Using Certificates In Https Clusters; About Server Certificates - Coyote Point Systems E350GX Installation And Administration Manual


Appendix E: Using Certificates in HTTPS Clusters

The HTTPS protocol supports encrypted, secure communication between clients and servers. It requires that a Secure Sockets Layer (SSL) authentication handshake occur between the client and the server before a connection request can succeed.

When a client requests an HTTPS connection to a web server, the server (which has already been set up to support SSL connections) sends a server certificate to the client for verification. The client checks the certificate against its local database of trusted Certificate Authorities, and if it finds a match the connection is made. If no match is found (as is often the case with self-signed certificates), the browser displays a warning and asks whether you want to continue with the connection.

A further level of trust can be enabled by setting up the server to request a client certificate in addition to presenting the server certificate. Copies of the client certificate are pre-installed on both the client and the server. When the server sends the server certificate to the client, it also sends a request for the client's certificate. Once the client has accepted the server certificate as described above, it sends the client certificate to the server for verification. The server compares the client certificate it receives with its local copy, and if they match the connection is made.

Each Layer 7 HTTPS cluster requires a server certificate; client certificates are optional.

Web servers (such as Apache) and browsers (such as Internet Explorer and Firefox) are delivered with pre-installed Trusted Root Certificates, which are used to validate the server and client certificates exchanged when an HTTPS connection is established.

Equalizer supports self-signed certificates, signed certificates from Trusted Root Certificate Authorities, and certificates from Certificate Authorities (CAs) that do not have their own Trusted Root CA certificate. If your certificate is issued by a CA without its own Trusted Root CA certificate, you will need to install at least two certificates: the server certificate and a chained root (or intermediate) certificate for the CA. The intermediate certificate links the server certificate to a Trusted Root certificate.

About Server Certificates

In the typical HTTPS scenario described above, the client and server communicate directly, and the server does all the work of encrypting and decrypting packets as well as sending the server certificate to the client. If you have many systems servicing requests for the same website, you need to install certificates on each server.

With Equalizer, you do not need to install a server certificate on every server in a Layer 7 HTTPS cluster. Since certificates are associated with host names and not IP addresses, you only need one server certificate for each HTTPS cluster, and the certificates are installed only on Equalizer, not on each server. This reduces maintenance by reducing the number of certificates required for a group of systems serving content for the same host name.

When a client requests a connection to an HTTPS cluster, Equalizer establishes the HTTPS connection with the client, offloading SSL processing from all the servers in the HTTPS cluster. Equalizer communicates with clients via HTTPS; the traffic between Equalizer and the servers in an HTTPS cluster is HTTP (i.e., unencrypted). Compared to the typical scenario, in which each server establishes direct HTTPS connections with clients, encrypts and decrypts packets, and serves content as well, SSL offloading improves the overall performance of the cluster.

For even better performance, some Equalizer models are equipped with Xcel SSL Hardware Acceleration. With Xcel, all SSL processing is done by dedicated Xcel hardware, enhancing overall HTTPS throughput. For more information on Xcel, please visit the Coyote Point website (www.coyotepoint.com).

Note that HTTPS and certificates can also be used on servers in Layer 4 TCP and UDP clusters, but you will need to install a server and client certificate on each server in the cluster, since Equalizer does no HTTPS/SSL processing in Layer 4. In this scenario, no certificates are installed on Equalizer. Using a Layer 4 cluster is the preferred method for passing HTTPS traffic through Equalizer when you do not need to take advantage of features that are specific to Layer 7, such as cookie persistence, match rules, etc.
278
Equalizer Installation and Administration Guide

This manual is also suitable for: E450GX, E650GX