
Table Of Contents

Getting Started with CVDM-SSLSM

Before You Begin

What's New

Key Features in CVDM-SSLSM

Starting CVDM-SSLSM

Installing the Java Plug-in

Navigating in CVDM-SSLSM

Understanding the CVDM-SSLSM Desktop

What Does the Home Page Show Me?

What Does the Setup Page Show Me?

Understanding the Action Buttons

Editing the Preferences

Viewing Running Configuration

Delivering CLI Commands to the Device

What's Next?


Getting Started with CVDM-SSLSM


The CiscoView Device Manager for Cisco Catalyst 6500 SSL Services Module is an embedded device manager for single service module setup, feature and services configuration, and monitoring of the services module.

SSLSM Overview

The Secure Socket Layer Services Module is a Layer 4-through-Layer 7 service module that you can install into the Catalyst 6500 series switch. The module terminates secure socket layer (SSL) transactions and accelerates the encryption and decryption of data used in SSL sessions.

The module operates either in a standalone configuration or with the Content Switching Module (CSM). In a standalone configuration, secure traffic is directed to the module using policy-based routing (PBR). When used with the CSM, only encrypted client traffic is forwarded to the module, while clear text traffic is forwarded to the real servers.

The SSLSM uses the SSL protocol to enable secure transactions of data through privacy, authentication, and data integrity; the protocol relies upon certificates, public keys, and private keys.

The certificates, which are issued by a certificate authority and are similar to digital ID cards, verify the identity of the server to the clients and the clients to the server. The certificates include the name of the entity to which the certificate was issued, the public key of the entity, and the time stamp that indicates the certificate expiration date.

The public and private keys are the ciphers that are used to encrypt and decrypt information. The public key is shared without any restrictions, but the private key is never shared. Each public-private key pair works together; data that is encrypted with the public key can only be decrypted with the corresponding private key.

This chapter includes the following topics:

Before You Begin

What's New

Key Features in CVDM-SSLSM

Starting CVDM-SSLSM

Navigating in CVDM-SSLSM

Editing the Preferences

What Does the Setup Page Show Me?

Viewing Running Configuration

Delivering CLI Commands to the Device

What's Next?

Before You Begin

Before you begin using CVDM-SSLSM:

Make sure you have gone through the CVDM-SSLSM Readme and Release Notes.

Install the necessary Java Plug-in.

Make sure you have the necessary privileges. Privilege level 15 is ideal.

What's New

The new features in this release are:

Table 1-1 New Features for CVDM-SSLSM 1.1

Feature
Description

Public Key Infrastructure

New features are:

Import private key in Netscape Server Key (NET) format and certificates in DER format.

Import unencrypted keys.

Import certificate chain in PEM and PKCS7 format.

Certificate and private key validations.

Bulk export of certificates.

Export certificates to a redundant SSLSM.

Certificate Browser.

Statistics

Statistics at proxy service granularity.

Delta monitoring.

Option to reset the counters.

Auto refresh of statistics.


Key Features in CVDM-SSLSM

The following table describes the key features of CVDM-SSLSM:

Table 1-2 Key Features 

Feature
Description

Public Key Infrastructure

CVDM-SSLSM allows you to:

Manage Certificates:

Declare Trustpoints, import and export certificates

Visual indication of expiring and missing configured certificates.

Grouping of the Trustpoints by CA, enrollment status, and expiration date.

Certificate Wizards to create and enroll certificates, import and export certificates.

Create and manage Key Pairs

Create and manage ACLs

Create and manage certification authority pools

Proxy Service

CVDM-SSLSM allows you to set up server proxy, client proxy and enable backend encryption service using this feature.

Policies

CVDM-SSLSM allows you to configure SSL policy, TCP, header insertion, and URL rewrite policies.

Statistics

CVDM-SSLSM shows you the TCP, SSL, and PKI statistics.


Starting CVDM-SSLSM


Step 1 In your browser, enter the IP address or DNS hostname of the SSLSM. The Enter Network Password dialog box appears.

Step 2 Enter your SSLSM username and password.

Step 3 Click OK. The CVDM splash screen appears.

Step 4 Enter your device username and password.

Step 5 Click Yes. The Warning - Security dialog box appears. To accept the security certificate and continue, click Yes.

Step 6 The SSH Credentials dialog box appears.

Step 7 Enter your SSH username and password. The Enter Enable Password dialog box appears.

Step 8 Enter the enable password.

Step 9 Click OK. The CVDM-SSLSM home page appears.


Installing the Java Plug-in

You need to install the Java Plug-in. The Java Plug-in improves the performance of CVDM-SSLSM and allows the application to use the latest Java runtime functionality. For CVDM, the plug-in speeds up caching and application loading. CVDM-SSLSM requires the Java Plug-in version 1.4.2_04.

The first time you invoke any Java Plug-in window, you are alerted if the plug-in is not installed. CVDM-SSLSM prompts you to download and install the plug-in files, using the installation screens or the procedure displayed. The next time you start the application, CVDM-SSLSM automatically uses the plug-in. Install the Java Plug-in provided with CVDM-SSLSM.

Navigating in CVDM-SSLSM

Before you begin using CVDM-SSLSM, you must understand the basic operation of the user interface, including the login procedure and user interface elements. See the following sections for more information:

Understanding the CVDM-SSLSM Desktop

What Does the Home Page Show Me?

What Does the Setup Page Show Me?

Understanding the Action Buttons

Understanding the CVDM-SSLSM Desktop

This section describes the main GUI elements of the CVDM-SSLSM application (see Figure 1-1).

Figure 1-1 CVDM-SSLSM GUI Elements

Figure 1-1 Reference
Location
Description

1

Menu bar

Provides File, Edit, View, and Help options.

File

File > Save to Startup—Saves the configuration running on the device as the startup configuration.

File > Exit—Logs you out of CVDM-SSLSM and closes the application. A warning appears if any configuration has not been applied to the SSLSM.

Edit

Edit > Preferences—Displays the Preferences dialog box, from which you can edit application preferences. For details, see Editing the Preferences.

View

View > Home—Displays the Home page.

View > Setup—Displays the Features page.

View > Running Config > SSLSM...—Displays the configuration running on the SSLSM. For details, see Viewing Running Configuration.

View > Refresh—Collects the most recent device information and updates CVDM-SSLSM with it.

View > Transport Log...—Displays the transport log of the device. You can clear the log or save the information to a file.

Help

Help > Help Topics—Displays online help.

Help > About—Displays CVDM-SSLSM version information.

2

Task bar

Provides access to CVDM-SSLSM functionality.

Home—Displays the home page.

Setup—Displays the features page.

Refresh—Collects the most recent device information and updates CVDM-SSLSM with it.

Deliver—Opens the Deliver Configuration to SSLSM dialog box, from which you can send accumulated CLI commands to the device. For details, see Delivering CLI Commands to the Device.

Help—Displays context-sensitive help.

3

Page

CVDM-SSLSM working area in which you perform tasks.

4

Pane

One part of a divided page or dialog box.

5

Status bar

Provides the following information:

Message describing the status of the application.

Application user and privilege level.

Icon showing the security level of the connection.

Time stamp of the application startup time.

6

Selector

Hierarchy of the groups and objects available on the services page that allows you to access specific functions for a service module object. See the "Selector" section for more information.

7

Left-most pane

Contains buttons, on the setup page, that allow you to access SSLSM functions.


What Does the Home Page Show Me?

The home page is the first screen that comes up when you start CVDM-SSLSM. It provides an overview of CVDM-SSLSM (see Figure 1-2).

Figure 1-2 CVDM-SSLSM Home Page

Table 1-3 CVDM-SSLSM Home Page Elements and Description

Figure 1-3 Reference
Location
Description

1

System Overview tab

Displays the overview of the system.

2

Connection Dashboard tab

Displays the statistics of the traffic through the SSLSM.

3

Certificate Dashboard tab

Displays the information on the certificates.

4

Service Dashboard tab

Displays the information on the PKI service, proxy service, policies, and VLANs.


The System Overview Dashboard displays the following information:

Field
Description

Hostname

The hostname of the SSLSM.

Software Version

The application image version.

System Up Time

The time elapsed since the SSL module was started.

Utilization (5 mins)

System utilization during the last 5 minutes.

The following utilization information is available:

IOS CPU—The average utilization of the System CPU.

TCP CPU—The average utilization of the System CPU.

SSL CPU—The average utilization of the System CPU.

FDU CPU—The average utilization of the System CPU.

NVRAM—NVRAM utilization - [ NVRAM size in use / NVRAM size]

Note The utilization values are not updated in real time. You need to refresh the application to update the utilization.


The Certificate Dashboard displays the following information:

Certificate Expiry Dashboard

Number of certificates expiring in the near future. The expiry count will be displayed at weekly granularity.

This Week
Number of certificates that will expire this week.
Next Week
Number of certificates that will expire next week.
Week 3
Number of certificates that will expire the week after next.
Week 4
Number of certificates that will expire in the fourth week from now.

CA Certificates

Valid Certificates

The number of valid CA certificates.

Expired Certificates

The number of invalid CA certificates.

SSL Certificates

Valid Certificates

The number of valid SSL certificates.

Expired Certificates

The number of invalid SSL certificates.


The Connection Dashboard displays the following information:

Statistics

The statistics are not updated in real time. You can view and update the statistics in Setup > Statistics.

TCP

Connections in ESTABLISHED state

Number of TCP connections in the Established state.

Connections in TIME-WAIT state

Number of TCP connections in the Time-Wait state.

SSL

Active Sessions

The number of SSL sessions with active connections.

The value is rendered as horizontal bar charts.

Active Connections

The number of SSL connections in the data, handshake, and re-negotiation phases.

The value is rendered as horizontal bar charts.

Average Connection Rate (past 5 mins)

The rate at which successful connections were set up in the past 5 minutes.

Handshake Failures (past 5 mins)

Total handshake failures in the past 5 minutes.


The Service Dashboard displays the following information:

PKI

Complete Certificate Chains

Number of complete certificate chains.

An icon indicates that the certificate chain is complete.

Incomplete Certificate Chains

Number of incomplete certificate chains.

An icon indicates that the certificate chain is incomplete.

Proxy Services

Proxy Services Up

Total Proxy Services that are operational.

An icon indicates that the module is operationally up.

Proxy Services Down

Proxy services not operational due to fault conditions: invalid certificate, lack of server connectivity, and so forth, and those that are administratively down.

An icon indicates that the module is administratively and operationally down.

In the Setup > Proxy Services dialog box, the administratively down status and the operationally down status are indicated using different icons.

Policies

SSL Policies

Number of SSL policies configured on the module.

TCP Policies

Number of TCP policies configured on the module.

URL Rewrite Policies

Number of URL rewrite policies configured on the module.

HTTP Header Insertion Policies

Number of HTTP Header Insertion policies configured on the module.

VLANs

Total VLANs

Number of VLANs on the module.

Admin VLAN

The admin VLAN ID.

Admin IP Address

IP Address of the admin VLAN.

Admin Gateway

IP Address of the gateway configured for the admin VLAN.


Each group object contains a hyperlink. Click a link to view the details for that group object.
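The counts shown on the Certificate Dashboard and in the PKI rows of the Service Dashboard can be reproduced from any certificate inventory, which is useful for cross-checking the GUI or alerting outside it. The following is an added example, not Cisco or CVDM-SSLSM code; the record fields, the reading of "week" as a rolling 7-day window, validity judged on expiry only, and the name-based chain check are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (not from a real device). Field names are
# hypothetical: name, issuer, kind ("ca" or "ssl"), not_after (UTC expiry).
NOW = datetime(2005, 4, 15, tzinfo=timezone.utc)
CERTS = [
    {"name": "root-ca", "issuer": "root-ca", "kind": "ca",  "not_after": NOW + timedelta(days=900)},
    {"name": "sub-ca",  "issuer": "root-ca", "kind": "ca",  "not_after": NOW + timedelta(days=10)},
    {"name": "www",     "issuer": "sub-ca",  "kind": "ssl", "not_after": NOW + timedelta(days=3)},
    {"name": "shop",    "issuer": "sub-ca",  "kind": "ssl", "not_after": NOW + timedelta(days=25)},
    {"name": "legacy",  "issuer": "old-ca",  "kind": "ssl", "not_after": NOW - timedelta(days=2)},
]
BUCKETS = ("This Week", "Next Week", "Week 3", "Week 4")

def expiry_dashboard(certs, now):
    """Count unexpired certificates by the 7-day window in which they expire."""
    counts = dict.fromkeys(BUCKETS, 0)
    for cert in certs:
        remaining = cert["not_after"] - now
        if remaining <= timedelta(0):
            continue  # already expired: belongs under Expired, not a week bucket
        week = remaining // timedelta(days=7)  # 0 means within the next 7 days
        if week < len(BUCKETS):
            counts[BUCKETS[week]] += 1
    return counts

def validity_counts(certs, now):
    """Valid/expired totals per kind, judged on expiry time only (assumption)."""
    out = {"ca": {"valid": 0, "expired": 0}, "ssl": {"valid": 0, "expired": 0}}
    for cert in certs:
        state = "valid" if cert["not_after"] > now else "expired"
        out[cert["kind"]][state] += 1
    return out

def chain_is_complete(name, certs):
    """True if issuer links from `name` reach a self-signed root in the inventory.

    Matches issuers by name only; it does not verify signatures.
    """
    by_name = {c["name"]: c for c in certs}
    seen = set()
    while name in by_name and name not in seen:
        seen.add(name)
        issuer = by_name[name]["issuer"]
        if issuer == name:
            return True  # self-signed root reached
        name = issuer
    return False  # an issuer is missing, or the links loop without a root

if __name__ == "__main__":
    print(expiry_dashboard(CERTS, NOW))
    print(validity_counts(CERTS, NOW))
    for cert in CERTS:
        print(cert["name"], "complete" if chain_is_complete(cert["name"], CERTS) else "incomplete")
```

A certificate whose issuer is absent from the inventory ("legacy" above) counts as an incomplete chain even before its expiry is considered, so the two checks are worth reporting separately.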

FAQ

You can find answers for your questions on important tasks using FAQ. Select a question from the FAQ list, then click Go.

What Does the Setup Page Show Me?

The Setup page allows you to access the CVDM-SSLSM features. You can launch wizards from this page or you can start using the PKI, Proxy Service, Policy and VLAN features.

When you reach the Setup page, the following GUI elements appear in a pane on the left side of the content window:

GUI Element
Description

Wizards

Click to launch wizards that will guide you in creating and managing Trustpoints and proxy services.

PKI

Allows you to manage public key infrastructure on the SSLSM.

Proxy Services

Allows you to manage SSL proxy services on the SSLSM.

Policies

Allows you to manage the policy templates on the SSLSM.

VLANs

Allows you to manage VLAN configurations on the SSLSM.

Statistics

Allows you to view the SSLSM statistics.


Selector

Figure 1-3 shows the selector; Table 1-4 describes the selector elements.

Figure 1-3 Selector

Table 1-4 Selector Elements

Figure 1-3 Reference
Location
Description

1

Object Grouper

You can group the objects using various parameters. Select your option from the list.

2

Selector handle

Click the handle to open and close the selector, or click the handle and drag it to resize it.

3

Group folder

Displays a group of objects. Click the plus (+) symbol to see the contents of this folder.

4

Subgroup folder

Displays a subgroup of objects. Click the plus (+) symbol to see the contents of this folder.

5

Object

Displays the individual entity contained in the group or subgroup. Click an object to open the page for that object.



Note Figure 1-3 shows what the selector looks like when folders, subfolders, and objects are displayed. Not all selectors contain all of these elements.


Understanding the Action Buttons

This section describes the action buttons that appear in the CVDM-SSLSM dialog boxes and wizards.

For a description of the wizard action buttons, see Table 1-5.

For a description of the dialog box action buttons, see Table 1-6.

Table 1-5 Wizard Action Buttons

Button
Action

Back

Takes you to the previous page.

Next

Takes you to the next page.

Finish

Takes you to the wizard summary page.

Cancel

Exits the wizard without making any changes.

Help

Displays context-sensitive online help.


Table 1-6 Dialog Box Action Buttons

Button
Action

OK

Saves your changes.

Cancel

Exits the dialog box without making any changes.

Help

Displays context-sensitive online help.


Editing the Preferences


Step 1 Select Edit > Preferences... The Preferences dialog box appears.

Step 2 Modify the appropriate values:

GUI Element
Action/Description

Show CLI Preview for Wizards check box

Select this checkbox if you want CVDM-SSLSM to display the CLI commands to be delivered to the device after you have completed a wizard.

When you select this checkbox and click Finish in a wizard, the Deliver Configuration to the SSLSM dialog box opens and displays the CLI commands. For more information, see the "Delivering CLI Commands to the Device" section.

Show CLI Preview on Delivery check box

Select this checkbox if you want CVDM-SSLSM to display the CLI commands to be delivered to the device.

When you select this checkbox and click Deliver, the Deliver Configuration to SSLSM dialog box opens and displays the CLI commands. For more information, see the "Delivering CLI Commands to the Device" section.

Confirm before Exiting check box

Select this checkbox if you want CVDM-SSLSM to confirm with you before exiting the application.

Select the Always display this dialog box before exiting checkbox if you always want CVDM-SSLSM to confirm that you want to exit the application.

Refresh after Delivery check box

Select this check box to refresh CVM after delivering accumulated CLI commands for the device.



Viewing Running Configuration


Step 1 Select View > Running Config > SSLSM.... The Running Configuration for SSLSM dialog box appears. Information about the running configuration for the SSL Services Module is displayed.

Step 2 Click Save to File... to save the configuration information to a text file.


Delivering CLI Commands to the Device

You must deliver accumulated CLI commands to the device before any changes you make in CVDM-SSLSM will be applied.


Step 1 Click the Deliver button at the top of the page. The Deliver Configuration to SSLSM dialog box appears if you have configured CVDM-SSLSM to display the accumulated CLI commands when you click the Deliver button.


Note The Deliver Configuration to SSLSM dialog box also appears when you click the Finish button in a wizard if you have configured CVDM-SSLSM to display the accumulated CLI commands after you have completed a wizard.



Note For the Certificate Import and Export Wizards, the Deliver CLI Commands dialog box will not appear.


Step 2 Modify the appropriate values:

GUI Element
Action/Description

Save to Startup checkbox

Click the checkbox to save the running configuration, generated by CVDM, as the device startup configuration.

Deliver button

Click to send the accumulated CLI commands to the device.

Save to File... button

Click to save the CLI commands as a text file.

Close button [1]

Close the dialog box without delivering any CLI commands.

Deliver Later button [2]

Click to deliver the wizard CLI commands to the device at a later time.

[1] This button is available only in the Deliver Configuration to SSLSM dialog box that is displayed after you click Deliver at the top of the window.

[2] This button is available only in the Deliver Configuration to SSLSM dialog box that is displayed after you click Finish in a wizard.



Note For Certificate Wizards, the Deliver Later option will be disabled. The task will be performed immediately at the end of the wizard.



Note The Deliver Configuration to Switch/Module(s) dialog box displays all accumulated CLI commands that will be delivered to the device; therefore, any previous CLI commands that were not sent to the device are shown in this dialog box, as well as the CLI commands you have generated in this session.



What's Next?

You are about to set up an SSL Service. To set up the SSL service, first set up the Public Key Infrastructure. You need to configure Trustpoints and install the Key Pairs, Proxy Service Certificates, and the corresponding CA Certificates. You can use the Trustpoint wizards to set up the PKI.

Once the Proxy Service Certificates and Key Pairs are installed in the SSLSM PKI, the next task in setting up the SSL service is to configure Proxy Services. You can use the Proxy Service Wizard to configure the proxy service.



Posted: Fri Apr 15 04:03:50 PDT 2005
All contents are Copyright © 1992-2005 Cisco Systems, Inc. All rights reserved.