SSL
SSL Certificates Overview
Topics in this module include:
• SSL and Digital Certificates
• SSL Administration
• SSL Deployment Decisions
• Deployment Scenarios
• SSL Offload Configurations
• Advanced SSL Settings
© 2012 Citrix | Confidential – Do Not Distribute

SSL and Digital Certificates
• The SSL protocol is an encryption and authentication protocol that runs above TCP and below the application protocol (the session layer in the OSI model)
• SSL uses digital certificates to verify the identity of the certificate holder

SSL Offload
The NetScaler system offers:
• High-performance SSL offload
ᵒ Sustains 6 Gbps of bulk encryption
ᵒ Supports up to 48,000 transactions per second
• A complete solution
ᵒ Rich traffic management feature set
ᵒ SSL VIP
ᵒ Transparent SSL
ᵒ Back-end encryption

SSL Administration
An SSL certificate can be obtained by:
• Requesting a certificate and key from a CA
• Using an existing SSL certificate and key
• Generating a new SSL certificate and key

SSL Session Process

SSL Keys
Keys must be generated in the following situations:
• Before generating and submitting a CSR to a CA
• Before generating a self-signed certificate for testing purposes

SSL Certificates
The NetScaler system certificate tools can generate:
• Root CA certificates
• Intermediate CA certificates
• Server certificates
• Client certificates

Certificate Key Pairs
A certificate must be paired with its corresponding private key
• The certificate-key pair is referred to as the certkey on the NetScaler system
• The certkey is then bound to the virtual server and used for SSL processing

SSL Deployment Decisions
Required components and settings include:
• A defined SSL termination point
• A server certificate installed on the NetScaler system
• The root, intermediate and client certificates installed on the client, depending on environmental needs
• The appropriate servers, services and virtual servers configured on the NetScaler system

Termination Points
SSL transactions can be terminated on the:
• Citrix NetScaler Application Switch
• Citrix Application Firewall
• Network Firewall
• Web server

Deployment Scenarios
• Front-end SSL with back-end HTTP
• Front-end SSL with back-end SSL
• Front-end SSL_TCP with back-end TCP
• SSL Bridge

Deploying Front-End SSL with Back-End HTTP
Requirements include:
• An installed certificate-key pair
• A load balancing virtual server using the SSL protocol
• One or more HTTP services associated with back-end web servers

Deploying Front-End SSL with Back-End SSL
Requirements include:
• An installed certificate-key pair
• A load balancing virtual server using the SSL protocol
• One or more SSL services associated with back-end web servers (the NetScaler re-encrypts towards the back end)

Deploying Front-End SSL_TCP with Back-End TCP
Requirements include:
• An installed certificate-key pair
• A load balancing virtual server using the SSL_TCP protocol
• One or more TCP services

Deploying SSL_BRIDGE
Requirements include:
• A load balancing virtual server using the SSL_BRIDGE protocol
• One or more SSL_BRIDGE services associated with back-end web servers
• No certificate-key pair on the NetScaler: the SSL session is passed through unchanged and terminated on the back-end server, so the NetScaler cannot inspect or modify the traffic

Configuring SSL Offload

SSL Virtual Servers
SSL virtual servers:
• Accept encrypted traffic
• Decrypt the traffic
• Send clear-text messages to the services bound to the vserver

SSL - Certificate Flow Chart
• Request New Cert
ᵒ Generate Key (SSL -> Cert Management -> Create RSA/DSA Key)
ᵒ Generate Request (SSL -> Cert Management -> Create Certificate Request)
ᵒ Submit to CA and Receive Cert
ᵒ Load Cert / Key (SSL -> Certificate Key Pair)
• Create New Cert
ᵒ Generate Key (SSL -> Cert Management -> Create RSA/DSA Key)
ᵒ Generate Request (SSL -> Cert Management -> Create Certificate Request)
ᵒ Create Certificate (SSL -> Cert Management -> Create Certificate)
ᵒ Load Cert / Key (SSL -> Certificate Key Pair)
• Use Existing Cert
ᵒ Transfer Cert to /nsconfig/ssl
ᵒ Convert Cert to PEM/DER if needed
ᵒ Load Cert / Key (SSL -> Certificate Key Pair)

SSL Offload
SSL – What Is It
• Broad use across websites and applications
ᵒ Retailers
ᵒ Financial institutions
ᵒ VPNs
• Secure Sockets Layer / Transport Layer Security
ᵒ TLS is the current version
ᵒ SSL was developed by Netscape Communications

NetScaler Basic SSL Configuration
• Basic NetScaler SSL entities
ᵒ Services
ᵒ Service Groups
ᵒ vServers

NetScaler Basic SSL Configuration
Installing SSL Certificates
ᵒ Done via GUI or CLI
ᵒ Certificate and key files are referenced relative to /nsconfig/ssl and must already be on the appliance
• CLI Example:
> add ssl certKey sslckey -cert server_cert.pem -key server_key.pem -password ssl
 Done

NetScaler Basic SSL Configuration
Configuration:
• Service
ᵒ add service svc-red-443 192.168.250.53 SSL 443
ᵒ Binding certificate (the certificate the NetScaler presents as a client when the back-end server requires client authentication)
> bind ssl service svc-red-443 -certkeyName et-test-client-1024-3812.ctky

NetScaler Basic SSL Configuration
• vServer
ᵒ add lb vserver vsvr_rgb1_250_443 SSL 192.168.0.191 443
ᵒ Binding certificate (the server certificate presented to clients)
> bind ssl vserver vsvr_rgb1_250_443 -certkeyName et-test-server-1024.certkey

NetScaler SSL Configuration
• Certificate Chaining
ᵒ Used when the server certificate is issued by an intermediate CA that browsers do not recognize directly; the intermediate certificate(s) must be sent along with the server certificate so the client can build a path to a trusted root
ᵒ Without the chain the client cannot validate the server certificate and the SSL session will terminate
• Configuration
ᵒ Ex (link the server certkey cert-inter-A to the certkey of its issuer, ca-certkey):
> link ssl certKey cert-inter-A ca-certkey

SSL Troubleshooting
NetScaler SSL Troubleshooting – Client Side
• In many cases it is useful to view the HTTP headers when debugging various problems
• Two free tools are available that are very useful for this task, and easy to use
ᵒ Live HTTP Headers for Mozilla Firefox
ᵒ IE HTTP Headers for Internet Explorer
• Live HTTP Headers is available at
ᵒ https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/
• IE HTTP Headers can be downloaded from
ᵒ http://www.bluck.info/iehttpheaders

Troubleshooting Encrypted SSL Connections
Few options
• NetScaler-based options:
ᵒ Connection Table
• Available in both CLI and GUI
- CLI:
NS10 > show connectiontable "DESTIP == 192.168.0.191"
SRCIP          SRCPORT  DSTIP          DSTPORT  SVCTYPE  IDLTIME  STATE
192.168.0.126  64527    192.168.0.191  443      SSL      3        ESTABLISHED C
 Done
• Show connection table in GUI:

Troubleshooting Encrypted SSL Connections
• Packet Level Analysis
ᵒ nstcpdump
root@ns# nstcpdump.sh -ni eth0 dst host 192.168.0.191
Setting 1000 pages (8000 KB) of trace buffers ... Enabling all nic trace mode=6 ... Done.
Done.
Changing trace packet length from 0 to 0 ... Done.
Saving current trace data in file 'pipe' ... in TCPDUMP format
reading from file -, link-type EN10MB (Ethernet)
18:20:01.648022 IP 192.168.0.126.64780 > 192.168.0.191.443: P 1399707342:1399707975(633) ack 3361875067 win 65535
18:20:01.660517 IP 192.168.0.126.64780 > 192.168.0.191.443: . ack 244 win 65457
18:20:01.661513 IP 192.168.0.126.64780 > 192.168.0.191.443: P 633:1252(619) ack 244 win 65535
18:20:01.678028 IP 192.168.0.126.64780 > 192.168.0.191.443: . ack 1969 win 65284

Troubleshooting Encrypted SSL Connections
• Wireshark Capture
ᵒ Still limited when the flow is encrypted: the handshake and record headers are visible, the application data is not

Decoding SSL Traffic with Wireshark
Decoding SSL Packet Captures with Wireshark
ᵒ What you need:
• Wireshark installed with compiled SSL decryption (built with GnuTLS support)
• SSL server IP address
• Port
• Key file (the server's RSA private key)
• Password (if required, i.e. for a PKCS#12 key file)

Decoding SSL Packet Captures with Wireshark
• Before decryption:

Decoding SSL Packet Captures with Wireshark
• Add the collected info in Wireshark for decryption (SSL protocol preferences, RSA keys list)

Decoding SSL Packet Captures with Wireshark
• After decryption:

Decoding SSL Packet Captures with Wireshark
• Decoding Tips
ᵒ vServer config:
ᵒ set ssl vserver test -sessReuse DISABLED -sessTimeout 120
ᵒ Full handshake: a resumed session skips the key exchange, so the capture must contain the full handshake for the session to be decryptable; disabling session reuse on the vserver guarantees this during troubleshooting
ᵒ Passworded key file
ᵒ Exported from web server
ᵒ Decryption with the server's private key only works for cipher suites that use RSA key exchange; with (EC)DHE suites the premaster secret never crosses the wire under the server key, and the capture cannot be decrypted this way

LAB – Module 3 – Exercise 2
To continue with the lab, browse to: http://training.mycitrixcloud.net/geoilt
Enter your business email and this session code: NETSCALER-WORKSHOP
Work better. Live better.
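Added example (not part of the Citrix deck) for the "SSL - Certificate Flow Chart" and "Certificate Chaining" slides above. It reproduces the Request New Cert path with OpenSSL, which is what the NetScaler Create RSA/DSA Key, Create Certificate Request and Create Certificate items wrap: generate a key and CSR, have a two-level CA (root plus intermediate) issue the certificate, confirm the certificate and key really belong together before loading them as a certkey, and then show why the intermediate must be linked. The CA names, the hostname www.example.test and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example, not NetScaler code: build key, CSR, CA chain and verify it.
# Names (ns-root, ns-inter, www.example.test) are assumed for illustration.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# "Generate Key" and "Generate Request": server private key and CSR.
make_server_csr() {
    openssl genrsa -out server_key.pem 2048 2>/dev/null
    openssl req -new -key server_key.pem -subj "/CN=www.example.test" \
        -out server.csr 2>/dev/null
}

# Stand-in for the CA ("Submit to CA and Receive Cert"): a root signs an
# intermediate, the intermediate signs the server CSR.
make_ca_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root_key.pem \
        -subj "/CN=ns-root" -days 3650 -out root_cert.pem 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout inter_key.pem \
        -subj "/CN=ns-inter" -out inter.csr 2>/dev/null
    # CA:TRUE is what lets the intermediate act as an issuer
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -in inter.csr -CA root_cert.pem -CAkey root_key.pem \
        -CAcreateserial -days 1825 -extfile ca.ext -out inter_cert.pem 2>/dev/null
    printf 'subjectAltName=DNS:www.example.test\nbasicConstraints=CA:FALSE\n' > srv.ext
    openssl x509 -req -in server.csr -CA inter_cert.pem -CAkey inter_key.pem \
        -CAcreateserial -days 365 -extfile srv.ext -out server_cert.pem 2>/dev/null
}

# "Load Cert / Key": a certkey is only valid if the certificate's public key
# is the one derived from the private key. Compare them, not the file names.
key_matches_cert() {
    c=$(openssl x509 -in server_cert.pem -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in server_key.pem -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ] && echo match || echo mismatch
}

# Chain check from the point of view of a client that trusts only the root.
# "bare" = server certificate alone (no link ssl certKey); "chained" = the
# intermediate is supplied alongside it, as the linked certkey would be.
verify_server() {
    if [ "$1" = bare ]; then
        openssl verify -CAfile root_cert.pem server_cert.pem >/dev/null 2>&1 \
            && echo OK || echo FAIL
    else
        openssl verify -CAfile root_cert.pem -untrusted inter_cert.pem \
            server_cert.pem >/dev/null 2>&1 && echo OK || echo FAIL
    fi
}

make_server_csr
make_ca_chain
echo "key/cert pairing:         $(key_matches_cert)"      # match
echo "verify without chain:     $(verify_server bare)"    # FAIL
echo "verify with intermediate: $(verify_server chained)" # OK
```

Once this runs, server_cert.pem, server_key.pem and inter_cert.pem are what would be copied to /nsconfig/ssl; the server pair becomes one certkey, the intermediate a second certkey with no key, and link ssl certKey ties the first to the second so the NetScaler sends the intermediate with the server certificate. The bare/chained contrast is the "without the chain the SSL session will terminate" case from the slide.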
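Added example (not part of the Citrix deck) for the "Decoding SSL Packet Captures with Wireshark" slides above. It prepares the key file the slides list under "Passworded key file / Exported from web server" and adds the check a practitioner wants before spending time on a capture: whether the vserver's cipher list contains any RSA-key-exchange suites at all, since private-key decryption cannot recover anything from (EC)DHE sessions. The VIP 192.168.0.191:443, the PKCS#12 password ssl and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not NetScaler or Wireshark code: prepare Wireshark's RSA
# key material and test whether a cipher list is decryptable with it.
# 192.168.0.191:443, the password "ssl" and the paths are assumptions.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Stand-in for "Exported from web server": IIS and other Windows stacks
# export cert+key as a passworded PKCS#12 (.pfx). Self-signed here only so
# the example has something to export.
make_pfx_export() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout srv_key.pem \
        -subj "/CN=www.example.test" -days 365 -out srv_cert.pem 2>/dev/null
    openssl pkcs12 -export -in srv_cert.pem -inkey srv_key.pem \
        -passout pass:ssl -out export.pfx
}

# Wireshark accepts the .pfx directly (its "Password" field is for this) or
# an unencrypted PEM key. Produce the PEM form and confirm it is a usable RSA
# key: the decryption works by recovering the premaster secret the client
# encrypted to the server's RSA public key, so a non-RSA key is useless here.
pem_key_from_pfx() {
    openssl pkcs12 -in export.pfx -passin pass:ssl -nocerts -nodes \
        -out wireshark_key.pem 2>/dev/null
    chmod 600 wireshark_key.pem   # this is the server's private key; protect it
    openssl rsa -in wireshark_key.pem -check -noout 2>/dev/null
}

# RSA keys list entry: <server ip>,<port>,<protocol>,<key file>[,<password>]
keys_list_line() {
    echo "192.168.0.191,443,http,$WORK/wireshark_key.pem"
}

# Only suites with Kx=RSA can be decoded with the server key. Feed the
# vserver's cipher list and get back the decodable subset; an empty answer
# means the capture cannot be decrypted this way no matter which key you hold.
decryptable_ciphers() {
    openssl ciphers -v "$1" | awk '$3 == "Kx=RSA" { print $1 }'
}

make_pfx_export
pem_key_from_pfx                                               # RSA key ok
keys_list_line
decryptable_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA'   # AES256-SHA only
# Use with the collected values (not run here):
#   tshark -r capture.pcap -o "ssl.keys_list:$(keys_list_line)" -V
```

The cipher check is the complement of the slide's sessReuse DISABLED tip: disabling reuse guarantees a full handshake is in the capture, and the Kx=RSA filter guarantees that handshake is one the server key can open. If the filter returns nothing, the only options are to temporarily restrict the vserver to RSA-key-exchange suites for the test or to use a different approach than the server private key.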