CHAPTER 3

Initial Configuration

This chapter describes the steps required to initialize and configure an SSL proxy blade for use in a network environment. This setup procedure assumes that the SSL proxy blade has already been installed according to the previous installation instructions and all relevant network cables are connected.

This chapter contains the following sections:


Initializing the SSL Proxy Blade

To use the SSL proxy blade, it must be initialized with required information using the blade console, which is accessible through the Sun Fire B1600 system controller. Once the SSL proxy blade has been initially configured, it can be managed through Telnet.


To Initialize the SSL Proxy Blade

1. Gather the required information.

When the SSL proxy blade is powered on for the first time, you must set the values for the parameters listed in TABLE 3-1 before the device can operate correctly. Use the empty value column as a worksheet.

TABLE 3-1 Worksheet of Values for the SSL Proxy Blade Initialization

Parameter Name                | Default         | Value | Description
------------------------------|-----------------|-------|------------
Name                          | SSL proxy blade |       | Name for the SSL proxy blade for administration purposes.
Management (admin) IP address | 0.0.0.0         |       | IP address for administration by means of Telnet.
Administration port netmask   | 255.255.255.0   |       | Netmask for the local administration subnet.
Default gateway               | 0.0.0.0         |       | IP address of the gateway in the local subnet.
Security officer password     | so              |       | Initial security officer password. Should be changed by the security officer.
Management VLAN               | 0               |       | This parameter must be set based on your network setup.
Traffic ports                 |                 |       |
Secure/clear portpair         | 443/880         |       | TCP port numbers for secure/clear client traffic.
Certificates                  | none            |       | If you have no certificates, then you can create a key and generate a signing request. For simplicity, in this setup we will create a self-signed certificate.
Keys                          | none            |       | RSA private key that can be used to generate a certificate request or a self-signed certificate.
Services IP addresses         | none            |       | Each service supports a server. To set up the services, you need the IP address of each HTTP server for which the SSL proxy blade should process SSL traffic.
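The worksheet values above are typed into the blade console by hand, and a wrong netmask, a gateway outside the administration subnet, or a security officer password left at the factory default are the mistakes that most often surface only after the setup command has finished. The following script, added here as an illustration and not part of the Sun documentation, checks a filled-in worksheet before anything is entered on the blade. The dictionary keys, the 0..4094 VLAN range, and the sample addresses (taken from the output shown later in this chapter) are assumptions of this example.

```python
"""Sanity-check a TABLE 3-1 worksheet for an SSL proxy blade before typing it
into 'set management' and 'setup'. Added example; field names are assumed."""
import ipaddress

# Defaults exactly as listed in TABLE 3-1 of this chapter.
DEFAULTS = {
    "admin_ip": "0.0.0.0",
    "admin_netmask": "255.255.255.0",
    "gateway": "0.0.0.0",
    "so_password": "so",
    "management_vlan": 0,
    "secure_port": 443,
    "clear_port": 880,
    "services": [],   # IP addresses of the HTTP servers behind the blade
}


def _ipv4(text):
    """Parse an IPv4 address, returning None if the text is not one."""
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        return None


def check_worksheet(values):
    """Return a list of problems with a worksheet; an empty list means the
    values are ready to be entered on the blade console."""
    ws = {**DEFAULTS, **values}
    problems = []

    admin_ip = _ipv4(ws["admin_ip"])
    if admin_ip is None:
        problems.append(f"admin IP {ws['admin_ip']!r} is not an IPv4 address")
    elif admin_ip.is_unspecified:
        problems.append("admin IP is still 0.0.0.0; the blade cannot be managed over Telnet")

    # A netmask must be contiguous; IPv4Network rejects masks such as 255.255.0.255.
    subnet = None
    if admin_ip is not None:
        try:
            subnet = ipaddress.IPv4Network(f"{admin_ip}/{ws['admin_netmask']}", strict=False)
        except ValueError:
            problems.append(f"netmask {ws['admin_netmask']!r} is not a valid IPv4 netmask")

    gateway = _ipv4(ws["gateway"])
    if gateway is None:
        problems.append(f"gateway {ws['gateway']!r} is not an IPv4 address")
    elif gateway.is_unspecified:
        problems.append("gateway is 0.0.0.0; management from other subnets will fail")
    elif subnet is not None and gateway not in subnet:
        problems.append(f"gateway {gateway} is outside the admin subnet {subnet}")
    elif gateway == admin_ip:
        problems.append("gateway must not be the blade's own admin IP")

    # The factory password 'so' is printed in the documentation; it must be replaced.
    if not ws["so_password"] or ws["so_password"] == DEFAULTS["so_password"]:
        problems.append("security officer password is still the factory default")

    # 802.1Q VLAN IDs run 0..4094 (0 = untagged); this range is an assumption of
    # the example, the page itself gives no range.
    vlan = ws["management_vlan"]
    if not (isinstance(vlan, int) and 0 <= vlan <= 4094):
        problems.append(f"management VLAN {vlan!r} is outside 0..4094")

    secure, clear = ws["secure_port"], ws["clear_port"]
    for label, port in (("secure", secure), ("clear", clear)):
        if not (isinstance(port, int) and 1 <= port <= 65535):
            problems.append(f"{label} port {port!r} is not a valid TCP port")
    if secure == clear:
        problems.append("secure and clear ports of a portpair must differ")

    if not ws["services"]:
        problems.append("no server IP addresses listed; at least one service is needed")
    for server in ws["services"]:
        ip = _ipv4(server)
        if ip is None or ip.is_unspecified:
            problems.append(f"service server address {server!r} is not usable")

    return problems


if __name__ == "__main__":
    # Constructed sample worksheet using the addresses shown in this chapter's output.
    sample = {
        "admin_ip": "192.50.50.205",
        "gateway": "192.50.50.1",
        "so_password": "so",          # left at the default on purpose
        "services": ["192.50.50.11"],
    }
    for problem in check_worksheet(sample) or ["worksheet is ready"]:
        print("-", problem)
```

Run it against the filled-in worksheet before step 2; every line it prints is a value to correct on paper rather than on the blade. The gateway check is deliberately an error and not a warning, because a gateway outside the administration subnet is silently accepted by the CLI and only shows up later as a failed Telnet session.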


2. Set up the SSL proxy blade.

a. Log on to the SSL proxy blade.

When the SSL proxy blade console is accessed, the Login: prompt is displayed after the boot process completes.

# telnet B1600_sc_ip-addr
sc> console Sn
Login: so
Password:

Where n is the slot number for the SSL proxy blade.



Note - For initial setup you must be logged in as the security officer (so).



After the user name and password are validated, the command prompt is displayed: CLI#

b. Change the security officer password with the command:

CLI# set password

For more information about user access and privileges, see User Access.

c. Run the set management command and the setup command.

After logging in for the first time you need to run the setup command before setting any configuration information. The setup command prompts you for the required information listed above.

CLI# set management
Enter port number (1..2) (1): 
Enter inband (admin) IP Address (0.0.0.0): 
Enter inband (admin) netmask (255.255.255.0): 
 
CLI# setup
Enter secure port (https) (443): 
Enter clear port (http) (880): 
 
Change the password:
Enter login password: 
Enter new password: 
Re-enter new password: 
Password changed.
    Setup has completed successfully.
    You should add keys and services to complete the configuration.
    To save the configuration enter: config save
CLI# 

The setup command configures the blade for the first time. You can use specific commands to change the initial parameters later.

3. Verify that the blade is connected.

a. To verify connectivity, ping any host on the same subnet from the SSL proxy blade. The ping should report the host to be alive.

CLI# ping ip-addr
PING 192.50.50.11 from 192.100.100.205: 56 data bytes
64 bytes from 192.50.50.11: icmp_seq=0 ttl=255 time=0 ms
 
--- ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0/0/0 ms
    host is alive.
CLI#



Note - In the previous command the IP address (ip-addr) must be entered as a numeric IP address and not a hostname.



b. To verify Telnet, use Telnet to connect to the SSL proxy blade.

This option allows you to continue the setup process from the local area network.


To Create Keys and Certificates

Before the SSL proxy blade can process SSL traffic, the keys and certificates must be installed.

See Keys and Certificates for more information on the import and create commands.

1. Create a key.

CLI# create key keyname
Enter key strength (1024): 512/1024/2048
Key keyname generated. 

2. Create a certificate.

You may create a self-signed certificate as a temporary certificate for testing purposes.

CLI#  create certificate 
Enter key name: keyname
Enter country (US): abbreviated_country
Enter state or province (CA): abbreviated_state
Enter locality (Company Town): town_name
Enter common name (www.company-name.com): www1.my-company.com
Enter organization (Company Name): my_company_name
Enter organization unit (Company Unit): department
Enter email address (support@company-name.com): email@company_name.domain
Certificate generated. 

Or, you may create a certificate signed by a certificate authority.

CLI# create certrequest
Enter key name: previously_created_keyname
Enter country (US): 
Enter state or province (CA): 
Enter locality (Company Town): 
Enter common name (www.companyname.com): 
Enter organization (Company Name): 
Enter organization unit (Company Unit): 
Enter email address (support@company-name.com): 
    Certificate signing request previously_created_keyname generated.

3. Hand off this certificate request to a certificate authority, which uses it to generate the certificate. Then import the signed certificate into the SSL proxy blade.

CLI# import certificate


To Create Services for the Servers

After the certificates have been installed, you can create services for each server. The services enable the SSL proxy blade to process SSL traffic.

Create a service:

CLI# create service
Enter service name: new_servicename
Enter key name: keyname
Enter server IP Address: (0.0.0.0): server_ip-addr
Enter cipher (export/best/optional/high/medium/low) (best): cipher
Enter portpair number (1..4) (1): 1
Service new_servicename created. 

See Services for a full explanation of service settings.


To Verify and Save the Configuration

1. Use the show management command to display the current SSL proxy blade configuration.

CLI# show management
    port 1:
      management (admin) IP:      192.50.50.205
      management (admin) netmask: 255.255.255.0
      management (admin) gateway: 0.0.0.0
    port 2:
      management (admin) IP:      0.0.0.0
      management (admin) netmask: 255.255.255.0
      management (admin) gateway: 0.0.0.0
 
CLI#

2. Use the show portpair command to list all TCP port settings:

CLI# show portpair
    portpair 1:
      secure port:     443
      clear port:      880
    portpair 2:
      secure port:     0
      clear port:      0
    portpair 3:
      secure port:     0
      clear port:      0
    portpair 4:
      secure port:     0
      clear port:      0

Other configuration information can be displayed using the commands described in TABLE 3-2.

3. Save the configuration as permanent.

CLI# config save 

When you log out, you are reminded if the configuration has not been saved and given the option to cancel the logout. Configuration changes that are not saved are lost if the SSL proxy blade is rebooted. The config compare command reports whether the configuration in memory differs from the permanent configuration stored in flash.

4. Verify and start processing.



Note - Browsers ship with a preloaded set of recognized CA certificates. With a self-signed certificate, as used in this example, a browser does not recognize the issuer and issues a warning.
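Before pointing clients at the blade, it is worth checking from a client machine what the secure port actually serves: that the certificate is the one created above, that its common name matches the name clients will use, and how long it is valid. The script below is an added example written for this chapter, not code from the Sun documentation. It works on the dictionary format that Python's standard `ssl` module returns from `getpeercert()`, so it can be exercised offline on the constructed sample certificate embedded in it. The `fetch_peer_cert` helper and its `cafile` argument are assumptions of the example: because a self-signed blade certificate is not in the client's trust store (the situation the note describes), the handshake only validates when that certificate's PEM file is passed explicitly as `cafile`.

```python
"""Check the certificate an SSL proxy blade presents on its secure port.
Added example; not part of the Sun documentation."""
import socket
import ssl
import time


def assess_cert(cert, expected_name, now=None):
    """Evaluate a certificate dict in the format returned by SSLSocket.getpeercert().

    Returns whether it is self-signed (subject equals issuer), whether the
    expected host name appears as the common name or a DNS subjectAltName,
    whether it has expired, and the number of whole days left before notAfter."""
    now = time.time() if now is None else now
    subject = {k: v for rdn in cert["subject"] for k, v in rdn}
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    names = {subject.get("commonName")}
    names.update(v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS")
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "self_signed": subject == issuer,
        "name_matches": expected_name in names,
        "expired": not_after < now,
        "days_left": int((not_after - now) // 86400),
    }


def fetch_peer_cert(host, port=443, cafile=None, timeout=5.0):
    """Connect to the blade's secure port and return the validated peer certificate.

    For a self-signed blade certificate pass its PEM file as cafile; with the
    default trust store the handshake raises ssl.SSLCertVerificationError,
    which is exactly the warning a browser shows for such a certificate."""
    context = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() format, mirroring the self-signed
# certificate created with 'create certificate' earlier in this chapter.
_SAMPLE_NAME = (
    (("countryName", "US"),),
    (("stateOrProvinceName", "CA"),),
    (("localityName", "Company Town"),),
    (("organizationName", "Company Name"),),
    (("organizationalUnitName", "Company Unit"),),
    (("commonName", "www1.my-company.com"),),
    (("emailAddress", "support@company-name.com"),),
)
SAMPLE_SELF_SIGNED = {
    "subject": _SAMPLE_NAME,
    "issuer": _SAMPLE_NAME,      # identical to subject: the hallmark of self-signed
    "version": 3,
    "serialNumber": "01",
    "notBefore": "Jan  1 00:00:00 2004 GMT",
    "notAfter": "Dec 31 23:59:59 2004 GMT",
}
# Constructed "current time" for the offline check: 30 days before expiry.
SAMPLE_CHECK_TIME = ssl.cert_time_to_seconds("Dec  1 23:59:59 2004 GMT")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python check_blade_cert.py <host> [blade-cert.pem]
        host = sys.argv[1]
        cafile = sys.argv[2] if len(sys.argv) > 2 else None
        try:
            result = assess_cert(fetch_peer_cert(host, cafile=cafile), host)
        except ssl.SSLCertVerificationError as exc:
            sys.exit(f"{host}: certificate not trusted ({exc}); "
                     "pass the blade's PEM file as cafile if it is self-signed")
    else:
        result = assess_cert(SAMPLE_SELF_SIGNED, "www1.my-company.com", SAMPLE_CHECK_TIME)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With no arguments the script evaluates the embedded sample; with a host name (and, for a self-signed blade, the exported PEM file) it checks the live secure port. A `self_signed: True` result on a production blade means the certificate-authority-signed certificate from the create certrequest / import certificate steps has not been installed yet.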



a. Perform diagnostics (if required).

See Event Logging Commands for more details.

b. Use the following CLI# commands to display important information about the SSL proxy blade configuration.

TABLE 3-2 Commands to Display Configuration Information

Command        | Description
---------------|----------------------------------
show portpair  | Shows all TCP port settings
show all       | Shows all system information
show log       | Shows logging configuration information
export log     | Shows log messages
show stats     | Shows statistics
show features  | Shows software license information
show version   | Shows software version
show boot      | Shows release version information
show state     | Shows various system settings
show link      | Shows inband port link settings
show interface | Shows inband interface settings


These and other show commands are described in detail in Appendix G.

c. Start processing.

After adding certificates and services and configuring the Sun Fire B10n content load balancing blade, use the start command to make the SSL proxy blade begin processing SSL traffic.

CLI# start 

5. Exit the CLI interface.

After the setup process is finished, and the SSL proxy blade is successfully processing traffic, use the logout command to exit the command-line interface.


To Set Up a Telnet Session

Once the SSL proxy blade is installed, Telnet sessions connect to its management IP address. Telnet sessions are kept open for 30 minutes after the last activity.

1. Ping the administration port to verify proper connectivity.

You can also use the ping command from the SSL proxy blade serial console to verify the connection to another computer.

2. On Telnet, the Login: prompt is displayed after the following telnet command:

telnet> open ip-addr

After connecting to the administration port on the SSL proxy blade, the Login: prompt is displayed.

Use the set management command to change the default administration IP address.

CLI# set management
    Enter administration IP (192.168.0.12): admin_ip-addr
    Enter administration netmask (255.255.255.0): admin_netmask