user caphrase - Certadmin export passphrase

>> User#

3. Assign the admin user certadmin user rights by adding the admin user to the certadmin group.

>> User# edit admin >> User admin# groups/add Enter group name: certadmin

NOTE – A user must be assigned to at least one group at any given time. If you want to replace a user’s single group assignment, you must therefore always first add the user to the desired new group, then remove the user from the old group.

70 Chapter 5: Managing Users and Groups 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

4. Verify and apply the changes.

>> Groups# list Old: 1: admin 2: oper Pending: 1: admin 2: oper 3: certadmin >> Groups# apply

Changing a User’s Password

Changing Your Own Password All users can change their own password. Login passwords are case sensitive and can contain spaces.

1. Log in to the ASA cluster by entering your user name and current password.

2. Access the User Menu.

>> Main# /cfg/sys/user

------[User Menu] passwd - Change own password list - List all users del - Delete a user add - Add a new user edit - Edit a user caphrase - Certadmin export passphrase

>> User#

Chapter 5: Managing Users and Groups 71 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

3. Type the passwd command to change your current password. When your own password is changed, the change takes effect immediately without having to use the apply command.

>> User# passwd Enter cert_admin’s current password: (current cert_admin user password) Enter new password: (new cert_admin user password) Re-enter to confirm: (reconfirm new cert_admin user password) Password changed.

Changing Another User’s Password Only the admin user can change another user’s password, and then only if the admin user is a member of the other user’s first group, i.e the group that is listed first for the user with the /cfg/sys/user/edit /groups/list command. Login passwords are case sensitive and can contain spaces.

1. Log in to the ASA cluster as the admin user.

2. Access the User Menu.

>> Main# /cfg/sys/user

------[User Menu] passwd - Change own password list - List all users del - Delete a user add - Add a new user edit - Edit a user caphrase - Certadmin export passphrase

>> User#

3. Specify the user name of the user whose password you want to change.

>> User# edit Name of user to edit: cert_admin

72 Chapter 5: Managing Users and Groups 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

4. Type the password command to initialize the password change.

>> User cert_admin# password Enter admin’s current password: (admin user password) Enter new password for cert_admin: (new password for user being edited) Re-enter to confirm: (confirm new password for user being edited)

5. Apply the changes.

>> User cert_admin# apply Changes applied successfully.

Deleting a User

To delete a user from the system, you must be a member of the admin group. By default, only the admin user is a member of the admin group.

NOTE – Remember that when a user is deleted, that user’s group assignment is also deleted. If you are deleting a user who is the sole member of a group, none of the remaining users on the system can then be added to that group. Existing users can only be added to a group by a user who is already a member of that group. Before deleting a user, you may therefore want to verify that the user is not the sole member of a group.

1. Log in to the ASA cluster as the admin user.

2. Access the User Menu.

>> Main# /cfg/sys/user

------[User Menu] passwd - Change own password list - List all users del - Delete a user add - Add a new user edit - Edit a user

>> User#

Chapter 5: Managing Users and Groups 73 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

3. Specify the user name of the user you want to remove from the system configuration. In this example, the cert_admin user is removed from the system. To list all users that are currently added to the system configuration, use the list command.

>> User# del cert_admin

4. Verify and apply the changes. The imminent removal of the cert_admin user is indicated as a pending configuration change by the minus sign (-). To cancel a configuration change that has not yet been applied, use the revert command.

>> User# list root admin oper -cert_admin >> User# apply

74 Chapter 5: Managing Users and Groups 212939-F, November 2003

CHAPTER 6 Managing Certificates and Client Authentication

This chapter describes common tasks involving certificates and client authentication. The chapter also provides detailed step-by-step instructions for generating certificate signing requests, adding certificates to the ASA, generating and revoking client certificates, as well as configuring the ASA to require client certificates.

The ASA accelerator supports importing certificates in the PEM, NET, DER, PKSCS7, and PKCS12 formats. The certificates must conform to the X.509 standard. You can create a new certificate, or use an existing certificate. The ASA supports using up to 1500 certificates. The basic steps to create a new certificate using the command line interface in the ASA are:

Generate a Certificate Signing Request (CSR) and send it to a Certificate Authority (CA, such as Entrust or VeriSign) for certification. Add the signed certificate to the ASA.

NOTE – Even though the ASA supports keys and certificates created by using Apache-SSL, OpenSSL, or Stronghold SSL, the preferred method from a security point of view is to create keys and generate certificate signing requests from within the ASA by using the command line interface. This way, the encrypted private key never leaves the ASA, and is invisible to the user.

75 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Generating and Submitting a CSR Using the CLI

1. Initiate requesting a certificate signing request (CSR), and provide the necessary information.

>> Main# cfg/ssl/cert Enter certificate number (1-): Creating Certificate 1 >> Certificate 1# request The combined length of the following parameters may not exceed 225 bytes. Country Name (2 letter code): State or Province Name (full name): Locality Name (e.g., city): Organization Name (e.g., company): Organizational Unit Name (e.g., section): Common Name (e.g., your name or your server’s hostname): E-mail Address: Generate new key pair (y/n) [y]: Key size [1024]: Request a CA certificate (y/n) [n]: Specify challenge password (y/n) [n]:

NOTE – When specifying a certificate number, make sure not to use a number currently used by an existing certificate. To view basic information about all configured certificates, use the /info/certs command. The information displayed lists all configured certificates by their main attributes, including the certificate number (contained in the Certificate Menu line, such as “Certificate Menu 1:”).

Explanations for the requested units of information:

Country Name: The two-letter ISO code for the country where the Web server is located. For current information about ISO country codes, visit for example http://www.iana.org State or Province Name: This is the name of the state or province where the head office of the organization is located. Enter the full name of the state or province. Locality Name: The name of the city where the head office of the organization is located. Organization Name: The registered name of the organization. This organization must own the domain name that appears in the common name of the Web server. Do not abbreviate the organization name and do not use any of the following characters: < > ~ ! @ # $ % ^ * / \ ( ) ?

76 Chapter 6: Managing Certificates and Client Authentication 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Organizational Unit Name: The name of the department or group that uses the secure Web server. Common Name: The name of the Web server as it appears in the URL. This name must be the same as the domain name of the Web server that is requesting a certificate. If the Web server name does not match the common name in the certificate, some browsers will refuse a secure connection with your site. Do not enter the protocol specifier (http://) or any port numbers or pathnames in the common name. Wildcards (such as * or ?) and IP address are not allowed. E-mail Address: Enter the user’s e-mail address. Generate new key pair [y]: In most cases you will want to generate a new key pair for a CSR. However, if a configured certificate is approaching its expiration date and you want to renew it without replacing the existing key, answering no (n) is appropriate. The CSR will then be based on the existing key (for the specified certificate number) instead. Key size [1024]: Specify the key length of the generated key. The default value is 1024. Request a CA certificate (y/n) [n]: Lets you specify whether to request a CA certificate to use for client authentication. Requesting a CA certificate is appropriate if you plan to issue your own server certificates or client certificates, generating them from the requested CA certificate. The default value is to not request a CA certificate. Specify challenge password (y/n) [n]:

2. Generate the CSR. Press ENTER after you have provided the requested information. The CSR is generated and displayed on screen:

Use ’apply’ to store the private key in the iSD until the signed certificate is entered. The private key will be lost unless you ’apply’ or save it elsewhere using ’export’.

Chapter 6: Managing Certificates and Client Authentication 77 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

3. Apply your changes.

>> Certificate 1# apply Changes applied successfully.

4. Save the CSR to a file. Copy the entire CSR, including the “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----” lines, and paste it into a text editor. Save the file with a .csr extension. The name you define can indicate the server on which the certificate is to be used.

5. Save the private key to a file.

NOTE – Provided you intend to use the same certificate number when adding the certificate returned to you (after the CSR has been processed by a certificate authority), this step is only necessary if you want to create a backup copy of the private key. When generating a CSR, the private key is created and stored (encrypted) on the ASA using the specified certificate number. When you receive the certificate (containing the corresponding public key) and add it to the ASA, make sure you specify the same certificate number that is used for storing the private key. Otherwise, the private key and the public key in the certificate will not match.

78 Chapter 6: Managing Certificates and Client Authentication 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Type the display command and press ENTER. Choose to encrypt the private key, and specify a password phrase. Make sure to remember the password phrase.

>> Certificate 1# display Encrypt private key (yes/no) [yes]: Enter export pass phrase: Reconfirm export pass phrase: -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,27C89CBC65615F06

5cZBjjKAVoYRdtLYFa0zBpKQhK3yAJ+qSXxkrNCaRlSzuX2iClaAHtsSueGvJg7o HNHcZVZCCxZtSLIsBTvDK0xY5ZomlqAU+JdWn0zc4hilf9KjLRBzk2p7azQUCMqW jVJ5x9oFeuurfm3e6kqdCvnPweYJmZGp5A33Y7EV7TY5v30lZWnZrmD0tTfvljq7 rAfavlfWFgeBRG5kcdOgeb1hIHF2X16YMcp7YQUWGBccA1R7FvsVuvFuva9icCN1 ++bF1GjfIMcSdpFt6Rkyq/CXBy3LVCAX0rfdPjaniO8G6sARa+qbkpnOvsA2eMc4 MXDHxc7+EavNBOIxAPL8PXunns53MYiWx5INWiQPh38gkjhi+n+75PJQi/J1Ab5p iOpqHDUfcUBwdrkp/+3SKMAbc4VIaBnbGpfv2hNrr0Q/LyJilhjEPX+LIizkhWKo QcdeqY3KyJGDugnqJBfybkNysKpPMDtd5Q7Yki5HdRe1RXenowDpiQlxToLlz9Bl XDwFj2Ag7IfUk3Kwin2dn5KKSM35+a6Ateb4WjctIZGRlsi9JqQN8GOZf4uwj/Wg nkzQeQ1rExpLbGTfiuRfVAstvo8bUIjm5xDY5HSmKx1FA2O2W2E/mB02Q9ZckG7I hjB3ku2Wnvzv91qiCq6ljPN+hl4/zVmo6c/v2+pzubAxbOF5/NfQWwyogx0quCgN 4LaxsUXb0kpak4OLXNoqPVEDysYKD1zGCnrb3rgQ8hyhgoVHcRt6Rtsi4/6UzCkT wtRtiyR96OEmVVA+x/8jsrU3LLCPYsswP0zje87mphh1PwiSRIMB6Q== -----END RSA PRIVATE KEY-----

Copy the private key, including the “-----BEGIN RSA PRIVATE KEY-----” and “-----END RSA PRIVATE KEY-----” lines, and paste it into a text editor. Save the file with a .key extension. Preferably, use the same file name that you defined for the .csr file, so the connection between the two files becomes obvious. The name you define can indicate the server on which the certificate and the corresponding private key is to be used.

NOTE – When using an ASA 310-FIPS, the private key is protected by the HSM card and cannot be exported.

After you have received the processed CSR from a CA, make sure to create a backup copy of the certificate as well.

Chapter 6: Managing Certificates and Client Authentication 79 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

6. Open and copy the CSR. In a text editor, open the .csr file you created in Step 4. It should appear similar to the following:

Copy the entire CSR, including the “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----” lines.

7. Submit the CSR to Verisign, Entrust, or any other CA. The process for submitting the CSR varies with each CA. Use your Web browser to access your CA’s Web site and follow the online instructions. When prompted, paste the CSR into the space provided on the CA’s online request process. If the CA requires that you specify a server software vendor whose software you supposedly used to generate the CSR, specify Apache.

The CA will return the signed certificate for installation. The certificate is then ready to be added into the ASA.

80 Chapter 6: Managing Certificates and Client Authentication 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Adding Certificates to the ASA

Using the encryption capabilities of the ASA requires adding a key and certificate that con- forms to the X.509 standard to the ASA. If you have more than one ASA in a cluster, the key and certificate need only be added to one of the devices. As with configuration changes, the information is automatically propagated to all other devices in the cluster.

NOTE – When using an ASA 310-FIPS running in FIPS mode, the private key associated with a certificate cannot be imported. All private keys must be generated on the HSM card itself due to the FIPS security requirements.

There are two ways to install a key and certificate into the ASA:

Copy-and-paste the key/certificate. Download the key/certificate from a TFTP/FTP server. The ASA supports importing certificates and keys in these formats:

PEM NET DER PKCS7 (certificate only) PKCS8 (keys only, used in WebLogic) PKCS12 (also known as PFX) Besides these formats, keys in the proprietary format used in MS IIS 4 can be imported by the ASA, as wells as keys from Netscape Enterprise Server or iPlanet Server. Importing keys from Netscape Enterprise Server or iPlanet Server however, require that you first use a conversion tool. For more information about the conversion tool, contact Nortel Networks. See “How to Get Help” on page 17 for contact information.

When it comes to exporting certificates and keys from the ASA, you can specify to save in the PEM, NET, DER, or PKCS12 format when using the export command. If you choose to use the display command (which requires a copy-and-paste operation), you are restricted to saving certificates and keys in the PEM format only.

NOTE – When performing a copy-and-paste operation to add a certificate or key, you must always use the PEM format.

Chapter 6: Managing Certificates and Client Authentication 81 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Using a Copy-and-Paste Operation to Add Certificates The following steps demonstrate how to add a certificate using the copy-and-paste method.

NOTE – If you connect to one of the ASAs in the cluster by using a console connection, note that HyperTerminal under Microsoft Windows may be slow to complete copy-and-paste operations. If your security policy permits enabling Telnet or SSH access to the ASA, use a Telnet or SSH client and connect to the Management IP address instead.

1. Type the following command from the Main menu prompt on the ASA to start adding a certificate.

>> Main# cfg/ssl/cert Enter certificate number: (1-) >> Certificate 1# cert Paste the certificate, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate. >

In most cases you should specify the same certificate number as the certificate number you used when generating the CSR. By doing so, you do not have to add the private key because this key remains connected to the certificate number that you used when you generated the CSR.

If you have obtained a key and a certificate by other means than generating a CSR using the request command on the ASA, specify a certificate number not used by a configured certificate before pasting the certificate. If the private key and the certificate are not contained in the same file, use the key or import command to add the corresponding private key.

To view basic information about configured certificates, use the /info/certs command. The information displayed lists all configured certificates by their main attributes.

2. Copy the contents of your certificate file. Open the certificate file you have received from a CA in a text editor and copy the entire contents. Make sure the selected text includes the “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” lines.

3. Paste the contents of the certificate file at the command prompt. Now, paste the certificate at the command line interface prompt, press ENTER to create a new empty line, and then type “...” (without the quotation marks). Press ENTER again to complete the installation of the certificate.

82 Chapter 6: Managing Certificates and Client Authentication 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Your screen output should now resemble the following example:

>> Certificate 1# cert Paste the certificate, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate. > -----BEGIN CERTIFICATE----- > MIIDTDCCArWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB9MQswCQYDVQQGEwJzZTEO > MAwGA1UECBMFa2lzdGExEjAQBgNVBAcTCXN0b2NraG9sbTEMMAoGA1UEChMDZG9j > MQ0wCwYDVQQLEwRibHVlMRIwEAYDVQQDEwl3d3cuYS5jb20xGTAXBgkqhkiG9w0B > CQEWCnR0dEBjY2MuZG4wHhcNMDAxMjIyMDkxOTI0WhcNMDExMjIyMDkxOTI0WjB9 > MQswCQYDVQQGEwJzZTEOMAwGA1UECBMFa2lzdGExEjAQBgNVBAcTCXN0b2NraG9s > bTEMMAoGA1UEChMDZG9jMQ0wCwYDVQQLEwRibHVlMRIwEAYDVQQDEwl3d3cuYS5j > b20xGTAXBgkqhkiG9w0BCQEWCnR0dEBjY2MuZG4wgZ8wDQYJKoZIhvcNAQEBBQAD > gY0AMIGJAoGBALXym9cIVfHZUZFE1MFi+xefDviIEvilnJAQSSPITnZa69fzGcL3 > vpQv0NLxNffs1jEw4RPDMKu2rQ9N02EiiJcrCHnaSNZPdwGoX39IkEUkANzm3mh2 > DlP1RfW4ejpNKsG5Tme/e1vFYWXeXXI1oRtdPIaVGxK8pvqBEHDXCcJlAgMBAAGj > gdswgdgwHQYDVR0OBBYEFJBM3K0KB03fpCOVrQCC34hovwM8MIGoBgNVHSMEgaAw > gZ2AFJBM3K0KB03fpCOVrQCC34hovwM8oYGBpH8wfTELMAkGA1UEBhMCc2UxDjAM > BgNVBAgTBWtpc3RhMRIwEAYDVQQHEwlzdG9ja2hvbG0xDDAKBgNVBAoTA2RvYzEN > MAsGA1UECxMEYmx1ZTESMBAGA1UEAxMJd3d3LmEuY29tMRkwFwYJKoZIhvcNAQkB > Fgp0dHRAY2NjLmRuggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEA > m/GKwEyDKCm2qdPt8+pz1znSGNaRTxfK1R0mjtnDGFb0qk+Bv7d9YlX+1QTZhxnZ > Z4JXuWPJS36kAwiirVbOIaIforIVa+IUlo8HUjMvxzIqCYPiiDwBcBi3NsvjlFM7 > i24Q+lvDLE/Ko+x/YEnNukfp3SBXiJqZ8WZIvbTCyT4= > -----END CERTIFICATE----- > ... Certificate added.

NOTE – Depending on the type of certificate the CA generates (registered or chain), your certificate may appear substantially different from the one shown above. Be sure to copy and paste the entire contents of the certificate file.

4. Apply your changes.

>> Certificate 1# apply Changes applied successfully.

If you have used the request command in the ASA to generate a CSR, and have specified the same certificate number as the CSR when pasting the contents of the certificate file, your certificate is now fully installed.

If you have obtained a certificate by other means, however, you must also add the corresponding private key.

Chapter 6: Managing Certificates and Client Authentication 83 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Using a Copy-and-Paste Operation to Add a Private Key

1. Type the following command from the Main menu prompt on the ASA to start adding a private key. Make sure you specify the same certificate number as when pasting the certificate.

>> Main# cfg/ssl/cert Enter certificate number: (1-) >> Certificate 1# key Paste the key, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate. >

2. Copy the contents of your private key file. Locate the file containing your private key. Make sure the key file corresponds with the certificate file you have received from a CA. The public key contained in the certificate works in concert with the related private key when handling SSL transactions.

Open the key file in a text editor and copy the entire contents. Make sure the selected text includes the “-----BEGIN RSA PRIVATE KEY-----” and “-----END RSA PRI- VATE KEY-----” lines.

3. Paste the contents of the key file at the command prompt. Now, paste the private key at the command line interface prompt. Press ENTER to create a new row, and then type “...” (without the quotation marks). Press ENTER again to complete the installation of the key.

You may be prompted for a password phrase after having completed the paste operation. The password phrase you are requested to type is the one you specified when creating (or exporting) the private key.

84 Chapter 6: Managing Certificates and Client Authentication 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Your screen output should now resemble the following example.

>> Certificate 1# key Paste the key, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate. > -----BEGIN RSA PRIVATE KEY----- > Proc-Type: 4,ENCRYPTED > DEK-Info: DES-EDE3-CBC,2C60C89FEB57A853 > > MbbLDYlwdbNfXUGHFm10nfRlI+KTnx2Bdx750EaG8HSVV7KrtnsNF/Fsz1jFvO/j > nKhZfs4zsVrsstrVlqfP1uatg19VyJSEug1ZcCamH59Dcy+UNocFWCzR56PHpyZK > GXX66jS+6twYdiXQk58URIudkmGXGTYMvBRuVjV22ZRLyJk41Az5nA6HiDz6GGs6 > vkCaPFGm263KxmXjy/okNgSJl9QTqJfSq7Eh1cIslBReAE9HXGl0Eubb6gVJu+sR > mGhS/yGx4vMx98wiMjL37gRtXBfDWlu6u0HOPeJxs6fH05fYzmnpwAHj592TDFds > Ji5pmrY0NhAeXfuG8mF/T9nEz02ZA8iQGJsaUPfkeBxbZS+umY/R65Okwt1k2RN4 > RlFnmRWqvhHMrHzJuegez/806YazHBv74sOg3KgETRH92z5yvwbgFwmffgb+hai0 > RlRtZgQ4A5kSAFYW37KDq6eJBsZ/m3Que1buMbh8tRxdGpo54+bGqu5b12iLanLn > Rk57ENQGTgzxOD/1RZIJHqObCY7VDLkK7WZM/LPa0k+bTeAysmZa7fu7gvELJF0i > vszs3nzm7zT1y0mJ0QX9u9eoW8wpASCAdCC2r2LZt8o9+IWLSZWh5UCIr8qFKGiL > rUIx8coIhxSpx/PqEV8KhSRV+0taq0N7pJa3TLmO3o80t5966VSFKc3Y35fx9Yk8 > G+RlSzo4CxooY4bCKsfchnJ957SJx5vUyh6jjztnuU4iAfeTVCUdF0LXd+NlQ7T7 > IMFsjjx9SZuuHPZTF0KD/WYLx7FfIFIBHDumu6scraYZOaWaJKI5Pw== > -----END RSA PRIVATE KEY----- > ... Enter pass phrase: Key added

4. Apply your changes.

>> Certificate 1# apply Changes applied successfully.

Your certificate and private key is now fully installed and ready to be taken into use by a virtual SSL server. To view information about configured certificates and SSL servers, use the /cfg/ssl/cur command.

Chapter 6: Managing Certificates and Client Authentication 85 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Using TFTP or FTP to Add Certificates and Keys The following is an example of how to input a certificate into the ASA using TFTP or FTP.

1. Put the certificate file and key file on your TFTP/FTP server.

NOTE – You may arrange to include your private key in the certificate file. When the specified certificate file is retrieved from the TFTP/FTP server, the ASA software will analyze the contents and automatically add the private key, if present (the screen output displays “Certificate added” and “Key added” in this case). If the private key is included, you do not have to perform step 3.

2. Initiate the process of adding a certificate using TFTP or FTP. Type the command /cfg/ssl/cert and press ENTER. Specify an unused certificate index number, and then type the command import.

Make sure to specify a certificate number not in use by an existing certificate. To view basic information about all configured certificates, use the /info/certs command.

>> Main# cfg/ssl/cert Enter certificate number: (1-) >> Certificate 1# import Select TFTP or FTP (tftp/ftp) [tftp]: Enter host name or IP address of server: Enter filename on server: Retrieving filename.crt from server

Provided the operation was successful, your screen output should resemble the following example:

>> Certificate 1# import Select TFTP or FTP (tftp/ftp) [tftp]: ftp Enter host name or IP address of server: 192.168.128.58 Enter filename on server: VIP_1.crt Retrieving VIP_1.crt from 192.168.128.58 Key added. Certificate added.

86 Chapter 6: Managing Certificates and Client Authentication 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

3. Add your private key using TFTP or FTP. Type the command import and press ENTER. Provide the required information. You may be prompted for a password phrase (if specified when creating or exporting the private key).

>> Certificate 1# import Select TFTP or FTP (tftp/ftp) [tftp]: Enter host name or IP address of server: Enter filename on server: Retrieving filename.key from server Enter pass phrase:

Provided the operation was successful, your screen output should resemble the following example:

>> Certificate 1# import Select TFTP or FTP (tftp/ftp) [tftp]: ftp Enter host name or IP address of server: 192.168.128.58 Enter filename on server: VIP_1.key Retrieving VIP_1.key from 192.168.128.58 Enter pass phrase: Key added.

4. Apply your changes.

>> Certificate 1# apply Changes applied successfully.

Your certificate and private key is now fully installed and ready to be taken into use by a virtual SSL server. To view basic information about configured certificates and SSL servers, use the /cfg/ssl/cur command.

Chapter 6: Managing Certificates and Client Authentication 87 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Update Existing Certificate

Whenever you wish to substitute an existing certificate for a new certificate, you should keep the existing certificate until it is verified that the new certificate works as designed.

Create a New Certificate

1. Check the certificate numbers currently in use.

>> Main# cfg/ssl/ >> SSL# cur

If e.g. two different certificates exist as Certificate 1 and Certificate 2, create Certificate 3 for your new certificate.

2. Add a certificate with a new certificate number.

>> SSL# cert Enter certificate number: (1-1500) 3 Creating Certificate 3

3. Add the new certificate according to the instructions in “Adding Certificates to the ASA” on page 81”.

4. Apply the new certificate to the desired servers.

>> SSL# server Enter virtual server number: (1-256) 1 >> Server 1# ssl >> SSL Settings# cert Current value: 2 Enter certificate number: (1-1500) 3

After you have tested that the new certificate works fine on your SSL servers you may delete the old certificate(s).

88 Chapter 6: Managing Certificates and Client Authentication 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Configuring a Virtual SSL Server for Client Authentication

In each ASA cluster, you can create an unlimited number of virtual SSL servers. Each virtual SSL server is mapped to a virtual server on the Alteon Application Switch, and can handle a specific service such as HTTPS, SMTPS, IMAPS, or POP3S. Each virtual SSL server is configured to use a server certificate to authenticate itself towards the clients. Besides, a virtual SSL server can be configured to require client certificates in order to authenticate clients before granting access to the requested service.

NOTE – The ASA can also operate in standalone mode, i.e. without being connected to an Alteon Application Switch. For configuration examples, see the Standalone Web Server Accel- erator chapter in the Application Guide.

When a virtual SSL server is set to require client certificates, a CertificateRequest message is sent from the server to the client during the SSL handshake. The client responds by sending its public key certificate in a Certificate message. After that, the client will send a CertificateVerify message to the server. The CertificateVerify message is signed by using the client’s private key, and contains important information about the SSL session known to both the client and the server. Upon receiving the CertificateVerify message, the virtual SSL server will use the public key from the client certificate to authenticate the client’s identity.

The virtual SSL server will also check if the certificate the client presents is signed by an accepted certificate authority. Accepted certificate authorities are defined by the CA certificates you have specified in the virtual SSL server. The certificate you use for generating client certificates must therefore also be specified as a CA certificate in the virtual SSL server.

The virtual SSL server also checks if the client certificate should be revoked, by comparing the serial number of the presented client certificate with entries in the certificate revocation list.

The following steps demonstrate how to configure a virtual SSL server to require client certificates for authentication purposes.

1. Display information about current virtual SSL servers. This command displays information about all certificates and virtual SSL servers on the ASA, including their current configurations. Based on the information displayed, decide which virtual SSL server to configure for client authentication.

>> Main# cfg/ssl/cur

Chapter 6: Managing Certificates and Client Authentication 89 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

2. Configure the chosen virtual SSL server to require client certificates. The client must send its client certificate to the virtual SSL server during the SSL handshake. If the client does not have a certificate, the client will respond with a NoCertificateAlert message. At that point, the session will be terminated.

>> SSL# server 1 >> Server 1# ssl >> SSL Settings for Server 1# verify Current value: none Certificate verification (none/optional/require): require

3. Specify which CA certificates to use for client authentication. Specify which CA certificates you want the virtual SSL server to use for authenticating client certificates. Only those client certificates that are issued by a certificate authority whose CA certificate you specify, will be accepted. Note that the CA certificates you specify by index number must be available on the ASA itself.

In order to authenticate client certificates issued within your own organization, the CA certificate used for generating the issued client certificates must be specified as a CA certificate.

>> SSL Settings for Server 1# cacerts Current value: "" Enter certificate numbers (separated by comma):

To view basic information about all certificates currently added to the ASA, use the /info/certs command.

4. Apply your settings.

>> SSL Settings for Server 1# apply Changes applied successfully.

90 Chapter 6: Managing Certificates and Client Authentication 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Generating Client Certificates on the ASA

Before issuing client certificates, you should establish the means of validating the identities of the users. The credentials users need to present in order to obtain a client certificate may vary, depending on the type of service, the size of your organization, etc.

1. Specify a CA certificate by index number to use for generating a client certificate, and generate the client certificate. In this example certificate number 1 is specified for generating a client certificate. The private key corresponding with the public key in the certificate you specify is used for signing the client certificate.

>> Main# cfg/ssl/cert Enter certificate number: (1-) 1 >> Certificate 1# gensigned Type of certificate (server/client) [client]: The combined length of the following parameters may not exceed 225 bytes. Country Name (2 letter code): State or Province Name (full name): Locality Name (e.g., city): Organization Name (e.g., company): Organizational Unit Name (e.g., section): Common Name (e.g., your name or your server’s hostname): Email Address:

To view basic information about all available certificates, use the /info/certs command.

NOTE – Only certificates having the basic constraint CA:TRUE can be used for generating client certificates. When generating a client certificate, the ASA automatically checks that the current certificate has this constraint. To perform this check yourself, use the /cfg/ssl/cert #/show command and look for lines containing the text X509v3 Basic Constraints:CA:TRUE|FALSE in the screen output.

Chapter 6: Managing Certificates and Client Authentication 91 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

2. When prompted, provide the following information about the subject to include in the client certificate: Country Name (2 letter code): The two-letter ISO code for the country in which the subject resides. With subject is meant the person for whom the client certificate is created. For current information about ISO country codes, visit for example http://www.iana.org State or Province Name (full name): The full name of the state or province in which the subject resides. Locality Name (e.g., city): The name of the city or town where the subject resides. Organization Name (e.g., company): The registered name of the organization to which the subjects belongs. Do not abbreviate the organization name and do not use the following characters: < > ~ ! @ # $ % ^ * / \ ( ) ? Organizational Unit Name (e.g., section): The unit name of the organization to which the subject belongs. Common Name (e.g., the subject’s name): The full name of the subject. E-mail address: The full e-mail address of the subject.

3. Specify the validity period, key size, and serial number. After having provided information about the subject, you are now ready to specify information relating to the client certificate itself.

Decide how many days the client certificate should be valid. By default, each new client certificate is set to be valid for 365 days.

Decide which key size should be used. The default key size is set to 512 bits, which is appropriate in most cases. Note that export versions of MS Internet Explorer 4.x (40-bit encryption) and MS Internet Explorer 5 (56-bit encryption) cannot import client certificates with a larger key size than 512.

Assign a serial number to the client certificate, or accept the suggested number. When generating a new client certificate, the lowest available serial number is displayed in square brackets and will be used unless you specify a different number. As you generate more client certificates, the proposed serial number increments automatically.

>> Certificate 1# Valid for days [365]: Key size (512/1024) [512]: Serial number of client certificate [1]:

92 Chapter 6: Managing Certificates and Client Authentication 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

4. Decide whether to save the client certificate and define a pass phrase for the private key.

>> Certificate 1# Save signed certificate (yes/no) [yes]: (press ENTER to save the certificate) Select cert no. to save to [2]: (press ENTER to accept the suggested certificate index number) Encrypt private key (yes/no) [yes]: (press ENTER to encrypt the private key) Enter export pass phrase: (define a pass phrase to protect the encrypted private key) Reconfirm export pass phrase: Creating new cert 2 Use ’apply’ to save signed key and certificate. -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,5B2BFB839B4A9524

ErcHmgvzyLuaGn9WXrkZgn/EY6CcrgluO7d4fh/a3YuCBFPgiE5NKs7HtqJ6RPfb K/Uinv7MaRSmRzIIbojOaOk6jZUsP1U7d+60Hy/kgfnMI7mI2oByHFvJ1IfZ5Dfs SyJFmbMYSfG7MPtobaUjuTedmBw5Vo5JnpmfYqnd0uvMMT4H8HM6PgEHggJctBoJ iaENDtCEbhaUX6B6+7qzXBpcUx6GJoQ3P8b07YrGhkfY9KWGT4DglKBHJiT4Wgua +voUZ2WPebSC5XCfR6bnIFykxNrFPWMV+2FwxNs6to6QPY2sARwym8/pK2CQFW5b mojNTWtW9U9UObAvV1TUCSUauARy3aVAMtY7bi7HX93Yypk5FXFVn75RoTMB7CIZ jxwL3R7kZFsEmHe/NE4LkiLHRFd+ZxbbRdNC1Zw47qw= -----END RSA PRIVATE KEY-----

Chapter 6: Managing Certificates and Client Authentication 93 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

You should save the client certificate and assign a certificate index number to it. The lowest available index number available is displayed in square brackets and will be used unless you specify a different number. By saving the certificate, you can later easily access the certificate by specifying the assigned index number at the cert prompt. After having specified the assigned index number, you can use the display or export command in order to prepare for the transfer of the client certificate to the subject. To view basic information about all saved certificates, use the /info/certs command.

If you choose to not save the client certificate, you will need to save the private key and the certificate to a file by performing a copy-and-paste operation to a text editor. The private key and the certificate are displayed on screen as soon as you reconfirm the chosen password phrase. The private key and the certificate are combined and saved in the PEM format when using a copy-and-paste operation.

The requested pass phrase is a word or code that you need to define. The pass phrase protects the encrypted key against illegitimate use. When the intended user installs the client certificate into a Web browser or e-mail client, the correct pass phrase (which you defined) is required to unlock the certificate.

5. Verify that the certificate you used for generating the client certificate is specified as a CA certificate for the appropriate virtual SSL server.

>> Main# cfg/ssl/server Enter virtual server number: (1-) 1 >> Server 1# ssl >> SSL Settings for Server 1# cacerts Current value: 1 Enter certificate numbers (separated by comma):

In order to successfully validate the client certificate on authentication, you need to verify that the certificate you used for generating the client certificate is also specified as a CA certificate for the appropriate virtual SSL server. In the sample screen output above, the certificate has already been defined as a CA certificate. This is observable by the line Current value: 1, where number 1 is the index number of the certificate that was used when generating the client certificate. If the certificate index number representing the certificate you used when generating client certificates is not listed by Current value:, type the certificate index number and apply your changes.

If the correct certificate index number is already listed by Current value:, press ENTER and answer no to the question if you want to clear the list.

94 Chapter 6: Managing Certificates and Client Authentication 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

6. Transmit the private key and certificate to the user. Before you transfer the private key and client certificate to the subject, save the key and the certificate to a file using the export or display command on the Certificate menu. The export command is recommended, as this provides you with the option to select the PKCS12 file format (also known as PFX). Most Web browsers accept importing a combined key and certificate file in the PKCS12 format. For more information, see the export and display commands under “Certificate Management Configuration” on page 179.

Transmit the client certificate and the pass phrase protected private key to the user in a secure manner. Never send the password phrase in an e-mail message.

The user will then need to import the received client certificate into his or her Web browser or e-mail program. For more information about importing certificates, refer to the help system of the destination Web browser or e-mail program.

Managing Revocation of Client Certificates

Certificate revocation lists (CRLs) are maintained by certificate authorities to recall client certificates that are no longer considered trustworthy. The reasons for this can be that the client certificate may have been issued by mistake, or that the subject accidentally has revealed the private key.

By keeping a certificate revocation list on your SSL server, client certificates sent to the server are checked against the CRL. If a match is found, the SSL session is terminated. This mode of operation requires, first of all, that you have configured the virtual SSL server to always require client certificates. (For more information, see “Configuring a Virtual SSL Server for Client Authentication” on page 89). You must also regularly check with the certificate authorities you trust for their latest CRLs.

Moreover, if you take on the role of a certificate authority by issuing your own client certificates, you will also need to maintain your own certificate revocation lists. This can be done by listing the serial numbers of the client certificates you want to revoke in an ASCII file. You may also specify the serial number of a particular client certificate directly in the command line interface by using the add command in the Revocation menu.

Chapter 6: Managing Certificates and Client Authentication 95 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Revoking Client Certificates Issued by an External CA

1. Specify the CA certificate, to which you want to add a CRL. The certificate you specify must be a CA certificate from the same certificate authority that published the CRL you are about to add. To view basic information about available certificates, use the /info/certs command.

>> Main# cfg/ssl/cert Enter certificate number: (1-) 1 (example) >> Certificate 1# revoke

2. Download and add a CRL from a TFTP or FTP server. Specify the host name or IP address of the TFTP/FTP server, and provide the file name of the CRL. The CRL is retrieved and added to Certificate 1 (used as an example).

>> Revocation# import Select TFTP or FTP (tftp/ftp) [tftp]: ftp Enter host or IP address of server: 192.168.128.20 (example) Enter name of file on server (PEM, DER or ASCII format): crl.der Retrieving crl.der from 192.168.128.20 Received 12628 bytes in 0.1 seconds

Certificate revocation list found in der format Revocation list added. Use ’apply’ to activate changes.

3. Apply your changes.

>> Revocation# apply Changes applied successfully.

96 Chapter 6: Managing Certificates and Client Authentication 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Revoking Client Certificates Issued within your Own Organization

1. Specify the CA certificate, to which you want to add a CRL. Specify the certificate number that represents the CA certificate of the certificate used for generating the client certificate you want to revoke. To view basic information about available certificates, use the /info/certs command.

>> Main# cfg/ssl/cert Enter certificate number: (1-) 1 (example) >> Certificate 1# revoke

2. Add the serial number of a specific client certificate to revoke.

>> Revocation# add Enter serial number to revoke:

Repeat this step for each serial number you want to add. To display the serial number (along with subject information) for a saved client certificate, use the /info/certs command.

Or, download and add your own CRL in ASCII format from a remote machine.

>> Revocation# import Select TFTP or FTP (tftp/ftp) [tftp]: ftp Enter host or IP address of server: 192.168.128.20 (example) Enter name of file on server (PEM, DER or ASCII format): crl.ascii Retrieving crl.ascii from 192.168.128.20 Received 12628 bytes in 0.1 seconds

Certificate revocation list found in ascii format Revocation list added. Use ’apply’ to activate changes.

If you have added serial numbers for particular client certificates by using the add command prior to using the import command, you will be asked if you want to merge those serial numbers to the CRL in ASCII format. If the CRL does not already include those serial numbers, choose to merge them. However, make sure that you update the original CRL with the merged serial numbers before the next download, as you will otherwise lose them. For more information about how to build your own CRL, see “Creating Your Own Certificate Revocation List” on page 98.

Chapter 6: Managing Certificates and Client Authentication 97 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

3. Verify that the serial numbers of the client certificates you want to revoke have been added.

>> Revocation# list Revoked certificates:

4. Apply your changes.

>> Revocation# apply Changes applied successfully.

Creating Your Own Certificate Revocation List You can easily build and manage certificate revocation lists for client certificates issued within your own organization. The CRL can then be added by using TFTP or FTP. For more information about how to accomplish this, see “Revoking Client Certificates Issued within your Own Organization” on page 97.

1. Open a text editor and create a new file.

2. Decide if you want to add serial numbers in decimal form, or in hexadecimal form. If you choose to add serial numbers for client certificates to revoke in decimal form, add a paragraph in the text document that reads:

ASCII revocation

Or, if you choose to add serial numbers in hexadecimal form, add a paragraph in the text document that reads:

HEX ASCII revocation

NOTE – You can add comments to a CRL ASCII file by preceding your comments with the # character. Each new line of comments must begin with the # character. Comments can be used for providing information about the date of issue or last update, for example. You can cancel the revocation of a client certificate by inserting the # character at the beginning of the line containing the desired serial number.

98 Chapter 6: Managing Certificates and Client Authentication 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

3. Add the serial numbers of the client certificates you want to revoke. For a CRL in decimal format, simply list the serial numbers below the ASCII revocation paragraph. For example:

# CRL for CA certificate 1 # Issued first: 2003-01-01 # Last update: 2003-02-01

ASCII revocation

500 501 590

Or, for a CRL in hexadecimal format, list the serial numbers by their hexadecimal values below the HEX ASCII revocation paragraph. For example:

# CRL for CA certificate 1 # Issued first: 2003-01-01 # Last update: 2003-02-01

HEX ASCII revocation

1F4 1F5 24E

4. Save the file, and upload it to a TFTP or FTP server that can be accessed from your ASA(s).

Chapter 6: Managing Certificates and Client Authentication 99 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

100 Chapter 6: Managing Certificates and Client Authentication 212939-F, November 2003

CHAPTER 7 Using the Quick Server Setup Wizard

The Quick Server Setup Wizard provides a way to quickly configure and enable a working virtual SSL server for the service you specify. Before using the Quick Server Setup Wizard, you must have obtained a server certificate in the PEM format that the virtual SSL server can use.

Note that even if the wizard provides an easy way to create and configure a virtual SSL server, you still must configure the Alteon Application Switch accordingly. The extent of configuration changes to filters etc. needed on the Alteon Application Switch depend on your current setup and services. For detailed examples of virtual SSL server implementations in conjunction with an Alteon Application Switch, see the Application Guide.

The ASA can also operate in standalone mode, i.e. without being connected to an Alteon Application Switch. For configuration examples, see the Standalone Web Server Accelerator chapter in the Application Guide.

Create an HTTP Server

1. Start the Quick Server Setup Wizard and define the server type. As the virtual SSL server is created for HTTPS offload purposes in this example, the server type suggested by the wizard ([http]) need not be changed. Simply press ENTER to preserve the server type.

>> Main# cfg/ssl/quick Type of server (generic/http/socks/portal) [http]:

NOTE – When the SSL server type is set to HTTP, the virtual SSL server is automatically configured to use built-in features such as automatic SSL redirect and the adding of extra headers. For more information about these advanced HTTP-specific features, see “SSL Server HTTP Settings Configuration” on page 201.

101 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

2. Specify the IP address of an existing virtual server. Specify the IP address of an existing virtual server on the Alteon Application Switch in order to bind the HTTP virtual SSL server to that virtual server.

IP address of SSL server: 192.168.128.100

3. Set the listen TCP port. In this example, the virtual SSL server is created for HTTPS offload purposes and the listen TCP port suggested by the wizard ([443]) need not be changed. Simply press ENTER to preserve the TCP port value. However, if you want to set up the virtual SSL server to handle IMAPS for example, you would set the listen TCP port to 993.

Listen port of server [443]:

4. Set the real server IP address. Sets the IP address of the real server to which the virtual SSL server should connect when initiating requests. When using the ASA in conjunction with an Alteon Application Switch, the real server IP address (RIP) should be the set to 0.0.0.0 (the default setting).

Press ENTER to accept the suggested real server IP address.

Real server IP [0.0.0.0]:

5. Set the real server TCP port. The real server port defines the TCP port to which the virtual SSL server connects. When setting up a virtual SSL server for HTTPS offload purposes, the default real server port is 81. The virtual SSL server will use this port to send and receive decrypted HTTP information to and from the real Web servers.

Real server port [81]:

NOTE – The real Web servers must also be configured to listen for ASA traffic on port 81. For security reasons it is also important to define a filter on the Alteon Application Switch that blocks all incoming client traffic destined for port 81.

102 Chapter 7: Using the Quick Server Setup Wizard 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

6. Specify whether or not the site should be password protected. If you choose yes here, a login window will be displayed when the user connects to the HTTP server. The login feature is on top of the SSL encryption, which makes it safe to enter user name and password. For user authentication, you will be prompted to select an existing Xnet domain (if any). The authentication scheme adhering to this Xnet domain will then be used.

Should the site be password protected (yes/no) [no]:

7. Specify whether or not the real server is an Outlook Web Access server. If the real server is an Outlook Web Access server, choose yes, otherwise choose no.

Is the real server an Outlook Web Access server (yes/no) [no]:

NOTE – Enabling this setting corresponds to enabling the addfront setting on the /cfg/ssl/server #/http menu. For more information about these advanced HTTP-specific features, see “SSL Server HTTP Settings Configuration” on page 201.

8. Choose whether to use an existing certificate or not. If you wish to use a certificate already present in the ASA configuration, choose the desired certificate by entering the corresponding number, otherwise choose no.

Use existing certificate (no/1) [no]:

9. If you answered no in step 8, paste the certificate you want the virtual SSL server to use. Locate the certificate you want to use, make sure the certificate file is in the PEM format (which combines both the private key and the certificate in the same file), open the file in a text editor and copy the entire content. Make sure your text selection includes the “-----BEGIN PRIVATE KEY-----” and “-----END CERTIFICATE-----” lines.

Now, paste the content at the command line interface prompt, press ENTER to create a new empty line, and then type “...” (without the quotation marks). Press ENTER again to complete the installation of the certificate. If the private key has been password protected, you will be asked to provide the correct pass phrase.

Paste the certificate and key, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate. >

Chapter 7: Using the Quick Server Setup Wizard 103 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

10. Your screen output should now resemble the following example:

Paste the certificate, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate. > -----BEGIN RSA PRIVATE KEY----- > Proc-Type: 4,ENCRYPTED > DEK-Info: DES-EDE3-CBC,A869F45E9CC45F52 > > 7Px2H7TG/9omI8juY96FKTY3+8ID6J2KGMMutWBT7ug6dVzKD+K0yd6Lza20xivk > JVWXU7+ry448vcHVw2ApSb3qvlg7FRdN7oFYutZZESozlZrZzbKDxv4LH/lqW2x+ > Ngb2qjFsP6jKtlc4TNkdFLYkzVxXC6h+hSdG7C0H4taylxoP1RdY8SZwoT0PLaC6 > 8aZGCdfYZ+RsVDoGeP3QyenlXTrMls/d2+SWOG4xjEAfEHunI/z7W1lIBmipmvnz > wjbD2PNmzx2k8JuYA4gclbAfJYKoeT1O4N9tzJrv0GLkG1Hq8XAvHXzs4W8WUfln > sCmu1kKDGCfl6EOCt1le4oDzK8EuBZF2y0ZmQYEXuf9oFUN3xiu/rShzEPFCoADv > a8ZV+jvFH1j/ozvTmRXaNz1I8dHkbrFz8ViELfqXr6k= > -----END RSA PRIVATE KEY----- > > -----BEGIN CERTIFICATE----- > MIICXjCCAgigAwIBAgIBADANBgkqhkiG9w0BAQQFADBbMQswCQYDVQQGEwJTRTEK > MAgGA1UECBMBZzEKMAgGA1UEBxMBZzEKMAgGA1UEChMBZzEKMAgGA1UECxMBZzEK > MAgGA1UEAxMBZzEQMA4GCSqGSIb3DQEJARYBZzAeFw0wMDExMTQxNzQ0NTBaFw0w > MTExMTQxNzQ0NTBaMFsxCzAJBgNVBAYTAlNFMQowCAYDVQQIEwFnMQowCAYDVQQH > EwFnMQowCAYDVQQKEwFnMQowCAYDVQQLEwFnMQowCAYDVQQDEwFnMRAwDgYJKoZI > hvcNAQkBFgFnMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMM1w/CGs5lLh3Thrns6 > HW2s8YT0ujIq3chDHppNSQQskeM4EN4GIRbBmPmuMmqFzmC1CVARm4wJQu+/Xnnv > s6sCAwEAAaOBtjCBszAdBgNVHQ4EFgQUMeRJwoUki4m4moHPCgvhbNgCgacwgYMG > A1UdIwR8MHqAFDHkScKFJIuJuJqBzwoL4WzYAoGnoV+kXTBbMQswCQYDVQQGEwJT > RTEKMAgGA1UECBMBZzEKMAgGA1UEBxMBZzEKMAgGA1UEChMBZzEKMAgGA1UECxMB > ZzEKMAgGA1UEAxMBZzEQMA4GCSqGSIb3DQEJARYBZ4IBADAMBgNVHRMEBTADAQH/ > MA0GCSqGSIb3DQEBBAUAA0EALUQqocsBBMd7Y9b2PnMoc/U9yzcunxH3cwSK+oLE > NuykQRO72vie+n1uztXTJxugTnFO9MGoIxEy19zFklUrLQ== > -----END CERTIFICATE----- > ... Enter pass phrase: Do you require chain certificates (yes/no) [no]:

104 Chapter 7: Using the Quick Server Setup Wizard 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

11. If the server certificate you just added is a chain certificate, add your chain certificate(s) as well. You need to repeat the pasting of chain certificates until the root CA certificate has been added. This constructs the server certificate chain, which is sent to the client’s browser in addition to the server certificate.

When you have added your root CA certificate, answer no to the question if you require (additional) chain certificates. The following message is then displayed:

Do you require more chain certificates (yes/no) [no]: no Creating new server 2 Creating new cert 2 Server certificate added as cert 2 Creating new cert 3 Adding chain certificate as cert 3 Use apply to activate the new server.

12. Apply your settings.

>> SSL# apply

13. Verify your settings.

>> SSL# cur

According to the example above, information relating to the added virtual SSL server and added certificates can be reviewed under the following main entries in the screen output, after you have issued the cur command:

Certificate 2 Certificate 3 Server 2

Chapter 7: Using the Quick Server Setup Wizard 105 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Create a Socks server

1. Start the Quick Server Setup Wizard and define the server type. When the ASA is used for SSL VPN support, a Socks server is generally not required. Both the Portal and the SSL VPN client work fine with just a Portal server. However, if exclusive support for the SSL VPN client is the desired option (i.e. no SSL VPN Portal interaction), a Socks server must be configured. See the Application Guide for examples of SSL VPN usage.

>> Main# cfg/ssl/quick Type of server (generic/http/socks/portal) [http]: socks

2. Specify the IP address of an existing virtual server. Specify the virtual IP address (VIP) for the Socks server. This IP address should correspond to the IP address of a virtual server on the Alteon Application Switch. If stand-alone mode is used, specify an IP address here and configure the SSL server later, according to the instructions in the “Stand-Alone Web Server Accelerator” chapter in the Application Guide.

IP address of SSL server: 192.168.128.101

3. Set the listen TCP port. In this example, the virtual SSL server is created for requests through a SOCKS over SSL connection. The listen TCP port suggested by the wizard ([1080]) need not be changed. Simply press ENTER to preserve the TCP port value.

NOTE – This is not the RFC standard SOCKS protocol, but an SSL-encrypted version. Other SOCKS clients than the SSL VPN client cannot be used to access this service.

Listen port of server [1080]:

4. Select an Xnet domain to use for authentication. To be able to use the SSL VPN feature, an Xnet domain has to be configured and associated with the Socks server. Existing Xnet domains (if any) are shown within the parenthesis.

Select an Xnet domain to use for authentication (1) [1]:

106 Chapter 7: Using the Quick Server Setup Wizard 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

5. Select whether or not to use unqualified domain names. If you enable use of short names (unqualified domain names) you can specify one or several domain names with which it is sufficient to use a short name when requesting the destination.

Do you want support for short names (yes/no) [yes]:

6. If you chose to support unqualified domain names, list the desired domains. For example, if you specify .example.com, the user can use any short name (e.g. www) that is configured in DNS for the specified domains.

Enter comma separated list domains: .example.com, .support.example.com (examples of list domains)

7. If the HTTP Proxy feature on the Portal page should be available, enable http proxy. The HTTP Proxy feature sees to it that intranet web page links embedded in plugins (such as Flash, Shockwave and Java applets) will be redirected to the ASA through a secure connection when executed.

Enable support for portal http proxy (yes/no) [yes]:

8. Continue with adding certificates according to Step 8 to Step 13 in “Create an HTTP Server” on page 101.

Chapter 7: Using the Quick Server Setup Wizard 107 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Create a Portal Server

1. Start the Quick Server Setup Wizard and define the server type. A Portal server is required to generate the SSL VPN Portal page (browser-based mode). The Portal server is also required to be able to download the virtual SSL Socks server configuration settings using the SSL VPN client wizard. See the Application Guide for SSL VPN usage examples.

>> Main# cfg/ssl/quick Type of server (generic/http/socks/portal) [http]: portal

2. Specify the IP address of an existing virtual server. Specify the virtual IP address (VIP) for the Portal server. This IP address should correspond to the IP address of a virtual server on the Alteon Application Switch. If stand-alone mode is used, specify an IP address here and configure the SSL server later, according to the instructions in the “Stand-Alone Web Server Accelerator” chapter in the Application Guide.

IP address of SSL server: 192.168.128.103

3. Set the listen TCP port. In this example, the virtual SSL server is created for HTTPS requests to the Portal page. The listen TCP port suggested by the wizard ([443]) need not be changed. Simply press ENTER to preserve the TCP port value.

Listen port of server [443]:

4. Select an Xnet domain to use for authentication. To be able to use the SSL VPN feature, an Xnet domain has to be configured and associated with the Portal server. Existing Xnet domains (if any) are shown within the parenthesis.

Select an Xnet domain to use for authentication (1) [1]:

5. Specify whether or not you want support for portal applets and the SSL VPN client. If you enable support for Portal applets and the SSL VPN client, the features available on the Portal’s Advanced tab will be supported (i.e. HTTP Proxy, Port forwarder, and Telnet/SSH access). Support for SSL VPN client is also added.

Do you want support for portal applets and vpn client (yes/no) [yes]:

108 Chapter 7: Using the Quick Server Setup Wizard 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

6. Select whether or not to use unqualified domain names. If you enable use of short names (unqualified domain names) you can specify one or several domain names with which it is sufficient to use a short name when requesting the destination.

Do you want support for short names (yes/no) [yes]:

7. If you chose to support unqualified domain names, list the desired domains. For example, if you specify .example.com, the user can use any short name (e.g. www) that is configured in DNS for the specified domains.

Enter comma separated list domains: .example.com, .support.example.com (examples of list domains)

8. Specify the DNS name of the virtual SSL server.

Enter the DNS name of the VIP (e.g. www.example.com): vpn.example.com (example of DNS name)

9. Continue with adding certificates according to Step 8 to Step 13 in “Create an HTTP Server” on page 101.

Chapter 7: Using the Quick Server Setup Wizard 109 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

110 Chapter 7: Using the Quick Server Setup Wizard 212939-F, November 2003

CHAPTER 8 The Command Line Interface

This chapter explains how to access the ASA via the command line interface (CLI).

The ASA version 4.1 software provides means for accessing, configuring, and viewing information and statistics about the ASA. By using the built-in, text-based command line interface and menu system, you can access and configure the ASA either via a local console connection (using a computer running terminal emulation software), or via a remote session using either a Telnet client or an SSH client.

When using a Telnet client or SSH client to connect to a cluster of ASAs, always connect to the IP address of the MIP (Management IP). Configuration changes are automatically propagated to all members of the cluster. However, when using the halt, reboot, or delete commands (available in the Boot menu), you should connect to the IP address of the particular ASA on which you want to perform these commands, or connect to that ASA via a console connection.

111 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Connecting to the ASA

You can access the command line interface in two ways:

Using a console connection via the console port Using a Telnet connection or SSH connection over the network.

Establishing a Console Connection A console connection is required when performing the initial setup, and when reinstalling the ASA software as the boot user. When logging in as root user for advanced troubleshooting purposes, a console connection is also required.

Requirements To establish a console connection with the ASA, you will need the following:

An ASCII terminal or a computer running terminal emulation software set to the parameters shown in the table below:

Table 8-1 Console Configuration Parameters

Parameter Value

Baud Rate 9600 Data Bits 8 Parity None Stop Bits 1 Flow Control None

A serial cable with a female DB-9 connector. (For more specific information, see the “Connecting to the ASA” chapter in the Alteon SSL Accelerator Hardware Installation Guide.)

112 Chapter 8: The Command Line Interface 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Procedure

1. Connect the terminal to the Console port using the correct serial cable. When connecting to an ASA, use a serial cable with a female DB-9 connector (shipped with the ASA).

2. Power on the terminal.

3. To establish the connection, press ENTER on your terminal. You will next be required to log in by entering a user name and a password. For more information on user accounts and default passwords, see “Accessing the ASA” on page 116.

Establishing a Telnet Connection A Telnet connection offers the convenience of accessing the ASA from any workstation connected to the network. Telnet access provides the same options for user access and administrator access as those available through the console port.

To configure the ASA for Telnet access, you need to have a device with Telnet client software located on the same network as the ASA. The ASA must have an IP address and a Manage- ment IP address. If you have already performed the initial setup by selecting new or join in the Setup menu, the assignment of IP addresses is complete.

When making configuration changes to a cluster of ASAs via Telnet, it is recommended that you connect to the IP address of the MIP. However, if you want to halt or reboot a particular ASA in a cluster, or reset all configuration to the factory default settings, you must connect to the IP address of the particular ASA. This also applies when using an SSH connection instead of a Telnet connection. To view the IP addresses of all ASAs in a cluster, use the /info/isdlist command.

Enabling and Restricting Telnet Access Telnet access to the ASA is disabled by default, for security reasons. However, depending on the severity of your security policy, you may want to enable Telnet access. You may also restrict Telnet access to one or more specific machines.

For more information on how to enable Telnet access, see the telnet command under “Sys- tem Access Configuration” on page 315. For more information on how to restrict Telnet access to one or more specific machines, see the add command under “System Access Configura- tion” on page 315.

Chapter 8: The Command Line Interface 113 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Running Telnet Once the IP parameters on the ASA are configured and Telnet access is enabled, you can access the CLI using a Telnet connection. To establish a Telnet connection with the ASA, run the Telnet program on your workstation and issue the Telnet command, followed by the ASA IP address.

telnet

You will then be prompted to enter a valid user name and password. For more information about different user accounts and default passwords, see “Accessing the ASA” on page 116.

Establishing a Connection Using SSH (Secure Shell) When accessing the ASA from a workstation connected to the network using a Telnet connection, it is important to keep in mind that the communication channel is not secure. All data flowing back and forth between the Telnet client and the ASA is sent unencrypted (including the password), and there is no server host authentication.

By using an SSH client to establish a connection over the network, the following benefits are achieved:

Server host authentication Encryption of passwords for user authentication Encryption of all traffic that is transmitted over the network when configuring or collecting information from the ASA

114 Chapter 8: The Command Line Interface 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Enabling and Restricting SSH Access SSH access to the ASA is disabled by default. However, depending on the severity of your security policy, you may want to enable SSH access. You may also restrict SSH access to one or more specific machines.

For more information on how to enable SSH access, see the ssh command under “System Configuration” on page 299. For more information on how to restrict SSH access to one or more specific machines, see the add command under “System Access Configuration” on page 315.

Running an SSH Client Connecting to the ASA using a SSH client is similar to connecting via Telnet. As with Telnet, the IP parameters on the ASA need to be configured in advance and SSH access must be enabled. After providing a valid user name and password, the command line interface in the ASA is accessible the same way as when using a Telnet client. However, since a secured and encrypted communication channel is set up even before the user name and password is transmitted, all traffic sent over the network while configuring or collecting information from the ASA is encrypted. For information about different user accounts and default passwords, see “Accessing the ASA” on page 116.

During the initial setup of the ASA, you are provided with the choice to generate new SSH host keys. It is recommended that you do so, in order to maintain a high level of security when connecting to the ASA using a SSH client. If you fear that your SSH host keys have been com- promised, you can create new host keys at any time by using the /cfg/sys/adm/gensshkey command. When reconnecting to the ASA after having generated new host keys, your SSH client will display a warning that the host identification (or host keys) has been changed.

Chapter 8: The Command Line Interface 115 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Accessing the ASA

To enable better ASA management and user accountability, five categories of users can access the ASA:

The Operator is only granted read access to the menus and information appropriate to this user access level. The Operator cannot make any changes to the configuration. The Administrator can make any changes to the ASA configuration. Thus, the Adminis- trator has read and write access to all menus, information and configuration commands in the ASA. A Certificate Administrator is a member of the certadmin group, and has sufficient user rights to manage certificates and private keys on the ASA. By default, only the Administrator user is a member of the certadmin group. To separate the Certificate Administrator user role from the Administrator user role, the Administrator user can add a new user account to the system, assign the new user to the certadmin group, and then remove himself or herself from the certadmin group. For more information, see “Add- ing a New User” on page 66. The Boot user can only perform a reinstallation. For security reasons, it is only possible to log in as the Boot user via the console port using terminal emulation software. The Boot user password cannot be changed from the default ForgetMe. The Root user is granted full access to the underlying Linux operating system. For security reasons, it is only possible to log in as the Root user via the console port using terminal emulation software. Root user access should mainly be reserved for advanced troubleshooting purposes, under guidance from Nortel Networks customer support. For more information, see “How to Get Help” on page 17. Access to the ASA command line interface and settings is controlled through the use of four predefined user accounts and passwords. Once you are connected to the ASA via a console connection or remote connection (Telnet or SSH), you are prompted to enter a user account name and the corresponding password. The default user accounts and passwords for each access level are listed in Table 8-2 on page 117.

NOTE – The default Administrator user password can be changed during the initial configuration (see “Installing an ASA in a New Cluster” on page 36). For the Operator user, the Boot user, and the Root user however, the default passwords are used even after the initial configuration. It is therefore recommended that you change the default ASA passwords soon after the initial configuration, and as regularly as required under your network security policies. For more information about how to change a user account password, see “Changing a User’s Password” on page 71.

116 Chapter 8: The Command Line Interface 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 8-2 User Access Levels

User Account User Group Access Level Description Default Password

oper oper The Operator is allowed read access to some of the oper menus and information available in the CLI.

admin admin The Administrator is allowed both read and write admin oper access to all menus, information and configuration certadmin commands. The Administrator can add users to all groups in which the Administrator himself or herself is a member. The Administrator can delete a user from any of the three built-in groups.

certadmin By default, only the Administrator is a member of the certadmin group. Certadmin group rights are sufficient for administrat- ing certificates and keys on the ASA. A certificate administrator user has no access to the SSL Server menu, and only limited access to the System menu.

boot The boot user can only perform a reinstallation of the ForgetMe software, and only via a console connection.

root The root user has full access to the underlying Linux ForgetMe operating system, but only via a console connection.

CLI vs. Setup

Once the Administrator user password is verified, you are given complete access to the ASA. If the ASA is still set to its factory default configuration, the system will run Setup (see “Installing an ASA in a New Cluster” on page 36), a utility designed to help you through the first-time configuration process. If the ASA has already been configured, the Main menu of the CLI is displayed instead.

Chapter 8: The Command Line Interface 117 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

The following figure shows the Main menu with administrator privileges.

[Main Menu] info - Information Menu stats - Statistics Menu cfg - Configuration Menu boot - Boot Menu maint - Maintenance Menu diff - Show pending config changes [global command] apply - Apply pending config changes [global command] revert - Revert pending config changes [global command] paste - Restore saved config with key [global command] help - Show command help menu [global command] exit - Exit [global command, always available]

Figure 8-1 Administrator Main Menu

Command Line History and Editing

For a description of global commands, shortcuts, and command line editing functions, see “ASA Command Reference” on page 141.

Idle Timeout

The ASA will disconnect your local console connection or remote connection (Telnet or SSH) after 10 minutes of inactivity. This value can be changed to a maximum value of 1 hour using the /cfg/sys/adm/clitimeout command.

If you have unapplied configuration changes when automatically disconnected after the specified idle timeout value, the unapplied configuration changes will be lost. Therefore, make sure to save your configuration changes regularly by using the global apply command.

If you have unapplied configuration changes when using the global exit command to log out from the command line interface, you will be prompted to view the pending configuration changes by using the global diff command. After verifying the pending configuration changes, you can either remove the changes or apply them. For more information about pending configuration changes, see “Viewing, Applying and Removing Changes” on page 174.

118 Chapter 8: The Command Line Interface 212939-F, November 2003 CHAPTER 9 Troubleshooting the ASA

This chapter provides troubleshooting tips for the following problems:

Cannot connect to the ASA via Telnet or SSH, on page 120. Cannot add the ASA to an existing cluster, on page 122. Cannot contact the MIP on page 123. The ASA stops responding, on page 124. A user password is lost, on page 125. An ASA does not process any SSL traffic, on page 126. Resetting the HSM cards on the ASA, on page 128. An ASA cluster configuration needs to be reconstructed onto new devices, on page 131. The chapter also provides a section on performing system diagnostics, on page 135.

119 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Cannot Connect to ASA via Telnet or SSH

Verify the Current Configuration Connect via a console connection and check that Telnet or SSH access to the ASA is enabled. By default, remote connections to the ASA are disabled for security reasons. Type the command /cfg/sys/adm/cur to see whether remote access via Telnet or SSH is enabled.

>> # /cfg/sys/adm/cur Collecting data, please wait... Administrative Applications: CLI idle timeout = 1h Telnet CLI access = off SSH CLI access = off

Enable Telnet or SSH Access If your security policy affords enabling remote connections to the ASA, type the command /cfg/sys/adm/telnet to enable Telnet access, or the command /cfg/sys/adm/ssh to enable SSH access. Apply your configuration changes.

>> # /cfg/sys/adm/ssh Current value: off Allow SSH CLI access (on/off): on >> Administrative Applications# apply Changes applied successfully.

Check the Access List If you find that Telnet or SSH access is enabled but you still can’t connect to the ASA using a Telnet or SSH client, check whether any hosts have been added to the Access List. Type the command /cfg/sys/accesslist/list to view the current Access List.

>> # /cfg/sys/accesslist/list 1: 192.168.128.78, 255.255.255.0

When Telnet or SSH access is enabled, only those hosts listed in the Access List are allowed to access the ASA over the network. If no hosts have been added to the Access List, this means that any host is allowed to access the ASA over the network (assuming that Telnet or SSH access is enabled).

120 Chapter 9: Troubleshooting the ASA 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Check the IP Address Configuration If your host is allowed to access the ASA over the network according to the Access List, check that you have configured the correct IP addresses on the ASA. Make sure you ping the real IP address of the ASA, and not the Management IP (MIP) of the cluster in which the ASA is a member. Type the command /cfg/sys/cluster/cur to view IP address information for all ASAs in the cluster.

>> # /cfg/sys/cluster/cur Cluster: Management IP (MIP) address = 192.168.128.211

iSD Host 1: Type of the iSD = master IP address = 192.168.128.210 License = xnet (10), tps (unlimited) Default gateway address = 192.168.128.3 Ports = 1

Host Routes: No items configured

Host Interface 1: IP address = 192.168.128.210 Network mask = 255.255.255.0 VLAN tag id = 0 Mode = failover Primary port = 0

Interface Ports: 1

Host Port 1: Autonegotiation = on Speed = 0 Full or half duplex mode = full

If the IP address assigned to the ASA seems to be correct, you may have a routing problem. Try to run traceroute (a global command available at any menu prompt) or the tcpdump command (or some other network analysis tool) to locate the problem. For more information about the tcpdump command, see page 195.

If this does not help you to solve the problem, contact Nortel Networks for technical support. See “How to Get Help” on page 17.

Chapter 9: Troubleshooting the ASA 121 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Cannot Add an ASA to a Cluster

When trying to add an ASA to a cluster by selecting join in the Setup menu, you may receive an error message stating that the system is running an incompatible software version. The incompatible software version referred to in the error message is the software that is running on the ASA device you are trying to add to the cluster. This error message is displayed whenever the ASA you are trying to add has a different software version from the ASA(s) already in the cluster. In this situation you need to do one of the following:

Adjust the software version on the ASA device you are trying to add to the cluster, to syn- chronize it with the software version running on the ASA(s) already in the cluster. You can verify software versions by typing the command /boot/software/cur, where the active version is indicated as permanent. Adjusting the software version on the ASA device you want to add to the cluster implies either upgrading to a newer software version, or reverting to an older software version. In either case you will need to perform the steps described in “Reinstalling the Software” on page 56. After having adjusted the software version, log in as the Administrator user and select join from the Setup menu. Upgrade the software version running on the ASA(s) in the cluster to the same version as running on the ASA you want to add to the cluster. Perform the steps described in “Per- forming Minor/Major Release Upgrades” on page 60. Then add the ASA device by selecting join from the Setup menu.

122 Chapter 9: Troubleshooting the ASA 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Cannot Contact the MIP

When trying to add an ASA to a cluster by selecting join in the Setup menu, you may receive an error message stating that the system is unable to contact the Management IP address (MIP).

This could be the case if you are trying to join an ASA to a cluster and there are existing entries in the Access list. Typically, the Access list contains valid IP addresses for Telnet or SSH management. If the Access list contains entries, you have to add the Interface 1 IP addresses of both ASAs and the Management IP address (MIP) to the Access list before joining the ASA.

If the Access list is empty, communication should be working fine.

Check the Access List On the master ASA, check if there are entries in the Access list. Type the command /cfg/sys/accesslist/list to view the current Access list.

>> # /cfg/sys/accesslist/list 1: 192.168.128.78, 255.255.255.0

Add Interface 1 IP Addresses and MIP to Access List Use the /cfg/sys/cluster/cur command to view the Host Interface 1 IP address for the existing ASA. Then add this IP address, the intranet IP address you had in mind for the new ASA and the Management IP address (MIP) to the Access list.

To add the IP addresses to the Access list, type the command /cfg/sys/accesslist/add.

>> # /cfg/sys/accesslist/add Enter network address: Enter netmask:

Try adding the ASA to the cluster using the join command in the Setup menu.

Chapter 9: Troubleshooting the ASA 123 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

The ASA Stops Responding

Telnet or SSH Connection to the Management IP Address When you are connected to a cluster of ASAs via a Telnet or SSH connection to the Manage- ment IP address, your connection to the cluster can be maintained as long as at least one master ASA in the cluster is up and running. However, if the particular ASA that currently is in control of the Management IP stops responding while you are connected, you need to close down your Telnet or SSH connection and reconnect to the Management IP address.

After doing so, you can view the operational status of all ASAs in the cluster by typing the command /info/isdlist. If you find that one of the ASA’s operational status is indicated as down, you should reboot that machine. On the ASA 310, press the Power button on the back panel to turn the machine off, wait until the fan comes to a standstill, and then press the Power button again to turn the machine on.

Console Connection If you are connected to a particular ASA via a console connection, and that ASA stops responding, you should first try pressing the key combination CTRL+ ^ and press ENTER. This will take you back to the login prompt. Log in as the Administrator user and check the operational status of the ASA. Type the command /info/isdlist and see if the operational status is indicated as up. If the operational status is indicated as up, the ASA should continue to process SSL traffic without the need of a reboot.

If the operational status of the ASA is indicated as down, try rebooting the ASA by typing the command /boot/reboot. You will be asked to confirm your action before the actual reboot is performed. Log in as the Administrator user and check if the operational status of the ASA is now up.

If the operational status of the ASA still is down, reboot the machine. On the ASA 310, press the Power button on the back panel to turn the machine off, wait until the fan comes to a standstill, and then press the Power button again to turn the machine on. Log in as the Administrator user when the login prompt appears.

124 Chapter 9: Troubleshooting the ASA 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

A User Password is Lost

Administrator User Password If you have lost the Administrator user password there is only one way to regain access to the ASA as the Administrator user: reinstalling the software via a console connection as the Boot user.

For more information, see “Reinstalling the Software” on page 56.

Operator User Password If you have lost the Operator user password, log in as the Administrator user and define a new Operator user password. Only the Administrator user can change the Operator user password.

For more information, see the edit command under “User Access Configuration” on page 327. Root User Password

If you have lost the Root user password, log in as the Administrator user and define a new Root user password. Only the Administrator user can change the Root user password. For more information, see the edit command under “User Access Configuration” on page 327.

Boot User Password The default Boot user password cannot be changed, and can therefore never really be “lost”. If you have forgotten the Boot user password, see “Accessing the ASA” on page 116.

If the Boot user password could be changed and you have lost both the Administrator password and the Boot user password, the ASA would be rendered completely inaccessible to all users except the Operator, whose access level does not permit any changes being made to the configuration of the ASA.

The fact that the Boot user password cannot be changed should not imply a security issue, since the Boot user can only access the ASA via a console connection using a serial cable, and the ASA presumably is set up in a server room with restricted access.

Chapter 9: Troubleshooting the ASA 125 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

An ASA HSM Stops Processing Traffic

Whenever an ASA has undergone a reboot (whether intentionally invoked by the user, or due to a power failure), the device stops processing SSL traffic. This behavior is perfectly normal, and is due to the high security demands placed on the ASA.

To make the ASA start processing SSL traffic again, log in to the HSM cards using the HSM- USER iKey associated to each card. Logging in to the HSM cards will clear the alarms that were set during the reboot, and the ASA will accept SSL traffic again.

Follow these steps to log in to the HSM cards:

1. Log in to the specific ASA that has undergone a reboot as the admin or oper user.

When connecting to the ASA, you can use a console connection, or a remote connection (Tel- net or SSH, if enabled in the system configuration).

NOTE – It is important that you log in to the particular ASA on which a reboot has occurred, and not to the Management IP address (MIP) of the cluster.

126 Chapter 9: Troubleshooting the ASA 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

2. Log in to each HSM card consecutively by inserting the correct HSM-USER iKey and providing the associated password. Remember that each HSM card requires inserting the specific HSM-USER iKey that was used when initializing that particular HSM card. This holds true even if you use the same password for both HSM-USER iKeys.

>> Main# maint/hsm/login Verify that HSM-USER iKey (blue) is inserted in card 0 (with flashing LED). Hit enter when done. Enter the current HSM-USER password for card 0: Successful login on card 0. Verify that HSM-USER iKey (blue) is inserted in card 1 (with flashing LED). Hit enter when done. Enter the current HSM-USER password for card 1: Successful login on card 1.

NOTE – If you enter the wrong password for the HSM-USER fifteen (15) times in a row, the HSM-USER iKey will be rendered unusable. This is due to the strict security specifications placed on the ASA.

3. Verify that the alarms that caused the ASA to stop processing SSL traffic have been cleared.

>> # /info/events/alarms ** (alarm) Active Alarm List ***************************************

The hsm_not_logged_in alarms that were triggered during the reboot should now be cleared from the active alarm list, after the successful login to both HSM cards. The ASA is now ready to process SSL traffic again.

Chapter 9: Troubleshooting the ASA 127 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Resetting HSM Cards on the ASA 310-FIPS

When removing an ASA 310-FIPS device from a cluster, you have the option to reset (or de-initialize) the HSM cards.

When an ASA 310-FIPS device that has been removed from a cluster is installed in a new cluster, or added to an existing cluster, the cards will be initialized again. This is done by performing a series of steps as part of the setup procedure of the ASA device itself. If the Setup utility detects that the cards have not been reset, you will be prompted to reset the HSM cards at that time. The HSM cards must be reset before they can be initialized. You may therefore choose to reset the cards already when removing the ASA device from the cluster. Resetting the HSM cards will clear all sensitive cryptographic information stored on the cards. Until the cards are initialized again, they will remain in that state.

To reset the HSM cards, you need the following:

The two pairs of HSM-SO and HSM-USER iKeys, where each pair is associated with a particular HSM card on the ASA 310-FIPS device you want to delete from the cluster The HSM-SO password associated with each HSM-SO iKey Log in as the admin user to the particular ASA 310-FIPS device you want to delete If the ASA 310-FIPS device will be used in a different department or organization after it has been deleted from the cluster, you may want to change the current password for the HSM-SO iKey and the HSM-USER iKey before you reset the HSM cards. The user who performs the initial setup of the ASA device must then provide the “transient” passwords known by both parties when initializing the HSM cards, but can directly change to new HSM-SO and HSM- USER passwords within the normal initialization procedure.

To change the current password for the HSM-SO iKey before resetting the HSM cards, use the /maint/hsm/changepass command. For more information about this command, see page 340.

NOTE – When moving the ASA 310-FIPS device to a different location, make sure to maintain the connection between each pair of HSM-SO and HSM-USER iKeys and the particular HSM card to which they are associated. To initialize the HSM cards when installing or adding the device in a cluster, the correct HSM-SO and HSM-USER iKeys are required, as well as the corresponding HSM-SO and HSM-USER passwords.

128 Chapter 9: Troubleshooting the ASA 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

1. Log in to the ASA 310-FIPS that you want to delete from the cluster. In this step it is important that you connect to the particular ASA 310-FIPS that you want to delete from the cluster. To do that, you can use either a console connection, or a remote connection (via Telnet or SSH) using the IP address assigned to the specific ASA 310-FIPS device. Do not connect via a remote connection using the Management IP (MIP) address of the ASA cluster. To view the IP addresses assigned to each ASA 310-FIPS device in the cluster, use the /info/isdlist command.

2. Delete the ASA 310-FIPS (iSD) and choose to reset the HSM cards.

>> Main# /boot/delete Are you sure you want delete the iSD? (y/n) y Do you want to clear the HSM card(s) as well? (y/n) [y]: (press ENTER to accept resetting the HSM cards)

3. Insert the HSM-SO iKey associated with HSM card 0 in the card with flashing LED and provide the correct password. Remember that each HSM card requires inserting the specific HSM-SO iKey that was used when initializing that particular HSM card. This holds true even if you use the same password for both HSM-SO iKeys that are used on one ASA device.

(continued) Verify that HSM-SO iKey (purple) is inserted in card 0 (with flashing LED). Hit enter when done. Enter the current HSM-SO password for card 0:

Chapter 9: Troubleshooting the ASA 129 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

4. Insert the HSM-SO iKey associated with HSM card 1 in the card with flashing LED and provide the correct password. Again, make sure that you insert the correct HSM-SO iKey, as each HSM card requires the specific iKey that was used when the card was first initialized.

(continued) Verify that HSM-SO iKey (purple) is inserted in card 1 (with flashing LED). Hit enter when done. Enter the current HSM-SO password for card 1:

iSD 192.168.128.185 deleted. Logging out.

The ASA 310-FIPS device is now removed from the cluster and reset to its factory default settings. Both HSM cards are also reset, which means that all sensitive cryptographic information stored on the cards is deleted. The next time a user turns on the ASA device, the Setup menu will be displayed after having logged in as the admin user via a console connection.

When selecting new or join in the Setup menu, you will be prompted to insert the HSM-SO iKey and HSM-USER iKey associated with each HSM card, and provide the current password stored on the respective iKey. This is required to initialize the HSM card anew. After you have provided the correct password for the iKey being requested by the Setup utility, a new passwords can be defined for that iKey.

For more information about installing and adding ASA 310-FIPS device in a cluster, see “Installing and Adding an ASA 310-FIPS” on page 42.

130 Chapter 9: Troubleshooting the ASA 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

An ASA 310-FIPS Cluster Must be Reconstructed onto New Devices

If your cluster of ASA 310-FIPS devices has been damaged beyond repair (by fire, for example) you can reconstruct the complete cluster, including certificates, private keys, and wrap keys. However, this requires that you have access to the following:

A new set of ASA 310-FIPS devices, replacing the cluster of damaged devices. A backup configuration file, saved to a TFTP server as a precautionary measure by using the /cfg/ptcfg command in the former cluster. For more information about the ptcfg command, see page 173. The black CODE-SO and CODE-USER iKeys that were used when the now damaged cluster of ASA devices was first created. The black CODE iKeys are needed to transfer the wrap key used in the former cluster onto the HSM cards in the new ASA 310-FIPS devices, as well as for decrypting private key information in the backup configuration file. The secret passphrase that was defined in the former cluster when first initialized (Pro- vided your former cluster was running in FIPS mode). To reconstruct the cluster configuration, certificates, private keys, and wrap keys used in the former cluster onto a new set of ASA 310-FIPS devices, follow these steps:

1. Install the first ASA 310-FIPS in a new cluster by following the instructions on page 42 up to and including Step 7 on page 46.

NOTE – When asked to use FIPS or Extended Security Mode, select the same mode that was used in the former cluster.

2. When both HSM cards have been initialized, you will be asked if you want to use new or existing HSM-CODE iKeys. Type existing and press ENTER.

(new setup, continued) Card 1 successfully initialized. Should new or existing CODE iKeys be used? (new/existing) [new]: existing

Chapter 9: Troubleshooting the ASA 131 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

3. Transfer the cluster wrap key from the existing CODE-SO and CODE-USER iKeys to card 0. Make sure you use the same pair of CODE-SO and CODE-USER iKeys that were used in the former cluster of ASA 310-FIPS devices.

(new setup, continued) Verify that CODE-SO iKey (black) is inserted in card 0 (with flashing LED). Hit enter when done. Verify that HSM-USER iKey (blue) is inserted in card 0 (with flashing LED). Hit enter when done. Verify that CODE-USER iKey (black) is inserted in card 0 (with flashing LED). Hit enter when done. Wrap key successfully combined to card 0.

4. Transfer the cluster wrap key from the CODE-SO and CODE-USER iKeys to card 1.

5. If you selected FIPS mode as the security mode, specify the passphrase. Enter the same secret passphrase as was defined in the former cluster running in FIPS mode. This step only appears if you selected FIPS mode when initializing the HSM cards.

(new setup, continued) Enter the old secret passphrase (it is used during addition of new iSDs to the cluster): Re-enter to confirm:

132 Chapter 9: Troubleshooting the ASA 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

6. Wait for the initial setup of the first ASA 310-FIPS in the cluster to finish.

(new setup, continued) Initializing system...... ok Setup successful. Relogin to configure.

7. Add an additional ASA to the newly created cluster by following the instructions on page page 49 up to and including Step 5 on page 52.

8. Transfer the cluster wrap key from the CODE-SO and CODE-USER iKeys to card 0. When asked to insert the CODE-SO and the CODE-USER iKeys, make sure to use the same CODE iKeys as you did in Step 3 and Step 4.

9. Transfer the cluster wrap key to card 1.

Chapter 9: Troubleshooting the ASA 133 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

10. If you selected FIPS mode as the security mode, specify the secret passphrase. Enter the same secret passphrase as you specified in Step 5. This step only appears if you selected FIPS mode when initializing the HSM cards.

(join setup, continued) Enter the secret passphrase (as given during initialization of the first iSD in the cluster):

If you chose FIPS mode when initializing the first HSM card in the cluster, you will be asked to enter the secret passphrase. Enter the same secret passphrase as when initializing the first HSM card in the cluster.

11. Wait for the setup of the added ASA 310-FIPS to finish.

(join setup, continued) Setup successful.

12. Log in to the ASA 310-FIPS that you are currently connected to and restore the configuration file of the former cluster from a TFTP server.

>> Main# cfg/gtcfg Enter hostname or IP address of TFTP server: Enter name of file on TFTP server: Received 4960 bytes in 0.1 seconds Password for importing private keys in cfg: Configuration loaded.

>> Configuration#

The configuration information is now automatically propagated and applied to all ASA 310- FIPS devices in the cluster. The information includes certificates and encrypted private keys.

134 Chapter 9: Troubleshooting the ASA 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

System Diagnostics

A few system diagnostics can be performed on the ASA.

Installed Certificates and Virtual SSL Servers To view the currently installed certificates, type the following command:

>> # /info/certs

To view detailed information about a specific certificate, access the Certificate menu and specify the desired certificate by its index number:

>> # /cfg/ssl/cert Enter certificate number: (1-) >> Certificate 1# show

To view the configured virtual SSL servers, type the following command:

>> # /info/servers

The screen output provides information about which certificate (indicated by certificate index number) is used by each configured SSL server.

Network Diagnostics To check various network settings for a specific ASA, access the iSD Host menu by typing the following commands:

>> # /cfg/sys/cluster/host Enter iSD host number: (1-) >> iSD Host 1# cur

The screen output provides information about the type of iSD (master or slave), IP address, network mask, and gateway address for the ASA you have specified (by host number).

To check general network settings related to the cluster to which you have connected, type the following command:

>> # /cfg/sys/cluster/cur

Chapter 9: Troubleshooting the ASA 135 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

The screen output provides information about the management IP address (MIP) of the ASA cluster, DNS servers, iSD hosts in the cluster, Syslog servers, and NTP servers.

To check if the ASA(s) is getting network traffic, type the following command:

>> # /stats/dump

The screen output provides information about currently active request sessions, total completed request sessions, as well as SSL statistics for configured virtual SSL servers.

To check statistics for the local Ethernet network interface card, type the following command::

>> # /info/ethernet

The screen output provides information about the total number of received and transmitted packets, the number of errors when receiving and transmitting packets, as well as the type of error such as dropped packets, overrun packets, malformed packets, packet collisions, and lack of carrier.

To check if a virtual server (on the Alteon Application Switch) is working, type the following command at any menu prompt:

>> # ping

To capture and analyze TCP traffic sent between a client and a virtual SSL server, type the following command (where you replace “#” with the index number of the desired virtual SSL server):

>> # /cfg/ssl/server #/trace/tcpdump

To capture and analyze decrypted SSL traffic sent between a client and a virtual SSL server, type the following command (where you replace “#” with the index number of the desired virtual SSL server):

>> # /cfg/ssl/server #/trace/ssldump

136 Chapter 9: Troubleshooting the ASA 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Active Alarms and the Events Log File To view an alarm that has been triggered and is active, type the following command:

>> # /info/events/alarms

In the current software version of the ASA, an alarm is only triggered when a hardware failure in an SSL accelerator card is detected.

To save the events log file to a TFTP server, type the following command:

>> # /info/events/download

You need to provide the IP address or host name of the TFTP server, as well as a file name. After the events log file has been saved, connect to the TFTP server and examine the contents of the file.

Error Log Files Provided you have configured the ASA to use a Syslog server, the ASA will send log messages to the specified Syslog server. For more information on how to configure a UNIX Syslog daemon, see the Syslog manpages under UNIX. For more information on how to configure the ASA to use a Syslog server, see the “Syslog Servers Configuration” on page 304.

Chapter 9: Troubleshooting the ASA 137 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

138 Chapter 9: Troubleshooting the ASA 212939-F, November 2003

Part 2: Command Reference

This section provides detailed information about all CLI commands and menu items, organized in the same way as the command line interface itself. The section starts with listing the global commands, which can be used at any menu prompt, and also explains the history and shortcut functions that can be used to navigate more efficiently within the menu system.

212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

140 Part 2: Command Reference 212939-F, November 2003

CHAPTER 10 ASA Command Reference

This chapter describes how to use the command line interface on the ASA. The chapter also provides explanations of all available commands.

Menu Basics

The ASA command line interface (CLI) is used for viewing ASA information and statistics. In addition, the administrator can use the CLI for configuring all levels of the ASA.

The various CLI commands are grouped into a series of menus and submenus. Each menu displays a list of commands and/or submenus that are available, along with a summary of what each command will do. Below each menu is a prompt where you can enter any command appropriate to the current menu.

When creating new CLI objects, e.g. a new interface or a new group, you will enter a wizard providing the relevant questions for that object. The regular menu for the object will be displayed after the wizard is completed.

This chapter describes the Main menu commands, and provides a list of commands and shortcuts that are commonly available from all the menus within the CLI.

141 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Global Commands

Some basic commands are recognized throughout the menu hierarchy. These commands are useful for obtaining online help, navigating through menus, and for applying and saving configuration changes:

Table 10-1 Global Commands

Command Action

help Display a summary of the global commands.

help Displays help on a specific command in the command line interface.

. Display the current menu.

print Display the current menu.

.. Go up one level in the menu structure.

up Go up one level in the menu structure.

/ If placed at the beginning of a command, go to the Main menu. Otherwise, this is used to separate multiple commands placed on the same line.

cd "

" Display the menu indicated within quotation marks. Example: Typing cd "/cfg/sys" at any prompt in the CLI will display the System menu. The same result is achieved by only typing /cfg/sys (no quotation marks) at any menu prompt.

pwd Display the command path used to reach the current menu.

apply Apply pending configuration changes.

diff Show any pending configuration changes.

revert Remove pending configuration changes between “apply” commands. Use this command to restore configuration parameters set since last “apply” command.

paste Lets you restore a saved configuration that includes private keys. Before pasting the configuration, you need to provide the password phrase you specified when selecting to include the private keys in the configuration dump. For more information, see the dump command under “Configuration Menu” on page 172.

exit Terminate the current session and log out. If you have unapplied (pending) configuration changes when using the exit command, you will be notified. If you choose to log out anyhow without using the apply command, your pending configuration changes will be lost.

142 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-1 Global Commands

Command Action

quit Same as Exit. If you have unapplied (pending) configuration changes when using the quit command, you will be notified. If you choose to log out anyhow without using the apply command, your pending configuration changes will be lost.

CTRL+^ Exit from the command line interface in case the ASA has stopped responding. This command should only be used when connected to a specific ASA via a console connection, not when connected to the Management IP of the cluster via a Telnet or SSH connection.

netstat Use this command to show the current network status of the ASA. The netstat command provides information about active TCP connections, as well as the state of all TCP/IP servers and the sockets used by them.

nslookup Use this command to find the IP address or host name of a machine. In order to use this command, you must have configured the ASA to use a DNS server. If you did not specify a DNS server during the initial setup procedure, you can add a DNS server at any time by using the /cfg/sys/dns/add command.

ping Use this command to verify station-to-station connectivity across the network. The format is as follows: ping

Where address is the host name or IP address of the device, tries (optional) is the number of attempts (1-32), and delay (optional) is the number of milliseconds between attempts. The DNS parameters must be configured if specifying host names (see “DNS Servers Configuration” on page 303).

traceroute Use this command to identify the route used for station-to-station connectivity across the network. The format is as follows: traceroute

Where address is the host name or IP address of the target station, max-hops (optional) is the maximum distance to trace (1-16 devices), and delay (optional) is the number of milliseconds for wait for the response. As with ping, the DNS parameters must be configured if specifying host names.

cur Use this command to view all the current settings for the active menu.

curb Use this command for a brief version of the current settings for the active menu.

dump Use this command to dump the current configuration for the active menu. The dumped information can be cut and pasted in to another operator’s CLI at the same menu level.

Chapter 10: ASA Command Reference 143 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-1 Global Commands

Command Action

lines n Set the number of lines (n) that is displayed on the screen at one time. The default value is 24 lines. When used without a value, the current setting is displayed.

verbose n Sets the level of information displayed on the screen: 0 =Quiet: Nothing appears except errors—not even prompts. 1 =Normal: Prompts and requested output are shown, but no menus. 2 =Verbose: Everything is shown. The default level is 2. When used without a value, the current setting is displayed.

slist Use this command to display a list of all Admin user sessions currently running in the cluster.

Command Line History and Editing

Using the command line interface, you can retrieve and modify previously entered commands with just a few keystrokes. The following options are available globally at the command line:

Table 10-2 Command Line History and Editing Options

Option Description

history Display a numbered list of the last 10 previously entered commands.

!! Repeat the last entered command.

!n Repeat the nth command shown on the history list.

pushd “Bookmarks” your current position in the menu structure. After moving to another level or command in the menu structure, you can easily return to the bookmarked position by typing the popd command. The pushd command can be combined with command stacking, as in this example: >> Information# pushd "/cfg/ssl/server 1/ssl" >> SSL Settings# When you issue the popd command, you are immediately taken back to the prompt from where you issued the pushd command, the Information prompt in this example.

popd Takes you back to a position in the menu structure that has been “bookmarked” by using the pushd command.

(Also the up arrow key.) Recall the previous command from the history list. This can be used multiple times to work backward through the last 10 commands. The recalled command can be entered as is, or edited using the options below.

144 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-2 Command Line History and Editing Options

Option Description

(Also the down arrow key.) Recall the next command from the history list. This can be used multiple times to work forward through the last 10 commands. The recalled command can be entered as is, or edited using the options below.

Move the cursor to the beginning of command line.

Move cursor to the end of the command line.

(Also the left arrow key.) Move the cursor back one position to the left.

(Also the right arrow key.) Move the cursor forward one position to the right.

(Also the Delete key.) Erase one character to the left of the cursor position.

Delete one character at the cursor position.

Kill (erase) all characters from the cursor position to the end of the command line.

Rewrites the most recent command.

Abort an on-going transaction. If pressed when there is no on-going transaction, the current menu is displayed. Note: Using will not abort screen output generated from using the cur command. To abort the heavy screen output that may result from using the cur command, press .

Clear the entire line.

Other keys Insert new characters at the cursor position.

Chapter 10: ASA Command Reference 145 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Command Line Interface Shortcuts

Command Stacking You can type multiple commands separated by forward slashes (/) on a single line in order to access a submenu and one of the related menu options. Type as many commands as required to access the desired submenu and menu option. For example, the keyboard shortcut to access the list command in the NTP Servers menu from the Main menu prompt is as follows:

>> Main# cfg/sys/time/ntp/list

You can also use command stacking to go up one or more levels in the menu system, and then go directly to another submenu and one of the related menu options in that submenu. For example, to go up two levels from the NTP Servers menu to the System menu, and from there to the DNS servers menu in which you list the configured DNS servers you would type:

>> NTP Servers# ../../dns/list

Command Abbreviation Most commands can be abbreviated by entering the first characters which distinguish the command from the others in the same menu or submenu. For example, the command shown in the first example above could also be entered as follows:

>> Main# c/sy/t/n/l

Tab Completion By typing the first letter of a command at any menu prompt and pressing TAB, all commands in that menu beginning with the letter you typed is displayed. By typing additional letters, you can further refine the list of commands or options displayed. If only one command matches the letter(s) you typed, that command is supplied on the command line when pressing TAB. You can then execute the command by pressing ENTER. If the TAB key is pressed without any input on the command line, the currently active menu is displayed.

146 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Using Submenu Name as Command Argument To display the properties related to a specific submenu, you can provide the submenu name as an argument to the cur command (at a menu prompt one level up from the desired submenu information).

For example, to display cluster information at the System menu prompt (/cfg/sys), type the following command:

>> System# cur cluster Cluster: Management IP (MIP) address = 192.168.128.211

iSD Host 1: Type of the iSD = master IP address = 192.168.128.213 License = xnet (10), tps (unlimited) Default gateway address = 192.168.128.3 Ports = 1 : 2

Host Routes: No items configured

Host Interface 1: IP address = 192.168.128.213 Network mask = 255.255.255.0 VLAN tag id = 0 Mode = failover Primary port = 0

Interface Ports: 1

Host Port 1: Autonegotiation = on Speed = 0 Full or half duplex mode = full

Host Port 2: Autonegotiation = on Speed = 0 Full or half duplex mode = full

Without having to descend into the Cluster menu (/cfg/sys/cluster), cluster-specific information only is displayed directly at the System menu prompt. If the cur command had been used without the cluster submenu argument in the example above, information related to both the current System menu and all submenus would have been displayed.

Chapter 10: ASA Command Reference 147 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Using Slashes (/) and Spaces in Commands If you need to use a forward slash (/) or a space in a command string, make sure the string containing the slash or space is within double quotation marks before you run the command. One example of a command where double quotation marks is required, is when you specify a directory path and file name on the same line as the ftp command in the CLI.

Example:

>> Software Management# ftp 10.0.0.1 “pub/SSL-4.1-upgrade_complete.pkg”

148 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

The Main Menu

The Main menu appears after a successful connection and login. Figure 10-1 shows the Main menu as it appears when logged in as Administrator. Note that some of the commands are not available when logged in as Operator.

[Main Menu] info - Information menu stats - Statistics menu cfg - Configuration menu boot - Boot menu maint - Maintenance menu diff - Show pending config changes [global command] apply - Apply pending config changes [global command] revert - Revert pending config changes [global command] paste - Restore saved config with key [global command] help - Show command help [global command] exit - Exit [global command, always available]

Figure 10-1 Administrator Main Menu Menu Summary Information menu Provides submenus for displaying information about the current status of the ASA. For more information, see page 150. Statistics menu Provides submenus for displaying ASA performance statistics. For more information, see page 156. Configuration menu Provides submenus for configuring the ASA. Some of the commands in the Configuration menu are available only from the Administrator user login. For more information, see page 172. Boot menu Is used for upgrading ASA software and for rebooting, if necessary. The Boot menu is only accessible when logged in as the Administrator user. For more information, see page 332. Maintenance menu Is used for sending technical support information to a TFTP server. For more information, see page 337.

Chapter 10: ASA Command Reference 149 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/info Information Menu

The Information menu is used for viewing information and events for ASAs in a cluster.

[Information Menu] servers - Show configured SSL servers certs - Show configured certificates hsm - Show local HSM information xnet - Show configured Xnets users - Show logged in Xnet users access - Print the access rules of an Xnet user kick - Kick an Xnet user sys - Show system configuration isdlist - Show all iSDs and their operational status local - Show local iSD information ethernet - Show local ethernet status information ports - Show local port(s) information events - Inspect Events menu

Table 10-3 Information Menu Options (/info)

Command Syntax and Usage

servers Displays the current SSL server settings, including SSL specific settings for each configured virtual SSL server.

certs Displays the certificate name, serial number, expiration date, and key size for each installed certificate. Information related to the subject of the certificate is also displayed.

hsm Displays status information related to the HSM cards on each ASA device in the cluster. Informa- tion about the current security mode (Extended mode or FIPS mode) is displayed, as well as current login status and login user information (HSM-SO or HSM-USER). For a sample screen output, see page 155. Note: HSM information is only displayed when you are using the ASA 310 FIPS model.

150 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-3 Information Menu Options (/info)

Command Syntax and Usage

xnet Displays information about the current SSL VPN settings, e.g. login session idle timeout value (shared by all configured Xnet domains), as well as information related to each specific Xnet domain configuration. For each Xnet domain, information about authentication methods, authentication order, user access groups and the access control lists associated with each group is displayed. Information about the banner GIF file currently in use on the SSL VPN portal Web page is also shown, as well as company name, portal colors and the static link text displayed on each SSL VPN users home page on the SSL VPN portal.

users Displays the user name, login time, source IP address, group membership and profile of all SSL VPN users that are currently logged in to an Xnet domain. The user properties are listed per Xnet domain. The profile refers to data configured directly under the Group menu. Any other profile stated after the group name is an extended profile. For more information about base profiles and extended profiles, see Chapter 14, “Groups, Access Rules and Profiles” in the Application Guide. You can choose to limit the output of logged in users to a particular Xnet domain by providing the Xnet domain number as a modifier to the users command. To limit the output further, you can also provide one or more initial letters of a user name, directly followed by an asterisk (*). Examples: >> Information# users 2 All users currently logged in to Xnet domain 2 are listed. >> Information# users 2 j* Users currently logged in to Xnet domain 2, and whose user name begins with the letter “j”, are listed.

access By specifying an Xnet domain number and a user name following the access command, a detailed view of an SSL VPN user’s access rights is displayed. The information is presented in a table showing the user’s access rights to specific networks, ports, protocols and paths.

kick By specifying an Xnet domain number and a user name following the kick command, a user can be logged out from a session by the ASA operator.

sys Displays information about the current system configuration, e.g. network mask, default gateway address, static routes, NTP servers, DNS servers, syslog servers, networks, number of ASAs included in the cluster along with IP addresses etc.

Chapter 10: ASA Command Reference 151 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-3 Information Menu Options (/info)

Command Syntax and Usage

isdlist Displays the IP addresses, master/slave assignments, CPU usage, memory usage, and operational status for all the ASAs in the cluster. An asterisk (*) in the MIP column indicates which ASA in the cluster is currently is control of the Management IP. An asterisk (*) in the Local column indicates the particular ASA to which you have connected. For a sample screen output, see page 155.

local Displays the current software version, ASA hardware platform, up time (since last boot), IP address, and Ethernet MAC address for the particular ASA to which you have connected. If you have connected to the MIP address, the information displayed relates to the ASA in the cluster that currently is in control of the MIP. For a sample screen output, see page 155.

152 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-3 Information Menu Options (/info)

Command Syntax and Usage

ethernet Displays statistics for the Ethernet network interface card (NIC) on the particular ASA host to which you have connected. If you have connected to the MIP address, the information displayed relates to the ASA in the cluster that currently is in control of the MIP. If more than one network is configured in the cluster, ethernet statistics for the respective network is displayed. RX packets: the total number of received packets TX packets: the total number of transmitted packets errors: packets lost due to error dropped: error due to lack of resources overruns: error due to lack of resources frame: error due to malformed packets carrier: error due to lack of carrier collisions: number of packet collisions For a sample screen output, see page 155. Note: A non-zero collision value may indicate an incorrect configuration of the Ethernet autonegotiation. For more information, see the autoneg command on page 314.

ports Displays the status of the physical ports on the Ethernet network interface card (NIC) on the particular ASA host to which you have connected. If you have connected to the MIP address, the information displayed relates to the ASA in the cluster that currently is in control of the MIP. For each port, link status (up/down) and the Ethernet autonegotiation setting (on/off) is shown. If the link is up, current values for speed (10/100/1000) and duplex mode (half/full) are also shown. If the link is down and autonegotiation is set to off, the configured values for speed and duplex mode are shown instead. To change the NIC port settings, see the commands under “Host Ethernet Port Configuration” on page 314.

events Displays the Events menu. To view menu options, see page 154.

Chapter 10: ASA Command Reference 153 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/info/events Events Menu

[Events Menu] alarms - List all pending alarms download - Dump the event log file to a TFTP/FTP server.

The Events menu is used for viewing active alarms and events that have been logged.

Table 10-4 Events Menu Options (/info/events)

Command Syntax and Usage

alarms Displays all alarms in the active alarm list by their main attributes: severity level, alarm ID number, date and time when triggered, alarm name, sender, and cause.

download Transmits the event log file from the ASA cluster to a file on a TFTP or FTP server. You need to specify the IP address or host name of the TFTP/FTP server, as well as a file name. TFTP is default value.

154 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/info/hsm HSM Command

>> Information# hsm iSD IP 192.168.128.185: Mode: Extended HSM card 0: Logged in as HSM-USER HSM card 1: Logged in as HSM-USER

/info/isdlist iSD List Command

>> Information# isdlist IP addr type MIP local cpu(%) mem(%) op 192.168.128.122 master * 1 14 up 192.168.128.123 master * 1 14 up 192.168.128.124 master 1 14 up 192.168.128.125 slave down

/info/local Information Local Command

>> Information# local Alteon iSD SSL Software version 4.1 HW platform: iSD410 Up time: 5 days 21 hours 40 minutes IP address: 192.168.128.185 MAC address: 00:01:02:b1:25:c0

/info/ethernet Information Ethernet Command

>> Information# ethernet Net 1: RX packets:7553 errors:0 dropped:0 overruns:1 frame:0 Net 1: TX packets:87 errors:0 dropped:0 overruns:0 carrier:2 collisions:11

Chapter 10: ASA Command Reference 155 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/stats Statistics Menu

The Statistics menu is used for viewing various ASA performance statistics.

[Statistics Menu] server - Cluster SSL Server statistics local - Local statistics for each iSD host clear - Clear all statistics for all IPs activesess - Number of currently active request sessions totalsess - Total completed request sessions sslaccept - Total completed SSL accept sslconnect - Total completed SSL connect tpshisto - Cluster-wide TPS histograms for all servers clihisto - Cluster-wide client data histograms for all servers srvhisto - Cluster-wide server data histograms for all servers aaa - AAA specific statistics dump - Dump all information

Table 10-5 Statistics Menu Options (/stats)

Command Syntax and Usage

server Displays the Cluster Wide SSL Statistics menu for the specified virtual SSL server. To view menu options, see page 158.

local Displays the Local Statistics menu. To view menu options, see page 161.

clear Resets all statistics to zero.

activesess Displays the number of currently active request sessions in the cluster.

totalsess Displays the total number of completed request sessions in the cluster.

sslaccept Displays the total number of initiated SSL client connections on all virtual SSL servers in the cluster.

sslconnect Displays the total number of established SSL client connections on all virtual SSL servers in the cluster.

156 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-5 Statistics Menu Options (/stats)

Command Syntax and Usage

tpshisto Displays histograms of the number of SSL transactions per second, as performed by each virtual SSL server in the cluster. The figures presented are accumulated from all ASA devices in the cluster.

clihisto Displays histograms of data throughput in bytes per second from clients to each virtual SSL server in the cluster. The figures presented are accumulated from all ASA devices in the cluster.

srvhisto Displays histograms of data throughput in bytes per second from backend servers to each virtual SSL server in the cluster. The figures presented are accumulated from all ASA devices in the cluster.

aaa Displays the AAA Statistics menu. To view menu options, see page 171.

dump Displays cluster-wide SSL statistics for each virtual SSL server in the cluster, as well as the number of active request sessions, and the total number of completed request sessions. The total number of initiated SSL client connections, and the total number of established SSL client connections as accumulated values for all virtual SSL servers in the cluster are also displayed. Histograms, however, are not included in the output.

Chapter 10: ASA Command Reference 157 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/stats/server Cluster Wide SSL Statistics Server Menu

[Cluster Wide SSL Stats for Server 1 Menu] accept - SSL accept renegotiat - SSL renegotiate requests handshakeg - SSL handshakes completed cachemisse - SSL cache misses cachetimeo - SSL cache timeout cachefull - SSL cache full cachehits - SSL cache hits sslconnect - SSL connects revocation - Client cert revocations cipherrewr - HTTP weak cipher rewrites http_redir - HTTP redirect rewrites becnctfail - Failed backend server connects tps - SSL transactions/sec tpshisto - Host local TPS histograms for this server clihisto - Host local client byte/s histos for this server srvhisto - Host local server data byte/s histos for this server dump - Dump all stats except histograms

The Cluster Wide SSL Statistics Server menu is used for viewing various statistics for a virtual SSL server, specified by its index number. The figures presented are accumulated from all ASA devices in the cluster, but specific for the selected virtual SSL server.

Table 10-6 Cluster Wide SSL Statistics Server Menu Options (/stats/server)

Command Syntax and Usage

accept Displays the number of initiated SSL client connections on the current virtual SSL server.

renegotiat Displays the number of times clients have requested a renegotiation of the SSL connection on the current virtual SSL server.

handshakeg Displays the number of successfully completed SSL handshakes on the current virtual SSL server. The number of failed SSL handshakes equals the combined values for SSL accept and SSL renegotiate requests, minus the combined values for SSL handshakes completed and Number of currently active request sessions. You can view the values mentioned above by using the/stats/dump command.

158 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-6 Cluster Wide SSL Statistics Server Menu Options (/stats/server)

Command Syntax and Usage

cachemisse Displays the number of times clients have made requests to reuse a particular session ID, and that session ID was not found in the SSL cache. If there is a high number of cache misses in combination with a high value for cachefull, you may consider increasing the SSL cache size of the virtual SSL server. To change the current SSL cache size, use the /cfg/ssl/server command, specify the appropriate virtual SSL server by index number, and then type the command ssl/cachesize. The default SSL cache size is 4000 items. If there is a high number of cache misses in combination with a low value for cachefull, you may consider increasing the cachettl value. To change the current cachettl value, use the /cfg/ssl/server command, specify the appropriate virtual SSL server by index number, and then type the command ssl/cachettl. The default SSL cache timeout value is 5 minutes.

cachetimeo Displays the number of reuse attempts on SSL sessions still in the cache, and whose timeouts were initiated. If there is a high number of cache timeouts, you may consider increasing the cachettl value for the virtual SSL server. To change the current cachettl value, use the /cfg/ssl/server command, specify the appropriate virtual SSL server by index number, and then type the command ssl/cachettl. The default SSL cache timeout value is 5 minutes.

cachefull Displays the number of times when a new client session could not be cached due to the cache being full. If the cachefull value is high, you may consider increasing the SSL cache size of the virtual SSL server.

cachehits Displays the number of times clients have made requests to reuse a particular session ID, and that session ID was found in the SSL cache.

sslconnect Displays the number of completed SSL client connections on the current virtual SSL server.

revocation Displays the number of revoked client certificates.

cipherrewr Displays the number of HTTP weak cipher rewrites.

http_redir Displays the number of HTTP redirect rewrites.

Chapter 10: ASA Command Reference 159 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-6 Cluster Wide SSL Statistics Server Menu Options (/stats/server)

Command Syntax and Usage

becnctfail Displays the number of failed connections to backend servers.

tps Displays the number of SSL transactions per second for the specified virtual SSL server, as performed on all ASA devices in the cluster.

tpshisto Displays histograms of the number of SSL transactions per second, as performed by the specified virtual SSL server on all ASA devices in the cluster.

clihisto Displays histograms of data throughput in bytes per second from clients to the specified virtual SSL server, as performed on all ASA devices in the cluster.

srvhisto Displays histograms of data throughput in bytes per second from backend servers to the specified virtual SSL server, as performed on all ASA devices in the cluster.

dump Displays all statistics for the current virtual SSL server, except the histograms.

160 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/stats/local Local Statistics Menu

[Local Statistics Menu] isdhost - ISD local SSL server statistics menu overview - Overview of isdhost local statistics tpshisto - ISD local TPS histograms for all servers/ISDs clihisto - ISD local client byte/s histos for all servers/ISDs srvhisto - ISD local server data byte/s histos for all servers/ISDs license - ISD local license statistics dump - Dump all information

The Local Statistics menu is used for viewing histograms of SSL transactions per second, received client data and received backend server data (in bytes per second). Values are presented for each virtual SSL server, on a per ASA device basis. You can therefore easily com- pare the performance of a particular virtual SSL server on different ASA devices in the cluster.

The Local Statistics menu is also used for accessing the Single iSD Stats menu, in which you can view the same histograms as in the Local Statistics menu, with the difference that the histograms only pertain to a single ASA device (specified by host index number).

The dump command in the Local Statistics menu displays a number of statistics, where most of them relate to various SSL properties for incoming client connections. These statistics are presented for each virtual SSL server, on a per ASA device basis. Information related to the health check status (of backend servers) and pool status may also be displayed, depending on your virtual SSL server configuration. This information is also displayed on a per ASA device basis, since each ASA performs its own health checking of configured backend servers inde- pendently from other ASAs in the cluster.

Histograms are not included in the output when running the dump command.

Table 10-7 Local Statistics Menu Options (/stats/local)

Command Syntax and Usage

isdhost Displays the Single ISD Stats menu, after you have specified the index number of an ASA host in the cluster. To view menu options, see page 163. To view information about host index numbers for all ASA hosts in the cluster, use the /cfg/sys/cluster/cur command.

overview Displays the total number of completed request sessions for each virtual SSL server on a per ASA device basis. An overview of the health check status of backend servers and the pool status may also be displayed, depending on your virtual SSL server configuration.

Chapter 10: ASA Command Reference 161 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-7 Local Statistics Menu Options (/stats/local)

Command Syntax and Usage

tpshisto Displays histograms of the number of SSL transactions per second, as performed by each virtual SSL server on a per ASA device basis.

clihisto Displays histograms of data throughput in bytes per second from clients to each virtual SSL server, on a per ASA device basis.

srvhisto Displays histograms of data throughput in bytes per second from backend servers to each virtual SSL server, on a per ASA device basis.

license Displays information about the number of times the tps license has reached the limit.

dump Displays various SSL properties for incoming client connections, as well as HTTP-related statistics. The statistics are presented for each virtual SSL server, on a per ASA device basis. Histo- grams are not included in the output.

162 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/stats/local/isdhost Single iSD Statistics Menu

[Single ISD Stats 1 Menu] server - ISD local SSL server stats tpshisto - ISD local TPS histograms for all servers clihisto - ISD local client byte/s histograms for all servers srvhisto - ISD local server byte/s histograms for all servers dump - Dump all information

The Single iSD Statistics menu is used for viewing histograms of SSL transactions per second, received client data, and received backend server data (in bytes per second). Values are presented for each virtual SSL server in the cluster, as performed on a single ASA device (specified by host index number when you enter the Single iSD Statistics menu).

The Single iSD Statistics menu is also used for accessing the Single iSD Stats for Server menu, in which you can view various statistics related to one specific virtual SSL server as performed on the currently selected ASA host.

The dump command in the Single iSD Statistics menu displays a number of statistics where most of them are related to various SSL properties for incoming client connections for each virtual SSL server individually, as performed on the selected individual ASA. Histograms are not included in the output when running the dump command.

Table 10-8 Single iSD Statistics Menu Options (/stats/local/isdhost)

Command Syntax and Usage

server Displays the Single iSD Stats for Server # menu. To view menu options, see page 165.

tpshisto Displays histograms of the number of SSL transactions per second for each virtual SSL server, as performed on the currently specified ASA.

clihisto Displays histograms of data throughput in bytes per second from clients to each virtual SSL server, as performed on the currently specified ASA.

srvhisto Displays histograms of data throughput in bytes per second from backend servers to each virtual SSL server, as performed on the currently specified ASA.

Chapter 10: ASA Command Reference 163 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-8 Single iSD Statistics Menu Options (/stats/local/isdhost)

Command Syntax and Usage

dump Displays various SSL properties for incoming client connections, as well as HTTP-related statistics. The statistics are presented for each virtual SSL server in the cluster, but where the figures relate only to the currently specified ASA. Histograms are not included in the output.

164 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/stats/local/isdhost /server Single ISD Statistics for Virtual SSL Server Menu

[Single ISD Stats for Server 1 Menu] healthchec - Display health check status for all loadbalanced RIPs poolstatus - Pool status and statistics accept - SSL accept renegotiat - SSL renegotiate requests handshakeg - SSL handshakes completed cachemisse - SSL cache misses cachetimeo - SSL cache timeout cachefull - SSL cache full cachehits - SSL cache hits sslconnect - SSL connects revocation - Client cert revocations cipherrewr - HTTP weak cipher rewrites http_redir - HTTP redirect rewrites becnctfail - Failed backend server connects tps - SSL transactions/sec tpshisto - isdhost local TPS histograms for this server clihisto - isdhost local client byte/s histos for this server srvhisto - isdhost local server data byte/s histos for this server dump - Dump all information

The Single iSD Stats for Server # menu is used for viewing the pool status for backend servers that are load balanced by the specified virtual SSL server. The health check status of backend servers can also be displayed. Remember that each ASA device (or host) performs its own health checks of configured backend servers, which makes the status information unique for the specified ASA.

Other statistics can also be displayed, such as statistics related to SSL properties for incoming client connections handled by the specified virtual SSL server on the currently selected ASA. The values are unique for the selected ASA, because the figures depend on the Alteon Applica- tion Switch load balancing configuration of the server group in which the ASA resides.

The dump command will display all statistics available via the individual commands in the menu, except the health check status, pool status, and histograms.

Chapter 10: ASA Command Reference 165 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-9 Single iSD Statistics Server Menu Options (/stats/local/isdhost/server)

Command Syntax and Usage

healthchec Displays the health check status for the backend servers that are load balanced by the current virtual SSL server. Because each ASA device (or host) performs its own health checks of configured backend servers, the displayed health check status information is specific not only for the selected virtual SSL server, but also for the selected ASA host. The following health check properties are displayed: BE: Backend servers by index number. RIP: Load balanced backend servers listed by IP address and TCP port. UP: Lists the current status of backend servers as up or down, where backend servers that passed the health check are indicated as up. EXEC: Indicates whether a health check is currently being performed on a backend server. FAILS: Indicates the number of times a health check has failed. For more information about script-based health checks, see the “Script-Based Health Checks” chapter in the Alteon SSL Accelerator 4.1.2 Application Guide. REASON: States the reason, in clear text, for why a health check failed. Note 1: If you have enabled load balancing of configured backend servers and set the health check method to none, all backend servers will at all times be considered up. Failed connections to backend servers are still logged (as a total) and can be viewed using the /stats/server #/becnctfail command. Note 2: If you have not added any backend servers to the system configuration, the IP address specified as the Real Server IP (RIP) for the current virtual SSL server is listed under the RIP column. When using the ASA together with an Alteon Application Switch, the RIP typically corresponds to 0.0.0.0. By specifying 0.0.0.0 as the Real Server IP address, the SSL server is instructed to use the destination IP address (in the received packets) when initiating requests sent to the virtual server. Such a RIP configuration ensures that requests initiated by the virtual SSL server always reach the correct Virtual Server IP address (as configured on the Alteon Application Switch), because the destination IP address in the received packets corresponds to the IP address of the virtual server. For a sample screen output, see page 170.

166 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-9 Single iSD Statistics Server Menu Options (/stats/local/isdhost/server)

Command Syntax and Usage

poolstatus Displays pool status for the backend servers that are load balanced by the current virtual SSL server (where one pool is maintained for each backend server that passed the health check). Because each ASA device (or host) performs its own health checks of configured backend servers, the displayed pool status information is specific not only for the selected virtual SSL server, but also for the selected ASA host. The following pool status information is displayed: BE: Backend servers by index number. RIP: Backend servers (listed by IP address), for which a pool is maintained. fds: File Descriptors. The number of server-side sockets that are currently in the pool. sess: SSL sessions. The number of SSL sessions that are currently in the pool. A pooled SSL session can be reused when setting up a new server-side socket. poolcnct: The number of server-side sockets in the pool that have been reused. !poolcnct: The number of server-side sockets that have been set up without taking advan- tage of reusing an existing socket. Note: If you have not added any backend servers to the system configuration, the IP address specified as the Real Server IP (RIP) for the current virtual SSL server is listed under the RIP column. When using the ASA together with an Alteon Application Switch, the RIP typically corresponds to 0.0.0.0. By specifying 0.0.0.0 as the Real Server IP address, the SSL server is instructed to use the destination IP address (in the received packets) when initiating requests sent to the virtual server. Such a RIP configuration ensures that requests initiated by the virtual SSL server always reach the correct Virtual Server IP address (as configured on the Alteon Application Switch), since the destination IP address in the received packets corresponds to the IP address of the virtual server. For a sample screen output, see page 170.

accept Displays the number of initiated SSL client connections on the current virtual SSL server.

renegotiat Displays the number of times clients have requested a renegotiation of the SSL connection on the current virtual SSL server.

handshakeg Displays the number of successfully completed SSL handshakes on the current virtual SSL server. To view the number of failed SSL handshakes, use the /stats/dump command. The number of failed SSL handshakes equals the combined values for SSL accept and SSL renegotiate requests, minus the combined values for SSL handshakes completed and the number of currently active request sessions.

Chapter 10: ASA Command Reference 167 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-9 Single iSD Statistics Server Menu Options (/stats/local/isdhost/server)

Command Syntax and Usage

cachemisse Displays the number of times clients have made requests to reuse a particular session ID, and that session ID was not found in the SSL cache. If there is a high number of cache misses in combination with a high value for cachefull, you may consider increasing the SSL cache size of the virtual SSL server. To change the current SSL cache size, use the /cfg/ssl/server command, specify the appropriate virtual SSL server by index number, and then type the command ssl/cachesize. The default SSL cache size is 8000 items. If there is a high number of cache misses in combination with a low value for cachefull, you may consider increasing the cachettl value. To change the current cachettl value, use the /cfg/ssl/server command, specify the appropriate virtual SSL server by index number, and then type the command ssl/cachettl. The default SSL cache timeout value is 5 minutes.

cachehits Displays the number of times clients have made requests to reuse a particular session ID, and that session ID was found in the SSL cache.

sslconnect Displays the number of completed SSL client connections on the current virtual SSL server.

revocation Displays the number of revoked client certificates.

cipherrewr Displays the number of HTTP weak cipher rewrites.

http_redir Displays the number of HTTP redirect rewrites.

168 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-9 Single iSD Statistics Server Menu Options (/stats/local/isdhost/server)

Command Syntax and Usage

becnctfail Displays the number of failed connections to backend servers.

tps Displays the number of SSL transactions per second as performed by the specified virtual SSL server on the currently selected ASA host.

tpshisto Displays histograms of the number of SSL transactions per second for the specified virtual SSL server, as performed on the currently selected ASA host.

clihisto Displays histograms of data throughput in bytes per second from clients to the specified virtual SSL server, as performed on the currently selected ASA host.

srvhisto Displays histograms of data throughput in bytes per second from backend servers to the specified virtual SSL server, as performed on the currently selected ASA host.

dump Displays all statistics for the specified virtual SSL server on the currently selected ASA host, except the health check status, pool status, and histograms.

Chapter 10: ASA Command Reference 169 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/stats/local/isdhost #/server # /healthchec Single iSD Host SSL Server Healthcheck Command

>> Single ISD Stats for Server 1# healthchec Healthcheck status at ISD number ’1’ BE RIP UP EXEC FAILS REASON 1 192.168.128.1:80 up no

/stats/local/isdhost #/server # /poolstatus Single iSD Host SSL Server Poolstatus Command

>> Single ISD Stats for Server 1# poolstatus Poolstatus at ISD number ’1’ BE RIP fds sess poolcnct !poolcnct 1 192.168.128.1:80 0 0 0 0

170 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/stats/aaa AAA Statistics Menu

[AAA Statistics Menu] total - Cluster-wide authentication statistics isdhost - ISD local authentication statistics dump - Dump all information

The AAA Statistics menu is used for viewing authentication statistics related to the ASA cluster as a whole, or to one specific ASA in the cluster.

The number of accepted and rejected authentication requests of VPN users are listed for each configured authentication method and authentication server. For remote authentication methods (RADIUS, LDAP and NTLM), the number of times an authentication request has timed out on a specific server is listed as well. The remote authentication servers are listed by IP address and TCP port number.

Note that authentication statistics for all servers that are configured in the ASA cluster are displayed, and not only for the servers that are included in the authentication order scheme (by using the /cfg/xnet/domain/authorder command). If the statistics for a certain authentication method always comes down to a row with zeroes, this might be due to the fact that the method is not included in the authentication order scheme.

Table 10-10 Xnet Statistics Menu Options (/stats/aaa)

Command Syntax and Usage

total Displays the total authentication statistics for all ASA hosts in the cluster.

isdhost Displays the AAA settings for the specified ASA host in the cluster.

dump Dumps all authentication statistics.

Chapter 10: ASA Command Reference 171 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/cfg Configuration Menu

The Configuration menu is used for performing SSL and system-wide configuration, as well as for saving and restoring ASA configurations to and from a TFTP or FTP server.

[Configuration Menu] ssl - SSL offload menu xnet - Xnet menu sys - System-wide parameter menu ptcfg - Backup current configuration to TFTP/FTP server gtcfg - Restore current configuration from TFTP/FTP server dump - Dump configuration on screen for copy-and-paste

Table 10-11 Configuration Menu Options (/cfg)

Command Syntax and Usage

ssl Displays the SSL menu. To view menu options, see page 175.

xnet Displays the Xnet menu. To view menu options, see page 252.

sys Displays the System Configuration menu. To view menu options, see page 299.

172 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-11 Configuration Menu Options (/cfg)

Command Syntax and Usage

ptcfg Saves the current configuration, including private keys and certificates, to a TFTP/FTP server. The configuration can later be restored by using the gtcfg command. You are required to specify a password phrase before the information is sent to the TFTP/FTP server. If you restore the configuration by using the gtcfg command, you will be prompted for the password phrase you have specified. The password phrase is used to protect the private keys in the configuration. Note 1: If you have fully separated the Administrator user role from the Certificate Administrator user role, the export passphrase defined by the certificate administrator is used to protect the private keys in the configuration—transparently to the user. When a configuration backup is restored by using the gtcfg command, the certificate administrator must enter the correct passphrase. For more information on separating the Administrator user role from the Certificate Administrator user role, see “Adding a New User” on page 66. Note 2: When using the ptcfg command on an ASA FIPS, private keys are encrypted using the wrap key that was generated when the first HSM card in the cluster was initialized.

gtcfg Restores a configuration, including private keys and certificates, from a TFTP/FTP server. You need to provide the password phrase you specified when saving the configuration to the TFTP/FTP server. Note: If you have fully separated the Administrator user role from the Certificate Administrator user role (by removing the admin user from the certadmin group), the certificate administrator must enter the passphrase that he or she defined by using the /cfg/sys/user/caphrase command.

dump Dumps the current configuration on screen in a format that allows you to restore the configuration without using a TFTP server. Save the configuration to a text file by performing a copy-and-paste operation to a text editor. The configuration can later be restored by pasting the contents of the saved text file at any command prompt in the command line interface using the global paste command. When pasted, the content is batch processed by the ASA. To view the pending configuration changes resulting from the batch processing, use the diff command. To apply the configuration changes, use the apply command. If you choose to include private keys in the configuration dump, you are required to specify a password phrase. The password phrase you specify applies to all private keys. When restoring a configuration that includes private keys, use the global paste command. Before pasting the configuration, you will be prompted for the password phrase you have specified. Note: When using this command on an ASA FIPS, private keys are only displayed for client certificates.

Chapter 10: ASA Command Reference 173 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Viewing, Applying and Removing Changes As you use the configuration menus to set ASA parameters, the configuration changes you make do not take effect immediately. All changes are considered “pending” until you explicitly apply them.

While configuration changes are in the pending state, you can do the following:

View the pending changes Apply the pending changes Remove the pending changes

Viewing Pending Changes You can view all pending configuration changes by using the diff command at the menu prompt.

>> # diff

If you have pending configuration changes when using the exit command to log out from the command line interface, you will be prompted to view the pending changes by using the diff command. You can then either apply the changes, or remove them.

Applying Pending Changes To make your configuration changes active, you must apply them. To apply pending configuration changes, use the apply command at the menu prompt.

>> # apply

Removing Pending Changes To remove your pending configuration changes before they have been applied, use the revert command at the menu prompt.

>> # revert

NOTE – The diff, apply and revert commands are global commands. Therefore, you can enter these commands at any menu prompt in the command line interface.

174 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/cfg/ssl SSL Configuration Menu

[SSL Menu] dns - DNS client settings cert - Certificate menu server - SSL server menu test - Create test server and certificate quick - Quick server setup wizard

The SSL Configuration menu is used for configuring SSL certificates and virtual SSL servers. There are also menu options for viewing the current settings, and for creating a test server and a test certificate.

Table 10-12 SSL Configuration Menu Options (/cfg/ssl)

Command Syntax and Usage

dns Displays the DNS client settings menu. To view menu options, see page 177.

cert Displays the Certificate menu, after you have typed the index number of an existing certificate or a new certificate. To view menu options, see page 179.

server Displays the Server menu, after you have typed the index number of an existing virtual SSL server or a new server. To view menu options, see page 190.

Chapter 10: ASA Command Reference 175 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-12 SSL Configuration Menu Options (/cfg/ssl)

Command Syntax and Usage

test Creates a test SSL server using the first available virtual SSL index number. The default name of the test server is test_server. A test certificate and key are also created for the test SSL server. When executing the test command, you are asked to specify the IP address of a virtual server (defined on the Alteon Application Switch). The virtual server you specify will then make use of the services the test SSL server provides (HTTPS offload by default). You also need to specify which type of test SSL server you want to create. Depending on the type you choose to create, you will be prompted for additional related information. Valid SSL server types include the following: generic: When selecting the generic SSL server type, you only need to specify a virtual server IP address. A generic SSL server listens on port 443 (HTTPS) and runs in transparent proxy mode. Contents handled by a generic SSL server is treated as generic data and will not be parsed. http: When selecting the HTTP SSL server type, you only need to specify a virtual server IP address. A HTTP server shares many of its characteristics with the generic server type, but content is parsed as HTTP requests and responses. This paves the way for using a number of HTTP configuration options on the non-encrypted contents. socks: A socks server is only required in configurations supporting the SSL VPN client exclusively, i.e. without the need for SSL VPN Portal interaction. To support both the SSL VPN client and the SSL VPN Portal, a portal server is sufficient. portal: A portal server is required to set up an SSL VPN Portal. When selecting the portal SSL server type, you can choose to map the test server to an existing Xnet domain or create a new Xnet domain. If you choose to create a new Xnet domain, you will also be prompted for a user name and password for a test user. The test user is automatically mapped to the test group which the system creates in the new Xnet domain. Members of the test group have unlimited access according to Access rule 1, which is automatically created in the test group. The local authentication mechanism is likewise automatically configured, which means that Portal user authentication is performed against the ASA’s local database where the test user is automatically stored. The test user’s credentials are used to log in to the Portal for testing purposes. For each of the above SSL server types, you have the option to use an existing certificate (if available), identified by the certificate index number, or create a test certificate. For more information on the characteristics and capabilities of the respective server type, see the type command on page 192.

quick Starts the Quick Server Setup Wizard. For more information about using the Quick Server Setup Wizard, see “Using the Quick Server Setup Wizard” on page 101. Note: This command cannot be used on an ASA FIPS running in FIPS mode. Due to FIPS security requirements, FIPS mode prohibits importing of private keys.

176 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/cfg/ssl/dns DNS Client Settings Configuration

[DNS Client Settings Menu] cachesize - Set Local DNS cache size retransmit - Set DNS Retransmit interval timer count - Set DNS Retransmit counter ttl - Set Max TTL health - Set Health check interval hdown - Set Health check down counter hup - Set Health check up counter

The DNS Client Settings menu is used for fine tuning DNS settings. The DNS Client settings interact with the DNS servers that are added to the system configuration using the /cfg/sys/dns/add command.

The DNS client settings mainly come into play when name resolution queries that involve HTTP traffic are performed.

Table 10-13 DNS Client Settings Menu Options (/cfg/ssl/dns)

Command Syntax and Usage

cachesize Sets the maximum number of DNS entries contained in the local DNS cache. The default DNS cache size is 1000 entries.

retransmit Sets the interval for retransmitting a DNS query. The default retransmit value is 2 seconds.

count Sets the maximum number of times a DNS query is retransmitted. The default value is 3.

ttl Sets the maximum Time-To-Live for a DNS entry in the cache. If you want to specify a value in minutes, hours or days, enter an integer directly followed by the letter m, h, or d. If you enter an integer not followed by one of these letters, seconds is implied. The default TTL value is 1 hour (1h).

health Sets the DNS server health check interval. The ASA will perform a DNS query to each of the DNS servers added to the system configuration at the specified interval to determine the health check status. The default health check interval is set to 10 seconds (10s).

Chapter 10: ASA Command Reference 177 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-13 DNS Client Settings Menu Options (/cfg/ssl/dns)

Command Syntax and Usage

hdown Sets the number of times a DNS server health check can time out before the ASA determines the DNS server as down. The default health check down counter is set to 2.

hup Sets the number of times a DNS server health check returns a positive response before the ASA determines the DNS server as up. The default health check up counter is set to 2.

178 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/cfg/ssl/cert Certificate Management Configuration

[Certificate 1 Menu] name - Set certificate name cert - Set certificate key - Set private key revoke - Revocation menu genkey - Generate private key gensigned - Generate signed client/server certificate request - Generate certificate request sign - Sign a certificate request test - Generate test certificate and key import - Import key and certificate from remote machine export - Export certificate and key with TFTP/FTP display - Display certificate and key show - Show certificate information info - Show certificate subject information validate - Check if key and certificate match keysize - Show key size keyinfo - Show how key is stored del - Remove certificate

The Certificate menu is used for managing private keys and certificates. When accessing the Certificate menu, you are requested to specify the index number of the certificate you want to work with. When adding a new certificate, specify an unused index number. You can add up to 1500 certificates to the ASA. Any unused index number can be assigned to a certificate, including numbers higher than 1500. To view basic information about all certificates added to the ASA, use the /info/certs command.

Table 10-14 Certificate Menu Options (/cfg/ssl/cert)

Command Syntax and Usage

name Assigns a name to the certificate. The assigned name is mainly for your own reference.

Chapter 10: ASA Command Reference 179 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-14 Certificate Menu Options (/cfg/ssl/cert)

Command Syntax and Usage

cert Lets you paste the contents of a certificate file from a text editor. If the certificate file contains both the private key and the certificate, you can paste the entire contents at the menu prompt. In this case, you will not need to paste the private key separately using the key command. If the key has been password protected, you are prompted for the correct password phrase. When using the cert command to add a certificate to the ASA, the certificate (and key, if present) must be in the PEM format. If a certificate is already installed using the current certificate index number, that certificate will be overwritten by pasting another certificate to the same index number. Use the show command to verify that the current certificate index number is not in use. Note: This command cannot be used on an ASA FIPS running in FIPS mode, if the certificate file also contains the private key, or if you need to import the private key associated with the public key in the certificate from an external source. Due to FIPS security requirements, FIPS mode prohibits importing of private keys.

key Lets you paste the contents of a key file from a text editor. Make sure the key file corresponds to the public key contained in the related certificate file. If the key has been password protected, you are prompted for the correct password phrase. When using the key command to add a private key to the ASA, the key must be in the PEM format. If a key is already installed using the current certificate index number, that key will be overwritten by pasting another key to the same index number. Use the keyinfo command to verify that the current certificate index number is not in use. After you have added the private key you should use the validate command to ensure that the private key matches the public key in the current certificate. Note: This command cannot be used on an ASA FIPS running in FIPS mode. Due to FIPS security requirements, FIPS mode prohibits importing of private keys.

revoke Displays the Revocation menu. To view menu options, see page 185.

genkey Generates a PEM (Privacy Enhanced Mail) encrypted private key. After specifying a key length (512, 1024, or 2048 bits, with 1024 bits being the default key length), the key is generated immediately. Note that existing keys in the current certificate number are overwritten when you execute the apply command. To save the key to a file, use the display command to display the encrypted key on-screen. You can then perform a copy-and-paste operation to a text editor and save the key to a file. When using the display command, you also have the option of protecting the key with a password by specifying a password phrase.

180 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-14 Certificate Menu Options (/cfg/ssl/cert)

Command Syntax and Usage

gensigned server|client Generates a server or client certificate that is signed using the private key associated with the currently selected certificate. server: Generates a signed server certificate provided with key use options that are appropriate for server usage. Setting the CA cert value to true is appropriate if you plan to issue your own client certificates or chained server certificates, generating them from the currently generated server certificate. The CA cert value you specify when generating a certificate translates into the X509v3 Basic Constraints property in the generated certificate. The properties of a certificate available on the ASA can be viewed by entering the following command: /cfg/ssl/cert #/show client: Generates a client certificate that is signed using the private key associated with the currently selected certificate. In order to authenticate a client that is using the generated client certificate, you must also specify the currently selected certificate as a CA certificate to the virtual SSL server handling the authentication for the intended service. Specify the CA certificates used for authenticating client certificates by entering the /cfg/ssl/server command. After specifying the desired SSL server, enter the ssl/cacerts command and specify the desired CA certificate by its index number. For more information about generating client certificates, see “Generating Client Certificates on the ASA” on page 91. Note: Only certificates that have the basic constraint CA:TRUE can be used to generate server or client certificates. When generating a certificate, the ASA automatically checks that the currently selected certificate has the basic constraint CA:TRUE.

request Generates a certificate signing request (CSR), which can be further processed by a certificate authority (CA) such as VeriSign, Entrust, or any other CA. During the process of generating a CSR, you are asked whether to generate a new private key. The default answer is Yes. However, if you want to generate a CSR using the existing private key, you should answer No. If your existing certificate is reaching its expiration date and you only want to renew it, you should keep using the existing private key and answer No. For more information about how to generate a CSR, see “Generating and Submitting a CSR Using the CLI” on page 76.

Chapter 10: ASA Command Reference 181 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-14 Certificate Menu Options (/cfg/ssl/cert)

Command Syntax and Usage

sign Signs a CSR (Certificate Signing Request) by using the private key associated with the currently selected certificate. First, open the CSR file in a text editor and copy the entire contents, including the text “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-- ---”. Then, after having issued the sign command, follow the instructions on screen. Note: This command is primarily intended to be used when you have configured the virtual SSL server to perform end to end encryption, and you want to sign a CSR generated on a backend Web server by using a CA certificate on the ASA. (The signed CSR can then be installed on the backend Web server as a server certificate). In such a configuration, make sure the certificate you used for signing the CSR is specified as a CA certificate on the virtual SSL server. To set a certificate as a CA certificate used by a particular virtual SSL server, enter the command /cfg/ssl/server #/adv/sslconnect/verify/cacerts and specify the index number of the appropriate CA certificate.

test Generates a self-signed certificate and private key for testing purposes. After providing the requested information, the certificate and key are generated immediately. However, to activate the test certificate and key, you need to execute the apply command. Note: If a certificate and key already exist for the current certificate index number, they are overwritten when you execute the apply command. You should therefore always choose an unused certificate index number before creating a test certificate. To check if a certificate and key already exist for the current index number, use the info command.

import Installs a private key and certificate by downloading it from a TFTP or FTP server. If the private key has been password protected, you are prompted for the correct password phrase. Keys in the following formats can be imported using the import command: PEM, DER, NET, PKCS8 (used in WebLogic), PKCS12, and keys in the proprietary format used in MS IIS 4. Keys from Netscape Enterprise Server or iPlanet Server can also be imported, but require that you first use a conversion tool. Contact Nortel Networks for more information about the conversion tool. Certificates in the following formats can be imported using the import command: PEM, DER, NET, PKCS7, and PKCS12. If a key or certificate is already installed using the current certificate index number, that key/certificate will be overwritten by installing another key/certificate to the same index number. Use the keyinfo and show command respectively, to verify that the current certificate index number is not in use. Note: This command cannot be used on an ASA FIPS running in FIPS mode, if the certificate file also contains the private key, or if you need to import the private key associated with the public key in the certificate from an external source. Due to the FIPS security requirements, FIPS mode prohibits importing private keys.

182 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-14 Certificate Menu Options (/cfg/ssl/cert)

Command Syntax and Usage

export Exports the current key and certificate to a TFTP or FTP server in the specified format. Keys and certificates can be exported and saved into four different formats: PEM, DER, NET, or PKCS12. These formats have different capabilities regarding private key encryption and the ability to save the private key and the certificate in separate files. Only the DER format does not offer private key encryption. The DER format and the NET format lets you store the private key and the certificate in separate files. The PEM format and the PKCS12 format always combine the private key and the certificate in the same file. Most Web browsers allow importing a combined key and certificate file in the PKCS12 format. Note: When using this command on an ASA FIPS, you can only export the certificate to a TFTP/FTP server—not the private key. For client certificates however, both the certificate and the private key can be exported to a TFTP/FTP server using the export command.

display Displays the current key and certificate in the CLI. When executing the display command, you are provided with the option to protect the private key with a password phrase. This adds an extra layer of security and is recommended. You can perform a cut-and-paste operation on the key section into a text editor, and save the private key to a file with the .PEM extension. Repeat the cut- and-paste operation on the certificate section and save it to a file with the .PEM extension. You may also save both the key and the certificate to the same file, again using the .PEM extension. If you need to save a certificate and key in another format than the PEM format, use the export command instead. Note: When using this command on an ASA FIPS, only the certificate section is displayed unless the currently selected certificate is a client certificate. For client certificates, both the certificate section and the private key section are displayed and can be saved into a text editor using a cut- and-paste operation.

show Displays detailed information related to the certificate, except the certificate name.

info Displays the serial number, the expiration date, and information related to the subject of the current certificate.

validate Validates that the private key matches the public key in the current certificate.

keysize Displays the key size of the private key in the current certificate.

Chapter 10: ASA Command Reference 183 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-14 Certificate Menu Options (/cfg/ssl/cert)

Command Syntax and Usage

keyinfo Provides information about how the private key associated to the currently selected certificate is protected. For the ASA without the HSM card, private keys are protected by the cluster. For the ASA FIPS, private keys are protected by the HSM card. However, when generating a client certificate, the associated private key is protected by the cluster and not by the HSM card. This is necessary in order to transfer both the certificate and the private key to the client using the export command.

del Removes the current certificate and key.

184 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/cfg/ssl/cert /revoke Certificate Revocation Configuration

[Revocation Menu] add - Add serial number to revocation list addx - Add serial number to revocation list del - Cancel revocation for a serial number list - List revoked certificates rev - Enter revocation list import - Import revocation list from remote machine automatic - Automatic CRL retrieval menu

The Certificate Revocation menu is used for revoking client certificates.

Table 10-15 Certificate Revocation Menu Options (/cfg/ssl/cert/revoke)

Command Syntax and Usage

add Adds a client certificate, specified by its serial number, to the current certificate revocation list.

addx Adds a client certificate, specified by its serial number in hexadecimal form, to the current certificate revocation list. When using the list command to view revoked certificates, certificates added by using the hexadecimal form are listed using their decimal form.

del Removes a client certificate, specified by its serial number, from the current certificate revocation list. This will cancel the revocation of the specified certificate.

list Lists the serial numbers of client certificates that will be revoked on client authentication.

rev Lets you paste the contents of a certificate revocation list in the PEM or ASCII format from a text editor. The revocation list is used to revoke client certificates issued by a particular certificate authority (CA). The currently selected certificate index number (Cert 1, for example) should hold the CA certificate of the same CA as from which you obtained the certificate revocation list. To view information about the currently selected certificate, use the /cfg/ssl/cert #/show command. If your organization has issued its own client certificates, it may as well have created its own certificate revocation list in ASCII format. Such a list can also be pasted and added to the CA certificate that was used in order to generate the client certificates.

Chapter 10: ASA Command Reference 185 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-15 Certificate Revocation Menu Options (/cfg/ssl/cert/revoke)

Command Syntax and Usage

import Adds a certificate revocation list in PEM, DER or ASCII format by downloading it from a TFTP or FTP server. The revocation list is used to revoke client certificates issued by a particular certificate authority (CA). The currently selected certificate index number (Cert 1, for example) should hold the CA certificate of the same CA as from which you obtained the certificate revocation list. To view information about the currently selected certificate, use the /cfg/ssl/cert #/show command. If your organization has issued its own client certificates, it may as well have created its own certificate revocation list in ASCII format. Such a list can also be downloaded and added to the CA certificate that was used in order to generate the client certificates.

automatic Displays the Automatic CRL menu. To view menu options, see page 187.

186 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/cfg/ssl/cert /revoke/automatic Automatic CRL Menu

[Automatic CRL Menu] url - Set URL to retrieve CRL from authDN - Set LDAP DN used for bind/authentication passwd - Set password to use when to authenticate interval - Set refresh interval cacerts - Set list of accepted signers of CRLs ena - Enable automatic retrieval dis - Disable automatic retrieval

The Automatic CRL menu is used for configuring access to a server containing CRLs (certificate revocation lists), and retrieving such lists at regular intervals in order to automate the task of keeping the CRL up-to-date.

NOTE – When enabling automatic retrieval of certificate revocation lists, any existing revocation list is overwritten.

You can use LDAP, HTTP, or TFTP to retrieve CRLs from the appropriate server (for LDAP, the server must support LDAP v3). When using LDAP, a bind operation to the specified LDAP server is performed each time a CRL retrieval occurs. The bind operation uses the specified distinguished name and password. Directly after a successful bind operation, a search for the CRL attribute specified in the URL is performed on the LDAP server. For more information on the implementation details behind these operations, see RFC 2251.

Chapter 10: ASA Command Reference 187 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-16 Automatic CRL Menu Options (/cfg/ssl/cert/revoke/automatic)

Command Syntax and Usage

url Sets the complete URL for retrieving a CRL using LDAP, HTTP, or TFTP. If you are not using the default TCP port of the respective protocol, the TCP port number must also be included in the URL. If you want to retrieve CRLs from an LDAP server, you need to provide the distinguished name of the specific object on the LDAP server, together with the attribute that holds the CRL (all in accordance with RFC 2255). Example: ldap://10.42.128.30:389/cn=VeriSign CRL,o=Your Organization? CertificateRevocationList;binary Using HTTP or TFTP, the URL you specify must include the specific file name you want to access. The recognized URL syntax is a subset of RFC 1738, and can be defined as: ://[:]/. Example: http://10.42.128.30/server.crl

authDN Sets the distinguished name used for binding and authenticating the initiated LDAP session on the specified LDAP server. Check your LDAP server documentation for details on binding, authentication, and access control. Example: cn=Bill Smith,o=Your Organization When using HTTP or TFTP to retrieve a CRL, you don’t need to provide a distinguished name for binding and authentication.

passwd Sets the password used for binding and authenticating the initiated LDAP session on the specified LDAP server. Check your LDAP server documentation for details on binding, authentication, and access control. When using HTTP or TFTP to retrieve a CRL, you don’t need to provide a password for binding and authentication.

interval Sets the time interval for retrieving CRLs from the resource you have specified using the url command. If you want to specify a time interval in minutes, hours or days, enter an integer directly followed by the letter m, h, or d. The default interval is 1 day (1d). The shortest time interval allowed is 601 seconds (10 minutes and 1 second).

188 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-16 Automatic CRL Menu Options (/cfg/ssl/cert/revoke/automatic)

Command Syntax and Usage

cacerts Specifies which CA certificates that are valid signers of the certificate revocation lists you retrieve. To get an overview over all available certificates, enter the /info/certs command. When specifying more than one certificate, use commas to separate the corresponding index numbers. Example: 1,2,5 To clear all specified CA certificates, press ENTER when asked to enter certificate numbers, then answer yes to the question if you want to clear the list.

ena Enables automatic retrieval of CRLs. When using the apply command the first time after having enabled automatic retrieval of CRLs, a first retrieval is invoked immediately. After that, retrievals will occur at the specified time interval (where the default value is once every 24 hours).

dis Disables automatic retrieval of CRLs. By default, automatic retrieval is disabled.

Chapter 10: ASA Command Reference 189 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/cfg/ssl/server SSL Server Management Configuration

[Server 1 Menu] name - Set server name vip - Set IP addr of SSL server iplist - List of IP addresses for this Virtual server port - Set listen port of SSL server rip - Set real server IP addr rport - Set real server port type - Set type (generic/http/socks/portal) dnsname - Set DNS name of server proxy - Set transparent proxy mode (on/off) trace - Traffic trace menu ssl - SSL settings menu tcp - TCP endpoint settings menu http - HTTP settings menu dns - DNS settings menu portal - Portal settings menu socks - Socks settings menu adv - Advanced settings menu del - Remove virtual server ena - Enable virtual server dis - Disable virtual server

The SSL Server menu is used for configuring various attributes of a particular virtual SSL server. The number of items available in the menu will vary according to the virtual SSL server type (generic, HTTP, socks, or portal). When accessing the SSL Server menu, you are requested to specify the index number of the virtual SSL server you want to work with. To view information about all configured SSL servers, use the /info/servers command.

Table 10-17 SSL Server Configuration Menu Options (/cfg/ssl/server)

Command Syntax and Usage

name Assigns a name to the virtual SSL server. The assigned name is mainly for your own reference.

vip Sets the virtual server IP address (on the Alteon Application Switch), to which the virtual SSL server is mapped.

190 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-17 SSL Server Configuration Menu Options (/cfg/ssl/server)

Command Syntax and Usage

iplist The iplist command replaces the vip command when standalone mode is enabled (see the /cfg/ssl/server #/adv/standalone command). Standalone should be enabled when using the ASA as a stand-alone Web server accelerator, without any interoperability with an Alteon Application Switch. When stand-alone mode is enabled, the SSL server addresses in the IP list will be distributed among the ASAs. If one or several ASAs fail, the SSL server addresses currently held by these ASAs will migrate to functional ASAs. This means that as long as there is one functional ASA in the cluster, all of the SSL server addresses in the list will be available.

port Sets the TCP port number to which the virtual SSL server listens. The default is port 443 for all virtual SSL servers. The port setting on the ASA must be accompanied by a redirect filter (on the Alteon Application Switch) in which the dport value corresponds to the port value (on the ASA).

rip Sets the IP address of the real server to which the virtual SSL server should connect when initiating requests. When using the ASA in conjunction with an Alteon Application Switch, the real server IP address (RIP) should be the set to 0.0.0.0 (the default setting). This setting instructs the ASA to use the destination IP address found in the received packets, when initiating requests to the virtual server on the Alteon Application Switch to which the virtual SSL server has been mapped. When using the ASA as a stand-alone Web server accelerator, without any interoperability with an Alteon Application Switch, the real server IP address (RIP) should be set to the IP address of the (single) server that the ASA offloads. If you have enabled the built-in load balancing capabilities of the ASA, the rip command is unavailable. Instead, the IP address for each load balanced real server is specified using the /cfg/ssl/server #/adv/loadbalanc/backend #/ip command.

rport Sets the TCP port to which the virtual SSL server connects. The default rport value for all virtual SSL servers that are created is 81. If you are setting up your ASA as a Web server accelerator, the ASA will use this port to send and receive decrypted HTTP information to and from the real Web servers. Note that both the virtual server (on the Alteon Application Switch) and the real servers must also be configured to listen for ASA traffic on port 81. When using the ASA as a stand-alone Web server accelerator (of a single real Web server) in combination with end to end encryption, the rport value should be set to 443. The real Web server must also be configured to listen to TCP port 443. If you have enabled the built-in load balancing capabilities of the ASA, the rport value is neglected. Instead, the TCP port for each load balanced real server is specified using the /cfg/ssl/server #/adv/loadbalanc/backend #/port command.

Chapter 10: ASA Command Reference 191 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-17 SSL Server Configuration Menu Options (/cfg/ssl/server)

Command Syntax and Usage

type generic|http|socks|portal Specifies the virtual SSL server type. Valid options are: generic: When the server type is set to generic, the contents is treated as generic data and will not be parsed. http: When the server type is set to http, the content is parsed as HTTP requests and responses, and you can use the HTTP configuration options on the non-encrypted contents. For more information about HTTP configuration options, see page 201. socks: When the server type is set to socks, a socks server is enabled for the current virtual SSL server. A socks server is only required in configurations supporting the SSL VPN client exclusively, i.e. without the need for SSL VPN Portal interaction. To support both the SSL VPN client and the SSL VPN Portal, a portal server is sufficient. portal: When the server type is set to portal, the SSL VPN Portal is displayed in the client Web browser when a connection request is made. To configure an ASA for browser-based SSL VPN mode, set the virtual server type to portal. For more information about Portal configuration options, see page 217. The default SSL server type is set to generic.

dnsname Assigns a DNS name to the current virtual SSL server. The DNS name you assign is used when the SSL VPN feature is deployed for verifying URLs and for creating the links that appear on the Por- tal home page. When pressing Return after having specified the DNS name, a check will be performed against the DNS server included in the system configuration (see the /cfg/sys/dns command). The system will verify that the fully qualified domain name you have specified for the virtual server (using the /cfg/ssl/server #/dnsname command) is registered in DNS, and that the resolved IP address corresponds to the virtual server IP address. Note: The dnsname command is only available for servers of the HTTP or portal type.

proxy on|off Specifies whether to use Transparent proxy mode. If proxy is set to on, the client’s real IP address is used when the ASA forwards client requests to the real servers. Consequently, it is the client’s IP address that is logged on the real servers, and not the ASA’s IP address (which is “transparent” to the real servers). In order to use the Transparent proxy mode, you need to make sure all client traffic is routed back to the clients through the Alteon Application Switch. The ASA real server group defined on the Alteon Application Switch must use the hash algorithm for server load balancing, and FWLB (Firewall Load Balancing) must be enabled in the appropriate redirect filter on the Alteon Application Switch. If proxy is set to off, the IP address assigned to the ASA is used when client requests are forwarded to the real servers. If a real Web server is logging the client IP address, it will log the ASA’s IP address instead of the real client’s IP address. When proxy is set to off, the ASA works in non-transparent proxy mode, that is. When using non-transparent proxy mode, firewall redirect hash method must not be applied to any real ports on the Alteon Application Switch. The default proxy mode value is on.

192 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-17 SSL Server Configuration Menu Options (/cfg/ssl/server)

Command Syntax and Usage

trace Displays the Trace menu. To view menu options, see page 194.

ssl Displays the SSL settings menu. To view menu options, see page 196.

tcp Displays the TCP settings menu. To view menu options, see page 199.

http Displays the HTTP settings menu. To view menu options, see page 201. Note: This menu item is only available when the SSL server type is set to http.

dns Displays the DNS settings menu. To view menu options, see page 210. Note: This menu item is only available when the SSL server type is set to one of the following: http, socks or portal.

portal Displays the Portal settings menu. To view menu options, see page 217. Note: This menu item is only available when the SSL server type is set to portal.

socks Displays the Socks settings menu. To view menu options, see page 211. Note: This menu item is only available when the SSL server type is set to socks.

adv Displays the Advanced settings menu. To view menu options, see page 220.

del Removes the current virtual SSL server.

ena Enables the current virtual SSL server.

dis Disables the current virtual SSL server.

Chapter 10: ASA Command Reference 193 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/cfg/ssl/server /trace Network Traffic Dump Commands

[Trace Menu] ssldump - Create traffic dump tcpdump - Create traffic dump

The Trace menu is used for capturing and analyzing SSL and TCP traffic flowing between clients and the selected virtual SSL server on the ASA. The commands can be useful for debugging purposes. The ssldump command will decrypt transmitted data traffic, provided private keys and certificates have been configured properly on the selected virtual SSL server.

The ssldump and the tcpdump commands can be permanently deactivated in the ASA cluster. For more information, see the /cfg/sys/distrace command on page page 299.

Table 10-18 Trace Menu Options (/cfg/ssl/server/trace)

Command Syntax and Usage

ssldump interactive|tftp|ftp Creates a dump of the SSL traffic flowing between clients and the currently selected virtual SSL server. The captured information can either be displayed decrypted on screen (the default interactive output mode), or saved as a file to a TFTP or FTP server. A TFTP or FTP server can be specified using either the host name or the IP address in dotted decimal notation. If you choose to send the dump as a file to a TFTP server, a number of files will be sent to the server depending on the amount of captured information. A number is appended to the file name given in the CLI, starting at 1 and incremented automatically for additional files. You will be prompted for a destination file name prefix of your own choice. If you choose to send the dump as a file to an FTP server, you will be prompted for the destination file name, as well as a user name and password valid on the specified FTP server. For detailed information about the default flags used when issuing the ssldump command, as well as customizing the default filter expression, see the SSLDUMP (1) manual pages under UNIX.

194 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-18 Trace Menu Options (/cfg/ssl/server/trace)

Command Syntax and Usage

tcpdump interactive|tftp|ftp Creates a dump of the TCP traffic flowing between clients and the currently selected virtual SSL server. The captured information can either be displayed on screen (the default interactive output mode), or saved as a file to a TFTP or FTP server. A TFTP or FTP server can be specified using either the host name or the IP address in dotted decimal notation. You can read a saved TCP traffic dump file using the TCPDUMP or Ethereal application on a remote machine. If you choose to send the dump to a TFTP server, a number of files will be saved on the server depending on the amount of captured information. A number is appended to the file name given in the CLI, starting at 1 and incremented automatically for additional files. You will be prompted for a destination file name prefix of your own choice. If you choose to send the dump as a file to an FTP server, you will be prompted for the destination file name, as well as a user name and password valid on the specified FTP server. For detailed information about the default flags used when issuing the tcpdump command, as well as customizing the default filter expression, see the TCPDUMP (8) manual pages under UNIX.

Chapter 10: ASA Command Reference 195 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/cfg/ssl/server /ssl SSL Settings Configuration

[SSL Settings Menu] cert - Set server certificate cachesize - Set SSL cache size cachettl - Set SSL cache timeout cacerts - Set list of accepted signers of client certificates cachain - Set list of CA chain certificates protocol - Set protocol version verify - Set certificate verification level ciphers - Set cipher list ena - Enable SSL dis - Disable SSL

The SSL Settings menu is used for configuring SSL-specific settings for a particular virtual SSL server.

Table 10-19 SSL Settings Menu Options (/cfg/ssl/server/ssl)

Command Syntax and Usage

cert Specifies which server certificate is used by the current virtual SSL server. To view basic information about available certificates, use the /info/certs command. To add a new certificate, see “Adding Certificates to the ASA” on page 81. Note that each virtual SSL server may only use one server certificate.

cachesize Sets the size of the SSL cache. The default value is 4000 cached sessions. If you notice that there are many cache misses, the cachesize value can be increased for better performance. To view the number of cache misses for a virtual SSL server, use the /stats/server #/cachemisse command (where you replace “#” with the index number of the desired virtual SSL server).

cachettl Sets the maximum Time To Live (TTL) value for items in the SSL cache, before they are dis- carded. The default TTL value is 5 minutes.

196 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-19 SSL Settings Menu Options (/cfg/ssl/server/ssl)

Command Syntax and Usage

cacerts Specifies which of the available CA certificates to use for client authentication. CA certificates are added the same way as an SSL server certificate—either via a cut-and-paste operation, or via TFTP/FTP from a remote host. Both actions are performed from the Certificate menu. To get an overview over available certificates, enter the /info/certs command. When specifying more than one certificate, use commas to separate the corresponding index numbers. Example: 1,2,5 To clear all specified CA certificates, press ENTER when asked to enter the certificate numbers, then answer yes to the question if you want to clear the list. Note: If you are using one of the available certificates to generate your own client certificates, you must specify it as a CA certificate in order to successfully authenticate clients. For more information on client authentication, see “Configuring a Virtual SSL Server for Client Authentication” on page 89.

cachain Specifies the CA certificate chain of the server certificate. The chain starts with the issuing CA certificate of the server certificate, and can range up to the root CA certificate. This command explicitly constructs the server certificate chain, which is sent to the browser in addition to the server certificate. When specifying more than one certificate, use commas to separate the corresponding index numbers. Example: 1,2,5 To clear all specified chain certificates, press ENTER when asked to enter the certificate numbers, then answer yes to the question if you want to clear the list. Note: When configuring the virtual SSL server to use chain certificates, the protocol version must be set to SSL3 or SSL23.

protocol ssl2|ssl3|ssl23|tls1 Specifies the protocol to use when establishing an SSL session with a client. Valid options are: ssl2: Only accept SSL 2.0. ssl3: Accept SSL 3.0 and TLS 1.0. ssl23: Accept SSL 2.0, SSL 3.0, and TLS 1.0. tls1: Only accept TLS 1.0. The default protocol value is ssl3.

verify none|optional|require Specifies the level of client authentication to use when establishing an SSL session. Valid options are: none: No client certificate is required. optional: A client certificate is requested, but the client need not present one. require: The client must present a valid certificate in order to establish a session. The default verify value is none.

Chapter 10: ASA Command Reference 197 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-19 SSL Settings Menu Options (/cfg/ssl/server/ssl)

Command Syntax and Usage

ciphers Lets you change the default cipher preference list, which corresponds to ALL@STRENGTH. For more information about cipher lists, see “Cipher List Formats” on page 345.

ena Enables SSL on the current virtual SSL server. By default, SSL is enabled on all virtual SSL servers.

dis Disables SSL on the current virtual SSL server.

198 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/cfg/ssl/server /tcp SSL Server TCP Settings Configuration

[TCP Settings Menu] cwrite - Set client TCP write timeout ckeep - Set client TCP keep alive timeout swrite - Set server TCP write timeout sconnect - Set server TCP connect timeout csendbuf - Set client TCP send buffer size crecbuf - Set client TCP receive buffer size ssendbuf - Set server TCP send buffer size srecbuf - Set server TCP receive buffer size

The TCP Settings menu is used for configuring various TCP timeout and buffer size settings on both the client and the virtual SSL server side.

Table 10-20 TCP Settings Menu Options (/cfg/ssl/server/tcp)

Command Syntax and Usage

cwrite Sets the timeout value for how long the virtual SSL server should wait for a write operation towards the client(s) to complete. The default client write timeout value is 15 minutes (900 seconds).

ckeep Sets the timeout value for how long the virtual SSL server should wait before closing an idle session. The default client keep alive timeout value is 15 minutes (900 seconds).

swrite Sets the timeout value for how long the virtual SSL server should wait for a write operation towards the backend server(s) to complete. The default server write timeout value is 15 minutes (900 seconds).

sconnect Sets the timeout value for how long the virtual SSL server should wait for a server connection when trying to open a TCP connection. The default server connect timeout value is 10 seconds.

csendbuf auto| Sets the size of the client TCP send buffer. If you specify a size manually, the buffer size should not be set lower than the normal MTU size which is 1500 bytes. The default client TCP send buffer setting is auto.

Chapter 10: ASA Command Reference 199 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-20 TCP Settings Menu Options (/cfg/ssl/server/tcp)

Command Syntax and Usage

crecbuf auto| Sets the size of the client TCP receive buffer. If you specify a size manually, the buffer size should not be set lower than the normal MTU size which is 1500 bytes. The default client TCP receive buffer setting is auto.

ssendbuf auto| Sets the size of the server TCP send buffer. If you specify a size manually, the buffer size should not be set lower than the normal MTU size which is 1500 bytes. The default server TCP send buffer setting is auto.

srecbuf auto| Sets the size of the server TCP receive buffer. If you specify a size manually, the buffer size should not be set lower than the normal MTU size which is 1500 bytes. The default server TCP receive buffer setting is 6000.

200 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/cfg/ssl/server /http SSL Server HTTP Settings Configuration

[HTTP Settings Menu] redirect - Set handle SSL redirect rewrite - SSL triggered rewrite menu sslheader - Set add SSL header addxfor - Set add X-Forwarded-For header addvia - Set add Via header addxisd - Set add HTTP-X-ISD debug header addfront - Set add Front-End-Https header addclicert - Set add Client-Cert as a HTTP header addnostore - Set add no-cache/no-store HTTP header allowimage - Set allow image caching allowdoc - Set allow document caching allowica - Set allow ica file caching cmsie - Set MSIE session termination bug workaround rhost - Set Rewrite host header to default value defaulthos - Set Default host header value auth - User authentication menu maxrcount - Set Max number of persistent client requests maxline - Set Max line length

The HTTP Settings menu is used for configuring HTTP-specific settings for a particular virtual SSL server.

The HTTP Settings menu is only available if the virtual SSL server has been defined as being of the http or portal type. For more information about virtual SSL server types, see the type command on page page 192.

Chapter 10: ASA Command Reference 201 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-21 HTTP Settings Menu Options (/cfg/ssl/server/http)

Command Syntax and Usage

redirect on|onpath|off|all|allpath The redirect function is designed to enhance a Web server’s built-in redirect functionality, as illustrated by the example below. With redirect set to off, the client request GET /top_page HTTP/1.0 Host: www.testserver.com may first be redirected by the Web server to HTTP/1.0 302 Moved Temporarily Date: Thu, 01 Oct 2003 16:27:51 GMT Server: inets/2.5.3 Location: http://www.testserver.com:81/login With redirect set to on, the ASA rewrites http:// to https:// according to the following pattern: HTTP/1.0 302 Moved Temporarily Date: Thu, 01 Oct 2003 16:27:51 GMT Server: inets/2.5.3 Location: https://www.testserver.com/login Before rewriting http:// to https://, the ASA performs a validation of the following criteria: The protocol must be HTTP. The domain name in the Host header of the client request must correspond to the domain name in the Location header of the Web server redirect. The TCP port in the Web server redirect must correspond to the specified rport value for the virtual SSL server on the ASA. Other valid options for the redirect command are: onpath: An http:// string that is embedded in the path section of an URL is also rewritten to https://, following the same validation criteria as for the on setting. off: No Web server redirects are rewritten to https://. all: All Web server redirects are rewritten to https://, regardless of the domain name and port in the original client request. Use this setting with caution. allpath: An http:// string that is embedded in the path section of an URL is also rewritten to https://, following the same rules as for the all setting. The default redirect value is on. Note: When using the redirect feature, the ASA must be configured to use a DNS server, and the responding DNS server must be able to perform reverse DNS lookups. When the ASA performs a reverse DNS query of the virtual server IP address (VIP), the resolved name must match the domain name in the Host header of the client request.

202 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-21 HTTP Settings Menu Options (/cfg/ssl/server/http)

Command Syntax and Usage

rewrite Displays the Rewrite menu. To view menu options, see page 207.

sslheader on|off|remove Specifies how the virtual SSL server handles the optional X-SSL header. When added, the X-SSL header contains information about the particular cipher suite that was used during the SSL session—information that can be logged on the Web servers. The information can also be used for Web application logical decisions concerning which cipher suites should be accepted. Such a deci- sion would then override the default cipher suite setting for a virtual SSL server on the ASA. Example of an added X-SSL header: X-SSL: decrypted=true, ciphers="TLSv1/SSLv3 RC4-MD5" In case you have configured the virtual SSL server to require client certificates, information about the certificate issuer, the certificate subject, and the serial number is extracted from the client certificate and added to the encryption information in the X-SSL header. Valid options for the sslheader command are: on: An X-SSL header is added to the client request. off: No X-SSL header is added to the client request. remove: The X-SSL header is removed, if present, from the current client request. The default value for the sslheader setting is on.

addxfor on|off|anonymous|remove Specifies how the virtual SSL server handles the optional X-Forwarded-For HTTP header. When added, the X-Forwarded-For header contains information about the peer IP address of the current client connection. This information can be used for enhanced logging purposes. Valid options for the addxfor command are: on: An X-Forwarded-For header is added to the current client request. off: No action whatsoever is taken regarding the X-Forwarded-For header. anonymous: The peer IP address of the current client connection is hidden. remove: The X-Forwarded-For header is removed, if present, from the current client request. The default value for the addxfor setting is off. Note: If there are more than one ASA in a cluster and transparent proxy is set to off, then firewall load balancing (on the Alteon Application Switch) must also be set to off for the addxfor feature to work.

Chapter 10: ASA Command Reference 203 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-21 HTTP Settings Menu Options (/cfg/ssl/server/http)

Command Syntax and Usage

addvia on|off|anonymous|remove Specifies how the virtual SSL server handles the Via HTTP header. When added, the Via HTTP header contains information about the IP address of the virtual server on the Alteon Application Switch. Valid options for the addvia command are: on: A Via header is added to the current client request. off: No action whatsoever is taken regarding the Via header. anonymous: The IP address of the virtual server is hidden. remove: The Via header is removed, if present, from the current client request. The default value for the addvia setting is on.

addxisd on|off Specifies how the virtual SSL server handles the optional HTTP-X-ISD header. This header can be used for debugging purposes when end to end encryption or load balancing of backend servers is performed by the ASA. When added, the extra HTTP-X-ISD header contains information about the IP addresses of both the ASA that initiated the request and the responding backend server, the internal index number of the responding the backend server, whether connection pooling is enabled, the load balancing type and metric, and finally, whether end to end encryption was performed. Example of an added HTTP-X-ISD header: HTTP-X-ISD: 192.168.128.25 192.168.100.1 index=2; pool=on; lb=all-roundrobin; type=http-https Valid options for the addxisd command are: on: An HTTP-X-ISD header is added to the client request. off: No HTTP-X-ISD header is added to the client request. The default value for the addxisd setting is off.

addfront on|off|anonymous|remove Specifies how the virtual SSL server handles the Front-End-HTTPS header. When using Outlook Web Access (OWA) for Microsoft Exchange in combination with the ASA, the virtual SSL server must be configured to add this extra header. The Front-End-HTTPS header enables the receiving OWA server to transform embedded HTTP URLs in a correct manner. Valid options for the addfront command are: on: An extra Front-End-HTTPS header is added to the client request. off: No extra Front-End-HTTPS header is added to the client request. anonymous: No action whatsoever is taken regarding the Front-End-HTTPS header. remove: The Front-End-HTTPS header is removed, if present, from the current client request. The default value for the addfront setting is off.

204 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-21 HTTP Settings Menu Options (/cfg/ssl/server/http)

Command Syntax and Usage

addclicert on|off Specifies how the virtual SSL server handles the optional X-Client-Cert HTTP header. When added, the ASA will insert the entire client certificate (in PEM format) as a multiline HTTP header. The backend Web servers can then perform additional user authentication, based on the information in the client certificate. The backend servers can also make use of any auxiliary fields in the client certificate. Valid options for the addclicert command are: on: An extra X-Client-Cert HTTP header is added to the client request. off: No extra X-Client-Cert HTTP header is added to the client request. The default value for the addclicert setting is off.

addnostore on|off Specifies how the virtual SSL server handles the Cache-Control header in a HTTP 1.1 client connection request, or the Pragma header in a HTTP 1.0 client connection request. When added, the inadvertent release or retention of sensitive information is prevented by not allowing any part of the message to be stored in non-volatile storage. Information stored in volatile storage is removed as promptly as possible after having been forwarded. Valid options for the addnostore command are: on: A Cache-Control: no-store general-header is added to a client HTTP 1.1 request, and a Pragma: no-cache general-header is added to a client HTTP 1.0 request. off: No Cache-Control or Pragma header is added to the client request. The default value for the addnostore setting is on for all virtual SSL servers of the http type.

allowimage on|off Specifies whether or not to allow caching of images. on: No no-cache/no-store headers for images are added. off: No-cache/no-store headers for images are added.

allowdoc on|off Specifies whether or not to allow caching of PDF, Word and Excel documents when clicking document links on intranet web pages during a portal session. To be able to open a document via Inter- net Explorer, this setting should be set to on (default value). However, for security reasons you might want to turn caching of documents off. You can still save a document to your computer by right-clicking it and selecting Save target as. on: No no-cache/no-store headers for documents are added. off: No-cache/no-store headers for documents are added.

allowica on|off When running Citrix using a web client, caching must be allowed. This setting turns off the no- cache headers for ica files. on: No no-cache/no-store headers for ica files are added. off: No-cache/no-store headers for ica files are added.

Chapter 10: ASA Command Reference 205 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-21 HTTP Settings Menu Options (/cfg/ssl/server/http)

Command Syntax and Usage

cmsie on|off|shut Specifies how the virtual SSL server handles the Microsoft Internet Explorer (MSIE) session termination bug workaround. Valid options for the cmsie command are: on: If the client Web browser is MSIE, the virtual SSL server uses the RST (reset) TCP flag instead of the FIN (finish) TCP flag to terminate the client connection. off: The virtual SSL server will always use the FIN (finish) TCP flag to decide when to terminate a client connection. shut: Since terminating the session with RST may cause problems in some network environments, the ASA can be configured to close Windows MSIE SSL sessions with a TCP FIN but without an SSL shutdown, which also circumvents the MSIE SSL session termination bug. The default value for the cmsie setting is shut.

rhost on|off Specifies how the virtual SSL server handles the Host header in a HTTP client connection request. The rhost setting is mainly used when configuring the ASA for Global Server Load Balancing in conjunction with the related Alteon WebSwitch settings. Valid options for the rhost command are: on: The Host header contained in a HTTP client connection request is rewritten to the default value that is defined by using the /cfg/ssl/server #/http/defaulthos command. If the client Web browser does not include a Host header in its connection request, the default Host header is added. off: No action whatsoever is taken regarding the Host header. The default value for the rhost setting is off.

defaulthos Assigns a default text string to the Host header contained in a HTTP client connection request. The default host header text string you define is applied to the Host header in incoming HTTP client connections requests only when the rhost setting is set to on.

auth Displays the WWW-Authenticate Settings menu. To view menu options, see page 208.

maxrcount Sets the maximum number of persistent HTTP client requests allowed at a given time. The default value for the maxrcount setting is 40.

maxline Sets the maximum length of HTTP headers contained in a HTTP client connection request. The default value for the maxline setting is 8192.

206 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/cfg/ssl/server /http/rewrite SSL Server HTTP Rewrite Configuration

[Rewrite Menu] rewrite - Set SSL triggered rewrite ciphers - Set accepted ciphers response - Set source of response URI - Set URI with the weak cipher alert

The Rewrite menu is used for enabling and configuring the HTTP rewrite functionality for a particular virtual SSL server.

Table 10-22 Rewrite Menu Options (/cfg/ssl/server/http/rewrite)

Command Syntax and Usage

rewrite on|off Enables or disables the rewrite functionality for the current virtual SSL server. When you enable the rewrite functionality, a customized error message can be sent back to the client’s Web browser in case the browser is unable to perform the required cipher strength. If the rewrite functionality is not enabled in such a scenario, the client request is simply rejected during the SSL handshake. For more information about how to configure an SSL server to use the rewrite functionality, see the “Configuring the ASA to Rewrite Client Requests” chapter in your Alteon SSL Accelerator 4.1.2 Application Guide. The default rewrite setting is off.

ciphers Lets you change the cipher list used when the SSL rewrite function is enabled. The default cipher list used when the rewrite function is not enabled corresponds to ALL@STRENGTH. When the rewrite function is enabled, the default rewrite cipher list is HIGH:MEDIUM. If you change the default rewrite cipher list from HIGH:MEDIUM when having the rewrite function enabled, remember that the rewrite cipher strength must always be higher than the cipher strength specified by using the /cfg/ssl/server #/ssl/ciphers command (where the default cipher list is ALL@STRENGTH). For more information about supported ciphers and cipher list formats, see page 343.

response iSD|WebServer Specifies whether the iSD (ASA) or a Web server should handle the response message sent back to the client. When response is set to WebServer, use the URI command to point to a resource on a Web server that can provide a customized error message. The default response setting is iSD.

URI Sets the URI pointing to a resource on a WebServer that provides the response message (when response is set to WebServer).

Chapter 10: ASA Command Reference 207 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/cfg/ssl/server /http/auth SSL Server WWW Authentication Settings Configuration

[WWW-Authenticate Settings Menu] mode - Set authentication mode realm - Set realm for authentication xnet - Set xnet domain ena - Enable HTTP User Authentication dis - Disable HTTP User Authentication

The WWW-Authenticate Settings menu is used for restricting access to internal Web servers whose DNS names corresponds to the virtual server IP (VIP) address assigned to the current SSL server.

Users who try to access the resources included in the WWW authentication scheme need to provide their user name and password. These credentials are then validated against one or more authentication methods and user access groups defined in the Xnet domain that you specify as part of the WWW authentication configuration. In the context of WWW authentication, the significance of the Xnet domain is limited to the authentication method used for validating a user’s credentials, as well as the validation of a user’s group membership and associated access control lists.

The WWW-Authenticate Settings menu is only available if the virtual SSL server has been defined as being of the http type. For more information about virtual SSL server types, see the type command on page 192.

Table 10-23 WWW-Authenticate Settings Menu Options (/cfg/ssl/server/http/auth)

Command Syntax and Usage

mode basic|digest|ntlm|portal Sets the authentication mode used by the virtual SSL server. Valid options are: basic: When using basic authentication mode, a login popup window is displayed when the user tries to access the restricted resource. Use basic mode if you don’t have an SSL VPN portal through which users can be authenticated. digest: Not implemented yet. ntlm: Not implemented yet. portal: When using portal authentication mode, the SSL VPN portal Login page is displayed in the user’s Web browser when trying to access the restricted resource. For an SSL VPN user who already has logged in via the portal page and tries to access a resource restricted by WWW authentication, the login page will not be displayed again. The default authentication mode is basic.

208 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-23 WWW-Authenticate Settings Menu Options (/cfg/ssl/server/http/auth)

Command Syntax and Usage

realm Assigns a name to the realm. The realm is mainly for the user’s own information, and is displayed in the login popup window (when using basic authentication mode). The default realm name is Xnet.

xnet Sets the Xnet domain, identified by its domain number. In the context of WWW authentication, the significance of the Xnet domain is limited to applying the authentication methods contained in the Xnet domain configuration. For basic authentication mode, specify the Xnet domain in which you have defined the user access groups that should be provided access to the restricted resource. Make sure that the access rules allow access to the password restricted resource. For portal authentication mode, specify the Xnet domain whose SSL VPN portal you want to use for authenticating users who try to access the password restricted resource. As when using basic authentication mode, the Xnet domain you specify must encompass the user access groups that should be provided access to the restricted resource.

ena Enables HTTP user authentication.

dis Disables HTTP user authentication.

Chapter 10: ASA Command Reference 209 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/cfg/ssl/server /dns SSL Server DNS Settings Configuration

[DNS Settings Menu] domain - Set the default domain for vip search - Set DNS search list

The DNS Settings menu is used for specifying the default DNS domain name associated with the virtual server IP (VIP) address that is assigned to the current SSL server. The menu is also used for specifying the order in which DNS domain names are searched when an SSL VPN user enters an incomplete URL on the SSL VPN Portal’s Browse Intranet tab.

The DNS Settings menu is only available when the virtual SSL server has been defined as being of the http, socks, or portal type. For more information about virtual SSL server types, see the type command on page 192.

Table 10-24 DNS Settings Menu Options (/cfg/ssl/server/dns)

Command Syntax and Usage

domain Sets the default DNS domain name associated with the virtual server IP (VIP) address that is assigned to the current virtual SSL server. Specifying a default DNS domain name is useful if you want the client Web browser to send the cookie set by the current SSL server to all virtual SSL servers residing in the same domain. This eliminates the need for an SSL VPN user to log in repeatedly when requesting various intranet resources after having logged in to the SSL VPN portal. To enable this feature, the current SSL server must be of the portal type, and the domain setting must be set to on. To change the current domain setting for the SSL server, use the /cfg/ssl/server #/portal/domain command. Typically, you specify only the second level domain name and the top level domain name. Example: secondleveldomain.topleveldomain

search Sets the search domains, which are automatically appended to the host names an SSL VPN user types in the various address fields in the SSL VPN Portal (if a match is found). For example, if you specify the search domain example.com, an SSL VPN user can access the Web page inside.example.com by only typing inside in the URL field displayed on the Browse Intranet page in the SSL VPN portal. If you specify more than one domain name, separate the names with comma (,). The domains are searched in the order you specify them, and the search stops when a valid domain name is found.

210 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/cfg/ssl/server /socks Socks Settings Configuration

[Socks Settings Menu] version - Set socks version methods - Set socks methods commands - Set socks commands xnet - Set xnet domain defgroup - Set default group hproxy - Set support for portal http proxy applet http - HTTP proxy settings menu

From SSL VPN version 4.1, SOCKS support is also enabled for portal servers, using the /cfg/ssl/server 1/portal/applet command (enabled by default). The Socks Set- tings menu is still available for backward compatibility and for customers who wants support for the SSL VPN client only (i.e. no SSL VPN Portal support is required).

The Socks Settings menu is only available if the virtual SSL server has been defined as being of the Socks type. For more information about virtual SSL server types, see the type command on page page 192.

Table 10-25 Socks Settings Menu Options (/cfg/ssl/server/socks)

Command Syntax and Usage

version v4|v5|v45 Sets the Socks protocol version used in the communication between the ASA cluster and SSL VPN socks clients. Valid options are: v4: Only protocol version 4 is accepted. v5: Only protocol version 5 is accepted, and socks clients using version 4 are rejected. v45: Both protocol versions 4 and 5 are accepted, and socks clients using either version are accepted. The default Socks protocol setting is v45. Note: Socks version 4 neither supports strong authentication, nor authentication method negotia- tion.

Chapter 10: ASA Command Reference 211 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-25 Socks Settings Menu Options (/cfg/ssl/server/socks)

Command Syntax and Usage

methods user|none Sets the preferred Socks authentication method(s) for Socks protocol version 5. For clients connecting with Socks protocol version 4, these settings are ignored since version 4 does not support authentication. The authentication method you set here comes into play when an SSL VPN user connects to the Xnet domain using the SSL VPN client (i.e. not via the SSL VPN Portal). The available options are: user: Username/Password client authentication is required. none: No client authentication is required. When setting the Socks authentication method to none, make sure you also specify a default user access group (using the defgroup command). The default Socks authentication method is set to user. Note: The Socks authentication method you specify here interacts with the authentication methods defined in the Xnet domain using the /cfg/xnet/domain #auth command. When the Socks method is set to user, an SSL VPN user connecting to the Xnet domain in “transparent mode” is prompted for the user name and password via a pop-up window. These credentials are then verified against one of the authentication methods defined in the Xnet domain. If a match is found, the SSL VPN user is authenticated and the user’s group membership is determined.

commands Sets the permitted Socks client command(s). If you enter more than one command, separate the entries using comma (,). The available options are: connect: Allows the Socks client to send a CONNECT request to the server when it wants to establish a connection to an application server (the destination host). bind: Allows the Socks client to send a BIND request when it wants to prepare for an inbound connection from an application server (the destination host). A client BIND request is only sent after a primary connection to the application server has been established with a CONNECT request. The default Socks commands are set to connect and bind.

xnet

212 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-25 Socks Settings Menu Options (/cfg/ssl/server/socks)

Command Syntax and Usage

defgroup Sets an existing user access group that has been defined using the /cfg/xnet/domain #/group command as the default user access group. The default group is applied when an SSL VPN user’s group membership cannot be determined. This typically happens when an SSL VPN user connects to the Xnet domain in “transparent mode”, and the Socks authentication is set to none. In such a case, the non-authenticated SSL VPN user will automatically become a member of the specified default group, and the access control lists associated with the default group will determine which rights are granted to the user. Note: Because the user to which the default group applies is not authenticated by any means, make sure that the access control lists associated with the group do not grant excessive rights.

hproxy on|off Enables support for the HTTP proxy Java applet that can run in the client browser when the Xnet domain is configured to run in browser-based mode. As the name implies, the HTTP proxy Java applet acts as an HTTP proxy to the client web browser and tunnels HTTP traffic to the Xnet domain via Socks and SSL. By enabling support for the HTTP proxy Java applet, no URLs in Web pages sent to the client browser will break. However, the user will need to reconfigure the proxy server settings in the browser to access intranet Web servers. Instructions for how to change these settings are provided in a pop-up window on the portal Web page when the SSL VPN user selects a service where the HTTP proxy Java applet is involved. The default hproxy setting is off. Note! From version 4.1, support for the HTTP Proxy Java applet is enabled by default for portal servers, with the /cfg/ssl/server 1/portal/applet setting.

http Displays the HTTP Proxy Settings menu. To view menu options, see page 214.

Chapter 10: ASA Command Reference 213 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/cfg/ssl/server /socks/http HTTP Proxy Settings Configuration

[HTTP Proxy Settings Menu] sslheader - Set add SSL header sslsidhead - Set add SSL SID header addxfor - Set add X-Forwarded-For header addvia - Set add Via header addxisd - Set add HTTP-X-ISD debug header addclicert - Set add Client-Cert as a HTTP header addnostore - Set add no-cache/no-store HTTP header maxrcount - Set Max number of persistent client requests maxline - Set Max line length

The HTTP Proxy Settings menu is used to specify how the virtual SSL server should handle different types of HTTP headers.

Table 10-26 HTTP Proxy Settings Menu Options (/cfg/ssl/server/socks/http)

Command Syntax and Usage

214 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-26 HTTP Proxy Settings Menu Options (/cfg/ssl/server/socks/http)

Command Syntax and Usage

Chapter 10: ASA Command Reference 215 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-26 HTTP Proxy Settings Menu Options (/cfg/ssl/server/socks/http)

Command Syntax and Usage

maxrcount Sets the maximum number of persistent HTTP client requests allowed at a given time. The default value for the maxrcount setting is 40.

maxline Sets the maximum length of HTTP headers contained in a HTTP client connection request. The default value for the maxline setting is 8192.

216 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/cfg/ssl/server /portal Portal Settings Configuration

[Portal Settings Menu] authentica - Set User authentication dhost - Set Default backend host dscheme - Set Default backend scheme dgroup - Set default group xnet - Set xnet domain domain - Set add cookie domain using dns/domain applet - Set support for vpn client and portal applets persistent - Set use persistent session cookies wiper - Set use ActiveX component for clearing cache

The Portal settings menu is e.g. used for mapping the current SSL server to a configured Xnet domain, and to enable a client Web browser sending its authentication cookie to all virtual SSL servers within the same domain. Support for Java applets on the SSL VPN Portal and SOCKS support for the SSL VPN client is enabled using the applet command (enabled by default). The wiper command (also enabled by default) clears the cache following a Portal session.

The Portal Settings menu is only available if the virtual SSL server has been defined as being of the portal type. For more information about virtual SSL server types, see the type command on page 192.

Table 10-27 Portal Settings Menu Options (/cfg/ssl/server/portal)

Command Syntax and Usage

authentica on|off By setting this command to off, the ASA can make use of the VPN functionality to SSL acceler- ate an existing intranet Web site, e.g. a portal. Both relative site links (e.g. /site/file.html) and absolute site links (e.g. http://inside.example.com/site/file.html) will be rewritten to include the ASA rewrite prefix. This cannot be achieved with the traditional SSL offload mechanism. The ASA rewrite prefix (boldface) is added to the link properties as shown below: https://vip.example.com/http/inside.example.com/site/file.html To access the intranet Web site, the user should enter the SSL VPN Portal’s IP address or host name. The user will then be redirected to the intranet Web site (specified with the dhost command) without first having to log in to the SSL VPN Portal. If set to off, the dhost, dscheme and dgroup commands will also be displayed on the Portal settings menu (see below). The default setting is on.

Chapter 10: ASA Command Reference 217 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-27 Portal Settings Menu Options (/cfg/ssl/server/portal)

Command Syntax and Usage

dhost Sets the backend Web server host address and path (if required) when authentication is disabled. Example: inside.example.com/portal.html

dscheme http|https Sets the protocol used to access an intranet Web site when authentication is disabled.

dgroup Sets the default group in which users will be placed when authentication is disabled. Users bypassing the SSL VPN Portal this way will automatically be placed in a default group specified with this command. Prior to disabling authentication, configure the default group using the /cfg/xnet/domain #/group command and add the desired access rules for that group. Note: Be careful when defining the access rules for the default group so that user access is truly limited to the specified intranet Web site and allowed links on that Web site.

xnet Maps the current portal SSL server to a configured Xnet domain. To get an overview of the available Xnet domains and their respective configurations, use the /cfg/xnet/cur command.

domain on|off When domain is set to on, the cookie used for client authentication (and set by the current SSL server) can be sent from the client Web browser to all virtual SSL servers within the same domain. The domain to which the cookie is sent is specified by using the /cfg/ssl/server #/dns/domain command. Setting the domain value to on eliminates the need for the SSL VPN user to log in repeatedly when requesting various intranet resources after having logged in to the SSL VPN portal. The default domain setting is set to off.

applet on|off on: Java applets will be supported on the SSL VPN Portal, i.e. when using the Port forwarder, Telnet/SSH access and HTTP Proxy features. SOCKS tunneling using the SSL VPN client will also be supported. off: Java applets will not be supported on the SSL VPN Portal. SOCKS tunneling using the SSL VPN client will not be supported. The default setting is on.

persistent on|off By setting this command to on, persistent cookies will be used for the Portal login session. This means that the user will still be logged in to the Portal even if the browser is shut down. The default setting is off.

218 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-27 Portal Settings Menu Options (/cfg/ssl/server/portal)

Command Syntax and Usage

wiper When Internet Explorer is used, some programs (e.g. Microsoft Word) will only be able to display files requested via the Portal if the files are cached. By setting the wiper command to on, caching will be allowed without leaving sensitive files in the browser cache after a session. When the user enters the Portal he will be asked to download an ActiveX component, i.e. the Wiper. When the user logs out from the Portal or closes browser window, a message will be displayed, asking the user whether or not to clear the cache. A second message will also be displayed, asking the user whether or not to clear the browser history (visited URLs). on: An ActiveX component will be downloaded to the browser and caching will be allowed. The ActiveX component will clear the cache when the Portal session is terminated or when the browser is closed. off: No ActiveX component will be downloaded. To allow caching of documents, use the /cfg/ssl/server #/http/allowdoc/on command. The cache will however not be cleared. The default setting is on. Note: For best performance, the allowdoc command should be set to off when wiper is set to on

Chapter 10: ASA Command Reference 219 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/cfg/ssl/server /adv Advanced Settings Menu

[Advanced Settings Menu] string - String menu blockstrin - Set strings to block pool - Connection pooling menu traflog - UDP syslog Traffic Log menu standalone - Standalone (no switch) menu loadbalanc - Load balancing menu sslconnect - SSL connect menu

The Advanced Settings menu is used for handling the connection pooling, load balancing, and end to end encryption capabilities of the selected virtual SSL server. The number of menu items available in the Advanced Settings menu vary according to the type of virtual SSL server currently selected.

Table 10-28 Advanced Settings Menu Options (/cfg/ssl/server/adv)

Command Syntax and Usage

string Displays the Load Balancing String menu. To view menu options, see page 222. Note: The string menu item is only available when the virtual SSL server type is set to the generic or http type.

blockstrin Specifies which of the defined match strings that are used for blocking client requests. If a client request contains data that matches one of the specified string definitions, the client connection request is terminated. To clear all currently specified blocking strings, press ENTER when asked to enter string numbers, then answer yes to the question if you want to clear the list. Note: The blockstrin command is only available when the virtual SSL server type is set to the generic or http type.

pool Displays the Pool Settings menu. To view menu options, see page 225. Note: The pool menu item is only available when the virtual SSL server type is set to http.

traflog Displays the Traffic Log Settings menu. To view menu options, see page 226. Note: The traflog menu item is only available when the virtual SSL server type is set to http or portal.

220 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-28 Advanced Settings Menu Options (/cfg/ssl/server/adv)

Command Syntax and Usage

standalone Displays the Standalone menu. To view menu options, see page 228. Note: When virtual SSL server type is set to socks, only this menu item is available.

loadbalanc Displays the Load Balancing Settings menu. To view menu options, see page 232. Note: The loadbalanc menu item is only available when the virtual SSL server is set to the generic or http type.

sslconnect Displays the SSL Connect Settings menu. To view menu options, see page 249. Note: The sslconnect menu item is only available when the virtual SSL server is set to one of the following: generic, http, or portal.

Chapter 10: ASA Command Reference 221 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/cfg/ssl/server /adv /string Load Balancing Strings Configuration

[LB String 1 Menu] match - Set string to match location - Set locations to perform the match in icase - Set ignore case in to match negate - Set negate the result of the match del - Remove string

The LB String menu is used for defining strings matching the specified location in a client request. Resulting matches can then be taken into account in the load balancing configuration of the backend servers. When a backend server is configured to use string as the load balancing type, the backend server is only load balanced if a match of the defined string and location is found in a client request. To access the LB String menu, the selected virtual SSL server must be set to the generic or http type.

Table 10-29 LB String Menu Options (/cfg/ssl/server/adv/string)

Command Syntax and Usage

match Lets you define the string matched against incoming client requests handled by the virtual SSL server. A match string may contain the asterisk (*) wildcard character to represent one or more unspecified characters. Example: *.gif Note: After having defined a match string, you must also specify the desired match location(s).

222 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-29 LB String Menu Options (/cfg/ssl/server/adv/string)

Command Syntax and Usage

location Specifies the client request location(s) to which the match string is mapped. A match only occurs when the match string is found in the specified location. Valid match locations can be the name of a header in an HTTP request (such as User-Agent), or an HTTP method (such as GET). Valid match locations are the following special components that may appear in a URL: Params (object parameters) Query (query information) If used, these components appear in the URL in accordance with this generic syntax: :///;?# A valid special string location is: cookie-override: By default, cookie-based persistence overrides string load balancing settings. To override persistence for a string, add cookie-override to the location value for the string. In this way, it is possible to use cookie-based persistence for e.g. all URLs except those ending with *.gif. For a match to occur, you must also specify a valid match location, e.g. URL, cookie-override. The valid macro location values are: url: all of the valid method fields are searched for a match of the defined string. A match of the defined string will only occur if the match string is found in one of the known methods listed below. unknown: unknown method for the ASA. A match will only occur if a method other than the known methods is found. (If you specify url,unknown, as the locations, a match will occur if the match string is found in either a known or unknown method, or both.) header: all of the valid header fields are searched for a match of the defined string. A match will only occur if the match string is found in one of the known headers. other: unknown header field for the ASA. A match will only occur if a header other than the known headers is found. (If you specify header,other, as the locations, a match will occur if the match string is found in either a known or unknown header, or both.) Valid methods are: options, get, head, post, put, delete, trace, and connect. Valid headers are: accept, accept-charset, accept-encoding, accept- language, accept-ranges, age, allow, authorization, cache-control, connection, content-base, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, cookie2, date, etag, expires, fragment, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified- since, keep-alive, last-modified, location, max-forwards, params, pragma, pragma, proxy-authenticate, proxy-authorization, proxy- connection, public, query, range, referer, retry-after, server, set-cookie, set-cookie, transfer-encoding, upgrade, user-agent, vary, via, warning, www-authenticate, x-forwarded-for, and x-ssl. To enter multiple locations, separate the location names with comma (,). To look for a match string in all components of a URL, specify the following as the location: URL,Params,Query.

Chapter 10: ASA Command Reference 223 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-29 LB String Menu Options (/cfg/ssl/server/adv/string)

Command Syntax and Usage

icase on|off Specifies whether case should be considered when searching for a match of the defined string in the specified location of a client request. When set to off, a match string defined as *.GIF is considered different data than the *.gif string found in the URI of a client request, and a match will therefore not occur. The default icase setting is on, which means that case is ignored.

negate on|off Specifies whether the match string you have defined should be negated when searching for a match in a client request. When set to on, all client requests that do not contain the defined match string in the specified location will induce a match. The default negate setting is off.

del Removes the current match string.

224 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/cfg/ssl/server /adv/pool Connection Pooling Configuration

[Pool Settings Menu] timeout - Set pool age timeout ena - Enable connection pooling dis - Disable connection pooling

The Pool Settings menu is used for configuring the connection pooling settings of the ASA. Connection pooling provides for the reuse of SSL sessions in order to improve throughput. When the ASA load balances the backend servers, it can pool both encrypted (port 443) and unencrypted (port 81) server side connections. To access the Pool Settings menu, the selected virtual SSL server must be set to the http type.

Table 10-30 Pool Settings Menu Options (/cfg/ssl/server/adv/pool)

Command Syntax and Usage

timeout Sets the time frame during which a client connection can be idle before the client socket is closed. The default value is 15 seconds.

ena Enables pooling of server side connections for the selected virtual SSL server. Note: When connection pooling is enabled, transparent proxy mode must be set to off. Transpar- ent proxy mode is configured by using the /cfg/ssl/server #/proxy command. The default proxy mode value is on.

dis Disables pooling of server side sockets for the selected virtual SSL server.

Chapter 10: ASA Command Reference 225 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/cfg/ssl/server /adv/traflog Traffic Syslog Configuration

[Traffic Log Settings Menu] sysloghost - Set syslog host IP udpport - Set syslog portnumber priority - Set syslog priority facility - Set syslog facility ena - Enable traffic UDP syslog logging dis - Disable UDP traffic logging

The Traffic Log Settings menu is used for configuring a syslog server, to which UDP syslog messages for all HTTP requests handled by the currently selected virtual SSL server, can be sent. Enabling traffic logging via syslog messages will generate a substantial amount of network traffic, and also place additional CPU load on each ASA device in the cluster. Besides, syslog servers are not generally intended for this type of log messages, and the syslog server might therefore not be able to cope with the amount of syslog messages generated within a cluster of multiple ASA devices. In environments where traffic logging must be performed on the SSL terminating device itself due to laws or regulations, traffic logging via syslog messages can be used. It can also be used temporarily for debugging purposes. This setting will generate traffic; therefore it is recommended that you set up syslog on the backend server if possible.

In general, it is therefore recommended that traffic logging is performed on the backend Web servers instead. The traffic logging performed by backend Web servers can be enhanced by configuring the ASA to add certain HTTP headers. For more information about available extra HTTP headers, see the HTTP Settings menu on page 201.

Below is an example of a syslog message generated on an ASA device: Mar 8 14:14:33 192.168.128.24 : 192.168.128.189 TLSv1/SSLv3 DES-CBC3-SHA "GET / HTTP/1.0"

226 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

To access the Traffic Log Settings menu, the selected virtual SSL server must be set to either the http type or the portal type.

Table 10-31 Traffic Log Settings Menu Options (/cfg/ssl/server/adv/traflog)

Command Syntax and Usage

sysloghost Specifies the IP address of the syslog server to which syslog messages will be sent using a UDP (User Datagram Protocol) connection.

udpport Specifies the UDP port number of the syslog server. The default UDP syslog server port number is set to 514.

priority debug|info|notice Configures the priority level of syslog messages that are sent. Valid priority levels, listed from low to high, are: debug: Messages that contain information mainly of use only for debugging purposes. info: Informational messages. notice: Conditions that are not error conditions, but should possibly be handled specially. The default priority level is set to info.

facility auth|authpriv|daemon|local0-7 Configures the facility parameter of syslog messages. The facility parameter is used to specify what type of program is logging the message. This lets the configuration file specify that messages from different facilities will be handled differently. The default facility parameter is set to local4.

ena Enables traffic logging via syslog messages to the specified syslog server.

dis Disables traffic logging via syslog messages to the specified syslog server. Traffic logging via syslog messages is disabled by default.

Chapter 10: ASA Command Reference 227 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/cfg/ssl/server /adv /standalone Standalone Menu

[Standalone Menu] iplist - List of IP addresses for this Virtual server ena - Enable Standalone for this server dis - Disable standalone for this server

The Standalone menu is used to enable or disable standalone mode for the selected virtual SSL server. The menu is also used to access the IP List menu, in which a set of IP addresses used by the selected virtual SSL server can be specified.

When the ASA is connected to an Alteon Application Switch, the virtual SSL server is always mapped to a virtual server IP address defined on the Application Switch. When the Application Switch receives a client connection request destined for the virtual server, the switch will broadcast an ARP request and redirect the traffic to one particular ASA in the cluster, based on the selected load balancing metric.

When running the ASA in standalone mode—without being connected to an Alteon Applica- tion Switch—each virtual SSL server is still mapped to a virtual server IP address, but the ASA itself must now respond to the ARP requests for incoming client connections destined for the virtual server IP address.

If your particular ASA is equipped with one NIC and you only need to use a maximum of two virtual servers, you can make the ASA broadcast ARP requests by simply assigning the real IP address of the ASA to one virtual server, and the Management IP (MIP) address to the other virtual server. In this case, you don’t have to enable and configure the standalone feature.

If your particular ASA is equipped with dual NICs and you only need to use one virtual server, you can make the ASA broadcast ARP requests by assigning the real IP address of the NIC that faces the Internet side to the virtual server (assuming that the other NIC faces the clean intranet side, and that the MIP can only be reached from within that side). Neither in this case do you have to enable and configure the standalone feature, but you will be restricted to using one single virtual server IP address.

However, as soon as you need to go beyond these limitations regarding the number of virtual servers, you can use the standalone feature to set up an alias IP address for each virtual server IP address required on the ASA.

228 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

The standalone feature is also useful when there is more than one ASA in the cluster, and you want to perform load balancing of a virtual SSL server between all the ASAs in the cluster without using an Alteon Application Switch. In such a case you can define a virtual server IP address for each ASA in the cluster and map the virtual server IP addresses to the same virtual SSL server (assuming the virtual server IP addresses use different TCP ports). Provided all virtual server IP addresses are associated with the same FQDN and registered in DNS, the DNS server can then be configured to perform round robin DNS. The virtual server IP addresses are automatically brought up as evenly distributed virtual interfaces on the ASAs in the cluster. Moreover, if one ASA device should fail, the virtual server IP address bound to the virtual interface on that device is automatically migrated to another ASA in the cluster. This solves the problem with round robin DNS not having any healthcheck mechanism.

Table 10-32 Standalone Menu (/cfg/ssl/server/adv/standalone)

Command Syntax and Usage

iplist Displays the IP List menu. To view menu options, see page page 230.

ena Enables standalone mode for this virtual SSL server.

dis Disables standalone mode for this virtual SSL server. By default, standalone mode for a virtual SSL server is disabled.

Chapter 10: ASA Command Reference 229 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/cfg/ssl/server /adv /standalone/iplist IP List Menu

[IP List Menu] list - List all values del - Delete a value by number add - Add a new value insert - Insert a new value move - Move a value by number

The IP List menu is used for adding, removing, and listing virtual server alias IP addresses that are used by the current SSL server. For the purpose of load balancing a virtual SSL server between a number of ASA devices in the cluster using round robin DNS, one virtual server alias IP address is added for each ASA device in the cluster.

If you have only one ASA device in the cluster and need to create several virtual servers, you normally add and assign only one virtual server alias IP address to a particular virtual SSL server. Hence, only one IP address is added to the IP list.

NOTE – When standalone mode is enabled, the virtual IP address that may have specified for the SSL server using the /cfg/ssl/server #/vip command is overridden by the virtual standalone IP address added to the IP list. If you add more than one standalone IP address to the list, only the first address in the list will be used for logging the statistics related to the virtual SSL server. Bear this in mind when you decide the order of standalone IP addresses in the list.

When configuring standalone mode for the selected SSL server, the virtual server alias IP address(es) added to the list must not be the real IP address of the ASA(s), nor the Manage- ment IP (MIP) address of the ASA cluster.

230 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

You should also make sure that the alias IP addresses you add to the list are associated with the correct FQDN and registered in DNS.

Table 10-33 IP List Menu (/cfg/ssl/server/adv/standalone/iplist)

Command Syntax and Usage

list Lists added values by their index number and IP address.

del Removes the IP address that is represented by the index number you specify. Use the list command to view all IP addresses and related index numbers currently added to the list.

add Adds a virtual server IP address to the list. The virtual server IP address you specify for the virtual SSL server will bind to a virtual interface on the ASA device. You only need to add more than one IP address to the list when there is more than one ASA device in the cluster and you want to perform load balancing of the selected SSL server using round robin DNS. In this case, add one alias IP address for each ASA device in the cluster.

insert Lets you assign a specific index number to the virtual server IP address you add. The index number you specify must be in use. IP addresses with an index number higher than (and including) the one you specify will have their current index number incremented by 1.

move Lets you move a virtual server IP address up or down in the list. To view all virtual server IP addresses, use the list command.

Chapter 10: ASA Command Reference 231 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/cfg/ssl/server /adv /loadbalanc Load Balancing Settings

[Load Balancing Settings Menu] type - Set load balancing type persistenc - Set persistence strategy cookie - Cookie settings menu metric - Set load balancing metric health - Set health check type script - Health check script menu interval - Set health check interval (s) remotessl - Remote SSL connect menu backend - Backend servers menu ena - Enable load balancing dis - Disable load balancing

The Load Balancing Settings menu is used for configuring the various settings related to persistency in client connections, load balancing of backend servers, and health checking of the backend servers. To access the Load Balancing Settings menu, the selected virtual SSL server must be set to the generic or http type.

Table 10-34 Load Balancing Settings Menu Options (/cfg/ssl/server/adv /loadbalanc)

Command Syntax and Usage

type all|string Specifies the load balancing type applied to configured backend servers. Valid options are: all: All backend servers are load balanced according to the specified load balancing metric. Load balancing strings that may have been defined are ignored. string: Only those backend servers for which you have configured one or more match strings are load balanced. Load balancing of these backend servers occur only when a match of the specified string is found in a client request; the load balancing is then performed in accordance with the load balancing metric you have specified. To load balance all backend servers when type is set to string, make sure you have configured each backend server to use one or more match strings. Backend servers are configured by using the /cfg/ssl/server #/adv/loadbalanc/backend # command. Note: When the load balancing type is set to string, persistency options set to cookie or session are ignored.

232 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-34 Load Balancing Settings Menu Options (/cfg/ssl/server/adv /loadbalanc)

Command Syntax and Usage

persistenc none|cookie|session Specifies the method to use in order to obtain persistency in client connections. When a client ini- tiates a connection request to establish a new session, the connection is issued to a backend server according to the load balancing metric you have specified. For all subsequent client requests within an established session, however, the chosen persistency method comes into play and overrides the load balancing metric. Valid options for obtaining persistency in client connections are: none: Specifies that no method is used to obtain persistency in client connections. cookie: Specifies that persistency in client connections is based on cookie information generated and inserted by the ASA. To successfully use this option, client browsers must accept cookies. session: Specifies that persistency in client connections is based on the SSL session information. The default persistence method is none. Note that the cookie and session persistency options are ignored when the load balancing type is set to string. For more information on the type command, see page 232.

cookie Displays the Cookie Settings menu. To view menu options, see page 236.

metric hash|roundrobin|leastconn Specifies the load balancing metric to use for determining which of the configured backend servers that will be the target of the next client request. Valid options are: hash: With this option, a hash metric on the source IP address information in a client connection request is used to select a backend server. roundrobin: Round robin. With this option, new client connection requests are issued to each backend server in turn in a continuously repeating sequence. leastconn: Least connections. With this option, a new client connection request is issued to the backend server with the fewest current connections. The number of connections currently open on each backend server is measured in real time. The leastconn option is the most self- regulating, with the fastest servers typically getting the most connections over time, due to their ability to accept, process, and shut down connections faster than slower servers. The default load balancing metric is hash.

Chapter 10: ASA Command Reference 233 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-34 Load Balancing Settings Menu Options (/cfg/ssl/server/adv /loadbalanc)

Command Syntax and Usage

health none|tcp|ssl|auto|script Specifies the health check method the selected virtual SSL server should use when health checking the backend servers. Valid options are: none: No health checking of backend servers. If load balancing is enabled, all backend servers are included in the load balancing scheme and the backend servers will at all times be considered as “up”. Failed connections to backend servers are still logged (as a total) and can be viewed using the /stats/server #/becnctfail command. tcp: A TCP connection is opened to the backend servers, and is then closed. ssl: A TCP connection is opened to the backend servers, and an SSL connection is then established. Thereafter, the SSL connection is shut down and the TCP connection is closed. Using the ssl health check method requires that you have enabled SSL connect for the current virtual SSL server. To view the current SSL connect settings, enter the following command: /cfg/ssl/server #/adv/sslconnect/cur auto: The default health check method, which uses a built-in script. For more information about the built-in scripts, see the “Script-Based Health Checks” chapter in the Alteon SSL Accelerator 4.1.2 Application Guide. script: Uses a customized health check script, which must first be created by using commands available in the Health Check Script menu. For more information about creating customized health check scripts, see the “Script-Based Health Checks” chapter in the Alteon SSL Accelerator 4.1.2 Application Guide. The default health check method is auto.

script Displays the Health Check Script menu. To view menu options, see page 240.

interval Sets the interval in seconds for health checks of the backend servers to occur. The default health check interval is 10 seconds. Note: Each ASA in the cluster performs its own health checking of backend servers. Therefore, if you set the health check interval to a low value, a considerable amount of network traffic may be generated. The amount of network traffic increases with the number of ASAs in the cluster and the number of backend servers included in the health checking.

remotessl Displays the Remote SSL Connect Settings menu. To view menu options, see page 243.

backend Displays the Backend Server menu. To view menu options, see page 246.

ena Enables load balancing of backend servers.

234 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-34 Load Balancing Settings Menu Options (/cfg/ssl/server/adv /loadbalanc)

Command Syntax and Usage

dis Disables load balancing of backend servers.

Chapter 10: ASA Command Reference 235 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/cfg/ssl/server /adv /loadbalanc/cookie Cookie Settings Configuration

[Cookie Settings Menu] mode - Set cookie mode name - Set cookie name domain - Set cookie domain expires - Set cookie expires expiresdel - Set cookie expires delta localvips - Configure other local VIPs offset - Set cookie value offset length - Set cookie value length

The Cookie Settings menu is used for configuring the cookie properties used by the selected virtual SSL server when cookie is the selected persistence strategy. The Cookie Settings menu is only available when you have configured the virtual SSL server to use cookie-based persistency. For more information on persistency options, see the persistenc command on page 233.

236 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-35 Cookie Settings Menu Options (/cfg/ssl/server/adv/loadbalanc/cookie)

Command Syntax and Usage

mode insert|passive|rewrite Specifies the mode for cookie-based persistence. The default cookie mode is insert (i). The following three modes are available: insert (i): Insert mode. When a client sends a connection request without a cookie, the backend server responds with the requested data, and the ASA inserts a cookie into the data packet. The ASA then uses this cookie on all subsequent connection requests (within a given session) from the same client to bind to the backend server that was first selected using the current load balancing metric. passive (p): Passive mode. When selecting this mode, the backend server must be configured to embed a cookie in the response to the client request. The backend server may be configured to embed a cookie that contains either a backend server IP address in hexadecimal form, or a string of characters as the cookie value. The ASA will then look for this cookie in all subsequent connection requests (within a given session) from the same client, before establishing a connection to a backend server. If the backend server embeds its own IP address in the cookie, the ASA will use the IP address information in the cookie to direct all subsequent traffic within a given session to the corresponding backend server. If the backend server embeds a string of characters as the cookie value, the ASA will perform a hash on the cookie value. The ASA will then select a backend server and direct all subsequent traffic within a given session to the same backend server, based on the hashed cookie value. rewrite (r): Rewrite mode. When selecting this mode, the backend server must be configured to return a special persistence cookie, which the ASA is configured to recognize. When recognized, the ASA intercepts the cookie and rewrites the value to include server-specific information before sending it on to the client. Subsequent connection requests (within a given session) from the same client are sent to the same backend server. For configuration examples including the three different cookie-based persistence modes, see “Configuring Cookie-Based Persistence” in Chapter 7 of the Alteon SSL Accelerator 4.1.2 Appli- cation Guide.

name Sets a cookie name that can be used to identify the cookie used by the virtual SSL server. The default cookie name is ISDSSL.

Chapter 10: ASA Command Reference 237 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-35 Cookie Settings Menu Options (/cfg/ssl/server/adv/loadbalanc/cookie)

Command Syntax and Usage

domain Sets a domain name that is valid for the cookie, e.g. .example.com. In global server load balancing (GSLB) configurations, the case might be that the client browser returns the cookie to another server than the server from which it was originally sent, if they both respond to the same host name (e.g. www.example.com). Since this other server will not recognize the cookie id, it will forward the cookie to other servers using the domain name specified as cookie domain name. Only used for Insert mode.

expires Sets an absolute expiration date for the cookie. The cookie will be cached on the client’s local disk until the date expires, then it will be deleted automatically. Enter the date according to one of the following formats: Sun, 06 Nov 2004 08:49:37 GMT Sunday, 06-Nov-04 08:49:37 GMT Sun Nov 6 08:49:37 2004 If no expiration date is set, the cookie will expire as soon as the client Web browser is shut down. Only used for Insert mode.

expiresdel Sets the time frame during which the cookie will be active. When this time has expired, the cookie will be deleted automatically. If you want to specify a value in hours, enter an integer directly followed by the letter h. If you want to specify a value in minutes, enter an integer directly followed by the letter m. If you enter an integer only, the value in seconds is implied. To specify a value consisting of hours, minutes and seconds, enter e.g. 12h15m30s. If no expiration value is set, the cookie will expire as soon as the client Web browser is shut down. Only used for Insert mode.

localvips Configures other local virtual server IP addresses. The local server needs to recognize sessions that belong to the official site virtual server IP address, as well as its own virtual server IP address that is used in a global server load balancing (GSLB) configuration.

offset Sets the starting point of the real cookie value within a longer string. The offset value directs the ASA to start looking for the real cookie value at the specified location in the string. The default cookie offset value is 1 (byte).

238 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-35 Cookie Settings Menu Options (/cfg/ssl/server/adv/loadbalanc/cookie)

Command Syntax and Usage

length Sets the number of bytes to extract for the cookie value within a longer string. For Passive cookie mode, if you have configured your backend server to use a string of characters that is embedded as the cookie value, you can set the length can be set from 0 to 64 bytes. For Insert or Rewrite cookie mode, if you want the ASA to include the IP address of the backend server in the cookie value, you must set the cookie length to 8. The cookie mode can be set to insert, rewrite, or passive. For Insert or Rewrite cookie mode, if you want the ASA to include both the IP address of the backend server and the IP address of the virtual server (the VIP on the Alteon Application Switch) in the cookie value, you must set the cookie length to 16. The default cookie length value is 8.

Chapter 10: ASA Command Reference 239 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

/cfg/ssl/server /adv /loadbalanc/script Health Check Script Configuration

[Health Check Script Menu] list - List all values del - Delete a value by number add - Add a new value insert - Insert a new value move - Move a value by number

The Health Check Script menu is used for creating a customized script used for health checking backend servers that are load balanced by the ASA. The script you create is only applied when you have specified script as the health check method in the menu for “Load Balancing Settings” on page 232 (/cfg/ssl/server #/adv/loadbalanc/health). For detailed information about creating customized health check scripts, see Chapter 8, “Script-Based Health Checks” chapter in the Alteon SSL Accelerator 4.1.2 Application Guide.

Table 10-36 Health Check Script Menu Options (/cfg/ssl/server/adv/loadbalanc /script)

Command Syntax and Usage

list Lists the current health check script, where each line is a script command and represented by a unique index number. The lines in the script are processed one after the other, starting from the lowest index number and ending with the highest index number.

del Removes the line in the health check script represented by the index number you specify. Use the list command to view all lines and related index numbers in the current health check script.

240 Chapter 10: ASA Command Reference 212939-F, November 2003 Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

Table 10-36 Health Check Script Menu Options (/cfg/ssl/server/adv/loadbalanc /script)

Command Syntax and Usage

add