SSL

SSL Certificates

© 2012 Citrix | Confidential – Do Not Distribute

Overview

Topics in this module include:

• SSL and Digital Certificates

• SSL Administration

• SSL Deployment Decisions

• Deployment Scenarios

• SSL Offload Configurations

• Advanced SSL Settings

SSL and Digital Certificates

• SSL/TLS is an encryption and authentication protocol that sits between TCP and the application protocol (HTTP, SMTP, ...); it is commonly described as a session layer protocol

• SSL uses X.509 digital certificates to prove the identity of the certificate holder: the server proves its identity to the client, and optionally the client proves its identity back with a client certificate

SSL Offload

The NetScaler system offers:

• High-performance SSL offload
  ᵒ Sustains 6 Gbps of bulk encryption
  ᵒ Supports up to 48,000 SSL transactions per second

• A complete solution
  ᵒ Rich traffic management feature set
  ᵒ SSL VIP
  ᵒ Transparent SSL
  ᵒ Back-end encryption

SSL Administration

An SSL certificate and key can be obtained by:

• Generating a key and CSR on the NetScaler and requesting a certificate from a CA

• Using an existing SSL certificate and key (for example, exported from a web server)

• Generating a new self-signed SSL certificate and key on the NetScaler (suitable for testing, not for production)

SSL Session Process

SSL Keys

Keys must be generated in the following situations:

• Before generating and submitting a CSR to a CA

• Before generating a self-signed certificate for testing purposes

SSL Certificates

The NetScaler system certificate tools can generate:

• Root CA certificates

• Intermediate CA certificates

• Server certificates

• Client certificates

Certificate Key Pairs

A certificate must be paired with its corresponding private key

• The certificate key pair is referred to as the certkey on the NetScaler system

• The certkey is then bound to the virtual server and used for SSL processing

SSL Deployment Decisions

Required components and settings include:

• A defined SSL termination point

• A server certificate (with its private key) installed on the NetScaler system

• The root and, where needed, intermediate CA certificates trusted on the client, and a client certificate installed on the client if client authentication is required

• The appropriate servers, services and virtual servers configured on the NetScaler system

Termination Points

SSL transactions can be terminated on the:

• Citrix NetScaler Application Switch

• Citrix Application Firewall

• Network Firewall

• Web server

Deployment Scenarios

• Front-end SSL with back-end HTTP (SSL offload: traffic to the servers is clear text)

• Front-end SSL with back-end SSL (the NetScaler re-encrypts to the servers)

• Front-end SSL_TCP with back-end TCP (offload for non-HTTP protocols)

• SSL Bridge (no termination: the NetScaler passes the encrypted stream through to the servers)

Deploying Front-End SSL with Back-End HTTP

Requirements include:

• An installed certificate-key pair

• A load balancing virtual server using the SSL protocol

• One or more HTTP services associated with back-end web servers

Deploying Front-End SSL with Back-End SSL

Requirements include:

• An installed certificate-key pair

• A load balancing virtual server using the SSL protocol

• One or more SSL services (the NetScaler re-encrypts the traffic to the back end)

Deploying Front-End SSL_TCP with Back-End TCP

Requirements include:

• An installed certificate-key pair

• A load balancing virtual server using the SSL_TCP protocol

• One or more TCP services

Deploying SSL_BRIDGE

Requirements include:

• A load balancing virtual server using the SSL_BRIDGE protocol

• One or more SSL_BRIDGE services associated with back-end web servers

• No certificate-key pair on the NetScaler: the SSL session is terminated on the web server itself

Configuring SSL Offload

SSL Virtual Servers

SSL virtual servers:

• Accept encrypted traffic from clients

• Decrypt the traffic

• Send clear-text requests to the services bound to the vserver

SSL - Certificate Flow Chart

Three paths lead to a loaded certificate-key pair:

Request new cert
  1. Generate key: SSL -> Cert Management -> Create RSA/DSA Key
  2. Generate request: SSL -> Cert Management -> Create Certificate Request
  3. Submit the request to the CA and receive the certificate
  4. Load cert / key: SSL -> Certificate Key Pair

Create new cert (self-signed or internal CA)
  1. Generate key: SSL -> Cert Management -> Create RSA/DSA Key
  2. Create certificate: SSL -> Cert Management -> Create Certificate
  3. Load cert / key: SSL -> Certificate Key Pair

Use existing cert
  1. Transfer the certificate and key to /nsconfig/ssl
  2. Convert the certificate to PEM or DER if needed
  3. Load cert / key: SSL -> Certificate Key Pair

Choose RSA when generating the key; DSA certificates are no longer accepted by current clients.

SSL Offload

SSL – What Is It

• Broad use across websites and applications
  ᵒ Retailers
  ᵒ Financial institutions
  ᵒ VPNs

• Secure Sockets Layer / Transport Layer Security
  ᵒ SSL was developed by Netscape Communications
  ᵒ TLS is the current version

NetScaler Basic SSL Configuration

• Basic NetScaler SSL entities
  ᵒ Services
  ᵒ Service groups
  ᵒ vServers

NetScaler Basic SSL Configuration

• Installing SSL certificates
  ᵒ Done via GUI or CLI

• CLI example:

    > add ssl certKey sslckey -cert server_cert.pem -key server_key.pem -password ssl
     Done

NetScaler Basic SSL Configuration

Configuration:

• Service (back-end SSL)
  ᵒ add service svc-red-443 192.168.250.53 SSL 443
  ᵒ Binding a certificate to the service. This is only needed when the back-end server requires a client certificate; the certkey bound to a service is presented by the NetScaler as its client certificate:

    bind ssl service svc-red-250-443 -certkeyName et-test-client-1024-3812.ctky

NetScaler Basic SSL Configuration

• vServer (front-end SSL)
  ᵒ add lb vserver vsvr_rgb1_250_443 SSL 192.168.0.191 443
  ᵒ Binding the server certificate:

    bind ssl vserver vsvr_rgb1_250_443 -certkeyName et-test-server-1024.certkey

NetScaler SSL Configuration

• Certificate chaining
  ᵒ Needed when the server certificate is issued by an intermediate CA that clients do not have in their trust store: the NetScaler must send the intermediate certificate(s) together with the server certificate so the client can build a path to a trusted root
  ᵒ Without the chain the client cannot validate the server certificate and the SSL handshake fails

• Configuration: install each CA certificate as its own certkey, then link every certkey to the certkey of its issuer (server to intermediate, intermediate to the CA above it)
  ᵒ Ex:

    > link ssl certKey cert-inter-A ca-certkey
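The certificate flow (key, CSR, CA-issued certificate, loaded certkey) and the chaining rule above, as an added example done with openssl rather than the NetScaler GUI. This is not code from the Citrix slides; it assumes openssl is on PATH, and the CA names, host name and working directory are hypothetical. It builds root -> intermediate -> server, then shows what a client that trusts only the root does with and without the intermediate, which is the gap `link ssl certKey` closes, and finally checks that a certificate and key actually belong together before they are loaded as a certkey.

```shell
# Added example (not from the Citrix slides). Assumes openssl on PATH; the
# directory, host name and CA names below are hypothetical.
set -eu

WORK="${WORK:-$(mktemp -d)}"        # hypothetical working directory
HOST="${HOST:-www.example.com}"     # hypothetical server name

# Flow step 1: create the private key (RSA; DSA is obsolete).
gen_key() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
}

# Flow step 2: create the certificate signing request for that key.
gen_csr() {  # gen_csr <name> <subject>
  openssl req -new -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
}

# Flow step 3: issue the certificate. "self" stands in for the external CA
# when the root signs itself; otherwise the named issuer signs with its key.
sign_csr() {  # sign_csr <name> <issuer|self> <extfile>
  if [ "$2" = self ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 3650 \
      -sha256 -extfile "$3" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
      -CAcreateserial -days 825 -sha256 -extfile "$3" -out "$WORK/$1.pem" 2>/dev/null
  fi
}

# Build root -> intermediate -> server, the chain the slide's "ca-certkey"
# and "cert-inter-A" certkeys represent.
build_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/inter.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$HOST" > "$WORK/server.ext"

  gen_key root;   gen_csr root   "/CN=Example Root CA";    sign_csr root   self  "$WORK/ca.ext"
  gen_key inter;  gen_csr inter  "/CN=Example Issuing CA"; sign_csr inter  root  "$WORK/inter.ext"
  gen_key server; gen_csr server "/CN=$HOST";              sign_csr server inter "$WORK/server.ext"
}

# What a client that trusts only the root sees when the server certificate is
# sent alone (no linked intermediate): path building fails, handshake aborts.
verify_without_chain() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# Same client, but the intermediate travels with the server certificate,
# which is what linking the certkeys makes the NetScaler do.
verify_with_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
    "$WORK/server.pem" >/dev/null 2>&1
}

# A certkey is only usable if certificate and key carry the same public key:
# compare the SubjectPublicKeyInfo taken from each.
certkey_match() {  # certkey_match <cert.pem> <key.pem>
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

build_pki
verify_with_chain    && echo "with intermediate:    verified"
verify_without_chain || echo "without intermediate: FAILED (unable to get local issuer certificate)"
certkey_match "$WORK/server.pem" "$WORK/server.key" && echo "server certkey: certificate and key match"
```

On the NetScaler the equivalent of `-untrusted inter.pem` is installing `inter.pem` as its own certkey and linking the server certkey to it; `certkey_match` is the check to run on any certificate and key exported from a web server before they are loaded as one certkey.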

SSL Troubleshooting

NetScaler SSL Troubleshooting – Client Side

• In many cases it is useful to view the HTTP headers when debugging various problems

• Two free, easy-to-use browser tools are available for this task
  ᵒ Live HTTP Headers for Mozilla Firefox
  ᵒ IE HTTP Headers for Internet Explorer

NetScaler SSL Troubleshooting – Client Side

• Live HTTP Headers is available at
  ᵒ https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/

NetScaler SSL Troubleshooting – Client Side

• IE HTTP Headers can be downloaded from
  ᵒ http://www.bluck.info/iehttpheaders

Troubleshooting Encrypted SSL Connections

A few options

• NetScaler based options:
  ᵒ Connection table, available in both CLI and GUI
  ᵒ CLI:

    NS10> show connectiontable "DESTIP = 192.168.0.191"
    SRCIP          SRCPORT  DSTIP          DSTPORT  SVCTYPE  IDLTIME  STATE
    192.168.0.126  64527    192.168.0.191  443      SSL      3        ESTABLISHED C
     Done

Troubleshooting Encrypted SSL Connections

• Show connection table in GUI:

Troubleshooting Encrypted SSL Connections

• Packet level analysis
  ᵒ nstcpdump.sh (tcpdump syntax on the NetScaler shell; the payload stays encrypted)

    root@ns# nstcpdump.sh -ni eth0 dst host 192.168.0.191
    Setting 1000 pages (8000 KB) of trace buffers ... Done.
    Enabling all nic trace mode=6 ... Done.
    Changing trace packet length from 0 to 0 ... Done.
    Saving current trace data in file 'pipe' ... in TCPDUMP format
    reading from file -, link-type EN10MB (Ethernet)
    18:20:01.648022 IP 192.168.0.126.64780 > 192.168.0.191.443: P 1399707342:1399707975(633) ack 3361875067 win 65535
    18:20:01.660517 IP 192.168.0.126.64780 > 192.168.0.191.443: . ack 244 win 65457
    18:20:01.661513 IP 192.168.0.126.64780 > 192.168.0.191.443: P 633:1252(619) ack 244 win 65535
    18:20:01.678028 IP 192.168.0.126.64780 > 192.168.0.191.443: . ack 1969 win 65284

Troubleshooting Encrypted SSL Connections

• Wireshark capture
  ᵒ Still limited when the flow is encrypted:

Decoding SSL Traffic with Wireshark

Decoding SSL Packet Captures with Wireshark

ᵒ What you need:
  • Wireshark built with SSL/TLS decryption support (GnuTLS)
  • SSL server IP address
  • Port
  • Key file (the server's private key, PEM)
  • Password (if the key file is encrypted)

Decoding SSL Packet Captures with Wireshark

• Before Decryption:

Decoding SSL Packet Captures with Wireshark

• Add the collected information in Wireshark for decryption (Edit -> Preferences -> Protocols -> SSL, RSA keys list)

Decoding SSL Packet Captures with Wireshark

• After decryption:

Decoding SSL Packet Captures with Wireshark

• Decoding tips
  ᵒ Vserver config: disable session reuse so every connection in the capture performs a full handshake

    > set ssl vserver test -sessReuse DISABLED -sessTimeout 120

  ᵒ Capture the full handshake; without the ClientKeyExchange of that session there is nothing for the key to decrypt
  ᵒ Passworded key file: give Wireshark the password, or strip it first with openssl rsa
  ᵒ A key exported from the web server must be the one the vserver's bound certkey actually uses
  ᵒ Private-key decryption only works for cipher suites with RSA key exchange; with DHE/ECDHE suites (forward secrecy) the server key cannot decrypt the session
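The RSA key exchange caveat above, as an added example that is not from the Citrix slides: before loading a server key into Wireshark, confirm that the cipher suite the vserver negotiated actually lets that key decrypt anything. Only suites with RSA key exchange (openssl reports them as Kx=RSA) encrypt the pre-master secret under the server key; (EC)DHE suites and TLS 1.3 never do, so the key alone yields nothing. It assumes openssl is on PATH; the suite names are examples, and the awk parsing of `openssl ciphers -v` output is this example's own.

```shell
# Added example (not from the Citrix slides). Assumes openssl on PATH; the
# suite names below are examples of what a NetScaler vserver might negotiate.
set -eu

# Print the key-exchange field (Kx=...) openssl reports for a cipher suite
# name, or "unknown" when openssl does not list that suite.
key_exchange() {
  openssl ciphers -v 'ALL:COMPLEMENTOFALL' 2>/dev/null | awk -v name="$1" '
    $1 == name {
      for (i = 1; i <= NF; i++) if ($i ~ /^Kx=/) { sub(/^Kx=/, "", $i); print $i; found = 1; exit }
    }
    END { if (!found) print "unknown" }'
}

# Exit 0 when the server private key alone is enough for Wireshark to
# decrypt a session negotiated with this suite.
decryptable_with_server_key() {
  [ "$(key_exchange "$1")" = "RSA" ]
}

# Quick report: RSA key exchange, ECDHE (forward secrecy) and a TLS 1.3 suite.
for suite in AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 TLS_AES_256_GCM_SHA384; do
  if decryptable_with_server_key "$suite"; then
    echo "$suite: Kx=$(key_exchange "$suite"), server private key decrypts the capture"
  else
    echo "$suite: Kx=$(key_exchange "$suite"), private key is useless; a (pre-)master secret log is required"
  fi
done
```

If the negotiated suite is not Kx=RSA, no amount of session-reuse tuning helps: either restrict the vserver's cipher list to RSA key exchange for the duration of the troubleshooting session, or capture the clear text on the back-end side of an offloaded vserver instead.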

LAB – Module 3 – Exercise 2

To continue with the lab, browse to:

http://training.mycitrixcloud.net/geoilt

Enter your business email and this session code:

NETSCALER-WORKSHOP

Work better. Live better.