Cisco 11503 - CSS Content Services Switch Configuration Manual page 217

Content services switch ssl configuration guide

Hide thumbs Also See for 11503 - CSS Content Services Switch:

Administration manual (392 pages)

Hardware installation manual (184 pages)

Getting started manual (142 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

Table of Contents

Chapter 8

Examples of CSS SSL Configurations

When the TCP connection is finished, the four flows (the two flows between the

client and SSL module, and the two flows between the SSL module and the

Server) are torn down.

An entire SSL session can comprise Multiple TCP connections. For each of those

connections, the same process takes place among the client, SSL module, and

server. The SSL Session ID maintains the stickiness between the client and the

SSL module and the cookie maintains the stickiness between the SSL module and

the servers. In this way, stickiness can be maintained consistently through the

entire web transaction.

OL-5655-01

The client transmits the encrypted payment or order information through an

SSL connection (TCP SYN received through destination port 443). In this

example, when the client connection reaches the CSS, the CSS uses a Layer 5

SSL Session ID sticky content rule to load balance the SSL connection among

the three SSL modules (M1, M2, and M3). When the inbound TCP SYN

connection reaches the SSL module (the SSL server), it terminates the TCP

connections from the client.

Once an SSL module is selected (for example, M1), the CSS forwards the

SSL packet to that module. The Session ID is saved in the sticky table for

subsequent SSL connections from the same client. Once this SSL flow is

mapped, the CSS forwards all subsequent packets for this connection to SSL

module M1. If there are additional SSL connections associated with this

transaction (as determined by the SSL Session ID), the CSS also forwards and

maps the packets to SSL module M1.

The SSL module terminates the SSL connection and decrypts the packet data.

The SSL module then initiates an HTTP connection to a content rule

configured on the CSS. The data in this HTTP connection is clear text.

The HTTP content rule uses the Layer 5 HTTP cookies or URL sticky content

rule on this HTTP request. The cookie or URL string in this clear text HTTP

request is used to locate the same server (ServerABC) as the one initially used

by the non-SSL HTTP connection in the transactions (for example, online

shopping). The CSS forwards the request to ServerABC and maps this flow.

Once the flow is mapped, the return HTTP response from the server is sent to

the same SSL module (M1) that sent the original request. The SSL module

encrypts the response as an SSL packet (it translates flows from

HTTP-to-HTTPS for outbound packets) and sends the packets back to the

client through the correct SSL connection.

Cisco Content Services Switch SSL Configuration Guide

8-3

Table of Contents

Related Products for Cisco 11503 - CSS Content Services Switch

This manual is also suitable for:

11500 series

Cisco 11503 - CSS Content Services Switch Configuration Manual page 217

Related Manuals for Cisco 11503 - CSS Content Services Switch

Related Products for Cisco 11503 - CSS Content Services Switch

This manual is also suitable for:

Table of Contents