SSL.

1 SSL

2 SSL Certificates

3 Overview
Topics in this module include:
  SSL and Digital Certificates
  SSL Administration
  SSL Deployment Decisions
  Deployment Scenarios
  SSL Offload Configurations
  Advanced SSL Settings

4 SSL and Digital Certificates
  The SSL protocol is a session layer encryption and authentication protocol
  SSL uses digital certificates to verify the identity of the holder

5 SSL Offload
The NetScaler system offers:
  High-performance SSL offload
    Sustains 6 Gbps bulk encryption
    Supports up to 48,000 transactions per second
  A complete solution
    Rich traffic management feature set
    SSL VIP
    Transparent SSL
    Backend encryption

6 SSL Administration
An SSL certificate can be obtained by:
  Requesting a certificate and key from a CA
  Using an existing SSL certificate and key
  Generating a new SSL certificate and key

7 SSL Session Process

8 SSL Keys
Keys must be generated in the following situations:
  Before generating and submitting a CSR to a CA
  Before generating a self-signed certificate for testing purposes

9 SSL Certificates
The NetScaler system certificate tools can generate:
  Root CA certificates
  Intermediate CA certificates
  Server certificates
  Client certificates

10 Certificate Key Pairs
  A certificate must be paired with its corresponding key
  The certificate key pair is referred to as the certkey on the NetScaler system
  The certkey is then bound to the virtual server and used for SSL processing

11 SSL Deployment Decisions
Required components and settings include:
  A defined SSL termination point
  A server certificate installed on the NetScaler system
  The root, intermediate and client certificates installed on the client, depending on environmental needs
  The appropriate servers, services and virtual servers configured on the NetScaler system

12 Termination Points
SSL transactions can be terminated on the:
  Citrix NetScaler Application Switch
  Citrix Application Firewall
  Network Firewall
  Web server

13 Deployment Scenarios
  Front-end SSL with back-end HTTP
  Front-end SSL with back-end SSL
  Front-end SSL_TCP over SSL with back-end TCP
  SSL Bridge

14 Deploying Front-End SSL with Backend HTTP
Requirements include:
  An installed certificate-key pair
  A load balancing virtual server using the SSL protocol
  One or more HTTP services associated with backend web servers

15 Deploying Front-End SSL with Backend SSL
Requirements include:
  An installed certificate-key pair
  A load balancing virtual server
  An SSL service or services

16 Deploying Front-end SSL_TCP with Back-end TCP
Requirements include:
  An installed certificate-key pair
  A load balancing virtual server using the SSL_TCP protocol
  A TCP service or services

17 Deploying SSL_BRIDGE
Requirements include:
  A load balancing virtual server using the SSL_BRIDGE protocol
  An SSL_BRIDGE service or services associated with back-end web servers

18 Configuring SSL Offload

19 SSL Virtual Servers
SSL virtual servers:
  Accept encrypted traffic
  Decrypt the traffic
  Send clear text messages to the services bound to the vserver

20 SSL - Certificate Flow Chart
Request New Cert:
  Generate Key (SSL->Cert Management: Create RSA/DSA Key)
  Generate Request (SSL->Cert Management: Create Certificate Request)
  Submit to CA and Receive Cert
  Load Cert / Key (SSL->Certificate Key Pair)
Create New Cert:
  Generate Key (SSL->Cert Management: Create RSA/DSA Key)
  Generate Request (SSL->Cert Management: Create Certificate Request)
  Create Certificate (SSL->Cert Management)
  Load Cert / Key (SSL->Certificate Key Pair)
Use Existing Cert:
  Transfer Cert to /nsconfig/ssl
  Convert Cert to PEM/DER if needed
  Load Cert / Key (SSL->Certificate Key Pair)
Depending on the organization's needs for the SSL virtual server, different pages of the SSL configuration interface will need to be used. In the flow charts above, each step that is performed in the GUI SSL configuration interface is annotated with the page used for it.

21 SSL Offload

22 SSL – What Is It
  Broad use across websites and applications: retailers, financial institutions, VPNs
  Secure Sockets Layer/Transport Layer Security; TLS is the current version
  SSL developed by Netscape Communications
We all likely use SSL or talk about this protocol every day, whether in our personal lives doing online banking, buying a pair of jeans or the newest album from Amazon, or in our professional lives logging into employers' VPNs. But what is it? SSL or TLS is a set of cryptographic protocols that provide security over the internet. At a high level this is done by encrypting network traffic, using a process of key exchange to ensure privacy. They make significant use of certificate authorities. Once your browser requests a secure page, essentially when the user adds the "s" onto "http," the browser sends out the public key and the certificate, checking for three things: that the certificate comes from a trusted party; that the certificate is currently valid; and that the certificate has a relationship with the site from which it's coming. End users at browsers can typically tell that SSL is in use by some change in the browser's appearance. At the risk of dating myself, in the olden days a padlock symbol let you know that you were using encryption; now you typically get a color change in the address bar area reflecting the status. (The browser then uses the public key to encrypt a randomly selected symmetric key. Public-key encryption takes a lot of computing, so most systems use a combination of public-key and symmetric-key encryption. When two computers initiate a secure session, one computer creates a symmetric key and sends it to the other computer using public-key encryption. The two computers can then communicate using symmetric-key encryption. Once the session is finished, each computer discards the symmetric key used for that session. Any additional sessions require that a new symmetric key be created, and the process is repeated.)
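The parenthetical note above describes the hybrid exchange (a random symmetric key wrapped with the server's public key, then bulk traffic under the symmetric key). The shell script below is an added illustration of that exchange driven through the openssl command line; it is not part of the presentation and not a NetScaler feature. It assumes openssl (1.1.1 or newer, for -pbkdf2) is on PATH and that the caller supplies a scratch directory; all file names and the sample request are this example's own.

```shell
#!/bin/sh
# Added example (not from the presentation): toy model of "public key wraps a
# random symmetric key, then bulk traffic uses the symmetric key", via openssl.
set -eu

# "Server" side: an RSA key pair. The public half is what the server's
# certificate would carry to the browser.
make_server_keypair() {
  dir=$1
  openssl genrsa -out "$dir/server.key" 2048 >/dev/null 2>&1
  openssl rsa -in "$dir/server.key" -pubout -out "$dir/server.pub" >/dev/null 2>&1
}

# "Client" side: pick a fresh random session key and wrap it with the server's
# public key. Only the wrapped copy (session.key.enc) goes over the wire.
client_wrap_session_key() {
  dir=$1
  openssl rand -hex 32 > "$dir/session.key"
  openssl pkeyutl -encrypt -pubin -inkey "$dir/server.pub" \
      -in "$dir/session.key" -out "$dir/session.key.enc"
}

# Server side: only the holder of the private key can unwrap the session key.
server_unwrap_session_key() {
  dir=$1
  openssl pkeyutl -decrypt -inkey "$dir/server.key" \
      -in "$dir/session.key.enc" -out "$dir/session.key.server"
}

# Bulk data is protected with the shared symmetric key (AES-256-CBC here; the
# key is derived from the hex string with PBKDF2).
encrypt_with_session_key() {   # keyfile plaintext ciphertext
  openssl enc -aes-256-cbc -pbkdf2 -pass "file:$1" -in "$2" -out "$3"
}
decrypt_with_session_key() {   # keyfile ciphertext plaintext
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$1" -in "$2" -out "$3"
}

# Runs one session end to end and prints "match" when the server recovered the
# same session key and the decrypted request equals what the client sent.
run_session() {
  dir=$1
  make_server_keypair "$dir"
  client_wrap_session_key "$dir"
  server_unwrap_session_key "$dir"
  # constructed sample request (not from any real capture)
  printf 'GET /account HTTP/1.1\r\nHost: bank.example\r\n\r\n' > "$dir/request.txt"
  encrypt_with_session_key "$dir/session.key" "$dir/request.txt" "$dir/request.enc"
  decrypt_with_session_key "$dir/session.key.server" "$dir/request.enc" "$dir/request.dec"
  if [ "$(cat "$dir/session.key")" = "$(cat "$dir/session.key.server")" ] &&
     [ "$(cat "$dir/request.txt")" = "$(cat "$dir/request.dec")" ]; then
    echo match
  else
    echo mismatch
  fi
}

# Prints "opaque" when the on-the-wire ciphertext no longer contains the request line.
wire_leaks_plaintext() {
  if grep -q 'GET /account' "$1"; then echo leaks; else echo opaque; fi
}
```

Run it with `D=$(mktemp -d); run_session "$D"; wire_leaks_plaintext "$D/request.enc"`. Because each session picks a new random key, the server's long-lived private key is only ever used to unwrap short-lived session keys, which is the point the note above makes about discarding the symmetric key at the end of a session.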

23 NetScaler Basic SSL Configuration
Basic NetScaler SSL entities
  Services
  Service Groups
  vServers
SSL-specific entities include services, service groups (which are essentially a group of services that are configured in the same way), vservers and associated monitors. I'm not going to review the monitors today but will add a link for further review in the resources section. The setup of these entities is very similar to that of non-SSL entities. The additional steps in setting these up are around the certificates: installing them on the NS and binding them to the entities.

24 NetScaler Basic SSL Configuration
Installing SSL Certificates
  Done via GUI or CLI
  CLI Example:
    > add ssl certKey sslckey -cert server_cert.pem -key server_key.pem -password ssl
     Done
These steps can be completed through either the CLI or the GUI, whichever you are most comfortable using. Here is the CLI installation; as you can see it's pretty basic, but there are more options that you can find in the links in the resources section. One note: there are steps to installing a new certificate. You will need to physically place the file on the NetScaler and then add it to the system for binding to the appropriate entities. If you are using the CLI you'll need to transfer the certificate to the NS, typically via SCP, to the /nsconfig/ssl directory. Note: Certificates and keys are stored in the /nsconfig/ssl directory by default. If your certificates or keys are stored in any other location, you must provide the absolute path to the files on the NetScaler appliance. I've made a couple of assumptions here: that the system has the SSL feature enabled, and that the certificate exists already, either procured from your favorite provider, whoever that is, or, if you have decided to offload SSL processing from an existing web server, exported from that server as required. There is a step-by-step guide for converting certificates for import available on the Citrix Support Website; check out the SSL Configuration link in the resources section of this presentation. You also have the option of creating the signing request directly on the NS for transmittal to your preferred certificate provider, and of creating a self-signed certificate and key on the NS. Note: This is only for testing purposes; a self-signed certificate/key combo should never be used for any type of production purposes.

25 NetScaler Basic SSL Configuration
Here I am showing the SSL installation screen from the GUI. This screen presents all of the available options for installing certificates, including a method of transferring the certificate to the NS at the same time you configure it. There are two options to do that: to browse for the certificate from your local machine, click the down arrow next to the Browse Appliance button to change it to browse local; additionally, you can use the insert function and copy the certificate text directly into the popup window. You'll want to be careful here as far as how you open the certificate: some text editors will add carriage returns that you might not see. Notepad++ and Notepad don't do this, but typically the more document-based apps will (WordPad is one of these). Once you've included all the required options, click Install and the file will be transferred (if not already on the NS) and will then be available for binding to your services and/or vservers.

26 NetScaler Basic SSL Configuration
Service
  add service svc-red SSL 443
Binding certificate
  bind ssl service svc-red -certkeyName et-test-client ctky
Service configuration for SSL type services is not much different from the configuration for other types of services. With SSL end-to-end configuration, services need to provide a certificate to use with the backend, as the clients do for the vservers. We do this by installing a valid certificate, as we saw, and then binding it to the service. Again, this certificate will be used for the communication between the NS and the backend server.

27 NetScaler Basic SSL Configuration
vServer
  add lb vserver vsvr_rgb1_250_443 SSL
Binding Certificate
  bind ssl vserver vsvr_rgb1_250_443 -certkeyName et-test-server-1024.certkey
Vserver configuration is again very similar to non-SSL: we specify the vserver name, type of SSL, IP and port, 443 by default. Again here we need to bind a certificate for the vserver, as in the service. This will be a server certificate that the client will check against to verify the identity of the server. It's important to note the step of certificate binding, as SSL vservers will not come up, even if the services are up, if there is no certkey bound. This is an issue that, while uncommon, is reported to the Support team from time to time. The system reports this in the output of show lb vserver in the CLI and in the vserver configuration screen: the vserver will be in the DOWN state and you'll see Certkey Not Bound in the display/output. Once you have the certkeys bound and the backend servers are responding to the monitors, everything should be up and ready to go. There are many more options for SSL configuration that I won't cover here. The resources section has a link to the SSL section of the NetScaler configuration guide, which contains everything I've covered here and all of the additional options as well. There is one additional certificate configuration option that I do want to touch on today, and that is linking or chaining of certificates.

28 NetScaler SSL Configuration
Certificate Chaining
  Used for verifying a CA not recognized by standard browsers
  Without the chain the SSL session will terminate
  Configuration Ex:
    > link ssl certKey cert-inter-A ca-certkey
Creating a chain of certificates is required when the server certificate is issued by an intermediate certificate authority that is not recognized by standard browsers as a trusted certificate authority. To overcome this you need to send the CA certificate to the client in addition to the server certificate. The client browser will then use the cert that it trusts to trust the untrusted intermediate authority certificate. Without the chain being presented to the client, the SSL session will be terminated, as the client will not be able to complete the SSL portion of the handshake. The chain of certificates is exactly what it sounds like and is configured as you might think: we link the server certificate to its issuer (the intermediate certificate). So for this to work you will need to install the intermediate CA cert on the NS as previously discussed. Regardless of how many links are configured, one of the certificates in the chain must be trusted by the client for the chain to be effective. For example, you can link intermediate-cert-a to intermediate-cert-b, which is linked to intermediate-cert-c, which is trusted by the client application. Now this leads me to two important points. There is a limit to the number of certificates or links in the chain: NS supports sending up to 10 certificates in a chain for client-side presentation (9 CA and 1 server). As you get closer to the limit it is important to keep a logical progression of the certificates so that you don't leave out the certificate that is trusted by the client. A common issue with chains is a missing link to the trusted certificate, which can leave you unable to complete connections. There are more details on this topic in the links in the resources section, including a walkthrough of the setup via the GUI.
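To see the "missing link" failure described above outside the appliance, the script below (an added example, not from the presentation or from Citrix) builds a root -> intermediate -> server chain with the openssl command line and then plays the client's check twice: once with the intermediate presented, as a certkey link on the NetScaler would do, and once with only the server certificate. It assumes openssl on PATH and a scratch directory supplied by the caller; the CA names, hostname and file names are made up for the example.

```shell
#!/bin/sh
# Added example (not from the presentation): why a chain link must be presented.
set -eu

build_chain() {
  dir=$1
  # Extensions that mark a certificate as a CA; used for root and intermediate.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  # Root CA: self-signed. This is the only certificate the client trusts.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
      -keyout "$dir/root.key" -out "$dir/root.csr" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$dir/root.csr" -signkey "$dir/root.key" \
      -extfile "$dir/ca.ext" -out "$dir/root.pem" >/dev/null 2>&1
  # Intermediate CA: its CSR is signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
      -keyout "$dir/inter.key" -out "$dir/inter.csr" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
      -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/inter.pem" >/dev/null 2>&1
  # Server certificate: issued by the intermediate, not by the trusted root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
      -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$dir/server.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
      -CAcreateserial -out "$dir/server.pem" >/dev/null 2>&1
}

# Models the client-side check. The client trusts only root.pem. With mode "full"
# the server also presents inter.pem (what the certkey link provides); with
# "server-only" the link is missing. Prints "ok" or "missing-link".
check_presented_chain() {
  dir=$1; mode=$2
  if [ "$mode" = full ]; then
    untrusted="-untrusted $dir/inter.pem"
  else
    untrusted=""
  fi
  # $untrusted is intentionally unquoted so an empty value adds no argument.
  if openssl verify -CAfile "$dir/root.pem" $untrusted "$dir/server.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo missing-link
  fi
}

# The bundle as the server would send it (server cert first, then its issuer),
# and how many certificates that is; the limit quoted above is 10 per chain.
presented_bundle() {
  dir=$1
  cat "$dir/server.pem" "$dir/inter.pem" > "$dir/chain.pem"
  grep -c 'BEGIN CERTIFICATE' "$dir/chain.pem"
}
```

Run `D=$(mktemp -d); build_chain "$D"; check_presented_chain "$D" full; check_presented_chain "$D" server-only`. The second call fails with openssl's "unable to get local issuer certificate", which is the same condition a browser hits when the appliance's chain stops short of a certificate the client trusts.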

29 SSL Troubleshooting
Now that we've got everything configured, bound and linked, we're all good, right? Well, not all the time, and that's really why we are here. The main stumbling block is that we've been very careful to set up encryption and privacy of the traffic flows for this setup, and now we need tools and visibility to see why it isn't working. Since at its core we are really talking about client/server network traffic, one option that we have is HTTP header traces taken at the client side.

30 NetScaler SSL Troubleshooting – Client Side
  In many cases it is useful to view the HTTP headers when debugging various problems
  Two free tools are available that are very useful for this task and easy to use:
    Live HTTP Headers for Mozilla/Firefox
    IE HTTP Headers for Internet Explorer
  Header review is a well known and effective method of troubleshooting connections for:
    Persistence failures when using cookie persistence
    Isolating authentication issues
    Backend server response issues
There are tools for the most popular browsers in use that many of you are very familiar with, so I'll just touch on them briefly as part of today's discussion. We'll review Live HTTP Headers for Firefox and IE HTTP Headers for Internet Explorer.

31 NetScaler SSL Troubleshooting – Client Side
Live HTTP Headers for Firefox is available at the link here, and it's also in the resources section; plus you can download it right from the browser as with other add-ons. Here's a screenshot which I am sure many of you are familiar with. Once installed, use the Tools -> Live HTTP Headers option to start capturing headers. You'll get a pop-up window which shows all HTTP request and response headers as shown. If desired, you can filter which requests will be captured as well. The IE-based tool looks very similar.

32 NetScaler SSL Troubleshooting – Client Side
ieHTTPHeaders is available at the link shown. After installation, use View -> Explorer Bar -> ieHTTPHeaders to display the view pane, and you'll see that it looks and works much like the Firefox tool. These two tools will give you the client view of the connection as it happens. As with other HTTP connections you'll be able to see the server responses, but you will be missing the SSL details, as everything is decrypted for the client before the headers are displayed. So, as useful as this information can be, the SSL handshake and the certificate exchange are still missing. Both of these tools allow you to save the headers for later review and/or sharing with others. The Firefox and IE tools are the most popular of this nature, mostly due to the popularity and ubiquitous nature of the two browsers. As many admins use Google Chrome, we can get similar behavior there as well.

33 NetScaler SSL Troubleshooting – Client Side
Here's the screenshot of the Chrome built-in feature. Header reviews are not the only client-side option available. You also have the option, and will often be asked by support, to get client-side packet captures as well, and for that I typically use Wireshark, which we'll cover in a few slides. Now let's move to the NS side and review the available options we have there, as there are a few more options at this connection point.

34 Troubleshooting Encrypted SSL Connections
Few options
NetScaler based options: Connection Table
  Available in both CLI and GUI
  CLI:
    NS10> show connectiontable "DESTIP = "
    SRCIP SRCPORT DSTIP DSTPORT SVCTYPE IDLTIME STATE
    SSL ESTABLISHED C
     Done
Since the packet data is encrypted at this point there are just a few options for troubleshooting, but we aren't dead in the water here. TCP layer and below information will be viewable in nstcpdump and nstrace files. We can also verify the connections by reviewing the connection table on the NS. In the GUI this information is located under the System tree, Diagnostics, and at the bottom of the right panel you'll see a section titled Monitor Connections; TCP/IP connections is obviously what we are looking for here. There's a screenshot in the next slide. Here I am showing the CLI output of the show connectiontable command filtered by destination IP for brevity; I'll show a screenshot of the GUI on the next slide. Both the GUI and CLI give you the TCP connection information: source and destination IP/port, service type, which for this case will be SSL, and the state. Here you can see that the state is ESTABLISHED, which indicates a successful TCP connection. You can add a wealth of information that can prove valuable by adding -detail full to the show connectiontable command in the CLI and by checking the appropriate checkboxes in the GUI. This will give you full details ranging from the basics to window sizes, HTTP version and response codes. In my examples I am filtering on destination IP; there are other filters available, and I'd recommend using a filter or the connection table will tend to get unwieldy and not very useful.

35 Troubleshooting Encrypted SSL Connections
Show connection table in GUI: here is the GUI output of the connection table, with the checkboxes I mentioned previously just under the filter window. Now let's move on to the packet level tools available on the NetScaler: nstcpdump and nstrace.

36 Troubleshooting Encrypted SSL Connections
Packet Level Analysis: nstcpdump
  nstcpdump.sh -ni eth0 dst host
  Setting 1000 pages (8000 KB) of trace buffers ... Done.
  Enabling all nic trace mode= Done.
  Changing trace packet length from 0 to Done.
  Saving current trace data in file 'pipe' ... in TCPDUMP format
  reading from file -, link-type EN10MB (Ethernet)
  18:20: IP > : P : (633) ack win
  18:20: IP > : . ack 244 win 65457
  18:20: IP > : P 633:1252(619) ack 244 win 65535
  18:20: IP > : . ack 1969 win 65284
There are two options available for packet level analysis on the NS, as I mentioned. nstcpdump is standard tcpdump with a wrapper around it to allow for some NetScaler specifics, and nstrace is the tool used for creating capture files for deeper analysis. Typically the support team will ask for nstrace captures, as it adds additional information into the trace that the nstcpdump output will not have; they will give you the syntax to use for each case. As you can see, the screen output is what you'll see elsewhere when using tcpdump. nstcpdump takes standard tcpdump syntax filters, and beginning in version 9 of the NS code nstrace has added some filtering as well. I'll review the options for these commands in detail in later slides. Tcpdumps are widely used for troubleshooting, and here we can get live data on the layer 3 connectivity, but we will still be limited to confirming whether the TCP connection is working or not. What we need is a way to view the packet data to see where in the connection the issue lies. Normally this is done using a protocol analyzer; the most widely used is Wireshark.

37 Troubleshooting Encrypted SSL Connections
Wireshark Capture: still limited when the flow is encrypted. Here we see the captured packets in Wireshark. It's still encrypted and we are still limited to the layer 3 information. We get the additional info provided by the descriptions: we can see the amount of time requests and responses take, the order, and missing packets if any (there are none missing here). However, the encrypted nature of this traffic is still a major stumbling block. The L3 info is great, as is the timing of the packets if that is the issue, but what if your problem is data related or authentication related? We need to see the information contained in the packets for this. Wireshark provides users a method of decoding the traffic, exposing the data above L4 for review. This can be a lifesaver for you and requires just a few steps to accomplish, which I'll review.

38 Decoding SSL Traffic with Wireshark

39 Decoding SSL Packet Captures with Wireshark
Before we get to the session or vserver specific information there are a few settings we will want to verify in Wireshark to ensure a smooth and logical decryption process. There are settings for the three protocols involved here: IP, TCP and SSL. These are typically default settings, but it makes sense to check before the decryption to avoid issues and frustration later on. So go to Edit, Preferences and drop down the Protocols menu. There is a good number, so you'll need to scroll down to and select each protocol in turn.
  IP: make sure that "Reassemble fragmented IP datagrams" is checked.
  TCP: there are two here. "Validate the TCP checksum if possible" should be unchecked, and "Allow subdissector to reassemble TCP streams" should be checked.
  SSL: there are two as well, and both should be checked: "Reassemble SSL records" and "Reassemble SSL Application Data spanning multiple SSL records".
If you need to change these default settings, it is possible to save the settings as a configuration profile, for either this set, what you normally use, or both. Now that we have Wireshark set we can add the session or vserver specific info.

40 Decoding SSL Packet Captures with Wireshark
What you need:
  Wireshark installed with compiled SSL decryption
  SSL Server IP Address
  Port
  Key File
  Password (if required)
Decoding traffic with Wireshark requires a few key pieces of information, which should be easily accessible for you as long as you can access the NS, which I assume you can because we've taken a packet capture and downloaded it locally to your workstation. You'll need a copy of Wireshark that has the SSL decryption compiled in; the recent versions for Windows have this by default, but some versions for other OSes may not. I've added a link on how to check this, as it's a bit out of scope, as is recompiling it if you need to; there's info for that at the link as well. You'll also need the SSL vServer IP address where the client is connecting, the port (typically 443, but this is not a requirement), the key file, and the password for the key if needed. The majority of this info is readily available; typically the most difficult to get access to is the key file and any password that may be on the file. NOTE: It is not uncommon for a customer to be asked for this in the course of working with support on an SSL issue, and we are aware of the sensitivity of SSL keys for your enterprises. Internally it may be easier for you to procure the key files, do the decoding yourself, and transfer the decrypted file to the support engineer, or do a live review over GTM. These options can also be scripted and loaded as a file in Wireshark if you are doing this on a regular basis.

41 Decoding SSL Packet Captures with Wireshark
Before Decryption: in the before shot you can clearly see that the traffic is encrypted and pretty much useless for troubleshooting. With the information listed previously we can turn this encrypted data into readable information, starting with the encrypted capture opened.

42 Decoding SSL Packet Captures with Wireshark
Add collected info in Wireshark for decryption: go to Edit, Preferences, and Protocols. Scroll down the list to SSL and you'll get the SSL options screen, which is the very back layer shown here. Click the Edit button to bring up the SSL Decrypt screen, then New to add a new decrypt profile. Enter the required information in the popup. For the key location you'll need to be very specific, and there is no browse option, so I'd recommend you pick an easy place if you can; I typically use c:\sslkey for my needs. Hit OK, then Apply and OK, and Apply and OK, and you should see the traffic decoded as shown on the next slide.

43 Decoding SSL Packet Captures with Wireshark
After decryption: select a packet with data and you'll have an additional tab at the bottom entitled Decrypted SSL data. Click on this tab and you will be able to read the packet data unencrypted. Now that the traffic is readable it becomes a simpler task to troubleshoot; essentially it's an HTTP connection.
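The GUI steps on slides 39 through 42 (the IP/TCP/SSL reassembly checkboxes and the SSL decrypt entry) can also be expressed as command-line preferences for tshark, Wireshark's terminal front end, which is handy when the same capture has to be decoded repeatedly. The functions below are an added example, not from the presentation, from Citrix or from the Wireshark project. They assume tshark is installed for the decode step, that the preference names are the ssl.* ones of Wireshark 1.x/2.x (newer releases accept tls.* in their place), and that the RSA keys list file is the five-field quoted form Wireshark stores in its ssl_keys profile file; the IP, port and key path are placeholders. One caveat worth knowing before you go chasing key files: decrypting with the server's private key only works when the captured session negotiated RSA key exchange; with a DHE or ECDHE cipher suite the key file will not decrypt anything, no matter how complete the handshake is.

```shell
#!/bin/sh
# Added example (not from the presentation): Wireshark decode settings scripted for tshark.
set -eu

# One entry of Wireshark's RSA keys list, in the five-field form used by the
# "ssl_keys" profile file: "ip","port","protocol","keyfile","password"
keys_list_entry() {   # ip port protocol keyfile [password]
  printf '"%s","%s","%s","%s","%s"\n' "$1" "$2" "$3" "$4" "${5:-}"
}

# The -o preference settings that mirror the four checkboxes verified on slide 39.
reassembly_prefs() {
  printf '%s\n' \
    '-o ip.defragment:TRUE' \
    '-o tcp.check_checksum:FALSE' \
    '-o tcp.desegment_tcp_streams:TRUE' \
    '-o ssl.desegment_ssl_records:TRUE' \
    '-o ssl.desegment_ssl_application_data:TRUE'
}

# Decode a capture taken on the NetScaler against the vserver's key and list the
# HTTP requests it contains. Needs the full handshake in the capture and an RSA
# key exchange, as discussed on slide 44.
decode_capture() {   # capture vserver_ip port keyfile
  command -v tshark >/dev/null 2>&1 || { echo "tshark not found" >&2; return 1; }
  # $(reassembly_prefs) is intentionally unquoted: each "-o name:value" becomes two words.
  tshark -r "$1" $(reassembly_prefs) \
      -o "ssl.keys_list:$2,$3,http,$4" \
      -Y http.request -T fields -e http.request.method -e http.request.uri
}

# Writes a keys list file for a given vserver; Wireshark can load the same
# content via the SSL preferences dialog instead of typing it each time.
write_keys_list() {   # outfile vserver_ip port keyfile
  keys_list_entry "$2" "$3" http "$4" > "$1"
}
```

Example use: `write_keys_list ./ssl_keys 192.0.2.10 443 /tmp/sslkey/server.key` followed by `decode_capture nstrace.cap 192.0.2.10 443 /tmp/sslkey/server.key` (placeholder addresses and paths). Keep the key file on a host you control and delete it when the analysis is done, for the same reason the slide above notes support's sensitivity about SSL keys.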

44 Decoding SSL Packet Captures with Wireshark
Decoding Tips
  Vserver Config: set ssl vs test -sessReuse DISABLED -sessTimeout 120
  Full Handshake
  Passworded Key File
  Exported from Web Server
There are a few pointers for executing a successful capture that will be decrypted. On the SSL vServer you will want to make sure that SSL session reuse is disabled. Session reuse is exactly what it sounds like: at the packet level it consists of a partial handshake, because the client sends the SSL session ID with the request. You can run the following command from the command line interface of the appliance to control SSL session reuse: set ssl vs test -sessReuse DISABLED -sessTimeout 120. By default, the session reuse option is enabled on the appliance and its timeout value is 120 seconds. Therefore, if a client sends a request on another TCP connection with the earlier SSL session ID within 120 seconds, the appliance performs a partial handshake. This can limit the ability to decode the capture, since we aren't getting the full handshake. That leads me to the next one. As the previous tip alluded to, you will need to capture the entire handshake to do the decryption. The best practice for this is to have your tester (if not yourself) close their browser, start the trace on the NetScaler, and then start the client connection process. This will ensure that the entire handshake is in the file and available for decryption. This is a common cause of decryption issues, and I'll admit to not always catching this one myself. Nothing can be more frustrating when troubleshooting an issue than having to troubleshoot the capture process as well, so you'll want to be sure you don't miss these two steps. The last two I'll cover are around the keys themselves. As we discussed briefly, the key files can be password protected, which you'll need to remove, or you can include the password in Wireshark, although since we are using PEM keys on the NS this option doesn't apply to us. You can use openssl for removing the password. As I mentioned, there's a link to openssl documentation for the exact procedure in the resources section. Lastly, if you have exported the key from a web server you may need to properly extract the key. Again we'll turn to openssl to accomplish this. The resulting output file can be read by a text editor and copied into its own file for use.
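The two key-handling tips above (stripping a passphrase from a PEM key, and extracting the key from a web-server export) both come down to openssl one-liners. The script below is an added example, not from the presentation or from the openssl documentation it refers to; it assumes openssl on PATH and a scratch directory from the caller, and it builds its own constructed fixtures (an encrypted key and a .pfx built from a self-signed certificate) so the functions can be exercised without touching a real key.

```shell
#!/bin/sh
# Added example (not from the presentation): key preparation for Wireshark/NetScaler with openssl.
set -eu

# Remove the passphrase from a PEM RSA key so it loads without a password.
strip_key_passphrase() {   # encrypted_key passphrase output_key
  openssl rsa -in "$1" -passin "pass:$2" -out "$3" >/dev/null 2>&1
}

# Pull the private key, unencrypted, out of a PKCS#12 (.pfx/.p12) export such as
# one taken from a web server. The output carries "Bag Attributes" lines before
# the PEM block; openssl and Wireshark skip them, or copy the PEM block out by hand.
extract_key_from_pfx() {   # pfx_file pfx_password output_key
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3" >/dev/null 2>&1
}

# "encrypted" if the PEM still carries an ENCRYPTED marker (either the legacy
# Proc-Type header or a PKCS#8 ENCRYPTED PRIVATE KEY block), "plain" otherwise.
key_state() {
  if grep -q ENCRYPTED "$1"; then echo encrypted; else echo plain; fi
}

# "valid" if openssl can parse the key and its components check out.
key_is_valid() {
  if openssl rsa -in "$1" -noout -check >/dev/null 2>&1; then echo valid; else echo invalid; fi
}

# Constructed fixtures for a dry run: a passphrase-protected key and a .pfx
# wrapping it together with a throwaway self-signed certificate.
make_fixtures() {
  dir=$1
  openssl genrsa -aes256 -passout pass:old-secret -out "$dir/enc.key" 2048 >/dev/null 2>&1
  openssl req -x509 -new -key "$dir/enc.key" -passin pass:old-secret -days 2 \
      -subj "/CN=www.example.test" -out "$dir/cert.pem" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$dir/enc.key" -passin pass:old-secret -in "$dir/cert.pem" \
      -passout pass:pfx-secret -out "$dir/site.pfx" >/dev/null 2>&1
}
```

Typical use on a real export: `extract_key_from_pfx site.pfx 'the-export-password' server.key`, then `key_state server.key` should print plain and `key_is_valid server.key` should print valid before the file is copied to /nsconfig/ssl or pointed at from Wireshark. A plaintext key on disk is exactly as sensitive as the slide above says, so keep it on the analysis host only and remove it afterwards.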

45 NetScaler System SSL Specifics
Beyond header and packet level examination, the NetScaler offers a wealth of data for troubleshooting and issue resolution. We'll review show and stat commands in the CLI/GUI, log details and counters, and I'll review the processes that run in the BSD shell that handle the various SSL related tasks.

46 NetScaler SSL CLI Commands
  show ssl certkey <certKey name>
  show ssl stats (stat ssl)
  show ssl vserver <vserver name>
  show ssl service <service name>
  show ssl certlink
  show ssl parameter
When you do a "show" command, you generally extract a snapshot of configuration data and performance information from the NetScaler kernel. Many commands show extra data if an exact object is selected, so don't rely on the generic version to show everything available; for example, show ssl vserver shows more specific information when you specify a vserver rather than just the command itself. As you can see here I've listed the more common commands, and as we've been through the basics of configuring SSL entities on NS most of these are probably self explanatory. The show ssl stats command is an alias for stat ssl, so both will give you the same information; in fact, if you look at the man page via the man show ssl stat command, the output will be titled stat ssl. For show ssl vserver and show ssl service we will want to specify the vserver and service to get more data for individual entities. If you run into an issue where you suspect a global setting may be related to or the cause of your issue, you can list these at the CLI with the command show ssl parameter. This will show advanced global SSL parameters such as the ones listed here. For stubborn issues you may want to check these global settings to determine if one of them is causing the issues at hand.
Advanced SSL Parameters
  SSL quantum size: kB
  Max CRL memory size: MB
  Strict CA checks: NO
  Encryption trigger timeout: mS
  Send Close-Notify: YES
  Encryption trigger packet count:
  Deny SSL Renegotiation: NO
  Subject/Issuer Name Insertion Format: Unicode
  OCSP cache size: MB
  Push flag: x0 (Auto)
  Strict Host Header check for SNI enabled SSL sessions: NO
  PUSH encryption trigger timeout: 1 ms
Show commands vs Stat commands
  Many of the show commands covered have stat partner commands. These commands provide two very different types of information.
  Stat commands derive rates and stats from performance records by computing the deltas between the two previous records.
  They provide the most commonly needed statistics without flooding the user with data, i.e. user-friendly statistics.
  Man commands can be used to provide help for individual field values, i.e. "man stat lb vserver".

47 NetScaler Logs – newnslog - SSL Specific
  newnslog is a binary file stored in /var/nslog
  Over 100 SSL counters
  Interact with newnslogs with nsconmsg
  newnslogs can be trimmed
  Updated every 7 seconds
  Stores console messages, events and performance statistics
  newnslogs can be trimmed, as they can contain up to 2 days' worth of counter information
  nsconmsg is used to view the contents of the newnslog
  nsconmsg for troubleshooting issues such as: network problems, high CPU, memory leaks, uneven load balancing, etc.
  View newnslog from the GUI
There are over 100 SSL-specific counters in the newnslog file, ranging from SSL card status, to encrypted bytes, to TLS renegotiation counts for both front-end and back-end connections. Each of these has its own SNMP OID that you can use to track proactively with your favorite SNMP manager. You can trim a newnslog based on a slice of time and output the log to a new file:
  Use the -s time=<time> parameter to specify the start time
  Use the -T option to define how long a slice
  Example: nsconmsg -K newnslog -k newlog.log -s time=27sep2005:21:50 -T 180 -d copy
The format of the date is very exact and unforgiving, be warned. If you find the end result is an hour off, it is probably due to daylight savings time vs. standard time (don't be surprised).

48 NetScaler Logs - nsconmsg
nsconmsg uses the -d option to select what set of information to display. Common display sets include:
  current & past (Performance Record Variables)
  oldconmsg (a textual display; does not support all options)
  consmsg (console messages)
  event (event records, usually SNMP trap related)
  stats (an entire list of variables from the live system)
  statswt0 (variables that are non-zero from the live system)

49 NetScaler Processes – SSL Specific
  nsreadfile: used to read SSL certificates
  nsCRLrefresh: used to update Certificate Revocation Lists
  nsfsyncd: used to keep files synced between HA nodes
There are a few specific processes that are involved with SSL certificates on the NetScaler. These run in BSD and are not normally something you'd interact with, but in the course of an issue you'll want to know what these are. nsreadfile does what it sounds like: it reads the files when called for use. nsCRLrefresh again sounds like what it does, but let's touch on CRLs for those of you who may not be familiar. Certificate Revocation Lists: a certificate issued by a CA typically remains valid until its expiration date. However, in some circumstances, the CA may revoke the issued certificate before the expiration date (for example, when an owner's private key is compromised, a company's or individual's name changes, or the association between the subject and the CA changes). A Certificate Revocation List (CRL) identifies invalid certificates by serial number and issuer. Certificate authorities issue CRLs on a regular basis. You can configure the NetScaler appliance to use a CRL to block client requests that present invalid certificates. nsfsyncd is used to keep files in sync between HA nodes, which from our perspective today includes keys and certificates. I've tried to ensure that the resources slides (coming up next) have the links to everything I've covered.

50 NETSCALER-WORKSHOP LAB – Module 3 – Exercise 2
To continue with the lab, browse to: Enter your business and this session code: NETSCALER-WORKSHOP
