The QuickStart wizard helps you set up the SSL appliance rapidly using the most basic information. To perform a more advanced configuration, use the configuration manager as described in Chapter 4. The QuickStart wizard presented in this chapter is available only from a CLI-based management session. See Chapter 5 for information about using the Secure Server wizard from a GUI-based management session.
This chapter contains the following sections:
Before configuring the SSL appliance you must have a certificate and keys for the server. You can use the files you received from the Certificate Authority, copy the keys and certificate from an existing secure server, use default keys and certificates preloaded in the device, or generate your own keys and certificates.
Instructions for exporting keys and certificates from an existing server are found in "Using Existing Keys and Certificates" in Appendix E.
Additionally, be aware that you might have to make several changes to your Web pages. The nature of the changes depends upon whether you are securing a previously unsecured site, or adding the SSL appliance to an already secure server installation. These changes are described in the section "Web Site Changes" in Appendix B, Deployment Examples.
Note: When using the QuickStart wizard in FIPS Mode, only FIPS-approved algorithms are available.

Note: When using the Secure Content Accelerator in FIPS Mode, only serial management is allowed.

Note: When configuring an SCA2 via a serial connection, the displayed prompt is "SCA2" unless a hostname has been defined for the device.
1. Attach the included null modem cable to the appliance port marked "CONSOLE". Attach the other end of the null modem cable to a serial port on the configuring computer.
2. Launch any terminal emulation application that communicates with the serial port connected to the appliance. Use these settings: 9,600 baud, 8 data bits, no parity, 1 stop bit, no flow control.
3. Press Return. Initial information is displayed, followed by an SCA> prompt.
4. Enter Privileged and Configuration modes and set the IP address using the following commands. Replace the IP address in the example with the appropriate one.

```
SCA> enable
SCA# configure
(config[SCA])# ip address 10.1.2.5 netmask 255.255.255.0
(config[SCA])#
```
Note: When prompted to supply a file name during serial management, you must supply it as a URL in the form of HOST/PATH/FILENAME using the http://, https://, ftp://, or tftp:// prefix.
1. Initiate a telnet session with the IP address previously assigned to the appliance.
2. An SCA> prompt is displayed.

Note: When prompted to supply a file name during a telnet management session, you must supply it as a URL in the form of HOST/PATH/FILENAME using the http://, https://, ftp://, or tftp:// prefix.
Use the appropriate instructions below to run the CLI configuration manager.
Enter csacfg at a Linux shell prompt.
Enter csacfg at a Unix shell prompt.
To start the configuration manager, use the Start menu and point to Programs>Cisco Systems and click Cisco Secure Content Acc. Manager, or double-click the shortcut on the desktop.
Follow the instructions below appropriate to the management session initiated.
enable
quick-start
If you are using telnet, go to "Using the QuickStart Wizard" below.
If you are using a serial connection and the device has not been assigned an IP address, you are prompted to assign a hostname and IP address before beginning the QuickStart configuration process.
Would you like to specify a hostname and IP address for this device?:
Enter the hostname for this device:
The hostname is a user-specified device name. In this example, we use the name myDevice. When prompted for them, enter the IP address, netmask, and default gateway for the device. You are prompted to accept the information before continuing with configuration.
The following configuration will be saved to the device.
Hostname : myDevice
Ip address : 10.1.11.100
Netmask : 255.255.255.0
Default gateway addr : 10.1.11.10
Is the above information correct? (y/n):
Enter y if the listing is correct. Go to "Using the QuickStart Wizard" below. Enter n if the information is incorrect. You are prompted for the configuration information again.
Note: When the appliance is configured in the default two-port mode, the configuring computer must be connected via the "Server" port. If the appliance is configured to use one-port mode, the configuring computer must be connected via the "Network" port.
If only the new device is listed, attach the configuration manager and enter Privileged mode using the following command sequence, entering the appropriate IP address and netmask when prompted:
attach
CS-macaddress must be assigned an ip address before attaching.
Enter an IP address for CS-macaddress:
Enter the netmask for CS-macaddress (suggested netmask):
If more than one device is listed, attach the configuration manager and enter Privileged mode by using the following command sequence, entering the appropriate IP address and netmask when prompted:
on CS-macaddress attach
CS-macaddress must be assigned an ip address before attaching.
Enter an IP address for CS-macaddress:
Enter the netmask for CS-macaddress (suggested netmask):
In either case, macaddress is the hyphen-delimited MAC address of the device. A netmask is suggested. The following prompt appears.
Would you like to use the QuickStart wizard for CS-ipaddress? (y/n):
(The IP address is the same as the one you assigned to the device.) Type y to continue with the QuickStart wizard. Typing n launches the configuration manager. Go to "Using the QuickStart Wizard".
Note: Screen text displayed in this section reflects that found in the QuickStart wizard for the remote configuration manager. Information for appropriate responses through all configuration manager methods is presented.
Read the opening screen information and respond to the prompt.
Would you like to use the QuickStart wizard to create an ssl-server? (y/n):
If you do not have a key and certificate available and do not wish to use a default key and certificate, enter n or q. If you have read and agree with the introductory information, enter y. The following text is displayed:
Enter a name for your ssl-server:
Enter a name for the logical secure server ("ssl-server") you are configuring. The name is used for identification purposes only. (In this example, we name the server myServer.) If it already exists, you are asked to provide a different name.
Enter the IP address for 'myServer':
This is the IP address of the real server to which the clear text should be sent.
Enter the SSL port [443]:
Enter the TCP service port for the appliance to monitor for secure connection requests. The default is 443, but you can specify a different number. You cannot specify a TCP service port already configured to the same IP address.
Enter the clear text port:
Enter the number of the TCP service port for the SSL appliance to use to send clear text to the server. If you specify TCP service port 80, you are warned that the port will be unavailable for non-SSL requests. (See Chapter 3 for a discussion of port blocking.) You can abort the current clear text port designation and enter a different TCP service port, or approve using TCP service port 80 for clear text.
CONFIGURE SSL-SERVER 'myServer' KEY
SSL-server name : myServer
Ip address : 10.1.2.3
Secure Port : 443
Clear Port : 80
Each ssl-server is associated with a key.
1. Key is stored in a file on a disk.
2. Want to use an existing or default Key.
Choose the option corresponding to your situation (1/2):
Note: If you are using a key created with IIS, or a non-PEM-encoded key or certificate, use the default keys and certificates included with the SSL device. After configuring the device with the QuickStart wizard, use the configuration manager to load your own certificate and key. See "Example: Setting up a Secure Server" in Chapter 4 and "SSL Configuration Command Set" in Appendix C.
If you have the key on disk or available via a URL, type 1.
Enter the name of the key for ssl-server 'myServer':
Enter the name to assign a key. This name is used for identification only.
Enter PEM encoded X509 private key filename:
Enter the file name and path or the URL for the key as prompted. If the QuickStart wizard is unable to find or load the file, you receive an error message and are allowed to restart key assignment. After the key is properly loaded, configure the certificate as described below.
CONFIGURE SSL-SERVER 'myServer' CERTIFICATE
SSL-server name : myServer
Ip address : 10.1.2.3
Secure Port : 443
Clear Port : 80
Key name : default
Each ssl-server is associated with a certificate.
1. Certificate is stored in a file on a disk.
2. Want to use an existing or default Certificate.
Choose the option corresponding to your situation (1/2):
If you have the certificate on disk or available via a URL, type 1.
Enter the name of the certificate for ssl-server 'myServer':
Enter the name to assign the certificate. This name is used for identification only.
Enter PEM encoded X509 private certificate filename:
Enter the file name and path or URL for the certificate as prompted. If the QuickStart wizard is unable to find or load the file, you receive an error message and are allowed to restart certificate assignment. After the certificate is properly loaded, configure a security policy as described below.
To use a certificate already loaded into the appliance (including default certificates) rather than a certificate on disk, type 2 when prompted to choose an option. All available certificates are displayed. Enter the name of the certificate to use. If you enter an invalid certificate name, you receive an error message and are prompted to re-enter the certificate name.
CONFIGURE SSL-SERVER 'myServer' SECURITY POLICY
SSL-server name : myServer
IP address : 10.1.2.3
Secure Port : 443
Clear Port : 80
Key name : default
Cert name : default
You need to enter a security policy for ssl-server 'myServer'.
To simplify the encryption algorithms, you have 3 options:
strong - RSA key size of 1024, DES_SHA1, 3DES_SHA1, ARC4_MD5 and ARC4_SHA1
weak - RSA key size of 512, exp DES_SHA1, ARC2_MD5, ARC4_MD5 and ARC4_SHA1
default - RSA key size of 1024, ARC4_MD5, ARC4_SHA1 and exp ARC4_MD5, ARC4_SHA1, MD5
ARC4 is compatible with RC4™ RSA Data Security; ARC2 is compatible with RC2™ RSA Data Security.
Enter the security policy for ssl-server 'myServer' [default]:
At the prompt, enter the name of the security policy to use. The "strong" policy includes the most secure algorithms. The "weak" policy algorithms are less secure and appropriate for export use. The "default" policy algorithms are those most commonly used. See Chapter 3 for more algorithm information. If you enter an invalid security policy name, you receive an error message and are prompted to re-enter the name.
Note: When using the QuickStart wizard in FIPS Mode, only the FIPS security policy is available. The FIPS security policy contains only FIPS-approved algorithms.
After the name of the security policy is accepted, you are prompted to verify the logical secure server configuration.
SSL-SERVER 'myServer' SUMMARY
The following SSL-server will be created:
SSL-server name : myServer
IP address : 10.1.2.3
Secure Port : 443
Clear Port : 80
Key name : default
Cert name : default
Security Policy name : strong
Is the above information correct? (y/n) :
If the information is correct, type y. The logical secure server you have configured is created. If you type n, the server configuration process restarts using the current secure server.
Would you like to use the QuickStart wizard to create another ssl-server? (y/n):
SETUP CONFIGURATION PASSWORD PROTECTION
Would you like to set a password to protect configuration of the SSL-R? (y/n):
Type y, and enter a password. Re-enter it to confirm.
You must set an enable password for the device to ensure its configuration security. The password you enter is not displayed.
Would you like to set a name for this device? (y/n/q):
Type y, and enter a name for the SSL appliance.
A default gateway is needed to connect outside of your local subnet.
Would you like to set a default gateway for this device? (y/n/q): y
Enter a default gateway for this device:
A summary screen shows information about the device, keys, certificates, security policies, and the logical secure servers configured on it.
```
SCA myDevice
Keys
-----------------------------------
Name          Id   RC   V
-----------------------------------
default        1    0   Y
default-512    2    0   Y
default-1024   3    0   Y

Certificates
----------------------------------------------------------
Name          Id   RCCG   RCPS   V
----------------------------------------------------------
default        1    0      0     Y
default-512    2    0      1     Y
default-1024   3    0      0     Y

Certificate groups
*no certificate group list entries*

Security Policies
------------------------------------------
Name          Id   RC   Policy List
------------------------------------------
default        1    0   ARC4-MD5,ARC4-SHA,EXP-ARC4-MD5,EXP-ARC4-SHA
                        EXP1024-ARC4-MD5,EXP1024-ARC2-CBC-MD5
                        EXP1024-ARC4-SHA,NULL-MD5,NULL-SHA
weak           2    0   EXP-ARC4-MD5,EXP-ARC4-SHA,EXP-ARC2-MD5,
                        EXP1024-ARC4-MD5,EXP1024-ARC2-CBC-MD5,
                        EXP1024-DES-CBC-SHA,EXP1024-ARC4-SHA,NULL-MD5,
                        NULL-SHA,EXP-DES-CBC-SHA
fips           3    0   DES-CBC-SHA,DES-CBC3-SHA
strong         4    1   DES-CBC-MD5,DES-CBC-SHA,DES-CBC3-MD5,DES-CBC3-SHA,
                        ARC4-MD5,ARC4-SHA
all            5    0   DES-CBC-MD5,DES-CBC-SHA,DES-CBC3-MD5,DES-CBC3-SHA,
                        ARC4-MD5,ARC4-SHA,EXP-ARC4-MD5,EXP-ARC4-SHA,
                        EXP-ARC2-MD5,EXP1024-ARC4-MD5,EXP1024-ARC2-CBC-MD5,
                        EXP1024-DES-CBC-SHA,EXP1024-ARC4-SHA,NULL-MD5,
                        NULL-SHA,EXP-DES-CBC-SHA
noexport56     6    0   DES-CBC-SHA,DES-CBC3-MD5,DES-CBC3-SHA,
                        ARC4-SHA,EXP-ARC4-MD5,EXP-ARC2-MD5,EXP-DES-CBC-SHA

SSL Servers
----------------------------------------------------------------------
Name       Secure SSL IP    KC   PKey    Secpolicy
Id         Plaintext IP          Cert    CA Group
----------------------------------------------------------------------
myServer   10.1.2.3:443     Y    myKey   strong
001        10.1.2.3:80           myCert
```
The list of keys includes all those loaded into the device. The columns and their descriptions are shown in the table below.
Column | Description |
---|---|
Id | The number of the key as loaded into the device |
RC (Reference Count) | The number of logical secure servers using the key |
V (Validity) | The validity of the key as loaded into the device |
The list of certificates includes all certificates loaded into the device. The columns and their descriptions are shown in the table below.
Column | Description |
---|---|
Id | The number of the certificate as loaded into the device |
RCCG (Reference Count Certificate Group) | The number of certificate groups using the certificate |
RCPS (Reference Count Proxy Server) | The number of SSL servers using the certificate |
V (Validity) | The validity of the certificate as loaded into the device; "Y" indicates the certificate is valid, "N" indicates the certificate is invalid |
The list of security policies includes all those configured on the device. The columns and their descriptions are shown in the table below.
Column | Description |
---|---|
Name | The name of the security policy |
Id | The number of the security policy as loaded into the device |
RC (Reference Count) | The number of SSL servers using the security policy |
PolicyList | The names of the individual cryptographic schemes associated with each security policy |
The list of SSL servers includes all those configured on the device. The columns and their descriptions are shown in the table below.
Column | Description |
---|---|
Name | The name of the SSL server |
Id | The number of the SSL server as loaded into the device |
Secure SSL IP | The IP address and TCP service port to monitor for SSL transaction requests |
Plaintext IP | The IP address and TCP service port used to send decrypted SSL traffic to the server |
KC | The validity of the key and certificate pair assigned to the SSL server; "U" indicates the key or certificate is not defined, "Y" indicates the key and certificate match, "N" indicates the key and certificate do not match |
PKey | The name of the private key assigned to the SSL server |
Cert | The name of the certificate assigned to the SSL server |
Secpolicy | The name of the security policy assigned to the SSL server |
CA Group | The name of the certificate chain, if one has been assigned to the server |
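The policy lists above mix suites that were current in 2002 with export-grade, NULL and MD5 suites. The following script is an added example, not part of this manual or of Cisco's tooling: it parses the "Security Policies" block of the summary screen (including wrapped continuation lines) and reports, per policy, which suites an administrator should treat as weak before assigning the policy to an ssl-server. The sample screen text is constructed, modelled on the summary shown above; the weakness tests are the example's own.

```python
import re

# Constructed sample, modelled on the summary screen shown on this page.
SAMPLE_SUMMARY = """\
Security Policies
------------------------------------------
Name         Id  RC  Policy List
------------------------------------------
default       1   0  ARC4-MD5,ARC4-SHA,EXP-ARC4-MD5,EXP-ARC4-SHA
                     EXP1024-ARC2-CBC-MD5,NULL-MD5,NULL-SHA
fips          3   0  DES-CBC-SHA,DES-CBC3-SHA
strong        4   1  DES-CBC-MD5,DES-CBC-SHA,DES-CBC3-MD5,DES-CBC3-SHA,
                     ARC4-MD5,ARC4-SHA
SSL Servers
"""

ENTRY_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)$")  # name id rc suites
SUITE_LIST_RE = re.compile(r"[A-Z0-9][A-Z0-9,-]*")         # wrapped suite list

WEAKNESS_TESTS = [  # (predicate, reason); one suite may trigger several
    (lambda s: s.startswith("EXP"), "export-grade key length"),
    (lambda s: s.startswith("NULL"), "NULL cipher (no encryption)"),
    (lambda s: s.startswith("DES-CBC-"), "single DES (56-bit)"),
    (lambda s: "ARC4" in s or "ARC2" in s, "RC4/RC2 cipher"),
    (lambda s: s.endswith("-MD5"), "MD5 MAC"),
]

def parse_policies(summary: str) -> dict[str, list[str]]:
    """Return {policy name: [suite, ...]} from the Security Policies block."""
    policies: dict[str, list[str]] = {}
    current, in_block = None, False
    for raw in summary.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = line == "Security Policies"
            continue
        if not line or line.startswith("-") or line.startswith("Name"):
            continue                      # rules and column header
        entry = ENTRY_RE.match(line)
        if entry:
            current = entry.group(1)
            policies[current] = []
            suites = entry.group(4)
        elif current and SUITE_LIST_RE.fullmatch(line):
            suites = line                 # wrapped continuation of the list
        else:
            break                         # next section, e.g. 'SSL Servers'
        policies[current].extend(s for s in suites.split(",") if s)
    return policies

def assess(summary: str) -> dict[str, dict[str, list[str]]]:
    """Per policy, map each weak suite to its reasons; clean suites are omitted."""
    return {name: {s: reasons for s in suites
                   if (reasons := [why for test, why in WEAKNESS_TESTS if test(s)])}
            for name, suites in parse_policies(summary).items()}
```

Run `assess(SAMPLE_SUMMARY)` to see that only DES-CBC3-SHA in the fips and strong policies survives the tests, which matches why the FIPS policy is the only one offered in FIPS Mode.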
You are asked whether to save the configuration to flash memory.
Would you like to save your configuration to flash? (y/n):
If you type y, you will be asked to wait while the configuration is saved to flash, and the QuickStart wizard finishes. If you type n, the QuickStart wizard finishes.
Caution: If the configuration is not saved to flash memory, the configuration is lost during a power cycle or when the reload command is used.
1. Initiate a management session and start the configuration manager as described previously.
2. Use the appropriate method to attach to the device (remote management only), depending upon the number of devices in the list returned by the show device list command.
3. Enter Privileged mode.
4. Enter the command quick-start. If multiple devices are in Privileged mode when using the remote configuration manager, enter on devname quick-start, where devname is the name of the device.
5. Go to "Using the QuickStart Wizard".
Note: Non-FIPS-compliant servers can be reconfigured with the QuickStart wizard in FIPS Mode using only FIPS 1024-approved SSL security policies.
Posted: Wed Aug 21 02:00:43 PDT 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.