Cisco CSS11501 - 100Mbps Ethernet Load Balancing Device Configuration Manual

11000 Series Secure Content Accelerator
Cisco 11000 Series Secure Content Accelerator

Configuration Guide

Software Version 4.1.0
December 2002
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 526-4100
Text Part Number: 78-13124-05


Summary of Contents for Cisco CSS11501 - 100Mbps Ethernet Load Balancing Device

  • Page 1: Configuration Guide
  • Page 2 You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures: •...
  • Page 3 Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.;...
  • Page 5: Table Of Contents

    Product Overview Secure Content Accelerator Versions Installing the Hardware and Software CHAPTER Site Requirements Required Tools and Equipment Shipment Contents Unpacking the Secure Content Accelerator Cisco 11000 Series Secure Content Accelerator Configuration Guide 78-13124-05...
  • Page 6 CHAPTER Overview Configuration Security Passwords Access Lists Factory Default Reset Password Before You Begin Initiating a Management Session Serial Management and IP Address Assignment Telnet
  • Page 7 Example: Generating a Certificate 4-24 Supporting SNMP 4-25 Example: Configuring SNMP 4-25 Supporting RIP 4-26 Example: Configuring RIP 4-26 Supporting Other Secure Protocols 4-27 Example: Configuring a Secure Mail Server 4-27 Supporting FIPS 4-27
  • Page 8 Example: Restricting Access using an Access List 5-14 Example: Reloading (Rebooting) the Appliance 5-17 Example: Setting an Enable Password 5-18 Example: Configuring SNMP 5-19 SSL Configuration Examples 5-22 Example: Setting up a Secure Server 5-22
  • Page 9 More Information 6-10 Specifications APPENDIX Electrical Specifications Environmental Specifications Physical Specifications Deployment Examples APPENDIX Single Device Load Balancing
  • Page 10 Methods to Manage the Device Initiating a Management Session Serial Management and IP Address Assignment Telnet C-10 Top Level Command Set C-11 Non-Privileged Command Set C-11 clear screen C-11 C-11 enable C-11
  • Page 11 C-20 show ip name-server C-20 show ip routes C-21 show ip statistics C-21 show keepalive-monitor C-21 show log C-22 show memory C-22 show messages C-22 show netstat C-23
  • Page 12 C-35 show ssl session-stats C-36 show ssl statistics C-38 show ssl tcp-tuning C-40 show syslog C-41 show system-resources C-41 show telnet C-42 show terminal C-42 show timezone C-42 show version C-43
  • Page 13 C-51 copy running-configuration startup-configuration C-52 copy startup-configuration C-52 copy startup-configuration running-configuration C-53 copy to flash C-53 copy to running-configuration C-54 copy to startup-configuration C-54 disable C-55 erase running-configuration C-55
  • Page 14 C-63 Configuration Command Set C-64 access-list C-64 clock C-65 C-66 exit C-66 finished C-66 help C-67 hostname C-67 interface C-68 ip address C-68 ip domain-name C-69 ip name-server C-69
  • Page 15 C-81 snmp trap-type generic C-82 sntp interval C-83 sntp server C-84 C-84 syslog C-85 telnet access-list C-86 telnet enable C-87 telnet port C-87 timezone C-88 web-mgmt access-list C-88
  • Page 16 C-96 finished C-96 gencsr C-96 help C-97 import pkcs12 C-98 import pkcs7 C-98 C-99 reverse-proxy-server C-100 secpolicy C-101 server C-102 tcp-tuning C-102 Backend Server Configuration Command Set C-104 activate C-104
  • Page 17 C-111 serverauth ignore C-112 session-cache enable C-112 session-cache size C-113 session-cache timeout C-113 sslv2 enable C-114 sslv3 enable C-114 suspend C-115 tcp-tuning C-115 tlsv1 enable C-116 transparent C-116 urlrewrite C-117
  • Page 18 C-122 exit C-123 finished C-123 help C-123 info C-124 Key Configuration Command Set C-125 binhex C-125 C-125 C-126 exit C-126 finished C-126 genrsa C-126 help C-127 info C-128 net-iis C-128
  • Page 19 C-136 session-cache size C-136 session-cache timeout C-137 sslv2 enable C-137 sslv3 enable C-138 suspend C-138 tcp-tuning C-139 tlsv1 enable C-139 urlrewrite C-140 Security Policy Configuration Command Set C-141 crypto C-141 C-143
  • Page 20 C-150 ephrsa C-151 exit C-151 finished C-151 help C-152 httpheader C-152 info C-153 ip address C-153 keepalive enable C-154 keepalive frequency C-154 keepalive maxfailure C-155 C-155 localport C-156 log-url C-156
  • Page 21 C-165 TCP Tuning Configuration Command Set C-167 2msltime C-167 delay-ack C-168 finwt2time C-169 keepalive C-169 keepalive-cnt C-170 keepalive-intv C-171 max-rexmit C-171 maxrt C-172 maxseg C-172 C-173 nodelay C-174 nopush C-174
  • Page 22 Installing a MaxOS Image (Xmodem) Extracting a Device Configuration Resetting the Environment to Factory Defaults Command Set D-10 ? (question mark) D-10 baud D-10 boot D-10 D-10 D-11 eaddr D-11
  • Page 23 Troubleshooting the Hardware SSL Introduction APPENDIX Introduction to SSL Port Blocking Mechanism Before You Begin Using Existing Keys and Certificates Apache mod_SSL ApacheSSL
  • Page 24 Cisco Secure Content Accelerator Management Regulatory Information APPENDIX Regulatory Standards Compliance Canadian Radio Frequency Emissions Statement FCC Class A CISPR 22 (EN 55022) Class A VCCI
  • Page 25 Figure 5-14 Save Changes Button 5-17 Figure 5-15 Change Password Example 5-18 Figure 5-16 SNMP Configuration Example 5-19 Figure 5-17 SNMP Trap Example 5-20 Figure 5-18 Add SNMP Trap Host Example 5-21
  • Page 26 Figure 5-41 Key Displayed Example 5-41 Figure 5-42 Generate CSR Example 5-42 Figure 5-43 Generate Self-Signed Certificate 5-43 Figure 5-44 Self-Signed Certificate Example 5-44 Figure 5-45 Successfully Generated Self-Signed Certificate 5-45
  • Page 27 Figure C-1 Command Hierarchy Figure E-1 Troubleshooting Flowchart 1 Figure E-2 Troubleshooting Flowchart 2 Figure E-3 Troubleshooting Flowchart 3 Figure F-1 Port Blocking Figure F-2 Port Blocking with Dropped Traffic
  • Page 28 Figures
  • Page 29 Output Description for show ssl session-stats C-37 Table C-6 Output Description for show ssl statistics C-39 Table E-1 Troubleshooting the Hardware Table F-1 Secure Content Accelerator Cryptographic Algorithms Table G-1 Regulatory Standards Compliance
  • Page 30 Tables
  • Page 31: About This Guide

    About This Guide This guide can help you successfully install and configure the Cisco 11000 Series Secure Content Accelerators (SCA and SCA2). It also provides helpful troubleshooting suggestions for potential hardware and software problems. How to Use This Guide This section describes the contents of this guide.
  • Page 32 This appendix presents a short introduction to SSL and a description of how the components are used in configuration. Instructions for generating keys and certificates with OpenSSL are also included.
  • Page 33 Courier text: (such as the command line interface) or is returned by the computer. Courier bold text: indicates commands and text you enter in a command line.
  • Page 34: Obtaining Documentation

    Obtaining Documentation The following sections explain how to obtain documentation from Cisco Systems. World Wide Web You can access the most current Cisco documentation on the World Wide Web at the following URL: http://www.cisco.com Translated documentation is available at the following URL: http://www.cisco.com/public/countries_languages.shtml...
  • Page 35: Ordering Documentation

    If you are reading Cisco product documentation on Cisco.com, you can submit technical comments electronically. Click Leave Feedback at the bottom of the Cisco Documentation home page. After you complete the form, print it out and fax it to Cisco at 408 527-0730.
  • Page 36: Obtaining Technical Assistance

    Technical Assistance Center The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two types of support are available through the Cisco TAC: the Cisco TAC Web Site and the Cisco TAC Escalation Center.
  • Page 37 If you cannot resolve your technical issues by using the Cisco TAC Web Site, and you are a Cisco.com registered user, you can open a case online by using the TAC Case Open tool at the following URL: http://www.cisco.com/tac/caseopen If you have Internet access, it is recommended that you open P3 and P4 cases through the Cisco TAC Web Site.
  • Page 38 1 or priority level 2; these classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer will automatically open a case.
  • Page 39 CHAPTER Overview This chapter describes the features and functions of the Secure Content Accelerator. This chapter contains the following sections: • Product Overview • Secure Content Accelerator Versions
  • Page 40: Chapter 1 Overview

    Simply load your own certificate and key when they are available. The Cisco 11000 Series Secure Content Accelerator is compatible with all Cisco content switches—the Cisco LocalDirector, the Catalyst Content Switching Module, and the Cisco CSS 11000 Series Content Services Switches.
  • Page 41: Table 1-1 Secure Content Accelerator Model Differences

    Processor: 250 MHz Motorola 8240 / 600 MHz IBM 750CXE. Memory: 64MB / 256MB. Flash: 16MB / 32MB. Cryptographic Engine: Rainbow FastMap 200 / Broadcom 5821. Maximum 1024-bit RSA Operations/Second: 4000. Hardware Digest, Hardware Cipher, Hardware RNG.
  • Page 42 Chapter 1 Overview Secure Content Accelerator Versions
  • Page 43: Site Requirements

    This chapter contains the following sections: • Site Requirements • Shipment Contents • Unpacking the Secure Content Accelerator • Installing the Hardware • Panel Descriptions • Connecting to Power • Connecting to Ethernet
  • Page 44: Required Tools And Equipment

    • Null modem cable • Two power cables • Secure Content Accelerator compact disk containing: – Secure Content Accelerator documentation – Release Notes – PDF version of this guide – Firmware files
  • Page 45: Installing The Hardware

    The Secure Content Accelerator can be placed on a flat surface as a free-standing unit or rack-mounted in an equipment cabinet. The following sections describe the steps to install the Secure Content Accelerator as a: • Free-standing unit • Rack-mounted unit
  • Page 46: Installing As A Free-Standing Unit

    Position the Secure Content Accelerator on a level surface in an area with access to your network cabling. When installing the Secure Content Accelerator, note that Ethernet and serial cables attach to the front of the chassis and power cables attach to the back.
  • Page 47: Installing As A Rack-Mounted Unit

    The front panel of the Secure Content Accelerator, shown in Figure 2-1, contains the following connectors, switches, and LEDs: • Two DB9 serial ports, marked “AUX” and “CONSOLE” • Two RJ-45 10/100 Ethernet interface ports, marked “SERVER” and “NETWORK”
  • Page 48: Figure 2-1 Secure Content Accelerator Front Panel

    • Two power switches. Figure 2-2 Secure Content Accelerator Rear Panel. Figure 2-3 shows the LED layout of the SCA Ethernet ports. Table 2-1 describes the function of each LED on the SCA.
  • Page 49: Figure 2-3 Sca Ethernet Port Detail

    Figure 2-4 shows the LED layout of the SCA2 Ethernet ports. Table 2-2 describes the function of each LED on the device. Figure 2-4 SCA2 Ethernet Port Detail (labels: Reset Switch, Test LED, 100/ACT/LNK Server, 100/ACT/LNK Network)
  • Page 50: Identifying Sca Models

    Plug the power cords into dedicated three-wire grounding receptacles. Switch the power switches to the 1 (on) position. Note: Connect the power supplies to different circuits to further ensure appliance availability.
  • Page 51: Connecting To Ethernet

    Connect the “Server” port to the servers (or to the “Network” port if using one-port mode). Check the LK LEDs for connection viability. If one or both LK LEDs are not lit, see Appendix E, Troubleshooting, for suggestions.
  • Page 52 Chapter 2 Installing the Hardware and Software Connecting to Ethernet
  • Page 53: Chapter 3 Using The Quickstart Wizard

    This chapter contains the following sections: • Before You Begin • Initiating a Management Session • Starting the QuickStart Wizard • Using the QuickStart Wizard • Using the QuickStart Wizard with a Configured Appliance
  • Page 54: Before You Begin

    Follow these steps to initiate a management session via a serial connection and set an IP address for the device. Note: When configuring an SCA2 via a serial connection, the displayed prompt is “SCA2” unless a hostname has been defined for the device.
  • Page 55: Telnet

    Telnet After you have assigned an IP address to the Cisco Secure Content Accelerator using the serial console CLI, you can connect to the appliance via telnet. Initiate a telnet session with the IP address previously assigned to the appliance.
  • Page 56: Telnet

    Is the above information correct? (y/n): Enter y if the listing is correct. Go to “Using the QuickStart Wizard” below. Enter n if the information is incorrect. You are prompted for the configuration information again.
  • Page 57: Using The Quickstart Wizard

    (See Appendix F for a discussion of port blocking.) You can abort the current clear text port designation and enter a different TCP service port, or approve using TCP service port 80 for clear text.
  • Page 58: Using The Quickstart Wizard

    (_), hyphen (-), and period (.) characters. Key names must begin with an alphabetic character and have a limit of 15 characters. Enter the URL for a PEM encoded key file:
  • Page 59 After the certificate is properly loaded, configure a security policy as described below.
  • Page 60 RSA key size of 1024, exp ARC2_MD5, DES_SHA1, ARC4_SHA1, MD5, and SHA1 default-RSA key size of 1024, ARC4_MD5, ARC4_SHA1 and exp ARC4_MD5, ARC4_SHA1, ARC2_MD5 RSA key size of 512, exp ARC4_MD5, MD5, and SHA1
  • Page 61 If the information is correct, type y. The logical secure server you have configured is created. If you type n, the server configuration process restarts using the current secure server. Would you like to use the QuickStart wizard to create another ssl-server? (y/n):
  • Page 62 A summary screen shows information about the device, keys, certificates, security policies, and the logical secure servers configured on it. SCA myDevice Keys capacity 255, defined 3 ----------------------------------- Name ----------------------------------- default default-512 default-1024
  • Page 63 10.1.2.3:80 myCert *not set* Default Gateway: 10.1.14.1 The list of keys includes all those loaded into the device. The columns and their descriptions are shown in the table below.
  • Page 64 The number of the security policy as loaded into the device. RC (Reference Count): The number of SSL servers using the security policy. PolicyList: The names of the individual cryptographic schemes associated with each security policy.
  • Page 65 QuickStart wizard finishes. If you type n, the QuickStart wizard finishes. Caution: If the configuration is not saved to flash memory, the configuration is lost during a power cycle or when the reload command is used.
  • Page 66: Using The Quickstart Wizard With A Configured Appliance

    Using the QuickStart Wizard with a Configured Appliance If you wish to run the QuickStart wizard for a previously configured Cisco Secure Content Accelerator, follow these steps: Initiate a management session and start the configuration manager as described previously.
  • Page 67: Chapter 4 Using The Configuration Manager

    • Generating Keys and Certificates • Supporting SNMP • Supporting RIP • Supporting Other Secure Protocols • Supporting FIPS • Working with Syslogs • Disabling SSL Versions • Enabling Keepalives • Setting the Idle-Timeout
  • Page 68: Figure

    Configuration mode, simply enter end or exit or press CTRL+D. The finished command returns to the Top Level from any mode. Note: Appendix C lists all commands for SSL devices. Refer to Chapter 6 for FIPS Mode instructions.
  • Page 69: Configuration Security

    Passwords Cisco Secure Content Accelerator devices use two levels of password protection: access- and enable-level. Access-level passwords control who can access the device via telnet and serial connections. Enable-level passwords control who can view the same data available with access-level passwords as well as view sensitive data and configure the device.
  • Page 70: Factory Default Reset Password

    The nature of the changes depends upon whether you are securing a previously unsecured site, or adding the SSL appliance to an already secure server installation. These changes are described in section “Web Site Changes” in Appendix B.
  • Page 71: Initiating A Management Session

    Enter Privileged and Configuration modes and set the IP address using the following commands. Replace the IP address in the example with the appropriate one.
    SCA> enable
    SCA# configure
    (config[SCA])# ip address 10.1.2.5 netmask 255.255.255.0
    (config[SCA])#
  • Page 72: Telnet

    Telnet After you have assigned an IP address to the Cisco Secure Content Accelerator using the serial console CLI, you can connect to the appliance via telnet. Initiate a telnet session with the IP address previously assigned to the appliance.
  • Page 73: Example: Setting Up Basic Device Parameters

    Set an enable password to protect the appliance configuration. The password is requested whenever the enable command is given. Note: Passwords are not echoed to the screen.
    (config[myDevice])# password enable
    Enter new password:
    Confirm password:
    (config[myDevice])# end
    SCA#
  • Page 74: Example: Setting Up A Secure Server

    Enter Certificate Configuration mode and create a certificate named myCert. Then load the PEM-encoded certificate file. Return to SSL Configuration Mode.
    (config-ssl[myDevice])# cert myCert create
    (config-ssl-cert[myCert])# pem certFile
    (config-ssl-cert[myCert])# end
    (config-ssl[myDevice])#
  • Page 75 Then exit to Top Level mode.
    (config-ssl[myDevice])# server myServer create
    (config-ssl-server[myServer])# ip address 10.1.2.4
    (config-ssl-server[myServer])# sslport 443
    (config-ssl-server[myServer])# remoteport 81
    (config-ssl-server[myServer])# key myKey
    (config-ssl-server[myServer])# cert myCert
    (config-ssl-server[myServer])# secpolicy myPol
    (config-ssl-server[myServer])# finished
    SCA#
  • Page 76: Example: Setting Up A Backend Server

    (config-ssl-backend[myBackServ])# ip address
    Assign port 443 for SSL traffic and port 80 for clear text traffic.
    (config-ssl-backend[myBackServ])# localport 80
    (config-ssl-backend[myBackServ])# remoteport 443
    Specify a security policy for the server.
    (config-ssl-backend[myBackServ])# secpolicy strong
  • Page 77: Example: Setting Up A Reverse-Proxy Server

    Assign port 8080 for clear text traffic.
    (config-ssl-rproxy[myRevServ])# localport 8080
    Specify a security policy for the server.
    (config-ssl-rproxy[myRevServ])# secpolicy strong
    Note: When using FIPS Mode, only security policies configured for FIPS 140-2-compliant operation are available.
  • Page 78: Example: Configuring Secure Url Rewrite

    Enter Server Configuration mode for the server for which you wish to configure URL rewrites.
    (config-ssl[SCA])# server myServer
    (config-ssl-server[myServer])#
    The urlrewrite command uses the following syntax: urlrewrite <domainName> [sslport <portid>] [clearport <portid>] <redirectonly>
  • Page 79 A wildcard can be used to specify multiple SSL hosts in the same domain.
    (config-ssl-server[myServer])# urlrewrite *.mybusiness3.com sslport 443 clearport 81
    Note: Do not use *.com as a filter. The definition is too broad.
  • Page 80: Example: Configuring Sntp Servers

    *.mybusiness3.com For more information about URL rewriting, contact your Cisco representative for a copy of the white paper SSL Offloaders and Contextual Consistency. Example: Configuring SNTP Servers Up to four SNTP servers can be configured on the Secure Content Accelerator.
  • Page 81: Example: Restricting Access Using An Access List

    SNMP subsystem as well. This example demonstrates how to create two access lists and assign each to a management subsystem. Enter Privileged and Configuration modes.
    SCA> enable
    SCA# configure
    (config[myDevice])#
  • Page 82: Configuring An Ethernet Interface

    In the following example, the “Network” interface of myDevice is forced to full duplex. Make sure to save this configuration to flash.
    (config[myDevice])# interface network
    (config-if[network])# duplex full
    (config-if[network])# speed 100
    (config-if[network])# finished
    SCA#
  • Page 83: Example: Saving A Configuration File

    Use the same key object names previously used to reference the keys. Step-Up Certificates and Server-Gated Cryptography: The Cisco Secure Content Accelerator supports both Netscape International Step-Up Certificates and Microsoft Server-Gated Cryptography. Ephemeral RSA must be enabled for the device to function properly with these certificates. Load the certificate normally.
  • Page 84: Configuring Certificate Groups

    CACertFile. The name of the PEM-encoded certificate generated by the intermediary CA is localCertFile. The name of the certificate group is CACertGroup. Initiate a management session as described previously. Enter Privileged and Configuration modes.
    SCA> enable
    SCA# configure
    (config[myDevice])#
  • Page 85
    (config-ssl[myDevice])# server server1 create
    (config-ssl-server[server1])# ip address 10.1.2.4
    (config-ssl-server[server1])# localport 443
    (config-ssl-server[server1])# remoteport 81
    (config-ssl-server[server1])# secpolicy myPol
    (config-ssl-server[server1])# certgroup chain CACertGroup
    (config-ssl-server[server1])# cert localCert
    (config-ssl-server[server1])# key localKey
    (config-ssl-server[server1])# finished
    SCA#
  • Page 86: Example: Importing Certificate Groups

    SCA# Example: Importing Certificate Groups PKCS#7 certificate groups can be imported directly into the device. This example demonstrates how to import a PEM-encoded PKCS#7 file into the Cisco Secure Content Accelerator. Initiate a management session as described previously. Enter Privileged and Configuration modes.
  • Page 87: Using Client And Server Certificate Authentication

    Initiate a management session as described previously. Enter Privileged and Configuration modes.
    SCA> enable
    SCA# configure
    (config[myDevice])#
    Enter SSL Configuration mode and Backend Server Configuration mode for the server myBackServ.
    (config[myDevice])# ssl
    (config-ssl[myDevice])# backend-server myBackServ
    (config-ssl-backend[myBackServ])#
  • Page 88 Exit to Privileged mode, and save the configuration to flash memory. If it is not saved, the configuration is lost during a power cycle or when the reload command is used.
    (config-ssl-backend[myBackServ])# finished
    SCA# write flash
    SCA#
  • Page 89: Example: Configuring Client Certificate Authentication

    Exit to Privileged mode, and save the configuration to flash memory. If it is not saved, the configuration is lost during a power cycle or when the reload command is used.
    (config-ssl-server[myServ])# finished
    SCA# write flash
    SCA#
  • Page 90: Generating Keys And Certificates

    Note: Using the HTTPS protocol ensures that your key is transmitted securely. Example: Generating a Certificate. Enter Privileged, Configuration, and SSL Configuration modes.
    SCA> enable
    SCA# configure
    (config[myDevice])# ssl
    (config-ssl[myDevice])#
  • Page 91: Supporting Snmp

    Using the HTTPS protocol ensures that your certificate is transmitted securely. Supporting SNMP Cisco Secure Content Accelerator devices have basic support for SNMP functions. The device is shipped with SNMP disabled. This example demonstrates how to set basic SNMP data.
  • Page 92: Supporting Rip

    SCA# write flash SCA# Supporting RIP Cisco Secure Content Accelerator devices support Routing Information Protocol (RIP) versions 1 and 2. This example demonstrates how to enable RIP version 1 packet usage. Example: Configuring RIP Initiate a management session as described previously.
  • Page 93: Supporting Other Secure Protocols

    Supporting Other Secure Protocols Along with SSL, Cisco Secure Content Accelerator devices can support other secure protocols using TLS v1.0, SSL v2.0, and SSL v3.0. IMAPS, POP3S, NNTPS, and LDAPS are some examples. The steps below show how to configure the SSL appliance for setting up a secure server to process only POP3S (S-POP) mail.
  • Page 94: Working With Syslogs

    In certain situations, you may want to disable individual SSL versions. The SCA allows you to enable or disable these on a version-by-version basis for individual servers. Initiate a management session as described previously.
  • Page 95: Enabling Keepalives

    (maxfailure), the virtual server is marked as “suspended”. When the hardware server comes back online, the keepalive messages discover the server and mark it “active” again.
  • Page 96
    (config-ssl-server[myServer])# finished
    SCA#
    Save the configuration to flash memory. If not saved, the configuration is lost during a power cycle or when the reload command is used.
    SCA# write flash
    SCA#
  • Page 97: Setting The Idle-Timeout

    (config[myDevice])# end
    SCA#
    Save the configuration to flash memory. If not saved, the configuration is lost during a power cycle or when the reload command is used.
    SCA# write flash
    SCA#
  • Page 98
    Chapter 4 Using the Configuration Manager: Setting the Idle-Timeout
  • Page 99: Chapter 5 Graphical User Interface Reference

    Graphical User Interface Reference: This chapter describes how to use the Graphical User Interface (GUI) to configure the Cisco Secure Content Accelerator. The GUI provides a convenient, Web browser-based method of configuring the Secure Content Accelerator. Note: The GUI cannot be used to configure the Secure Content Accelerator in FIPS Mode.
  • Page 100: Overview

    CLI command. Web management status is shown in the returned listing as follows:
    Web Management: disabled
    Enter Privileged and Configuration modes and enable Web management using these commands:
    enable
    configure
    web-mgmt enable
  • Page 101: Restricting Access To Web Management

    Figure 5-1. Use “admin” for the user name. If no enable password has been configured, the GUI starts at the General content area.
  • Page 102: Configuring For Client-Side Access

    (config[myDevice])> ssl
    (config-ssl[myDevice])> server web create
    (config-ssl-server[web])> ip address 127.0.0.1
    (config-ssl-server[web])> sslport 443
    (config-ssl-server[web])> remoteport 80
    (config-ssl-server[web])> no transparent
    (config-ssl-server[web])> cert default-1024
    (config-ssl-server[web])> key default-1024
    (config-ssl-server[web])> secpolicy all
    (config-ssl-server[web])> finished
    myDevice#
  • Page 103: Administrative Time Out

    The GUI is divided into two main parts: the area panel on the left and content tabs on the right. Figure 5-2 shows an example of this interface. Take a few moments to familiarize yourself with the screen layout.
  • Page 104: Figure 5-2 Basic User Interface Example

    IP statistics, set DNS information
    • Log: Set syslog message hosts and clear and view the device message log
    • Tools: Reboot the device, manage running and startup configurations, update firmware, and run diagnostic commands
  • Page 105: General Configuration Examples

    Follow these steps to change the hostname of the device to myDevice. Click General to activate the General content tabs. Click the Settings tab. The Settings page opens, as shown in Figure 5-3. Type “myDevice” in the Device Name text box.
  • Page 106: Example: Resetting The IP Address

    Type the new IP address information including the appropriate netmask and default router in the Internet Address, Netmask, and Gateway text boxes, respectively, on the Settings tab. The Settings page opens, as shown in Figure 5-4.
  • Page 107: Example: Configuring An Ethernet Interface

    Click Network to activate the Network tabs. Use the list box in the Network Interface or Server Interface panel of the Settings tab to change the Ethernet interface settings. The Settings page is shown in Figure 5-5.
  • Page 108: Example: Enabling RIP

    Figure 5-5 Ethernet Interface Configuration Example. Click Update. Example: Enabling RIP. Click Network to activate the Network tabs. Click the Settings tab. The Settings page opens, as shown in Figure 5-6.
  • Page 109: Example: Adding A Route To The Routing Table

    Click Update. Example: Adding a Route to the Routing Table. Click Network to activate the Network tabs. Click the Route tab. The Route page opens, as shown in Figure 5-7.
  • Page 110: Figure 5-7 Routing Table Configuration Example

    Scroll to the bottom of the page, if necessary, to see the Add Route button. Click Add Route. The Add Route window opens as shown in Figure 5-8. Figure 5-8 Adding a Route Example.
  • Page 111: Example: Working With Syslogs

    Enter the appropriate port ID, and select the desired facility from the Facility drop-down list box. Click Update. Use the View Log tab to display the syslog and clear the syslogs.
  • Page 112: Example: Restricting Access Using An Access List

    Click the Access Control Lists tab. The Access Control Lists page opens, as shown in Figure 5-10. Figure 5-10 Access List Configuration Example. Click Add Access Entry. The Add Access Control List window opens, as shown in Figure 5-11.
  • Page 113: Figure 5-11 Add Access List Entry Example

    Appendix C for more information.) Click OK to create the access list entry and close the window. Click the Subsystem tab. The Subsystem page opens, as shown in Figure 5-12.
  • Page 114: Figure 5-12 Subsystem Access Configuration Example

    Type the number of the access list just created in the Access Control List Id text box of the Web Management panel. (You can also change the TCP port on this tab.) Click Update.
  • Page 115: Example: Reloading (Rebooting) The Appliance

    Any changes you have made but have not saved are lost. Figure 5-14 Save Changes Button. Click Reboot on the Restart page. The appliance reboots using the configuration stored in flash memory.
  • Page 116: Example: Setting An Enable Password

    Click Update to set the password. Note: To remove an existing Enable password entirely, clear the Enable checkbox, type the existing password in the Old Password text box. Click Update.
  • Page 117: Example: Configuring SNMP

    Click Update after changing the value in each field and selecting the Enabled check box. Click the Traps tab. The Traps page opens, as shown in Figure 5-17.
  • Page 118: Figure 5-17 SNMP Trap Example

    Figure 5-17 SNMP Trap Example. Click Add Trap Host to specify a host to which to send trapping messages. The Add Trap Host window opens, as shown in Figure 5-18.
  • Page 119: Figure 5-18 Add SNMP Trap Host Example

    Threshold/Hysteresis Low text box. Note: Additional information is presented in the online Help for this tab. Click Help in the top right corner of the window. Click Update to set the configuration.
  • Page 120: SSL Configuration Examples

    GUI. Click SSL to activate the SSL tabs. Click the Private Keys tab. The Private Keys page opens, as shown in Figure 5-19. Figure 5-19 Private Keys Tab.
  • Page 121: Figure 5-20 Add Private Key Example

    Paste Private Key Here text box on the Paste tab. For an example of key generation, see “Example: Generating an RSA Private Key”.)
  • Page 122: Figure 5-21 Importing A Private Key File Example

    Next, load a certificate to assign to the secure server. In this example, a certificate is imported into the GUI. Click the Certificates tab. The Certificates page opens, as shown in Figure 5-22.
  • Page 123: Figure 5-22 Certificates Tab

    Chapter 5 Graphical User Interface Reference: SSL Configuration Examples. Figure 5-22 Certificates Tab.
  • Page 124: Figure 5-23 Add Certificate Example

    Click Add Certificate. The Add Certificate window opens, as shown in Figure 5-23. Figure 5-23 Add Certificate Example.
  • Page 125: Figure 5-24 Importing A Certificate Example

    Several security policies are pre-loaded into the Secure Content Accelerator. You can use any of these or create your own policy when configuring a server. This example demonstrates how to create a user-defined security policy.
  • Page 126: Figure 5-25 Security Policies Tab

    Click the Security Policies tab. The Security Policies page opens, as shown in Figure 5-25. Figure 5-25 Security Policies Tab.
  • Page 127: Figure 5-26 Add Security Policy Example

    CTRL+clicking the entries in the Security Policy Algorithms list box. Click OK to create the policy. Now, set up the secure server.
  • Page 128: Figure 5-27 Secure Servers Tab

    Click the Secure Servers tab. The Secure Servers page opens, as shown in Figure 5-27. Figure 5-27 Secure Servers Tab. Click Add Secure Server. The Add Secure Server window opens, as shown in Figure 5-28.
  • Page 129: Figure 5-28 Add Secure Server Information Example

    If you wish to use a log server, enter the appropriate information in the Log Server IP text boxes. You can disable any of the SSL/TLS versions by clearing your choice in the SSL Version Support check boxes.
  • Page 130: Figure 5-29 Server Certificate And Security Policy Example

    (including wildcard, if appropriate) in the URL Clear-Text Port text box. Edit the port definitions, if necessary. Click Add, as shown in Figure 5-31, to define the URL rewrite rule.
  • Page 131: Figure 5-31 Add URL Rewrite Rule Example

    Note: For more information, see the “Example: Configuring Secure URL Rewrite” section on page 4-12. Select the desired options in the Client Certificate Authentication panel, shown in Figure 5-32. Figure 5-32 Add Secure Server Information Example.
  • Page 132: Figure 5-33 Add HTTP Headers Example

    Click OK to create the secure server on the Secure Content Accelerator. The same procedures are used to create and edit backend servers and reverse-proxy servers. Options presented in the window change, depending upon the type of server being configured.
  • Page 133: Example: Creating And Using Certificate Groups

    Certificate Group”, below, for a demonstration. Click SSL to activate the SSL tabs. Click the Certificate Groups tab. The Certificate Groups page is shown in Figure 5-35. Figure 5-35 Certificate Groups Tab.
  • Page 134: Figure 5-36 Add Certificate Group Example

    Either click Edit next to an existing secure server, or click Add Secure Server to create a new server. The appropriate secure server window opens. Locate the Server Certificate and Security Policy panel.
  • Page 135: Example: Supporting Other Secure Protocols

    Select strong from the Security Policy list box. Select default-1024 from the Certificate list box. Select default-1024 from the Private Key list box. These options are shown in Figure 5-38.
  • Page 136: Example: Generating An RSA Private Key

    Click SSL to activate the SSL tabs. Click Add Private Key. The Add Private Key window opens. Click the Generate tab. The Generate an RSA Private Key window opens, as shown in Figure 5-39.
  • Page 137: Figure 5-39 Generating A Private Key

    DES encryption and can be saved to a file.
    • Display key using Des3 Encryption: The private key is displayed using 3DES encryption and can be saved to a file.
  • Page 138: Figure 5-40 Key Not Displayed Example

    Encryption were selected, the key is generated and a window opens, displaying the encrypted key. This is shown in Figure 5-41. Click Download Encrypted Private Key to make a backup copy of the key, if desired. Click Close.
  • Page 139: Figure 5-41 Key Displayed Example

    Figure 5-41 Key Displayed Example.
  • Page 140: Example: Generating A Self-Signed Certificate

    Click Add Certificate. The Add Certificate window opens. Click the Generate CSR/Self-signed Certificate tab. The Generate CSR/Self-signed Certificate page opens, as shown in Figure 5-42. Figure 5-42 Generate CSR Example.
  • Page 141: Figure 5-43 Generate Self-Signed Certificate

    Select the appropriate header from the CSR Header list box. Click OK. The certificate is created and the Generate Certificate Signing Request (CSR) opens, as shown in Figure 5-43. Figure 5-43 Generate Self-Signed Certificate.
  • Page 142: Figure 5-44 Self-Signed Certificate Example

    Click Self-sign this CSR to generate a self-signed digital certificate to be used for testing while you wait for the certificate to be signed. The Generate Self-signed Certificate window opens, as shown in Figure 5-44. Figure 5-44 Self-Signed Certificate Example.
  • Page 143: Figure 5-45 Successfully Generated Self-Signed Certificate

    The Generate Self-signed Certificate window is shown in Figure 5-45. Click Close. Figure 5-45 Successfully Generated Self-Signed Certificate.
  • Page 144: Example: Importing A PKCS#7 Certificate Group

    Select the encoding option for the file to import by clicking the appropriate Encoding option button. Either type the name and path of the PKCS#7 file to import, or click Browse and navigate to and select the file. Click OK.
  • Page 145: Example: Importing A PKCS#12 Certificate Group

    Type the key password in the Password text box. Either type the name and path of the PKCS#12 file to import, or click Browse and navigate to and select the file. Click OK.
  • Page 146: Running The Secure Server Wizard

    Follow the instructions and prompts in the wizard to configure the secure server. When you have completed configuring the server, you can immediately configure another one or exit the Secure Server wizard.
  • Page 147: Chapter 6 FIPS Operation

    FIPS 140-2-compliant operation. This chapter contains the following sections:
    • FIPS Capabilities
    • Using FIPS Mode
    • Command Changes
    • Returning to Normal Operation
    • More Information
    Note: FIPS operation is only available on the SCA2.
  • Page 148: Chapter 6 FIPS Operation

    Using FIPS Mode. Note: A tamper-evident sticker is affixed to the Secure Content Accelerator. When using the device for FIPS-compliant operation, this sticker must remain in place and untouched.
  • Page 149
    You need to provide an access-level password of at least 8 characters.
    Enter new password:
    Confirm password:
    You need to provide an enable-level password of at least 8 characters.
    Enter new password:
    Confirm new password:
  • Page 150
    “FailSafe” password as described in “Factory Default Reset Password” section on page 4-4. All configuration will be lost! Use the enable-level password to enter Privileged Mode.
    Enter the enable-level password:
  • Page 151: Creating A Server In FIPS Mode

    Assign an IP address, key, certificate, and FIPS-compliant security policy.
    [FIPS] ssl-server[mySecServ]#> ip address 10.1.114.30
    [FIPS] ssl-server[mySecServ]#> key myOwnKey
    [FIPS] ssl-server[mySecServ]#> cert myOwnCert
    [FIPS] ssl-server[mySecServ]#> secpolicy fips
    [FIPS] ssl-server[mySecServ]#>
    Exit to Top Level Mode.
    [FIPS] ssl-server[mySecServ]#> finished
    [FIPS] SCA#
  • Page 152
    FIPS security policy.
    [FIPS] ssl-config[SCA]#> server mySecServ
    [FIPS] ssl-server[mySecServ]#> secpolicy myFIPS
    [FIPS] ssl-server[mySecServ]#>
    Exit to Top Level Mode.
    [FIPS] ssl-server[mySecServ]# finished
    [FIPS] SCA#
  • Page 153: Command Changes

    Differing Command Behaviors: Some commands behave differently while the Secure Content Accelerator is in FIPS Mode. These commands and notes about their usage are presented in Table 6-2, below.
  • Page 154: Table 6-2 FIPS Mode Command Changes

    FIPS Mode passwords must be at least eight characters in length and are limited to a character set containing the alphabet, Arabic numerals, period (.), hyphen (-), underscore (_), and !@#$%^&*+=[]{};:<>?~ .
  • Page 155: Returning To Normal Operation

    Press y when prompted to reboot the Secure Content Accelerator. After the device reboots, you are prompted for the access-level password. When the password is accepted, the “[FIPS]” portion of the prompt is removed, reflecting normal operation of the Secure Content Accelerator.
  • Page 156: More Information

    Chapter 6 FIPS Operation: More Information. For more information about the NIST Cryptographic Module Validation Program, see http://csrc.nist.gov/cryptval/cmvp.htm.
  • Page 157: Appendix

    Appendix A Specifications: This appendix presents the specifications for both Secure Content Accelerator versions. It contains the following sections:
    • Electrical Specifications
    • Environmental Specifications
    • Physical Specifications
  • Page 158: Electrical Specifications

    (all current-carrying conductors). Environmental Specifications: Table A-2 describes the Secure Content Accelerator environmental specifications.
    Table A-2 Environmental Specifications
    Specification                              | Secure Content Accelerator
    Ambient Operating Temperature (maximum)    | 41°-105° F (5°-40° C)
  • Page 159: Physical Specifications

    Table A-3 describes the Secure Content Accelerator physical specifications.
    Table A-3 Physical Specifications
    Specification                   | Secure Content Accelerator
    Chassis Dimensions (H x W x D)  | 10x1.75x17 inches (25x4.4x42.5 cm)
    Shipping Weight                 | 6 lbs (2.72 kg)
  • Page 160
    Appendix A Specifications: Physical Specifications
  • Page 161: Appendix

    This appendix contains the following sections:
    • Single Device
    • Load Balancing
    • Use with the CSS
    • Connecting the Device to a Terminal Server
    • Web Site Changes
    • Transparent Local-Listen
  • Page 162: Appendix B Deployment Example

    If the load balancer is using URL- or cookie-related load balancing, install the appliance in front of the load balancer. In this configuration, the load balancer receives clear text packets decrypted by the SSL device. Figure B-2 shows a typical installation.
  • Page 163: Use With The CSS

    Using the Secure Content Accelerator with the CSS allows Layer 4 load balancing of the Secure Content Accelerator and Layer 5 routing and load balancing for content decrypted by the Secure Content Accelerator. Four deployment scenarios are recommended:
    • In-Line
    • Transparent Sandwich
  • Page 164: In-Line

    Secure Content Accelerator or the CSS. However, the deployment provides a low level of scalability, based upon the capacity of the CSS. An example deployment is shown in Figure B-3.
  • Page 165: Figure B-3 Secure Content Accelerator In-Line Installation

    TCP service port to the CSS. All port 80 traffic is bridged transparently to the CSS. Table B-1 shows basic configuration actions for both the CSS and Secure Content Accelerator.
  • Page 166: Table B-1 In-Line Installation Device Configuration

    0.0.0.0 0.0.0.0 10.176.11.1 1
    !************************* INTERFACE *************************
    interface ethernet-8
      bridge vlan 8
    !************************** CIRCUIT **************************
    circuit VLAN1
      ip address 10.176.10.1 255.255.255.0
    circuit VLAN8
      ip address 10.176.11.2 255.255.255.0
  • Page 167
    10.176.11.100
      add service s1
      add service s2
      add service s3
      add service s4
      protocol tcp
      port 81
      url "/secure/*"
      active
  • Page 168: Figure B-4 Secure Content Accelerator Transparent Sandwich Installation

    The transparent sandwich deployment is moderately difficult to configure with good scalability. A minimum of two CSS devices are required. Figure B-4 shows a typical deployment. Figure B-4 Secure Content Accelerator Transparent Sandwich Installation.
  • Page 169
    Secure Content Accelerator devices. There is no way to differentiate between equal cost paths without mapping to an ingress flow. Table B-2 shows basic configuration actions for the CSS devices and Secure Content Accelerator.
  • Page 170
    – specify a VIP, any port 443 traffic not destined to that VIP can be routed over the VLAN specified for port 80 and SSL traffic terminated on origin servers...
  • Page 171
    7
    interface ethernet-8
      bridge vlan 8
    !************************** CIRCUIT **************************
    circuit VLAN1
      ip address 10.176.1.1 255.255.255.0
    circuit VLAN2
      ip address 10.176.2.1 255.255.255.0
    circuit VLAN3
      ip address 10.176.3.1 255.255.255.0
  • Page 172
    10.176.2.3
      type transparent-cache
      active
    service ssl3
      port 443
      protocol tcp
      ip address 10.176.3.3
      type transparent-cache
      active
    service ssl4
      port 443
      protocol tcp
      ip address 10.176.4.3
      type transparent-cache
      active
  • Page 173
    !*************************** OWNER ***************************
    owner test
    content ssl
      protocol tcp
      port 443
      add service ssl1
      add service ssl2
      add service ssl3
      add service ssl4
      add service ssl5
      add service ssl6
      active
  • Page 174
    6
    interface ethernet-7
      bridge vlan 7
    interface ethernet-8
      bridge vlan 8
    !************************** CIRCUIT **************************
    circuit VLAN2
      ip address 10.176.2.3 255.255.255.0
    circuit VLAN3
      ip address 10.176.3.3 255.255.255.0
  • Page 175
    10.176.10.10
      protocol tcp
      active
    service s2
      ip address 10.176.10.11
      protocol tcp
      active
    service s3
      ip address 10.176.10.12
      protocol tcp
      active
    service s4
      ip address 10.176.10.13
      protocol tcp
      active
  • Page 176
    The resulting log file can be utilized by all popular log analysis tools. Figure B-5 shows a typical deployment.
  • Page 177: Figure B-5 Secure Content Accelerator One-Armed Non-Transparent Proxy Installation

    443 traffic terminates on Secure Content Accelerator devices each connected to the CSS via a single port. Table B-3 shows basic configuration actions for both the CSS and Secure Content Accelerator.
  • Page 178: Table B-3 One-Armed Non-Transparent Proxy Installation Device Configuration

    Below is a sample configuration for the CSS.
    !Generated on 11/18/2000 17:38:37
    !Active version: ap0400007s
    configure
    !*************************** GLOBAL ***************************
    bridge spanning-tree disabled
    ip route 0.0.0.0 0.0.0.0 10.100.1.1 1
  • Page 179
    10.176.10.11
      protocol tcp
      active
    service s3
      ip address 10.176.10.12
      protocol tcp
      active
    service s4
      ip address 10.176.10.13
      protocol tcp
      active
    service ssl1-443
      port 443
      protocol tcp
      ip address 10.176.1.3
      active
  • Page 180
    443
      protocol tcp
      ip address 10.176.1.6
      active
    service ssl4-444
      port 444
      protocol tcp
      ip address 10.176.1.6
      active
    service ssl5-443
      port 443
      protocol tcp
      ip address 10.176.1.7
      active
  • Page 181
    81
      url "/*"
      active
    content ssl
      vip address 10.176.11.100
      protocol tcp
      port 443
      add service ssl1-443
  • Page 182: One-Armed Transparent Proxy

    The one-armed transparent proxy deployment is the most complex to configure, but it provides a high degree of scalability and extended features, including IP address accounting. Figure B-6 shows a typical deployment.
  • Page 183: Figure B-6 Secure Content Accelerator One-Armed Transparent Proxy Installation

    CSS properly.
    • Static routes must be added to the CSS so that traffic that should not pass through the Secure Content Accelerator devices is routed properly.
  • Page 184
    Accelerator devices and management stations requiring ICMP or SNMP to operate will not have access to SSL processing. Table B-4 shows basic configuration actions for both the CSS and Secure Content Accelerator.
  • Page 185: Table B-4 One-Armed Transparent Proxy Installation Device Configuration

    • Create Layer 5 rules for secure content
    • Create content rules as required for non-secure content
    • Define ACLs and upstream router service to ensure proper routing of traffic not terminated on the CSS
  • Page 186
    4
    interface ethernet-5
      bridge vlan 5
    interface ethernet-6
      bridge vlan 6
    interface ethernet-7
      bridge vlan 7
    interface ethernet-8
      bridge vlan 8
    !************************** CIRCUIT **************************
    circuit VLAN1
      ip address 10.176.1.1 255.255.255.0
  • Page 187
    10.176.10.10
      protocol tcp
      active
    service s2
      ip address 10.176.10.11
      protocol tcp
      active
    service s3
      ip address 10.176.10.12
      protocol tcp
      active
    service s4
      ip address 10.176.10.13
      protocol tcp
      active
  • Page 188
    10.176.4.3
      active
    service ssl5
      port 443
      protocol tcp
      type transparent-cache
      no cache-bypass
      ip address 10.176.5.3
      active
    service ssl6
      port 443
      protocol tcp
      type transparent-cache
      no cache-bypass
      ip address 10.176.6.3
      active
  • Page 189
    10.176.11.100
      active
    !**************************** ACL ****************************
    acl 8
      clause 10 permit any any destination any
      apply circuit-(VLAN8)
  • Page 190: Connecting The Device To A Terminal Server

    Connecting the Device to a Terminal Server: The Secure Content Accelerator can be connected to a terminal server, such as the Cisco 2511 Access Server. You will need a standard RJ45-DB9F adapter (CAB-9AS-FDTE, part number 74-0495-01). Attach the RJ45-DB9F adapter to the CONSOLE port of the Secure Content Accelerator.
  • Page 191: Web Site Changes

    SSL servers. Unlike conventional transparent mode, the IP address specified within the configuration will not be used to listen for inbound traffic, but rather only for sending outbound...
  • Page 192
    ECMP (or some other hashing mechanism) is still necessary for proper routing of traffic within the offloading triangle.
  • Page 193: Appendix

    • Editing and Completion Features • Command Hierarchy • Configuration Security • Methods to Manage the Device • Initiating a Management Session • Top Level Command Set • Configuration Command Set...
  • Page 194: Input Data Format Specification

    Items within angle brackets (“<>”) are required information. Items within square brackets (“[]”) are optional information. Items separated by a vertical bar (“|”) are options. You can choose any of them...
  • Page 195: Appendix C Command Summary

    Displays the previous command in the command history CTRL+U Erases characters from the cursor to the beginning of the line CTRL+W Erases the previous word CTRL+Z Leaves current mode and returns to Top Level mode...
  • Page 196 The TAB key can also be used to finish a command if the command is uniquely identified by user input. SCA> show cop[TAB] results in SCA> show copyrights...
  • Page 197: Command Hierarchy

    Secure Content Accelerator device fit into the logical hierarchy shown in Figure C-1. [Figure C-1 Command Hierarchy: diagram of the command-mode tree, not reproduced here]...
  • Page 198: Configuration Security

    Passwords Cisco Secure Content Accelerator devices use two levels of password protection: access- and enable-level. Access-level passwords control who can access the device via telnet and serial connections. Enable-level passwords control who can view the same data available with access-level passwords as well as view sensitive data and configure the device.
  • Page 199: Access Lists

    Caution: All configuration is lost when using the factory default reset password. Methods to Manage the Device You can configure the Cisco Secure Content Accelerator using one of three methods, two of which use the CLI configuration manager. Serial connection, configuration manager •...
  • Page 200 Chapter 3. Brief instructions are also included for initiating a management session using the configuration manager. For instructions on using the telnet and serial console CLI configuration managers, see Chapter 4; for instructions on using the GUI, see Chapter 5...
  • Page 201: Initiating A Management Session

    Enter Privileged and Configuration modes and set the IP address using the following commands. Replace the IP address in the example with the appropriate one. SCA> enable SCA# configure (config[SCA])# ip address 10.1.2.5 (config[SCA])#...
  • Page 202: Telnet

    HOST/PATH/FILENAME using the http://, https://, ftp://, or tftp:// prefix. Telnet After you have assigned an IP address to the Cisco Secure Content Accelerator using the serial connection configuration manager, you can connect to the appliance via telnet. Initiate a telnet session with the IP address previously assigned to the appliance.
  • Page 203: Top Level Command Set

    Availability: Serial, Telnet; FIPS Mode (serial only) Clears the display, leaving only one prompt line. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) enable Enters or leaves Privileged Mode. enable no enable...
  • Page 204: Exit

    Related Commands quit (Non-Privileged Command Set) help Displays help information for the specified command. help [command] Syntax Description command The name of the command...
  • Page 205: Monitor

    Pauses the configuration manager until a key is pressed. paws Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) ping Sends ICMP packets to the specified IP address. ping <ipaddr|name>...
  • Page 206: Quit

    When executed from telnet, the telnet connection is closed. Related Commands exit (Non-Privileged Command Set) set monitor-interval Sets the number of seconds between monitor-prefixed command refreshes. set monitor-interval <value> no set monitor-interval...
  • Page 207: Show Arp

    Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Related Commands show version (Non-Privileged Command Set) show cpu Displays CPU utilization information for the device. show cpu [continuous] [interval <value>]...
  • Page 208: Show Date

    Availability: Serial, Telnet; FIPS Mode (serial only) Related Commands rdate-server (Configuration Command Set) show device Displays information about the device. show device Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) show dns show dns...
  • Page 209: Show Flows

    Displays the last commands executed. show history Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Related Commands show terminal (Top Level Command Set) terminal history (Top Level Command Set)...
  • Page 210: Show Interface

    Displays information for the “Network” interface. server Displays information for the “Server” interface. continuous Displays errors continuously. interval Specifies an interval for display updates. value The interval in seconds...
  • Page 211: Show Interface Statistics

    If a single interface is not specified, statistics are displayed for both interfaces. If continuous is specified, statistics are updated every second. Use the interval option to specify an interval for display updates. Press any key to stop displaying statistics...
  • Page 212: Show Ip Domain-Name

    Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Related Commands ip domain-name (Configuration Command Set) show dns (Non-Privileged Command Set) show ip domain-name (Non-Privileged Command Set)...
  • Page 213: Show Ip Routes

    Displays a list of keepalive-monitor IP addresses for one or more devices. show keepalive-monitor Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) SSL errors from IP addresses specified with the keepalive-monitor command are ignored. Related Commands keepalive-monitor (Configuration Command Set)...
  • Page 214: Show Log

    The zones flag is used to display information for each memory zone. show messages Displays the diagnostic message buffer for the device. show messages Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)...
  • Page 215: Show Netstat

    Availability: Serial, Telnet; FIPS Mode (serial only) Related Commands password (Configuration Set) show password access Displays access password configuration status. show password access Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)...
  • Page 216: Show Password Enable

    Availability: Serial, Telnet; FIPS Mode (serial only). Related Commands password (Configuration Set) show processes Displays information, by thread, about processes running on the device. show processes Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)...
  • Page 217: Show Rdate-Server

    Displays the routing table stored in the device. show route Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Related Commands show ip routes (Top Level Command Set)...
  • Page 218: Show Sessions

    (Configuration Command Set) show sntp-server Displays SNTP-server information for the device. show sntp-server Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) The SNTP server is used for date and time information...
  • Page 219: Show Ssl

    Syntax Description certname The name of the certificate. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) If you do not specify a certificate name, all certificate entity information is displayed...
  • Page 220: Show Ssl Certgroup

    (Non-Privileged Command Set) show ssl key (Non-Privileged Command Set) show ssl secpolicy (Non-Privileged Command Set) show ssl server (Non-Privileged Command Set) show ssl statistics (Non-Privileged Command Set) ssl (Configuration Command Set)...
  • Page 221: Show Ssl Errors

    Error Description: SSL Negotiation Errors: The number of SSL negotiation failures. Total SSL Connections Rejected: The number of SSL connections rejected when the pre-defined limit of connections has been exceeded...
  • Page 222 Generated when reading from a remote server. Broken Connection Read Errors: Generated when reading from a remote server after the remote server has reset the connection...
  • Page 223 "Operation already in progress" "lower error" "I/O error" "Destination host is down" "Unsupported protocol" "Destination network is down" "Destination host unreachable" "Destination network unreachable" "Protocol Family not supported" "Prototype error"...
  • Page 224 "Operation already in progress" "lower error" "I/O error" "Destination host is down" "Unsupported protocol" "Destination network is down" "Destination host unreachable" "Destination network unreachable" "Protocol Family not supported" "Prototype error"...
  • Page 225: Show Ssl Key

    (Non-Privileged Command Set) show ssl secpolicy (Non-Privileged Command Set) show ssl server (Non-Privileged Command Set) show ssl statistics (Non-Privileged Command Set) ssl (Configuration Command Set) See the section “SSL Configuration Command Set”...
  • Page 226: Show Ssl Secpolicy

    See the sections “SSL Configuration Command Set” and “Key Configuration Command Set”. show ssl secpolicy Displays summary data for the specified security policy on the device. show ssl secpolicy [polname] Syntax Description polname The name of the security policy...
  • Page 227: Show Ssl Server

    If you do not specify a secure server name, all secure server information is displayed. Related Commands show ssl (Non-Privileged Command Set) show ssl cert (Non-Privileged Command Set) show ssl certgroup (Non-Privileged Command Set)...
  • Page 228: Show Ssl Session-Stats

    Use the interval keyword to specify an interval for display updates. Press any key to stop displaying information. Table C-5 below presents a description of the items in the output...
  • Page 229: Table C-5 Output Description For Show Ssl Session-Stats

    (All Servers) An SSL session cache miss has occurred. Reuse Attempt on Timed Out Session (All Servers) An SSL session cache (RATS) reuse attempt has occurred for a session id that has timed out...
  • Page 230: Show Ssl Statistics

    (Configuration Command Set) See the section “SSL Configuration Command Set”. show ssl statistics Displays SSL statistics summed over all secure logical servers on the device. show ssl statistics [continuous] [interval <value>]...
  • Page 231: Table C-6 Output Description For Show Ssl Statistics

    The number of SSL connections refused Total SSL Connections Rejected The number of SSL connections rejected when the pre-defined limit of connections has been exceeded Total Connections Accepted The number of client connections accepted...
  • Page 232: Show Ssl Tcp-Tuning

    Keyword indicating all TCP tuning information should be displayed. servername Specifies the server for which TCP tuning parameters should be displayed. defaults Keyword indicating default TCP tuning values should be displayed...
  • Page 233: Show Syslog

    Availability: Serial, Telnet; FIPS Mode (serial only) Use the continuous option to update the information every second. Use the interval option to specify an interval for display updates. Press any key to stop displaying information...
  • Page 234: Show Telnet

    (Non-Privileged Command Set) terminal pager (Non-Privileged Command Set) terminal reset (Non-Privileged Command Set) terminal width (Non-Privileged Command Set) show timezone Displays timezone information for the device. show timezone...
  • Page 235: Show Version

    (Configuration Command Set) web-mgmt port (Configuration Command Set) show telnet (Non-Privileged Command Set) terminal baud Sets the baud for communicating with the Secure Content Accelerator. terminal baud <1200|2400|4800|9600|19200|38400|115200>...
  • Page 236: Terminal History

    The number of commands to store in the history buffer. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Use the no form of the command to disable the history list. The default is 25...
  • Page 237: Terminal Length

    Enables the terminal pager. terminal pager no terminal pager Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Using the no form of the command disables the pager...
  • Page 238: Terminal Reset

    Sets the width of the terminal window. terminal width <width> Syntax Description width The desired width of the terminal window. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)...
  • Page 239: Traceroute

    The number of hops to trace. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) When issued from a serial or telnet connection, the command returns information based upon the device’s hardware...
  • Page 240: Privileged Command Set

    Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Related Commands show ip routes (Non-Privileged Command Set) show routes (Non-Privileged Command Set) ip route (Configuration Command Set)...
  • Page 241: Clear Ip Statistics

    Use the show sessions command to display the open management sessions. Related Commands show sessions (Non-Privileged Command Set) clear log Clears diagnostics message buffer. clear log Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)...
  • Page 242: Clear Messages

    (Non-Privileged Command Set) show ssl statistics (Non-Privileged Command Set) clear ssl statistics Resets all SSL statistics for the device. clear ssl statistics Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)...
  • Page 243: Configure

    (Privileged Command Set) copy startup-configuration (Privileged Command Set) copy startup-configuration running configuration (Privileged Command Set) copy to running-configuration (Privileged Command Set) copy to startup-configuration (Privileged Command Set)...
  • Page 244: Copy Running-Configuration Startup-Configuration

    (Privileged Command Set) copy running-configuration startup-configuration (Privileged Command Set) copy startup-configuration running configuration (Privileged Command Set) copy to running-configuration (Privileged Command Set) copy to startup-configuration (Privileged Command Set)...
  • Page 245: Copy Startup-Configuration Running-Configuration

    (Privileged Command Set) copy to running-configuration (Privileged Command Set) copy to startup-configuration (Privileged Command Set) copy to flash Uploads a Cisco Secure Content Accelerator image file to the device flash. copy to flash [url] Syntax Description The URL of the file.
  • Page 246: Copy To Running-Configuration

    [url] Syntax Description The URL of the file. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) If you do not specify a URL, you are prompted for it...
  • Page 247: Disable

    Availability: Serial, Telnet Related Commands copy running-configuration (Privileged Command Set) copy to running-configuration (Privileged Command Set) erase startup-configuration (Privileged Command Set) erase startup-configuration Erases the startup-configuration on the device. erase startup-configuration...
  • Page 248: Fips Enable

    Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Note: When using the quick-start command in FIPS Mode to create a server, only the FIPS and weak security policies are available...
  • Page 249: Refresh

    The access list identifier. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) If you do not specify an access list id, information for all access lists is displayed...
  • Page 250: Show Diagnostic-Report

    Related Commands show device (Non-Privileged Command Set) show memory (Non-Privileged Command Set) show memory zones (Non-Privileged Command Set) show netstat (Non-Privileged Command Set) show processes (Non-Privileged Command Set)...
  • Page 251: Show Running-Configuration

    (Privileged Command Set) show startup-configuration (Privileged Command Set) show snmp Displays SNMP configuration information for the device. show snmp Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)...
  • Page 252: Show Startup-Configuration

    (Privileged Command Set) copy startup-configuration (Privileged Command Set) copy startup-configuration running-configuration (Privileged Command Set) copy to flash (Privileged Command Set) erase start-up-configuration (Privileged Command Set) show running-configuration (Privileged Command Set)...
  • Page 253: Write Flash

    (Privileged Command Set) copy startup-configuration (Privileged Command Set) copy startup-configuration running-configuration (Privileged Command Set) copy to flash (Privileged Command Set) erase startup-configuration (Privileged Command Set) show running-configuration (Privileged Command Set)...
  • Page 254: Write Messages

    Related Commands copy running-configuration startup-configuration (Privileged Command Set) copy startup-configuration running-configuration (Privileged Command Set) copy to running-configuration (Privileged Command Set) erase running-configuration (Privileged Command Set) show running-configuration (Privileged Command Set)...
  • Page 255: Write Terminal

    Appendix C Command Summary Top Level Command Set write terminal Displays the running-configuration of the device. write terminal Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)...
  • Page 256: Configuration Command Set

    To activate the access list, you must also use the remote-management access-list, snmp access-list, telnet access-list, or web-mgmt access-list commands. A device can have up to 999 configured access lists...
  • Page 257: Clock

    (Privileged Command Set) snmp access-list (Configuration Command Set) telnet access-list (Configuration Command Set) web-mgmt access-list (Configuration Command Set) clock Allows the administrator to set the date or time. clock <date|time>...
  • Page 258: End

    Leaves Configuration Mode and returns to Privileged Mode. exit Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) finished Leaves Configuration Mode and returns to Top Level mode. finished...
  • Page 259: Help

    Use the no form of the command to clear the hostname of the current device. Note: The command prompt reflects the new name the next time Configuration mode is entered...
  • Page 260: Interface

    <<ipaddr> [netmask <netmask>]>|<ipaddr/netabbr>> no ip address Syntax Description ipaddr The IP address to assign to the device. netmask <netmask> The netmask for the device. netabbr The netmask abbreviation...
  • Page 261: Ip Domain-Name

    (Configuration Command Set) ip name-server Sets the one or more name servers to use with the device. ip name-server <ipaddr> Syntax Description ipaddr The IP address of the Domain Name Server...
  • Page 262: Ip Route

    Use the no form of the command to delete the specified static route entry from the device’s routing table. Related Commands show ip routes (Non-Privileged Command Set) show route (Non-Privileged Command Set)...
  • Page 263: Ip Route Default

    The source IP address from which SSL errors are to be ignored. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Up to two IP addresses, set individually, are allowed. Related Commands show keepalive-monitor (Non-Privileged Command Set)...
  • Page 264: Mode One-Port

    Sets the access- or enable-level password for the current device or sets the idle timeout period. password <access | enable | idle-timeout <minutes>> no password <access | enable> no password idle-timeout...
  • Page 265: Rdate-Server

    Specifies an RDATE-protocol server to be used for date and time information on the device. rdate-server <ipaddr> no rdate-server Syntax Description ipaddr The IP address of the RDATE server. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)...
  • Page 266: Registration-Code

    Enables Routing Information Protocol (RIP) for the current device. rip [v1|v2] no rip [v1|v2] Syntax Description v1 Specifies RIP v1. v2 Specifies RIP v2. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)...
  • Page 267: No Snmp

    (Non-Privileged Command Set) snmp access-list (Non-Privileged Command Set) snmp contact (Configuration Command Set) snmp default community (Configuration Command Set) snmp enable (Configuration Command Set) snmp location (Configuration Command Set)...
  • Page 268: Snmp Access-List

    (Configuration Command Set) snmp trap-host (Configuration Command Set) snmp trap-type enterprise (Configuration Command Set) snmp trap-type generic (Configuration Command Set) telnet access-list (Configuration Command Set) web-mgmt access-list (Configuration Command Set)...
  • Page 269: Snmp Contact

    (Configuration Command Set) snmp default community Assigns a default community for the SNMP subsystem to use when sending trapping information. snmp default community <comName> no snmp default community...
  • Page 270: Snmp Enable

    Availability: Serial, Telnet; FIPS Mode (serial only) Use the no form of the command to disable SNMP without clearing SNMP data. Note: The device must be rebooted (reloaded) before this command takes effect...
  • Page 271: Snmp Location

    (Configuration Command Set) snmp default community (Configuration Command Set) snmp enable (Configuration Command Set) snmp trap-host (Configuration Command Set) snmp trap-type enterprise (Configuration Command Set) snmp trap-type generic (Configuration Command Set)...
  • Page 272: Snmp Trap-Host

    (Configuration Command Set) snmp default community (Configuration Command Set) snmp enable (Configuration Command Set) snmp location (Configuration Command Set) snmp trap-type enterprise (Configuration Command Set) snmp trap-type generic (Configuration Command Set)...
  • Page 273: Snmp Trap-Type Enterprise

    Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)...
  • Page 274: Snmp Trap-Type Generic

    Enables generic SNMP traps. snmp trap-type generic no snmp trap-type generic Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Use the no form of the command to disable generic SNMP traps...
  • Page 275: Sntp Interval

    Related Commands show device (Non-Privileged Command Set) show sntp (Non-Privileged Command Set) sntp server (Configuration Command Set) write terminal (Privileged Command Set)...
  • Page 276: Sntp Server

    Related Commands show device (Non-Privileged Command Set) show sntp (Non-Privileged Command Set) sntp interval (Configuration Command Set) write terminal (Privileged Command Set) Enters SSL Configuration mode for the current device...
  • Page 277: Syslog

    Keyword indicating a specific syslog facility should be used. facilityid A numeral (from 0 to 7, inclusive) specifying the syslog facility to be used. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)...
  • Page 278: Telnet Access-List

    Availability: Serial, Telnet Use the no form of the command to remove the specified access list. The access list still exists but is no longer used by the telnet subsystem...
  • Page 279: Telnet Enable

    The TCP service port to be used to manage the current device via a telnet session. default Keyword indicating that the telnet service port be returned to the default of 23...
  • Page 280: Timezone

    GMT offset integer is not. Related Commands show date (Non-Privileged Command Set) web-mgmt access-list Assigns an existing access list to be used with web browser-based management requests. web-mgmt access-list <id> no web-mgmt access-list <id>...
  • Page 281: Web-Mgmt Enable

    Use the no form of the command to disable web browser-based management access. Related Commands show web-management (Non-Privileged Command Set) web-mgmt access-list (Configuration Command Set) web-mgmt port (Configuration Command Set)...
  • Page 282: Web-Mgmt Port

    The port assignment is used at the next Web management connection attempt. Related Commands access-list (Configuration Command Set) show web-management (Non-Privileged Command Set) web-mgmt access-list (Configuration Command Set) web-mgmt enable (Configuration Command Set)...
  • Page 283: Interface Configuration Command Set

    Sets the current interface to full duplex. half Sets the current interface to half duplex. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Exits Interface Configuration mode and returns to Configuration mode...
  • Page 284: Finished

    Forces the speed of the current Ethernet interface to 10 Mbps or 100 Mbps. speed <10|100> Syntax Description 10 Sets the current interface speed to 10 Mbps. 100 Sets the current interface speed to 100 Mbps. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
  • Page 285: Ssl Configuration Command Set

    15 characters. Related Commands show ssl (Non-Privileged Command Set) show ssl server (Non-Privileged Command Set) See the section “Backend Server Configuration Command Set”.
  • Page 286: Cert

    The following example creates a certificate object named myCert and enters Certificate Configuration mode for the certificate object myCert. cert myCert create Related Commands show ssl cert (Non-Privileged Command Set) See the section “Certificate Configuration Command Set”.
  • Page 287: Certgroup

    The following example creates a certificate group object named myCertGroup and enters Certificate Group Configuration mode for certificate group myCertGroup. certgroup myCertGroup create Related Commands show ssl certgroup (Top Level Command Set) See the section “Certificate Group Configuration Command Set”.
  • Page 288: End

    Leaves SSL Configuration Mode and returns to Top Level mode. finished Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) gencsr Generates a certificate signing request and/or self-signed certificate. gencsr <key <keyname>> [newhdr] [digest md5|sha1] [output <filename|url>]
  • Page 289: Help

    Related Commands See the section “Key Configuration Command Set”. help Displays help information for the specified command. help [command] Syntax Description command The name of the command.
  • Page 290: Import Pkcs12

    <name> <der|pem> [prefix <prefixText>] |url]] Syntax Description name The user-defined name of the certificate group object. der Indicates the file is DER-encoded. pem Indicates the file is PEM-encoded.
  • Page 291: Key

    Key names can consist of Arabic numerals and upper- and lowercase alphabetic, underscore (_), hyphen (-), and period (.) characters. Key names must begin with an alphabetic character or underscore and have a limit of 15 characters.
  • Page 292: Reverse-Proxy-Server

    Arabic numerals and upper- and lowercase alphabetic, underscore (_), hyphen (-), and period (.) characters. Reverse-proxy server names must begin with an alphabetic character or underscore and have a limit of 15 characters.
  • Page 293: Secpolicy

    The following example creates a security policy named mypolicy and enters Security Policy Configuration mode for the security policy mypolicy. secpolicy mypolicy create Related Commands show ssl secpolicy (Non-Privileged Command Set) See the section “Security Policy Configuration Command Set”.
  • Page 294: Server

    15 characters. Related Commands show ssl server (Non-Privileged Command Set) See the section “Server Configuration Command Set”. tcp-tuning Enters TCP Tuning Configuration mode at the global level. tcp-tuning no tcp-tuning
  • Page 295 Availability: Serial, Telnet; FIPS Mode (serial only) The no form of the command is used to return all TCP tuning values to factory default. Related Commands See the section “TCP Tuning Configuration Command Set”.
  • Page 296: Backend Server Configuration Command Set

    The no form of the command is used to disable server authentication using the certificate group. When using the no form of the command, you need not specify any certificate group name. Only one certificate group can be used.
  • Page 297: End

    Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) finished Leaves Backend Server Configuration Mode and returns to Top Level mode. finished Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
  • Page 298: Help

    Sets the specified IP address for the backend server. ip address <ipaddr> [netmask <mask>] no ip address Syntax Description ipaddr The IP address to assign to the backend server. netmask <mask> The netmask valid for the IP address.
  • Page 299: Keepalive Enable

    1 to 255 seconds (inclusive); the default is 5 seconds. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Related Commands keepalive enable (Backend Server Configuration Command Set) keepalive maxfailure (Backend Server Configuration Command Set)
  • Page 300: Keepalive Maxfailure

    Availability: Serial, Telnet; FIPS Mode (serial only) Caution Traffic sent on this TCP service port is not secured by SSL during transmission to the server. It must be secured by another means.
  • Page 301: Log-Url

    Specifies the TCP service port through which redirected secure connections are sent. remoteport <port|default> Syntax Description port The port used to transfer secure traffic. default Sets the port specification to 443.
  • Page 302: Secpolicy

    Related Commands secpolicy (SSL Configuration Command Set) show ssl secpolicy (Non-Privileged Command Set) See the section “Security Policy Configuration Command Set”.
  • Page 303: Serverauth Domain-Name

    Availability: Serial, Telnet; FIPS Mode (serial only) Using the no form of the command disables server certificate authentication. Related Commands certgroup serverauth (Backend Server Configuration Command Set) serverauth ignore (Backend Server Configuration Command Set)
  • Page 304: Serverauth Ignore

    Related Commands certgroup serverauth (Backend Server Configuration Command Set) serverauth enable (Backend Server Configuration Command Set) session-cache enable Enables session caching. session-cache enable no session-cache enable
  • Page 305: Session-Cache Size

    (Backend Server Configuration Mode) session-cache timeout Specifies the session cache length before being timed out. session-cache timeout <seconds> Syntax Description seconds Specifies the number of seconds before the cache times out.
  • Page 306: Sslv2 Enable

    Using the no form of the command disables SSL version 3 protocols. You cannot disable SSL version 2 and 3 and TLS protocols. This command is not available in FIPS mode.
  • Page 307: Suspend

    Related Commands activate (Backend Server Configuration Mode) tcp-tuning Enters TCP Tuning Configuration mode for this server. tcp-tuning
  • Page 308: Tlsv1 Enable

    When transparent proxy behavior is disabled, the device accepts connections on the IP address of the Secure Content Accelerator rather than on the server address. The no form of the command is used to disable this behavior.
  • Page 309: Urlrewrite

    URL rewrite information can be displayed by using the command show ssl server. Related Commands show ssl server (Non-Privileged Command Set)
  • Page 310: Certificate Configuration Command Set

    [url] Syntax Description url The location of the file. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) If you do not enter the URL, you are prompted for it.
  • Page 311: End

    Leaves Certificate Configuration Mode and returns to Top Level mode. finished Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) help Displays help information for the specified command. help [command] Syntax Description command The name of the command.
  • Page 312: Pem-Paste

    If you do not enter the file name or URL, you are prompted for it. Related Commands pem-paste (Certificate Configuration Command Set) pem-paste Allows a PEM-encoded X.509 certificate to be pasted into the configuration manager. pem-paste
  • Page 313 You can use a text editor to copy the certificate from a file. After the certificate is pasted, you must press Enter twice to complete the command. If a password is required, you are prompted for it. Related Commands pem (Certificate Configuration Command Set)
  • Page 314: Certificate Group Configuration Command Set

    See the section “Certificate Configuration Command Set”. Exits Certificate Group Configuration mode, activates all changes, and returns to SSL Configuration mode. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
  • Page 315: Exit

    The name of the command. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) If you do not specify a command, help information is displayed for all Certificate Group Commands.
  • Page 316: Info

    Appendix C Command Summary Configuration Command Set info Displays current information about the certificate group being created or edited. info Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
  • Page 317: Key Configuration Command Set

    Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) If you do not enter the URL, you are prompted for it. If a password is required, you are prompted for it.
  • Page 318: End

    Leaves Key Configuration Mode and returns to Top Level mode. finished Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) genrsa Generates an RSA key. genrsa [bits <512|1024>] [encrypt <des|des3>] [seed <seedstring>] [output <filename|url>]
  • Page 319: Help

    PEM-encoded file named mykey.pem. genrsa bits 1024 encrypt des seed lemon output mykey.pem help Displays help information for the specified command. help [command] Syntax Description command The name of the command.
  • Page 320: Info

    If you do not enter the URL, you are prompted for it. If a password is required, you are prompted for it. pem Loads a PEM-encoded X.509 private key into the key entry. pem [url] Syntax Description url The location of the file.
  • Page 321: Pem-Paste

    You can use a text editor to copy the key from a file. After the key is pasted, you must press Enter twice to complete the command. If a password is required, you are prompted for it.
  • Page 322: Reverse-Proxy Server Configuration Command Set

    (Reverse-Proxy Server Configuration Command Set) certgroup serverauth Assigns a certificate group to be used for server certificate authentication. certgroup serverauth <certgroupname> no certgroup serverauth Syntax Description certgroupname The name of the certificate group.
  • Page 323: End

    Availability: Serial, Telnet; FIPS Mode (serial only) exit Exits Reverse-Proxy Server Configuration mode, activates all changes, and returns to SSL Configuration mode. exit Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
  • Page 324: Finished

    If you do not specify a command, help information is displayed for all Reverse-Proxy Server Configuration Commands. info Displays current information about the reverse-proxy server being edited or created. info Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
  • Page 325: Localport

    Availability: Serial, Telnet; FIPS Mode (serial only) Use the no form of the command to remove the specified log-url server from the list. Only one log-url server can be configured.
  • Page 326: Secpolicy

    Related Commands secpolicy (SSL Configuration Command Set) show ssl secpolicy (Non-Privileged Command Set) See the section “Security Policy Configuration Command Set”.
  • Page 327: Serverauth Enable

    Ignore errors caused by using the certificate before it is valid. invalid-ca Ignore errors caused by an unrecognized CA. domain-name Ignore errors due to an invalid domain name. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
  • Page 328: Session-Cache Enable

    The number of cached sessions. The default is 1024. The acceptable range is 1 to 76,800 (SCA) or 1 to 307,200 (SCA2). Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
  • Page 329: Session-Cache Timeout

    SSL version 2 and 3 and TLS protocols. This command is not available in FIPS mode. Related Commands sslv3 enable (Reverse-Proxy Server Configuration Command Set) tlsv1 enable (Reverse-Proxy Server Configuration Command Set)
  • Page 330: Sslv3 Enable

    If you are editing an existing reverse-proxy server and you use the suspend command alone, all open connections on the server are finished, and no new connections are accepted. No connections are accepted until the activate command is used.
  • Page 331: Tcp-Tuning

    SSL version 2 and 3 and TLS protocols. The command no tlsv1 enable is not available in FIPS mode. Related Commands sslv2 enable (Reverse-Proxy Server Configuration Command Set) sslv3 enable (Reverse-Proxy Server Configuration Command Set)
  • Page 332: Urlrewrite

    URL rewrite information can be displayed by using the command show ssl server. Related Commands show ssl server (Non-Privileged Command Set)
  • Page 333: Security Policy Configuration Command Set

    Cryptographic Scheme   Encryption   Authentication   Exchange     Assignments
    ARC4-MD5               ARC4 (128)   MD5              RSA (1024)   strong, default, all
    ARC4-SHA               ARC4 (128)   SHA1             RSA (1024)   strong, default, all
    DES-CBC3-MD5           3DES (168)   MD5              RSA (1024)   strong, all
  • Page 334 If you enter crypto weak and no crypto NULL-MD5 commands, the NULL-MD5 cryptography scheme is removed from the current security policy.
  • Page 335: End

    Availability: Serial, Telnet; FIPS Mode (serial only) exit Exits Security Policy Configuration mode, activates all changes, and returns to SSL Configuration mode. exit Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
  • Page 336: Finished

    If you do not specify a command, help information is displayed for all Security Policy Configuration Commands. info Displays current information about the security policy being edited or created. info Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
  • Page 337: Server Configuration Command Set

    The name of the certificate. default The pre-loaded default certificate. default-1024 The pre-loaded 1024-bit default certificate. default-512 The pre-loaded 512-bit default certificate. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
  • Page 338: Certgroup Chain

    Only one certificate chain is allowed. Related Commands certgroup (SSL Configuration Command Set) show ssl certgroup (Non-Privileged Command Set) See also “Certificate Group Configuration Command Set”.
  • Page 339: Certgroup Clientauth

    Enables client certificate authentication. clientauth enable no clientauth enable Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Use the no form of the command to disable client certificate authentication.
  • Page 340: Clientauth Error

    HTML error page listing the reason for the error. Then the SSL session is disconnected. ignore The server silently ignores the authentication error and continues the SSL connection.
  • Page 341: Clientauth Verifydepth

    Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Related Commands certgroup clientauth (Server Configuration Command Set) clientauth enable (Server Configuration Command Set) clientauth error (Server Configuration Command Set)
  • Page 342: End

    HTML page specified by the url argument. The SSL session is disconnected. url The location of the error page for redirection. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) The default behavior is failhtml.
  • Page 343: Ephrsa

    Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) finished Leaves Server Configuration Mode and returns to Top Level mode. finished Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
  • Page 344: Help

    Adds the server certificate to the HTTP stream. pre-filter Pre-filters the client header. prefix Allows a prefix string to be added to the HTTP stream. This text must be entered within quotes.
  • Page 345: Info

    Syntax Description ipaddr The IP address to assign to the secure server. netmask <mask> The netmask valid for the IP address. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
  • Page 346: Keepalive Enable

    1 to 255 seconds (inclusive); the default is 5 seconds. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Related Commands keepalive enable (Server Configuration Command Set) keepalive maxfailure (Server Configuration Command Set)
  • Page 347: Keepalive Maxfailure

    Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Only one key is allowed per server. If you enter this command with a different key, that reference replaces the earlier one.
  • Page 348: Localport

    Related Commands remoteport (Server Configuration Command Set) sslport (Server Configuration Command Set) log-url Specifies a host for logging of URL requests. log-url <ipaddr> [port <portid>] [facility <facilityid>] no log-url <ipaddr>
  • Page 349: Remoteport

    It must be secured by another means. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Related Commands localport (Server Configuration Command Set) sslport (Server Configuration Command Set)
  • Page 350: Secpolicy

    Related Commands secpolicy (SSL Configuration Command Set) show ssl secpolicy (Non-Privileged Command Set) See the section “Security Policy Configuration Command Set”. session-cache enable Enables session caching.
  • Page 351: Session-Cache Size

    Availability: Serial, Telnet; FIPS Mode (serial only) Related Commands session-cache enable (Server Configuration Mode) session-cache timeout (Server Configuration Mode) session-cache timeout Specifies the session cache length before being timed out. session-cache timeout <seconds>
  • Page 352: Sharedcipher Error

    HTML page specified by the url argument. The SSL session is disconnected. url The location of the error page for redirection. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) The default behavior is failhtml.
  • Page 353: Sslport

    Using the no form of the command disables SSL version 2 protocols. You cannot disable SSL version 2 and 3 and TLS protocols. This command is not available in FIPS mode.
  • Page 354: Sslv3 Enable

    Related Commands sslv2 enable (Server Configuration Command Set) tlsv1 enable (Server Configuration Command Set) suspend Suspends the function of the server. suspend [now] Syntax Description now Suspends actions of the server immediately.
  • Page 355: Tcp-Tuning

    Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Related Commands See the section “TCP Tuning Configuration Command Set”. tlsv1 enable Enables TLS version 1 protocols. tlsv1 enable no tlsv1 enable
  • Page 356: Transparent

    The device listens on the hardware server’s IP address for incoming client connections and uses the client’s IP address for connecting to the hardware server. This is the default behavior.
  • Page 357: Urlrewrite

    An * (asterisk) wild card character can be used to specify more than one server in a single domain, e.g., “*.company.com”. Up to 32 URL rewrite rules can be configured. Use the no form of the command to clear the specified rule. If more
  • Page 358 URL rewrite information can be displayed by using the command show ssl server. Related Commands show ssl server (Non-Privileged Command Set)
  • Page 359: Tcp Tuning Configuration Command Set

    The number of seconds a segment can exist on the network before being discarded; the valid range is from 5 to 300 seconds (inclusive). default The factory default. At the time of publication, the factory default is 5 seconds.
  • Page 360: Delay-Ack

    If no global settings exist for a parameter, the factory default parameter is used instead. See RFC 1122.
  • Page 361: Finwt2Time

    The number of seconds to keep a TCP connection open without active traffic; the valid range is from 0 to 65535 seconds (inclusive). default The factory default. At the time of publication, the factory default is 60 seconds.
  • Page 362: Keepalive-Cnt

    If no global settings exist for a parameter, the factory default parameter is used instead. See RFC 1122. Related Commands keepalive (TCP Tuning Configuration Command Set) keepalive-intv (TCP Tuning Configuration Command Set)
  • Page 363: Keepalive-Intv

    The number of keepalives that are sent; the valid range is from 1 to 65535 (inclusive). default The factory default. At the time of publication, the factory default is 12.
  • Page 364: Maxrt

    Use the no form of the command to return the maxrt to the global value. If no global settings exist for a parameter, the factory default parameter is used instead. maxseg Specifies the maximum TCP segment size. maxseg <bytes|default> no maxseg
  • Page 365: Mtu

    If no global settings exist for a parameter, the factory default parameter is used instead. See RFC 894. Note This parameter can only be set at the global level.
  • Page 366: Nodelay

    See RFC 896. nopush Controls whether data is sent if the segment size (maxseg) is not full. nopush <0|1|on|off|default> no nopush Syntax Description 0 nopush is disabled. 1 nopush is enabled. on nopush is enabled.
  • Page 367: Probe-Max

    30000 to 65535 milliseconds (inclusive). default The factory default. At the time of publication, the factory default is 60000 milliseconds. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
  • Page 368: Probe-Min

    Use the no form of the command to return the probe-min to the global value. If no global settings exist for a parameter, the factory default parameter is used instead. Related Commands probe-max (TCP Tuning Configuration Command Set)
  • Page 369: Push-All

    Related Commands nopush (TCP Tuning Configuration Command Set) rto-def Specifies the default retransmission timeout. rto-def <milliseconds|default> no rto-def
  • Page 370: Rto-Max

    65535 milliseconds (inclusive). default The factory default. At the time of publication, the factory default is 64000 milliseconds. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
  • Page 371: Rto-Min

    If no global settings exist for a parameter, the factory default parameter is used instead. See RFC 1122 and RFC 2988. Related Commands rto-def (TCP Tuning Configuration Command Set) rto-max (TCP Tuning Configuration Command Set)
  • Page 372: Slow-Start

    See RFC 2001 and RFC 2581. stdurg Controls the octet pointed to by the urgent pointer. stdurg <0|1|on|off|default> no stdurg
  • Page 373 Syntax Description 0 Time stamping is disabled. 1 Time stamping is enabled. on Time stamping is enabled. off Time stamping is disabled. default 1 (on); time stamping is enabled. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
  • Page 374: Wnd-Scale

    Use the no form of the command to return the ts to the global value. If no global settings exist for a parameter, the factory default parameter is used instead. See RFC 1323.
  • Page 375: Appendix

    ) in the console. The >> prompt displayed when the device has failed any self-tests is self-test failure>>. This appendix contains the following sections:
    • Text Conventions
    • Getting Help
    • Examples
    • Command Set
  • Page 376: Appendix D Minimax Command Summary

    Though a command string may be displayed on multiple lines in this guide, it must be entered on a single line with no returns except at the end of the complete command.
  • Page 377: Getting Help

    Help for individual commands having arguments is available by partially typing the command and pressing Enter. An example is below.
    >>ip
    ip what?
    address -- assign an ip address
    route -- assign default route
    >>
  • Page 378: Examples

    Check the environment by entering the following command. An example of the associated response is included.
    >>env
    cbaud=9600
    autoboot=N
    autorun=N
    verbose=false
    netaddr=10.1.2.5
    netmask=255.255.255.0
    gwaddr=10.1.2.254
    bootfile=/flash/maxos.bz2
    TZ=GMT10DST
    TERM=ansi
    FIPS_MODE=0
    COLUMNS=80
    ROWS=25
    bootdevice=/flash/maxos.bz2
    build=200208160004
    version=4.1.0
  • Page 379: Installing A Maxos Image (Netcat

    Using the command console, change the active directory to the one where Netcat and the image file are located. Enter the following command, substituting the IP address of the SSL device. nc -w 5 10.5.162.105 11768 <css-sca-2fe-k9.phz
  • Page 380: Installing A Maxos Image (Xmodem)

    3. Enter the do command at the MiniMax prompt. The following is displayed.
    >>do
    >> Downloading SSSS
    Note The "S" is actually a non-ASCII character sent to the screen while MiniMax is waiting for the file to be sent.
  • Page 381: Extracting A Device Configuration

    MiniMax, you can list the contents of the configuration file for capture. Set up the terminal emulation program to capture text. Enter the following command to list the configuration to the window.
    >> cat /flash/startup-config
  • Page 382: Resetting The Environment To Factory Defaults

    Enter resetenv to return the device to factory settings.
    Note You are not prompted to continue. The process begins once you have typed the command and pressed Enter.
  • Page 383 Check the environment again by entering the following command. An example of the associated response is included.
    >>env
    cbaud=9600
    autoboot=N
    autorun=N
    verbose=false
    netaddr=192.0.2.254
    netmask=255.255.255.0
    gwaddr=
    bootfile=/flash/maxos.bz2
    TZ=GMT10DST
    TERM=ansi
    FIPS_MODE=0
    COLUMNS=80
    ROWS=25
  • Page 384: Command Set

    The new baud for the connection.
    boot
    Boots the device with the current flash image.
    boot
    cat
    Lists the specified file to the terminal.
    cat <filename>
    Syntax Description
    filename  The path and filename to list.
  • Page 385: Eaddr

    Option indicating that interface speed will be configured.
    Option indicating the specified Ethernet interface(s) should be configured as 10Mbit/sec.
    Option indicating the specified Ethernet interface(s) should be configured as 100Mbit/sec.
  • Page 386: Env

    The example below shows how to set the last three octets of the MAC addresses of both interfaces, beginning with the address specified.
    >> eaddr -ib 010000
    env
    Prints the nvram environment to the console.
  • Page 387: Help

    Keywords identifying the address to change.
    ipaddr  The new IP address.
    maskbits  The numeral indicating the appropriate mask to use; this netmask shortcut is used only with the address keyword.
  • Page 388: Netstat

    Displays open file descriptors and sockets on the device.
    netstat
    printenv
    Prints the nvram environment to the console.
    printenv
    rdate-server
    Assigns an RDATE server.
    rdate-server <ipaddr>
    Syntax Description
    ipaddr  The IP address of the RDATE server to use.
  • Page 389: Reboot

    Deletes a file from the flash file directory.
    rm <filename>
    Syntax Description
    filename  The name of the file to delete.
    Related Commands
    sbridge
    Connects the specified Ethernet port and starts the bridge.
    sbridge [network|server]
  • Page 390: Show

    Specifies file download information is to be displayed.
    Specifies ARP information is to be displayed.
    route  Specifies route information is to be displayed.
    Usage Guidelines
    If no system is specified, a help message is displayed.
  • Page 391: Version

    version
    Displays firmware version information.
    version
    Processes a downloaded image file, if available, and copies it to the flash.
  • Page 393: Appendix

    Appendix Troubleshooting. This appendix provides general troubleshooting information for the Secure Content Accelerator. This appendix contains the section “Troubleshooting the Hardware”.
  • Page 394: Troubleshooting The Hardware

    SSL device and other networking hardware agree. Using the CLI, enter the show interface command to display the settings for the appliance Ethernet interfaces. Make sure you have a valid networking topology.
  • Page 395 Use a serial management session to connect to the device.
    Symptom: The serial console displays either >> or self-test failure>>.
    Explanation: A serious error has occurred. Please see Appendix D, “MiniMax Command Summary” for more information.
  • Page 396 “Returning to Normal Operation” in Chapter 6 for more information.
    Symptom: Few security policies are available when configuring servers.
    Explanation: The device is operating in FIPS Mode. Only security policies containing FIPS 140-2-compliant algorithms are available in FIPS Mode.
  • Page 397 exit the configuration mode.
    Explanation: The device might be operating in FIPS Mode. Only servers configured with FIPS 140-2-compliant algorithms are available to traffic. The assigned security policy must contain at least one FIPS-compliant algorithm.
  • Page 398: Figure E-1 Troubleshooting Flowchart

    [Figure E-1 Troubleshooting Flowchart: decision steps covering whether the serial connection is responsive (RMA unit if faulty), whether the 1- or 2-port operation mode is set correctly (set intended mode and reload device), and whether the network settings are correct (configure network settings); continues to the next flowchart.]
  • Page 399: Figure E-2 Troubleshooting Flowchart

    Does "show localport and netstat" display transparency proper listening settings; reload if sockets? necessary Is the proxy Continue with set to transparent next flowchart operation? Refer to the Configuration Guide Deployment section Cisco 11000 Series Secure Content Accelerator Configuration Guide 78-13124-05...
  • Page 400: Figure E-3 Troubleshooting Flowchart

    [Figure E-3 Troubleshooting Flowchart: decision steps covering whether any firewalls or ACLs are in place (eliminate ACLs or filters preventing access), verifying suite operability or using a different client, and whether the device operates as expected (continue with configuration and operation as desired).]
  • Page 401: Appendix

    • Introduction to SSL
    • Port Blocking Mechanism
    • Before You Begin
    • Using Existing Keys and Certificates
    • Configuration Security
    • Cisco SSL Configuration Components
    • Cisco Secure Content Accelerator Management
  • Page 402: Introduction To Ssl

    You can configure the Cisco Secure Content Accelerator using either the GUI or CLI, or through the QuickStart wizard (available through both the CLI and GUI).
  • Page 403: Figure F-1 Port Blocking

    TCP service port 80 for both basic HTTP connections and for transfer of decrypted secure data between the devices and the server. Below are some alternatives for this scenario.
  • Page 404: Before You Begin

    When prompted either to name a key or certificate file or check the name of a key or certificate file, please ensure the names follow these conventions.
  • Page 405: Apache Mod_Ssl

    Click Copy to file. The Certificate Manager Export Wizard opens.
    Click Next.
    Select the DER-encoded binary X.509 radio button.
    Click Next.
    Specify a file name and location.
    Click Next.
    Click Finish.
  • Page 406: IIS 5 On Windows 2000

    Right-click the Web site object and click Properties in the shortcut menu.
    Click the Directory Security tab.
    Click View Certificate in the Secure Communications panel. The Certificate Viewer appears.
    Click the Details tab.
  • Page 407: Configuration Security

    Passwords Cisco Secure Content Accelerator devices use two levels of password protection: access- and enable-level. Access-level passwords control who can access the device via telnet and serial connections. Enable-level passwords control who can view the same data available with access-level passwords as well as view sensitive data and configure the device.
  • Page 408: Access Lists

    • An associated key specifying the public/private key pair to use
    • A single certificate or certificate group to use
    • A security policy specifying the cryptographic scheme(s) to use
  • Page 409: Real Server Ip Addresses

    X.509 files, IIS4 backup format (NET-IIS), PKCS#12 files, and PKCS#7 certificate groups. Step-Up Certificates and Server-Gated Cryptography Cisco Secure Content Accelerator devices support both Netscape International Step-Up Certificates and Microsoft Server-Gated Cryptography. No special configuration is needed for the device to function properly with these certificates.
  • Page 410: Security Policies

    GUI. Security Policies Cisco Secure Content Accelerator can process a wide range of single and composite cryptography schemes. The following table shows a comparison of the individual schemes. If you configure the device to use the weak security policy, all schemes marked as “weak”...
  • Page 411
    NULL-MD5  None  None  weak, default, all
    NULL-SHA  None  SHA1  None  weak, default, all
    ARC4 is compatible with RC4™ RSA Data Security.
    2 ARC2 is compatible with RC2™ RSA Data Security.
  • Page 412: Cisco Secure Content Accelerator Management

    Cisco Secure Content Accelerator Management You can configure the Cisco Secure Content Accelerator using one of three methods, two of which use the CLI configuration manager.
    • Serial connection, configuration manager
  • Page 413 For instructions on using telnet or serial console CLI configuration managers, see Chapter 4; for instructions on using the GUI, see Chapter 5. To use the Secure Content Accelerator in FIPS-compliant operation mode, see Chapter 6.
  • Page 415: Appendix

    Accelerator. This appendix includes the following sections:
    • Regulatory Standards Compliance
    • Canadian Radio Frequency Emissions Statement
    • FCC Class A
    • CISPR 22 (EN 55022) Class A
    • VCCI
  • Page 416: Regulatory Standards Compliance

    • Canadian Radio Frequency Emissions Statement This Class A digital apparatus complies with Canadian ICES-003. Cet appareil numérique de la classe A est conforme à la norme NMB-003 du Canada.
  • Page 417: Fcc Class A

    To maintain compliance with the limits of a Class A digital device, Cisco requires that you use quality interface cables when connecting to this device. During testing for certification Category 5 cables were used.
  • Page 418: Cispr 22 (En 55022) Class A

    Warning This is a class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.
    VCCI
  • Page 419 Flash memory  Memory area in which device configuration may be saved; configuration information not stored in the flash memory is lost during a power cycle or when the device is rebooted or reloaded.
  • Page 420 Remote Port  The user-specified non-secure TCP port used by the Cisco Secure Content Accelerator to send decrypted data to and receive data to be encrypted from the logical secure server.
  • Page 421 Simple Network Management Protocol (SNMP)  An application-level protocol used to monitor and perform basic configuration of network devices.
    Server Port  The user-specified secure TCP port monitored by the Cisco Secure Content Accelerator for secure transaction requests.