ServerIron SSL Implementation and Certificate Management White Paper
Foundry Networks White Paper
Contents

Overview
  Conventions
  Terminology
SSL Background
  SSL Versions
  ServerIron Supported SSL Modes
  SSL Keys and Certificates
SSL Certificate Management
  Obtaining an SSL Certificate
  Using an Internal Certificate Authority
  Transferring an Existing Certificate
  Chaining SSL Certificates
  Using a Self Signed Certificate
  Transferring Key and Certificate Files
    Enabling the SCP server on the ServerIron
    SCP Clients
    Upload a PEM key file
    Upload a PEM certificate file
    Download a PEM key file
    Download a PEM certificate file
    Upload a PKCS#12 Key/Certificate
    Download a PKCS#12 Key/Certificate
    Upload a Chained Certificate
  Key and Certificate file maintenance
    Displaying a list of key files
    Displaying a list of certificate files
    Deleting Key and Certificate Files
    Updating Expiring Certificates
SSL Configuration
  Layer 4 Load Balancing
    Real Server Configuration
    Virtual Server Configuration
  SSL Termination Mode
    SSL Profile
    Real Server Configuration
    Virtual Server Configuration
    Source NAT
  SSL Proxy Mode
    SSL Profile
    Real Server Configuration
    Virtual Server Configuration
    Source NAT
    Client Authentication
      Setting the Clock
      Certificate Revocation List (CRL)
      Client Certificate Insertion
  SSL Health Checks
    Application Health Checks in SSL
  Additional SSL Configuration Details
    Source NAT
    HTTP to HTTPS redirects
    Supporting HTTP and HTTPS
    Other (Non HTTPS) SSL Applications
SSL Troubleshooting
  SSL Debugging Flowchart
  SSL Troubleshooting Commands
Overview

This document covers the implementation of Secure Socket Layer (SSL) and Transport Layer Security (TLS) in the Foundry ServerIron product group. Its goal is to help the reader better understand SSL and TLS, and to help them implement SSL/TLS on a Foundry ServerIron.

The majority of this document uses examples for SSL encrypted HTTP traffic (HTTPS) on port 443. The ServerIron aliases port 443 as port ssl. When referring to protocols other than HTTPS, these protocols will be specified (IMAPS, LDAPS, etc.).

Conventions

Although TLS and SSL are technically different, they are both configured as SSL on the ServerIron. This document will hereafter collectively refer to both technologies simply as SSL. If it is necessary to make any distinction between the two, specific version numbers will accompany the name (SSLv2, SSLv3, TLSv1.0, etc.).

Text in the Courier font, in a grey box, is used for configuration examples, sample output, etc. Pay special attention to the configuration examples:

- Examples which start with the prompt ServerIron# represent commands that will be executed from the enabled (non config mode) prompt.
- Examples which start with ServerIron(config)# represent configuration commands executed within the config terminal mode.
- Examples which start with ServerIron1/1# are commands executed within the rconsole.
- Examples which use a > or $ prompt are executed on a PC, server, or similar equipment.
- Examples which have no prompt represent sample output or configuration options.
Terminology

CA (Certificate Authority): An entity which issues digital certificates for use by other parties.
Chained Certificate: An X.509 certificate for a host which is concatenated with the issuing CA's certificate, which was in turn issued by a root CA.
CRL (Certificate Revocation List): A list of certificates that have been revoked by the issuing Certificate Authority.
CSR (Certificate Signing Request): A message sent from an applicant to a certificate authority in order to apply for a digital identity certificate.
CSW (Content Switching): A ServerIron feature that allows layer 7 inspection, switching and data or content manipulation.
EV Certificate (Extended Validation Certificate): A certificate which requires more extensive investigation of the requesting entity by the CA.
FIPS (Federal Information Processing Standard): Standards published by the U.S. Government which regulate non military agencies.
HIPAA (Health Insurance Portability and Accountability Act): U.S. Congressional Act which regulates many aspects of insurance carriers, including electronic data storage and exchange.
PCI DSS (Payment Card Industry Data Security Standard): Data security regulations for organizations that process credit cards.
PEM (Privacy enhanced Electronic Mail): Base64 encoded DER certificate.
PFX (Personal information File exchange): A Microsoft developed certificate format which later became standardized as PKCS#12.
PKC: Public Key Cryptography.
PKCS#12 (Public Key Cryptography Standards #12): A certificate format commonly used to store X.509 private keys with accompanying public key certificates.
PKI (Public Key Infrastructure): Binding of public keys with respective user identities by means of a certificate authority (CA).
Self Signed Certificate: A certificate that is signed by its own creator and whose legitimacy is not assured by a trusted authority.
SNTP (Simple Network Time Protocol): A protocol used to distribute Universal Time (UTC) by synchronizing the clocks of computer systems.
SSL (Secure Sockets Layer): A cryptographic protocol developed by Netscape.
TLS (Transport Layer Security): The successor to SSL, and the first to become an IETF standard (RFC 2246).
VIP (Virtual IP): Also known as a Virtual Server.
X.509: A standard for a PKI which specifies, amongst other things, standard formats for public key certificates and certificate revocation lists.
SSL Background

SSL is a Public Key Cryptography system. The purpose of SSL is twofold. The most commonly considered function of SSL is encryption. In order to establish an encrypted session with another entity, however, it is generally good practice to know who will be receiving your encrypted message. The second purpose of SSL, therefore, is authentication.

The most common form of authentication is server authentication. In order to establish trust, someone must be trusted in the first place. Browsers come pre loaded with certificates of trusted Certificate Authorities (CAs). The trusted CAs then issue and sign the certificates for other entities, which by association then become trusted. This form of server authentication assures users that they are sending their information to the intended entity.

A second form of authentication offered by SSL is client authentication. When client authentication is enabled, both the server and the client exchange their certificates with one another. Similar to server authentication, this provides reasonable assurance to the server that it is communicating with its intended party.

SSL Versions

SSL was originally conceived in 1994 by Netscape. SSLv1 was never an official implementation, nor was there a related specification covering version 1. Noting many flaws, such as a lack of message integrity protection and sequence numbers, Netscape waited until the second revision of SSL before releasing it. SSLv2 was released by Netscape later that same year. In 1995, Microsoft introduced Private Communications Technology (PCT), which was backward compatible with SSLv2. Netscape also introduced SSLv3 in 1995. None of these specifications, however, were ever Internet Engineering Task Force (IETF) standards. In May 1996, a working group was established by the IETF to standardize SSL. This working group produced RFC 2246 for Transport Layer Security (TLSv1.0) in January 1999.
Since then, there have been two revisions to the standard. TLSv1.1 was published as RFC 4346 and TLSv1.2 was published as RFC 5246 in August 2008. At the time of this document's publication, the ServerIron supports SSLv2, SSLv3, TLSv1.0 and TLSv1.1.

ServerIron Supported SSL Modes

The ServerIron can be configured in three different modes for SSL.

1. Layer 4 Load Balancing. This is standard TCP load balancing, and the ServerIron has no SSL awareness.
   a. This is the only option for ServerIron equipment that does not have SSL capable hardware. Where SSL capable hardware is available, this mode is typically not recommended, as the ServerIron loses all visibility into the underlying traffic.
2. SSL Termination. In this scenario, the ServerIron terminates all client side SSL traffic and communicates with the real servers in clear text.
   a. SSL Termination offloads the responsibility of SSL processing from the real servers and can greatly improve their performance. It allows for secure communications from the client to the ServerIron, and limits the unencrypted traffic to a trusted domain.
3. SSL Proxy. In this configuration, the ServerIron has two separate encrypted sessions, one with the client and the other with the server.
   a. This is the most secure method, as it ensures that all communication on the wire is encrypted from client to server, while still allowing the ServerIron complete visibility into the unencrypted traffic in order to make Layer 7 switching decisions. While this is the most secure method, it is not the preferred method, because it requires more resources on both the real servers and the ServerIron itself. In some cases, however, it may be required. Some companies require end to end encryption in order to maintain compliance with directives such as HIPAA or PCI DSS. Additionally, if the real servers are not all in the same physical trusted domain as the ServerIron (e.g. remote servers), it may be necessary to encrypt the traffic between the ServerIron and the servers.

SSL Keys and Certificates

The ServerIron supports two X.509 certificate formats. The first is PKCS#12 (Public Key Cryptography Standard 12). PKCS#12 is the successor to Microsoft's PFX key storage standard. A PKCS#12 file contains both the SSL certificate and the key in a single binary file. The second format is PEM. The PEM format is a Base64 encoded format; in other words, it is ASCII based. This format requires two separate files, one for the certificate and the other for the key.

SSL Certificate Management

Prior to ServerIron version 11.0, all certificate management was done via the CLI. In 11.0, the ability to handle all SSL certificate management functions was introduced in the Web GUI. Any tasks discussed below that are done on the ServerIron (e.g. generating a key, CSR, etc.) or that interact with the ServerIron (e.g. transferring keys and certificates) can now be done in the Web GUI. It is highly recommended that the Web GUI be used whenever possible. This guide, however, will focus only on the CLI.
Obtaining an SSL Certificate

There are many Certificate Authorities (CAs) from which you can purchase SSL certificates. Additionally, many companies use internal CA servers to issue certificates for their internal resources. It's important to remember that all browsers come pre loaded with certificates of the CAs which they will trust. Obtaining a certificate from a lesser known CA or using an internal CA server may require that you use a chained certificate.

Step 1 Create a key file.

In the example below, a key file named foo.key is created; it is 1024 bytes (length options are 512, 768, 1024 or 2048) and has a password of foundry.

Note: key and certificate filenames are automatically truncated at 18 characters. To avoid any confusion, do not use filenames that exceed 18 characters.

    SLB-ServerIron#ssl genrsa foo.key 1024 foundry
    transfer_ssl_object_buf_to_bp : The object buffer length is 1209
    transfer_ssl_object_buf_to_bp : The message length is 1339
Step 2 Create a Certificate Signing Request (CSR).

    SLB-ServerIron#ssl gencsr foo.key
    You are about to be asked to enter information that will be incorporated into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    Country name (2 letter code) [US]
    State or province (full name) [California]
    Locality name (city) [San Jose]Santa Clara
    Organization name (Company name) [Foundry Networks]Foo, Inc.
    Organizational unit name (department) [Web administration]online Orders
    Common name (your domain name) [www.foundrynet.com]www.foo.com
    Email address [webadmin@foundrynet.com]webguru@foo.com
    SLB-ServerIron#
    -----BEGIN CERTIFICATE REQUEST-----
    MIIBujCCASMCAQAwejELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
    FDASBgNVBAcTC1NhbnRhIENsYXJhMRIwEAYDVQQKEwlGb28sIEluYy4xFjAUBgNV
    BAsTDU9ubGluZSBPcmRlcnMxFDASBgNVBAMTC3d3dy5mb28uY29tMIGfMA0GCSqG
    SIb3DQEBAQUAA4GNADCBiQKBgQDdM7ju/D/XkNoSSxtE7fBY2F+9gE5mslIu1yK2
    ZZk5ZJHZep3Hj8+e2ceafO7f7vBt+/9WfHnvlCZsYhSWRhrE/KvNMN3QnwGH8eSL
    djiclhizjnmyjaiahg/haucjgkh8809mwc65vblh4ifi2bpnjiluce2fgozfu+8r
    3UDI3wIDAQABoAAwDQYJKoZIhvcNAQEFBQADgYEAwZPdILyofWmMHgSgE0kqyjiY
    n/vouiqn3ygmplp4cxnixmn5pkayxfhqcdkbcxd91dfr5zbe5cgn7wydpfkfuzhz
    4+o+g719FBovWjsBA6XvaZ56NE32Zj48qzyNn7zaRLg2zNWhR3DKhv0cuMYrah9X
    Wap4+it5xOYSWUZDoeI=
    -----END CERTIFICATE REQUEST-----

Step 3 Complete the Request Process with the Certificate Authority

The CA will request the CSR data from the previous step. Copy the output from the previous step, being sure to include the first line (BEGIN) as well as the last line (END) in the request. The CA will also ask for information about the requester, company, method of payment, etc. Some of this information will be pre populated from the data which was input during the CSR process. Additionally, you will be asked to select a format for the certificate. If the CA offers a PEM or Base64 format, you can choose that.
Some CAs will list server types instead (Apache, iPlanet, Microsoft IIS, etc.); choose Apache ModSSL, which will offer a PEM format. Save the file locally on your PC.

Step 4 Upload the Certificate to the ServerIron

For instructions on uploading the certificate, please see the Transferring Key and Certificate Files section.

Using an Internal Certificate Authority

As mentioned in the Background section of this document, SSL has two primary purposes. The first is generally to encrypt, and the other is to authenticate. When a server is only accessed by a select group of users (generally employees) as opposed to the general public, a certain amount of trust is often assumed as to the identity of the server. Even though the identity of the server may be trusted, the data that is accessed is often sensitive and sometimes subject to regulations which require that it be encrypted. Using an internal CA allows for the traffic encryption, but will still cause warnings to be issued to the clients regarding the validity of the certificate unless the certificate is chained (see below). Aside from (optionally) chaining the certificate, no additional configuration is required when using an internal CA. Follow the same steps as shown in the Obtaining an SSL Certificate section.
In the following example, we outline the steps for obtaining a certificate from a Microsoft Certificate Services server. This example uses a Windows 2003 Server running Certificate Authority 5.2.3790.0. Other versions may vary slightly.

1. Using Internet Explorer, open the browser to the Certificate Server (the default path is /certsrv, e.g. http://myserver.foo.com/certsrv/).
2. Click on Request a Certificate.
3. Click on Or, submit an advanced certificate request.
4. Click on Submit a certificate request by using a base 64 encoded CMC or PKCS #10 file, or submit a renewal request by using a base 64 encoded PKCS #7 file.
5. In the Saved Request box, paste the certificate request (the output from Step 2 of Obtaining an SSL Certificate).
6. Click Submit.
7. If your Certificate Server is configured to automatically issue certificates without administrative intervention, you will see the next page. If not, the administrator of the server will need to approve your request and you can obtain your certificate at a later time.
8. Click on the Base 64 Encoded radio button.
9. Click Download Certificate.

Transferring an Existing Certificate

In some cases, a certificate may have already been requested and installed directly on a server. If you would like to use that same certificate, but move it to the ServerIron instead, you will need to export the certificate and key from the server. Once the file is exported, you will need to use OpenSSL to convert the file to PKCS#12 or PEM format. Windows users can download the Win32 version of OpenSSL here. Steps to convert the certificate will vary based on the original format of the key and certificate. Please review the OpenSSL documentation for details.

Important Note: In order to transfer a PEM key to the ServerIron, the key MUST contain a password (also known as a passphrase). If the key does not contain a passphrase, you will need to convert it via OpenSSL.
If you have an existing PEM key and certificate where the key is not password protected, you will need to use OpenSSL. Below is the syntax for adding a passphrase to the key:

    C:\Program Files\GnuWin32\bin>openssl rsa -in foo.key -des3 -out foo-passwd.key

Once the key and certificate are in the PEM or PKCS#12 format, they will need to be uploaded to the ServerIron. For instructions on uploading the certificate, please see the Transferring Key and Certificate Files section.

Chaining SSL Certificates

As mentioned earlier, the CA that issues a web server certificate must be trusted by the client. By default, a client will never recognize an internal CA (internal CA certificates can be loaded into the client manually so that it can be trusted). Additionally, a lesser known public CA may not be trusted by a client. Every client varies in which CAs it chooses to trust, and this will also vary from version to version as new CAs are deemed reputable by the software vendor (Microsoft, Mozilla, Apple, etc.).
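The following POSIX shell script is an added example, not part of the Foundry white paper, showing the OpenSSL steps this section describes together with the checks worth running before a file is uploaded to the ServerIron: adding a passphrase to an exported key, bundling it as PKCS#12, confirming the key matches the certificate (the mismatch the SSL Profile TIP later warns about), confirming the server certificate chains to the CA certificate used for chaining, and checking how long the certificate stays valid. It assumes only that the openssl command is on the PATH; every file name, subject and the password foundry is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Foundry white paper): prepare and sanity-check a
# key/certificate pair with the OpenSSL CLI before uploading it to a ServerIron.
# Assumes only the openssl command; all names, subjects and the password
# "foundry" below are constructed for the demonstration.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The ServerIron truncates key and certificate file names at 18 characters.
# Returns 0 when the name is safe to use as the remote file name.
name_fits_serveriron() {
    [ "${#1}" -le 18 ]
}

# Add a passphrase to an unprotected PEM key; the ServerIron only accepts PEM
# keys that carry one (same openssl rsa -des3 step the white paper shows).
# Usage: protect_key <in.key> <out.key> <password>
protect_key() {
    openssl rsa -in "$1" -des3 -passout "pass:$3" -out "$2" 2>/dev/null
}

# Bundle a PEM key and certificate into PKCS#12, the ServerIron's other format.
# Usage: to_pkcs12 <key.pem> <key_password> <cert.pem> <out.p12> <p12_password>
to_pkcs12() {
    openssl pkcs12 -export -inkey "$1" -passin "pass:$2" -in "$3" \
        -out "$4" -passout "pass:$5" 2>/dev/null
}

# Returns 0 when the certificate's public key belongs to the private key. A
# mismatch is the failure the SSL Profile TIP describes: the certificate-file
# line silently disappears from show run.
# Usage: key_matches_cert <key.pem> <key_password> <cert.pem>
key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$3" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Returns 0 when the server certificate chains to the CA certificate; run this
# on the intermediate CA file before uploading it under the server cert's name.
# Usage: chains_to_ca <ca.pem> <server.pem>
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Returns 0 when the certificate stays valid for at least <seconds> more, i.e.
# the renewal procedure in Updating Expiring Certificates is not yet due.
# Usage: valid_for <cert.pem> <seconds>
valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Constructed test material: a throwaway internal CA, a server key without a
# passphrase (as exported from a web server), a certificate issued by that CA,
# and an unrelated key to demonstrate the mismatch case.
make_demo_material() {
    CA_KEY=$WORK/ca.key; CA_CERT=$WORK/ca.cer
    SRV_KEY=$WORK/foo-nopass.key; SRV_CERT=$WORK/foo.cer
    OTHER_KEY=$WORK/other.key
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$CA_KEY" -out "$CA_CERT" \
        -subj "/O=Foo, Inc./CN=Foo Internal CA" -days 365 2>/dev/null
    openssl genrsa -out "$SRV_KEY" 2048 2>/dev/null
    openssl req -new -key "$SRV_KEY" -subj "/O=Foo, Inc./CN=www.foo.com" \
        -out "$WORK/foo.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/foo.csr" -CA "$CA_CERT" -CAkey "$CA_KEY" \
        -CAcreateserial -days 365 -out "$SRV_CERT" 2>/dev/null
    openssl genrsa -out "$OTHER_KEY" 2048 2>/dev/null
}

# Run with "demo" as the first argument to walk through the whole preparation.
if [ "${1:-}" = "demo" ]; then
    make_demo_material
    protect_key "$SRV_KEY" "$WORK/foo.key" foundry
    to_pkcs12 "$WORK/foo.key" foundry "$SRV_CERT" "$WORK/foo-p12.cer" foundry
    key_matches_cert "$WORK/foo.key" foundry "$SRV_CERT" && echo "key and certificate match"
    chains_to_ca "$CA_CERT" "$SRV_CERT" && echo "certificate chains to Foo Internal CA"
    valid_for "$SRV_CERT" 2592000 && echo "not due for renewal within 30 days"
fi
```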
If the CA is not trusted, the client's behavior (which will vary slightly from client to client) is to warn the user or prevent access to the server. This behavior is similar to what is seen with any certificate the client deems invalid (out of date range, unknown CA, self signed certificate, host name mismatch, etc.).

To avoid this behavior, you can chain certificates together. Essentially, this process is trust by association. The intermediate CA receives its certificate from a trusted CA, and then the intermediate CA issues a certificate to another server. The client establishes trust of the server by chaining the intermediate CA's certificate (which was issued by a source trusted by the client) with the final certificate that was issued by the intermediate CA.

Step 1 Obtain the Certificate of the Certificate Authority.

Obtain the root certificate or certificate chain from the internal or public CA and save the file locally.

Step 2 Upload the root certificate.

To upload the root certificate, see the instructions in the Upload a Chained Certificate section.

Note: In order to use a chained certificate, you must add the command enable-certificate-chaining to the SSL profile. See the SSL Profile section for details.

Using a Self Signed Certificate

The ServerIron is capable of issuing and using self signed certificates. A self signed certificate is one which has not been issued by any Certificate Authority. When using a self signed certificate, all browsers should issue an alert to the user indicating that it may not be safe to connect to this site. This can be overridden by having the user permanently accept the self signed certificate into their browser. For this reason, it is generally not recommended to use self signed certificates unless the application has extremely low volume. A good example of this would be an administrative website which would only be used by IT staff.

Step 1 Create a key file.
To issue a self signed certificate, start by generating an RSA key file as outlined in Step 1 of Obtaining an SSL Certificate.

Step 2 Create a certificate.

Note: key and certificate filenames are automatically truncated at 18 characters. To avoid any confusion, do not name files more than 18 characters.

    ServerIron#ssl gencert certkey foo.key signkey foo.key foundry foo-self.cer
    You are about to be asked to enter information that will be incorporated into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    Country name (2 letter code) [US]
    State or province (full name) [California]
    Locality name (city) [San Jose]Santa Clara
    Organization name (Company name) [Foundry Networks]Foo, Inc.
    Organizational unit name (department) [Web administration]it
    Common name (your domain name) [www.foundrynet.com]admin.foo.com
    Email address [webadmin@foundrynet.com]admin@foo.com
Note: In order to use a self signed certificate, you must add the command allow self signed cert to the SSL profile. See the SSL Profile section for details.

Transferring Key and Certificate Files

When adding a new certificate, the key file is often generated on the ServerIron itself. The certificate file, however, will need to be uploaded to the ServerIron. Additionally, if deploying the ServerIron in a High Availability (HA) pair, the key which was generated on one ServerIron will need to be copied to the other. It may also be a good idea to export the key and keep it and the certificate somewhere offline. If a ServerIron should ever need to be replaced through an RMA process, the key and certificate could be lost. Backing these files up would prevent that loss. It is important to note, however, that the key files are extremely sensitive. Key files can be used to decrypt SSL data; it is highly recommended that access to these files be strictly controlled.

Reminder: All of this functionality is available in the Web GUI, beginning in version 11.0. Using the GUI will greatly simplify the process of transferring these files.

Note: key and certificate filenames are automatically truncated at 18 characters. To avoid any confusion, do not name files more than 18 characters.

Enabling the SCP server on the ServerIron

Before these files can be moved on or off the ServerIron, the SCP server functionality must be enabled.

Step 1 Configure a domain name.

    ServerIron>enable
    No password has been assigned yet...
    ServerIron#conf term
    ServerIron(config)#ip dns domain-name si-1.foo.com

Step 2 Create a key for SSH (this has nothing to do with SSL keys).

    ServerIron(config)#crypto key generate dsa

Step 3 Create a username.

    ServerIron(config)#username admin password foundry

Step 4 Allow empty SSH passwords.

    ServerIron(config)#ip ssh permit-empty-password yes

SCP Clients

GUI based SCP clients will not work for copying key and certificate files.
Linux users can use the scp command line; Windows users are encouraged to use PSCP, which is the command line SCP client from PuTTY. You can download PSCP here. The commands below are written for Windows users. Linux users should omit the p from the pscp commands (use scp).

Upload a PEM key file

To upload a PEM formatted key to the ServerIron, use the following syntax:

    pscp <local_filename> <username>@<ip_address>:sslkeypair:<remote_filename>:<password>:pem

    C:\certs>pscp foo.key admin@10.10.100.10:sslkeypair:foo.key:foundry:pem
Upload a PEM certificate file

To upload a PEM formatted certificate to the ServerIron, use the following syntax:

    pscp <local_filename> <username>@<ip_address>:sslcert:<remote_filename>:pem

    C:\certs>pscp foo.cer admin@10.10.100.10:sslcert:foo.cer:pem

Download a PEM key file

To download a PEM formatted key from the ServerIron, use the following syntax:

    pscp <username>@<ip_address>:sslkeypair:<remote_filename>:<password>:pem <local_filename>

    C:\certs>pscp admin@10.10.100.10:sslkeypair:foo.key:foundry:pem foo.key

Download a PEM certificate file

To download a PEM formatted certificate from the ServerIron, use the following syntax:

    pscp <username>@<ip_address>:sslcert:<remote_filename>:pem <local_filename>

    C:\certs>pscp admin@10.10.100.10:sslcert:foo.cer:pem foo.cer

Upload a PKCS#12 Key/Certificate

The PKCS#12 file is a binary file that contains both the key and the certificate. Since it contains the key and uses a password, the sslkeypair flag is used, as when transferring a PEM key (versus a PEM certificate). To upload a PKCS#12 file to the ServerIron, use the following syntax:

    pscp <local_filename> <username>@<ip_address>:sslkeypair:<remote_filename>:<password>:pkcs12

    C:\certs>pscp foo-p12.cer admin@10.10.100.10:sslkeypair:foo-p12.cer:foundry:pkcs12

Download a PKCS#12 Key/Certificate

To download a PKCS#12 file from the ServerIron, use the following syntax:

    pscp <username>@<ip_address>:sslkeypair:<remote_filename>:<password>:pkcs12 <local_filename>

    C:\certs>pscp admin@10.10.100.10:sslkeypair:foo-p12.cer:foundry:pkcs12 foo-p12.cer

Upload a Chained Certificate

To chain a certificate, you must upload the CA's certificate to the ServerIron. To link the CA's certificate to the server certificate, you simply use the same destination file name. For example, if the file foo.cer is the server's certificate that was issued by an intermediate CA, that intermediate CA's certificate will also be named foo.cer.
Instead of overwriting the original file, the ServerIron will append the original foo.cer to the new incoming foo.cer. To upload the PEM formatted intermediate CA's certificate, use the following syntax:

    pscp <local_filename> <username>@<ip_address>:sslcert:<remote_filename>:pem

    C:\certs>pscp ca-cert.cer admin@10.10.100.10:sslcert:foo.cer:pem

Key and Certificate file maintenance

It may become necessary to delete key or certificate files. This can be done via the rconsole. To connect to the rconsole from the CLI prompt, use the following command:

    ServerIron#rconsole 1 1
    ServerIron1/1#
Displaying a list of key files

    ServerIron1/1#show ssl key *
    ssl key files:          size
    foo.key                 1209

Displaying a list of certificate files

    ServerIron1/1#show ssl cert *
    ssl cert files:         size
    foo.cer                 1484
    foo-self.cer            1249
    foo-p12.cer             2501

Deleting Key and Certificate Files

If a key and/or certificate are no longer needed on the ServerIron, these files can be deleted. To delete an unwanted file, use the commands above to list the files. Once you have identified the file you want to delete, use the clear command as shown below.

    SLB-ServerIron1/1#clear ssl cert foo-p12.cer
    SLB-ServerIron1/1#clear ssl cert foo.key
    Error : Cannot delete file foo.key, it is used being used by one or more SSL profiles

Notice in the example above that if you attempt to remove a file that is in use, you will receive an error and the file will not be deleted. You must remove the certificate or key from the appropriate SSL profile before it can be removed.

Updating Expiring Certificates

All certificates are issued with an expiration date. At the end of their valid issuance period, the certificate must be renewed, or clients will receive warnings letting them know that the certificate is no longer valid. In order to update a certificate that is already in use, you would need to delete the existing certificate. There are several steps in doing this: first, the SSL profile must be disassociated from the virtual server; next, the certificate must be removed from the SSL profile; lastly, the file must be deleted. These steps take time, and no SSL processing can occur during this time. To minimize the impact of updating the SSL certificate, it is suggested that you use the following steps:

Step 1 Upload the Renewed Certificate.

Upload the certificate file under a new filename.

Step 2 Create a New SSL Profile.

For instructions on creating an SSL profile for SSL Termination mode, see the SSL Profile section under SSL Termination Mode. For instructions on creating an SSL profile for SSL Proxy mode, see the SSL Profile section under SSL Proxy Mode.
Note: The new SSL profile can use the existing key; there is no restriction that prevents the same key from being used in two profiles.
The above steps can all be done without impacting production traffic. Once the new certificate is in place and the profile has been created, the final step is to associate the virtual server with the new profile. This step will cause all SSL traffic on that virtual server/port to stop, and clients will need to reconnect and renegotiate their SSL sessions.

Step 3 Associate the SSL Profile with the Virtual Server.

For instructions on associating an SSL profile with a virtual server in SSL Termination mode, see the Virtual Server Configuration section under SSL Termination Mode. For instructions on associating an SSL profile with a virtual server in SSL Proxy mode, see the Virtual Server Configuration section under SSL Proxy Mode.

SSL Configuration

This section discusses the configuration for the three supported SSL modes.

Layer 4 Load Balancing

In this mode, the ServerIron does not require any specific SSL configuration or SSL hardware. The ServerIron treats the SSL traffic as TCP traffic. As a result, all certificates and keys are stored and managed on the individual real servers. Additionally, no Layer 7 features such as Content Switching (CSW) are available for SSL when using this configuration, as the ServerIron has no visibility into the encrypted traffic which passes through it. The ServerIron can, however, still conduct meaningful health checks. Both Simple and Complete SSL health checks are available. For additional information, please refer to the SSL Health Checks section.

Real Server Configuration

Real servers are the application servers. These servers will be bound to the virtual servers, which are VIPs residing on the ServerIron. Below is an example configuration of a real server which uses SSL.

    ServerIron(config)#server real rs1 10.10.100.50
    ServerIron(config-rs-rs1)#port ssl

For general information on configuring real servers, please review the ServerIron SLB Guide, available on the Foundry Knowledge Portal. Additional information on SSL health checks can be found in the SSL Health Checks section of this document.
Virtual Server Configuration

Virtual servers are VIPs configured on the ServerIron. These VIPs are bound to real servers. Below is an example configuration of a virtual server which is listening on port 443 and bound to real servers on port 443.

    SLB-ServerIron(config)#server virtual vs1 10.10.100.150
    SLB-ServerIron(config-vs-vs1)#port ssl
    SLB-ServerIron(config-vs-vs1)#bind ssl rs1 ssl

For general information on configuring virtual servers, please review the ServerIron SLB Guide, available on the Foundry Knowledge Portal.
SSL Termination Mode

SSL session termination on the ServerIron requires SSL capable hardware. SSL capable hardware includes SSL management modules (WSM6 SSL 1 and WSM6 SSL 2) as well as SSL Service Modules (SRVC SSL6 1 and SRVC SSL6 2) for chassis products. The SI 4G SSL and SI 4G SSL FIPS are standalone SSL capable products. Chassis based ServerIrons with non SSL management blades can add SSL Service Modules. Standalone products that are not equipped with SSL hardware cannot be upgraded.

SSL Profile

The SSL profile establishes a key and certificate pair that will be presented to the client and determines the supported cipher suites. This type of profile is referred to as a client side SSL profile. The profile is tied to a virtual server later in the Virtual Server Configuration. To configure a basic client side SSL profile, use the following configuration:

    ServerIron>enable
    No password has been assigned yet...
    ServerIron#conf term
    ServerIron(config)#ssl profile foo
    ServerIron(config-ssl-profile-foo)#keypair-file foo.key
    ServerIron(config-ssl-profile-foo)#certificate-file foo.cer
    ServerIron(config-ssl-profile-foo)#cipher-suite all

Additional configuration options for client side SSL profiles:

    disable-ssl-v2                Disable SSL version 2 support for this profile.
    enable-certificate-chaining   Enable sending of entire certificate chain.
    enable-close-notify           Enable sending CLOSE-NOTIFY alert.
    session-cache                 Control session caching for SSL sessions.
    tcp-profile                   TCP profile name.
    verify-client-cert            Verify a client SSL certificate against a CA.

TIP: After completing the profile configuration, it is a good idea to use the show run command to verify what you've done. If there was any problem with the SSL key and certificate files, you will not see the certificate-file command in the configuration. This generally indicates a mismatch of keys and certificates.
Real Server Configuration

Configuring the real servers for SSL termination is identical to configuring standard HTTP (non-SSL) real servers. All health checks and other port level configurations are done on http, not ssl.

    ServerIron(config)#server real rs1 10.10.100.50
    ServerIron(config-rs-rs1)#port http
    ServerIron(config-rs-rs1)#port http keepalive

Virtual Server Configuration

The virtual server is configured as ssl. Any port level command (such as CSW) would be enabled on the SSL port. The ssl profile that was created earlier is enabled on the virtual port. Lastly, the ssl port of the virtual server is bound to the http port of the real server.

    ServerIron(config)#server virtual vs1 10.10.100.200
    ServerIron(config-vs-vs1)#port ssl
    ServerIron(config-vs-vs1)#port ssl ssl-terminate foo
    ServerIron(config-vs-vs1)#bind ssl rs1 http

Note that in this mode the traffic between the ServerIron and the real servers is sent in the clear on port 80, so the server side network segment must be trusted. If that segment is not trusted, use SSL Proxy mode instead.
Source NAT

For information about Source NAT, please see the Additional SSL Configuration Details section of this document.

SSL Proxy Mode

SSL Proxy is the most secure configuration option available, allowing for end to end SSL encryption. It is also more complex, as it requires keys and certificates on the ServerIron as well as on each real server. Another drawback is performance. With SSL Termination mode, the ServerIron is able to offload the responsibility of processing the SSL encryption from the real servers. In SSL Proxy mode, however, the real server still needs to process the SSL encryption.

SSL Profile

For SSL Proxy mode, two SSL Profiles need to be created. The first is a client side profile. The client side SSL profile establishes a key and certificate pair that will be presented to the client and determines the supported cipher suites. The second is a server side profile. The server side SSL profile configures the CA certificate that will be used to validate the certificate presented by the real servers. Both of these profiles are tied to a Virtual Server later in the Virtual Server configuration. In the example below, foo-ca.cer is configured as the ca-cert-file. This is the certificate of the internal certificate authority that issued the server certificates. To configure a basic pair of SSL profiles, use the following configuration:

    ServerIron>enable
    No password has been assigned yet...
    ServerIron#conf term
    ServerIron(config)#ssl profile foo
    ServerIron(config-ssl-profile-foo)#keypair-file foo.key
    ServerIron(config-ssl-profile-foo)#certificate-file foo.cer
    ServerIron(config-ssl-profile-foo)#cipher-suite all
    ServerIron(config-ssl-profile-foo)#exit
    ServerIron(config)#
    ServerIron(config)#ssl profile foo-servers
    ServerIron(config-ssl-profile-foo-servers)#ca-cert-file foo-ca.cer

The additional configuration options for the client side SSL profile are the same as those listed under SSL Termination Mode above (disable-ssl-v2, enable-certificate-chaining, enable-close-notify, session-cache, tcp-profile and verify-client-cert).

Additional configuration options for server side SSL profiles:

    allow-self-signed-cert    Allow self signed certificates during certificate verification.

Use allow-self-signed-cert only in a lab. It removes the check that ties the real server's certificate to a CA you control, which is the property that makes SSL Proxy mode end to end secure; in production, issue the real server certificates from an internal CA and load that CA's certificate as the ca-cert-file.

TIP: After completing the profile configuration, it is a good idea to use the show run command to verify what you have done. If there was any problem with the SSL key and certificate files, you will not see the certificate-file command in the configuration. This generally indicates a mismatch between the key and the certificate.
Real Server Configuration

To configure the real server, simply specify the ssl port and configure the desired SSL Health Checks.

    ServerIron(config)#server real rs1 10.10.100.50
    ServerIron(config-rs-rs1)#port ssl

Virtual Server Configuration

In the virtual server configuration, the client side SSL profile (foo) and the server side SSL profile (foo-servers) are tied to the VIP. The ssl port of the VIP is bound to the ssl port of the real servers.

    ServerIron(config)#server virtual vs1 10.10.100.200
    ServerIron(config-vs-vs1)#port ssl
    ServerIron(config-vs-vs1)#port ssl ssl-proxy foo foo-servers
    ServerIron(config-vs-vs1)#bind ssl rs1 ssl

Source NAT

For information about Source NAT, please see the Additional SSL Configuration Details section of this document.

Client Authentication

Client Authentication is when the client (browser) presents an SSL certificate to the server (or ServerIron). Just as server side SSL has the server present a certificate to the client, the purpose of client authentication is to verify the identity of the presenter. Client Authentication is generally used in conjunction with other security measures (e.g. username and password). The configuration of client authentication is built on the base of either an SSL Termination or an SSL Proxy configuration. In addition to the basic SSL configuration, the client side SSL profile must also specify whether the client certificate should be requested or required, and when (per connection or per handshake). Additionally, a CA certificate file (ca-cert-file) must be specified for the client side SSL profile (this was previously configured for SSL proxy on the server side profile). The CA certificate file must be from the CA that issued the client certificates. In the example below, an internal Certificate Authority for Foo was used to issue the client certificates. Below is an example configuration of a client side SSL profile for Client Authentication.
    ServerIron(config)#ssl profile foo
    ServerIron(config-ssl-profile-foo)#keypair-file foo.key
    ServerIron(config-ssl-profile-foo)#certificate-file foo.cer
    ServerIron(config-ssl-profile-foo)#cipher-suite all
    ServerIron(config-ssl-profile-foo)#verify-client-cert per-connection require
    ServerIron(config-ssl-profile-foo)#ca-cert-file foo-ca.cer

With request rather than require, a client can complete the handshake without presenting a certificate at all, so the application behind the VIP must then enforce the presence of a certificate itself; use require unless the application does that.

Note: The Real Server and Virtual Server configurations remain unchanged from a typical SSL configuration (proxy or termination).

Setting the Clock

Since client authentication requires the ServerIron to verify the validity period of the certificates presented by clients, it is extremely important that the clock be set correctly. Without the correct time and date, certificates may appear to be presented before or after their validity period. Below is an example of how to set the clock and time zone. You can also use SNTP to help maintain accurate time. Additional information on setting up SNTP can be found in the ServerIron Administration Guide available on the Foundry Knowledge Portal.
    ServerIron#clock set 08:12:00 10-22-08
    ServerIron#conf t
    ServerIron(config)#clock timezone us pacific

Certificate Revocation List (CRL)

A CRL is sometimes used in conjunction with Client Authentication to revoke a certificate that was once valid but should no longer be allowed. Examples would be a user losing his or her laptop, or a user resigning; the certificate that was configured on that laptop can be revoked to prevent unauthorized access. Configuring a CRL on the ServerIron is done at a global level (rather than within an SSL profile). CRLs are downloaded from a URL on the CA. To configure a CRL, use the following syntax:

    ssl crl-record <local name> <url> <file type> <refresh interval in hours>

    ServerIron(config)#ssl crl-record foo-ca http://internalca.foo.com/certsrv/certcrl.crl pem 1

The refresh interval bounds how long a revoked certificate remains usable: with the 1 hour interval above, a revocation can take up to an hour to take effect on the ServerIron. The CRL is fetched over plain HTTP, so the ServerIron's check of the CRL signature (reported as CRL signature failed in show ssl authentication-stat) is what protects it from tampering; a CRL that fails to load is also counted there, so watch those counters after changing the CA or its URL.

Client Certificate Insertion

Some real servers need to see the client certificate for logging or for additional security. A client certificate, however, cannot be natively passed between the ServerIron and the real servers. A common way to resolve this is to put the client certificate into an HTTP header. By default, when configuring certificate insertion, the ServerIron inserts a header called Client-Cert whose value is the Base64 encoded certificate. Because the real server will act on this header, it must accept it only on requests that arrived through the ServerIron; a client that can reach the real server directly could supply a Client-Cert header of its own.

Note: Although the real server example below shows an http port configuration (SSL Termination), client certificate insertion is valid in both SSL Termination and SSL Proxy mode.

To configure client certificate insertion, you will need to use a CSW policy. The policy will contain two default actions. The first action forwards the packet using a group id (required). The second action inserts the client certificate. Additionally, the policy is applied to the virtual server, and the real servers must be given group id numbers.
CSW Policy Example:

    ServerIron(config)#csw-policy "p1"
    ServerIron(config-csw-p1)#default forward 1
    ServerIron(config-csw-p1)#default rewrite request-insert client-cert
    ServerIron(config-csw-p1)#exit

Example of additional configuration required for the Real Servers:

    ServerIron(config)#server real rs1
    ServerIron(config-rs-rs1)#port http group-id 1 1
    ServerIron(config-rs-rs1)#exit

Example of additional configuration required for the Virtual Server:

    ServerIron(config)#server virtual vs1
    ServerIron(config-vs-vs1)#port ssl csw-policy "p1"
    ServerIron(config-vs-vs1)#port ssl csw
    ServerIron(config-vs-vs1)#end

For additional information on CSW Rules and Policies, please see the Layer 7 Switching chapter of the ServerIron Server Load Balancing Guide, available on the Foundry Knowledge Portal.
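The following Python is an added example of how the real server side can consume the inserted headers; it is not Foundry's code and not part of the original paper. It assumes the header names and value formats this section shows: a Client-Cert header carrying the Base64 encoded DER certificate, and, with the parsed-fields option described further on, Client-Cert-* headers whose dates are X.509 UTCTime strings such as 081007220058Z. The set of trusted ServerIron addresses and the sample request are constructed for the example.

```python
"""Added example (not Foundry's code): consuming ServerIron Client-Cert headers on a real server."""
import base64
from datetime import datetime, timezone
from typing import Dict, Optional

# Addresses from which the real server will accept the inserted headers (assumption for
# this example). Whether the real server sees the VIP address or a source NAT address
# depends on the deployment; anything else may be a client talking to the server directly.
TRUSTED_PROXY_ADDRS = {"10.10.100.200", "10.10.100.5"}


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Split a raw HTTP request into a lower-cased header dict; the request line is dropped."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:
        if not line:
            break  # blank line terminates the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_utctime(value: str) -> datetime:
    """Decode an X.509 UTCTime (YYMMDDHHMMSSZ). Per RFC 5280, YY >= 50 means 19YY, else 20YY."""
    if len(value) != 13 or not value.endswith("Z"):
        raise ValueError("unexpected UTCTime format: %r" % value)
    yy = int(value[0:2])
    year = 1900 + yy if yy >= 50 else 2000 + yy
    return datetime(year, int(value[2:4]), int(value[4:6]),
                    int(value[6:8]), int(value[8:10]), int(value[10:12]),
                    tzinfo=timezone.utc)


def client_identity(raw_request: str, peer_addr: str, now: datetime) -> Optional[Dict[str, str]]:
    """Return the authenticated client identity, or None when the request must not be trusted.

    * The headers are only meaningful on requests that came from the ServerIron; a client
      reaching the real server directly could forge them.
    * The validity window is re-checked against the real server's own clock.
    * A raw Client-Cert value, if present, must be valid Base64 whose first byte is the
      DER SEQUENCE tag (0x30) that every X.509 certificate starts with.
    """
    if peer_addr not in TRUSTED_PROXY_ADDRS:
        return None
    h = parse_headers(raw_request)
    cn = h.get("client-cert-subject-cn")
    if not cn:
        return None  # no certificate inserted (e.g. verify-client-cert was request, not require)
    try:
        start = parse_utctime(h["client-cert-start"])
        end = parse_utctime(h["client-cert-end"])
    except (KeyError, ValueError):
        return None
    if not (start <= now <= end):
        return None
    raw = h.get("client-cert")
    if raw is not None:
        try:
            der = base64.b64decode(raw, validate=True)
        except ValueError:
            return None
        if not der or der[0] != 0x30:
            return None
    return {"cn": cn,
            "issuer_cn": h.get("client-cert-issuer-cn", ""),
            "serial": h.get("client-cert-serial", "")}


# Constructed sample request, modelled on the parsed-fields header layout (not a capture).
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Client-Cert-Version: 2\r\n"
    "Client-Cert-Serial: 17\r\n"
    "Client-Cert-Start: 081007220058Z\r\n"
    "Client-Cert-End: 091007221058Z\r\n"
    "Client-Cert-Subject: countryname=US; organizationname=Foo, Inc.; commonname=Joe User; \r\n"
    "Client-Cert-Subject-CN: Joe User\r\n"
    "Client-Cert-Issuer-CN: internal-ca.foo.com\r\n"
    "Host: intranet.foo.com\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(client_identity(SAMPLE_REQUEST, "10.10.100.200", parse_utctime("081022081200Z")))
```

The function deliberately returns None rather than raising on a malformed or out-of-window certificate, so a handler can fall through to the application's other credentials (the page notes client authentication is usually combined with a username and password).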
With this configuration the modified headers (as seen by the real server) will look like this:

    GET / HTTP/1.1\r\n
    Client-Cert: MIIEjzCCA3egAwIBAgIKESic+wAAAAAADDANBgkqhkiG9w0BAQUFADBHMRMwEQYKCZImiZPyLGQBGRYDY29tMRowGAYKCZImiZPyLGQBGRYKZm91bmRyeW5ldDEUMBIGA1UEAxMLbWt0LWxhYi0xMTUwHhcNMDgxMDA3MjIwMDU4WhcNMDkxMDA3MjIxMDU4WjCBgjELMAkGA1UEBhMCVVMxCzAJBgNVBA
    Host: intranet.foo.com\r\n
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; cs; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3\r\n
    Accept: */*\r\n
    Accept-Encoding: gzip, deflate\r\n
    Accept-Language: en\r\n
    Connection: Keep-Alive\r\n
    \r\n

If you would prefer to have the certificate value in a human readable format, you can add an additional command to the virtual server that will parse the fields.

Example of additional configuration required for the Virtual Server:

    ServerIron(config)#server virtual vs1
    ServerIron(config-vs-vs1)#port ssl request-insert client-cert parsed-fields
    ServerIron(config-vs-vs1)#end

With this configuration, the modified headers will appear in a human readable and parsed format. Below is an example of the modified headers (as seen by the real server):

    GET / HTTP/1.1\r\n
    Client-Cert-Version: 2\r\n
    Client-Cert-Serial: 17\r\n
    Client-Cert-Start: 081007220058Z\r\n
    Client-Cert-End: 091007221058Z\r\n
    Client-Cert-Subject: countryname=US; stateorprovincename=CA; localityname=Santa Clara; organizationname=Foo, Inc.; organizationalunitname=IT; commonname=Joe User; \r\n
    Client-Cert-Subject-CN: Joe User\r\n
    Client-Cert-Issuer: commonname=internal-ca.foo.com; \r\n
    Client-Cert-Issuer-CN: internal-ca.foo.com\r\n
    Host: intranet.foo.com\r\n
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; cs; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3\r\n
    Accept: */*\r\n
    Accept-Encoding: gzip, deflate\r\n
    Accept-Language: en\r\n
    Connection: Keep-Alive\r\n
    \r\n

The X.509 version field is zero based, so Client-Cert-Version: 2 denotes a version 3 certificate, and the Start and End values are the certificate's validity period in UTCTime form (YYMMDDHHMMSSZ).

SSL Health Checks

By default, the ServerIron only checks real servers using ICMP.
This method of health checking only tests the overall status of the server and does not reflect the status of a service or application. In order to check the health of the SSL port, you will need to enable the keepalive for SSL.

    ServerIron(config)#server real rs1
    ServerIron(config-rs-rs1)#port ssl keepalive
A complete SSL handshake is a 9 way process (see Figure 1, below). By enabling keepalive, the default behavior of the ServerIron is to use a simple SSL health check. For a simple SSL health check, the ServerIron waits for the Server Hello Done message and then sends a TCP reset (RST) to terminate the connection. If you prefer to complete the 9 way handshake, use the following global command:

    ServerIron(config)#no server use-simple-ssl-health-check

Because the simple check stops before the key exchange, it proves only that the real server speaks SSL and presents a certificate; a server whose private key no longer matches its certificate, or whose cipher suites the ServerIron cannot use, still passes it. The complete handshake catches both, at the cost of one full handshake per health check interval.

Figure 1: SSL Handshake
    Client -> Server: Client Hello
    Server -> Client: Server Hello, Certificate, Server Hello Done
    Client -> Server: Client Key Exchange, Change Cipher Spec, Finished
    Server -> Client: Change Cipher Spec, Finished

Application Health Checks in SSL

Using the simple or complete SSL health check verifies that the SSL service is running, but it does not check the application itself. In order to verify the HTTPS application, you will need to issue a GET or HEAD request and verify the response. Below is an example of setting up a HEAD request to test the application.

    ServerIron(config)#server real rs1
    ServerIron(config-rs-rs1)#port ssl url "HEAD /"

Note: This command MUST be accompanied by the global command that enables the complete SSL health check, no server use-simple-ssl-health-check. Without the complete SSL handshake, the ServerIron will not issue the HEAD request.

There are a number of additional health check options available (Boolean, content matching, etc.). For additional information on Health Checks, please see the Health Checks chapter of the ServerIron Server Load Balancing Guide, available on the Foundry Knowledge Portal.
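To make the difference between the two checks concrete, the following Python is an added example (not Foundry's code and not from the original paper) that parses the server's first flight of the handshake in Figure 1 and reports when the simple check's stopping condition, Server Hello Done, has been reached. It works on raw TLS record bytes, so a practitioner can feed it what a socket returned after sending a Client Hello; the sample flight embedded here is constructed, with a placeholder in place of a real certificate.

```python
"""Added example (not Foundry's code): parse the server flight of an SSL/TLS handshake
and decide when the ServerIron's simple SSL health check would be satisfied."""
import struct
from typing import List

CONTENT_HANDSHAKE = 0x16   # TLS record content type: handshake
CONTENT_ALERT = 0x15       # TLS record content type: alert
HS_SERVER_HELLO, HS_CERTIFICATE, HS_SERVER_HELLO_DONE = 2, 11, 14
HS_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 14: "ServerHelloDone",
            16: "ClientKeyExchange", 20: "Finished"}


def handshake_message(msg_type: int, body: bytes) -> bytes:
    """Encode one handshake message: 1-byte type, 3-byte length, body (RFC 5246 section 7.4)."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def tls_record(content_type: int, payload: bytes, version: bytes = b"\x03\x01") -> bytes:
    """Wrap a payload in a TLS record: type, 2-byte version, 2-byte length (RFC 5246 section 6.2)."""
    return bytes([content_type]) + version + struct.pack("!H", len(payload)) + payload


def parse_handshake_types(data: bytes) -> List[int]:
    """Return the handshake message types found in `data`, in order.

    Several handshake messages coalesced into one record (the usual case for
    ServerHello + Certificate + ServerHelloDone) are handled. An incomplete record,
    or a handshake message split across records, ends parsing; a real checker would
    read more bytes from the socket at that point and try again.
    """
    types = []
    offset = 0
    while offset + 5 <= len(data):
        ctype = data[offset]
        rec_len = struct.unpack("!H", data[offset + 3:offset + 5])[0]
        rec_end = offset + 5 + rec_len
        if rec_end > len(data):
            break                      # record not fully received yet
        if ctype == CONTENT_HANDSHAKE:
            pos = offset + 5
            while pos + 4 <= rec_end:
                hs_type = data[pos]
                hs_len = int.from_bytes(data[pos + 1:pos + 4], "big")
                if pos + 4 + hs_len > rec_end:
                    return types       # message continues in the next record
                types.append(hs_type)
                pos += 4 + hs_len
        offset = rec_end               # alerts and other content types are skipped
    return types


def describe(data: bytes) -> List[str]:
    """Human readable form of parse_handshake_types()."""
    return [HS_NAMES.get(t, "type %d" % t) for t in parse_handshake_types(data)]


def simple_ssl_health_check_passed(server_bytes: bytes) -> bool:
    """The simple check is satisfied once ServerHelloDone has been seen; the ServerIron
    then sends a TCP RST instead of continuing with ClientKeyExchange."""
    return HS_SERVER_HELLO_DONE in parse_handshake_types(server_bytes)


def sample_server_flight() -> bytes:
    """Constructed server flight: ServerHello and Certificate coalesced in one record,
    ServerHelloDone in a second. The certificate bytes are a placeholder, not a real certificate."""
    server_hello = (b"\x03\x01"        # server_version: TLS 1.0
                    + b"\x11" * 32     # random (fixed here so the sample is reproducible)
                    + b"\x00"          # empty session_id
                    + b"\x00\x2f"      # TLS_RSA_WITH_AES_128_CBC_SHA
                    + b"\x00")         # null compression
    dummy_cert = b"\x30\x03\x02\x01\x01"
    cert_list = len(dummy_cert).to_bytes(3, "big") + dummy_cert
    certificate = len(cert_list).to_bytes(3, "big") + cert_list
    first = handshake_message(HS_SERVER_HELLO, server_hello) + handshake_message(HS_CERTIFICATE, certificate)
    done = handshake_message(HS_SERVER_HELLO_DONE, b"")
    return tls_record(CONTENT_HANDSHAKE, first) + tls_record(CONTENT_HANDSHAKE, done)


if __name__ == "__main__":
    flight = sample_server_flight()
    print(describe(flight), "-> simple check passed:", simple_ssl_health_check_passed(flight))
```

Note what the parser does not do: it never touches the certificate contents or the key exchange, which is exactly why the simple check cannot detect a key and certificate mismatch on the real server.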
Additional SSL Configuration Details

Source NAT

In some configurations, it is necessary to use source NAT with a ServerIron. For additional details on Source NAT and when it is necessary, please review the ServerIron Server Load Balancing Guide. If it is necessary to use source NAT in your configuration, you will need to add the for-ssl parameter for SSL traffic. The example below shows two source NAT commands. The first is for non-SSL traffic, and the second is for SSL traffic.

    ServerIron(config)#server source-nat-ip 10.10.100.4 255.255.255.0 0.0.0.0 portrange 2
    ServerIron(config)#server source-nat-ip 10.10.100.5 255.255.255.0 0.0.0.0 portrange 2 for-ssl

HTTP to HTTPS redirects

End users often forget to type https:// in their browsers. Configuring a virtual server to accept only SSL connections can lead to increased support calls and complaints from end users. You can set up an HTTP redirect to send all users from port 80 to port 443. To set up a redirect you will need to use a CSW policy. The CSW policy syntax is:

    default redirect <domain> [<url> [<url> <new port>]]

Below is an example of the HTTP redirection policy. The policy uses wildcards (*) to redirect to the same host (domain) and URL as originally requested, on port 443 (https://) rather than port 80 (http://).

    ServerIron(config)#csw-policy "p1"
    ServerIron(config-csw-p1)#default redirect * * 443
    ServerIron(config-csw-p1)#exit

Before we can apply the CSW policy to the port of the virtual server, we need a port that we can bind http to. The binding must be present and active in order to invoke the CSW policy. The recommended method is to create a pseudo port on the real server. Since this port is not configured on the server, we configure the ServerIron to disable health checks on that port (keeping the port up regardless).
    ServerIron(config)#server real rs1
    ServerIron(config-rs-rs1)#port 180
    ServerIron(config-rs-rs1)#port 180 no-health-check

This policy is then applied to the virtual server on the http port. Below is an example of the additional configuration required for the virtual server.

    ServerIron(config)#server virtual vs1
    ServerIron(config-vs-vs1)#port http
    ServerIron(config-vs-vs1)#port http csw-policy "p1"
    ServerIron(config-vs-vs1)#port http csw
    ServerIron(config-vs-vs1)#bind http rs1 180
    ServerIron(config-vs-vs1)#end

For additional information on CSW Rules and Policies, please see the Layer 7 Switching chapter of the ServerIron Server Load Balancing Guide, available on the Foundry Knowledge Portal.

Supporting HTTP and HTTPS

In SSL Termination mode, once you have bound port 443 of the virtual server to port 80 of the real server, you will not be able to bind port 80 of the virtual server to port 80 of the real server. If it is necessary to support both HTTP and SSL on the same VIP, to the same real servers, you must use an alias port. An alias port is configured in the real server configuration, but the real server itself has no knowledge of this particular port. The examples below reflect configurations that support both SSL termination and HTTP.

    ServerIron(config)#server real rs1
    ServerIron(config-rs-rs1)#port http
    ServerIron(config-rs-rs1)#port http keepalive
    ServerIron(config-rs-rs1)#port 180
    ServerIron(config-rs-rs1)#port 180 no-health-check
    ServerIron(config-rs-rs1)#end

Notice that the configuration above does not enable a keepalive for the alias port, since the real server itself has no knowledge of port 180.

    ServerIron(config)#server virtual vs1
    ServerIron(config-vs-vs1)#port http
    ServerIron(config-vs-vs1)#port ssl
    ServerIron(config-vs-vs1)#port ssl ssl-terminate foo
    ServerIron(config-vs-vs1)#bind http rs1 http
    ServerIron(config-vs-vs1)#bind ssl rs1 180 real-port http
    ServerIron(config-vs-vs1)#end

Displaying the bindings (see below) shows that both http and ssl are active. Notice that the SSL binding actually shows Active-Active. This is the normal state for active alias ports.

    SLB-ServerIron 4G#show server bind
    Bind info
    Virtual server: vs1          Status: enabled      IP: 10.10.100.200
        http -------> rs1: 10.10.100.50, http (Active)
        ssl  -------> rs1: 10.10.100.50, 180 (Active-Active)
Other (Non-HTTPS) SSL Applications

The ServerIron currently supports three other SSL encrypted protocols in addition to HTTPS. Starting in version 9.5.02a, the ServerIron supports LDAPS, POP3S and IMAPS in SSL Termination mode. This allows you to take the traditional protocol (LDAP, POP3 or IMAP) and secure it with SSL between the client and the ServerIron. The ServerIron decrypts the SSL and passes the unencrypted traffic to the real server(s). As with HTTPS termination, this means the traffic between the ServerIron and the real servers, including any LDAP bind or mailbox login credentials, crosses the server side network in the clear, so that segment must be trusted. An example configuration for all three protocols is below. Note that these are supported separately, but are shown as a single example for simplicity.

    ServerIron>enable
    No password has been assigned yet...
    ServerIron#conf term
    ServerIron(config)#server real rs1
    ServerIron(config-rs-rs1)#port pop3
    ServerIron(config-rs-rs1)#port imap4
    ServerIron(config-rs-rs1)#port ldap
    ServerIron(config-rs-rs1)#exit
    ServerIron(config)#server real rs2
    ServerIron(config-rs-rs2)#port pop3
    ServerIron(config-rs-rs2)#port imap4
    ServerIron(config-rs-rs2)#port ldap
    ServerIron(config-rs-rs2)#exit
    ServerIron(config)#server virtual vs1
    ServerIron(config-vs-vs1)#port pop3s
    ServerIron(config-vs-vs1)#port pop3s ssl-terminate foo
    ServerIron(config-vs-vs1)#bind pop3s rs1 pop3 rs2 pop3
    ServerIron(config-vs-vs1)#port imaps
    ServerIron(config-vs-vs1)#port imaps ssl-terminate foo
    ServerIron(config-vs-vs1)#bind imaps rs1 imap4 rs2 imap4
    ServerIron(config-vs-vs1)#port ldaps
    ServerIron(config-vs-vs1)#port ldaps ssl-terminate foo
    ServerIron(config-vs-vs1)#bind ldaps rs1 ldap rs2 ldap
    ServerIron(config-vs-vs1)#exit

SSL Troubleshooting

The first step in diagnosing SSL related issues is to refer to the flowchart below. You will also find SSL troubleshooting commands in this document. Some commands in this section can be used to self diagnose and resolve problems, while others may require interaction with Foundry TAC.
If TAC assistance is required, you can open a case via the Foundry Knowledge Portal or by calling 1-877-TURBO-CALL (877-887-2622).

SSL Debugging Flowchart

Below (Figure 2) is an SSL debugging flowchart. This flowchart should help resolve common SSL problems.
Figure 2: SSL Debugging Flowchart (diagram not reproduced in this text)
SSL Troubleshooting Commands

Below is a list of commonly used troubleshooting commands. The commands are all executed from the rconsole prompt. Most of the output is self explanatory; what to look for will vary depending on the type of problem(s) you are experiencing.

SHOW SSL STAT ALERT

This command provides SSL alert counts. RX counts alerts received from the peer and TX counts alerts sent by the ServerIron. High or rapidly increasing numbers on any row may indicate a problem that should be investigated further. In the sample below, the 11 unknown_ca alerts received mean that clients rejected the certificate presented by the VIP, which typically points at a missing intermediate certificate (see enable-certificate-chaining) or an issuing CA the clients do not trust; close_notify is the normal end of session alert and is not an error.

    ServerIron1/1#sho ssl stat alert
    SSL alert detail counters:            RX      TX
    **************************************************************************
    close_notify:                         16       0
    unexpected_message:                    0       0
    bad_record_mac:                        0       0
    decryption_failed:                     0       0
    record_overflow:                       0       0
    decompression_failure:                 0       0
    handshake_failure:                     0       0
    no_certificate:                        0       0
    bad_certificate:                       0       0
    unsupported_certificate:               0       0
    certificate_revoked:                   0       0
    certificate_expired:                   0       0
    certificate_unknown:                   0       0
    illegal_parameter:                     0       0
    unknown_ca:                           11       0
    access_denied:                         0       0
    decode_error:                          0       0
    decrypt_error:                         0       0
    export_restrictionr:                   0       0
    protocol_version:                      0       0
    insufficient_security:                 0       0
    internal_error:                        0       0
    user_cancelled:                        0       0
    no_renegotiation:                      0       0

SHOW CP DEBUG

This command will typically result in a message indicating All counters are zero. Sometimes, however, it will show a number in brackets (e.g. [85]) and a value indicating the number of times the error has occurred (see below). These types of errors are not indicative of a problem. Messages which should be of concern are accompanied by descriptions that are easy to interpret.

    ServerIron1/1#show cp debug
    client sock error or timeout [ 85]: 5
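The rows of show ssl stat alert map directly onto the TLS AlertDescription codes of RFC 5246, and reading them side by side with the profile options earlier in this paper is usually enough to localise a handshake problem. The following Python is an added example (not Foundry's code and not from the original paper) that parses the command's output and produces a short triage list; the sample output it parses is constructed to match the format shown above, not captured from a device, and the hints are the editor's, based on the options this paper describes.

```python
"""Added example (not Foundry's code): triage the RX/TX counters of 'show ssl stat alert'."""
import re
from typing import Dict, List, Tuple

# TLS AlertDescription values (RFC 5246 section 7.2), keyed by the names the ServerIron prints.
ALERT_CODES = {
    "close_notify": 0, "unexpected_message": 10, "bad_record_mac": 20,
    "decryption_failed": 21, "record_overflow": 22, "decompression_failure": 30,
    "handshake_failure": 40, "no_certificate": 41, "bad_certificate": 42,
    "unsupported_certificate": 43, "certificate_revoked": 44, "certificate_expired": 45,
    "certificate_unknown": 46, "illegal_parameter": 47, "unknown_ca": 48,
    "access_denied": 49, "decode_error": 50, "decrypt_error": 51, "export_restriction": 60,
    "protocol_version": 70, "insufficient_security": 71, "internal_error": 80,
    "user_cancelled": 90, "no_renegotiation": 100,
}

# Editor's hints, derived from the configuration options described in this paper.
# RX = alert received from the peer, TX = alert sent by the ServerIron.
HINTS = {
    "unknown_ca": ("the receiving side does not trust the issuer of the certificate it was shown: "
                   "on RX clients rejected the VIP certificate (check enable-certificate-chaining and "
                   "the client trust store); on TX the ServerIron rejected a client or real server "
                   "certificate (check the ca-cert-file)"),
    "certificate_expired": "validity period exceeded or a clock is wrong: check expiry dates and clock/SNTP",
    "certificate_revoked": "certificate found on a CRL: check the crl-record and the client's certificate",
    "handshake_failure": "no common cipher suite or protocol version: review cipher-suite and disable-ssl-v2",
    "protocol_version": "peer rejected the offered SSL/TLS version",
    "bad_certificate": "peer could not parse or validate the certificate it was shown",
}

LINE_RE = re.compile(r"^\s*([a-z_]+)\s*:\s*(\d+)\s+(\d+)\s*$")


def parse_alert_counters(output: str) -> Dict[str, Tuple[int, int]]:
    """Parse 'name: RX TX' rows into {name: (rx, tx)}; prompt, banner and separator lines are ignored."""
    counters = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return counters


def nonzero_alerts(counters: Dict[str, Tuple[int, int]]) -> Dict[str, Tuple[int, int]]:
    """Alerts with a non-zero RX or TX count, excluding close_notify (a normal warning-level alert)."""
    return {n: c for n, c in counters.items() if n != "close_notify" and (c[0] or c[1])}


def triage(output: str) -> List[str]:
    """One line per non-zero alert: name, RFC 5246 code, counts and a hint where one exists."""
    report = []
    for name, (rx, tx) in sorted(nonzero_alerts(parse_alert_counters(output)).items()):
        code = ALERT_CODES.get(name, -1)
        hint = HINTS.get(name, "no hint; compare with show ssl stat counters and show ssl stat client")
        report.append("%s (alert %d): rx=%d tx=%d -- %s" % (name, code, rx, tx, hint))
    return report


# Constructed sample in the layout of the command output above (not a device capture).
SAMPLE_OUTPUT = """\
ServerIron1/1#sho ssl stat alert
SSL alert detail counters:            RX      TX
**************************************************************************
close_notify:                         16       0
unexpected_message:                    0       0
handshake_failure:                     0       0
certificate_expired:                   0       0
unknown_ca:                           11       0
protocol_version:                      0       0
"""

if __name__ == "__main__":
    for line in triage(SAMPLE_OUTPUT):
        print(line)
```

Run it on two snapshots a few minutes apart and diff the counters; a row that is large but static is history, while one that keeps climbing is the live problem.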
SHOW SSL STAT COUNTERS

This command provides a lot of useful information about SSL connections, both from the clients and to the real servers. The specific information to pay attention to will vary depending on the nature of the problem.

    ServerIron1/1#show ssl stat counters
    SSL debug counters:
    SSL connect attempts       : 45
    SSL Handshake complete     : 29
    SSL close count            : 25
    SSL RemoteClose cnt        : 29
    SSL reset count            : 0
    SSL Remote Reset cnt       : 0
    SSL tx shutdown            : 25
    TCP close cnt              : 45
    SSL current con            : 0
    SSL clientside con         : 0
    SSL_Recv cnt               : 247
    SSL Send cnt               : 747
    Alert(2) Rx cnt            : 11
    Alert(2) Tx Cnt            : 0
    SSL Session Attempt        : 0
    SSL Session Reuse failed   : 0
    SSL Rx Block cnt           : 292
    SSL Rx unblock cnt         : 321
    DMA DP->SDRAM2             : 80
    DMA_SSL_MONITOR            : 32
    Cavium Inst err cnt        : 0
    Cavium reqid not found     : 0
    Cavium Rd/Wr same          : 0
    Cavium pending cnt         : 0
    SSL Get Client Hello fail  : 0
    FPGA ssl mon req cnt       : 1039
    FPGA ssl mon done cnt      : 1039
    SSL V2 rate limit drops    : 0
    Cavium Inst overflow err   : 0
    SSL Alert Incorrect len    : 0
    SSL Invalid record type    : 0
    SSL Record with no data    : 0
    SSL Insufficient data in   : 0
    SSL HS MSGS in data xfer   : 0
    SSL Random counters:
    Num ssl rand buffers       : 2
    Rand buffer size           : 32768
    Current fetch              : 0
    Rand errors                : 0
    SSL debug counters:
    SSL Recv CB unblk error    : 0
    SSL Recv Pkt drop cnt      : 0
    SSL Invalid sd error       : 0
    SSL ZeroCopy Recv Err      : 0
    SSL read error cnt         : 0
    SSL recv err code          : 0
    SSL read alert error       : 0
    SSL renegotiate start      : 0
    SSL read alert error       : 0
    SSL max. frag. err         : 0
SHOW SSL STAT CLIENT

This command displays information relevant to the client side SSL connections. The counters are worth reading together with show ssl stat alert: in the sample below, 45 connection attempts produced 29 completed handshakes and 11 failed connects, and the 11 level 2 (fatal) alerts received match the 11 unknown_ca alerts in the earlier output, which points at clients rejecting the VIP certificate rather than at a problem on the ServerIron.

    ServerIron1/1#show ssl stat client
    SSL Client statistics:
    ***************************************************************************
    SSL Connect attempts:         45
    SSL Connect failed:           11
    SSL Client Hello rcvd:        45
    SSL Client Hello failed:      0
    SSL Client Key Xchng rcvd:    29
    SSL Client Key Xchng failed:  0
    SSL Client Finish rcvd:       0
    SSL Client Finish failed:     87
    Client auth ok:               0
    Client auth failed:           0
    SSL Session Reuse Attempt:    0
    SSL Session Reuse failed:     0
    SSL Handshake complete:       29
    SSL Connect closed:           45
    SSL Close count:              25
    SSL Remote Close cnt:         29
    SSL Reset count:              0
    SSL Remote Reset cnt:         0
    Level 1 Alerts Received:      16
    Level 2 Alerts Received:      11
    Level 1 Alerts Send:          0
    Level 2 Alerts Send:          0
    SSL Rx bytes from TCP:        85719
    SSL Tx bytes to TCP:          3325334
    SSL Rx Appl Data from TCP:    80557
    SSL Tx Appl Data to TCP:      3277454
    SSL Rx nonappldata from TCP:  5162
    SSL Tx nonappl Data to TCP:   47880
    RSA Private Decrypt calls:    0
    RSA Public Decrypt calls:     0
    RSA Private Encrypt calls:    0
    RSA Public Encrypt calls:     0
    DH Compute key calls:         0
    DH Generate key calls:        0
    DSA Verify calls:             0
    DSA Sign calls:               0
    MD5 Raw hash calls:           0
    SHA1 Raw hash calls:          0
    3DES calls:                   0
    RC4 calls:                    0
    SSL MAC MD5 calls:            0
    SSL MAC SHA1 calls:           1010
    TLS MAC MD5 calls:            0
    TLS MAC SHA1 calls:           0

SHOW SOCKET STAT

This command shows information related to all TCP sockets configured on the ServerIron.
    ServerIron1/1#show socket stat
    Socket Layer:
    Total sockets        : 65000
    Open sockets         : 1
    Max reached          : 0
    Sock mem alloc fail  : 0
    TCP Connection States:
    Listen               : 1
    SYN-rcvd             : 0
    SYN-sent             : 0
    Established          : 0
    Close-wait           : 0
    FIN-wait-1           : 0
    Closing              : 0
    Last-Ack             : 0
    FIN-wait-2           : 0
    Time-wait            : 0
    ConnProxy (client) states:
    Total count          : 48000
    Used count           : 0
    Wait connect         : 0
    Wait connect complt  : 0
    Wait reuse           : 0
    Wait data            : 0
    In Use               : 0
    Wait close           : 0
    Wait remote close    : 0
    Wait close complt    : 0
    Wait free            : 0
    RST rcvd             : 0
    ConnProxy (server) states:
    Total count          : 48000
    Used count           : 0
    Wait connect         : 0
    Wait connect complt  : 0
    Wait reuse           : 0
    Wait data            : 0
    In Use               : 0
    Wait close           : 0
    Wait remote close    : 0
    Wait close complt    : 0
    Wait free            : 0
    RST rcvd             : 0
    Reuse pool head      : 0
SHOW SSL AUTHENTICATION STAT

This command is only relevant for client authentication configurations. The output provides useful information pertaining to authentication, including the CRL counters that show whether the configured CRL could be fetched and verified.

    ServerIron1/1#show ssl authentication-stat
    SSL certificate verification counters:
    Success                    : 0
    Failure                    : 0
    Unknown user               : 0
    Signature failed           : 0
    Certificate expired        : 0
    Certificate revoked        : 0
    Cert not yet valid         : 0
    Cert signature failed      : 0
    Issuer pubkey decode fail  : 0
    Self signed cert           : 0
    Issuer cert not found      : 0
    Subject Issuer mismatch    : 0
    Certificate untrusted      : 0
    Cert chain too long        : 0
    CRL counters:
    CRL load failed            : 0
    CRL signature failed       : 0
    CRL not found              : 0
    CRL not yet valid          : 0
    CRL expired                : 0
Foundry Networks, Inc. Headquarters
4980 Great America Parkway
Santa Clara, CA 95054-1200
U.S. and Canada Toll free: (888) TURBOLAN
Direct telephone: +1 408.586.1700
Fax: +1 408.207.1699
Email: info@foundrynet.com
Web: http://www.foundrynet.com

Foundry Networks, AccessIron, BigIron, EdgeIron, FastIron, IronPoint, IronView, IronWare, JetCore, NetIron, ServerIron, Terathon, TurboIron, and the Iron family of marks are trademarks or registered trademarks of Foundry Networks, Inc. in the United States and other countries. All other trademarks are the properties of their respective owners.

Although Foundry has attempted to provide accurate information in these materials, Foundry assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Foundry. Please note that Foundry's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing.

2008 Foundry Networks, Inc. All Rights Reserved.