
Netscaler SSL Acceleration

sys 2012-06-25

Overview
    The Netscaler can accelerate SSL applications by offloading encryption/decryption from the server, saving server CPU resources.
Features
  • 4400 to 28000 new SSL sessions per second, with throughput of 200Mbps to 3Gbps.
  • SSL back-end encryption: data from the Netscaler to the server is also encrypted, giving end-to-end security.
  • Transparent SSL mode, in two variants: service based and VIP based. The former has its own configuration and certificate for each server; the latter manages the whole server farm with a single certificate, saving resources.
Infrastructure
    Inline (two-arm) mode
    One-arm mode
    SSL bridge: note that in this mode all traffic passing through the Netscaler stays encrypted, so the other LB features cannot take effect.
Keys and Certificates
    An SSL certificate is a digital data form (X509) that identifies a particular company (domain) or an individual.
    An SSL key is the private component of the public-private key pair used in asymmetric key encryption (public key encryption).
    Sources of the cert and key files
    There are three ways to obtain SSL certificates and keys:
    1. You can obtain an SSL certificate from an authorized Certificate Authority (CA), such as VeriSign.
    Step 1: Generate an RSA or DSA key file first.
    You generate an RSA key by entering the following command:
    create ssl rsakey <keyFile> <bits> [-exponent (3|F4)] [-keyform (DER|PEM)] [-des] [-des3] [-password <string>]
    You generate a DSA key by entering the following command:
    create ssl dsakey <keyFile> <bits> [-keyform (DER|PEM)] [-des] [-des3] [-password <string>]
    Step 2: Create and submit a Certificate Signing Request (CSR) to the CA.
    create ssl certreq <reqFile> -keyFile <keyFile>
    Then email the resulting CSR to the CA and obtain the .key and .cert files back from the CA by email.
    Step 3: Install the certkey
    add ssl certkey <certkeyName> -cert <certFile> [-key <keyFile>] [-fipsKey <fipsKeyName>] [-inform (DER|PEM)] [-password]
    2. You can use an existing SSL certificate and key.
    a) Transfer the .key and .cert from the web server to the Netscaler with FTP; always use binary mode for the file transfer.
    The Netscaler supports both PEM and DER formats for .key and .cert files, but the .key and .cert must be in the same format for the install to succeed. If they are in different formats, convert one of them first.
    For example, use the openssl tool to convert a DER-format .key file into a PEM-format .key file:
    openssl pkcs8 -in keyfile.der -inform DER -out keyfile.pem -outform PEM
    b) Install the .key and .cert as a single certkey object
    add ssl certkey <certkeyName> -cert <certFile> [-key <keyFile>] [-fipsKey <fipsKeyName>] [-inform ( DER | PEM )] [-password]
    For example, with an unencrypted .key file:
    add certkey cert1 -cert /nsconfig/ssl/cert1024.pem -key /nsconfig/ssl/rsa1024.pem
    For example, with an encrypted .key file:
    add certkey cert1 -cert /nsconfig/ssl/cert1024.pem -key /nsconfig/ssl/rsa1024.pem -password
    Password: *******
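A pre-flight check for the same-format rule above, as an added example that is not Netscaler code: it sniffs whether each file body is PEM or DER, refuses a mismatched pair, and builds the add ssl certkey line, appending -password only when the PEM key carries an encryption header. The sample file bodies are constructed placeholders, and the paths reuse the cert1 example from this page.

```python
# Added example: pre-flight check for "add ssl certkey"; inputs are file bodies as bytes.
# Constructed sample bodies; the base64 text is a placeholder, not a real cert or key.
SAMPLE_PEM_CERT = (b"-----BEGIN CERTIFICATE-----\n"
                   b"MIIBszCCAVwCAQAwDQYJKoZIhvcNAQEFBQAw\n"
                   b"-----END CERTIFICATE-----\n")
SAMPLE_PEM_KEY_PLAIN = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                        b"MIICXAIBAAKBgQ\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_PEM_KEY_ENC = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                      b"Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
                      b"MIICXAIBAAKBgQ\n-----END RSA PRIVATE KEY-----\n")
# Minimal well-formed DER: SEQUENCE { INTEGER 5 }, and a 128-byte long-form SEQUENCE.
SAMPLE_DER_SHORT = b"\x30\x03\x02\x01\x05"
SAMPLE_DER_LONG = b"\x30\x81\x80" + b"\x05\x00" * 64


def detect_format(data):
    """Return 'PEM', 'DER' or 'UNKNOWN' for a certificate or key file body."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    # DER: the whole file is one SEQUENCE (tag 0x30) whose encoded length
    # covers exactly the remaining bytes; otherwise it is truncated or not DER.
    if len(data) >= 2 and data[0] == 0x30:
        first = data[1]
        if first < 0x80:                                   # short-form length
            length, hdr = first, 2
        elif 0x81 <= first <= 0x84 and len(data) >= 2 + (first & 0x7F):
            n = first & 0x7F                               # long form: n length bytes
            length, hdr = int.from_bytes(data[2:2 + n], "big"), 2 + n
        else:
            return "UNKNOWN"
        if hdr + length == len(data):
            return "DER"
    return "UNKNOWN"


def pem_key_is_encrypted(key):
    """True when a PEM key is passphrase-protected, so the CLI needs -password."""
    return b"Proc-Type: 4,ENCRYPTED" in key or b"BEGIN ENCRYPTED PRIVATE KEY" in key


def add_certkey_command(name, cert_path, key_path, cert, key):
    """Build the add ssl certkey line, or raise when cert and key formats differ."""
    cert_fmt, key_fmt = detect_format(cert), detect_format(key)
    if cert_fmt == "UNKNOWN" or cert_fmt != key_fmt:
        raise ValueError(f"cert is {cert_fmt} but key is {key_fmt}; convert one "
                         f"first (e.g. openssl pkcs8 -inform DER -outform PEM)")
    cmd = f"add ssl certkey {name} -cert {cert_path} -key {key_path} -inform {cert_fmt}"
    if cert_fmt == "PEM" and pem_key_is_encrypted(key):
        cmd += " -password"                                # the CLI prompts for it
    return cmd
```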
    3. You can generate a new SSL certificate and key on the Application Switch.
    The Netscaler can generate the .key and .cert itself, but this is only suitable for internal testing.
    Step 1: Generate an RSA or DSA key file first.
    You generate an RSA key by entering the following command:
    create ssl rsakey <keyFile> <bits> [-exponent (3|F4)] [-keyform (DER|PEM)] [-des] [-des3] [-password <string>]
    You generate a DSA key by entering the following command:
    create ssl dsakey <keyFile> <bits> [-keyform (DER|PEM)] [-des] [-des3] [-password <string>]
    Step 2: Create and submit a Certificate Signing Request (CSR) to the CA.
    create ssl certreq <reqFile> -keyFile <keyFile>
    Then email the resulting CSR to the CA and obtain the .key and .cert files back from the CA by email.
    Step 3: Generate the certificate
    create ssl cert /nsconfig/ssl/rootcert.pem /nsconfig/ssl/rootcertreq.pem ROOT_CERT -keyFile /nsconfig/ssl/rootcertkey.pem -keyform PEM -certForm PEM
    Step 4: Install the certificate
    add certkey <certkeyName> -cert <certFile> [-key <keyFile>] [-fipsKey <fipsKeyName>] [-inform ( DER | PEM )] [-password]
Certificate chains: Sending a Chain of Certificates
    If the server certificate was issued by an intermediate CA, the client's browser will not recognise it and the SSL handshake fails. The Netscaler can send the intermediate CA's certificate to the client so that the handshake completes.
    link ssl certkey <certKeyName> <linkCertKeyName>
    certKeyName specifies the name of the server certificate
    linkCertKeyName specifies the name of the issuer's (intermediate CA's) certificate.

    First create the server's certkey

    add ssl certkey server_cert -cert /nsconfig/ssl/cert.pem -key /nsconfig/ssl/key.pem
    Then create the intermediate CA certkeys
    add ssl certkey cacert_a -cert /nsconfig/ssl/ca_a.pem
    add ssl certkey cacert_b -cert /nsconfig/ssl/ca_b.pem
    add ssl certkey cacert_c -cert /nsconfig/ssl/ca_c.pem
    Finally link the four certkeys, c > b > a > server_cert
    link ssl certkey cacert_b cacert_c
    link ssl certkey cacert_a cacert_b
    link ssl certkey server_cert cacert_a
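Deriving that link order from the certificates' subject and issuer names, as an added example that is not part of the original post: given the server certkey and the CA certkeys in any order, it walks issuer to subject up to the self-signed top certificate, emits the three link ssl certkey lines in the order shown above, and fails when an issuer is missing (the case in which the browser cannot complete the handshake). The subject/issuer names are constructed; on a real appliance they would come from openssl x509 -noout -subject -issuer on each PEM file.

```python
# Added example: compute the "link ssl certkey" order from subject/issuer names.
# Constructed data mirroring the page: cacert_c > cacert_b > cacert_a > server_cert.
CERTKEYS = {  # certkey name -> (subject, issuer)
    "server_cert": ("CN=www.example.com", "CN=Example Issuing CA A"),
    "cacert_a": ("CN=Example Issuing CA A", "CN=Example Policy CA B"),
    "cacert_b": ("CN=Example Policy CA B", "CN=Example Root CA C"),
    "cacert_c": ("CN=Example Root CA C", "CN=Example Root CA C"),  # self-signed top
}


def build_chain(server_name, certkeys):
    """Walk issuer links upward from the server cert and return the chain of
    certkey names, leaf first, ending at the self-signed certificate.
    Raise LookupError if an issuer is missing or the links form a loop."""
    by_subject = {subj: name for name, (subj, _issuer) in certkeys.items()}
    chain = [server_name]
    while True:
        subj, issuer = certkeys[chain[-1]]
        if subj == issuer:                      # self-signed: top of the chain
            return chain
        nxt = by_subject.get(issuer)
        if nxt is None:
            raise LookupError(f"no certkey with subject {issuer!r}: clients could "
                              f"not build the chain and the handshake would fail")
        if nxt in chain:
            raise LookupError(f"issuer loop at {nxt}")
        chain.append(nxt)


def link_commands(chain):
    """Emit the link lines top-down, as on the page: each certkey is linked to
    the certkey of its issuer, starting just below the top certificate."""
    top_down = chain[::-1]                       # top certificate first
    return [f"link ssl certkey {lower} {upper}"
            for upper, lower in zip(top_down, top_down[1:])]
```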
Updating an existing certkey
    The Netscaler can update an existing certkey without an outage.
    Just place the new .key and .cert in the right location and run the update command:
    update ssl certkey <certkeyName> [-cert <certFile>] [(-key <keyFile> [-password]) | -fipsKey <fipsKeyName>] [-inform (DER|PEM)] [-noDomainCheck]
    Without a password:
    update ssl certkey siteAcertkey -cert /nsconfig/ssl/cert.pem -key /nsconfig/ssl/pkey.pem
    With a password:
    update ssl certkey siteAcertkey -cert /nsconfig/ssl/cert.pem -key /nsconfig/ssl/pkey.pem -password
    Update using the existing parameters and the existing .key and .cert:
    update ssl certkey mydomaincert
Creating an SSL VIP
Creating an SSL VIP for Load Balancing
    1. Enable the Load Balancing and SSL Off-Loading features.
    enable ns feature SSL LB
    2. Define a server and service.
    The service can be HTTPS:
    add service SSLService 192.168.1.10 SSL 443
    or the service can be HTTP:
    add service src1 s1 HTTP 8080
    What is the difference? If the service is HTTPS, you get end-to-end encryption.
    3. Bind monitors to services (optional).
    4. Define a load balancing SSL virtual server.
    The LB VIP is HTTPS so that the certkey can be bound directly to the LB VIP.
    add vserver ssl_vip SSL 192.168.1.10 443
    5. Bind the load balancing virtual server to the services.
    Only HTTP or SSL services can be bound to an SSL virtual server. Bind the HTTP services for SSL Off-Loading with clear-text data on the backend, and bind the SSL services for SSL Off-Loading with encrypted data on the backend.
    6. Set load-balancing policies (optional).
    By default a load-balancing virtual server is created with LEASTCONNECTION as the load balancing policy. When session persistence is enabled, all client requests from the same client are served by the same server. The server belongs to a web server farm that is being load balanced. Persistence can be enabled for virtual servers. Session persistence is useful when a user needs to keep a connection to the same server until the user is done with their transactions (such as when building a shopping cart).
    7. Bind a server certificate and key for the virtual server.
    bind certkey <vServerName> <certkeyName> [-CA] [-vServer|-service]
    [-CA]: This argument indicates that the certificate-key pair being bound is a CA certificate. If this option is not specified, the certificate-key pair is bound as a normal server certificate.
    [-vServer|-service]: Select the -vServer flag to indicate that the certificate is to be bound to an SSL vserver, or select the -service flag to indicate that the certificate is to be bound to an SSL service. By default, the certificate is bound to the vServer.
    8. Set server persistency (optional).
    9. Set advanced SSL configuration (optional).
    10. Save the configuration.
Creating an SSL VIP for Content Switching
    1. Enable the Content Switching, Load-Balancing, and SSL Off-Loading features.
    enable feature CS LB SSL
    2. Define a server and service
    add service src1 s1 HTTP 8080
    add service src2 s2 HTTP 8080
    Note that the services are HTTP, so traffic between the Netscaler and the services is in cleartext.
    3. Define a load balancing virtual server
    add vserver html_vip HTTP 192.168.1.10 80
    4. Bind the load balancing virtual server to the service
    bind lb vserver html_vip src1
    bind lb vserver html_vip src2
    5. Set the load balancing policies (optional)
    add expression url_expr1 "URL EQ /*.cgi"
    add expression url_expr2 "URL EQ /*.asp"
    add cs policy cs_pol_dynamic rule "url_expr1||url_expr2"
    6. Define a content switching virtual server
    add cs vserver ssl_cs_vip SSL 10.102.1.100 443
    7. Define content switching policies
    bind cs vserver ssl_cs_vip html_vip -policy cs_pol_dynamic
    8. Bind server certificate and key for the virtual server.
    Bind the .cert and .key to the CS VIP:
    bind certkey ssl_cs_vip siteAcertKey
    9. Advanced SSL configuration (optional).
    10. Save the configuration.
End-to-End encryption
    Without a Netscaler, the server has to perform a separate handshake, encryption and decryption for every HTTPS request.
    With a Netscaler, one or a few SSL sessions can be set up between the Netscaler and the server, and the HTTPS requests arriving from clients are multiplexed onto those Netscaler-to-server SSL sessions. This saves the server a great deal of handshake time and CPU, because the full handshake is a CPU-intensive task.
    This feature is what is called back-end security.
    To use it: if the service was created as HTTPS, back-end security is enabled; otherwise traffic between the Netscaler and the server is ordinary cleartext.
    For LB + back-end security only, both the LB VIP and the service must be of SSL type.
    For CS + LB + back-end security, the service and the CS VIP must be of SSL type while the LB VIP is HTTP; note that an HTTP-type LB VIP can bind an SSL-type service.
    For transparent SSL acceleration, service-based SSL acceleration does not support back-end encryption; VIP-based does. Transparent SSL acceleration requires two-arm mode.
    If the LB VIP is HTTP and the service behind it is SSL, then after binding, HTTP requests to the VIP are cleartext and VIP-to-service traffic is encrypted.
    When back-end encryption is not in use, the client's HTTPS request is converted by the VIP into an HTTP request to the server. If the content the client requested is redirected, e.g. with code 302, the server sends the redirect URL as http://. When the client receives the new redirect URL, the URL is http while the client-to-VIP connection is actually HTTPS, so SSL redirects are needed:
    set ssl vserver <vServerName> -ssl_redirect ENABLE
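What the SSL redirect setting has to do, modelled as an added example (not the appliance's implementation): the VIP inspects a 301/302/303/307 response coming back from the HTTP service and rewrites an http:// Location header to https:// when the host is one the VIP serves. The response bytes and the host list are constructed; rewriting only the VIP's own hosts and leaving non-default ports untouched are this model's assumptions.

```python
import re

# Constructed sample: a redirect as the back-end HTTP service returns it after
# the VIP has converted the client's HTTPS request into plain HTTP.
SAMPLE_302 = (b"HTTP/1.1 302 Found\r\n"
              b"Server: Apache\r\n"
              b"Location: http://www.example.com/account/login\r\n"
              b"Content-Length: 0\r\n"
              b"\r\n")
SAMPLE_200 = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"

REDIRECT_CODES = {"301", "302", "303", "307"}
# http:// URL with no port or the default port 80; group 1 is the host, group 2 the path
HTTP_URL = re.compile(r"^http://([^/:\s]+)(?::80)?(/.*)?$", re.IGNORECASE)


def rewrite_ssl_redirect(raw, vip_hosts):
    """Return (response, changed). Rewrites http:// to https:// in the Location
    header of a redirect from a back-end HTTP service when the host is served
    by this SSL VIP, so the client is not sent back over cleartext."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2 or parts[1].decode("ascii", "replace") not in REDIRECT_CODES:
        return raw, False                        # not a redirect: pass through
    changed = False
    for i, line in enumerate(lines[1:], start=1):
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"location":
            continue
        m = HTTP_URL.match(value.strip().decode("ascii", "replace"))
        if m and m.group(1).lower() in vip_hosts:
            new_url = f"https://{m.group(1)}{m.group(2) or '/'}"
            lines[i] = b"Location: " + new_url.encode("ascii")
            changed = True
    return b"\r\n".join(lines) + sep + body, changed
```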
    In SSL bridge mode the Netscaler does not accelerate SSL; it only passes the encrypted SSL sessions through, which is mainly worthwhile when the servers have hardware PCI SSL accelerator cards. In this mode the Netscaler only does load balancing and server persistency; other features such as Content Switching and SureConnect cannot be used because the traffic is encrypted.
    Note that the SSL feature is not enabled:
    enable feature LB
    add server s1 192.168.1.100
    add server s2 192.168.1.102
    add service src1 s1 SSL_BRIDGE 443
    add service src2 s2 SSL_BRIDGE 443
    add vserver ssl_bridge_vip SSL_BRIDGE 192.168.1.10 443
    bind lb vserver ssl_bridge_vip src1
    bind lb vserver ssl_bridge_vip src2
    Note: During unbinding or overwriting of server certificates, all connections and SSL sessions created using the certificate will get terminated. While overriding an existing certificate, the CLI or GUI displays a warning message:
    ERROR: Warning: Current certificate replaces the previous binding