
SSL Optimization

Posted: 2016-04-22 11:53:25


 

Part 1: Overview of SSL

SSL provides a way for client and server applications to communicate securely over a potentially insecure network. It provides authentication, and prevents eavesdropping and tampering. In the most common use case, you use SSL to transport HTTP traffic with one-way authentication: only the Web server authenticates itself to the Web browser.

 

A Simple SSL Handshake (figure)


SteelHeads optimize SSL traffic without compromising end-to-end security or the established trust model. Your private keys remain in the data center and are not exposed in the remote branch office, where they might be compromised.

 

The handshake is the sequence of message exchanges at the start of an SSL connection. In an ordinary SSL handshake, the client and server first establish identity using public-key cryptography, and then negotiate a symmetric session key to use for data transfer.

 

Distributed termination is enabled by default and is on the Optimization > SSL: Advanced Settings page.

The time-out value specifies the amount of time the client can reuse a session with an SSL server after the initial connection ends. The range is 6 minutes to 24 hours. The default value is 10 hours.


Distributed termination improves performance by reducing the CPU load on the server-side SteelHead and shortens the key negotiation process by avoiding WAN round trips to the server.
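The handshake and the session-reuse timeout described above, as an added model that is not Riverbed's code and not an implementation of the SteelHead: a client-side session cache decides between a full handshake and an abbreviated, resumed one, and counts the round trips each costs. The message names are those of a TLS 1.2-style RSA handshake; the cryptography itself is not modelled, the session ID is a random token standing in for the server-assigned one, and the timeout is measured from when the session was negotiated rather than from when the first connection ended, which is a simplification of this example.

```python
# Added example (not Riverbed's code): a model of SSL session reuse with the
# timeout bounds stated on the page.  Only message flow and timing are modelled;
# no cryptography is performed.
import secrets
from dataclasses import dataclass, field

MIN_TIMEOUT = 6 * 60             # 6 minutes: lower bound of the reuse timeout
MAX_TIMEOUT = 24 * 60 * 60       # 24 hours: upper bound
DEFAULT_TIMEOUT = 10 * 60 * 60   # 10 hours: default

# Full handshake: the server proves its identity with a certificate and the
# client sends a public-key-encrypted premaster secret (one-way authentication).
FULL_HANDSHAKE = [
    ("client", "ClientHello"),
    ("server", "ServerHello"),
    ("server", "Certificate"),
    ("server", "ServerHelloDone"),
    ("client", "ClientKeyExchange"),
    ("client", "ChangeCipherSpec"),
    ("client", "Finished"),
    ("server", "ChangeCipherSpec"),
    ("server", "Finished"),
]

# Abbreviated handshake: both sides already hold the master secret for the
# session ID, so no certificate and no key exchange cross the wire.
RESUMED_HANDSHAKE = [
    ("client", "ClientHello(session_id)"),
    ("server", "ServerHello(session_id)"),
    ("server", "ChangeCipherSpec"),
    ("server", "Finished"),
    ("client", "ChangeCipherSpec"),
    ("client", "Finished"),
]


def round_trips(messages):
    """Round trips the client must wait for before it can send application
    data: consecutive messages from one side form a flight, and every two
    flights are one round trip."""
    flights = 1
    for (sender, _), (next_sender, _) in zip(messages, messages[1:]):
        if sender != next_sender:
            flights += 1
    return flights // 2


@dataclass
class SessionCache:
    """Sessions the client side may reuse, keyed by server name."""
    timeout: int = DEFAULT_TIMEOUT
    sessions: dict = field(default_factory=dict)  # server -> (session_id, negotiated_at)

    def __post_init__(self):
        if not MIN_TIMEOUT <= self.timeout <= MAX_TIMEOUT:
            raise ValueError(f"timeout {self.timeout}s is outside 6 min .. 24 h")

    def lookup(self, server, now):
        entry = self.sessions.get(server)
        if entry is None:
            return None
        session_id, negotiated_at = entry
        if now - negotiated_at > self.timeout:   # expired: forget it
            del self.sessions[server]
            return None
        return session_id

    def store(self, server, session_id, now):
        self.sessions[server] = (session_id, now)


def connect(cache, server, now):
    """Open one connection at time `now` (seconds); return (kind, session_id, rtt)."""
    session_id = cache.lookup(server, now)
    if session_id is not None:
        return ("resumed", session_id, round_trips(RESUMED_HANDSHAKE))
    session_id = secrets.token_hex(16)   # stands in for the server-assigned session ID
    cache.store(server, session_id, now)
    return ("full", session_id, round_trips(FULL_HANDSHAKE))


if __name__ == "__main__":
    cache = SessionCache()
    for t in (0, 60, DEFAULT_TIMEOUT + 61):
        kind, sid, rtt = connect(cache, "www.example.com", t)
        print(f"t={t:>6}s  {kind:8}  session={sid[:8]}...  round trips={rtt}")
```

Running the block shows a full handshake (two round trips), a resumed one a minute later (one round trip), and a full one again once the default 10-hour timeout has passed. A longer timeout saves more WAN round trips, but it also lengthens the period during which a cached session remains usable, so the value is a trade-off between performance and exposure.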


Part 2: How SteelHeads Terminate SSL

At a high level, SteelHeads terminate an SSL connection by making the client think it is talking to the server and making the server think it is talking to the client.


To enable SSL connection termination, you must configure the server-side SteelHead with proxy certificates and private keys so that it can emulate the server. When the SteelHead poses as the server, no change is needed on either the client or the server. The security model is not compromised: the optimized SSL connection continues to guarantee server-side authentication and to prevent eavesdropping and tampering.

 

To secure the inner SteelHead channel, you must configure each SteelHead with the certificate of the peer SteelHead (secure peering). There are several ways to establish a secure inner channel between the SteelHeads. The authentication is mutual: the client-side SteelHead initiates the connection and authenticates the server-side SteelHead, and the server-side SteelHead authenticates the client-side SteelHead.

 

To securely terminate an SSL connection to an SSL server, the server-side SteelHead needs, at a high level, the following:

      • A certificate and private key pair for the server. This certificate and private key pair does not have to be the same as the one used by the actual server. In a production environment, it would typically be signed by a CA trusted by the client. You can import a signed server certificate into a SteelHead without a private key if you have used the same SteelHead to generate the certificate signing request for that server certificate.
      • The certificate of the client-side SteelHead.

Part 2: Configuring SSL and Secure Inner Channel

Prerequisite Tasks

Complete these prerequisite tasks before you begin SSL configuration:

Step 1: Connect to the Management Console using HTTPS to protect your SSL private keys and certificates.

Step 2: On the client-side and server-side SteelHead, make sure you have a valid Enhanced Cryptography License Key.

Step 3: Back up your private keys and the CA-signed certificates before you begin the SSL configuration process.


SSL Required Components

      1. Enhanced Cryptography License Key: http://sslcert.riverbed.com
      2. Proxy Certificate and Private Key: The proxy certificate is the certificate you configure on the server-side SteelHead for the server. Do not confuse this with the certificate used for the secure inner channel or secure peering between the two SteelHeads. The proxy certificate can be self-signed, signed by a well-known CA, or signed by your organization's own CA. It can be the same as, or different from, the certificate used by the actual server.
      3. Certificate Chain Discovery

Use the following command on the server-side SteelHead to enable certificate chain discovery:

protocol ssl backend server chain-cert cache enable

Or choose Optimization > SSL: Advanced Settings and select Enable SSL Server Certificate Chain Discovery.

By default, this option is disabled.

      4. Certificate Authority Certificates
      5. Peer Certificates

Each SteelHead participating in SSL optimization requires a peer certificate.  The peer certificates allow the client-side and server-side SteelHeads to establish a secure inner channel. You can distribute these certificates several different ways: manual cut-and-paste; using the white, gray, and black peering lists; or through the SCC.
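The peer certificate distribution described above, and the cut-and-paste procedure in the secure peering steps later on this page, as an added model that is not Riverbed's code: trust decisions keyed by the SHA-256 fingerprint of a peer's self-signed peering certificate, sorted into white, gray and black lists. The PEM blocks are constructed from placeholder bytes, not real certificates; the list semantics (white = trusted, black = rejected, gray = held for an administrator's decision) and the out-of-band fingerprint comparison are assumptions of this example, not behaviour the page documents.

```python
# Added example (not Riverbed's code): peering trust decisions keyed by the
# SHA-256 fingerprint of a peer SteelHead's self-signed peering certificate.
# The "certificates" below are constructed placeholder bytes; only the PEM
# armour is real, so no X.509 parsing is needed to compute a fingerprint.
import hashlib
import hmac
import ssl
from typing import Optional


def fingerprint(pem_text: str) -> str:
    """Colon-separated SHA-256 fingerprint of the DER bytes inside a PEM block."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)      # strips the armour, base64-decodes
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def constructed_pem(label: bytes) -> str:
    """Wrap placeholder bytes in PEM armour (constructed for this example)."""
    return ssl.DER_cert_to_PEM_cert(label)


class PeeringTrust:
    """White (trusted), black (rejected) and gray (awaiting approval) lists."""

    def __init__(self):
        self.white = {}   # fingerprint -> local name
        self.black = {}
        self.gray = {}

    def decide(self, local_name: str, pem_text: str,
               expected_fp: Optional[str] = None):
        """Classify a pasted peer certificate.  If the administrator has the
        fingerprint from a trusted channel, a mismatch means the pasted text is
        not the certificate it is claimed to be and is refused outright."""
        fp = fingerprint(pem_text)
        if expected_fp is not None and not hmac.compare_digest(fp, expected_fp):
            return ("mismatch", fp)
        if fp in self.black:
            return ("reject", fp)
        if fp in self.white:
            return ("trust", fp)
        self.gray.setdefault(fp, local_name)     # unknown peer: hold for review
        return ("pending", fp)

    def approve(self, fp: str):
        """Administrator promotes a gray-listed peer to the white list."""
        self.white[fp] = self.gray.pop(fp)

    def deny(self, fp: str):
        """Administrator moves a gray-listed peer to the black list."""
        self.black[fp] = self.gray.pop(fp)


if __name__ == "__main__":
    trust = PeeringTrust()
    server_side = constructed_pem(b"placeholder: server-side SteelHead peering cert")
    print(trust.decide("dc-steelhead", server_side))   # pending on first sight
```

The point of comparing against a fingerprint obtained by a trusted path is that a certificate pasted through a clipboard or a ticketing system is only as trustworthy as that path; the comparison uses a constant-time equality check so the decision does not leak through timing.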

 

Basic Steps

 

Step 1: Configuring SSL Main Settings (Optimization > SSL: SSL Main Settings)


Apply, Save, and Restart Services.


Step 2:


Setting up a Simple SSL Deployment

Step 1: To set up the client-side SteelHead:

      • On the client-side SteelHead, choose Networking > App Definitions: Port Labels to display the Port Labels page in the Management Console.
      • Select the Secure label, remove port 443, select Remove Selected, and click Apply.
      • Default bypass rules contain all secure label ports, and hence secure traffic is not optimized by default.
      • Choose Administration > Maintenance: Licenses to verify that the Enhanced Cryptography License Key is installed on both the client-side and server-side SteelHeads.

 

Step 2: To set up the server-side SteelHead:

      • On the server-side SteelHead, choose Optimization > SSL: SSL Main Settings to display the SSL Main Settings page in the Management Console.
      • Select Enable SSL Optimization and click Apply.

Add the proxy certificate and a private key for the server to the server-side SteelHead.

 

SSL Main Settings Page (figure)


Step 3: Configure secure peering (traditional peering)

Choose Optimization > SSL: Secure Peering (SSL) to display the Secure Peering (SSL) page.

Under Certificate, select PEM, and copy the certificate to the clipboard. (This is the self-signed peering certificate that represents the server-side SteelHead for securing the inner channel. Do not confuse this certificate with the proxy certificate on the server-side SteelHead, which represents the server.)

 

PEM Certificate (figure)


      • On the client-side SteelHead, choose Optimization > SSL: SSL Main Settings, select Enable SSL Optimization, and click Apply.
      • Choose Optimization > SSL: Secure Peering (SSL).
      • Under Peering Trust, select Add a New Trusted Entity.

 


 

      • Select Trust New Certificate, type an optional Local Name, paste the copied server-side SteelHead self-signed peering certificate into the Cert Text box, and click Add.
      • Save the configuration and restart the optimization service on both SteelHeads.
      • On the server-side SteelHead, choose Reports > Networking: Current Connections in the Management Console to verify that the connections are being optimized. This report summarizes the SSL connection requests and connection rate.


Part 1: Configuring SSL Server Certificates and Certificate Authorities

Original article: http://www.cnblogs.com/elewei/p/5420606.html
