Advanced Configuration Topics; Multiple SSL Tunnels in a Single Process; Fault-Tolerant Configuration; Load Balancing and Fault-Tolerance of EXPAND over SSL - HP NonStop SSL Reference Manual

Advanced Configuration Topics

Multiple SSL Tunnels in a Single Process

A single HP NonStop SSL process can listen on multiple ports at once and forward them to different IP addresses/port numbers. The following parameters are global to a single HP NonStop SSL instance:
SUBNET
TARGETSUBNET
run mode
The following three parameters can be supplied as comma-separated lists:
PORT
TARGETPORT
TARGETHOST
In case a comma-separated list is found, HP NonStop SSL will match the individual entries to create tuples (PORT, TARGETPORT, and TARGETHOST). Incoming connections on each PORT will then be forwarded to the matching TARGETPORT and TARGETHOST.
As an example, if you want to forward
connections coming in on port 1023 to port 1023 on host Host23
connections coming in on port 1024 to port 1024 on host Host24
you would start HP NonStop SSL as follows:
RUN HP NonStop SSL PROXYS; PORT 1023,1024; TARGETPORT 23,24; TARGETHOST Host23,Host24
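
A configuration check for the tuple matching described above, added here as an example and not taken from the manual or from HP NonStop SSL itself. It pairs the three lists by position so the resulting listener-to-target mapping can be reviewed before the process is started; the function names are hypothetical, and rejecting lists of unequal length or duplicate listening ports is this example's assumption, since the manual does not say how the product handles those cases.

```python
# Added example (not from the manual): pair PORT / TARGETPORT / TARGETHOST lists by position.
LIST_PARAMS = ("PORT", "TARGETPORT", "TARGETHOST")

# Parameter portion of the start command shown above.
SAMPLE = "PORT 1023,1024; TARGETPORT 23,24; TARGETHOST Host23,Host24"


def parse_params(param_string):
    """Split 'NAME value; NAME value' text into {NAME: value}."""
    params = {}
    for chunk in param_string.split(";"):
        name, _, value = chunk.strip().partition(" ")
        if name:
            params[name.upper()] = value.strip()
    return params


def build_tunnels(param_string):
    """Return [(listen_port, target_host, target_port), ...] in list order."""
    params = parse_params(param_string)
    missing = [p for p in LIST_PARAMS if p not in params]
    if missing:
        raise ValueError("missing parameter(s): " + ", ".join(missing))
    ports, tports, thosts = (
        [item.strip() for item in params[p].split(",")] for p in LIST_PARAMS
    )
    # Assumption of this example: lists of unequal length are rejected.
    if not len(ports) == len(tports) == len(thosts):
        raise ValueError("PORT, TARGETPORT and TARGETHOST lists differ in length")
    tunnels, seen = [], set()
    for port, tport, thost in zip(ports, tports, thosts):
        listen, target = int(port), int(tport)  # non-numeric entry -> ValueError
        if not (1 <= listen <= 65535 and 1 <= target <= 65535):
            raise ValueError(f"port out of range in tuple {port},{tport},{thost}")
        if not thost:
            raise ValueError(f"empty TARGETHOST for listening port {listen}")
        if listen in seen:
            raise ValueError(f"listening port {listen} appears more than once")
        seen.add(listen)
        tunnels.append((listen, thost, target))
    return tunnels


if __name__ == "__main__":
    for listen, host, target in build_tunnels(SAMPLE):
        print(f"listen {listen} -> {host}:{target}")
```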

Fault-tolerant Configuration

HP NonStop SSL services can be configured as persistent processes under control of the kernel subsystem, enabling automatic recovery from failures, such as CPU outages. The SETUP macro included with the package will guide you through the process of creating a persistent process (see chapter "Installation" for details).
Note: HP NonStop SSL cannot be run as a non-stop process. However, this is not required to achieve non-stop availability. Running as a non-stop process would not add value, as TCP sessions are reset upon CPU takeover. Non-stop availability is achieved with HP NonStop SSL as a persistent process which is automatically restarted upon failures.

Load Balancing and Fault-Tolerance of EXPAND over SSL

Using the EXPAND multi-line or multi-CPU path feature, it is possible to distribute the CPU load generated by the SSL encryption of the EXPAND traffic across multiple CPUs. Having multiple EXPAND SSL lines connecting systems will also provide fault-tolerance against CPU and other failures. If an EXPAND line goes down due to an HP NonStop SSL EXPANDS process terminating for any reason, the traffic will be redirected over the remaining lines.

EXPAND Multi-Line versus Multi-CPU Paths

The choice between Multi-Line or Multi-CPU paths (SUPERPATH) is influenced by the nature of the traffic between the systems, as well as the load-balancing and fault-tolerance goals to be achieved.
Multi-Line and Multi-CPU paths over SSL differ in the following aspects: