Other Protocols Supported For Ssl - Brocade Communications Systems ServerIron ADX 12.4.00a Security Manual

Version 12.4.00a
6
Configuration Examples for SSL Termination and Proxy Modes
Define client insertion mode and prefix
The client certificate insertion mode and prefix can optionally be configured within a CSW policy, as
described below. To configure the client insertion mode, use the default rewrite
request-insert command as shown.
ServerIronADX(config)# csw-policy cswp1
ServerIronADX(config-csw-cswp1)# default rewrite request-insert client-cert
Syntax: [no] default rewrite request-insert client-cert [entire-chain | leaf-cert | wellknown-fields]
Selecting the entire-chain parameter directs the ServerIron ADX to insert the entire chain including
the leaf certificate in BASE64 encoded form. This is the default mode.
Selecting the leaf-cert parameter directs the ServerIron ADX to insert only the leaf certificate in
BASE64 encoded form, even though the certificate chain is present.
If the wellknown-fields parameter is selected, the important information in the client certificate is
retrieved and inserted as HTTP headers, in plain text. If this mode is chosen, the following
headers are inserted: "Client-Cert-Version", "Client-Cert-Serial", "Client-Cert-Start", "Client-Cert-End",
"Client-Cert-Subject", "Client-Cert-Subject-CN", "Client-Cert-SubjectAlt-CN", "Client-Cert-Issuer" and
"Client-Cert-Issuer-CN".
You can add a prefix to the default HTTP header names using the default rewrite request-insert
certheader-prefix command. In the following example, adding the prefix "SSL" to the HTTP header
name "Client-Cert" produces "SSL-Client-Cert".
ServerIronADX(config)# csw-policy cswp1
ServerIronADX(config-csw-cswp1)# default rewrite request-insert client-cert certheader-prefix "SSL"
Syntax: [no] default rewrite request-insert client-cert certheader-prefix <prefix>
The value specified by the <prefix> variable is added to the default HTTP name.
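An added example, not taken from the Brocade manual: a sketch of how a real server behind the ADX could read the wellknown-fields headers with a configured prefix, accepting them only from the load balancer's address and refusing a request that carries the same certificate header twice. The trusted address, the function names and the sample values are assumptions; the header names are the ones this page lists.

```python
# Added example (not Brocade code): a backend check for the headers that
# wellknown-fields mode inserts. TRUSTED_PROXIES and all function names are
# assumptions made for this sketch.
FIELDS = ("Version", "Serial", "Start", "End", "Subject", "Subject-CN",
          "Subject-Alt-CN", "SubjectAlt-CN",  # the page spells this one both ways
          "Issuer", "Issuer-CN")
TRUSTED_PROXIES = {"192.0.2.10"}  # constructed address standing in for the ADX


def header_names(prefix=""):
    """Map lower-cased header name -> field, e.g. 'ssl-client-cert-serial'."""
    base = f"{prefix}-Client-Cert" if prefix else "Client-Cert"
    return {f"{base}-{field}".lower(): field for field in FIELDS}


def client_cert_fields(peer_ip, headers, prefix=""):
    """Return {field: value} from a list of (name, value) header pairs.

    Raises ValueError when a certificate header arrives from a peer that is
    not the load balancer, or when the same certificate header appears twice.
    """
    names = header_names(prefix)
    found = {}
    for name, value in headers:
        field = names.get(name.lower())  # HTTP header names are case-insensitive
        if field is None:
            continue  # not a certificate header, leave it to the application
        if peer_ip not in TRUSTED_PROXIES:
            raise ValueError("certificate header from untrusted peer")
        if field in found:
            raise ValueError(f"duplicate certificate header: {name}")
        found[field] = value.strip()
    return found


if __name__ == "__main__":
    # Constructed request headers, as a backend might see them with prefix "SSL".
    sample = [
        ("Host", "app.example.test"),
        ("SSL-Client-Cert-Subject-CN", "alice"),
        ("SSL-Client-Cert-Issuer-CN", "Example Test CA"),
        ("SSL-Client-Cert-Serial", "0A1B"),
    ]
    print(client_cert_fields("192.0.2.10", sample, prefix="SSL"))
```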
The HTTP header names are shown in Table 18.
TABLE 18   HTTP Header Names and Descriptions
Header Names                  Descriptions
Client-Cert                   The entire client certificate chain or the leaf certificate.
Client-Cert-Version           Version of the client certificate.
Client-Cert-Serial            Serial number of the client certificate.
Client-Cert-Start             Date certificate not valid before.
Client-Cert-End               Date certificate not valid after.
Client-Cert-Subject           Subject's distinguished name.
Client-Cert-Subject-CN        Subject's common name.
Client-Cert-Subject-Alt-CN    Subject's alternative name.
Client-Cert-Issuer            Issuer's distinguished name.
Client-Cert-Issuer-CN         Issuer's common name.

Other protocols supported for SSL

SSL acceleration support is provided for other popular protocols such as LDAPS, POP3S, and IMAPS.
Configuration of SSL acceleration support for these protocols is shown in the following example.
ServerIron ADX Security Guide
53-1002440-03