User’s Guide and Command Reference

Alteon SSL Accelerator 4.1.2 Secure Sockets Layer Offload Device

Part Number: 212939-F, November 2003

4655 Great America Parkway, Santa Clara, CA 95054
Phone 1-800-4Nortel
www.nortelnetworks.com



Copyright 2003 Nortel Networks, Inc., 4655 Great America Parkway, Santa Clara, California 95054, USA. All rights reserved. Part Number: 212939-F.

This document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of Nortel Networks, Inc. Documentation is provided “as is” without warranty of any kind, either express or implied, including any kind of implied or express warranty of non-infringement or the implied warranties of merchantability or fitness for a particular purpose.

U.S. Government End Users: This document is provided with a “commercial item” as defined by FAR 2.101 (Oct 1995) and contains “commercial technical data” and “commercial software documentation” as those terms are used in FAR 12.211-12.212 (Oct 1995). Government End Users are authorized to use this documentation only in accordance with those rights and restrictions set forth herein, consistent with FAR 12.211- 12.212 (Oct 1995), DFARS 227.7202 (JUN 1995) and DFARS 252.227-7015 (Nov 1995).

Nortel Networks, Inc. reserves the right to change any products described herein at any time, and without notice. Nortel Networks, Inc. assumes no responsibility or liability arising from the use of products described herein, except as expressly agreed to in writing by Nortel Networks, Inc. The use and purchase of this product does not convey a license under any patent rights, trademark rights, or any other intellectual property rights of Nortel Networks, Inc.

CryptoSwift® HSM is a registered trademark of Rainbow Technologies, Inc.

Portions of this manual are Copyright 2001 Rainbow Technologies, Inc. All rights reserved.

Export

This product, software and related technology is subject to U.S. export control and may be subject to export or import regulations in other countries. Purchaser must strictly comply with all such laws and regulations. A license to export or reexport may be required by the U.S. Department of Commerce.

Licensing

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

This product includes cryptographic software written by Eric Young ([email protected]).

This product includes software written by Tim Hudson ([email protected]).

This product includes software developed by the Apache Software Foundation (http://www.apache.org/).

See Appendix D, “License Information,” for more information.

Contents

Preface 13
    Who Should Use This Book 13
    Related Documentation 13
    How This Book Is Organized 14
    New Product Names 15
    Typographic Conventions 16
    How to Get Help 17

Part 1: User’s Guide

Chapter 1: Introducing the ASA 21
    Features 22
        Performance 22
        Scalability and Redundancy 22
        Certificate and Key Management 22
        Advanced Processing 23
        Load Balancing of Secure SSL Sessions 23
        Networking 23
        Statistics Viewing 24
        Logging Capabilities 24
        Management 24
        Supported Standards 24
        Compatibility 24
        SSL VPN 25
    New Software Features 26
        SSL Acceleration 26
        SSL VPN 26

Chapter 2: Introducing the ASA 310-FIPS 27
    HSM Overview 27
    Extended Mode vs. FIPS Mode 28
        FIPS 140-1 Level 3 Security 29
        The Concept of iKey Authentication 29
            Types of iKeys 29
            Wrap Keys for ASA 310-FIPS Clusters 30
            Available Operations and iKeys Required 31
    Additional HSM Information 32

Chapter 3: Initial Setup 33
    Clusters 33
    Ports and Interfaces within a Cluster 34
    Configuration at Boot Up 35
    Installing and Adding ASAs 36
        Installing an ASA in a New Cluster 36
        Adding an ASA to an Existing Cluster 39
    Installing and Adding an ASA 310-FIPS 42
        Installing an ASA 310-FIPS in a New Cluster 43
        Adding an ASA 310-FIPS to an Existing Cluster 49
    Reinstalling the Software 56

Chapter 4: Upgrading the ASA Software 59
    Performing Minor/Major Release Upgrades 60
        Activating the Software Upgrade Package 61
        Upgrading a Mixed ASA Cluster 63

Chapter 5: Managing Users and Groups 65
    User Rights and Group Membership 65
    Adding a New User 66
    Changing a User’s Group Assignment 70
    Changing a User’s Password 71
        Changing Your Own Password 71
        Changing Another User’s Password 72
    Deleting a User 73

Chapter 6: Managing Certificates and Client Authentication 75
    Generating and Submitting a CSR Using the CLI 76
    Adding Certificates to the ASA 81
        Using a Copy-and-Paste Operation to Add Certificates 82
        Using a Copy-and-Paste Operation to Add a Private Key 84
        Using TFTP or FTP to Add Certificates and Keys 86
            Update Existing Certificate 88
            Create a New Certificate 88
    Configuring a Virtual SSL Server for Client Authentication 89
    Generating Client Certificates on the ASA 91
    Managing Revocation of Client Certificates 95
        Revoking Client Certificates Issued by an External CA 96
        Revoking Client Certificates Issued within your Own Organization 97
        Creating Your Own Certificate Revocation List 98

Chapter 7: Using the Quick Server Setup Wizard 101
    Create an HTTP Server 101
    Create a Socks server 106
    Create a Portal Server 108

Chapter 8: The Command Line Interface 111
    Connecting to the ASA 112
        Establishing a Console Connection 112
        Establishing a Telnet Connection 113
        Establishing a Connection Using SSH (Secure Shell) 114
    Accessing the ASA 116
    CLI vs. Setup 117
    Command Line History and Editing 118
    Idle Timeout 118

Chapter 9: Troubleshooting the ASA 119
    Cannot Connect to ASA via Telnet or SSH 120
        Verify the Current Configuration 120
        Enable Telnet or SSH Access 120
        Check the Access List 120
        Check the IP Address Configuration 121
    Cannot Add an ASA to a Cluster 122
    Cannot Contact the MIP 123
        Check the Access List 123
        Add Interface 1 IP Addresses and MIP to Access List 123
    The ASA Stops Responding 124
        Telnet or SSH Connection to the Management IP Address 124
        Console Connection 124
    A User Password is Lost 125
        Administrator User Password 125
        Operator User Password 125
        Boot User Password 125
    An ASA HSM Stops Processing Traffic 126
    Resetting HSM Cards on the ASA 310-FIPS 128
    An ASA 310-FIPS Cluster Must be Reconstructed onto New Devices 131
    System Diagnostics 135
        Installed Certificates and Virtual SSL Servers 135
        Network Diagnostics 135
        Active Alarms and the Events Log File 137
        Error Log Files 137

Part 2: Command Reference

Chapter 10: ASA Command Reference 141
    Menu Basics 141
    Global Commands 142
    Command Line History and Editing 144
    Command Line Interface Shortcuts 146
        Command Stacking 146
        Command Abbreviation 146
        Tab Completion 146
        Using Submenu Name as Command Argument 147
        Using Slashes (/) and Spaces in Commands 148
    The Main Menu 149
    Menu Summary 149
    Information Menu 150
        Events Menu 154
        HSM Command 155
        iSD List Command 155
        Information Local Command 155
        Information Ethernet Command 155
    Statistics Menu 156
        Cluster Wide SSL Statistics Server Menu 158
        Local Statistics Menu 161
        Single iSD Statistics Menu 163
        Single ISD Statistics for Virtual SSL Server Menu 165
        Single iSD Host SSL Server Healthcheck Command 170
        Single iSD Host SSL Server Poolstatus Command 170
        AAA Statistics Menu 171
    Configuration Menu 172
        Viewing, Applying and Removing Changes 174
        SSL Configuration Menu 175
        DNS Client Settings Configuration 177
        Certificate Management Configuration 179
        Certificate Revocation Configuration 185
        Automatic CRL Menu 187
        SSL Server Management Configuration 190
        Network Traffic Dump Commands 194
        SSL Settings Configuration 196
        SSL Server TCP Settings Configuration 199
        SSL Server HTTP Settings Configuration 201
        SSL Server HTTP Rewrite Configuration 207
        SSL Server WWW Authentication Settings Configuration 208
        SSL Server DNS Settings Configuration 210
        Socks Settings Configuration 211
        HTTP Proxy Settings Configuration 214
        Portal Settings Configuration 217
        Advanced Settings Menu 220
        Load Balancing Strings Configuration 222
        Connection Pooling Configuration 225
        Traffic Syslog Configuration 226
        Standalone Menu 228
        IP List Menu 230
        Load Balancing Settings 232
        Cookie Settings Configuration 236
        Health Check Script Configuration 240
        Remote SSL Connect Configuration 243
        Remote SSL Connect Verify Configuration 245
        Backend Server Configuration 246
        SSL Connect Configuration 249
        SSL Connect Verify Configuration 251
        Xnet Menu 252
        Xnet Domain Configuration 253
        SSL VPN Portal Configuration 256
        Portal Colors Configuration 258
        Authentication Configuration 259
        RADIUS Configuration 261
        Radius Servers Menu 263
        LDAP Configuration 264
        LDAP Servers Menu 266
        NTLM Configuration 268
        NTLM Servers Menu 269
        Local Database Configuration 270
        Advanced Settings Configuration 273
        Network Access Configuration 274
        Subnet Access Configuration 275
        Service Access Configuration 276
        Application Specific Menu 278
        Client Filter Configuration 280
        Group Configuration 282
        Access Rule Configuration 285
        Link Configuration 287
        Port Forwarder Link Configuration 292
        Extended Profile Configuration 295
        RADIUS Accounting Configuration 297
        RADIUS Accounting Servers Configuration 298
        System Configuration 299
        Cluster Wide Routes Configuration 300
        Date and Time Configuration 301
        NTP Servers Configuration 302
        DNS Servers Configuration 303
        Syslog Servers Configuration 304
        Cluster Management Configuration 305
        iSD Host Configuration 306
        Host Routes Configuration 310
        Interface Configuration 311
        Interface Ports Configuration 313
        Host Ethernet Port Configuration 314
        System Access Configuration 315
        Administrative Applications Configuration 316
        SNMP Management Configuration 318
        SNMPv2-MIB Configuration 319
        SNMP Community Configuration 320
        SNMP Notification Target Configuration 321
        Audit Configuration 322
        RADIUS Audit Server Configuration 324
        Browser-Based Management Configuration 325
        Browser-Based Management Configuration with SSL 326
        User Access Configuration 327
        Edit User Menu 329
        User Access Groups Menu 330
        Current System Configuration 331
    Boot Menu 332
    Software Management Menu 334
        Current Software Status Command 336
    Maintenance Menu 337
    Hardware Security Module Menu 339

Part 3: Appendices

Appendix A: Supported Ciphers 343
    Cipher List Formats 345
    Modifying a Cipher List 345
    Supported Cipher Strings and Meanings 347

Appendix B: The ASA SNMP Agent 349
    Supported MIBs 350
        The SNMPv2 MIB 350
        The Alteon iSD Platform MIB 350
        The Alteon iSD-SSL MIB 351
    Supported Traps 351

Appendix C: Syslog Messages 353
    List of Syslog Messages 353

Appendix D: License Information 357

Appendix E: HSM Security Policy 363

Appendix F: Definition of Key Codes 381
    Syntax Description 381
        Allowed Special Characters 382
        Redefinable Keys 383
        Example of a Key Code Definition File 384

Glossary 385

Index 393


Preface

This User’s Guide and Command Reference describes how to configure and use the Nortel Networks Alteon SSL Accelerator (ASA) with SSL offload and VPN software.

Who Should Use This Book

This User’s Guide and Command Reference is intended for network installers and system administrators engaged in configuring and maintaining a network. It assumes that you are familiar with Ethernet concepts and IP addressing.

Related Documentation

For full documentation on installing and using the Alteon SSL Accelerator’s many features, see the following manuals:

• Alteon SSL Accelerator 4.1.2 Application Guide (part number 212940-F, November 2003). Provides examples on how to configure the ASA with SSL offload and VPN software.

• Alteon SSL Accelerator Hardware Installation Guide (part number 212941-B, August 2002). Describes installation of the ASA 310, ASA 310 FIPS, and ASA 410 hardware models.

• Alteon SSL Accelerator BBI Quick Guide (part number 215310-B, November 2003). Describes configuration via the Browser-Based Interface.

• Alteon SSL Accelerator 4.1.2 Release Notes (part number 212942-F, November 2003). Lists new features available in version 4.1.2 and provides up-to-date product information.


How This Book Is Organized

The chapters in this book are organized as follows:

Part 1: User’s Guide

Chapter 1, “Introducing the ASA” provides an overview of the major features of the Alteon SSL Accelerator, including its physical layout and the basic concepts of its operation.

Chapter 2, “Introducing the ASA 310-FIPS” provides information about the ASA 310 equipped with HSM cards, as well as information about the available security modes and the concept of iKey authentication.

Chapter 3, “Initial Setup” describes how to install the ASA in a new cluster, and how to add an ASA to an existing cluster. The chapter also provides information about the concept of ASA clusters, as well as the usage and configuration of ports and networks within a cluster. A section describing how to reinstall the software is also included.

Chapter 4, “Upgrading the ASA Software” describes how to upgrade the ASA software for a minor release upgrade, and a major release upgrade.

Chapter 5, “Managing Users and Groups” describes the management of users, groups, and passwords. The chapter also explains how the Administrator user role can be fully separated from the Certificate Administrator user role.

Chapter 6, “Managing Certificates and Client Authentication” describes how to generate and prepare keys and certificates for use with the ASA.

Chapter 7, “Using the Quick Server Setup Wizard” describes how to use the Quick Server Setup wizard.

Chapter 8, “The Command Line Interface” describes how to connect to the ASA and access the information and configuration menus.

Chapter 9, “Troubleshooting the ASA” provides suggestions for troubleshooting basic problems. Information about performing system diagnostics on the ASA is also included, as well as a few operations related to the ASA 310-FIPS model.


Part 2: Command Reference

Chapter 10, “ASA Command Reference” provides an overview of the ASA menu system and details of all menus and options.

Part 3: Appendices

Appendix A, “Supported Ciphers” provides a list of ciphers supported in this product.

Appendix B, “The ASA SNMP Agent” provides information about the SNMP agent on the ASA, and which MIBs (Management Information Bases) are supported.

Appendix C, “Syslog Messages”, contains a list of all syslog messages that can be sent to a syslog server that is added to the ASA system configuration.

Appendix D, “License Information” provides licensing information for the software used in this product.

Appendix E, “HSM Security Policy” provides detailed information on the security policy of the HSM card that comes installed in the ASA 310-FIPS.

“Glossary” includes definitions of terminology used throughout this document.

New Product Names

All references to the old product name – iSD-SSL or iSD – in commands or screen outputs should be interpreted as Alteon SSL Accelerator, or ASA in short.

All references to Xnet (e.g. Xnet domain) apply to the SSL VPN feature.

All references to Alteon Application Switch should be interpreted as applying to both Alteon Application Switch and Alteon Web Switch.


Typographic Conventions

The following table describes the typographic styles used in this book.

Table 1 Typographic Conventions

AaBbCc123
    Meaning: This type is used for names of commands, files, and directories used within the text. It also depicts on-screen computer output and prompts.
    Examples: View the readme.txt file.
              Main#

AaBbCc123 (bold)
    Meaning: This bold type appears in command examples. It shows text that must be typed in exactly as shown.
    Example: Main# sys

<AaBbCc123> (italicized)
    Meaning: This italicized type appears in command examples as a parameter placeholder. Replace the indicated text with the appropriate real name or value when using the command. Do not type the brackets. This also shows book titles, special terms, or words to be emphasized.
    Examples: To establish a Telnet session, enter: host# telnet <IP address>
              Read your User’s Guide thoroughly.

[ ]
    Meaning: Command items shown inside brackets are optional and can be used or excluded as the situation demands. Do not type the brackets.
    Example: host# ls [-a]


How to Get Help

If you purchased a service contract for your Nortel Networks product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance.

If you purchased a Nortel Networks service program, contact one of the following Nortel Networks Technical Solutions Centers:

Technical Solutions Center            Telephone
Europe, Middle East, and Africa       00800 8008 9009 or +44 (0) 870 907 9009
North America                         (800) 4NORTEL or (800) 466-7835
Asia Pacific                          (61) (2) 8870-8800
China                                 (800) 810-5000

Additional information about the Nortel Networks Technical Solutions Centers is available at the following URL:

http://www.nortelnetworks.com/help/contact/global

An Express Routing Code (ERC) is available for many Nortel Networks products and services. When you use an ERC, your call is routed to a technical support person who specializes in supporting that product or service. To locate an ERC for your product or service, refer to the following URL:

http://www.nortelnetworks.com/help/contact/erc/index.html


Part 1: User’s Guide

This section introduces the Alteon SSL Accelerator and provides information on how to perform initial setup, software upgrades, and common tasks involving certificates and client authentication. Troubleshooting information, as well as information about how to access the command line interface, is also included.

For instructions relating to the Alteon SSL VPN feature included in version 4.1.2, read Part 2 of the Application Guide. Software commands are however listed together with the rest of the ASA commands in Chapter 10, “ASA Command Reference.”

This User’s Guide section contains the following topics:

• Chapter 1, “Introducing the ASA”

• Chapter 2, “Introducing the ASA 310-FIPS”

• Chapter 3, “Initial Setup”

• Chapter 4, “Upgrading the ASA Software”

• Chapter 5, “Managing Users and Groups”

• Chapter 6, “Managing Certificates and Client Authentication”

• Chapter 7, “Using the Quick Server Setup Wizard”

• Chapter 8, “The Command Line Interface”

• Chapter 9, “Troubleshooting the ASA”


CHAPTER 1: Introducing the ASA

The Alteon SSL Accelerator (ASA) is a peripheral Secure Socket Layer (SSL) offload platform that attaches to an Alteon Application Switch or a comparable switch from another vendor. The ASA performs a TCP three-way handshake with the client through the Alteon Application Switch and performs all the SSL encryption and decryption for the session. Combined with the load balancing features of the Alteon Application Switch, the ASA offloads SSL encryption/decryption functions from back-end servers.

For more information on the basic operations of the ASA, see the “Public Key Infrastructure and SSL” chapter in the Application Guide.

Added on to the SSL acceleration features, the SSL VPN feature supports remote access to intranet resources (such as applications, mail, files, intranet web pages) via a secure connection.

For more information on the SSL VPN feature see Part 2 of the Application Guide.

The ASA is delivered on the following hardware platforms:

• ASA 310

• ASA 410

• VPN 3050

For detailed technical specification of the hardware platforms, see the “Specifications” appendix in the Alteon SSL Accelerator Hardware Installation Guide and the Alteon VPN 3050 Hardware Installation Guide.

The ASA is also available with a FIPS-compliant Hardware Security Module (HSM):

• ASA 310-FIPS

For more information about ASA 310-FIPS, see “Introducing the ASA 310-FIPS” on page 27.


Features

Performance

• Accelerates SSL processing—offloads SSL encryption and decryption from the back end server.

• Depending on your model, supports from 600 to 2000 SSL transactions per second for each ASA device.

Scalability and Redundancy

• Provides dynamic scalability—up to 256 ASAs can be added to each cluster.

• Supports 256 virtual SSL servers.

• Provides dynamic plug and play—ASAs can be added to or removed from a cluster dynamically without disrupting network traffic.

• Provides a single system image (SSI)—all ASAs in a given cluster are configured as a single system.

• Ability to create multiple clusters of ASAs, each capable of serving its own group of real servers.

• High level of redundancy in the master/slave cluster design; even if three master ASAs in a cluster would fail, additional slave ASAs will still be operational and can accept configuration changes.

Certificate and Key Management

• Supports certificate and key management—private keys generated in Apache, OpenSSL, Stronghold, WebLogic, and Microsoft IIS 4.0 can be imported.

• Supports client authentication, generation of client certificates, revocation of client certificates, and automatic retrieval of CRLs.

• Supports validation of private keys and certificates via the command line interface.

• Supports generation of certificate signing requests (CSR) via the command line interface.

• Supports creation of test certificates (self-signed) via the command line interface, for instant testing of SSL features.

• Supports automatic retrieval of Certificate Revocation Lists (CRL) via HTTP, TFTP, or LDAP (version 3).

• Support for PKCS7 certificates, where the user is prompted to select a certificate when the certificate file contains multiple certificates.

• Support for adding an X-Client-Cert multiline HTTP header to a client request. Using this feature will make the ASA insert the entire client certificate (in PEM format) as a multi-line HTTP header. The backend Web servers can then perform additional user authentication, based on the information in the client certificate. The backend servers can also make use of any auxiliary fields in the client certificate.
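The backend side of the X-Client-Cert feature, as an added example that is not part of this manual or of the ASA software: a Go routine that accepts the forwarded certificate only when the TCP peer is a known offloader, rebuilds the multi-line header into PEM, and verifies that the certificate chains to the client CA with the clientAuth key usage before any field in it is used for authentication. The peer check is the security-relevant part: a backend that honours this header from an arbitrary client would let the client assert any certificate it likes. The offloader address 10.0.0.5, the folding format (each PEM line carried as a whitespace-prefixed continuation line), and the throwaway CA and client certificate produced by MakeCA and MakeClientPEM are assumptions made so the example runs offline; the ASA's actual header layout may differ.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Offloader addresses allowed to set X-Client-Cert (constructed example value).
var trustedOffloaders = map[string]bool{"10.0.0.5": true}

// UnfoldPEM rebuilds PEM text from a header whose certificate lines arrived
// as whitespace-prefixed continuation lines (an assumed folding format).
func UnfoldPEM(folded string) string {
	var lines []string
	for _, l := range strings.Split(folded, "\n") {
		if t := strings.TrimSpace(l); t != "" {
			lines = append(lines, t)
		}
	}
	return strings.Join(lines, "\n") + "\n"
}

// ClientCertFromHeader trusts the header only when the TCP peer is an
// offloader, then parses the certificate and verifies that it chains to
// the client CA and carries the clientAuth extended key usage.
func ClientCertFromHeader(peerIP, header string, roots *x509.CertPool) (*x509.Certificate, error) {
	if !trustedOffloaders[peerIP] {
		return nil, errors.New("X-Client-Cert from untrusted peer " + peerIP)
	}
	block, _ := pem.Decode([]byte(UnfoldPEM(header)))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("X-Client-Cert is not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, err
	}
	return cert, nil
}

// RootsFor returns a pool holding only the given client CA.
func RootsFor(ca *x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	p.AddCert(ca)
	return p
}

// The helpers below build a throwaway CA and client certificate so the
// example runs offline; they stand in for whatever CA issues client certs.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func MakeCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Client CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	ca, _ := x509.ParseCertificate(der)
	return ca, key
}

// MakeClientPEM issues a client certificate for cn signed by ca, as PEM text.
func MakeClientPEM(cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) string {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

// FoldHeader mimics the offloader: every PEM line becomes a continuation line.
func FoldHeader(pemText string) string {
	return strings.ReplaceAll(strings.TrimRight(pemText, "\n"), "\n", "\r\n ")
}

func main() {
	ca, caKey := MakeCA()
	hdr := FoldHeader(MakeClientPEM("alice", ca, caKey))
	if cert, err := ClientCertFromHeader("10.0.0.5", hdr, RootsFor(ca)); err == nil {
		fmt.Println("accepted client:", cert.Subject.CommonName)
	}
	_, err := ClientCertFromHeader("203.0.113.9", hdr, RootsFor(ca))
	fmt.Println("from unknown peer:", err)
}
```

In a real deployment the peer check would be backed by a network path that only the offloaders can use (a dedicated interface, as the Networking feature list describes), and the backend would strip any inbound X-Client-Cert header that did not pass this check before the request reaches application code.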

Advanced Processing

• Supports rewriting of client requests—customized error messages can be sent to the client’s Web browser if the browser is unable to perform the required cipher strength. Without this feature, the client request would simply be rejected during the SSL handshake.

• Ability to transmit extra SSL information to the backend servers, such as the negotiated cipher suite and client certificate information (in case client certificates were required by the virtual SSL server). The information is conveyed by configuring the virtual SSL server to add an extra SSL header to the client’s request.

Load Balancing of Secure SSL Sessions

• Supports end to end encryption, in which traffic between the ASA(s) and backend servers can also be encrypted. Benefits of SSL acceleration are maintained, with minimal performance degradation.

• Supports load balancing of encrypted and unencrypted traffic for up to 256 backend servers, with health checking and persistent client connections.

Networking

• Supports creating multiple interfaces within a cluster, to separate client traffic and management traffic for example.

• Support for clustering over multiple subnets.

• Supports assigning two physical network ports to one interface, in order to create a port failover (high availability) solution where one ASA is attached to two Alteon Application Switches.

• Support for configuring the sizes of TCP send and receive buffers.

• Supports Ethernet autonegotiation. In network environments where autonegotiation is not used, the Ethernet autonegotiation feature can be disabled. Instead, a fixed speed of 10, 100, or 1000 Mbit per second can then be specified for each particular port on each ASA host in the cluster.

• Supports pooling and reuse of previously used backend connections.

• Supports addition of a Front-End-HTTPS header to a client request. When using Outlook Web Access (OWA) for Microsoft Exchange in combination with the ASA, the virtual SSL server can be configured to add this extra header. The Front-End-HTTPS header enables the receiving OWA server to transform embedded HTTP URLs in a correct manner.

Statistics Viewing

• Supports histograms to measure transactions per second (TPS) and throughput. Statistics can be viewed for individual or multiple ASAs in a cluster.

• Ability to show statistics for the local Ethernet NICs.

Logging Capabilities

• Support for traffic logging via UDP syslog messages. UDP syslog messages for all HTTP requests handled by an SSL server can be sent to a configured syslog server. This feature can be used as an alternative to performing traffic logging on the backend Web servers in environments where traffic logging must be performed on the SSL terminating device itself due to laws or regulations.

• Support for RADIUS accounting and auditing.

Management

• Configuration via built-in command line interface, accessible via Telnet, Secure Shell, and the serial port.

• Ability to control remote access via Telnet and Secure Shell down to specific machines.

• Configuration via Web User Interface.

Supported Standards

• Supports SSL version 2.0 and 3.0, plus TLS version 1.0.

• Supports SMTPS, POP3S, and IMAPS in addition to the standard HTTPS.

• Supports SNMP version 1 and SNMP version 2c.

Compatibility

• Compatible with all Alteon Application Switches, Alteon Web Switches and comparable switches from other vendors.


SSL VPN

The SSL VPN feature supports remote access to intranet resources (such as applications, mail, files, intranet web pages) via a secure connection. The underlying protocol used for these sessions is SSL.

With the SSL VPN feature activated, mobile workers, telecommuters and partners can access information and/or applications on the intranet. What information should be accessible to the user after login is determined by access rules (ACLs).

The intranet’s resources can be accessed in two ways:

• From any computer connected to the Internet (browser-based mode). The user connects to the VPN portal via the web browser. When authorized, available services/resources on the intranet are displayed on a portal web page provided by the ASA.

• From a computer with the SSL VPN client software installed (transparent mode). The user starts the desired application, e.g. his or her mail client. If the destination matches a domain name or IP address defined in the SSL VPN client, the request is redirected to the ASA for authorization. When authorized, the user’s request is passed on to the original destination, e.g. the intranet mail server.

The SSL VPN feature is added on to the SSL accelerator features, which makes it possible to use the product for normal SSL acceleration duty as well.

For configuration examples, see Part Two of the Application Guide.


New Software Features

SSL Acceleration

• Support for SSL Acceleration of Web sites containing absolute links. See page 217.

SSL VPN

• Native Outlook support. Enables full access to an intranet Microsoft Exchange server through a secure connection. Available on the SSL VPN Portal’s Advanced tab and as a group link. See page 292.

• New command for configuring a group for users whose NTLM password has expired. By defining a group link for the password expiry group, users can automatically be directed to a single site where the password can be changed. See page 268.

• New command for enabling secure SSL transfer (LDAPS) of requests sent between the ASA and the LDAP server. See page 264.

• Support for retrieving group information from another authentication scheme (Local database or LDAP) besides the one used for authentication. See page 273.

• New command for hiding the Nortel logo bottom left on the SSL VPN Portal. See page 256.

• Support for persistent cookies for the Portal login session. See page 217.

• Support for proxy chaining via an intranet HTTP Proxy server. Available for the features on the SSL VPN Portal’s Advanced tab and for the corresponding group links, i.e. Terminal, Proxy and Forwarder. See page 287.

• Support for auto configuration/clearing of browser settings removed for the HTTP Proxy feature on the SSL VPN Portal’s Advanced tab as well as for the Proxy group link.

• Various enhancements/fixes described in the Release Notes.


CHAPTER 2: Introducing the ASA 310-FIPS

This section provides information about the ASA 310-FIPS model, which comes installed with the HSM (Hardware Security Module) card. The HSM card complies with all the security requirements specified by the Federal Information Processing Standard (FIPS) 140-1, Level 3 standards. Each ASA 310-FIPS device is equipped with two identical HSM cards.

NOTE – When using the ASA 310-FIPS device in a cluster, remember that all Alteon SSL Accelerator devices in the cluster must be of the ASA 310-FIPS model.

HSM Overview

The HSM card found on the ASA 310-FIPS model is an SSL accelerator, just like the ordinary CryptoSwift card found on the regular models of both the ASA 310 and the ASA 410. In addition to cryptographic acceleration, the HSM card brings extra security to sensitive operations and is designed to withstand physical tampering.

- The HSM card provides a secure storage area for cryptographic key information. The storage area is secured by a constantly monitored tamper detection circuit. If tampering is detected, the battery backup power to the memory circuits on the card is removed. Critical security parameters, such as the private keys held in the storage area, are then destroyed and rendered useless to the intruder.

- Any sensitive information that is transferred between the two HSM cards within the same ASA 310-FIPS, or between any number of HSM cards within a cluster of ASA 310-FIPS devices, is encrypted using a shared secret (known as the wrap key) stored on the HSM card.


- Some user operations require two-factor authentication, which involves using both a hardware token (called an iKey) and an associated password to provide an extra layer of security. For example, if the ASA 310-FIPS is power cycled (as in the case of theft), no SSL traffic is processed until the operator logs in to the HSM card using both an iKey and the correct password.

- All cryptographic requests, such as generating private keys or performing encryption, are automatically routed to the HSM card by the ASA application and performed on the HSM card only.

Extended Mode vs. FIPS Mode

When installing the very first ASA 310-FIPS into a new cluster, you can choose to initialize the HSM cards in either Extended mode or FIPS mode. Extended mode is the default selection, and is appropriate whenever your security policy does not explicitly require that you conform to the FIPS 140-1, Level 3 standard (see below for more information).

The main difference between Extended mode and FIPS mode involves how private keys are handled. In both modes, all private keys are stored encrypted in the database on the ASA 310-FIPS. When the HSM card is initialized in Extended mode, the encrypted private key needed to perform a specific operation is transferred to the HSM card over the PCI bus. The private key is then decrypted on the HSM card itself, using the wrap key that was generated during initialization and has since been stored on the card. The private key is thus never exposed in plain text outside the HSM card.

When the HSM card is initialized in FIPS mode, the encrypted private key needed to perform a specific operation is read from the database into RAM, together with the wrap key from the HSM card. The private key is then decrypted in RAM, where it remains accessible for subsequent operations.

Also, when the ASA 310-FIPS is initialized in FIPS mode, all private keys must be generated on the ASA 310-FIPS device itself. Importing private keys, or certificate files that contain private keys, is not allowed due to the FIPS security requirements. This means that the CLI commands used for importing certificates and keys via a copy and paste operation, or via TFTP/FTP, cannot be used when the ASA 310-FIPS is initialized in FIPS mode.


FIPS 140-1 Level 3 Security

The HSM card meets all of the security requirements specified by the FIPS 140-1, Level 3 standard. FIPS 140-1 is a U.S. government standard for implementations of cryptographic modules, that is, hardware or software that encrypts and decrypts data or performs other cryptographic operations (such as creating or verifying digital signatures).

FIPS 140-1 is binding on U.S. government agencies deploying applications that use cryptography to secure sensitive but unclassified (SBU) information, unless those agencies have been specifically exempted from compliance by the relevant U.S. laws referenced in the standard.

For more information about the FIPS specification, visit http://csrc.nist.gov/publications/fips/index.html and scroll down to “FIPS 140-1”.

The Concept of iKey Authentication

Access to sensitive data on an ASA 310-FIPS is protected by a combination of hardware tokens (called iKeys), passwords, and encryption procedures.

The iKey is a cryptographic token that is used as part of the authentication process for certain operations involving the HSM cards. Whenever you perform an operation on the ASA 310-FIPS that calls for iKey authentication, the Command Line Interface prompts you to insert the requested iKey into the USB port on the appropriate HSM card. (When prompted for a particular iKey, a flashing LED always directs you to the correct HSM card.)

Types of iKeys

For each HSM card there are two unique iKeys used for identity-based authentication: the HSM-SO iKey and the HSM-USER iKey. These correspond to the two available user roles: Security Officer and User. A password must be defined for each user role, and the passwords are directly associated with the corresponding iKey. The ASA 310-FIPS is equipped with two HSM cards, so you must maintain two pairs of HSM-SO and HSM-USER iKeys, with their associated passwords, for each single ASA 310-FIPS device.

After an HSM card has been initialized, that card will only accept the HSM-SO and HSM-USER iKeys that were used when initializing that particular card. You cannot create backup copies of the associated HSM-SO iKey and HSM-USER iKey, and a lost HSM-SO or HSM-USER password cannot be retrieved. It is therefore extremely important that you establish routines for how the iKeys are handled.


Wrap Keys for ASA 310-FIPS Clusters

In addition to the HSM-SO and HSM-USER iKeys specific to each HSM card, one pair of iKeys (the black HSM-CODE iKeys) must also be maintained for each cluster of ASA 310-FIPS units.

NOTE – You are strongly recommended to label two of the black HSM-CODE iKeys “CODE-SO” and “CODE-USER” respectively; these iKeys are referred to by those names both in the documentation and in the Command Line Interface.

During the initialization of the first ASA 310-FIPS in a cluster, a wrap key is automatically generated. The wrap key is a secret shared among all ASA 310-FIPS devices in the cluster. It encrypts and decrypts sensitive information that is sent over the PCI bus within an ASA 310-FIPS, and over the network among the ASA 310-FIPS devices in the cluster. By inserting the CODE-SO iKey and the CODE-USER iKey in turn when requested by the Setup utility, the wrap key is split onto these two iKeys. When adding an additional ASA 310-FIPS to the cluster, the CODE-SO and CODE-USER iKeys are used to transfer the wrap key to the HSM cards on the ASA device(s) that have been added. Once the wrap key has been transferred, all synchronization of sensitive information within the cluster takes place transparently to the user.

No passwords are associated with the CODE-SO and CODE-USER iKeys. However, for all operations that involve the CODE-SO and CODE-USER iKeys, these keys are used in addition to the HSM-SO and HSM-USER iKeys (which in turn require the correct passwords for successful authentication).

!CAUTION—If you enter the wrong password for the HSM-USER fifteen (15) times in a row, the HSM-USER iKey will be rendered unusable. This is due to the strict security specifications placed on the ASA 310-FIPS.
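The two mechanisms described above, the password-protected HSM-SO/HSM-USER iKeys with the 15-failure lockout and the split of the wrap key onto the password-less CODE-SO/CODE-USER pair, modelled in Python. This is an added example, not Nortel code and not a description of the HSM card's internals: the page does not say how the card checks a password or how it splits the wrap key, so the model uses PBKDF2-HMAC-SHA256 for the password check and a one-time-pad XOR for the split (which has the property the page relies on, that neither CODE iKey alone reveals the key). The class and function names, the passwords and the key bytes are constructed for the example.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 15          # the caution above: 15 wrong HSM-USER passwords in a row
PBKDF2_ROUNDS = 100_000    # assumed; the page does not describe the card's password check


class IKey:
    """A hardware token. HSM-SO / HSM-USER iKeys carry a password verifier;
    CODE-SO / CODE-USER iKeys carry only a share of the cluster wrap key."""

    def __init__(self, role, password=None, share=None):
        self.role = role
        self.share = share
        self.failures = 0
        self.destroyed = False
        self.salt = secrets.token_bytes(16) if password is not None else None
        self.verifier = self._derive(password) if password is not None else None

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)

    def authenticate(self, password):
        """True on a correct password. A success resets the failure counter;
        the 15th consecutive failure renders the token permanently unusable."""
        if self.destroyed or self.verifier is None:   # CODE iKeys have no password
            return False
        if hmac.compare_digest(self._derive(password), self.verifier):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.destroyed, self.verifier = True, None
        return False


def split_wrap_key(wrap_key):
    """Split the wrap key onto a CODE-SO / CODE-USER pair as a one-time pad:
    CODE-SO holds random bytes, CODE-USER holds wrap_key XOR those bytes,
    so each share on its own is uniformly random and reveals nothing."""
    pad = secrets.token_bytes(len(wrap_key))
    return (IKey("CODE-SO", share=pad),
            IKey("CODE-USER", share=bytes(k ^ p for k, p in zip(wrap_key, pad))))


def join_wrap_key(code_so, code_user):
    """Recombine the two shares; both iKeys are required, in either order."""
    if {code_so.role, code_user.role} != {"CODE-SO", "CODE-USER"}:
        raise ValueError("both a CODE-SO and a CODE-USER iKey are required")
    return bytes(a ^ b for a, b in zip(code_so.share, code_user.share))


class HsmCard:
    """One HSM card, bound at initialization to its own HSM-SO and HSM-USER iKeys."""

    def __init__(self, so_password, user_password):
        self.so_key = IKey("HSM-SO", password=so_password)
        self.user_key = IKey("HSM-USER", password=user_password)
        self.wrap_key = None
        self.logged_in = False

    def login(self, ikey, password):
        """After a power cycle no SSL traffic is processed until the card's own
        HSM-USER iKey is presented together with the correct password."""
        self.logged_in = ikey is self.user_key and ikey.authenticate(password)
        return self.logged_in

    def receive_wrap_key(self, so_key, so_password, user_key, user_password,
                         code_so, code_user):
        """Adding the card to a cluster (Table 2-1): HSM-SO and HSM-USER with
        their passwords, plus both CODE iKeys, which carry the wrap key."""
        if not (so_key is self.so_key and so_key.authenticate(so_password)):
            return False
        if not self.login(user_key, user_password):
            return False
        self.wrap_key = join_wrap_key(code_so, code_user)
        return True


if __name__ == "__main__":
    wrap_key = secrets.token_bytes(32)              # generated on the first cluster member
    code_so, code_user = split_wrap_key(wrap_key)   # split onto the two black iKeys
    new_card = HsmCard("so-secret", "user-secret")  # a card on an ASA being added
    print(new_card.receive_wrap_key(new_card.so_key, "so-secret",
                                    new_card.user_key, "user-secret",
                                    code_so, code_user))
```

The lockout is deliberately one-way: once `destroyed` is set the verifier is discarded, so even the correct password no longer works, matching the caution that the iKey is rendered unusable. Note that only the card's own `user_key` object is accepted by `login`, which models the statement that an initialized card accepts only the iKeys used when it was initialized.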


Available Operations and iKeys Required

For information about the type of iKeys required to perform a specific operation, see Table 2-1.

Table 2-1 Available Operations and iKeys Required

                                                          Type of iKey required
Operation performed                              HSM-SO   HSM-USER   CODE-SO and CODE-USER
------------------------------------------------ -------- ---------- ---------------------
Installing a new ASA 310-FIPS in a new cluster   yes      yes        yes
Adding an ASA 310-FIPS to an existing cluster    yes      yes        yes
Logging in to the HSM card                                yes
Splitting the wrap key onto a pair of CODE iKeys yes      yes        yes
Changing the HSM-SO iKey password (see note)     yes      yes
Changing the HSM-USER iKey password              [marks missing from the extracted table]

Note: To resume normal operations after having changed the HSM-SO iKey password, the HSM-USER iKey is required to re-login to the HSM card.


Additional HSM Information

- For detailed information about installing a new ASA 310-FIPS in a new cluster or adding an ASA 310-FIPS to an existing cluster, see “Installing and Adding an ASA 310-FIPS” on page 42.

- For detailed information about how to log in to the HSM card after a reboot, see “An ASA HSM Stops Processing Traffic” on page 126.

- For information about how to split the wrap key onto a backup set of CODE-SO and CODE-USER iKeys, or how to change an HSM-SO or HSM-USER iKey password, see “Hardware Security Module Menu” on page 339.

- For information about how to reset the HSM cards, see “Resetting HSM Cards on the ASA 310-FIPS” on page 128.

- For information about HSM card LED status, see Chapter 1 of the Alteon SSL Accelerator Hardware Installation Guide.

- For information about the HSM card’s security policy, see Appendix E, “HSM Security Policy”.

- To view the HSM card’s FIPS 140-1 validation certificate, see Appendix B, “FIPS 140-1 Validation Certificate” in the Alteon SSL Accelerator Hardware Installation Guide.


CHAPTER 3: Initial Setup

This chapter covers the basic setup and initialization process for the Alteon SSL Accelerator (ASA). It introduces the concept of ASA clusters, and provides detailed instructions for reinstalling the ASA software, should that become necessary.

Clusters

All ASAs are members of a cluster. A cluster is a group of ASAs that share the same configuration parameters. There can be more than one ASA cluster in the network, each with its own set of parameters and services to be used with different real servers. Every cluster has a Management IP (MIP) address, which is an IP alias to one of the ASAs in the cluster. The MIP address identifies the cluster and is used when making configuration changes via a Telnet or SSH connection or when configuring the system using the Web User Interface.

Each time you perform an initial setup of an ASA and select new in the Setup menu, you create a new cluster which initially has only a single member. You can add one or more ASAs to any existing cluster by performing an initial setup and selecting join in the Setup menu.

When using an Alteon Application Switch, all ASAs in a cluster can form a Real Server Group. Traffic intended for the ASA cluster can then be load balanced by the Alteon Application Switch.

The configuration parameters are stored in a database, which is replicated among the ASAs designated as masters in a cluster. By default, the first four ASAs in a given cluster are set up as masters. Additional ASAs are automatically set up as slaves, which means they depend on a master ASA in the same cluster for proper configuration. Even if three of the masters fail, the remaining ASA(s) are still operational and can have configuration changes made to them.

The ASA software supports clustering over multiple subnets. If more than one ASA is required and the ASA you wish to join to the cluster is installed in a different subnet, the new ASA must be configured as a slave. Master ASAs cannot exist on different intranet subnets.


Ports and Interfaces within a Cluster

When installing an ASA in a new cluster, or adding an ASA to an existing cluster, you are asked to specify a port number by the Setup utility. The port number you specify refers to a physical port on the network interface card of a particular ASA model.

The ASA 310 or ASA 410 Copper NIC, which is equipped with two integrated Intel PRO/100+ copper port NICs for Ethernet or Fast Ethernet, has two ports numbered 1 and 2 respectively.

The ASA 310 or ASA 410 Fiber NIC, which is equipped with one 3Com Gigabit fiber-optic port NIC for Gigabit Ethernet in addition to the dual integrated Intel PRO/100+ NICs, has three ports. Ports 1 and 2 refer to the integrated ports on the Intel PRO/100+ NIC, whereas port 3 refers to the 3Com Gigabit fiber-optic port NIC.

The Setup utility automatically detects the number of available ports and displays the valid range in square brackets when prompting for a port number. The port number you specify in the Setup utility is initially assigned to Interface 1, which is always present. When adding additional ASAs to the cluster, you need to make sure you specify a port number that is currently used on Interface 1.

NOTE – In order to make use of the 3Com Gigabit fiber-optic port NIC found on the ASA 310 or ASA 410 Fiber NIC model, all devices in the cluster must be of this same model. If your cluster consists of other ASA models besides the ASA 310 or ASA 410 Fiber NIC model, only the dual integrated ports on the Intel PRO/100+ NIC (also found on the ASA 310 or ASA 410 Fiber NIC model) can be used.

After you have installed one or more ASAs in a cluster, you can create a separate interface within the cluster (for example one used exclusively for client traffic and not for management), and assign an unused port to that interface. You can also assign more than one port to one interface, in order to configure a failover solution with the ASA connected to two Alteon Application Switches, should one NIC fail.

For more information on the commands used to create an additional interface, see “Interface Configuration” on page 311.

For more information on assigning ports to a particular interface, see “Interface Ports Configuration” on page 313.


Configuration at Boot Up

When starting an ASA for the very first time, you need to:

- Connect the ASA uplink port to a compatible port on the Alteon Application Switch.

- Connect a terminal to the console port. For more information, see “Connecting to the ASA” on page 112.

- Press the power-on button.

- Wait until you get a login prompt.

- Log in as user: admin, password: admin

NOTE – If you have the ASA 310-FIPS model, please see the instructions from page 43 onwards.

When you log in after having started the ASA the first time, you will automatically enter the setup utility menu (see Figure 3-1). After selecting join or new, you will be prompted for the minimum information required to make the ASA operational.

Figure 3-1 The Setup Menu

[Setup Menu]
     join - Join an existing iSD cluster
     new  - Initialize iSD as a new installation
     boot - Boot Menu
     info - Information Menu
     exit - Exit [global command, always available]

The amount of information you need to provide will depend on whether you are installing the ASA to join an existing cluster of ASAs, or if you are installing it as a single ASA that is connected to the Alteon Application Switch. If you are installing the ASA to join an existing cluster, less information is needed because the ASA will fetch most of the configuration from the other ASA(s) in the cluster. In either case you must provide an IP address for the ASA itself and the default gateway, as well as the network mask (or accept the suggested value of 255.255.255.0). You will also be asked to provide a Management IP address. When you select join in the Setup menu, you will be asked for the Management IP address already assigned to the existing cluster.


Installing and Adding ASAs

Installing an ASA in a New Cluster

When you log in after having started the ASA the first time, you will automatically enter the setup utility menu (see Figure 3-1).

1. To install an ASA as a single device connected to the Alteon Application Switch, or to install an ASA as the first member in a new cluster, choose new from the Setup menu.

When you select new in the Setup menu, you need to assign a Management IP address to the new cluster that is created, even though the cluster initially only contains a single ASA.

2. Configure the port number for the management network, and the basic IP network settings.

!CAUTION—Each ASA cluster in the network must have a unique MIP address. The MIP address you assign to a cluster when selecting new in the Setup menu must be different from all other IP addresses used on your network, including the IP address you assign to each partic-ular ASA in the cluster.

[Setup Menu]
     join - Join an existing iSD cluster
     new  - Initialize iSD as a new installation
     boot - Boot Menu
     info - Information Menu
     exit - Exit [global command, always available]
>> Setup# new
Setup will guide you through the initial configuration of the iSD.

(new setup, continued)
Enter port number for the management network [1-3]: 1   <Specify the port you want to use for network connectivity>
Enter IP address for this machine: <IP address>
Enter network mask [255.255.255.0]: <Press ENTER if correct>
Enter VLAN tag id (or zero for no VLAN) [0]: <VLAN tag id or ENTER>
Enter gateway IP address (or blank to skip): <gateway IP address>
Enter the Management IP (MIP) address: <IP address>
Trying to contact gateway...ok
Making sure the MIP does not exist...ok


Answer the requested information to enable network access of the ASA. Make sure that the IP address you assign to the machine, and the Management IP address you assign to the cluster are unique on your network and that they are within the same network address range.

If a connected router or switch attaches VLAN tag IDs to incoming packets, specify the VLAN tag ID used.

The gateway IP address you specify must also be within the same network address range as the machine IP address and the Management IP address. If not, a built-in control function in the Setup utility will detect the erroneous configuration and ask you to check your network settings before trying again.

You will only be prompted for a port number when installing an ASA Copper NIC or Fiber NIC. The valid range of port numbers depend on the particular model:

- For the ASA 310 or ASA 410 Copper NIC, equipped with two integrated Intel PRO/100+ copper port NICs for Ethernet or Fast Ethernet, valid port numbers are 1 or 2. Both ports are identical in terms of performance.

When installing an ASA 310 or ASA 410 Copper NIC, you are recommended to specify port number 1 for the initial interface (Interface 1) that is configured during the installation. After the installation is complete, you can change the port value for the existing interface, or configure an additional interface to which you assign port number 2.

- For the ASA 310 or ASA 410 Fiber NIC, which is equipped with one 3Com Gigabit fiber-optic port NIC for Gigabit Ethernet in addition to the dual integrated Intel PRO/100+ NICs, valid port numbers are 1 through 3. Port number 3 refers to the enhanced 3Com Gigabit fiber-optic port NIC.

When installing an ASA 310 or ASA 410 Fiber NIC, you may want to specify port number 3 for the default Interface 1 configured during the installation. This instructs the ASA to use the enhanced 3Com Gigabit fiber-optic port for the initial interface. To use the 3Com Gigabit fiber-optic port NIC found on the ASA 310 or ASA 410 Fiber NIC model, make sure all devices in the cluster are of this same model.

If your cluster consists of other models besides the ASA 310 or ASA 410 Fiber NIC model, only the dual integrated ports on the Intel PRO/100+ NIC (ports 1 and 2) can be used. In this case, you should therefore specify port 1 for the management interface.

NOTE – When adding additional ASAs to the cluster (by selecting join in the Setup utility), you must specify the port number that is currently used in and assigned to the management interface (Interface 1). In most cases, this will be the same port number as the one you specify in the Setup utility when selecting new.


3. Configure the time zone and NTP and DNS server settings.

If you don’t have access to the IP address of an NTP server or DNS server at this point, you can configure these items after the initial setup is completed. See page 302 for information on how to configure NTP servers, and page 303 for information on how to configure DNS servers.

4. Generate new SSH host keys and define a password for the admin user.

In order to maintain a high level of security when accessing the ASA via a SSH connection, it is recommended that you accept the default choice to generate new SSH host keys.

Make sure you remember the password you define for the admin user. You will need to provide the correct admin user password when logging in to the cluster for configuration purposes, and also when adding another ASA to the cluster by performing a join in the Setup menu.

(new setup, continued)
Enter a timezone or ’select’ [select]: <Press ENTER to select>
Select a continent or ocean: <Continent or ocean by number>
Select a country: <Country by number>
Select a region: <Region by number, if applicable>
Selected timezone: <Suggested timezone, based on your selections>
Enter the current date (YYYY-MM-DD) [2003-03-01]: <Press ENTER if correct>
Enter the current time (HH:MM:SS) [09:26:16]: <Press ENTER if correct>
Enter NTP server address (or blank to skip): <IP address>
Enter DNS server address (or blank to skip): <IP address>

(new setup, continued)
Generate new SSH host keys (yes/no) [yes]: <Press ENTER to accept>
This may take a few seconds...ok
Enter a password for the "admin" user:
Re-enter to confirm:


5. When the Setup utility has finished, log in to the ASA and continue with the configuration.

Log in as the admin user with the password you defined in Step 4, and the Main menu is displayed. You can now continue the configuration of the ASA using the command line interface (CLI). For more information about the CLI, see “The Command Line Interface” on page 111.

(new setup, continued)
Initializing system......ok
Setup successful. Relogin to configure.

login:

Adding an ASA to an Existing Cluster

After having installed the first ASA in a cluster, additional ASAs may be added to the same cluster by specifying the Management IP (MIP) address that identifies the cluster.

You add additional ASAs to an existing cluster by selecting join from the Setup menu in the ASA, after it has booted. This is the only way to add a new ASA to an existing cluster. Selecting new from the Setup menu and providing the Management IP address of the existing cluster will not work. The reason for this is that new indicates creating a new cluster, and each cluster must have a unique Management IP address.

Master ASAs cannot exist on different intranet subnets. If the ASA you are joining is installed on a different subnet, this ASA must be configured as a slave.

NOTE – If the Access list contains entries (IP addresses that control Telnet and SSH access), also add the Management IP address (MIP), the IP address of Interface 1 of the existing ASA, and the intranet IP address you intend to give the new ASA to the Access list. This must be done before joining the new ASA, otherwise the ASAs will be unable to communicate. Use the cfg/sys/accesslist command.

To successfully perform a join from the Setup menu, all the ASAs in a cluster must run the same software version. If the ASA you are about to add has a different software version, you need to adjust it to run the same software version as the ASA(s) currently installed in the cluster. This must be done before performing a join. For more information, see “Reinstalling the Software” on page 56. Another option is to upgrade the whole cluster to the same software version as the new ASA. For more information, see “Performing Minor/Major Release Upgrades” on page 60. You can check the currently installed software version by using the /boot/software/cur command.


When you log in after having started the ASA the first time, you will automatically enter the setup utility menu (see Figure 3-1).

1. Choose join from the Setup menu to add an ASA to an existing cluster.

2. Specify the port number that is used in the cluster for the default management interface, enter the machine IP address, and the cluster management IP address.

Assign a unique IP address to the device and provide the Management IP address of the existing cluster to which you want to add the ASA. Make sure that the IP address you assign to the device is within the same network address range as the Management IP address of the cluster. If not, a built-in control function in the Setup utility will detect the error and ask you to check your configuration before trying again.

If a connected router or switch attaches VLAN tag IDs to incoming packets, specify the VLAN tag ID used.

To check the Management IP of an existing cluster, connect to the cluster and use the /cfg/sys/cluster/cur command.

[Setup Menu]
     join - Join an existing iSD cluster
     new  - Initialize iSD as a new installation
     boot - Boot Menu
     info - Information Menu
     exit - Exit [global command, always available]
>> Setup# join
Setup will guide you through the initial configuration of the iSD.

(join setup, continued)
Enter port number for the management network [1-3]: 1   <Specify the port that is currently used for network connectivity on the management interface (Interface 1)>
Enter IP address for this machine: <IP address>
Enter network mask [255.255.255.0]:
Enter VLAN tag id (or zero for no VLAN) [0]: <VLAN tag id or ENTER>

The system is initialized by connecting to the management server
on an existing iSD, which must be operational and initialized.
Enter the Management IP (MIP) address: <IP address>


NOTE – You will only be prompted for a port number when adding an ASA 310 or ASA 410 Copper NIC or an ASA 310 or ASA 410 Fiber NIC to a cluster. Make sure you specify the port number that is currently used on Interface 1 in the cluster. On an ASA 310 or ASA 410 Fiber NIC, port number 3 corresponds to the enhanced Gigabit fiber-optic port. To check the port assignment on Interface 1 of an existing cluster, connect to the cluster and use the /cfg/sys/cluster/host #/interface 1/cur command.

3. Provide the correct admin user password, and specify the appropriate iSD type.

Type the correct password for the admin user.

When adding up to three additional ASAs to a cluster containing a single ASA, you may configure each additional ASA as either master or slave. For up to three additional ASAs, the default setting is master. When adding one or more ASAs to a cluster that already contains four ASAs, each additional ASA is automatically configured as slave. It is recommended that there are 2-4 master ASAs in each cluster, so in most cases there is no need to change the default setting. If needed, you can always reconfigure an ASA by changing the Type setting after the initial setup. For more information, see the type command under “iSD Host Configuration” on page 306.

4. Wait until the Setup utility has finished.

The setup utility is now finished. The ASA that has been added to the cluster will automatically pick up all configuration data from one of the already installed ASAs in the cluster. After a short while you will get a login prompt.

If needed, you can now continue with the configuration of the ASA using the command line interface (CLI). Log in as the admin user, and the Main menu is displayed. For more information about the CLI, see “The Command Line Interface” on page 111.

(join setup, continued)
Enter the existing admin user password:
Enter the type of this iSD (master/slave) [master]:
......ok

(join setup, continued)
Setup successful.

login:
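The consistency rules that the two procedures above (new and join) apply to the answers you type, gathered into a single Python pre-check. This is an added example, not the Setup utility's own code: “same network address range” is read here as “same IP subnet under the mask entered at the prompt”, the VLAN id range 0-4094 is the 802.1Q range and not a figure from this manual, and a slave is allowed on another subnet while a master is not, following the Clusters section. The cluster description, addresses and version strings are constructed for the example; the only real command it refers to is /cfg/sys/accesslist.

```python
import ipaddress

MAX_MASTERS = 4  # "By default, the first four ASAs in a given cluster are set up as masters."


def _same_range(host_ip, mask, other_ip):
    """'Same network address range' read as: other_ip lies in host_ip's subnet
    under the mask entered at the prompt (an interpretation, not a quote)."""
    net = ipaddress.ip_network(f"{host_ip}/{mask}", strict=False)
    return ipaddress.ip_address(other_ip) in net


def check_new(host_ip, mask, gateway, mip, vlan=0):
    """Problems the Setup utility would report for the answers given to 'new'.
    An empty list means the values are consistent."""
    problems = []
    if host_ip == mip:
        problems.append("the MIP must differ from the machine IP address")
    if not _same_range(host_ip, mask, mip):
        problems.append("the MIP is outside the machine's network range")
    if gateway:
        if not _same_range(host_ip, mask, gateway):
            problems.append("the gateway is outside the machine's network range")
        if gateway in (host_ip, mip):
            problems.append("the gateway must not reuse the machine IP or the MIP")
    if not 0 <= vlan <= 4094:  # 802.1Q range; assumed, the page gives no limit
        problems.append("VLAN tag id must be 0 (none) or 1-4094")
    return problems


def default_type(cluster):
    """Type the join setup proposes: master until four members exist, then slave."""
    return "master" if len(cluster["members"]) < MAX_MASTERS else "slave"


def check_join(cluster, host_ip, mask, software_version, member_type=None):
    """Problems to fix before selecting 'join' with the given answers.
    cluster = {"mip", "version", "accesslist": [...], "members": [{"ip", "type"}]}."""
    problems = []
    member_type = member_type or default_type(cluster)
    taken = {cluster["mip"]} | {m["ip"] for m in cluster["members"]}
    if host_ip in taken:
        problems.append("the machine IP collides with the MIP or an existing member")
    if software_version != cluster["version"]:
        problems.append(f"software {software_version} differs from the cluster's "
                        f"{cluster['version']}; reinstall or upgrade before joining")
    if member_type == "master" and not _same_range(host_ip, mask, cluster["mip"]):
        problems.append("masters cannot exist on different subnets; join as slave")
    if member_type == "master" and len(cluster["members"]) >= MAX_MASTERS:
        problems.append("the cluster already has four members; Setup will make this ASA a slave")
    # Access list: once it has any entries, the MIP, Interface 1 of every existing
    # member and the new machine IP must all be listed or the ASAs cannot talk.
    if cluster["accesslist"]:
        missing = sorted((taken | {host_ip}) - set(cluster["accesslist"]),
                         key=ipaddress.ip_address)
        if missing:
            problems.append("add to /cfg/sys/accesslist before joining: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    # Constructed cluster: one master, an access list already in force.
    cluster = {"mip": "10.0.1.100", "version": "4.1.2", "accesslist": ["10.0.1.50"],
               "members": [{"ip": "10.0.1.10", "type": "master"}]}
    print(check_new("10.0.1.10", "255.255.255.0", "10.0.1.1", "10.0.1.100"))
    print(check_join(cluster, "10.0.2.11", "255.255.255.0", "4.1.2"))
```

Run the checks from a workstation before touching the console: the access-list finding in particular is one you cannot recover from at the join prompt, since the new ASA is rejected before it can fetch any configuration.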


Installing and Adding an ASA 310-FIPS

The ASA 310-FIPS model is an ASA 310 where the ordinary SSL accelerator card has been replaced by the HSM (Hardware Security Module) SSL accelerator card. For more information about the ASA 310-FIPS model, see “Introducing the ASA 310-FIPS” on page 27.

After having installed the first ASA 310-FIPS, additional ASA 310-FIPS units can be added to the same cluster by specifying the Management IP (MIP) address that identifies the cluster. For more information about adding an ASA 310-FIPS to an existing cluster, see page 49.

Before installing or adding an ASA 310-FIPS, please make sure that you have fully understood the concept of iKeys. You might also want to decide the labeling scheme you want to use for identifying which iKey is used to initialize a certain HSM card, and label two of the black cluster-specific iKeys “CODE-SO” and “CODE-USER” respectively in advance. For more information about the concept of iKeys and the ASA 310-FIPS model in general, see “Introducing the ASA 310-FIPS” on page 27. You should also decide on a password scheme, since you will define passwords not only for the admin user, but also for the HSM-SO iKeys, the HSM-USER iKeys, and possibly a secret passphrase (when selecting FIPS mode).


Installing an ASA 310-FIPS in a New ClusterWhen you log in as the admin user after having started the ASA 310-FIPS the first time, the Setup menu is displayed.

1. Choose new from the Setup menu to install the ASA 310-FIPS as the first member in a new cluster.

2. Configure the port number for the management interface, and the basic IP network set-tings.

Provide answers to the requested information to enable network access of the ASA 310-FIPS. Make sure that the IP address you assign to the machine, and the Management IP address you assign to the cluster (a new cluster is actually created, even though it only contains a single ASA 310-FIPS to start with), are unique on your network and that they are within the same network address range. The gateway IP address you specify must also be within the same net-work address range as the machine IP address and the Management IP address. If not, a built-in control function in the Setup utility will detect the erroneous configuration and ask you to check your network settings before trying again.

[Setup Menu]
    join - Join an existing iSD cluster
    new  - Initialize iSD as a new installation
    boot - Boot Menu
    info - Information Menu
    exit - Exit [global command, always available]
>> Setup# new
Setup will guide you through the initial configuration of the iSD.

(new setup, continued)
Enter port number for the management network [1-2]: 1 <Specify the port you want to use for network connectivity>
Enter IP address for this machine: <IP address>
Enter network mask [255.255.255.0]: <Press ENTER if correct>
Enter gateway IP address (or blank to skip): <gateway IP address>
Enter the Management IP (MIP) address: <IP address>
Trying to contact gateway...ok
Making sure the MIP does not exist...ok
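The address consistency check that the Setup utility applies at this step, re-implemented offline as an added example (this is not the product's code; the exact rules and the sample addresses are assumptions based on the description above). The same check covers the join procedure, which prompts only for the machine IP and the MIP and not for a gateway.

```python
import ipaddress
from typing import List, Optional


def check_setup_addresses(machine_ip: str, netmask: str, mip: str,
                          gateway: Optional[str] = None) -> List[str]:
    """Return a list of problems with the entered addresses; an empty list means OK.

    Assumed rules, modelled on the manual's description of the Setup utility's
    built-in control function: the machine IP, the Management IP (MIP) and the
    gateway (when given) must all lie in the same network address range, must be
    usable host addresses, and must be distinct. What this offline check cannot do
    is what the real utility does next: contact the gateway and verify that the
    MIP is not already in use on the network.
    """
    problems: List[str] = []
    try:
        net = ipaddress.IPv4Network(f"{machine_ip}/{netmask}", strict=False)
        addrs = {
            "machine IP": ipaddress.IPv4Address(machine_ip),
            "Management IP (MIP)": ipaddress.IPv4Address(mip),
        }
        if gateway:
            addrs["gateway IP"] = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        return [f"malformed address or mask: {exc}"]

    # Every address must be inside the machine's own network, and must not be the
    # network or broadcast address of that network.
    for name, addr in addrs.items():
        if addr not in net:
            problems.append(f"{name} {addr} is not within network {net}")
        elif net.prefixlen < 31 and addr in (net.network_address, net.broadcast_address):
            problems.append(f"{name} {addr} is the network or broadcast address of {net}")

    # The machine IP, the MIP and the gateway must be unique addresses.
    seen = {}
    for name, addr in addrs.items():
        if addr in seen:
            problems.append(f"{name} and {seen[addr]} are both {addr}; they must be unique")
        seen[addr] = name
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real installation.
    print(check_setup_addresses("192.168.128.185", "255.255.255.0",
                                "192.168.128.200", "192.168.128.1"))   # []
    print(check_setup_addresses("192.168.128.185", "255.255.255.0",
                                "192.168.129.10", "10.0.0.1"))         # two problems
```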


3. Configure the time zone and NTP and DNS server settings.

If you don’t have access to the IP address of an NTP server or DNS server at this point, you can configure these items after the initial setup is completed. See page 302 for information on how to configure NTP servers, and page 303 for information on how to configure DNS servers.

4. Generate new SSH host keys and define a password for the admin user.

In order to maintain a high level of security when accessing the ASA 310-FIPS via an SSH connection, it is recommended that you accept the default choice to generate new SSH host keys. Note that both Telnet access and SSH access to the ASA 310-FIPS are disabled by default. If your security policy permits accessing the ASA 310-FIPS over the network for configuration purposes, it is recommended that you enable only SSH connections. For more information about using SSH, see “Establishing a Connection Using SSH (Secure Shell)” on page 114.

Make sure you remember the password you define for the admin user. You will need to provide the correct admin user password when logging in to the cluster for configuration purposes, and also when adding another ASA 310-FIPS to the cluster by performing a join in the Setup menu.

5. Choose the appropriate security mode for the ASA 310-FIPS cluster.

Decide which security mode to use for the new ASA 310-FIPS cluster—FIPS mode or Extended Security mode. The default Extended Security mode should be used whenever your security policy does not explicitly require conforming to the FIPS 140-1, Level 3 standard.

(new setup, continued)
Enter a timezone or ’select’ [select]: <Press ENTER to select>
Select a continent or ocean: <Continent or ocean by number>
Select a country: <Country by number>
Select a region: <Region by number, if applicable>
Selected timezone: <Suggested timezone, based on your selections>
Enter the current date (YYYY-MM-DD) [2003-03-01]: <Press ENTER if correct>
Enter the current time (HH:MM:SS) [09:26:16]: <Press ENTER if correct>
Enter NTP server address (or blank to skip): <IP address>
Enter DNS server address (or blank to skip): <IP address>

(new setup, continued)
Generate new SSH host keys (yes/no) [yes]: <Press ENTER to accept>
This may take a few seconds...ok
Enter a password for the "admin" user:
Re-enter to confirm:


For more information about the FIPS mode and the Extended Security mode, see “Introducing the ASA 310-FIPS” on page 27.

6. Initialize HSM card 0 by inserting the first pair of HSM-SO and HSM-USER iKeys, and by defining passwords.

Step 6 and Step 7 are related to initializing the HSM cards that your ASA 310-FIPS is equipped with. The Setup utility will identify the first HSM card as card 0, and the second HSM card as card 1. Each HSM card is initialized by inserting the proper iKeys and defining a password for each user role. To successfully initialize both HSM cards, you need to have the following iKeys:

• One pair of iKeys to be used for initializing HSM card 0.

  • The purple HSM Security Officer iKey, embossed with “HSM-SO”.

  • The blue HSM User iKey, embossed with “HSM-USER”.

Label these iKeys and HSM card 0 in a way so that the connection between them is obvious. After HSM card 0 has been initialized, this card will only accept the HSM-SO and HSM-USER iKeys that were used when initializing this particular HSM card. Even if you choose to use the same HSM-SO and HSM-USER passwords when you initialize card 1 as the passwords you defined when initializing card 0, the HSM-SO and HSM-USER iKeys for card 1 are not interchangeable with the HSM-SO and HSM-USER iKeys for card 0.

• One pair of iKeys to be used for initializing HSM card 1.

  • The purple HSM Security Officer iKey, embossed with “HSM-SO”.

  • The blue HSM User iKey, embossed with “HSM-USER”.

Label these iKeys and HSM card 1 in a way so that the connection between them is obvious. If you will use more than one ASA 310-FIPS device in the cluster, you must also take steps to identify which pair of iKeys is used on which HSM card on which device in the cluster.

(new setup, continued)
Use FIPS or Extended Security Mode? (fips/extended) [extended]: <Press ENTER to accept the default extended mode, or change the security mode to fips>


You also need to make sure that you can easily access the USB ports on the HSM cards, located on the rear of the ASA 310-FIPS device. When an operation requires inserting an HSM iKey, a flashing LED will direct you to the USB port on the correct HSM card.

NOTE – For more information about iKeys, see “The Concept of iKey Authentication” on page 29.

7. Initialize HSM card 1 by inserting the second pair of HSM-SO and HSM-USER iKeys, and by defining passwords.

Remember to take steps to label each pair of HSM-SO and HSM-USER iKeys and the HSM card to which each set of iKeys is associated during the initialization.

(new setup, continued)
Verify that HSM-SO iKey (purple) is inserted in card 0 (with flashing LED).
Hit enter when done.
Enter a new HSM-SO password for card 0: <define an HSM-SO password>
Re-enter to confirm:
The HSM-SO iKey has been updated.
Verify that HSM-USER iKey (blue) is inserted in card 0 (with flashing LED).
Hit enter when done.
Enter a new HSM-USER password for card 0: <define an HSM-USER password>
Re-enter to confirm:
The HSM-USER iKey has been updated.
Card 0 successfully initialized.

(new setup, continued)
Verify that HSM-SO iKey (purple) is inserted in card 1 (with flashing LED).
Hit enter when done.
Enter a new HSM-SO password for card 1: <define a new HSM-SO password, or use the same HSM-SO password as for card 0>
Re-enter to confirm:
The HSM-SO iKey has been updated.
Verify that HSM-USER iKey (blue) is inserted in card 1 (with flashing LED).
Hit enter when done.
Enter a new HSM-USER password for card 1: <define a new HSM-USER password, or use the same HSM-USER password as for card 0>
Re-enter to confirm:
The HSM-USER iKey has been updated.
Card 1 successfully initialized.


8. Split the wrap key from HSM card 0 onto the CODE-SO and CODE-USER iKeys.

This step is related to splitting the software wrap key used internally in the cluster, and then loading the split wrap key onto the two black CODE-SO and CODE-USER iKeys. These iKeys will then be used to transfer the cluster wrap key onto another HSM card either within the same ASA 310-FIPS device (as in Step 9), or to HSM cards in an ASA 310-FIPS device that is added to the current cluster.

Each ASA 310-FIPS device is shipped with four black CODE iKeys. However, you will only need to use two of these in one given cluster. The extra two black iKeys can be used to create a pair of backup CODE iKeys. For more information about how to create a pair of backup CODE iKeys, see the splitkey command on page 339.

To successfully split and load the cluster wrap key onto the correct iKeys, you need the following:

• Two black CODE iKeys, which should be labeled “CODE-SO” and “CODE-USER” respectively.

If the black iKeys are not already labeled CODE-SO and CODE-USER respectively, it is recommended that you label them before inserting them. Whenever the cluster wrap key needs to be transferred onto an initialized HSM card, you will be prompted for each specific CODE iKey in turn. Having each iKey properly labeled CODE-SO and CODE-USER respectively will make this procedure easier.

NOTE – Unlike the HSM-SO and the HSM-USER iKeys, the CODE-SO and CODE-USER iKeys are not specific for each HSM card. Instead, the CODE-SO and CODE-USER iKeys are specific for each cluster of ASA 310-FIPS units. Therefore, if you have more than one cluster of ASA 310-FIPS units, you need to take steps so that you can identify to which cluster a pair of CODE-SO and CODE-USER iKeys is associated.

(new setup, continued)
Should new or existing CODE iKeys be used? (new/existing) [new]: <press ENTER to select new>
Verify that CODE-SO iKey (black) is inserted in card 0 (with flashing LED).
Hit enter when done.
Verify that HSM-USER iKey (blue) is inserted in card 0 (with flashing LED).
Hit enter when done.
Verify that CODE-USER iKey (black) is inserted in card 0 (with flashing LED).
Hit enter when done.
Wrap key successfully split from card 0.


9. Transfer the cluster wrap key from the CODE-SO and CODE-USER iKeys onto HSM card 1.

10. If you selected FIPS mode as the security mode, define a passphrase.

If you selected FIPS mode prior to initializing HSM card 0 (Step 5 on page 44), you will also be asked to define a passphrase. Make sure you remember the passphrase as you will be prompted for the same passphrase when adding other ASA 310-FIPS units to the same cluster. When selecting Extended Security mode, this step will not appear.

11. When the Setup utility has finished, log in to the ASA 310-FIPS again and continue with the configuration.

The setup utility is now finished, and after a short while you will get a login prompt. Log in as the admin user with the password you defined in Step 4. The Main menu is then displayed. You can now continue with the configuration of the ASA 310-FIPS using the command line interface (CLI). For more information about the CLI, see “The Command Line Interface” on page 111.

(new setup, continued)
Verify that CODE-SO iKey (black) is inserted in card 1 (with flashing LED).
Hit enter when done.
Verify that HSM-USER iKey (blue) is inserted in card 1 (with flashing LED).
Hit enter when done.
Verify that CODE-USER iKey (black) is inserted in card 1 (with flashing LED).
Hit enter when done.
Wrap key successfully combined to card 1.

(new setup, continued)
Enter a secret passphrase (it will be used during addition of new iSDs to the cluster):
Re-enter to confirm:

(new setup, continued)
Initializing system......ok
Setup successful. Relogin to configure.

login:


NOTE – After successfully having initialized the HSM cards, you are automatically logged in to each HSM card as USER. You can verify the current HSM card login status by using the /info/hsm command. After a reboot has occurred (whether intentionally invoked, or due to a power failure), you must manually log in to the HSM cards for the ASA 310-FIPS device to resume normal operations. For more information about logging in to the HSM cards after a reboot, see “An ASA HSM Stops Processing Traffic” on page 126.

Adding an ASA 310-FIPS to an Existing Cluster

You add additional ASA 310-FIPS units to an existing cluster by selecting join from the Setup menu of the ASA 310-FIPS after it has booted. This is the only way to add a new ASA 310-FIPS to an existing cluster. Selecting new from the Setup menu and providing the Management IP address of the existing cluster will not work, because new indicates creating a new cluster, and each cluster must have a unique Management IP address. When adding an ASA 310-FIPS to an existing cluster, note that all devices in the cluster must be of the same model.

To successfully perform a join from the Setup menu, all ASA 310-FIPS units in the cluster must run the same software version. If the ASA 310-FIPS you are about to add has a different software version, you need to adjust it to run the same software version as on the ASA 310-FIPS units currently installed in the cluster. This must be done before performing a join. For more information, see “Reinstalling the Software” on page 56. Another option is to upgrade the whole cluster to the same software version as on the new ASA 310-FIPS. For more information, see “Performing Minor/Major Release Upgrades” on page 60. You can check the currently installed software version by using the /boot/software/cur command.

When you log in as the admin user after having started the ASA 310-FIPS the first time, the Setup menu is displayed.

1. Choose join from the Setup menu to add the ASA 310-FIPS to an existing cluster.

[Setup Menu]
    join - Join an existing iSD cluster
    new  - Initialize iSD as a new installation
    boot - Boot Menu
    info - Information Menu
    exit - Exit [global command, always available]
>> Setup# join
Setup will guide you through the initial configuration of the iSD.


2. Specify the port number that is used in the cluster for the default management interface, enter the machine IP address, and the cluster management IP address.

Make sure you specify the port number that is currently used on Interface 1 in the cluster. To check the port assignment on Interface 1 of an existing cluster, connect to the cluster and use the /cfg/sys/cluster/host/interface 1/cur command.

Assign a unique IP address to the device and provide the Management IP address of the (existing) cluster to which you want to add the ASA 310-FIPS. Make sure that the IP address you assign to the device is within the same network address range as the Management IP address of the cluster. If not, a built-in control function in the Setup utility will detect the error and ask you to check your configuration before trying again.

To check the Management IP of an existing cluster, connect to the cluster and use the /cfg/sys/cluster/cur command.

3. Provide the correct admin user password, and specify the appropriate iSD type.

Type the correct password for the admin user.

When adding up to three additional ASA 310-FIPS units to a cluster containing a single ASA 310-FIPS, you may configure each additional ASA 310-FIPS as either master or slave. For up to three additional ASA 310-FIPS units, the default setting is master. When adding one or more ASA 310-FIPS units to a cluster that already contains four ASA 310-FIPS units, each additional ASA 310-FIPS is automatically configured as slave. It is recommended that there are 2-4 master ASA 310-FIPS units in each cluster, so in most cases there is no need to change the default setting. If needed, you can always reconfigure an ASA 310-FIPS by changing the Type setting after the initial setup. For more information, see the type command under “iSD Host Configuration” on page 306.

(join setup, continued)
Enter port number for the management network [1-2]: 1 <Specify the port that is currently used for network connectivity on the management interface (Interface 1)>
Enter IP address for this machine: <IP address>

The system is initialized by connecting to the management server on an existing iSD, which must be operational and initialized.
Enter the Management IP (MIP) address: <IP address>

(join setup, continued)
Enter the existing admin user password:
Enter the type of this iSD (master/slave) [master]: ......ok


4. Initialize HSM card 0 by inserting the first pair of HSM-SO and HSM-USER iKeys, and by defining passwords.

Step 4 and Step 5 are related to initializing the HSM cards that your ASA 310-FIPS is equipped with. The Setup utility will identify the first HSM card as card 0, and the second HSM card as card 1. Make sure you have the required iKeys before proceeding. To successfully initialize both HSM cards, you need to have the following iKeys:

• One pair of iKeys to be used for initializing HSM card 0.

  • The purple HSM Security Officer iKey, embossed with “HSM-SO”.

  • The blue HSM User iKey, embossed with “HSM-USER”.

Label these iKeys and HSM card 0 in a way so that the connection between them is obvious. After HSM card 0 has been initialized, this card will only accept the HSM-SO and HSM-USER iKeys used when initializing this particular HSM card. Even if you choose to use the same HSM-SO and HSM-USER passwords when you initialize card 1 as the passwords you defined when initializing card 0, the HSM-SO and HSM-USER iKeys for card 1 are not interchangeable with the HSM-SO and HSM-USER iKeys for card 0.

• One pair of iKeys to be used for initializing HSM card 1.

  • The purple HSM Security Officer iKey, embossed with “HSM-SO”.

  • The blue HSM User iKey, embossed with “HSM-USER”.

Label these iKeys and HSM card 1 in a way so that the connection between them is obvious. Because you will have more than one ASA 310-FIPS device in the cluster, you must also take steps to identify which pair of iKeys is used on which HSM card on which device in the cluster.

You also need to make sure that you can easily access the USB ports on the HSM cards, located on the rear of the ASA 310-FIPS device. When an operation requires inserting an HSM iKey, a flashing LED will direct you to the USB port on the correct HSM card.


NOTE – For more information about iKeys, see “The Concept of iKey Authentication” on page 29.

5. Initialize HSM card 1 by inserting the second pair of HSM-SO and HSM-USER iKeys, and by defining passwords.

Remember to take steps to label each pair of HSM-SO and HSM-USER iKeys and the HSM card to which each set of iKeys is associated during the initialization. Because each ASA 310-FIPS device in the cluster will have two HSM cards, you must also take steps to identify with which ASA 310-FIPS device each pair of iKeys is associated. Your labeling must ensure that the connection is obvious between a pair of HSM-SO/HSM-USER iKeys, the HSM card that was initialized by using those iKeys, and the ASA 310-FIPS device holding that particular HSM card.

(join setup, continued)
Verify that HSM-SO iKey (purple) is inserted in card 0 (with flashing LED). <insert the HSM-SO iKey specific for this HSM card>
Hit enter when done.
Enter a new HSM-SO password for card 0: <define an HSM-SO password>
Re-enter to confirm:
The HSM-SO iKey has been updated.
Verify that HSM-USER iKey (blue) is inserted in card 0 (with flashing LED). <insert the HSM-USER iKey specific for this HSM card>
Hit enter when done.
Enter a new HSM-USER password for card 0: <define an HSM-USER password>
Re-enter to confirm:
The HSM-USER iKey has been updated.
Card 0 successfully initialized.


6. Transfer the cluster wrap key from the CODE-SO and CODE-USER iKeys onto HSM card 0.

Step 6 and Step 7 are related to transferring the cluster wrap key onto the two HSM cards in the ASA 310-FIPS you are adding to the cluster. The wrap key is transferred onto each HSM card in two steps, where each half of the cluster wrap key stored on the two black CODE-SO and CODE-USER iKeys is loaded and combined on the HSM card in the new ASA 310-FIPS cluster member.

To successfully load and combine the cluster wrap key onto the HSM cards, you need the following:

• The two black HSM Code iKeys, labeled “CODE-SO” and “CODE-USER” respectively, that you used when installing the first ASA 310-FIPS in the cluster.

(join setup, continued)
Verify that HSM-SO iKey (purple) is inserted in card 1 (with flashing LED). <insert the HSM-SO iKey specific for this HSM card>
Hit enter when done.
Enter a new HSM-SO password for card 1: <define a new HSM-SO password, or use the same HSM-SO password as for card 0>
Re-enter to confirm:
The HSM-SO iKey has been updated.
Verify that HSM-USER iKey (blue) is inserted in card 1 (with flashing LED). <insert the HSM-USER iKey specific for this HSM card>
Hit enter when done.
Enter a new HSM-USER password for card 1: <define a new HSM-USER password, or use the same HSM-USER password as for card 0>
Re-enter to confirm:
The HSM-USER iKey has been updated.
Card 1 successfully initialized.


If you have more than one cluster of ASA 310-FIPS units, make sure that you can identify the cluster with which the pair of CODE iKeys is associated. The cluster wrap key that is split and stored on the two CODE iKeys is specific for each cluster of ASA 310-FIPS units.
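The relationship between the cluster wrap key and the CODE-SO and CODE-USER iKeys, modelled as an added example for Step 8 of the new installation and Steps 6 and 7 of the join procedure (this is not the product's code; the XOR two-of-two split, the 32-byte key length and the use of the MIP as a cluster label are assumptions, since the manual does not describe the actual mechanism). It shows why one CODE iKey alone is useless, why a backup pair made with the spare black iKeys still combines to the same key, and why a pair from another cluster must be refused.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Tuple

WRAP_KEY_BYTES = 32  # constructed length; the real wrap key size is not stated in the manual


@dataclass(frozen=True)
class CodeIKey:
    role: str         # "CODE-SO" or "CODE-USER"
    cluster_mip: str  # label tying the iKey to one cluster (assumption: clusters labelled by MIP)
    share: bytes      # this iKey's half of the split wrap key


def split_wrap_key(wrap_key: bytes, cluster_mip: str) -> Tuple[CodeIKey, CodeIKey]:
    """Split wrap_key into two shares and place one on each CODE iKey (XOR split, an assumption).

    The CODE-SO share is fresh randomness and the CODE-USER share is wrap_key XOR that
    randomness, so each share on its own is uniformly random: neither iKey alone yields
    the wrap key, and combining requires both, which is why Setup prompts for each in turn.
    """
    if len(wrap_key) != WRAP_KEY_BYTES:
        raise ValueError(f"wrap key must be {WRAP_KEY_BYTES} bytes")
    so_share = secrets.token_bytes(WRAP_KEY_BYTES)
    user_share = bytes(k ^ s for k, s in zip(wrap_key, so_share))
    return (CodeIKey("CODE-SO", cluster_mip, so_share),
            CodeIKey("CODE-USER", cluster_mip, user_share))


def combine_wrap_key(so_key: CodeIKey, user_key: CodeIKey, target_cluster_mip: str) -> bytes:
    """Recombine the wrap key onto an HSM card that belongs to target_cluster_mip.

    Rejects anything other than one CODE-SO plus one CODE-USER iKey, and rejects an iKey
    labelled for a different cluster: CODE iKeys are cluster-specific, not card-specific.
    """
    if (so_key.role, user_key.role) != ("CODE-SO", "CODE-USER"):
        raise ValueError("need one CODE-SO iKey and one CODE-USER iKey, in that order")
    for key in (so_key, user_key):
        if key.cluster_mip != target_cluster_mip:
            raise ValueError(f"{key.role} iKey belongs to cluster {key.cluster_mip}, "
                             f"not {target_cluster_mip}")
    if len(so_key.share) != len(user_key.share):
        raise ValueError("CODE iKey shares have different lengths")
    return bytes(a ^ b for a, b in zip(so_key.share, user_key.share))


def make_backup_pair(so_key: CodeIKey, user_key: CodeIKey) -> Tuple[CodeIKey, CodeIKey]:
    """Create an independent backup pair for the same cluster (the spare black iKeys).

    The key is recombined and split again with fresh randomness, so the backup shares
    differ from the originals while still combining to the same wrap key.
    """
    wrap_key = combine_wrap_key(so_key, user_key, so_key.cluster_mip)
    return split_wrap_key(wrap_key, so_key.cluster_mip)


def demo() -> bool:
    """Split on card 0, combine on card 1, make a backup pair, and refuse a foreign pair."""
    cluster_a, cluster_b = "192.168.128.200", "192.168.129.200"   # constructed MIPs
    wrap_key = secrets.token_bytes(WRAP_KEY_BYTES)                 # constructed cluster wrap key
    so_a, user_a = split_wrap_key(wrap_key, cluster_a)             # split from card 0
    if combine_wrap_key(so_a, user_a, cluster_a) != wrap_key:      # combine onto card 1
        return False
    if so_a.share == wrap_key or user_a.share == wrap_key:         # one iKey alone is not the key
        return False
    backup_so, backup_user = make_backup_pair(so_a, user_a)
    if backup_so.share == so_a.share:
        return False
    if combine_wrap_key(backup_so, backup_user, cluster_a) != wrap_key:
        return False
    so_b, _ = split_wrap_key(secrets.token_bytes(WRAP_KEY_BYTES), cluster_b)
    try:
        combine_wrap_key(so_b, user_a, cluster_a)                  # iKeys from two clusters
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("demo ok" if demo() else "demo FAILED")
```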

7. Transfer the cluster wrap key from the CODE-SO and CODE-USER iKeys onto HSM card 1.

8. If you selected FIPS mode when installing the first ASA 310-FIPS in the cluster, provide the correct passphrase.

If you selected FIPS mode when installing the first ASA 310-FIPS in the cluster (Step 5 on page 44), you will also be asked to provide the passphrase you defined at that time. If you selected Extended Security mode, this step will not appear.

(join setup, continued)
Verify that CODE-SO iKey (black) is inserted in card 0 (with flashing LED). <insert the same CODE-SO iKey that you used when installing the first ASA 310-FIPS in the cluster>
Hit enter when done.
Verify that HSM-USER iKey (blue) is inserted in card 0 (with flashing LED).
Hit enter when done.
Verify that CODE-USER iKey (black) is inserted in card 0 (with flashing LED). <insert the same CODE-USER iKey that you used when installing the very first ASA 310-FIPS in the cluster>
Hit enter when done.
Wrap key successfully combined to card 0.

(join setup, continued)
Verify that CODE-SO iKey (black) is inserted in card 1 (with flashing LED). <insert the same CODE-SO iKey that you used in Step 6>
Hit enter when done.
Verify that HSM-USER iKey (blue) is inserted in card 1 (with flashing LED).
Hit enter when done.
Verify that CODE-USER iKey (black) is inserted in card 1 (with flashing LED). <insert the same CODE-USER iKey that you used in Step 6>
Hit enter when done.
Wrap key successfully combined to card 1.

(join setup, continued)
Enter the secret passphrase (as given during initialization of the first iSD in the cluster):


9. Wait until the Setup utility has finished.

The setup utility is now finished. The ASA 310-FIPS that has now been added to the cluster will automatically pick up all configuration data from one of the already installed ASA 310-FIPS units in the cluster. After a short while you will get a login prompt.

NOTE – After successfully having initialized the HSM cards, you are automatically logged in to each HSM card as USER. You can verify the current HSM card login status by using the /info/hsm command. After a reboot has occurred (whether intentionally invoked, or due to a power failure), you must manually log in to the HSM cards for the ASA 310-FIPS device to resume normal operations. For more information about logging in to the HSM cards after a reboot, see “An ASA HSM Stops Processing Traffic” on page 126.

If needed, you can now continue with the configuration of the ASA 310-FIPS units using the command line interface (CLI). Log in as the admin user, and the Main menu is displayed. For more information about the CLI, see “The Command Line Interface” on page 111.

(join setup, continued)
Setup successful.

login:


Reinstalling the Software

If the software version on a new ASA that you are adding to an existing cluster differs from the version running on the ASAs already in the cluster, you will need to reinstall the software. Otherwise, reinstalling the software is seldom required, except in the case of a serious malfunction.

When you log in as the boot user and perform a reinstallation of the software, the ASA is reset to its factory default configuration. All configuration data and current software is wiped out, including old software image versions or upgrade packages that may be stored in the flash memory card or on the hard disk. Also note that a reinstall must be performed on each ASA via a console connection.

NOTE – A reinstall wipes out all configuration data (including network settings). Therefore you should first save all configuration data to a file on a TFTP or FTP server. Using the ptcfg command, installed keys and certificates are included in the configuration data, and can later be restored by using the gtcfg command. For more information about these commands, see the respective command under “Configuration Menu” on page 172. If you would prefer to make backup copies of your keys and certificates separately, you can use the display or export command. For more information about these commands, see the respective command under “Certificate Management Configuration” on page 179.

To reinstall an ASA you will need the following:

• Access to the ASA via a console connection.

• An install image, loaded on a TFTP server or an FTP server on your network.

• The host name or IP address of the TFTP server or FTP server.

• The name of the install image.

• Log in as user: boot, password: ForgetMe

NOTE – Configure DNS parameters if you will be specifying host names. See “DNS Servers Configuration” on page 303.

When performing a reinstallation of the ASA software, access to the ASAs must be accomplished via the console port.


1. Log in as the boot user and provide the correct password.

2. Confirm the network port setting, and the IP network settings.

NOTE – If the ASA has not been configured for network access previously, or if you have deleted the ASA from the cluster by using the /boot/delete command, you must provide information about network settings such as interface port, IP address, network mask, and gateway IP address. No suggested values related to a previous configuration will be presented within square brackets.

3. Select a download method, specify the server IP address, and the boot image file name.

NOTE – For some TFTP servers, files larger than 16 MB may cause the update to fail.

login: boot
Password:

*** Reinstall Upgrade Procedure ***
If you proceed beyond this point, the active network configuration will be reset, requiring a reboot to restore any current settings. However, no permanent changes will be done until the boot image has been downloaded.
Continue (y/n)? [y]: <Press ENTER to continue>

(reinstall procedure, continued)
Select a network port (1-2, or i for info) [1]: <Press ENTER if correct, or change to the port you are using for network connectivity>
Enter VLAN tag id (or zero for no VLAN tag) [0]: <VLAN tag id or ENTER>
Enter IP address for this iSD [192.168.128.185]: <Press ENTER if the IP address displayed within square brackets is correct.>
Enter network mask [255.255.255.0]: <Press ENTER if correct.>
Enter gateway IP address [192.168.128.1]: <Press ENTER if correct.>

(reinstall procedure, continued)
Select TFTP (t) or FTP (f) [t]: <Press ENTER for TFTP>
Enter TFTP server address: 10.0.0.1
Enter file name of boot image: SSL-4.1.x-boot.img
Downloading boot image...
Installing new boot image...
Done


4. Log in to the Alteon SSL Accelerator as the admin user, after the device has rebooted on the newly installed boot image.

After the new boot image has been installed, the ASA will reboot and you can log in again when the login prompt appears. This time, log in as the admin user to enter the Setup menu. For more information about the Setup menu, see page 35 and onwards.

(reinstall procedure, continued)
Restarting...
Restarting system.
Alteon WebSystems, Inc. 0005004D
Booting...

Login:


CHAPTER 4
Upgrading the ASA Software

The Alteon SSL Accelerator (ASA) software image is the executable code running on the ASA. A version of the image ships with the ASA, and comes pre-installed on the device. As new versions of the image are released, you can upgrade the software running on your ASA. Before upgrading, please check the accompanying release notes for any specific actions to take for the particular software upgrade package or install image.

There are three types of upgrades:

• Minor release upgrade: This is typically a bug fix release. Usually this kind of upgrade can be done without the ASA rebooting. Thus, the normal operation and traffic flow is maintained. All configuration data is retained. When performing a minor upgrade, you should connect to the Management IP address of the cluster you want to upgrade.

• Major release upgrade: This kind of release may contain both bug fixes as well as feature enhancements. The ASA may automatically reboot after a major upgrade, since the operating system may have been enhanced with new features. All configuration data is retained. When performing a major upgrade, you should connect to the Management IP address of the cluster you want to upgrade.

Upgrading the software on your ASA requires the following:

• Loading the new software upgrade package or install image onto a TFTP or FTP server on your network.

• Downloading the new software from the TFTP or FTP server to your ASA.


Performing Minor/Major Release Upgrades

The following description applies to a minor or a major release upgrade.

To upgrade the ASA you will need the following:

• Access to one of your ASAs via a remote connection (Telnet or SSH), or a console connection.

• The software upgrade package, loaded on a TFTP or FTP server on your network.

• The host name or IP address of the TFTP or FTP server. If you choose to specify the host name, please note that the DNS parameters must have been configured. For more information, see “DNS Servers Configuration” on page 303.

• The name of the software upgrade package (upgrade packages are identified by the .pkg file name extension).

It is important to realize that the set of installed ASAs you are running in a cluster are cooperating to give you a single system view. Thus, when performing a minor or a major release upgrade, you only need to be connected to the Management IP address of the cluster. The upgrade will automatically be executed on all the ASAs in operation at the time of the upgrade. All configuration data is retained. For a minor upgrade, normal operations are usually unaffected, whereas a major upgrade may cause the ASA to reboot.

Access to the Management IP address can be accomplished via a Telnet connection or an SSH (Secure Shell) connection. Note however that Telnet and SSH connections to the ASA are disabled by default, after the initial setup has been performed. For more information about enabling Telnet and SSH connections, see “Connecting to the ASA” on page 112. When you have gained access to the ASA, use the following procedure.

1. To download the software upgrade package, enter the following command at the Main menu prompt. Then select whether to download the software upgrade package from a TFTP or FTP server:

    >> Main# boot/software/download
    Select TFTP or FTP (tftp/ftp) [tftp]: tftp

NOTE – For some TFTP servers, files larger than 16 MB may cause the upgrade to fail.

2. Enter the host name or IP address of the TFTP or FTP server.

    Enter hostname or IP address of server: <TFTP or FTP server host name or IP address>

3. Enter the file name of the software upgrade package to download.

    Enter filename on server: <filename.pkg>
    Received 10745386 bytes in 12.0 seconds
    Unpacking...ok

    >> Software Management#

The exact form of the name will vary by TFTP server. However, the file location is normally relative to the TFTP directory (usually /tftpboot).

Activating the Software Upgrade Package

The ASA can hold up to two software versions simultaneously. To view the current software status, use the /boot/software/cur command. When a new version of the software is downloaded to the ASA, the software package is decompressed automatically and marked as unpacked. After you activate the unpacked software version (which may cause the ASA to reboot), the software version is marked as permanent. The software version previously marked as permanent will then be marked as old.

For minor and major releases, the software upgrade takes place synchronously among the set of ASAs in a cluster. If one or more ASAs are not operational when the software is upgraded, they will automatically pick up the new version when they are started.

NOTE – If more than one software upgrade has been performed on a cluster while an ASA has been out of operation, the ASA must be reinstalled with the software version currently in use in that cluster. For more information about how to perform a reinstall, see “Reinstalling the Software” on page 56.

When you have downloaded the software upgrade package, you can inspect its status with the /boot/software/cur command.


1. At the Software Management# prompt, enter the following command:

    >> Software Management# cur
    Version  Name  Status
    -------  ----  ------
    4.1      SSL   unpacked
    4.0      SSL   permanent

The downloaded software upgrade package is indicated with the status unpacked. The software versions can be marked with one of four possible status values. The meanings of these status values are:

• unpacked means that the software upgrade package has been downloaded and automatically decompressed.

• permanent means that the software is operational and will survive a reboot of the system.

• old means the software version has been permanent but is not currently operational. If a software version marked old is available, it is possible to switch back to this version by activating it again.

• current means that a software version marked as old or unpacked has been activated. As soon as the system has performed the necessary health checks, the current status changes to permanent.

To activate the unpacked software upgrade package, use the activate command.

2. At the Software Management# prompt, enter:

    >> Software Management# activate 4.1
    Confirm action ’activate’? [y/n]: y
    Activate ok, relogin
    <you are logged out here>
    Restarting system.

    login:

NOTE – Activating the unpacked software upgrade package may cause the command line interface (CLI) software to be upgraded as well. Therefore, you will be logged out of the system, and will have to log in again. Wait until the login prompt appears. This may take up to 2 minutes, depending on your type of hardware platform and whether the system reboots.


3. After having logged in again, verify the new software version:

    >> Main# boot/software/cur
    Version  Name  Status
    -------  ----  ------
    4.1      SSL   permanent
    4.0      SSL   old

In this example, version 4.1 is now operational and will survive a reboot of the system, while the software version previously indicated as permanent is marked as old.

NOTE – If you encounter serious problems while running the new software version, you can revert to the previous software version (now indicated as old). To do this, activate the software version indicated as old. When you log in again after having activated the old software version, its status is indicated as current for a short while. After about one minute, when the system has performed the necessary health checks, the current status is changed to permanent.

Upgrading a Mixed ASA Cluster

This section describes how to upgrade from a software version earlier than 3.0 to software version 4.1 in a cluster where the ASA 310 Fiber NIC model coexists with ASA 310s without Fiber NIC.

The ASA 310 Fiber NIC model uses a different port for the default management network during the upgrade in order to make use of the built-in 3Com Gigabit fiber-optic NIC. When coexisting with other ASA models, network connectivity within the cluster will therefore be lost. To successfully upgrade such a mixed cluster and maintain network connectivity after the upgrade is complete, follow the procedure described below.

On subsequent upgrades to software versions later than 4.1, you can safely follow the regular upgrade procedure described in “Performing Minor/Major Release Upgrades” on page 60.

1. Delete all ASA 310 or ASA 410 Fiber NIC devices from the cluster.

To make sure that you specify the correct host number when deleting an ASA 310 Fiber NIC from the cluster, use the /cfg/sys/cluster/cur command to display each device in the cluster by host number, IP address, and number of physical ports.

    >> Main# cfg/sys/cluster/host 1
    >> iSD Host 1# delete


Repeat this step until all ASA 310 Fiber NIC devices in the cluster are deleted.

2. Upgrade the remaining ASAs in the cluster to version 4.1.

3. Upgrade the software on the ASA 310 or ASA 410 Fiber NIC device to version 4.1 by following the instructions in “Reinstalling the Software” on page 56. Make sure you use a boot image with version number 4.1 or later.

4. Join the upgraded ASA 310 Fiber NIC device to the cluster by following the instructions in “Adding an ASA to an Existing Cluster” on page 39. When asked to specify a port number for the management network, make sure you specify port number 1.

    >> Setup# join
    Setup will guide you through the configuration of the iSD.
    Enter port number for the management network [1-3]: 1

On subsequent upgrades, this port number configuration will be retained.

5. Repeat steps 3 and 4 for each ASA 310 Fiber NIC device that initially was deleted from the cluster.

CHAPTER 5
Managing Users and Groups

This chapter describes the rules that govern user rights, how to add or delete users from the system, how to set or change group assignments, and how to change login passwords.

User Rights and Group Membership

Group membership dictates user rights, according to Table 5-1. When a user is a member of more than one group, user rights accumulate. The admin user, who by default is a member of all three groups, therefore has the same user rights as granted to members of the certadmin and oper groups, in addition to the specific user rights granted by the admin group membership. The most permissive user rights become the effective user rights when a user is a member of more than one group. For more information about default user groups and related access levels, see also “Accessing the ASA” on page 116.

Table 5-1 User Rights and Group Membership

Group Account | User Account | Add User to System | Delete User from System | Add User to Group | Remove User from Group | Change own Password | Change other User’s Password
admin         | admin        | Yes                | Yes                     | Yes, to own group | Yes                    | Yes                 | Yes, if admin is a member of the other user’s first group
certadmin     | admin        | No                 | No                      | Yes, to own group | No                     | Yes                 | No
oper          | oper, admin  | No                 | No                      | Yes, to own group | No                     | Yes                 | No


Adding a New User

To add a new user to the system, you must be a member of the admin group. By default, only the admin user is a member of the admin group.

In this configuration example, a Certificate Administrator user is added to the system, and then assigned to the certadmin group. The Certificate Administrator is supposed to specialize in managing certificates and private keys, without the possibility to change system parameters or configure virtual SSL servers. A user who is a member of the certadmin group can therefore access the Certificate menu (/cfg/ssl/cert), but not the SSL Server menu (/cfg/ssl/server). Access to the System menu (/cfg/sys) is limited, and entails access only to the User Access Control submenu (/cfg/sys/user).

1. Log in to the ASA cluster as the admin user.

    login: admin
    Password: (admin user password)

2. Access the User Menu.

    >> Main# /cfg/sys/user
    ------------------------------------------------------------
    [User Menu]
         passwd   - Change own password
         list     - List all users
         del      - Delete a user
         add      - Add a new user
         edit     - Edit a user
         caphrase - Certadmin export passphrase

    >> User#

3. Add the new user and designate a user name.

    >> User# add
    Name of user to add: cert_admin (maximum 255 characters, no spaces)

The maximum length for a user name is 255 characters. No spaces are allowed. Each time the new user logs in to the ASA cluster, the user must enter the name you designate as the user name in this step.


4. Assign the new user to a user group.

    >> User# edit cert_admin
    >> User cert_admin# groups/add
    Enter group name: certadmin

You can only assign a user to a group in which you yourself are a member. When this criterion is met, users can be assigned to one or more of the following three groups:

• oper

• admin

• certadmin

By default, the admin user is a member of all groups above, and can therefore assign a new or existing user to any of these groups. The group assignment of a user dictates the user rights and access levels to the system.

5. Verify and apply the group assignment.

    >> Groups# list
    Old:
    Pending:
      1: certadmin
    >> Groups# apply
    Changes applied successfully.

When typing the list command, the current and pending group assignment of the user being edited is listed by index number and group name. Because the cert_admin user is a new user, the current group assignment listed by Old: is empty.

6. Define a login password for the user.

    >> Groups# /cfg/sys/user
    >> User# edit cert_admin
    >> User cert_admin# password
    Enter admin’s current password: (admin user password)
    Enter new password for cert_admin: (cert_admin user password)
    Re-enter to confirm: (reconfirm cert_admin user password)

When the user logs in to the ASA cluster the first time, the user will be prompted for the password you define in this step. When successfully logged in, the user can change his or her own password. The login password is case sensitive and can contain spaces.


7. Apply the changes.

    >> User cert_admin# apply
    Changes applied successfully.

8. Let the Certificate Administrator user define an export passphrase.

    >> User cert_admin# ../caphrase
    Enter new passphrase:
    Re-enter to confirm:
    Passphrase changed.

This step is only necessary if you want to fully separate the Certificate Administrator user role from the Administrator user role. If the admin user is removed from the certadmin group (as in Step 9), a Certificate Administrator export passphrase (caphrase) must be defined.

As long as the admin user is a member of the certadmin group (the default configuration), the admin user is prompted for an export passphrase each time a configuration backup that contains private keys is sent to a TFTP server (command: /cfg/ptcfg). When the admin user is not a member of the certadmin group, the export passphrase defined by the Certificate Administrator is used instead to encrypt private keys in the configuration backup. The encryption of private keys using the export passphrase defined by the Certificate Administrator is performed transparently to the user, without prompting. When the configuration backup is restored, the Certificate Administrator must enter the correct export passphrase.

NOTE – If the export passphrase defined by the Certificate Administrator is lost, configuration backups made by the admin user while he or she was not a member of the certadmin group cannot be restored.

NOTE – When using the /cfg/ptcfg command on an ASA 310-FIPS, private keys are always encrypted using the wrap key that was generated when the first HSM card in the cluster was initialized.

The export passphrase defined by the Certificate Administrator remains the same until changed by using the /cfg/sys/user/caphrase command. For users who are not members of the certadmin group, the caphrase command in the User menu is hidden. Only users who are members of the certadmin group should know the export passphrase. The export passphrase can contain spaces and is case sensitive.


9. Remove the admin user from the certadmin group.

    >> User# edit admin
    >> User admin# groups/list
      1: admin
      2: oper
      3: certadmin
    >> Groups# del 3

Again, this step is only necessary if you want to fully separate the Certificate Administrator user role from the Administrator user role. Note however that once the admin user is removed from the certadmin group, only a user who is already a member of the certadmin group can grant the admin user certadmin group membership anew.

When the admin user is removed from the certadmin group, only the Certificate Administrator user can access the Certificate menu (/cfg/ssl/cert).

NOTE – It is critical that a Certificate Administrator user is created and assigned certadmin group membership before the admin user is removed from the certadmin group. Otherwise there is no way to assign certadmin group membership to a new user, or to restore certadmin group membership to the admin user, should it become necessary.

10. Verify and apply the changes.

    >> Groups# list
    Old:
      1: admin
      2: oper
      3: certadmin
    Pending:
      1: admin
      2: oper
    >> Groups# apply


Changing a User’s Group Assignment

Only users who are members of the admin group can remove other users from a group. All users can add an existing user to a group, but only to a group in which the “granting” user is already a member. The admin user, who by default is a member of all three groups (admin, oper, and certadmin) can therefore add users to any of these groups.

1. Log in to the ASA cluster.

    login: cert_admin
    Password: (cert_admin user password)

In this example the cert_admin user, who is a member of the certadmin group, will add the admin user to the certadmin group. The example assumes that the admin user previously removed himself or herself from the certadmin group, in order to fully separate the Administrator user role from the Certificate Administrator user role.

2. Access the User Menu.

    >> Main# /cfg/sys/user
    ------------------------------------------------------------
    [User Menu]
         passwd   - Change own password
         list     - List all users
         del      - Delete a user
         add      - Add a new user
         edit     - Edit a user
         caphrase - Certadmin export passphrase

    >> User#

3. Assign the admin user certadmin user rights by adding the admin user to the certadmin group.

    >> User# edit admin
    >> User admin# groups/add
    Enter group name: certadmin

NOTE – A user must be assigned to at least one group at any given time. If you want to replace a user’s single group assignment, you must therefore always first add the user to the desired new group, then remove the user from the old group.


4. Verify and apply the changes.

    >> Groups# list
    Old:
      1: admin
      2: oper
    Pending:
      1: admin
      2: oper
      3: certadmin
    >> Groups# apply

Changing a User’s Password

Changing Your Own Password

All users can change their own password. Login passwords are case sensitive and can contain spaces.

1. Log in to the ASA cluster by entering your user name and current password.

    login: cert_admin
    Password: (cert_admin user password)

2. Access the User Menu.

    >> Main# /cfg/sys/user
    ------------------------------------------------------------
    [User Menu]
         passwd   - Change own password
         list     - List all users
         del      - Delete a user
         add      - Add a new user
         edit     - Edit a user
         caphrase - Certadmin export passphrase

    >> User#


3. Type the passwd command to change your current password.

    >> User# passwd
    Enter cert_admin’s current password: (current cert_admin user password)
    Enter new password: (new cert_admin user password)
    Re-enter to confirm: (reconfirm new cert_admin user password)
    Password changed.

When your own password is changed, the change takes effect immediately without having to use the apply command.

Changing Another User’s Password

Only the admin user can change another user’s password, and then only if the admin user is a member of the other user’s first group, i.e. the group that is listed first for the user with the /cfg/sys/user/edit <username>/groups/list command. Login passwords are case sensitive and can contain spaces.

1. Log in to the ASA cluster as the admin user.

    login: admin
    Password: (admin user password)

2. Access the User Menu.

    >> Main# /cfg/sys/user
    ------------------------------------------------------------
    [User Menu]
         passwd   - Change own password
         list     - List all users
         del      - Delete a user
         add      - Add a new user
         edit     - Edit a user
         caphrase - Certadmin export passphrase

    >> User#

3. Specify the user name of the user whose password you want to change.

    >> User# edit
    Name of user to edit: cert_admin


4. Type the password command to initialize the password change.

    >> User cert_admin# password
    Enter admin’s current password: (admin user password)
    Enter new password for cert_admin: (new password for user being edited)
    Re-enter to confirm: (confirm new password for user being edited)

5. Apply the changes.

    >> User cert_admin# apply
    Changes applied successfully.

Deleting a User

To delete a user from the system, you must be a member of the admin group. By default, only the admin user is a member of the admin group.

NOTE – Remember that when a user is deleted, that user’s group assignment is also deleted. If you are deleting a user who is the sole member of a group, none of the remaining users on the system can then be added to that group. Existing users can only be added to a group by a user who is already a member of that group. Before deleting a user, you may therefore want to verify that the user is not the sole member of a group.

1. Log in to the ASA cluster as the admin user.

    login: admin
    Password: (admin user password)

2. Access the User Menu.

    >> Main# /cfg/sys/user
    ------------------------------------------------------------
    [User Menu]
         passwd   - Change own password
         list     - List all users
         del      - Delete a user
         add      - Add a new user
         edit     - Edit a user

    >> User#


3. Specify the user name of the user you want to remove from the system configuration.

    >> User# del cert_admin

In this example, the cert_admin user is removed from the system. To list all users that are currently added to the system configuration, use the list command.

4. Verify and apply the changes.

    >> User# list
    root
    admin
    oper
    -cert_admin
    >> User# apply

The imminent removal of the cert_admin user is indicated as a pending configuration change by the minus sign (-). To cancel a configuration change that has not yet been applied, use the revert command.
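To show how the rules of Table 5-1 and the notes in this chapter interact, here is an added Python model of the ASA user and group rules. It is not the ASA’s own code: the user and group names are the manual’s defaults, while the helper names and the data layout are this example’s assumptions. It reproduces the role-separation procedure from “Adding a New User” and refuses the two irreversible mistakes the notes warn about: removing the admin user from certadmin before a certadmin user exists, and deleting the sole member of a group.

```python
"""Model of the Chapter 5 user/group rules (added example, not ASA code).

Rules encoded: a user can grant only groups it belongs to; only admin-group
members can remove a user from a group or delete a user; a user must keep at
least one group; the admin user may change another user's password only when
admin shares that user's first group. Names and layout are this example's
assumptions; the default users and groups are the manual's."""

from dataclasses import dataclass, field

GROUPS = ("admin", "oper", "certadmin")  # the three groups the ASA defines


class AccessError(Exception):
    """An operation that the Chapter 5 rules do not permit."""


@dataclass
class UserDatabase:
    # user name -> ordered list of groups; index 0 is the user's "first group"
    members: dict = field(default_factory=dict)

    def members_of(self, group):
        return [u for u, gs in self.members.items() if group in gs]

    def add_user(self, actor, user):
        # Adding a user to the system requires admin group membership.
        if "admin" not in self.members[actor]:
            raise AccessError(f"{actor} is not in the admin group")
        self.members.setdefault(user, [])

    def add_to_group(self, actor, user, group):
        # Any user may grant a group, but only one the actor already holds.
        if group not in GROUPS:
            raise AccessError(f"unknown group {group}")
        if group not in self.members[actor]:
            raise AccessError(f"{actor} is not a member of {group}")
        if group not in self.members[user]:
            self.members[user].append(group)

    def remove_from_group(self, actor, user, group):
        # Only admin-group members may remove a user from a group, and the
        # user must remain in at least one group (add the new group first).
        if "admin" not in self.members[actor]:
            raise AccessError(f"{actor} is not in the admin group")
        if group not in self.members[user]:
            raise AccessError(f"{user} is not in {group}")
        if len(self.members[user]) == 1:
            raise AccessError(f"{user} must keep at least one group")
        self.members[user].remove(group)

    def delete_user(self, actor, user):
        if "admin" not in self.members[actor]:
            raise AccessError(f"{actor} is not in the admin group")
        del self.members[user]

    def can_change_password(self, actor, user):
        # Own password: always. Another user's: only admin, and only when
        # admin is a member of that user's first group (Table 5-1).
        if actor == user:
            return True
        first = self.members[user][:1]
        return actor == "admin" and bool(first) and first[0] in self.members["admin"]

    def sole_member_warning(self, user, group):
        # The check the "Deleting a User" note asks for: once a group has no
        # member left, nobody can ever be added to it again.
        others = [u for u in self.members_of(group) if u != user]
        return None if others else f"{user} is the sole member of {group}"

    def orphaned_groups(self):
        return [g for g in GROUPS if not self.members_of(g)]


def default_database():
    # Factory defaults as the manual states them: admin is in all three
    # groups, the oper user is in oper.
    return UserDatabase({"admin": ["admin", "oper", "certadmin"], "oper": ["oper"]})


def separate_certadmin_role(db):
    """Steps 3, 4 and 9 of "Adding a New User": create cert_admin, grant it
    certadmin, then take certadmin away from admin. Refuses the last step
    while it would leave certadmin without any member."""
    db.add_user("admin", "cert_admin")
    db.add_to_group("admin", "cert_admin", "certadmin")
    warning = db.sole_member_warning("admin", "certadmin")
    if warning:
        raise AccessError(warning)
    db.remove_from_group("admin", "admin", "certadmin")
    return db.members_of("certadmin")


if __name__ == "__main__":
    db = default_database()
    print("certadmin members:", separate_certadmin_role(db))
    print("admin may reset cert_admin's password:", db.can_change_password("admin", "cert_admin"))
    print("warning:", db.sole_member_warning("cert_admin", "certadmin"))
```

Running the script shows the consequence of the separation that the manual describes: after step 9 the admin user can no longer reset cert_admin’s password (cert_admin’s first group is certadmin, which admin has left), and deleting cert_admin afterwards would leave certadmin with no member at all, which is exactly the state the note under “Deleting a User” tells you to check for before confirming the deletion.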

CHAPTER 6
Managing Certificates and Client Authentication

This chapter describes common tasks involving certificates and client authentication. The chapter also provides detailed step-by-step instructions for generating certificate signing requests, adding certificates to the ASA, generating and revoking client certificates, as well as configuring the ASA to require client certificates.

The ASA accelerator supports importing certificates in the PEM, NET, DER, PKCS7, and PKCS12 formats. The certificates must conform to the X.509 standard. You can create a new certificate, or use an existing certificate. The ASA supports using up to 1500 certificates. The basic steps to create a new certificate using the command line interface in the ASA are:

• Generate a Certificate Signing Request (CSR) and send it to a Certificate Authority (CA, such as Entrust or VeriSign) for certification.

• Add the signed certificate to the ASA.

NOTE – Even though the ASA supports keys and certificates created by using Apache-SSL, OpenSSL, or Stronghold SSL, the preferred method from a security point of view is to create keys and generate certificate signing requests from within the ASA by using the command line interface. This way, the encrypted private key never leaves the ASA, and is invisible to the user.


Generating and Submitting a CSR Using the CLI

1. Start the certificate signing request (CSR) and provide the necessary information.

    >> Main# cfg/ssl/cert
    Enter certificate number (1-): <certificate number>
    Creating Certificate 1
    >> Certificate 1# request
    The combined length of the following parameters may not exceed 225 bytes.
    Country Name (2 letter code):
    State or Province Name (full name):
    Locality Name (e.g., city):
    Organization Name (e.g., company):
    Organizational Unit Name (e.g., section):
    Common Name (e.g., your name or your server’s hostname):
    E-mail Address:
    Generate new key pair (y/n) [y]:
    Key size [1024]:
    Request a CA certificate (y/n) [n]:
    Specify challenge password (y/n) [n]:

NOTE – When specifying a certificate number, make sure not to use a number currently used by an existing certificate. To view basic information about all configured certificates, use the /info/certs command. The information displayed lists all configured certificates by their main attributes, including the certificate number (contained in the Certificate Menu line, such as “Certificate Menu 1:”).

Explanations for the requested units of information:

• Country Name: The two-letter ISO code for the country where the Web server is located. For current information about ISO country codes, visit for example http://www.iana.org

• State or Province Name: This is the name of the state or province where the head office of the organization is located. Enter the full name of the state or province.

• Locality Name: The name of the city where the head office of the organization is located.

• Organization Name: The registered name of the organization. This organization must own the domain name that appears in the common name of the Web server.

Do not abbreviate the organization name and do not use any of the following characters:

< > ~ ! @ # $ % ^ * / \ ( ) ?


• Organizational Unit Name: The name of the department or group that uses the secure Web server.

• Common Name: The name of the Web server as it appears in the URL. This name must be the same as the domain name of the Web server that is requesting a certificate. If the Web server name does not match the common name in the certificate, some browsers will refuse a secure connection with your site. Do not enter the protocol specifier (http://) or any port numbers or pathnames in the common name. Wildcards (such as * or ?) and IP addresses are not allowed.

• E-mail Address: Enter the user’s e-mail address.

• Generate new key pair [y]: In most cases you will want to generate a new key pair for a CSR. However, if a configured certificate is approaching its expiration date and you want to renew it without replacing the existing key, answering no (n) is appropriate. The CSR will then be based on the existing key (for the specified certificate number) instead.

• Key size [1024]: Specify the key length of the generated key. The default value is 1024.

• Request a CA certificate (y/n) [n]: Lets you specify whether to request a CA certificate to use for client authentication. Requesting a CA certificate is appropriate if you plan to issue your own server certificates or client certificates, generating them from the requested CA certificate. The default value is to not request a CA certificate.

• Specify challenge password (y/n) [n]:

2. Generate the CSR.

Press ENTER after you have provided the requested information. The CSR is generated and displayed on screen:

    -----BEGIN CERTIFICATE REQUEST-----
    ...
    -----END CERTIFICATE REQUEST-----

    Use ’apply’ to store the private key in the iSD until
    the signed certificate is entered.
    The private key will be lost unless you ’apply’ or
    save it elsewhere using ’export’.


3. Apply your changes.

    >> Certificate 1# apply
    Changes applied successfully.

4. Save the CSR to a file.

Copy the entire CSR, including the “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----” lines, and paste it into a text editor. Save the file with a .csr extension. The name you define can indicate the server on which the certificate is to be used.

5. Save the private key to a file.

NOTE – Provided you intend to use the same certificate number when adding the certificate returned to you (after the CSR has been processed by a certificate authority), this step is only necessary if you want to create a backup copy of the private key. When generating a CSR, the private key is created and stored (encrypted) on the ASA using the specified certificate number. When you receive the certificate (containing the corresponding public key) and add it to the ASA, make sure you specify the same certificate number that is used for storing the private key. Otherwise, the private key and the public key in the certificate will not match.


Type the display command and press ENTER. Choose to encrypt the private key, and specify a password phrase. Make sure to remember the password phrase.

    >> Certificate 1# display
    Encrypt private key (yes/no) [yes]: <Press ENTER>
    Enter export pass phrase:
    Reconfirm export pass phrase:
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,27C89CBC65615F06

    ...
    -----END RSA PRIVATE KEY-----

Copy the private key, including the “-----BEGIN RSA PRIVATE KEY-----” and “-----END RSA PRIVATE KEY-----” lines, and paste it into a text editor. Save the file with a .key extension. Preferably, use the same file name that you defined for the .csr file, so the connection between the two files becomes obvious. The name you define can indicate the server on which the certificate and the corresponding private key are to be used.

NOTE – When using an ASA 310-FIPS, the private key is protected by the HSM card and cannot be exported.

After you have received the processed CSR from a CA, make sure to create a backup copy of the certificate as well.


6. Open and copy the CSR.

In a text editor, open the .csr file you created in Step 4. It should appear similar to the following:

    -----BEGIN CERTIFICATE REQUEST-----
    ...
    -----END CERTIFICATE REQUEST-----

Copy the entire CSR, including the “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----” lines.

7. Submit the CSR to VeriSign, Entrust, or any other CA.

The process for submitting the CSR varies with each CA. Use your Web browser to access your CA’s Web site and follow the online instructions. When prompted, paste the CSR into the space provided on the CA’s online request process. If the CA asks which server software vendor’s product was used to generate the CSR, specify Apache.

The CA will return the signed certificate for installation. The certificate is then ready to be added into the ASA.
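The following Python script is an added example and is not part of this manual or of the ASA software. It applies the rules given for the request prompts in step 1 (a two-letter country code, the characters that may not appear in the organization name, the common-name restrictions, and the 225-byte combined limit the request command prints) to a subject before it is typed in, and it checks that a .key file saved with the display command in step 5 actually carries the encrypted-PEM headers shown there, so that an unencrypted key is not filed away by mistake. The subject values, the function names and the PEM fragment are all constructed for this example.

```python
"""Pre-submission checks for an ASA CSR subject and an exported .key file
(added example, not ASA code). The rules follow the CSR procedure in this
chapter; the sample values and the PEM fragment are constructed."""

import ipaddress
import re

FORBIDDEN_ORG_CHARS = set('<>~!@#$%^*/\\()?')  # the manual's list for Organization Name
MAX_COMBINED_BYTES = 225                         # limit printed by the 'request' command
SUBJECT_FIELDS = ("country", "state", "locality", "organization",
                  "organizational_unit", "common_name", "email")


def check_common_name(cn):
    """Common Name must be the bare server name: no protocol specifier,
    port, path, wildcard, or IP address."""
    problems = []
    if "://" in cn:
        problems.append("common name contains a protocol specifier")
    if "/" in cn.split("://")[-1]:
        problems.append("common name contains a path")
    if re.search(r":\d+$", cn):
        problems.append("common name contains a port number")
    if "*" in cn or "?" in cn:
        problems.append("common name contains a wildcard")
    try:
        ipaddress.ip_address(cn)
        problems.append("common name is an IP address")
    except ValueError:
        pass
    return problems


def check_subject(subject):
    """Return a list of problems with the CSR subject; an empty list means
    the values can be entered at the request prompts as they are."""
    problems = []
    if not re.fullmatch(r"[A-Z]{2}", subject["country"]):
        problems.append("country must be a two-letter ISO code")
    bad = sorted(c for c in subject["organization"] if c in FORBIDDEN_ORG_CHARS)
    if bad:
        problems.append("organization name contains " + "".join(bad))
    problems += check_common_name(subject["common_name"])
    total = sum(len(subject[f].encode("utf-8")) for f in SUBJECT_FIELDS)
    if total > MAX_COMBINED_BYTES:
        problems.append(f"combined field length {total} exceeds {MAX_COMBINED_BYTES} bytes")
    return problems


def exported_key_is_encrypted(pem_text):
    """True when a key saved from 'display' is complete (matching BEGIN/END
    lines) and carries the encrypted-PEM headers shown in step 5:
    'Proc-Type: 4,ENCRYPTED' plus a 'DEK-Info' line."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if not lines or lines[0] != "-----BEGIN RSA PRIVATE KEY-----":
        return False
    if lines[-1] != "-----END RSA PRIVATE KEY-----":
        return False
    headers = {}
    for line in lines[1:]:
        if ":" not in line:          # headers end at the first blank/body line
            break
        key, value = line.split(":", 1)
        headers[key.strip()] = value.strip()
    return headers.get("Proc-Type") == "4,ENCRYPTED" and "DEK-Info" in headers


# Constructed sample values (not from the manual).
SAMPLE_SUBJECT = {
    "country": "US", "state": "California", "locality": "Santa Clara",
    "organization": "Example Corp", "organizational_unit": "Web Services",
    "common_name": "www.example.com", "email": "hostmaster@example.com",
}
BAD_SUBJECT = {**SAMPLE_SUBJECT, "country": "USA",
               "organization": "Acme & Co <Ltd>",
               "common_name": "https://www.example.com:443"}
SAMPLE_KEY_FILE = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

(base64 key data omitted in this constructed sample)
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    print("good subject:", check_subject(SAMPLE_SUBJECT))
    print("bad subject:", check_subject(BAD_SUBJECT))
    print("exported key encrypted:", exported_key_is_encrypted(SAMPLE_KEY_FILE))
```

The header check only confirms that encryption was selected at the display prompt; the legacy PEM scheme shown on this page derives its key from the export pass phrase, so the strength of that phrase is what protects the file. Note also that the 1024-bit default key size quoted by this 2003 manual is below the 2048-bit minimum that public CAs and browsers require today, so the Key size prompt should not be accepted at its default when the procedure is reused.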


Adding Certificates to the ASA

Using the encryption capabilities of the ASA requires adding a key and certificate that conform to the X.509 standard to the ASA. If you have more than one ASA in a cluster, the key and certificate need only be added to one of the devices. As with configuration changes, the information is automatically propagated to all other devices in the cluster.

NOTE – When using an ASA 310-FIPS running in FIPS mode, the private key associated with a certificate cannot be imported. All private keys must be generated on the HSM card itself due to the FIPS security requirements.

There are two ways to install a key and certificate into the ASA:

• Copy-and-paste the key/certificate.

• Download the key/certificate from a TFTP/FTP server.

The ASA supports importing certificates and keys in these formats:

� PEM

� NET

� DER

� PKCS7 (certificate only)

� PKCS8 (keys only, used in WebLogic)

� PKCS12 (also known as PFX)

Besides these formats, keys in the proprietary format used in MS IIS 4 can be imported by the ASA, as wells as keys from Netscape Enterprise Server or iPlanet Server. Importing keys from Netscape Enterprise Server or iPlanet Server however, require that you first use a conversion tool. For more information about the conversion tool, contact Nortel Networks. See “How to Get Help” on page 17 for contact information.

When it comes to exporting certificates and keys from the ASA, you can specify to save in the PEM, NET, DER, or PKCS12 format when using the export command. If you choose to use the display command (which requires a copy-and-paste operation), you are restricted to saving certificates and keys in the PEM format only.

NOTE – When performing a copy-and-paste operation to add a certificate or key, you must always use the PEM format.
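Both the copy-and-paste method and the TFTP/FTP import depend on a well-formed PEM file: the BEGIN/END lines must be present, the base64 body must be complete, and one file may carry both a certificate and its private key. The following Python is an added example, not code from the Nortel manual or the ASA software. It splits a file into its PEM blocks, rejects missing or mismatched markers and truncated bodies (by checking that the decoded body is exactly one complete DER SEQUENCE), records whether a key block is encrypted (Proc-Type header), and reports, in file order, what an import of that file would add. The sample input is constructed; its bodies are placeholder DER structures, not real certificates or keys.

```python
"""Sanity-check a PEM file before pasting or importing it (added example).

Not code from the Nortel manual or the ASA software. A PEM file used with
the copy-and-paste method must keep its BEGIN/END lines and a complete
base64 body; a file may also carry both a certificate and its private key.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")   # e.g. BEGIN CERTIFICATE
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")
_HEADER = re.compile(r"^[A-Za-z-]+: ")                   # e.g. "Proc-Type: 4,ENCRYPTED"


@dataclass
class PemBlock:
    label: str        # "CERTIFICATE", "CERTIFICATE REQUEST", "RSA PRIVATE KEY", ...
    der: bytes        # decoded body
    encrypted: bool   # a "Proc-Type: ...,ENCRYPTED" header was present

    @property
    def kind(self) -> str:
        return "key" if "PRIVATE KEY" in self.label else "certificate"


def der_length_ok(der: bytes) -> bool:
    """True if der is exactly one complete DER SEQUENCE.

    Certificates, CSRs and PKCS#1/PKCS#8 keys all start with a SEQUENCE
    (tag 0x30) whose length must cover the rest of the body, so a body that
    lost its last lines in the paste fails here.
    """
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return hdr + length == len(der)


def split_pem(text: str) -> list[PemBlock]:
    """Return every PEM block in text; raise ValueError for a malformed file."""
    blocks: list[PemBlock] = []
    label, body, encrypted = None, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if m := _BEGIN.match(line):
            if label is not None:
                raise ValueError(f"BEGIN {m.group(1)} inside an open {label} block")
            label, body, encrypted = m.group(1), [], False
        elif m := _END.match(line):
            if label is None or m.group(1) != label:
                raise ValueError(f"END {m.group(1)} without a matching BEGIN line")
            try:
                der = base64.b64decode("".join(body), validate=True)
            except ValueError as exc:     # binascii.Error is a ValueError
                raise ValueError(f"{label}: body is not valid base64") from exc
            if not der_length_ok(der):
                raise ValueError(f"{label}: body is truncated or not DER")
            blocks.append(PemBlock(label, der, encrypted))
            label = None
        elif label is None or not line:
            continue                      # text outside a block, or a blank line
        elif _HEADER.match(line):
            if line.startswith("Proc-Type:") and "ENCRYPTED" in line:
                encrypted = True          # headers are not part of the base64 body
        else:
            body.append(line)
    if label is not None:
        raise ValueError(f"missing END line for {label}")
    return blocks


def import_messages(text: str) -> list[str]:
    """What an import of this file would add, in file order."""
    return ["Key added" if b.kind == "key" else "Certificate added"
            for b in split_pem(text)]


def pem_problem(text: str) -> str | None:
    """None when the file is well-formed, otherwise the first error found."""
    try:
        split_pem(text)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample input: a certificate followed by an encrypted key.
# The bodies are placeholder DER structures (SEQUENCE { INTEGER 5 }),
# not real certificates or keys.
SAMPLE_COMBINED = """\
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

MAMCAQU=
-----END RSA PRIVATE KEY-----
"""
# The same certificate body with its last base64 chunk lost in the paste.
SAMPLE_TRUNCATED = "-----BEGIN CERTIFICATE-----\nMAMCAQ==\n-----END CERTIFICATE-----\n"
```

Run `pem_problem()` on a file before pasting it: a `None` result means the markers pair up and every body decodes to a complete DER structure, which is the condition under which the copy-and-paste and the combined-file TFTP/FTP import both succeed. The DER length test catches the common failure of a paste that dropped the last line or two of base64, which base64 decoding alone does not detect.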


Using a Copy-and-Paste Operation to Add Certificates

The following steps demonstrate how to add a certificate using the copy-and-paste method.

NOTE – If you connect to one of the ASAs in the cluster by using a console connection, note that HyperTerminal under Microsoft Windows may be slow to complete copy-and-paste operations. If your security policy permits enabling Telnet or SSH access to the ASA, use a Telnet or SSH client and connect to the Management IP address instead.

1. Type the following command from the Main menu prompt on the ASA to start adding a certificate.

    >> Main# cfg/ssl/cert
    Enter certificate number: (1-) <number of the certificate you want to configure>
    >> Certificate 1# cert
    Paste the certificate, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.
    >

In most cases you should specify the same certificate number as the certificate number you used when generating the CSR. By doing so, you do not have to add the private key because this key remains connected to the certificate number that you used when you generated the CSR.

If you have obtained a key and a certificate by other means than generating a CSR using the request command on the ASA, specify a certificate number not used by a configured certificate before pasting the certificate. If the private key and the certificate are not contained in the same file, use the key or import command to add the corresponding private key.

To view basic information about configured certificates, use the /info/certs command. The information displayed lists all configured certificates by their main attributes.

2. Copy the contents of your certificate file.

Open the certificate file you have received from a CA in a text editor and copy the entire contents. Make sure the selected text includes the “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” lines.

3. Paste the contents of the certificate file at the command prompt.

Now, paste the certificate at the command line interface prompt, press ENTER to create a new empty line, and then type “...” (without the quotation marks). Press ENTER again to complete the installation of the certificate.


Your screen output should now resemble the following example:

    >> Certificate 1# cert
    Paste the certificate, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.
    > -----BEGIN CERTIFICATE-----
    > MIIDTDCCArWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB9MQswCQYDVQQGEwJzZTEO
    > MAwGA1UECBMFa2lzdGExEjAQBgNVBAcTCXN0b2NraG9sbTEMMAoGA1UEChMDZG9j
    > MQ0wCwYDVQQLEwRibHVlMRIwEAYDVQQDEwl3d3cuYS5jb20xGTAXBgkqhkiG9w0B
    > CQEWCnR0dEBjY2MuZG4wHhcNMDAxMjIyMDkxOTI0WhcNMDExMjIyMDkxOTI0WjB9
    > MQswCQYDVQQGEwJzZTEOMAwGA1UECBMFa2lzdGExEjAQBgNVBAcTCXN0b2NraG9s
    > bTEMMAoGA1UEChMDZG9jMQ0wCwYDVQQLEwRibHVlMRIwEAYDVQQDEwl3d3cuYS5j
    > b20xGTAXBgkqhkiG9w0BCQEWCnR0dEBjY2MuZG4wgZ8wDQYJKoZIhvcNAQEBBQAD
    > gY0AMIGJAoGBALXym9cIVfHZUZFE1MFi+xefDviIEvilnJAQSSPITnZa69fzGcL3
    > vpQv0NLxNffs1jEw4RPDMKu2rQ9N02EiiJcrCHnaSNZPdwGoX39IkEUkANzm3mh2
    > DlP1RfW4ejpNKsG5Tme/e1vFYWXeXXI1oRtdPIaVGxK8pvqBEHDXCcJlAgMBAAGj
    > gdswgdgwHQYDVR0OBBYEFJBM3K0KB03fpCOVrQCC34hovwM8MIGoBgNVHSMEgaAw
    > gZ2AFJBM3K0KB03fpCOVrQCC34hovwM8oYGBpH8wfTELMAkGA1UEBhMCc2UxDjAM
    > BgNVBAgTBWtpc3RhMRIwEAYDVQQHEwlzdG9ja2hvbG0xDDAKBgNVBAoTA2RvYzEN
    > MAsGA1UECxMEYmx1ZTESMBAGA1UEAxMJd3d3LmEuY29tMRkwFwYJKoZIhvcNAQkB
    > Fgp0dHRAY2NjLmRuggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEA
    > m/GKwEyDKCm2qdPt8+pz1znSGNaRTxfK1R0mjtnDGFb0qk+Bv7d9YlX+1QTZhxnZ
    > Z4JXuWPJS36kAwiirVbOIaIforIVa+IUlo8HUjMvxzIqCYPiiDwBcBi3NsvjlFM7
    > i24Q+lvDLE/Ko+x/YEnNukfp3SBXiJqZ8WZIvbTCyT4=
    > -----END CERTIFICATE-----
    > ...
    Certificate added.

NOTE – Depending on the type of certificate the CA generates (registered or chain), your certificate may appear substantially different from the one shown above. Be sure to copy and paste the entire contents of the certificate file.

4. Apply your changes.

If you have used the request command in the ASA to generate a CSR, and have specified the same certificate number as the CSR when pasting the contents of the certificate file, your certificate is now fully installed.

If you have obtained a certificate by other means, however, you must also add the corresponding private key.

    >> Certificate 1# apply
    Changes applied successfully.


Using a Copy-and-Paste Operation to Add a Private Key

1. Type the following command from the Main menu prompt on the ASA to start adding a private key.

    >> Main# cfg/ssl/cert
    Enter certificate number: (1-) <number of the certificate you want to configure>
    >> Certificate 1# key
    Paste the key, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.
    >

Make sure you specify the same certificate number as when pasting the certificate.

2. Copy the contents of your private key file.

Locate the file containing your private key. Make sure the key file corresponds with the certificate file you have received from a CA. The public key contained in the certificate works in concert with the related private key when handling SSL transactions.

Open the key file in a text editor and copy the entire contents. Make sure the selected text includes the “-----BEGIN RSA PRIVATE KEY-----” and “-----END RSA PRIVATE KEY-----” lines.

3. Paste the contents of the key file at the command prompt.

Now, paste the private key at the command line interface prompt. Press ENTER to create a new row, and then type “...” (without the quotation marks). Press ENTER again to complete the installation of the key.

You may be prompted for a password phrase after having completed the paste operation. The password phrase you are requested to type is the one you specified when creating (or exporting) the private key.


Your screen output should now resemble the following example.

    >> Certificate 1# key
    Paste the key, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.
    > -----BEGIN RSA PRIVATE KEY-----
    > Proc-Type: 4,ENCRYPTED
    > DEK-Info: DES-EDE3-CBC,2C60C89FEB57A853
    >
    > MbbLDYlwdbNfXUGHFm10nfRlI+KTnx2Bdx750EaG8HSVV7KrtnsNF/Fsz1jFvO/j
    > nKhZfs4zsVrsstrVlqfP1uatg19VyJSEug1ZcCamH59Dcy+UNocFWCzR56PHpyZK
    > GXX66jS+6twYdiXQk58URIudkmGXGTYMvBRuVjV22ZRLyJk41Az5nA6HiDz6GGs6
    > vkCaPFGm263KxmXjy/okNgSJl9QTqJfSq7Eh1cIslBReAE9HXGl0Eubb6gVJu+sR
    > mGhS/yGx4vMx98wiMjL37gRtXBfDWlu6u0HOPeJxs6fH05fYzmnpwAHj592TDFds
    > Ji5pmrY0NhAeXfuG8mF/T9nEz02ZA8iQGJsaUPfkeBxbZS+umY/R65Okwt1k2RN4
    > RlFnmRWqvhHMrHzJuegez/806YazHBv74sOg3KgETRH92z5yvwbgFwmffgb+hai0
    > RlRtZgQ4A5kSAFYW37KDq6eJBsZ/m3Que1buMbh8tRxdGpo54+bGqu5b12iLanLn
    > Rk57ENQGTgzxOD/1RZIJHqObCY7VDLkK7WZM/LPa0k+bTeAysmZa7fu7gvELJF0i
    > vszs3nzm7zT1y0mJ0QX9u9eoW8wpASCAdCC2r2LZt8o9+IWLSZWh5UCIr8qFKGiL
    > rUIx8coIhxSpx/PqEV8KhSRV+0taq0N7pJa3TLmO3o80t5966VSFKc3Y35fx9Yk8
    > G+RlSzo4CxooY4bCKsfchnJ957SJx5vUyh6jjztnuU4iAfeTVCUdF0LXd+NlQ7T7
    > IMFsjjx9SZuuHPZTF0KD/WYLx7FfIFIBHDumu6scraYZOaWaJKI5Pw==
    > -----END RSA PRIVATE KEY-----
    > ...
    Enter pass phrase:
    Key added

4. Apply your changes.

Your certificate and private key are now fully installed and ready to be taken into use by a virtual SSL server. To view information about configured certificates and SSL servers, use the /cfg/ssl/cur command.

    >> Certificate 1# apply
    Changes applied successfully.


Using TFTP or FTP to Add Certificates and Keys

The following is an example of how to input a certificate into the ASA using TFTP or FTP.

1. Put the certificate file and key file on your TFTP/FTP server.

NOTE – You may arrange to include your private key in the certificate file. When the specified certificate file is retrieved from the TFTP/FTP server, the ASA software will analyze the contents and automatically add the private key, if present (the screen output displays “Certificate added” and “Key added” in this case). If the private key is included, you do not have to perform step 3.

2. Initiate the process of adding a certificate using TFTP or FTP.

Type the command /cfg/ssl/cert and press ENTER. Specify an unused certificate index number, and then type the command import.

    >> Main# cfg/ssl/cert
    Enter certificate number: (1-) <number of the certificate you want to configure>
    >> Certificate 1# import
    Select TFTP or FTP (tftp/ftp) [tftp]: <transfer method>
    Enter host name or IP address of server: <server host name or IP address>
    Enter filename on server: <filename.crt>
    Retrieving filename.crt from server

Make sure to specify a certificate number not in use by an existing certificate. To view basic information about all configured certificates, use the /info/certs command.

Provided the operation was successful, your screen output should resemble the following example:

    >> Certificate 1# import
    Select TFTP or FTP (tftp/ftp) [tftp]: ftp
    Enter host name or IP address of server: 192.168.128.58
    Enter filename on server: VIP_1.crt
    Retrieving VIP_1.crt from 192.168.128.58
    Key added.
    Certificate added.


3. Add your private key using TFTP or FTP.

Type the command import and press ENTER. Provide the required information. You may be prompted for a password phrase (if specified when creating or exporting the private key).

    >> Certificate 1# import
    Select TFTP or FTP (tftp/ftp) [tftp]: <transfer method>
    Enter host name or IP address of server: <server host name or IP address>
    Enter filename on server: <filename.key>
    Retrieving filename.key from server
    Enter pass phrase:

Provided the operation was successful, your screen output should resemble the following example:

    >> Certificate 1# import
    Select TFTP or FTP (tftp/ftp) [tftp]: ftp
    Enter host name or IP address of server: 192.168.128.58
    Enter filename on server: VIP_1.key
    Retrieving VIP_1.key from 192.168.128.58
    Enter pass phrase:
    Key added.

4. Apply your changes.

Your certificate and private key are now fully installed and ready to be taken into use by a virtual SSL server. To view basic information about configured certificates and SSL servers, use the /cfg/ssl/cur command.

    >> Certificate 1# apply
    Changes applied successfully.


Update Existing Certificate

Whenever you wish to substitute an existing certificate for a new certificate, you should keep the existing certificate until it is verified that the new certificate works as designed.

Create a New Certificate

1. Check the certificate numbers currently in use.

    >> Main# cfg/ssl/
    >> SSL# cur

If, for example, two different certificates exist as Certificate 1 and Certificate 2, create Certificate 3 for your new certificate.

2. Add a certificate with a new certificate number.

    >> SSL# cert
    Enter certificate number: (1-1500) 3
    Creating Certificate 3

3. Add the new certificate according to the instructions in “Adding Certificates to the ASA” on page 81.

4. Apply the new certificate to the desired servers.

    >> SSL# server
    Enter virtual server number: (1-256) 1
    >> Server 1# ssl
    >> SSL Settings# cert
    Current value: 2
    Enter certificate number: (1-1500) 3

After you have tested that the new certificate works fine on your SSL servers you may delete the old certificate(s).


Configuring a Virtual SSL Server for Client Authentication

In each ASA cluster, you can create an unlimited number of virtual SSL servers. Each virtual SSL server is mapped to a virtual server on the Alteon Application Switch, and can handle a specific service such as HTTPS, SMTPS, IMAPS, or POP3S. Each virtual SSL server is configured to use a server certificate to authenticate itself towards the clients. Besides, a virtual SSL server can be configured to require client certificates in order to authenticate clients before granting access to the requested service.

NOTE – The ASA can also operate in standalone mode, i.e. without being connected to an Alteon Application Switch. For configuration examples, see the Standalone Web Server Accelerator chapter in the Application Guide.

When a virtual SSL server is set to require client certificates, a CertificateRequest message is sent from the server to the client during the SSL handshake. The client responds by sending its public key certificate in a Certificate message. After that, the client will send a CertificateVerify message to the server. The CertificateVerify message is signed by using the client’s private key, and contains important information about the SSL session known to both the client and the server. Upon receiving the CertificateVerify message, the virtual SSL server will use the public key from the client certificate to authenticate the client’s identity.

The virtual SSL server will also check if the certificate the client presents is signed by an accepted certificate authority. Accepted certificate authorities are defined by the CA certifi-cates you have specified in the virtual SSL server. The certificate you use for generating client certificates must therefore also be specified as a CA certificate in the virtual SSL server.

The virtual SSL server also checks if the client certificate should be revoked, by comparing the serial number of the presented client certificate with entries in the certificate revocation list.

The following steps demonstrate how to configure a virtual SSL server to require client certificates for authentication purposes.

1. Display information about current virtual SSL servers.

This command displays information about all certificates and virtual SSL servers on the ASA, including their current configurations. Based on the information displayed, decide which virtual SSL server to configure for client authentication.

    >> Main# cfg/ssl/cur


2. Configure the chosen virtual SSL server to require client certificates.

    >> SSL# server 1
    >> Server 1# ssl
    >> SSL Settings for Server 1# verify
    Current value: none
    Certificate verification (none/optional/require): require

The client must send its client certificate to the virtual SSL server during the SSL handshake. If the client does not have a certificate, the client will respond with a NoCertificateAlert message. At that point, the session will be terminated.

3. Specify which CA certificates to use for client authentication.

Specify which CA certificates you want the virtual SSL server to use for authenticating client certificates. Only those client certificates that are issued by a certificate authority whose CA certificate you specify, will be accepted. Note that the CA certificates you specify by index number must be available on the ASA itself.

In order to authenticate client certificates issued within your own organization, the CA certificate used for generating the issued client certificates must be specified as a CA certificate.

To view basic information about all certificates currently added to the ASA, use the /info/certs command.

    >> SSL Settings for Server 1# cacerts
    Current value: ""
    Enter certificate numbers (separated by comma): <CA certificates by index number>

4. Apply your settings.

    >> SSL Settings for Server 1# apply
    Changes applied successfully.


Generating Client Certificates on the ASA

Before issuing client certificates, you should establish the means of validating the identities of the users. The credentials users need to present in order to obtain a client certificate may vary, depending on the type of service, the size of your organization, etc.

1. Specify a CA certificate by index number to use for generating a client certificate, and generate the client certificate.

In this example certificate number 1 is specified for generating a client certificate. The private key corresponding with the public key in the certificate you specify is used for signing the client certificate.

To view basic information about all available certificates, use the /info/certs command.

NOTE – Only certificates having the basic constraint CA:TRUE can be used for generating client certificates. When generating a client certificate, the ASA automatically checks that the current certificate has this constraint. To perform this check yourself, use the /cfg/ssl/cert #/show command and look for lines containing the text X509v3 Basic Constraints: CA:TRUE|FALSE in the screen output.

    >> Main# cfg/ssl/cert
    Enter certificate number: (1-) 1
    >> Certificate 1# gensigned
    Type of certificate (server/client) [client]: <press ENTER for client certificate>
    The combined length of the following parameters may not exceed 225 bytes.
    Country Name (2 letter code):
    State or Province Name (full name):
    Locality Name (e.g., city):
    Organization Name (e.g., company):
    Organizational Unit Name (e.g., section):
    Common Name (e.g., your name or your server’s hostname):
    Email Address:


2. When prompted, provide the following information about the subject to include in the client certificate:

• Country Name (2 letter code): The two-letter ISO code for the country in which the subject resides. The subject is the person for whom the client certificate is created. For current information about ISO country codes, visit for example http://www.iana.org

• State or Province Name (full name): The full name of the state or province in which the subject resides.

• Locality Name (e.g., city): The name of the city or town where the subject resides.

• Organization Name (e.g., company): The registered name of the organization to which the subject belongs. Do not abbreviate the organization name and do not use the following characters: < > ~ ! @ # $ % ^ * / \ ( ) ?

• Organizational Unit Name (e.g., section): The unit name of the organization to which the subject belongs.

• Common Name (e.g., the subject’s name): The full name of the subject.

• E-mail address: The full e-mail address of the subject.

3. Specify the validity period, key size, and serial number.

After having provided information about the subject, you are now ready to specify information relating to the client certificate itself.

Decide how many days the client certificate should be valid. By default, each new client certificate is set to be valid for 365 days.

Decide which key size should be used. The default key size is set to 512 bits, which is appropriate in most cases. Note that export versions of MS Internet Explorer 4.x (40-bit encryption) and MS Internet Explorer 5 (56-bit encryption) cannot import client certificates with a larger key size than 512.

Assign a serial number to the client certificate, or accept the suggested number. When generating a new client certificate, the lowest available serial number is displayed in square brackets and will be used unless you specify a different number. As you generate more client certificates, the proposed serial number increments automatically.

    >> Certificate 1#
    Valid for days [365]:
    Key size (512/1024) [512]:
    Serial number of client certificate [1]:


4. Decide whether to save the client certificate and define a pass phrase for the private key.

    >> Certificate 1#
    Save signed certificate (yes/no) [yes]: (press ENTER to save the certificate)
    Select cert no. to save to [2]: (press ENTER to accept the suggested certificate index number)
    Encrypt private key (yes/no) [yes]: (press ENTER to encrypt the private key)
    Enter export pass phrase: (define a pass phrase to protect the encrypted private key)
    Reconfirm export pass phrase:
    Creating new cert 2
    Use ’apply’ to save signed key and certificate.
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,5B2BFB839B4A9524

    ErcHmgvzyLuaGn9WXrkZgn/EY6CcrgluO7d4fh/a3YuCBFPgiE5NKs7HtqJ6RPfbK/Uinv7MaRSmRzIIbojOaOk6jZUsP1U7d+60Hy/kgfnMI7mI2oByHFvJ1IfZ5DfsSyJFmbMYSfG7MPtobaUjuTedmBw5Vo5JnpmfYqnd0uvMMT4H8HM6PgEHggJctBoJiaENDtCEbhaUX6B6+7qzXBpcUx6GJoQ3P8b07YrGhkfY9KWGT4DglKBHJiT4Wgua+voUZ2WPebSC5XCfR6bnIFykxNrFPWMV+2FwxNs6to6QPY2sARwym8/pK2CQFW5bmojNTWtW9U9UObAvV1TUCSUauARy3aVAMtY7bi7HX93Yypk5FXFVn75RoTMB7CIZjxwL3R7kZFsEmHe/NE4LkiLHRFd+ZxbbRdNC1Zw47qw=
    -----END RSA PRIVATE KEY-----

    -----BEGIN CERTIFICATE-----
    MIIDyjCCAzOgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBqjELMAkGA1UEBhMCVVMxFDASBgNVBAgTC09ha2xhZm9ybmlhMRAwDgYDVQQHEwdUZXN0aW5nMRIwEAYDVQQKEwlUZXN0IEluYy4xEjAQBgNVBAsTCXRlc3QgZGVwdDEgMB4GA1UEAxMXd3d3LmR1bW15c3NsdGVzdGluZy5jb20xKTAnBgkqhkiG9w0BCQEWGnRlc3RlckBkdW1teXNzbHRlc3RpbmcuY29tMB4XDTAxMDIyNzEyMzAzMFoXDTAyMDIyNzEyMzAzMFowgZQxCzAJBgNVBAYTAlNFMRIwEAYDVQQIEwlTdG9ja2hvbG0xDjAMBgNVBAcTBUtpc3RhMREwDwYDVQQKEwhCbHVldGFpbDENMAsGA1UECxMERG9jdTEZMBcGA1UEAxMQd3d3LmJsdWV0YWlsLmNvbTEkMCIGCSqGSIb3DQEJARYVdG9yYmpvcm5AYmx1ZXRhaWwuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALNjbwor//Gz3CsugRPJvcw36tm109BuZ81g2NTahrXJKKotRb947c7YJgTZYFnlaOHV7tpRUnp5yASCzBHBt0MCAwEAAaOCAVYwggFSMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgWgMAsGA1UdDwQEAwIF4DAsBglghkgBhvhCAQ0EHxYdaVNELVNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFDdbxK9VEsti/nS/1cTxp9eMYVfdMIHXBgNVHSMEgc8wgcyAFIZ96B3BhM12d8GJl/GrC+Shs5gtoYGwpIGtMIGqMQswCQYDVQQGEwJVUzEUMBIGA1UECBMLT2FrbGFmb3JuaWExEDAOBgNVBAcTB1Rlc3RpbmcxEjAQBgNVBAoTCVRlc3QgSW5jLjESMBAGA1UECxMJdGVzdCBkZXB0MSAwHgYDVQQDExd3d3cuZHVtbXlzc2x0ZXN0aW5nLmNvbTEpMCcGCSqGSIb3DQEJARYadGVzdGVyQGR1bW15c3NsdGVzdGluZy5jb22CAQAwDQYJKoZIhvcNAQEEBQADgYEAlEIbixeNQqSUIiRJ28ty8vQWTqpEP7B9dGGqPnGXTQQ5QqjHaaGppYDAUZAceFGWHG94fIS7OtRqX40zrsCO51bn2kMMz/XVj78Z3/nr+mv4Rm1ZGXmAEhVo2XjvVFChOF74XcMyAz0Qp3UVvTVsFULKA1qnT20SWno9T8xR0lU=
    -----END CERTIFICATE-----
    Use ’apply’ to save incremented certificate serial number.


You should save the client certificate and assign a certificate index number to it. The lowest available index number is displayed in square brackets and will be used unless you specify a different number. By saving the certificate, you can later easily access the certificate by specifying the assigned index number at the cert prompt. After having specified the assigned index number, you can use the display or export command in order to prepare for the transfer of the client certificate to the subject. To view basic information about all saved certificates, use the /info/certs command.

If you choose to not save the client certificate, you will need to save the private key and the certificate to a file by performing a copy-and-paste operation to a text editor. The private key and the certificate are displayed on screen as soon as you reconfirm the chosen password phrase. The private key and the certificate are combined and saved in the PEM format when using a copy-and-paste operation.

The requested pass phrase is a word or code that you need to define. The pass phrase protects the encrypted key against illegitimate use. When the intended user installs the client certificate into a Web browser or e-mail client, the correct pass phrase (which you defined) is required to unlock the certificate.

5. Verify that the certificate you used for generating the client certificate is specified as a CA certificate for the appropriate virtual SSL server.

In order to successfully validate the client certificate on authentication, you need to verify that the certificate you used for generating the client certificate is also specified as a CA certificate for the appropriate virtual SSL server. In the sample screen output below, the certificate has already been defined as a CA certificate. This is observable by the line Current value: 1, where number 1 is the index number of the certificate that was used when generating the client certificate. If the certificate index number representing the certificate you used when generating client certificates is not listed by Current value:, type the certificate index number and apply your changes.

If the correct certificate index number is already listed by Current value:, press ENTER and answer no to the question if you want to clear the list.

    >> Main# cfg/ssl/server
    Enter virtual server number: (1-) 1
    >> Server 1# ssl
    >> SSL Settings for Server 1# cacerts
    Current value: 1
    Enter certificate numbers (separated by comma):


6. Transmit the private key and certificate to the user.

Before you transfer the private key and client certificate to the subject, save the key and the certificate to a file using the export or display command on the Certificate menu. The export command is recommended, as this provides you with the option to select the PKCS12 file format (also known as PFX). Most Web browsers accept importing a combined key and certificate file in the PKCS12 format. For more information, see the export and display commands under “Certificate Management Configuration” on page 179.

Transmit the client certificate and the pass phrase protected private key to the user in a secure manner. Never send the password phrase in an e-mail message.

The user will then need to import the received client certificate into his or her Web browser or e-mail program. For more information about importing certificates, refer to the help system of the destination Web browser or e-mail program.

Managing Revocation of Client Certificates

Certificate revocation lists (CRLs) are maintained by certificate authorities to recall client certificates that are no longer considered trustworthy. The reasons for this can be that the client certificate may have been issued by mistake, or that the subject accidentally has revealed the private key.

By keeping a certificate revocation list on your SSL server, client certificates sent to the server are checked against the CRL. If a match is found, the SSL session is terminated. This mode of operation requires, first of all, that you have configured the virtual SSL server to always require client certificates. (For more information, see “Configuring a Virtual SSL Server for Client Authentication” on page 89). You must also regularly check with the certificate authorities you trust for their latest CRLs.

Moreover, if you take on the role of a certificate authority by issuing your own client certificates, you will also need to maintain your own certificate revocation lists. This can be done by listing the serial numbers of the client certificates you want to revoke in an ASCII file. You may also specify the serial number of a particular client certificate directly in the command line interface by using the add command in the Revocation menu.


Revoking Client Certificates Issued by an External CA

1. Specify the CA certificate to which you want to add a CRL.

The certificate you specify must be a CA certificate from the same certificate authority that published the CRL you are about to add. To view basic information about available certificates, use the /info/certs command.

    >> Main# cfg/ssl/cert
    Enter certificate number: (1-) 1 (example)
    >> Certificate 1# revoke

2. Download and add a CRL from a TFTP or FTP server.

Specify the host name or IP address of the TFTP/FTP server, and provide the file name of the CRL. The CRL is retrieved and added to Certificate 1 (used as an example).

    >> Revocation# import
    Select TFTP or FTP (tftp/ftp) [tftp]: ftp
    Enter host or IP address of server: 192.168.128.20 (example)
    Enter name of file on server (PEM, DER or ASCII format): crl.der
    Retrieving crl.der from 192.168.128.20
    Received 12628 bytes in 0.1 seconds

    Certificate revocation list found in der format
    Revocation list added.
    Use ’apply’ to activate changes.

3. Apply your changes.

    >> Revocation# apply
    Changes applied successfully.


Revoking Client Certificates Issued within your Own Organization

1. Specify the CA certificate, to which you want to add a CRL.

Specify the certificate number that represents the CA certificate of the certificate used for gen-erating the client certificate you want to revoke. To view basic information about available cer-tificates, use the /info/certs command.

2. Add the serial number of a specific client certificate to revoke.

Repeat this step for each serial number you want to add. To display the serial number (along with subject information) for a saved client certificate, use the /info/certs command.

Or, download and add your own CRL in ASCII format from a remote machine.

If you have added serial numbers for particular client certificates by using the add command prior to using the import command, you will be asked if you want to merge those serial num-bers to the CRL in ASCII format. If the CRL does not already include those serial numbers, choose to merge them. However, make sure that you update the original CRL with the merged serial numbers before the next download, as you will otherwise lose them. For more informa-tion about how to build your own CRL, see “Creating Your Own Certificate Revocation List” on page 98.

>> Main# cfg/ssl/cert
Enter certificate number: (1-) 1 (example)
>> Certificate 1# revoke

>> Revocation# add
Enter serial number to revoke:

>> Revocation# import
Select TFTP or FTP (tftp/ftp) [tftp]: ftp
Enter host or IP address of server: 192.168.128.20 (example)
Enter name of file on server (PEM, DER or ASCII format): crl.ascii
Retrieving crl.ascii from 192.168.128.20
Received 12628 bytes in 0.1 seconds
Certificate revocation list found in ascii format
Revocation list added.
Use 'apply' to activate changes.


3. Verify that the serial numbers of the client certificates you want to revoke have been added.

>> Revocation# list
Revoked certificates:

4. Apply your changes.

>> Revocation# apply
Changes applied successfully.

Creating Your Own Certificate Revocation List

You can easily build and manage certificate revocation lists for client certificates issued within your own organization. The CRL can then be added by using TFTP or FTP. For more information about how to accomplish this, see “Revoking Client Certificates Issued within your Own Organization” on page 97.

1. Open a text editor and create a new file.

2. Decide if you want to add serial numbers in decimal form, or in hexadecimal form.

If you choose to add serial numbers for client certificates to revoke in decimal form, add a paragraph in the text document that reads:

ASCII revocation

Or, if you choose to add serial numbers in hexadecimal form, add a paragraph in the text document that reads:

HEX ASCII revocation

NOTE – You can add comments to a CRL ASCII file by preceding your comments with the # character. Each new line of comments must begin with the # character. Comments can be used for providing information about the date of issue or last update, for example. You can cancel the revocation of a client certificate by inserting the # character at the beginning of the line containing the desired serial number.


3. Add the serial numbers of the client certificates you want to revoke.

For a CRL in decimal format, simply list the serial numbers below the ASCII revocation paragraph. For example:

# CRL for CA certificate 1
# Issued first: 2003-01-01
# Last update: 2003-02-01

ASCII revocation

500
501
590

Or, for a CRL in hexadecimal format, list the serial numbers by their hexadecimal values below the HEX ASCII revocation paragraph. For example:

# CRL for CA certificate 1
# Issued first: 2003-01-01
# Last update: 2003-02-01

HEX ASCII revocation

1F4
1F5
24E

4. Save the file, and upload it to a TFTP or FTP server that can be accessed from your ASA(s).
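The ASCII CRL format described in this section, and the merge of serial numbers entered with the add command described under “Revoking Client Certificates Issued within your Own Organization”, as an added example in Python that is not part of the Alteon product: it parses such a file, honours commented-out serial numbers, checks a given serial against the list, and writes a merged list back out so the master file on the TFTP/FTP server can be updated before the next download. The function names and the sample files are assumptions.

```python
"""Parse, check and merge CRL files in the ASCII format the ASA imports.

Added example, not code from the Alteon product. The file format follows
the description above: optional '#' comment lines, an 'ASCII revocation'
(decimal) or 'HEX ASCII revocation' (hexadecimal) header, then one serial
number per line. Function and sample names are assumptions.
"""

ASCII_HEADER = "ASCII revocation"
HEX_HEADER = "HEX ASCII revocation"


def parse_ascii_crl(text):
    """Return the set of revoked serial numbers (as ints) in an ASCII CRL.

    Lines starting with '#' are comments, so a serial number that has been
    commented out no longer counts as revoked. The header line decides
    whether the numbers are read as decimal or hexadecimal.
    """
    base = None
    revoked = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if base is None:
            if line == HEX_HEADER:
                base = 16
            elif line == ASCII_HEADER:
                base = 10
            else:
                raise ValueError(f"line {lineno}: expected a revocation header, got {line!r}")
            continue
        try:
            revoked.add(int(line, base))
        except ValueError:
            raise ValueError(f"line {lineno}: {line!r} is not a base-{base} serial number") from None
    if base is None:
        raise ValueError("no 'ASCII revocation' or 'HEX ASCII revocation' header found")
    return revoked


def is_revoked(serial, revoked):
    """True when a client certificate's serial number is on the list."""
    return serial in revoked


def merge_serials(crl_serials, added_serials):
    """Mimic the merge the import command offers: serial numbers entered with
    the add command are unioned with the downloaded CRL."""
    return set(crl_serials) | set(added_serials)


def format_ascii_crl(serials, hex_form=False, comments=()):
    """Write serial numbers back out in ASCII CRL form, so the master file on
    the TFTP/FTP server can carry the merged entries before the next download
    (otherwise those entries are lost, as noted above)."""
    lines = [f"# {c}" for c in comments]
    lines.append(HEX_HEADER if hex_form else ASCII_HEADER)
    lines.extend(format(s, "X") if hex_form else str(s) for s in sorted(serials))
    return "\n".join(lines) + "\n"


# Constructed sample files modelled on the examples above.
DECIMAL_CRL = """\
# CRL for CA certificate 1
# Issued first: 2003-01-01
# Last update: 2003-02-01

ASCII revocation

500
501
590
"""

# Same serials in hexadecimal, with 0x1F5 (501) commented out, i.e. un-revoked.
HEX_CRL = """\
# CRL for CA certificate 1
HEX ASCII revocation
1F4
# 1F5
24E
"""

if __name__ == "__main__":
    revoked = parse_ascii_crl(DECIMAL_CRL)
    print(sorted(revoked), is_revoked(501, revoked))
    merged = merge_serials(revoked, {777})
    print(format_ascii_crl(merged, comments=["Last update: 2003-03-01"]), end="")
```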


CHAPTER 7
Using the Quick Server Setup Wizard

The Quick Server Setup Wizard provides a way to quickly configure and enable a working virtual SSL server for the service you specify. Before using the Quick Server Setup Wizard, you must have obtained a server certificate in the PEM format that the virtual SSL server can use.

Note that even if the wizard provides an easy way to create and configure a virtual SSL server, you still must configure the Alteon Application Switch accordingly. The extent of configuration changes to filters etc. needed on the Alteon Application Switch depend on your current setup and services. For detailed examples of virtual SSL server implementations in conjunction with an Alteon Application Switch, see the Application Guide.

The ASA can also operate in standalone mode, i.e. without being connected to an Alteon Application Switch. For configuration examples, see the Standalone Web Server Accelerator chapter in the Application Guide.

Create an HTTP Server

1. Start the Quick Server Setup Wizard and define the server type.

As the virtual SSL server is created for HTTPS offload purposes in this example, the server type suggested by the wizard ([http]) need not be changed. Simply press ENTER to preserve the server type.

NOTE – When the SSL server type is set to HTTP, the virtual SSL server is automatically configured to use built-in features such as automatic SSL redirect and the adding of extra headers. For more information about these advanced HTTP-specific features, see “SSL Server HTTP Settings Configuration” on page 201.

>> Main# cfg/ssl/quick
Type of server (generic/http/socks/portal) [http]:


2. Specify the IP address of an existing virtual server.

Specify the IP address of an existing virtual server on the Alteon Application Switch in order to bind the HTTP virtual SSL server to that virtual server.

IP address of SSL server: 192.168.128.100

3. Set the listen TCP port.

In this example, the virtual SSL server is created for HTTPS offload purposes and the listen TCP port suggested by the wizard ([443]) need not be changed. Simply press ENTER to preserve the TCP port value. However, if you want to set up the virtual SSL server to handle IMAPS for example, you would set the listen TCP port to 993.

Listen port of server [443]:

4. Set the real server IP address.

Sets the IP address of the real server to which the virtual SSL server should connect when initiating requests. When using the ASA in conjunction with an Alteon Application Switch, the real server IP address (RIP) should be set to 0.0.0.0 (the default setting).

Press ENTER to accept the suggested real server IP address.

Real server IP [0.0.0.0]:

5. Set the real server TCP port.

The real server port defines the TCP port to which the virtual SSL server connects. When setting up a virtual SSL server for HTTPS offload purposes, the default real server port is 81. The virtual SSL server will use this port to send and receive decrypted HTTP information to and from the real Web servers.

NOTE – The real Web servers must also be configured to listen for ASA traffic on port 81. For security reasons it is also important to define a filter on the Alteon Application Switch that blocks all incoming client traffic destined for port 81.

Real server port [81]:


6. Specify whether or not the site should be password protected.

If you choose yes here, a login window will be displayed when the user connects to the HTTP server. The login feature is on top of the SSL encryption, which makes it safe to enter user name and password. For user authentication, you will be prompted to select an existing Xnet domain (if any). The authentication scheme adhering to this Xnet domain will then be used.

Should the site be password protected (yes/no) [no]:

7. Specify whether or not the real server is an Outlook Web Access server.

If the real server is an Outlook Web Access server, choose yes, otherwise choose no.

NOTE – Enabling this setting corresponds to enabling the addfront setting on the /cfg/ssl/server #/http menu. For more information about these advanced HTTP-specific features, see “SSL Server HTTP Settings Configuration” on page 201.

Is the real server an Outlook Web Access server (yes/no) [no]:

8. Choose whether to use an existing certificate or not.

If you wish to use a certificate already present in the ASA configuration, choose the desired certificate by entering the corresponding number, otherwise choose no.

Use existing certificate (no/1) [no]:

9. If you answered no in step 8, paste the certificate you want the virtual SSL server to use.

Locate the certificate you want to use, make sure the certificate file is in the PEM format (which combines both the private key and the certificate in the same file), open the file in a text editor and copy the entire content. Make sure your text selection includes the “-----BEGIN PRIVATE KEY-----” and “-----END CERTIFICATE-----” lines.

Now, paste the content at the command line interface prompt, press ENTER to create a new empty line, and then type “...” (without the quotation marks). Press ENTER again to complete the installation of the certificate. If the private key has been password protected, you will be asked to provide the correct pass phrase.

Paste the certificate and key, press Enter to create a new line,
and then type "..." (without the quotation marks)
to terminate.
>


10. Your screen output should now resemble the following example:

Paste the certificate, press Enter to create a new line,
and then type "..." (without the quotation marks)
to terminate.
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC,A869F45E9CC45F52
>
> 7Px2H7TG/9omI8juY96FKTY3+8ID6J2KGMMutWBT7ug6dVzKD+K0yd6Lza20xivk
> JVWXU7+ry448vcHVw2ApSb3qvlg7FRdN7oFYutZZESozlZrZzbKDxv4LH/lqW2x+
> Ngb2qjFsP6jKtlc4TNkdFLYkzVxXC6h+hSdG7C0H4taylxoP1RdY8SZwoT0PLaC6
> 8aZGCdfYZ+RsVDoGeP3QyenlXTrMls/d2+SWOG4xjEAfEHunI/z7W1lIBmipmvnz
> wjbD2PNmzx2k8JuYA4gclbAfJYKoeT1O4N9tzJrv0GLkG1Hq8XAvHXzs4W8WUfln
> sCmu1kKDGCfl6EOCt1le4oDzK8EuBZF2y0ZmQYEXuf9oFUN3xiu/rShzEPFCoADv
> a8ZV+jvFH1j/ozvTmRXaNz1I8dHkbrFz8ViELfqXr6k=
> -----END RSA PRIVATE KEY-----
>
> -----BEGIN CERTIFICATE-----
> MIICXjCCAgigAwIBAgIBADANBgkqhkiG9w0BAQQFADBbMQswCQYDVQQGEwJTRTEK
> MAgGA1UECBMBZzEKMAgGA1UEBxMBZzEKMAgGA1UEChMBZzEKMAgGA1UECxMBZzEK
> MAgGA1UEAxMBZzEQMA4GCSqGSIb3DQEJARYBZzAeFw0wMDExMTQxNzQ0NTBaFw0w
> MTExMTQxNzQ0NTBaMFsxCzAJBgNVBAYTAlNFMQowCAYDVQQIEwFnMQowCAYDVQQH
> EwFnMQowCAYDVQQKEwFnMQowCAYDVQQLEwFnMQowCAYDVQQDEwFnMRAwDgYJKoZI
> hvcNAQkBFgFnMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMM1w/CGs5lLh3Thrns6
> HW2s8YT0ujIq3chDHppNSQQskeM4EN4GIRbBmPmuMmqFzmC1CVARm4wJQu+/Xnnv
> s6sCAwEAAaOBtjCBszAdBgNVHQ4EFgQUMeRJwoUki4m4moHPCgvhbNgCgacwgYMG
> A1UdIwR8MHqAFDHkScKFJIuJuJqBzwoL4WzYAoGnoV+kXTBbMQswCQYDVQQGEwJT
> RTEKMAgGA1UECBMBZzEKMAgGA1UEBxMBZzEKMAgGA1UEChMBZzEKMAgGA1UECxMB
> ZzEKMAgGA1UEAxMBZzEQMA4GCSqGSIb3DQEJARYBZ4IBADAMBgNVHRMEBTADAQH/
> MA0GCSqGSIb3DQEBBAUAA0EALUQqocsBBMd7Y9b2PnMoc/U9yzcunxH3cwSK+oLE
> NuykQRO72vie+n1uztXTJxugTnFO9MGoIxEy19zFklUrLQ==
> -----END CERTIFICATE-----
> ...
Enter pass phrase:
Do you require chain certificates (yes/no) [no]:
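A pre-paste check for the PEM bundle described in steps 9 and 10, as an added example in Python that is not code from the Alteon product: it reads input up to the "..." terminator the way the wizard does, verifies that exactly one private key and at least one certificate block are present with matching BEGIN/END lines and decodable base64 bodies, and reports whether the key is encrypted so that a pass phrase prompt is expected. Function names and the constructed sample paste are assumptions.

```python
"""Sanity-check a PEM bundle before pasting it into the Quick Server Setup Wizard.

Added example, not part of the Alteon product. Function and sample names
are assumptions; the checks follow the requirements stated in steps 9-10.
"""
import base64
import re

TERMINATOR = "..."
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\n(?P<body>.*?)-----END (?P<end>[A-Z0-9 ]+)-----",
    re.S,
)


def read_pasted_input(lines):
    """Collect pasted lines up to the '...' terminator.

    Returns (text, terminated); terminated is False when the paste ended
    without the terminator, which is what leaves the wizard waiting at '>'.
    """
    collected = []
    for line in lines:
        if line.strip() == TERMINATOR:
            return "\n".join(collected) + "\n", True
        collected.append(line.rstrip("\n"))
    return "\n".join(collected) + "\n", False


def inspect_pem_bundle(text):
    """Summarise the PEM blocks in text; summary['errors'] is empty when usable."""
    summary = {"private_keys": 0, "certificates": 0, "encrypted_key": False, "errors": []}
    for m in PEM_BLOCK.finditer(text):
        label, end = m.group("label"), m.group("end")
        if label != end:
            summary["errors"].append(f"BEGIN {label} is closed by END {end}")
            continue
        body = m.group("body").splitlines()
        # An encrypted key carries 'Proc-Type'/'DEK-Info' headers, then a blank line.
        headers = []
        while body and ":" in body[0]:
            headers.append(body.pop(0))
        if body and body[0].strip() == "":
            body.pop(0)
        b64 = "".join(part.strip() for part in body)
        try:
            if not b64:
                raise ValueError("empty body")
            base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
        except ValueError:
            summary["errors"].append(f"{label}: body is not valid base64")
            continue
        if label.endswith("PRIVATE KEY"):
            summary["private_keys"] += 1
            if any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers):
                summary["encrypted_key"] = True
        elif label == "CERTIFICATE":
            summary["certificates"] += 1
        else:
            summary["errors"].append(f"unexpected block type {label}")
    if summary["private_keys"] != 1:
        summary["errors"].append(f"expected exactly one private key, found {summary['private_keys']}")
    if summary["certificates"] == 0:
        summary["errors"].append("no certificate block found")
    return summary


def _fake_body(tag):
    # Constructed placeholder body: valid base64 but not a real key or certificate.
    return base64.b64encode(f"constructed {tag}, not real DER".encode()).decode()


# Constructed paste modelled on the screen output above; the DEK-Info IV is a placeholder.
SAMPLE_PASTE = [
    "-----BEGIN RSA PRIVATE KEY-----",
    "Proc-Type: 4,ENCRYPTED",
    "DEK-Info: DES-EDE3-CBC,0000000000000000",
    "",
    _fake_body("private key"),
    "-----END RSA PRIVATE KEY-----",
    "",
    "-----BEGIN CERTIFICATE-----",
    _fake_body("certificate"),
    "-----END CERTIFICATE-----",
    "...",
]

if __name__ == "__main__":
    text, terminated = read_pasted_input(SAMPLE_PASTE)
    print(terminated, inspect_pem_bundle(text))
```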


11. If the server certificate you just added is a chain certificate, add your chain certificate(s) as well.

You need to repeat the pasting of chain certificates until the root CA certificate has been added. This constructs the server certificate chain, which is sent to the client’s browser in addition to the server certificate.

When you have added your root CA certificate, answer no to the question if you require (additional) chain certificates. The following message is then displayed:

Do you require more chain certificates (yes/no) [no]: no
Creating new server 2
Creating new cert 2
Server certificate added as cert 2
Creating new cert 3
Adding chain certificate as cert 3
Use apply to activate the new server.

12. Apply your settings.

>> SSL# apply

13. Verify your settings.

>> SSL# cur

According to the example above, information relating to the added virtual SSL server and added certificates can be reviewed under the following main entries in the screen output, after you have issued the cur command:

■ Certificate 2

■ Certificate 3

■ Server 2


Create a Socks server

1. Start the Quick Server Setup Wizard and define the server type.

When the ASA is used for SSL VPN support, a Socks server is generally not required. Both the Portal and the SSL VPN client work fine with just a Portal server. However, if exclusive support for the SSL VPN client is the desired option (i.e. no SSL VPN Portal interaction), a Socks server must be configured. See the Application Guide for examples of SSL VPN usage.

>> Main# cfg/ssl/quick
Type of server (generic/http/socks/portal) [http]: socks

2. Specify the IP address of an existing virtual server.

Specify the virtual IP address (VIP) for the Socks server. This IP address should correspond to the IP address of a virtual server on the Alteon Application Switch. If stand-alone mode is used, specify an IP address here and configure the SSL server later, according to the instructions in the “Stand-Alone Web Server Accelerator” chapter in the Application Guide.

IP address of SSL server: 192.168.128.101

3. Set the listen TCP port.

In this example, the virtual SSL server is created for requests through a SOCKS over SSL connection. The listen TCP port suggested by the wizard ([1080]) need not be changed. Simply press ENTER to preserve the TCP port value.

NOTE – This is not the RFC standard SOCKS protocol, but an SSL-encrypted version. Other SOCKS clients than the SSL VPN client cannot be used to access this service.

Listen port of server [1080]:

4. Select an Xnet domain to use for authentication.

To be able to use the SSL VPN feature, an Xnet domain has to be configured and associated with the Socks server. Existing Xnet domains (if any) are shown within the parenthesis.

Select an Xnet domain to use for authentication (1) [1]:


5. Select whether or not to use unqualified domain names.

If you enable use of short names (unqualified domain names) you can specify one or several domain names with which it is sufficient to use a short name when requesting the destination.

Do you want support for short names (yes/no) [yes]:

6. If you chose to support unqualified domain names, list the desired domains.

For example, if you specify .example.com, the user can use any short name (e.g. www) that is configured in DNS for the specified domains.

Enter comma separated list domains: .example.com, .support.example.com (examples of list domains)

7. If the HTTP Proxy feature on the Portal page should be available, enable http proxy.

The HTTP Proxy feature sees to it that intranet web page links embedded in plugins (such as Flash, Shockwave and Java applets) will be redirected to the ASA through a secure connection when executed.

Enable support for portal http proxy (yes/no) [yes]:

8. Continue with adding certificates according to Step 8 to Step 13 in “Create an HTTP Server” on page 101.


Create a Portal Server

1. Start the Quick Server Setup Wizard and define the server type.

A Portal server is required to generate the SSL VPN Portal page (browser-based mode). The Portal server is also required to be able to download the virtual SSL Socks server configuration settings using the SSL VPN client wizard. See the Application Guide for SSL VPN usage examples.

>> Main# cfg/ssl/quick
Type of server (generic/http/socks/portal) [http]: portal

2. Specify the IP address of an existing virtual server.

Specify the virtual IP address (VIP) for the Portal server. This IP address should correspond to the IP address of a virtual server on the Alteon Application Switch. If stand-alone mode is used, specify an IP address here and configure the SSL server later, according to the instructions in the “Stand-Alone Web Server Accelerator” chapter in the Application Guide.

IP address of SSL server: 192.168.128.103

3. Set the listen TCP port.

In this example, the virtual SSL server is created for HTTPS requests to the Portal page. The listen TCP port suggested by the wizard ([443]) need not be changed. Simply press ENTER to preserve the TCP port value.

Listen port of server [443]:

4. Select an Xnet domain to use for authentication.

To be able to use the SSL VPN feature, an Xnet domain has to be configured and associated with the Portal server. Existing Xnet domains (if any) are shown within the parenthesis.

Select an Xnet domain to use for authentication (1) [1]:

5. Specify whether or not you want support for portal applets and the SSL VPN client.

If you enable support for Portal applets and the SSL VPN client, the features available on the Portal’s Advanced tab will be supported (i.e. HTTP Proxy, Port forwarder, and Telnet/SSH access). Support for SSL VPN client is also added.

Do you want support for portal applets and vpn client (yes/no) [yes]:


6. Select whether or not to use unqualified domain names.

If you enable use of short names (unqualified domain names) you can specify one or several domain names with which it is sufficient to use a short name when requesting the destination.

Do you want support for short names (yes/no) [yes]:

7. If you chose to support unqualified domain names, list the desired domains.

For example, if you specify .example.com, the user can use any short name (e.g. www) that is configured in DNS for the specified domains.

Enter comma separated list domains: .example.com, .support.example.com (examples of list domains)

8. Specify the DNS name of the virtual SSL server.

Enter the DNS name of the VIP (e.g. www.example.com): vpn.example.com (example of DNS name)

9. Continue with adding certificates according to Step 8 to Step 13 in “Create an HTTP Server” on page 101.


CHAPTER 8
The Command Line Interface

This chapter explains how to access the ASA via the command line interface (CLI).

The ASA version 4.1 software provides means for accessing, configuring, and viewing information and statistics about the ASA. By using the built-in, text-based command line interface and menu system, you can access and configure the ASA either via a local console connection (using a computer running terminal emulation software), or via a remote session using either a Telnet client or an SSH client.

When using a Telnet client or SSH client to connect to a cluster of ASAs, always connect to the IP address of the MIP (Management IP). Configuration changes are automatically propagated to all members of the cluster. However, when using the halt, reboot, or delete commands (available in the Boot menu), you should connect to the IP address of the particular ASA on which you want to perform these commands, or connect to that ASA via a console connection.


Connecting to the ASA

You can access the command line interface in two ways:

■ Using a console connection via the console port

■ Using a Telnet connection or SSH connection over the network.

Establishing a Console Connection

A console connection is required when performing the initial setup, and when reinstalling the ASA software as the boot user. When logging in as root user for advanced troubleshooting purposes, a console connection is also required.

Requirements

To establish a console connection with the ASA, you will need the following:

■ An ASCII terminal or a computer running terminal emulation software set to the parameters shown in the table below:

■ A serial cable with a female DB-9 connector. (For more specific information, see the “Connecting to the ASA” chapter in the Alteon SSL Accelerator Hardware Installation Guide.)

Table 8-1 Console Configuration Parameters

Parameter       Value
Baud Rate       9600
Data Bits       8
Parity          None
Stop Bits       1
Flow Control    None


Procedure

1. Connect the terminal to the Console port using the correct serial cable.

When connecting to an ASA, use a serial cable with a female DB-9 connector (shipped with the ASA).

2. Power on the terminal.

3. To establish the connection, press ENTER on your terminal.

You will next be required to log in by entering a user name and a password. For more information on user accounts and default passwords, see “Accessing the ASA” on page 116.

Establishing a Telnet Connection

A Telnet connection offers the convenience of accessing the ASA from any workstation connected to the network. Telnet access provides the same options for user access and administrator access as those available through the console port.

To configure the ASA for Telnet access, you need to have a device with Telnet client software located on the same network as the ASA. The ASA must have an IP address and a Management IP address. If you have already performed the initial setup by selecting new or join in the Setup menu, the assignment of IP addresses is complete.

When making configuration changes to a cluster of ASAs via Telnet, it is recommended that you connect to the IP address of the MIP. However, if you want to halt or reboot a particular ASA in a cluster, or reset all configuration to the factory default settings, you must connect to the IP address of the particular ASA. This also applies when using an SSH connection instead of a Telnet connection. To view the IP addresses of all ASAs in a cluster, use the /info/isdlist command.

Enabling and Restricting Telnet Access

Telnet access to the ASA is disabled by default, for security reasons. However, depending on the severity of your security policy, you may want to enable Telnet access. You may also restrict Telnet access to one or more specific machines.

For more information on how to enable Telnet access, see the telnet command under “System Access Configuration” on page 315. For more information on how to restrict Telnet access to one or more specific machines, see the add command under “System Access Configuration” on page 315.


Running Telnet

Once the IP parameters on the ASA are configured and Telnet access is enabled, you can access the CLI using a Telnet connection. To establish a Telnet connection with the ASA, run the Telnet program on your workstation and issue the Telnet command, followed by the ASA IP address.

telnet <IP address>

You will then be prompted to enter a valid user name and password. For more information about different user accounts and default passwords, see “Accessing the ASA” on page 116.

Establishing a Connection Using SSH (Secure Shell)

When accessing the ASA from a workstation connected to the network using a Telnet connection, it is important to keep in mind that the communication channel is not secure. All data flowing back and forth between the Telnet client and the ASA is sent unencrypted (including the password), and there is no server host authentication.

By using an SSH client to establish a connection over the network, the following benefits are achieved:

■ Server host authentication

■ Encryption of passwords for user authentication

■ Encryption of all traffic that is transmitted over the network when configuring or collecting information from the ASA


Enabling and Restricting SSH Access

SSH access to the ASA is disabled by default. However, depending on the severity of your security policy, you may want to enable SSH access. You may also restrict SSH access to one or more specific machines.

For more information on how to enable SSH access, see the ssh command under “System Configuration” on page 299. For more information on how to restrict SSH access to one or more specific machines, see the add command under “System Access Configuration” on page 315.

Running an SSH Client

Connecting to the ASA using an SSH client is similar to connecting via Telnet. As with Telnet, the IP parameters on the ASA need to be configured in advance and SSH access must be enabled. After providing a valid user name and password, the command line interface in the ASA is accessible the same way as when using a Telnet client. However, since a secured and encrypted communication channel is set up even before the user name and password are transmitted, all traffic sent over the network while configuring or collecting information from the ASA is encrypted. For information about different user accounts and default passwords, see “Accessing the ASA” on page 116.

During the initial setup of the ASA, you are provided with the choice to generate new SSH host keys. It is recommended that you do so, in order to maintain a high level of security when connecting to the ASA using an SSH client. If you fear that your SSH host keys have been compromised, you can create new host keys at any time by using the /cfg/sys/adm/gensshkey command. When reconnecting to the ASA after having generated new host keys, your SSH client will display a warning that the host identification (or host keys) has been changed.


Accessing the ASA

To enable better ASA management and user accountability, five categories of users can access the ASA:

■ The Operator is only granted read access to the menus and information appropriate to this user access level. The Operator cannot make any changes to the configuration.

■ The Administrator can make any changes to the ASA configuration. Thus, the Administrator has read and write access to all menus, information and configuration commands in the ASA.

■ A Certificate Administrator is a member of the certadmin group, and has sufficient user rights to manage certificates and private keys on the ASA. By default, only the Administrator user is a member of the certadmin group. To separate the Certificate Administrator user role from the Administrator user role, the Administrator user can add a new user account to the system, assign the new user to the certadmin group, and then remove himself or herself from the certadmin group. For more information, see “Adding a New User” on page 66.

■ The Boot user can only perform a reinstallation. For security reasons, it is only possible to log in as the Boot user via the console port using terminal emulation software. The Boot user password cannot be changed from the default ForgetMe.

■ The Root user is granted full access to the underlying Linux operating system. For security reasons, it is only possible to log in as the Root user via the console port using terminal emulation software. Root user access should mainly be reserved for advanced troubleshooting purposes, under guidance from Nortel Networks customer support.

For more information, see “How to Get Help” on page 17.

Access to the ASA command line interface and settings is controlled through the use of four predefined user accounts and passwords. Once you are connected to the ASA via a console connection or remote connection (Telnet or SSH), you are prompted to enter a user account name and the corresponding password. The default user accounts and passwords for each access level are listed in Table 8-2 on page 117.

NOTE – The default Administrator user password can be changed during the initial configuration (see “Installing an ASA in a New Cluster” on page 36). For the Operator user, the Boot user, and the Root user however, the default passwords are used even after the initial configuration. It is therefore recommended that you change the default ASA passwords soon after the initial configuration, and as regularly as required under your network security policies. For more information about how to change a user account password, see “Changing a User’s Password” on page 71.


CLI vs. Setup

Once the Administrator user password is verified, you are given complete access to the ASA. If the ASA is still set to its factory default configuration, the system will run Setup (see “Installing an ASA in a New Cluster” on page 36), a utility designed to help you through the first-time configuration process. If the ASA has already been configured, the Main menu of the CLI is displayed instead.

Table 8-2 User Access Levels

User Account: oper
User Group: oper
Access Level Description: The Operator is allowed read access to some of the menus and information available in the CLI.
Default Password: oper

User Account: admin
User Group: admin, oper, certadmin
Access Level Description: The Administrator is allowed both read and write access to all menus, information and configuration commands. The Administrator can add users to all groups in which the Administrator himself or herself is a member. The Administrator can delete a user from any of the three built-in groups.
Default Password: admin

User Account: (none)
User Group: certadmin
Access Level Description: By default, only the Administrator is a member of the certadmin group. Certadmin group rights are sufficient for administrating certificates and keys on the ASA. A certificate administrator user has no access to the SSL Server menu, and only limited access to the System menu.
Default Password: (none)

User Account: boot
User Group: (none)
Access Level Description: The boot user can only perform a reinstallation of the software, and only via a console connection.
Default Password: ForgetMe

User Account: root
User Group: (none)
Access Level Description: The root user has full access to the underlying Linux operating system, but only via a console connection.
Default Password: ForgetMe


The following figure shows the Main menu with administrator privileges.

[Main Menu]
     info   - Information Menu
     stats  - Statistics Menu
     cfg    - Configuration Menu
     boot   - Boot Menu
     maint  - Maintenance Menu
     diff   - Show pending config changes    [global command]
     apply  - Apply pending config changes   [global command]
     revert - Revert pending config changes  [global command]
     paste  - Restore saved config with key  [global command]
     help   - Show command help menu         [global command]
     exit   - Exit [global command, always available]

Figure 8-1 Administrator Main Menu

Command Line History and Editing

For a description of global commands, shortcuts, and command line editing functions, see “ASA Command Reference” on page 141.

Idle Timeout

The ASA will disconnect your local console connection or remote connection (Telnet or SSH) after 10 minutes of inactivity. This value can be changed to a maximum value of 1 hour using the /cfg/sys/adm/clitimeout command.

If you have unapplied configuration changes when automatically disconnected after the specified idle timeout value, the unapplied configuration changes will be lost. Therefore, make sure to save your configuration changes regularly by using the global apply command.

If you have unapplied configuration changes when using the global exit command to log out from the command line interface, you will be prompted to view the pending configuration changes by using the global diff command. After verifying the pending configuration changes, you can either remove the changes or apply them. For more information about pending configuration changes, see “Viewing, Applying and Removing Changes” on page 174.


CHAPTER 9: Troubleshooting the ASA

This chapter provides troubleshooting tips for the following problems:

- Cannot connect to the ASA via Telnet or SSH, on page 120.

- Cannot add the ASA to an existing cluster, on page 122.

- Cannot contact the MIP, on page 123.

- The ASA stops responding, on page 124.

- A user password is lost, on page 125.

- An ASA does not process any SSL traffic, on page 126.

- Resetting the HSM cards on the ASA, on page 128.

- An ASA cluster configuration needs to be reconstructed onto new devices, on page 131.

The chapter also provides a section on performing system diagnostics, on page 135.


Cannot Connect to ASA via Telnet or SSH

Verify the Current Configuration

Connect via a console connection and check that Telnet or SSH access to the ASA is enabled. By default, remote connections to the ASA are disabled for security reasons. Type the command /cfg/sys/adm/cur to see whether remote access via Telnet or SSH is enabled.

    >> # /cfg/sys/adm/cur
    Collecting data, please wait...
    Administrative Applications:
      CLI idle timeout = 1h
      Telnet CLI access = off
      SSH CLI access = off

Enable Telnet or SSH Access

If your security policy allows enabling remote connections to the ASA, type the command /cfg/sys/adm/telnet to enable Telnet access, or the command /cfg/sys/adm/ssh to enable SSH access. Apply your configuration changes.

    >> # /cfg/sys/adm/ssh
    Current value: off
    Allow SSH CLI access (on/off): on
    >> Administrative Applications# apply
    Changes applied successfully.

Check the Access List

If you find that Telnet or SSH access is enabled but you still can’t connect to the ASA using a Telnet or SSH client, check whether any hosts have been added to the Access List. Type the command /cfg/sys/accesslist/list to view the current Access List.

    >> # /cfg/sys/accesslist/list
    1: 192.168.128.78, 255.255.255.0

When Telnet or SSH access is enabled, only those hosts listed in the Access List are allowed to access the ASA over the network. If no hosts have been added to the Access List, this means that any host is allowed to access the ASA over the network (assuming that Telnet or SSH access is enabled).


Check the IP Address Configuration

If your host is allowed to access the ASA over the network according to the Access List, check that you have configured the correct IP addresses on the ASA. Make sure you ping the real IP address of the ASA, and not the Management IP (MIP) of the cluster in which the ASA is a member. Type the command /cfg/sys/cluster/cur to view IP address information for all ASAs in the cluster.

    >> # /cfg/sys/cluster/cur
    Cluster:
      Management IP (MIP) address = 192.168.128.211

      iSD Host 1:
        Type of the iSD = master
        IP address = 192.168.128.210
        License = xnet (10), tps (unlimited)
        Default gateway address = 192.168.128.3
        Ports = 1

        Host Routes:
          No items configured

        Host Interface 1:
          IP address = 192.168.128.210
          Network mask = 255.255.255.0
          VLAN tag id = 0
          Mode = failover
          Primary port = 0
          Interface Ports: 1

        Host Port 1:
          Autonegotiation = on
          Speed = 0
          Full or half duplex mode = full

If the IP address assigned to the ASA seems to be correct, you may have a routing problem. Try to run traceroute (a global command available at any menu prompt) or the tcpdump command (or some other network analysis tool) to locate the problem. For more information about the tcpdump command, see page 195.

If this does not help you to solve the problem, contact Nortel Networks for technical support. See “How to Get Help” on page 17.


Cannot Add an ASA to a Cluster

When trying to add an ASA to a cluster by selecting join in the Setup menu, you may receive an error message stating that the system is running an incompatible software version. The incompatible software version referred to in the error message is the software that is running on the ASA device you are trying to add to the cluster. This error message is displayed whenever the ASA you are trying to add has a different software version from the ASA(s) already in the cluster. In this situation you need to do one of the following:

- Adjust the software version on the ASA device you are trying to add to the cluster, to synchronize it with the software version running on the ASA(s) already in the cluster. You can verify software versions by typing the command /boot/software/cur, where the active version is indicated as permanent. Adjusting the software version on the ASA device you want to add to the cluster implies either upgrading to a newer software version, or reverting to an older software version. In either case you will need to perform the steps described in “Reinstalling the Software” on page 56. After having adjusted the software version, log in as the Administrator user and select join from the Setup menu.

- Upgrade the software version running on the ASA(s) in the cluster to the same version as running on the ASA you want to add to the cluster. Perform the steps described in “Performing Minor/Major Release Upgrades” on page 60. Then add the ASA device by selecting join from the Setup menu.


Cannot Contact the MIP

When trying to add an ASA to a cluster by selecting join in the Setup menu, you may receive an error message stating that the system is unable to contact the Management IP address (MIP).

This could be the case if you are trying to join an ASA to a cluster and there are existing entries in the Access list. Typically, the Access list contains valid IP addresses for Telnet or SSH management. If the Access list contains entries, you have to add the Interface 1 IP addresses of both ASAs and the Management IP address (MIP) to the Access list before joining the ASA.

If the Access list is empty, communication should be working fine.

Check the Access List

On the master ASA, check if there are entries in the Access list. Type the command /cfg/sys/accesslist/list to view the current Access list.

    >> # /cfg/sys/accesslist/list
    1: 192.168.128.78, 255.255.255.0

Add Interface 1 IP Addresses and MIP to Access List

Use the /cfg/sys/cluster/cur command to view the Host Interface 1 IP address for the existing ASA. Then add this IP address, the intranet IP address you had in mind for the new ASA and the Management IP address (MIP) to the Access list.

To add the IP addresses to the Access list, type the command /cfg/sys/accesslist/add.

    >> # /cfg/sys/accesslist/add
    Enter network address: <IP address>
    Enter netmask: <network mask>

Try adding the ASA to the cluster using the join command in the Setup menu.
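The Access List rules stated in the two sections above (an empty list admits every host; a non-empty list admits only hosts matching an entry's address and netmask; a cluster join over a non-empty list needs both Interface 1 addresses and the MIP listed) as an added Python model. This is not part of the manual and not ASA software; the entry format and the 192.168.128.x addresses come from the screen output above, and the new ASA address 10.1.1.20 is a constructed sample.

```python
"""Model of the ASA Access List semantics described in Chapter 9.

Added example, not part of the Nortel manual and not ASA code. It assumes
only what the manual states: an empty Access List admits every host, a
non-empty list admits a host only if it matches an entry (address plus
netmask), and a join over a non-empty list needs the Interface 1 addresses
of both ASAs and the MIP to be covered by the list.
"""
import ipaddress
from typing import Iterable, List, Tuple

# (network address, netmask) exactly as /cfg/sys/accesslist/list prints them
Entry = Tuple[str, str]


def _entry_network(entry: Entry) -> ipaddress.IPv4Network:
    """Turn one Access List entry into a network, honouring its netmask.

    The manual's sample entry "192.168.128.78, 255.255.255.0" is a host
    address with a /24 mask; strict=False makes it mean 192.168.128.0/24.
    """
    addr, mask = entry
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def access_list_allows(entries: Iterable[Entry], host: str) -> bool:
    """Return True if `host` may reach the ASA over Telnet or SSH.

    Empty list: every host is allowed (the manual's "no hosts added" case).
    Non-empty list: the host must fall inside at least one entry's network.
    """
    entries = list(entries)
    if not entries:
        return True
    ip = ipaddress.IPv4Address(host)
    return any(ip in _entry_network(e) for e in entries)


def missing_for_join(entries: Iterable[Entry], master_if1: str,
                     new_if1: str, mip: str) -> List[str]:
    """Addresses still to be added before `join` can contact the MIP.

    Returns [] when the join can proceed: either the list is empty, or the
    master's Interface 1 address, the new ASA's Interface 1 address and the
    MIP are all covered by existing entries.
    """
    entries = list(entries)
    if not entries:
        return []
    return [a for a in (master_if1, new_if1, mip)
            if not access_list_allows(entries, a)]


def parse_accesslist_output(text: str) -> List[Entry]:
    """Parse the lines printed by /cfg/sys/accesslist/list.

    Line format, from the manual's sample output: "<index>: <address>, <netmask>".
    Lines without a colon (e.g. an empty-list message) are ignored.
    """
    out: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        _, rest = line.split(":", 1)
        addr, mask = (p.strip() for p in rest.split(","))
        out.append((addr, mask))
    return out


if __name__ == "__main__":
    # Constructed sample, identical to the manual's screen output above.
    sample = "1: 192.168.128.78, 255.255.255.0\n"
    acl = parse_accesslist_output(sample)
    print(access_list_allows(acl, "192.168.128.50"))   # same /24 -> True
    print(access_list_allows(acl, "10.0.0.5"))         # not listed -> False
    # Master Interface 1 and MIP are from the /cfg/sys/cluster/cur output;
    # the new ASA's address is a constructed value outside the listed /24.
    print(missing_for_join(acl, "192.168.128.210",
                           "10.1.1.20", "192.168.128.211"))
```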


The ASA Stops Responding

Telnet or SSH Connection to the Management IP Address

When you are connected to a cluster of ASAs via a Telnet or SSH connection to the Management IP address, your connection to the cluster can be maintained as long as at least one master ASA in the cluster is up and running. However, if the particular ASA that currently is in control of the Management IP stops responding while you are connected, you need to close down your Telnet or SSH connection and reconnect to the Management IP address.

After doing so, you can view the operational status of all ASAs in the cluster by typing the command /info/isdlist. If the operational status of one of the ASAs is indicated as down, you should reboot that machine. On the ASA 310, press the Power button on the back panel to turn the machine off, wait until the fan comes to a standstill, and then press the Power button again to turn the machine on.

Log in as the Administrator user when the login prompt appears and check the operational status again.

Console Connection

If you are connected to a particular ASA via a console connection, and that ASA stops responding, you should first try pressing the key combination CTRL+^ and then press ENTER. This will take you back to the login prompt. Log in as the Administrator user and check the operational status of the ASA. Type the command /info/isdlist and see if the operational status is indicated as up. If the operational status is indicated as up, the ASA should continue to process SSL traffic without the need of a reboot.

If the operational status of the ASA is indicated as down, try rebooting the ASA by typing the command /boot/reboot. You will be asked to confirm your action before the actual reboot is performed. Log in as the Administrator user and check if the operational status of the ASA is now up.

If the operational status of the ASA still is down, reboot the machine. On the ASA 310, press the Power button on the back panel to turn the machine off, wait until the fan comes to a standstill, and then press the Power button again to turn the machine on. Log in as the Administrator user when the login prompt appears.


A User Password is Lost

Administrator User Password

If you have lost the Administrator user password there is only one way to regain access to the ASA as the Administrator user: reinstalling the software via a console connection as the Boot user.

For more information, see “Reinstalling the Software” on page 56.

Operator User Password

If you have lost the Operator user password, log in as the Administrator user and define a new Operator user password. Only the Administrator user can change the Operator user password.

For more information, see the edit command under “User Access Configuration” on page 327.

Root User Password

If you have lost the Root user password, log in as the Administrator user and define a new Root user password. Only the Administrator user can change the Root user password. For more information, see the edit command under “User Access Configuration” on page 327.

Boot User Password

The default Boot user password cannot be changed, and can therefore never really be “lost”. If you have forgotten the Boot user password, see “Accessing the ASA” on page 116.

If the Boot user password could be changed and you have lost both the Administrator password and the Boot user password, the ASA would be rendered completely inaccessible to all users except the Operator, whose access level does not permit any changes being made to the configuration of the ASA.

The fact that the Boot user password cannot be changed should not imply a security issue, since the Boot user can only access the ASA via a console connection using a serial cable, and the ASA presumably is set up in a server room with restricted access.


An ASA HSM Stops Processing Traffic

Whenever an ASA has undergone a reboot (whether intentionally invoked by the user, or due to a power failure), the device stops processing SSL traffic. This behavior is perfectly normal, and is due to the high security demands placed on the ASA.

To make the ASA start processing SSL traffic again, log in to the HSM cards using the HSM-USER iKey associated to each card. Logging in to the HSM cards will clear the alarms that were set during the reboot, and the ASA will accept SSL traffic again.

Follow these steps to log in to the HSM cards:

1. Log in to the specific ASA that has undergone a reboot as the admin or oper user.

When connecting to the ASA, you can use a console connection, or a remote connection (Telnet or SSH, if enabled in the system configuration).

NOTE – It is important that you log in to the particular ASA on which a reboot has occurred, and not to the Management IP address (MIP) of the cluster.

    login: admin
    Password: <enter the admin user password>
    Alteon iSD SSL
    Software version 4.1


2. Log in to each HSM card consecutively by inserting the correct HSM-USER iKey and providing the associated password.

Remember that each HSM card requires inserting the specific HSM-USER iKey that was used when initializing that particular HSM card. This holds true even if you use the same password for both HSM-USER iKeys.

NOTE – If you enter the wrong password for the HSM-USER fifteen (15) times in a row, the HSM-USER iKey will be rendered unusable. This is due to the strict security specifications placed on the ASA.

3. Verify that the alarms that caused the ASA to stop processing SSL traffic have been cleared.

The hsm_not_logged_in alarms that were triggered during the reboot should now be cleared from the active alarm list, after the successful login to both HSM cards. The ASA is now ready to process SSL traffic again.

    >> Main# maint/hsm/login
    Verify that HSM-USER iKey (blue) is inserted in card 0 (with flashing LED).
    Hit enter when done.
    Enter the current HSM-USER password for card 0: <enter the password associated with the HSM-USER iKey for card 0>
    Successful login on card 0.
    Verify that HSM-USER iKey (blue) is inserted in card 1 (with flashing LED).
    Hit enter when done.
    Enter the current HSM-USER password for card 1: <enter the password associated with the HSM-USER iKey for card 1>
    Successful login on card 1.

    >> # /info/events/alarms
    ** (alarm) Active Alarm List ***************************************


Resetting HSM Cards on the ASA 310-FIPS

When removing an ASA 310-FIPS device from a cluster, you have the option to reset (or de-initialize) the HSM cards.

When an ASA 310-FIPS device that has been removed from a cluster is installed in a new cluster, or added to an existing cluster, the cards will be initialized again. This is done by performing a series of steps as part of the setup procedure of the ASA device itself. If the Setup utility detects that the cards have not been reset, you will be prompted to reset the HSM cards at that time. The HSM cards must be reset before they can be initialized. You may therefore choose to reset the cards already when removing the ASA device from the cluster. Resetting the HSM cards will clear all sensitive cryptographic information stored on the cards. Until the cards are initialized again, they will remain in that state.

To reset the HSM cards, you need the following:

- The two pairs of HSM-SO and HSM-USER iKeys, where each pair is associated with a particular HSM card on the ASA 310-FIPS device you want to delete from the cluster

- The HSM-SO password associated with each HSM-SO iKey

- Log in as the admin user to the particular ASA 310-FIPS device you want to delete

If the ASA 310-FIPS device will be used in a different department or organization after it has been deleted from the cluster, you may want to change the current password for the HSM-SO iKey and the HSM-USER iKey before you reset the HSM cards. The user who performs the initial setup of the ASA device must then provide the “transient” passwords known by both parties when initializing the HSM cards, but can directly change to new HSM-SO and HSM-USER passwords within the normal initialization procedure.

To change the current password for the HSM-SO iKey before resetting the HSM cards, use the /maint/hsm/changepass command. For more information about this command, see page 340.

NOTE – When moving the ASA 310-FIPS device to a different location, make sure to maintain the connection between each pair of HSM-SO and HSM-USER iKeys and the particular HSM card to which they are associated. To initialize the HSM cards when installing or adding the device in a cluster, the correct HSM-SO and HSM-USER iKeys are required, as well as the corresponding HSM-SO and HSM-USER passwords.


1. Log in to the ASA 310-FIPS that you want to delete from the cluster.

In this step it is important that you connect to the particular ASA 310-FIPS that you want to delete from the cluster. To do that, you can use either a console connection, or a remote connection (via Telnet or SSH) using the IP address assigned to the specific ASA 310-FIPS device. Do not connect via a remote connection using the Management IP (MIP) address of the ASA cluster. To view the IP addresses assigned to each ASA 310-FIPS device in the cluster, use the /info/isdlist command.

2. Delete the ASA 310-FIPS (iSD) and choose to reset the HSM cards.

3. Insert the HSM-SO iKey associated with HSM card 0 in the card with flashing LED and provide the correct password.

Remember that each HSM card requires inserting the specific HSM-SO iKey that was used when initializing that particular HSM card. This holds true even if you use the same password for both HSM-SO iKeys that are used on one ASA device.

    login: admin
    Password: <enter the admin user password>
    Alteon iSD SSL
    Software version 3.0

    >> Main# /boot/delete
    Are you sure you want delete the iSD? (y/n) y
    Do you want to clear the HSM card(s) as well? (y/n) [y]: (press ENTER to accept resetting the HSM cards)

    (continued)
    Verify that HSM-SO iKey (purple) is inserted in card 0 (with flashing LED).
    Hit enter when done.
    Enter the current HSM-SO password for card 0:


4. Insert the HSM-SO iKey associated with HSM card 1 in the card with flashing LED and provide the correct password.

Again, make sure that you insert the correct HSM-SO iKey, as each HSM card requires the specific iKey that was used when the card was first initialized.

The ASA 310-FIPS device is now removed from the cluster and reset to its factory default settings. Both HSM cards are also reset, which means that all sensitive cryptographic information stored on the cards is deleted. The next time a user turns on the ASA device, the Setup menu will be displayed after having logged in as the admin user via a console connection.

When selecting new or join in the Setup menu, you will be prompted to insert the HSM-SO iKey and HSM-USER iKey associated with each HSM card, and provide the current password stored on the respective iKey. This is required to initialize the HSM card anew. After you have provided the correct password for the iKey being requested by the Setup utility, a new password can be defined for that iKey.

For more information about installing and adding an ASA 310-FIPS device in a cluster, see “Installing and Adding an ASA 310-FIPS” on page 42.

    (continued)
    Verify that HSM-SO iKey (purple) is inserted in card 1 (with flashing LED).
    Hit enter when done.
    Enter the current HSM-SO password for card 1:

    iSD 192.168.128.185 deleted. Logging out.


An ASA 310-FIPS Cluster Must be Reconstructed onto New Devices

If your cluster of ASA 310-FIPS devices has been damaged beyond repair (by fire, for example) you can reconstruct the complete cluster, including certificates, private keys, and wrap keys. However, this requires that you have access to the following:

- A new set of ASA 310-FIPS devices, replacing the cluster of damaged devices.

- A backup configuration file, saved to a TFTP server as a precautionary measure by using the /cfg/ptcfg command in the former cluster. For more information about the ptcfg command, see page 173.

- The black CODE-SO and CODE-USER iKeys that were used when the now damaged cluster of ASA devices was first created. The black CODE iKeys are needed to transfer the wrap key used in the former cluster onto the HSM cards in the new ASA 310-FIPS devices, as well as for decrypting private key information in the backup configuration file.

- The secret passphrase that was defined in the former cluster when first initialized (provided your former cluster was running in FIPS mode).

To reconstruct the cluster configuration, certificates, private keys, and wrap keys used in the former cluster onto a new set of ASA 310-FIPS devices, follow these steps:

1. Install the first ASA 310-FIPS in a new cluster by following the instructions on page 42 up to and including Step 7 on page 46.

NOTE – When asked to use FIPS or Extended Security Mode, select the same mode that was used in the former cluster.

2. When both HSM cards have been initialized, you will be asked if you want to use new or existing HSM-CODE iKeys. Type existing and press ENTER.

    (new setup, continued)
    Card 1 successfully initialized.
    Should new or existing CODE iKeys be used? (new/existing) [new]: existing


3. Transfer the cluster wrap key from the existing CODE-SO and CODE-USER iKeys to card 0.

Make sure you use the same pair of CODE-SO and CODE-USER iKeys that were used in the former cluster of ASA 310-FIPS devices.

4. Transfer the cluster wrap key from the CODE-SO and CODE-USER iKeys to card 1.

5. If you selected FIPS mode as the security mode, specify the passphrase.

Enter the same secret passphrase as was defined in the former cluster running in FIPS mode. This step only appears if you selected FIPS mode when initializing the HSM cards.

    (new setup, continued)
    Verify that CODE-SO iKey (black) is inserted in card 0 (with flashing LED).
    Hit enter when done.
    Verify that HSM-USER iKey (blue) is inserted in card 0 (with flashing LED).
    Hit enter when done.
    Verify that CODE-USER iKey (black) is inserted in card 0 (with flashing LED).
    Hit enter when done.
    Wrap key successfully combined to card 0.

    (new setup, continued)
    Verify that CODE-SO iKey (black) is inserted in card 1 (with flashing LED).
    Hit enter when done.
    Verify that HSM-USER iKey (blue) is inserted in card 1 (with flashing LED).
    Hit enter when done.
    Verify that CODE-USER iKey (black) is inserted in card 1 (with flashing LED).
    Hit enter when done.
    Wrap key successfully split combined to card 1.

    (new setup, continued)
    Enter the old secret passphrase (it is used during addition of new iSDs to the cluster): <Enter the same secret passphrase as was used in the former cluster.>
    Re-enter to confirm:


6. Wait for the initial setup of the first ASA 310-FIPS in the cluster to finish.

7. Add an additional ASA to the newly created cluster by following the instructions on page 49 up to and including Step 5 on page 52.

8. Transfer the cluster wrap key from the CODE-SO and CODE-USER iKeys to card 0.

When asked to insert the CODE-SO and the CODE-USER iKeys, make sure to use the same CODE iKeys as you did in Step 3 and Step 4.

9. Transfer the cluster wrap key to card 1.

    (new setup, continued)
    Initializing system......ok
    Setup successful. Relogin to configure.

    login:

    (join setup, continued)
    Verify that CODE-SO iKey (black) is inserted in card 0 (with flashing LED).
    Hit enter when done.
    Verify that HSM-USER iKey (blue) is inserted in card 0 (with flashing LED).
    Hit enter when done.
    Verify that CODE-USER iKey (black) is inserted in card 0 (with flashing LED).
    Hit enter when done.
    Wrap key successfully combined to card 0.

    (join setup, continued)
    Verify that CODE-SO iKey (black) is inserted in card 1 (with flashing LED).
    Hit enter when done.
    Verify that HSM-USER iKey (blue) is inserted in card 1 (with flashing LED).
    Hit enter when done.
    Verify that CODE-USER iKey (black) is inserted in card 1 (with flashing LED).
    Hit enter when done.
    Wrap key successfully split combined to card 1.


10. If you selected FIPS mode as the security mode, specify the secret passphrase.

Enter the same secret passphrase as you specified in Step 5, that is, the passphrase given when initializing the first HSM card in the cluster. This step only appears if you selected FIPS mode when initializing the HSM cards.

11. Wait for the setup of the added ASA 310-FIPS to finish.

12. Log in to the ASA 310-FIPS that you are currently connected to and restore the configuration file of the former cluster from a TFTP server.

The configuration information is now automatically propagated and applied to all ASA 310-FIPS devices in the cluster. The information includes certificates and encrypted private keys.

    (join setup, continued)
    Enter the secret passphrase (as given during initialization of the first iSD in the cluster): <Enter the same secret passphrase as was used in the former cluster.>

    (join setup, continued)
    Setup successful.

    login:

    login: admin
    Password:
    Alteon iSD SSL
    Software version 4.1

    >> Main# cfg/gtcfg
    Enter hostname or IP address of TFTP server: <TFTP server>
    Enter name of file on TFTP server: <name of saved configuration file>
    Received 4960 bytes in 0.1 seconds
    Password for importing private keys in cfg: <password as defined when saving the configuration file to a TFTP server>
    Configuration loaded.

    >> Configuration#


System Diagnostics

A few system diagnostics can be performed on the ASA.

Installed Certificates and Virtual SSL Servers

To view the currently installed certificates, type the following command:

    >> # /info/certs

To view detailed information about a specific certificate, access the Certificate menu and specify the desired certificate by its index number:

    >> # /cfg/ssl/cert
    Enter certificate number: (1-) <certificate number by index>
    >> Certificate 1# show

To view the configured virtual SSL servers, type the following command:

    >> # /info/servers

The screen output provides information about which certificate (indicated by certificate index number) is used by each configured SSL server.

Network Diagnostics

To check various network settings for a specific ASA, access the iSD Host menu by typing the following commands:

    >> # /cfg/sys/cluster/host
    Enter iSD host number: (1-) <iSD host by index number>
    >> iSD Host 1# cur

The screen output provides information about the type of iSD (master or slave), IP address, network mask, and gateway address for the ASA you have specified (by host number).

To check general network settings related to the cluster to which you have connected, type the following command:

    >> # /cfg/sys/cluster/cur


The screen output provides information about the management IP address (MIP) of the ASA cluster, DNS servers, iSD hosts in the cluster, Syslog servers, and NTP servers.

To check whether the ASA(s) are receiving network traffic, type the following command:

    >> # /stats/dump

The screen output provides information about currently active request sessions, total completed request sessions, as well as SSL statistics for configured virtual SSL servers.

To check statistics for the local Ethernet network interface card, type the following command:

    >> # /info/ethernet

The screen output provides information about the total number of received and transmitted packets, the number of errors when receiving and transmitting packets, as well as the type of error such as dropped packets, overrun packets, malformed packets, packet collisions, and lack of carrier.

To check if a virtual server (on the Alteon Application Switch) is working, type the following command at any menu prompt:

    >> # ping <IP address of virtual server>

To capture and analyze TCP traffic sent between a client and a virtual SSL server, type the following command (where you replace “#” with the index number of the desired virtual SSL server):

    >> # /cfg/ssl/server #/trace/tcpdump

To capture and analyze decrypted SSL traffic sent between a client and a virtual SSL server, type the following command (where you replace “#” with the index number of the desired virtual SSL server):

    >> # /cfg/ssl/server #/trace/ssldump


Active Alarms and the Events Log File

To view an alarm that has been triggered and is active, type the following command:

    >> # /info/events/alarms

In the current software version of the ASA, an alarm is only triggered when a hardware failure in an SSL accelerator card is detected.

To save the events log file to a TFTP server, type the following command:

    >> # /info/events/download

You need to provide the IP address or host name of the TFTP server, as well as a file name. After the events log file has been saved, connect to the TFTP server and examine the contents of the file.

Error Log Files

Provided you have configured the ASA to use a Syslog server, the ASA will send log messages to the specified Syslog server. For more information on how to configure a UNIX Syslog daemon, see the Syslog manpages under UNIX. For more information on how to configure the ASA to use a Syslog server, see the “Syslog Servers Configuration” on page 304.


Part 2: Command Reference

This section provides detailed information about all CLI commands and menu items, organized in the same way as the command line interface itself. The section starts with listing the global commands, which can be used at any menu prompt, and also explains the history and shortcut functions that can be used to navigate more efficiently within the menu system.


CHAPTER 10
ASA Command Reference

This chapter describes how to use the command line interface on the ASA. The chapter also provides explanations of all available commands.

Menu Basics

The ASA command line interface (CLI) is used for viewing ASA information and statistics. In addition, the administrator can use the CLI for configuring all levels of the ASA.

The various CLI commands are grouped into a series of menus and submenus. Each menu displays a list of commands and/or submenus that are available, along with a summary of what each command will do. Below each menu is a prompt where you can enter any command appropriate to the current menu.

When creating new CLI objects, e.g. a new interface or a new group, you will enter a wizard providing the relevant questions for that object. The regular menu for the object will be dis-played after the wizard is completed.

This chapter describes the Main menu commands, and provides a list of commands and shortcuts that are commonly available from all the menus within the CLI.


Global Commands

Some basic commands are recognized throughout the menu hierarchy. These commands are useful for obtaining online help, navigating through menus, and for applying and saving configuration changes:

Table 10-1 Global Commands

Command Action

help Display a summary of the global commands.

help <command> Displays help on a specific command in the command line interface.

. Display the current menu.

print Display the current menu.

.. Go up one level in the menu structure.

up Go up one level in the menu structure.

/ If placed at the beginning of a command, go to the Main menu. Otherwise, this is used to separate multiple commands placed on the same line.

cd "<menu/path>" Display the menu indicated within quotation marks. Example: Typing cd "/cfg/sys" at any prompt in the CLI will display the System menu. The same result is achieved by only typing /cfg/sys (no quotation marks) at any menu prompt.

pwd Display the command path used to reach the current menu.

apply Apply pending configuration changes.

diff Show any pending configuration changes.

revert Remove pending configuration changes made since the last "apply" command. Use this command to discard configuration parameters you have set but not yet applied, restoring the values that were in effect at the last "apply".

paste Lets you restore a saved configuration that includes private keys. Before pasting the configuration, you need to provide the password phrase you specified when selecting to include the private keys in the configuration dump. For more information, see the dump command under "Configuration Menu" on page 172.

exit Terminate the current session and log out. If you have unapplied (pending) configuration changes when using the exit command, you will be notified. If you choose to log out anyhow without using the apply command, your pending configuration changes will be lost.


quit Same as Exit. If you have unapplied (pending) configuration changes when using the quit command, you will be notified. If you choose to log out any-how without using the apply command, your pending configuration changes will be lost.

CTRL+^ Exit from the command line interface in case the ASA has stopped responding. This command should only be used when connected to a specific ASA via a console connection, not when connected to the Management IP of the cluster via a Telnet or SSH connection.

netstat Use this command to show the current network status of the ASA. The netstat command provides information about active TCP connections, as well as the state of all TCP/IP servers and the sockets used by them.

nslookup Use this command to find the IP address or host name of a machine. In order to use this command, you must have configured the ASA to use a DNS server. If you did not specify a DNS server during the initial setup procedure, you can add a DNS server at any time by using the /cfg/sys/dns/add command.

ping Use this command to verify station-to-station connectivity across the network. The format is as follows:ping <address [tries [delay]]>Where address is the host name or IP address of the device, tries (optional) is the number of attempts (1-32), and delay (optional) is the number of millisec-onds between attempts. The DNS parameters must be configured if specifying host names (see “DNS Servers Configuration” on page 303).

traceroute Use this command to identify the route used for station-to-station connectivity across the network. The format is as follows: traceroute <address [max-hops [delay]]> Where address is the host name or IP address of the target station, max-hops (optional) is the maximum distance to trace (1-16 devices), and delay (optional) is the number of milliseconds to wait for the response. As with ping, the DNS parameters must be configured if specifying host names.

cur Use this command to view all the current settings for the active menu.

curb Use this command for a brief version of the current settings for the active menu.

dump Use this command to dump the current configuration for the active menu. The dumped information can be cut and pasted into another operator's CLI at the same menu level.


lines n Set the number of lines (n) that is displayed on the screen at one time. The default value is 24 lines. When used without a value, the current setting is displayed.

verbose n Sets the level of information displayed on the screen:
0 = Quiet: nothing appears except errors, not even prompts.
1 = Normal: prompts and requested output are shown, but no menus.
2 = Verbose: everything is shown.
The default level is 2. When used without a value, the current setting is displayed.

slist Use this command to display a list of all Admin user sessions currently running in the cluster.

Command Line History and Editing

Using the command line interface, you can retrieve and modify previously entered commands with just a few keystrokes. The following options are available globally at the command line:

Table 10-2 Command Line History and Editing Options

Option Description

history Display a numbered list of the last 10 previously entered commands.

!! Repeat the last entered command.

!n Repeat the nth command shown on the history list.

pushd "Bookmarks" your current position in the menu structure. After moving to another level or command in the menu structure, you can easily return to the bookmarked position by typing the popd command. The pushd command can be combined with command stacking, as in this example:

>> Information# pushd "/cfg/ssl/server 1/ssl"
>> SSL Settings#

When you issue the popd command, you are immediately taken back to the prompt from where you issued the pushd command, the Information prompt in this example.

popd Takes you back to a position in the menu structure that has been “bookmarked” by using the pushd command.

<Ctrl-p> (Also the up arrow key.) Recall the previous command from the history list. This can be used multiple times to work backward through the last 10 commands. The recalled command can be entered as is, or edited using the options below.


<Ctrl-n> (Also the down arrow key.) Recall the next command from the history list. This can be used multiple times to work forward through the last 10 commands. The recalled com-mand can be entered as is, or edited using the options below.

<Ctrl-a> Move the cursor to the beginning of command line.

<Ctrl-e> Move cursor to the end of the command line.

<Ctrl-b> (Also the left arrow key.) Move the cursor back one position to the left.

<Ctrl-f> (Also the right arrow key.) Move the cursor forward one position to the right.

<Backspace> (Also the Delete key.) Erase one character to the left of the cursor position.

<Ctrl-d> Delete one character at the cursor position.

<Ctrl-k> Kill (erase) all characters from the cursor position to the end of the command line.

<Ctrl-l> Rewrites the most recent command.

<Ctrl-c> Abort an on-going transaction. If pressed when there is no on-going transaction, the current menu is displayed.
Note: Using <Ctrl-c> will not abort screen output generated from using the cur command. To abort the heavy screen output that may result from using the cur command, press <q>.

<Ctrl-u> Clear the entire line.

Other keys Insert new characters at the cursor position.


Command Line Interface Shortcuts

Command Stacking

You can type multiple commands separated by forward slashes (/) on a single line in order to access a submenu and one of the related menu options. Type as many commands as required to access the desired submenu and menu option. For example, the keyboard shortcut to access the list command in the NTP Servers menu from the Main menu prompt is as follows:

>> Main# cfg/sys/time/ntp/list

You can also use command stacking to go up one or more levels in the menu system, and then go directly to another submenu and one of the related menu options in that submenu. For example, to go up two levels from the NTP Servers menu to the System menu, and from there to the DNS Servers menu in which you list the configured DNS servers, you would type:

>> NTP Servers# ../../dns/list

Command Abbreviation

Most commands can be abbreviated by entering the first characters which distinguish the command from the others in the same menu or submenu. For example, the command shown in the first example above could also be entered as follows:

>> Main# c/sy/t/n/l

Tab Completion

By typing the first letter of a command at any menu prompt and pressing TAB, all commands in that menu beginning with the letter you typed are displayed. By typing additional letters, you can further refine the list of commands or options displayed. If only one command matches the letter(s) you typed, that command is supplied on the command line when pressing TAB. You can then execute the command by pressing ENTER. If the TAB key is pressed without any input on the command line, the currently active menu is displayed.


Using Submenu Name as Command Argument

To display the properties related to a specific submenu, you can provide the submenu name as an argument to the cur command (at a menu prompt one level up from the desired submenu information).

For example, to display cluster information at the System menu prompt (/cfg/sys), type the following command:

>> System# cur cluster
Cluster:
  Management IP (MIP) address = 192.168.128.211
  iSD Host 1:
    Type of the iSD = master
    IP address = 192.168.128.213
    License = xnet (10), tps (unlimited)
    Default gateway address = 192.168.128.3
    Ports = 1 : 2
    Host Routes:
      No items configured
    Host Interface 1:
      IP address = 192.168.128.213
      Network mask = 255.255.255.0
      VLAN tag id = 0
      Mode = failover
      Primary port = 0
      Interface Ports: 1
    Host Port 1:
      Autonegotiation = on
      Speed = 0
      Full or half duplex mode = full
    Host Port 2:
      Autonegotiation = on
      Speed = 0
      Full or half duplex mode = full

Without having to descend into the Cluster menu (/cfg/sys/cluster), cluster-specific information only is displayed directly at the System menu prompt. If the cur command had been used without the cluster submenu argument in the example above, information related to both the current System menu and all submenus would have been displayed.


Using Slashes (/) and Spaces in Commands

If you need to use a forward slash (/) or a space in a command string, make sure the string containing the slash or space is within double quotation marks before you run the command. One example of a command where double quotation marks are required is when you specify a directory path and file name on the same line as the ftp command in the CLI. Use plain (straight) double quotes; typographic quotes pasted from a word processor are not recognized as delimiters.

Example:

>> Software Management# ftp 10.0.0.1 "pub/SSL-4.1-upgrade_complete.pkg"


The Main Menu

The Main menu appears after a successful connection and login. Figure 10-1 shows the Main menu as it appears when logged in as Administrator. Note that some of the commands are not available when logged in as Operator.

Figure 10-1 Administrator Main Menu

[Main Menu]
     info     - Information menu
     stats    - Statistics menu
     cfg      - Configuration menu
     boot     - Boot menu
     maint    - Maintenance menu
     diff     - Show pending config changes      [global command]
     apply    - Apply pending config changes     [global command]
     revert   - Revert pending config changes    [global command]
     paste    - Restore saved config with key    [global command]
     help     - Show command help                [global command]
     exit     - Exit                             [global command, always available]

Menu Summary

• Information menu
  Provides submenus for displaying information about the current status of the ASA. For more information, see page 150.

• Statistics menu
  Provides submenus for displaying ASA performance statistics. For more information, see page 156.

• Configuration menu
  Provides submenus for configuring the ASA. Some of the commands in the Configuration menu are available only from the Administrator user login. For more information, see page 172.

• Boot menu
  Is used for upgrading ASA software and for rebooting, if necessary. The Boot menu is only accessible when logged in as the Administrator user. For more information, see page 332.

• Maintenance menu
  Is used for sending technical support information to a TFTP server. For more information, see page 337.


/info
Information Menu

The Information menu is used for viewing information and events for ASAs in a cluster.

[Information Menu]
     servers  - Show configured SSL servers
     certs    - Show configured certificates
     hsm      - Show local HSM information
     xnet     - Show configured Xnets
     users    - Show logged in Xnet users
     access   - Print the access rules of an Xnet user
     kick     - Kick an Xnet user
     sys      - Show system configuration
     isdlist  - Show all iSDs and their operational status
     local    - Show local iSD information
     ethernet - Show local ethernet status information
     ports    - Show local port(s) information
     events   - Inspect Events menu

Table 10-3 Information Menu Options (/info)

Command Syntax and Usage

servers

Displays the current SSL server settings, including SSL specific settings for each configured virtual SSL server.

certs

Displays the certificate name, serial number, expiration date, and key size for each installed certificate. Information related to the subject of the certificate is also displayed.

hsm

Displays status information related to the HSM cards on each ASA device in the cluster. Information about the current security mode (Extended mode or FIPS mode) is displayed, as well as current login status and login user information (HSM-SO or HSM-USER).

For a sample screen output, see page 155.

Note: HSM information is only displayed when you are using the ASA 310 FIPS model.


xnet

Displays information about the current SSL VPN settings, e.g. login session idle timeout value (shared by all configured Xnet domains), as well as information related to each specific Xnet domain configuration. For each Xnet domain, information about authentication methods, authentication order, user access groups and the access control lists associated with each group is displayed.

Information about the banner GIF file currently in use on the SSL VPN portal Web page is also shown, as well as company name, portal colors and the static link text displayed on each SSL VPN user's home page on the SSL VPN portal.

users <Xnet ID> <prefix>

Displays the user name, login time, source IP address, group membership and profile of all SSL VPN users that are currently logged in to an Xnet domain. The user properties are listed per Xnet domain.

The <base> profile refers to data configured directly under the Group menu. Any other profile stated after the group name is an extended profile. For more information about base profiles and extended profiles, see Chapter 14, "Groups, Access Rules and Profiles" in the Application Guide.

You can choose to limit the output of logged in users to a particular Xnet domain by providing the Xnet domain number as a modifier to the users command. To limit the output further, you can also provide one or more initial letters of a user name, directly followed by an asterisk (*).

Examples:

>> Information# users 2

All users currently logged in to Xnet domain 2 are listed.

>> Information# users 2 j*

Users currently logged in to Xnet domain 2, and whose user name begins with the letter "j", are listed.

access <Xnet ID> <user name>

By specifying an Xnet domain number and a user name following the access command, a detailed view of an SSL VPN user's access rights is displayed. The information is presented in a table showing the user's access rights to specific networks, ports, protocols and paths.

kick <Xnet ID> <user name>

By specifying an Xnet domain number and a user name following the kick command, a user can be logged out from a session by the ASA operator.

sys

Displays information about the current system configuration, e.g. network mask, default gateway address, static routes, NTP servers, DNS servers, syslog servers, networks, number of ASAs included in the cluster along with IP addresses etc.


isdlist

Displays the IP addresses, master/slave assignments, CPU usage, memory usage, and operational status for all the ASAs in the cluster. An asterisk (*) in the MIP column indicates which ASA in the cluster is currently in control of the Management IP. An asterisk (*) in the Local column indicates the particular ASA to which you have connected.

For a sample screen output, see page 155.

local

Displays the current software version, ASA hardware platform, up time (since last boot), IP address, and Ethernet MAC address for the particular ASA to which you have connected. If you have connected to the MIP address, the information displayed relates to the ASA in the cluster that currently is in control of the MIP.

For a sample screen output, see page 155.


ethernet

Displays statistics for the Ethernet network interface card (NIC) on the particular ASA host to which you have connected. If you have connected to the MIP address, the information displayed relates to the ASA in the cluster that currently is in control of the MIP. If more than one network is configured in the cluster, Ethernet statistics for each network are displayed.

• RX packets: the total number of received packets
• TX packets: the total number of transmitted packets
• errors: packets lost due to error
• dropped: packets dropped due to lack of resources
• overruns: errors due to lack of resources
• frame: errors due to malformed packets
• carrier: errors due to lack of carrier
• collisions: number of packet collisions

For a sample screen output, see page 155.

Note: A non-zero collision value may indicate an incorrect configuration of the Ethernet autonegotiation. Collisions cannot occur on a correctly negotiated full-duplex link, so collisions on a port that /info/ports reports as full duplex point at a duplex mismatch with the link partner. For more information, see the autoneg command on page 314.

ports

Displays the status of the physical ports on the Ethernet network interface card (NIC) on the particular ASA host to which you have connected. If you have connected to the MIP address, the information displayed relates to the ASA in the cluster that currently is in control of the MIP.

For each port, link status (up/down) and the Ethernet autonegotiation setting (on/off) is shown. If the link is up, current values for speed (10/100/1000) and duplex mode (half/full) are also shown. If the link is down and autonegotiation is set to off, the configured values for speed and duplex mode are shown instead.

To change the NIC port settings, see the commands under “Host Ethernet Port Configuration” on page 314.

events

Displays the Events menu. To view menu options, see page 154.


/info/events
Events Menu

The Events menu is used for viewing active alarms and events that have been logged.

[Events Menu]
     alarms   - List all pending alarms
     download - Dump the event log file to a TFTP/FTP server.

Table 10-4 Events Menu Options (/info/events)

Command Syntax and Usage

alarms

Displays all alarms in the active alarm list by their main attributes: severity level, alarm ID num-ber, date and time when triggered, alarm name, sender, and cause.

download <host name or IP address> <file name on host>

Transmits the event log file from the ASA cluster to a file on a TFTP or FTP server. You need to specify the IP address or host name of the TFTP/FTP server, as well as a file name. TFTP is the default. Both protocols send the file in cleartext, and TFTP has no authentication at all, so use a server on a trusted management network.


/info/hsm
HSM Command

>> Information# hsm
iSD IP 192.168.128.185:
  Mode: Extended
  HSM card 0: Logged in as HSM-USER
  HSM card 1: Logged in as HSM-USER

/info/isdlist
iSD List Command

>> Information# isdlist
IP addr          type    MIP  local  cpu(%)  mem(%)  op
192.168.128.122  master  *           1       14      up
192.168.128.123  master       *      1       14      up
192.168.128.124  master              1       14      up
192.168.128.125  slave                               down

/info/local
Information Local Command

>> Information# local
Alteon iSD SSL
Software version 4.1
HW platform: iSD410
Up time: 5 days 21 hours 40 minutes
IP address: 192.168.128.185
MAC address: 00:01:02:b1:25:c0

/info/ethernet
Information Ethernet Command

>> Information# ethernet
Net 1: RX packets:7553 errors:0 dropped:0 overruns:1 frame:0
Net 1: TX packets:87 errors:0 dropped:0 overruns:0 carrier:2 collisions:11
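As an added example that is not part of the Nortel manual or product, the following Python script parses pasted /info/ethernet output (the "Net 1" lines shown above, embedded as a constructed sample) and applies the collision note from the ethernet command description: collisions are impossible on a full-duplex link, so a non-zero count on a port that /info/ports reports as full duplex points at a duplex or autonegotiation mismatch with the switch. The full_duplex parameter and the wording of the findings are this example's own assumptions; the ASA does not produce them.

```python
"""Parse the counters printed by the ASA's /info/ethernet command and flag
likely link problems. Added example, not code from the Nortel manual or the
ASA itself. SAMPLE_OUTPUT reproduces the manual's "Net 1" lines as a
constructed test input; the interpretation rules are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in the layout the manual shows for /info/ethernet.
SAMPLE_OUTPUT = """\
>> Information# ethernet
Net 1: RX packets:7553 errors:0 dropped:0 overruns:1 frame:0
Net 1: TX packets:87 errors:0 dropped:0 overruns:0 carrier:2 collisions:11
"""

LINE_RE = re.compile(r"^Net (?P<net>\d+): (?P<dir>RX|TX) packets:(?P<packets>\d+)(?P<rest>.*)$")
COUNTER_RE = re.compile(r"(\w+):(\d+)")


@dataclass
class NetCounters:
    net: int
    rx: Dict[str, int] = field(default_factory=dict)
    tx: Dict[str, int] = field(default_factory=dict)


def parse_ethernet(output: str) -> Dict[int, NetCounters]:
    """Return {network number: counters} from pasted /info/ethernet output."""
    nets: Dict[int, NetCounters] = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # the prompt line, blank lines, anything unexpected
        net = int(m.group("net"))
        counters = {"packets": int(m.group("packets"))}
        counters.update({k: int(v) for k, v in COUNTER_RE.findall(m.group("rest"))})
        entry = nets.setdefault(net, NetCounters(net))
        if m.group("dir") == "RX":
            entry.rx = counters
        else:
            entry.tx = counters
    return nets


def diagnose(nc: NetCounters, full_duplex: bool = True) -> List[str]:
    """Findings for one network. full_duplex is the mode /info/ports reports
    for the port (assumed full here, as in the manual's Host Port settings)."""
    findings: List[str] = []
    rx, tx = nc.rx, nc.tx
    collisions = tx.get("collisions", 0)
    if collisions and full_duplex:
        # Impossible on a real full-duplex link: one side is running half duplex.
        findings.append(f"Net {nc.net}: {collisions} collisions on a full-duplex port, "
                        "check autonegotiation/duplex on the ASA port and the switch")
    elif collisions:
        findings.append(f"Net {nc.net}: {collisions} collisions on a half-duplex port, "
                        "expected under load but worth watching")
    if tx.get("carrier", 0):
        findings.append(f"Net {nc.net}: {tx['carrier']} carrier errors, link lost during "
                        "transmit: check cabling and the link partner")
    overruns = rx.get("overruns", 0) + tx.get("overruns", 0)
    if overruns:
        findings.append(f"Net {nc.net}: {overruns} overruns, the host could not keep up "
                        "with the NIC")
    if rx.get("frame", 0):
        findings.append(f"Net {nc.net}: {rx['frame']} malformed frames received")
    return findings


if __name__ == "__main__":
    for counters in parse_ethernet(SAMPLE_OUTPUT).values():
        for finding in diagnose(counters):
            print(finding)
```

Run against the manual's own sample, the script reports the 11 collisions on a full-duplex port, the 2 carrier errors and the single receive overrun; capture the output of /info/ethernet twice a few minutes apart and diff the counters to tell a historical glitch from an ongoing mismatch.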


/stats
Statistics Menu

The Statistics menu is used for viewing various ASA performance statistics.

[Statistics Menu]
     server     - Cluster SSL Server statistics
     local      - Local statistics for each iSD host
     clear      - Clear all statistics for all IPs
     activesess - Number of currently active request sessions
     totalsess  - Total completed request sessions
     sslaccept  - Total completed SSL accept
     sslconnect - Total completed SSL connect
     tpshisto   - Cluster-wide TPS histograms for all servers
     clihisto   - Cluster-wide client data histograms for all servers
     srvhisto   - Cluster-wide server data histograms for all servers
     aaa        - AAA specific statistics
     dump       - Dump all information

Table 10-5 Statistics Menu Options (/stats)

Command Syntax and Usage

server <virtual SSL server number>Displays the Cluster Wide SSL Statistics menu for the specified virtual SSL server. To view menu options, see page 158.

local

Displays the Local Statistics menu. To view menu options, see page 161.

clear

Resets all statistics to zero.

activesess

Displays the number of currently active request sessions in the cluster.

totalsess

Displays the total number of completed request sessions in the cluster.

sslaccept

Displays the total number of initiated SSL client connections on all virtual SSL servers in the cluster.

sslconnect

Displays the total number of established SSL client connections on all virtual SSL servers in the cluster.


tpshisto

Displays histograms of the number of SSL transactions per second, as performed by each virtual SSL server in the cluster. The figures presented are accumulated from all ASA devices in the cluster.

clihisto

Displays histograms of data throughput in bytes per second from clients to each virtual SSL server in the cluster. The figures presented are accumulated from all ASA devices in the cluster.

srvhisto

Displays histograms of data throughput in bytes per second from backend servers to each virtual SSL server in the cluster. The figures presented are accumulated from all ASA devices in the cluster.

aaa

Displays the AAA Statistics menu. To view menu options, see page 171.

dump

Displays cluster-wide SSL statistics for each virtual SSL server in the cluster, as well as the number of active request sessions, and the total number of completed request sessions. The total number of initiated SSL client connections, and the total number of established SSL client connections as accumulated values for all virtual SSL servers in the cluster are also displayed. Histograms, however, are not included in the output.


/stats/server <number>
Cluster Wide SSL Statistics Server Menu

The Cluster Wide SSL Statistics Server menu is used for viewing various statistics for a virtual SSL server, specified by its index number. The figures presented are accumulated from all ASA devices in the cluster, but specific for the selected virtual SSL server.

[Cluster Wide SSL Stats for Server 1 Menu]
     accept     - SSL accept
     renegotiat - SSL renegotiate requests
     handshakeg - SSL handshakes completed
     cachemisse - SSL cache misses
     cachetimeo - SSL cache timeout
     cachefull  - SSL cache full
     cachehits  - SSL cache hits
     sslconnect - SSL connects
     revocation - Client cert revocations
     cipherrewr - HTTP weak cipher rewrites
     http_redir - HTTP redirect rewrites
     becnctfail - Failed backend server connects
     tps        - SSL transactions/sec
     tpshisto   - Host local TPS histograms for this server
     clihisto   - Host local client byte/s histos for this server
     srvhisto   - Host local server data byte/s histos for this server
     dump       - Dump all stats except histograms

Table 10-6 Cluster Wide SSL Statistics Server Menu Options (/stats/server)

Command Syntax and Usage

accept

Displays the number of initiated SSL client connections on the current virtual SSL server.

renegotiat

Displays the number of times clients have requested a renegotiation of the SSL connection on the current virtual SSL server.

handshakeg

Displays the number of successfully completed SSL handshakes on the current virtual SSL server.

The number of failed SSL handshakes is not displayed directly. It equals the combined values for SSL accept and SSL renegotiate requests, minus the combined values for SSL handshakes completed and the number of currently active request sessions:

failed handshakes = (accept + renegotiat) - (handshakeg + activesess)

You can view the values mentioned above by using the /stats/dump command.


cachemisse

Displays the number of times clients have made requests to reuse a particular session ID, and that session ID was not found in the SSL cache.

If there is a high number of cache misses in combination with a high value for cachefull, you may consider increasing the SSL cache size of the virtual SSL server. To change the current SSL cache size, use the /cfg/ssl/server command, specify the appropriate virtual SSL server by index number, and then type the command ssl/cachesize. The default SSL cache size is 4000 items.

If there is a high number of cache misses in combination with a low value for cachefull, you may consider increasing the cachettl value. To change the current cachettl value, use the /cfg/ssl/server command, specify the appropriate virtual SSL server by index number, and then type the command ssl/cachettl.

The default SSL cache timeout value is 5 minutes.

cachetimeo

Displays the number of reuse attempts on SSL sessions still in the cache, and whose timeouts were initiated.

If there is a high number of cache timeouts, you may consider increasing the cachettl value for the virtual SSL server. To change the current cachettl value, use the /cfg/ssl/server command, specify the appropriate virtual SSL server by index number, and then type the command ssl/cachettl.

The default SSL cache timeout value is 5 minutes.

cachefull

Displays the number of times when a new client session could not be cached due to the cache being full. If the cachefull value is high, you may consider increasing the SSL cache size of the vir-tual SSL server.

cachehits

Displays the number of times clients have made requests to reuse a particular session ID, and that session ID was found in the SSL cache.

sslconnect

Displays the number of completed SSL client connections on the current virtual SSL server.

revocation

Displays the number of revoked client certificates.

cipherrewr

Displays the number of HTTP weak cipher rewrites.

http_redir

Displays the number of HTTP redirect rewrites.


becnctfail

Displays the number of failed connections to backend servers.

tps

Displays the number of SSL transactions per second for the specified virtual SSL server, as performed on all ASA devices in the cluster.

tpshisto

Displays histograms of the number of SSL transactions per second, as performed by the specified virtual SSL server on all ASA devices in the cluster.

clihisto

Displays histograms of data throughput in bytes per second from clients to the specified virtual SSL server, as performed on all ASA devices in the cluster.

srvhisto

Displays histograms of data throughput in bytes per second from backend servers to the specified virtual SSL server, as performed on all ASA devices in the cluster.

dump

Displays all statistics for the current virtual SSL server, except the histograms.
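The failed-handshake rule given under handshakeg and the cache-tuning guidance given under cachemisse, cachetimeo and cachefull can be applied mechanically to a pasted dump. The Python below is an added example, not code from the manual or the product. Because the manual does not show the layout of the dump output, the sample input is constructed in an assumed "name = value" form using this menu's counter names (adjust KV_RE if your ASA prints them differently); the activesess value, the miss-rate cut-off and the event-ratio cut-off are this example's own assumptions, while the 4000-item cache size and 5-minute cachettl it echoes are the defaults the manual states.

```python
"""Derive failed SSL handshakes and a session-cache tuning suggestion from the
counters of the ASA's /stats/server <n> menu. Added example, not code from
the Nortel manual or the ASA. SAMPLE_DUMP is constructed in an assumed
"name = value" layout with the menu's counter names; thresholds are ours.
"""
import re
from typing import Dict, List

# Constructed sample: counter names from the /stats/server menu, values invented.
SAMPLE_DUMP = """\
>> Cluster Wide SSL Stats for Server 1# dump
accept = 52000
renegotiat = 300
handshakeg = 51100
cachemisse = 18000
cachetimeo = 400
cachefull = 9500
cachehits = 30000
sslconnect = 51000
revocation = 3
cipherrewr = 0
http_redir = 120
becnctfail = 7
tps = 210
"""
SAMPLE_ACTIVESESS = 900  # constructed value of /stats/activesess

KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(\d+)\s*$")


def parse_dump(text: str) -> Dict[str, int]:
    """Collect 'name = integer' lines; the prompt line and anything else is skipped."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def failed_handshakes(stats: Dict[str, int], activesess: int) -> int:
    """Manual's rule: (accept + renegotiate) - (handshakes completed + active sessions)."""
    return (stats["accept"] + stats["renegotiat"]) - (stats["handshakeg"] + activesess)


def cache_advice(stats: Dict[str, int], cachesize: int = 4000, cachettl_min: int = 5,
                 miss_threshold: float = 0.20, event_ratio: float = 0.10) -> List[str]:
    """Apply the manual's cache guidance. cachesize and cachettl_min are the ASA
    defaults (ssl/cachesize 4000 items, ssl/cachettl 5 minutes) and only appear in
    the text; miss_threshold and event_ratio are this example's own cut-offs."""
    hits = stats.get("cachehits", 0)
    misses = stats.get("cachemisse", 0)
    lookups = hits + misses  # every session-ID reuse attempt is either a hit or a miss
    if lookups == 0:
        return ["no session reuse attempts recorded yet"]
    advice: List[str] = []
    miss_rate = misses / lookups
    if miss_rate > miss_threshold:
        if stats.get("cachefull", 0) > event_ratio * lookups:
            # Many misses and the cache keeps filling up: entries are being evicted.
            advice.append(f"miss rate {miss_rate:.0%} with {stats['cachefull']} cache-full "
                          f"events: raise ssl/cachesize above {cachesize}")
        else:
            # Many misses but the cache is not full: entries are expiring too early.
            advice.append(f"miss rate {miss_rate:.0%} but the cache is rarely full: "
                          f"raise ssl/cachettl above {cachettl_min} minutes")
    if stats.get("cachetimeo", 0) > event_ratio * lookups:
        advice.append(f"{stats['cachetimeo']} reuse attempts hit expired entries: raise ssl/cachettl")
    if stats.get("becnctfail", 0):
        advice.append(f"{stats['becnctfail']} failed backend connects: check backend server health")
    return advice


if __name__ == "__main__":
    stats = parse_dump(SAMPLE_DUMP)
    print("failed handshakes:", failed_handshakes(stats, SAMPLE_ACTIVESESS))
    for line in cache_advice(stats):
        print(line)
```

Because these counters accumulate from the last clear, run /stats/clear, let the server take traffic for a representative period, and only then feed the dump to the script; a miss rate computed over months of counters says little about the cache as configured today.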


/stats/local

Local Statistics Menu

The Local Statistics menu is used for viewing histograms of SSL transactions per second, received client data and received backend server data (in bytes per second). Values are presented for each virtual SSL server, on a per ASA device basis. You can therefore easily compare the performance of a particular virtual SSL server on different ASA devices in the cluster.

The Local Statistics menu is also used for accessing the Single iSD Stats menu, in which you can view the same histograms as in the Local Statistics menu, with the difference that the histograms only pertain to a single ASA device (specified by host index number).

The dump command in the Local Statistics menu displays a number of statistics, where most of them relate to various SSL properties for incoming client connections. These statistics are presented for each virtual SSL server, on a per ASA device basis. Information related to the health check status (of backend servers) and pool status may also be displayed, depending on your virtual SSL server configuration. This information is also displayed on a per ASA device basis, since each ASA performs its own health checking of configured backend servers independently from other ASAs in the cluster.

Histograms are not included in the output when running the dump command.

[Local Statistics Menu]
isdhost - ISD local SSL server statistics menu
overview - Overview of isdhost local statistics
tpshisto - ISD local TPS histograms for all servers/ISDs
clihisto - ISD local client byte/s histos for all servers/ISDs
srvhisto - ISD local server data byte/s histos for all servers/ISDs
license - ISD local license statistics
dump - Dump all information

Table 10-7 Local Statistics Menu Options (/stats/local)

Command Syntax and Usage

isdhost <ASA host by index number (1-256)>

Displays the Single ISD Stats menu, after you have specified the index number of an ASA host in the cluster. To view menu options, see page 163.

To view information about host index numbers for all ASA hosts in the cluster, use the /cfg/sys/cluster/cur command.

overview

Displays the total number of completed request sessions for each virtual SSL server on a per ASA device basis. An overview of the health check status of backend servers and the pool status may also be displayed, depending on your virtual SSL server configuration.


tpshisto

Displays histograms of the number of SSL transactions per second, as performed by each virtual SSL server on a per ASA device basis.

clihisto

Displays histograms of data throughput in bytes per second from clients to each virtual SSL server, on a per ASA device basis.

srvhisto

Displays histograms of data throughput in bytes per second from backend servers to each virtual SSL server, on a per ASA device basis.

license

Displays information about the number of times the tps license has reached the limit.

dump

Displays various SSL properties for incoming client connections, as well as HTTP-related statistics. The statistics are presented for each virtual SSL server, on a per ASA device basis. Histograms are not included in the output.


/stats/local/isdhost <number>

Single iSD Statistics Menu

The Single iSD Statistics menu is used for viewing histograms of SSL transactions per second, received client data, and received backend server data (in bytes per second). Values are presented for each virtual SSL server in the cluster, as performed on a single ASA device (specified by host index number when you enter the Single iSD Statistics menu).

The Single iSD Statistics menu is also used for accessing the Single iSD Stats for Server menu, in which you can view various statistics related to one specific virtual SSL server as performed on the currently selected ASA host.

The dump command in the Single iSD Statistics menu displays a number of statistics where most of them are related to various SSL properties for incoming client connections for each virtual SSL server individually, as performed on the selected individual ASA. Histograms are not included in the output when running the dump command.

[Single ISD Stats 1 Menu]
server - ISD local SSL server stats
tpshisto - ISD local TPS histograms for all servers
clihisto - ISD local client byte/s histograms for all servers
srvhisto - ISD local server byte/s histograms for all servers
dump - Dump all information

Table 10-8 Single iSD Statistics Menu Options (/stats/local/isdhost)

Command Syntax and Usage

server <virtual SSL server number>

Displays the Single iSD Stats for Server # menu. To view menu options, see page 165.

tpshisto

Displays histograms of the number of SSL transactions per second for each virtual SSL server, as performed on the currently specified ASA.

clihisto

Displays histograms of data throughput in bytes per second from clients to each virtual SSL server, as performed on the currently specified ASA.

srvhisto

Displays histograms of data throughput in bytes per second from backend servers to each virtual SSL server, as performed on the currently specified ASA.


dump

Displays various SSL properties for incoming client connections, as well as HTTP-related statistics. The statistics are presented for each virtual SSL server in the cluster, but where the figures relate only to the currently specified ASA. Histograms are not included in the output.


/stats/local/isdhost <number>/server <number>

Single ISD Statistics for Virtual SSL Server Menu

The Single iSD Stats for Server # menu is used for viewing the pool status for backend servers that are load balanced by the specified virtual SSL server. The health check status of backend servers can also be displayed. Remember that each ASA device (or host) performs its own health checks of configured backend servers, which makes the status information unique for the specified ASA.

Other statistics can also be displayed, such as statistics related to SSL properties for incoming client connections handled by the specified virtual SSL server on the currently selected ASA. The values are unique for the selected ASA, because the figures depend on the Alteon Application Switch load balancing configuration of the server group in which the ASA resides.

The dump command will display all statistics available via the individual commands in the menu, except the health check status, pool status, and histograms.

[Single ISD Stats for Server 1 Menu]
healthchec - Display health check status for all loadbalanced RIPs
poolstatus - Pool status and statistics
accept - SSL accept
renegotiat - SSL renegotiate requests
handshakeg - SSL handshakes completed
cachemisse - SSL cache misses
cachetimeo - SSL cache timeout
cachefull - SSL cache full
cachehits - SSL cache hits
sslconnect - SSL connects
revocation - Client cert revocations
cipherrewr - HTTP weak cipher rewrites
http_redir - HTTP redirect rewrites
becnctfail - Failed backend server connects
tps - SSL transactions/sec
tpshisto - isdhost local TPS histograms for this server
clihisto - isdhost local client byte/s histos for this server
srvhisto - isdhost local server data byte/s histos for this server
dump - Dump all information


Table 10-9 Single iSD Statistics Server Menu Options (/stats/local/isdhost/server)

Command Syntax and Usage

healthchec

Displays the health check status for the backend servers that are load balanced by the current virtual SSL server. Because each ASA device (or host) performs its own health checks of configured backend servers, the displayed health check status information is specific not only for the selected virtual SSL server, but also for the selected ASA host.

The following health check properties are displayed:

• BE: Backend servers by index number.

• RIP: Load balanced backend servers listed by IP address and TCP port.

• UP: Lists the current status of backend servers as up or down, where backend servers that passed the health check are indicated as up.

• EXEC: Indicates whether a health check is currently being performed on a backend server.

• FAILS: Indicates the number of times a health check has failed. For more information about script-based health checks, see the “Script-Based Health Checks” chapter in the Alteon SSL Accelerator 4.1.2 Application Guide.

• REASON: States the reason, in clear text, for why a health check failed.

Note 1: If you have enabled load balancing of configured backend servers and set the health check method to none, all backend servers will at all times be considered up. Failed connections to backend servers are still logged (as a total) and can be viewed using the /stats/server #/becnctfail command.

Note 2: If you have not added any backend servers to the system configuration, the IP address specified as the Real Server IP (RIP) for the current virtual SSL server is listed under the RIP column. When using the ASA together with an Alteon Application Switch, the RIP typically corresponds to 0.0.0.0. By specifying 0.0.0.0 as the Real Server IP address, the SSL server is instructed to use the destination IP address (in the received packets) when initiating requests sent to the virtual server. Such a RIP configuration ensures that requests initiated by the virtual SSL server always reach the correct Virtual Server IP address (as configured on the Alteon Application Switch), because the destination IP address in the received packets corresponds to the IP address of the virtual server.

For a sample screen output, see page 170.


poolstatus

Displays pool status for the backend servers that are load balanced by the current virtual SSL server (where one pool is maintained for each backend server that passed the health check). Because each ASA device (or host) performs its own health checks of configured backend servers, the displayed pool status information is specific not only for the selected virtual SSL server, but also for the selected ASA host.

The following pool status information is displayed:

• BE: Backend servers by index number.

• RIP: Backend servers (listed by IP address), for which a pool is maintained.

• fds: File Descriptors. The number of server-side sockets that are currently in the pool.

• sess: SSL sessions. The number of SSL sessions that are currently in the pool. A pooled SSL session can be reused when setting up a new server-side socket.

• poolcnct: The number of server-side sockets in the pool that have been reused.

• !poolcnct: The number of server-side sockets that have been set up without taking advantage of reusing an existing socket.

Note: If you have not added any backend servers to the system configuration, the IP address specified as the Real Server IP (RIP) for the current virtual SSL server is listed under the RIP column. When using the ASA together with an Alteon Application Switch, the RIP typically corresponds to 0.0.0.0. By specifying 0.0.0.0 as the Real Server IP address, the SSL server is instructed to use the destination IP address (in the received packets) when initiating requests sent to the virtual server. Such a RIP configuration ensures that requests initiated by the virtual SSL server always reach the correct Virtual Server IP address (as configured on the Alteon Application Switch), since the destination IP address in the received packets corresponds to the IP address of the virtual server.

For a sample screen output, see page 170.

accept

Displays the number of initiated SSL client connections on the current virtual SSL server.

renegotiat

Displays the number of times clients have requested a renegotiation of the SSL connection on the current virtual SSL server.

handshakeg

Displays the number of successfully completed SSL handshakes on the current virtual SSL server.

To view the number of failed SSL handshakes, use the /stats/dump command. The number of failed SSL handshakes equals the combined values for SSL accept and SSL renegotiate requests, minus the combined values for SSL handshakes completed and the number of currently active request sessions.


cachemisse

Displays the number of times clients have made requests to reuse a particular session ID, and that session ID was not found in the SSL cache.

If there is a high number of cache misses in combination with a high value for cachefull, you may consider increasing the SSL cache size of the virtual SSL server. To change the current SSL cache size, use the /cfg/ssl/server command, specify the appropriate virtual SSL server by index number, and then type the command ssl/cachesize. The default SSL cache size is 8000 items.

If there is a high number of cache misses in combination with a low value for cachefull, you may consider increasing the cachettl value. To change the current cachettl value, use the /cfg/ssl/server command, specify the appropriate virtual SSL server by index number, and then type the command ssl/cachettl.

The default SSL cache timeout value is 5 minutes.

cachetimeo

Displays the number of reuse attempts on SSL sessions still in the cache, and whose timeouts were initiated.

If there is a high number of cache timeouts, you may consider increasing the cachettl value for the virtual SSL server. To change the current cachettl value, use the /cfg/ssl/server command, specify the appropriate virtual SSL server by index number, and then type the command ssl/cachettl. For more information, see the cachettl command on page 196.

The default SSL cache timeout value is 5 minutes.

cachefull

Displays the number of times when a new client session could not be cached due to the cache being full. If the cachefull value is high, you may consider increasing the SSL cache size of the virtual SSL server.

cachehits

Displays the number of times clients have made requests to reuse a particular session ID, and that session ID was found in the SSL cache.

sslconnect

Displays the number of completed SSL client connections on the current virtual SSL server.

revocation

Displays the number of revoked client certificates.

cipherrewr

Displays the number of HTTP weak cipher rewrites.

http_redir

Displays the number of HTTP redirect rewrites.


becnctfail

Displays the number of failed connections to backend servers.

tps

Displays the number of SSL transactions per second as performed by the specified virtual SSL server on the currently selected ASA host.

tpshisto

Displays histograms of the number of SSL transactions per second for the specified virtual SSL server, as performed on the currently selected ASA host.

clihisto

Displays histograms of data throughput in bytes per second from clients to the specified virtual SSL server, as performed on the currently selected ASA host.

srvhisto

Displays histograms of data throughput in bytes per second from backend servers to the specified virtual SSL server, as performed on the currently selected ASA host.

dump

Displays all statistics for the specified virtual SSL server on the currently selected ASA host, except the health check status, pool status, and histograms.
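The failed-handshake arithmetic given under handshakeg and the cachemisse/cachefull/cachetimeo tuning rules above, worked through in Python as an added example that is not Nortel code. It assumes a constructed dump in plain name: value form using the Table 10-9 command names (not the ASA's real dump layout), an active_sessions placeholder for the active request session count the manual takes from /stats/dump, and illustrative ratio thresholds.

```python
"""Interpret ASA per-server SSL counters (the Table 10-9 commands).

Added example, not Nortel code.  SAMPLE_DUMP is CONSTRUCTED as plain
"name: value" lines using the Table 10-9 command names; it is not the
ASA's real dump layout.  "active_sessions" is a placeholder for the
"currently active request sessions" figure from /stats/dump.  The ratio
thresholds are assumptions chosen for illustration, not manual values.
"""
import re
from typing import Dict, List

COUNTER_RE = re.compile(r"^\s*([A-Za-z_]+)\s*:\s*(\d+)\s*$")

CACHESIZE_ADVICE = "raise ssl/cachesize on the virtual SSL server (default 8000 items)"
CACHETTL_ADVICE = "raise ssl/cachettl on the virtual SSL server (default 5 minutes)"

# Constructed sample: a busy server whose cache is rarely full, but whose
# cached sessions expire before clients come back to resume them.
SAMPLE_DUMP = """\
accept: 12040
renegotiat: 35
handshakeg: 11900
active_sessions: 120
cachemisse: 3100
cachetimeo: 2400
cachefull: 12
cachehits: 8900
sslconnect: 11880
becnctfail: 3
"""


def parse_counters(text: str) -> Dict[str, int]:
    """Collect 'name: value' lines into an int dict; other lines are ignored."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def failed_handshakes(c: Dict[str, int]) -> int:
    """Failed handshakes as the manual defines them under handshakeg:
    (accept + renegotiate requests) - (handshakes completed + active sessions)."""
    return (c["accept"] + c["renegotiat"]) - (c["handshakeg"] + c["active_sessions"])


def cache_advice(c: Dict[str, int], miss_ratio: float = 0.10,
                 full_ratio: float = 0.05, timeout_ratio: float = 0.10) -> List[str]:
    """Apply the manual's cachemisse/cachefull/cachetimeo reasoning.

    high misses + high cachefull -> cache too small        (ssl/cachesize)
    high misses + low cachefull  -> entries expire too soon (ssl/cachettl)
    high cachetimeo              -> entries expire too soon (ssl/cachettl)
    """
    reuse_attempts = c["cachehits"] + c["cachemisse"]   # every session-ID resume attempt
    if reuse_attempts == 0:
        return []
    misses = c["cachemisse"] / reuse_attempts
    # cachefull relative to the new sessions that would have been inserted
    full = c["cachefull"] / max(c["handshakeg"], 1)
    timeouts = c["cachetimeo"] / reuse_attempts
    advice: List[str] = []
    if misses > miss_ratio:
        advice.append(CACHESIZE_ADVICE if full > full_ratio else CACHETTL_ADVICE)
    if timeouts > timeout_ratio and CACHETTL_ADVICE not in advice:
        advice.append(CACHETTL_ADVICE)
    return advice


if __name__ == "__main__":
    counters = parse_counters(SAMPLE_DUMP)
    print("failed handshakes:", failed_handshakes(counters))
    for item in cache_advice(counters):
        print("advice:", item)
```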


/stats/local/isdhost #/server #/healthchec

Single iSD Host SSL Server Healthcheck Command

/stats/local/isdhost #/server #/poolstatus

Single iSD Host SSL Server Poolstatus Command

>> Single ISD Stats for Server 1# healthchec
Healthcheck status at ISD number ’1’
BE  RIP               UP  EXEC  FAILS  REASON
1   192.168.128.1:80  up  no

>> Single ISD Stats for Server 1# poolstatus
Poolstatus at ISD number ’1’
BE  RIP               fds  sess  poolcnct  !poolcnct
1   192.168.128.1:80  0    0     0         0
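Parsing the two tables above and applying Note 1 of the healthchec description, as an added example that is not part of the manual. The sample output is constructed from the column layout shown; the second backend, its FAILS count and its REASON text are invented for illustration.

```python
"""Parse the healthchec / poolstatus tables of /stats/local/isdhost #/server #.

Added example, not Nortel code.  The sample output is CONSTRUCTED from the
column layout in the manual (BE RIP UP EXEC FAILS REASON and
BE RIP fds sess poolcnct !poolcnct); the second backend, its FAILS count
and REASON text, and the non-zero pool figures are invented.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

SAMPLE_HEALTHCHEC = """\
>> Single ISD Stats for Server 1# healthchec
Healthcheck status at ISD number '1'
BE RIP UP EXEC FAILS REASON
1 192.168.128.1:80 up no
2 192.168.128.2:80 down no 3 connection refused
"""

SAMPLE_POOLSTATUS = """\
>> Single ISD Stats for Server 1# poolstatus
Poolstatus at ISD number '1'
BE RIP fds sess poolcnct !poolcnct
1 192.168.128.1:80 4 2 150 50
"""


@dataclass
class Backend:
    index: int
    rip: str        # IP:port of the load balanced backend
    up: bool
    checking: bool  # EXEC column: a health check is in progress right now
    fails: int
    reason: str


def _rows(text: str, header: List[str], maxsplit: int) -> Iterator[List[str]]:
    """Yield whitespace-split data rows that follow the table header line."""
    in_table = False
    for line in text.splitlines():
        parts = line.split(None, maxsplit)
        if parts[:2] == header:
            in_table = True
            continue
        if in_table and parts and parts[0].isdigit():
            yield parts


def parse_healthchec(text: str) -> List[Backend]:
    backends: List[Backend] = []
    for p in _rows(text, ["BE", "RIP"], 5):
        # FAILS and REASON are blank for a healthy backend, as in the manual's sample
        fails = int(p[4]) if len(p) > 4 and p[4].isdigit() else 0
        reason = p[5] if len(p) > 5 else ""
        backends.append(Backend(int(p[0]), p[1], p[2] == "up", p[3] == "yes", fails, reason))
    return backends


def pool_reuse_ratio(text: str) -> Dict[str, Optional[float]]:
    """poolcnct / (poolcnct + !poolcnct): share of server-side sockets that were reused."""
    ratios: Dict[str, Optional[float]] = {}
    for p in _rows(text, ["BE", "RIP"], 5):
        reused, fresh = int(p[4]), int(p[5])
        ratios[p[1]] = reused / (reused + fresh) if reused + fresh else None
    return ratios


def assess(backends: List[Backend], becnctfail: int) -> List[str]:
    """Findings from one ASA's own view of its backends."""
    findings: List[str] = []
    for b in backends:
        if not b.up:
            findings.append(f"BE {b.index} {b.rip} down after {b.fails} failed checks: "
                            f"{b.reason or 'no reason given'}")
    # Note 1 in the manual: with the health check method set to none every backend
    # is always reported up, while becnctfail still counts failed connections.
    if becnctfail > 0 and all(b.up and b.fails == 0 for b in backends):
        findings.append(f"all backends up with 0 FAILS but becnctfail={becnctfail}: "
                        "health check method may be none; UP does not prove reachability")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_healthchec(SAMPLE_HEALTHCHEC), becnctfail=3):
        print(finding)
    print(pool_reuse_ratio(SAMPLE_POOLSTATUS))
```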


/stats/aaa

AAA Statistics Menu

The AAA Statistics menu is used for viewing authentication statistics related to the ASA cluster as a whole, or to one specific ASA in the cluster.

The number of accepted and rejected authentication requests of VPN users are listed for each configured authentication method and authentication server. For remote authentication methods (RADIUS, LDAP and NTLM), the number of times an authentication request has timed out on a specific server is listed as well. The remote authentication servers are listed by IP address and TCP port number.

Note that authentication statistics for all servers that are configured in the ASA cluster are displayed, and not only for the servers that are included in the authentication order scheme (by using the /cfg/xnet/domain/authorder command). If the statistics for a certain authentication method always come down to a row of zeroes, this may be because the method is not included in the authentication order scheme.

[AAA Statistics Menu]
total - Cluster-wide authentication statistics
isdhost - ISD local authentication statistics
dump - Dump all information

Table 10-10 Xnet Statistics Menu Options (/stats/aaa)

Command Syntax and Usage

total

Displays the total authentication statistics for all ASA hosts in the cluster.

isdhost

Displays the AAA settings for the specified ASA host in the cluster.

dump

Dumps all authentication statistics.


/cfg

Configuration Menu

The Configuration menu is used for performing SSL and system-wide configuration, as well as for saving and restoring ASA configurations to and from a TFTP or FTP server.

[Configuration Menu]
ssl - SSL offload menu
xnet - Xnet menu
sys - System-wide parameter menu
ptcfg - Backup current configuration to TFTP/FTP server
gtcfg - Restore current configuration from TFTP/FTP server
dump - Dump configuration on screen for copy-and-paste

Table 10-11 Configuration Menu Options (/cfg)

Command Syntax and Usage

ssl

Displays the SSL menu. To view menu options, see page 175.

xnet

Displays the Xnet menu. To view menu options, see page 252.

sys

Displays the System Configuration menu. To view menu options, see page 299.


ptcfg <TFTP/FTP server host name or IP address> <destination file name>

Saves the current configuration, including private keys and certificates, to a TFTP/FTP server. The configuration can later be restored by using the gtcfg command.

You are required to specify a password phrase before the information is sent to the TFTP/FTP server. If you restore the configuration by using the gtcfg command, you will be prompted for the password phrase you have specified. The password phrase is used to protect the private keys in the configuration.

Note 1: If you have fully separated the Administrator user role from the Certificate Administrator user role, the export passphrase defined by the certificate administrator is used to protect the private keys in the configuration—transparently to the user. When a configuration backup is restored by using the gtcfg command, the certificate administrator must enter the correct passphrase. For more information on separating the Administrator user role from the Certificate Administrator user role, see “Adding a New User” on page 66.

Note 2: When using the ptcfg command on an ASA FIPS, private keys are encrypted using the wrap key that was generated when the first HSM card in the cluster was initialized.

gtcfg <TFTP/FTP server host name or IP address> <file name> <password phrase>

Restores a configuration, including private keys and certificates, from a TFTP/FTP server. You need to provide the password phrase you specified when saving the configuration to the TFTP/FTP server.

Note: If you have fully separated the Administrator user role from the Certificate Administrator user role (by removing the admin user from the certadmin group), the certificate administrator must enter the passphrase that he or she defined by using the /cfg/sys/user/caphrase command.

dump

Dumps the current configuration on screen in a format that allows you to restore the configuration without using a TFTP server. Save the configuration to a text file by performing a copy-and-paste operation to a text editor. The configuration can later be restored by pasting the contents of the saved text file at any command prompt in the command line interface using the global paste command. When pasted, the content is batch processed by the ASA. To view the pending configuration changes resulting from the batch processing, use the diff command. To apply the configuration changes, use the apply command.

If you choose to include private keys in the configuration dump, you are required to specify a password phrase. The password phrase you specify applies to all private keys. When restoring a configuration that includes private keys, use the global paste command. Before pasting the configuration, you will be prompted for the password phrase you have specified.

Note: When using this command on an ASA FIPS, private keys are only displayed for client certificates.


Viewing, Applying and Removing Changes

As you use the configuration menus to set ASA parameters, the configuration changes you make do not take effect immediately. All changes are considered “pending” until you explicitly apply them.

While configuration changes are in the pending state, you can do the following:

• View the pending changes

• Apply the pending changes

• Remove the pending changes

Viewing Pending Changes

You can view all pending configuration changes by using the diff command at the menu prompt.

If you have pending configuration changes when using the exit command to log out from the command line interface, you will be prompted to view the pending changes by using the diff command. You can then either apply the changes, or remove them.

Applying Pending Changes

To make your configuration changes active, you must apply them. To apply pending configuration changes, use the apply command at the menu prompt.

Removing Pending Changes

To remove your pending configuration changes before they have been applied, use the revert command at the menu prompt.

NOTE – The diff, apply and revert commands are global commands. Therefore, you can enter these commands at any menu prompt in the command line interface.

>> # diff

>> # apply

>> # revert


/cfg/ssl

SSL Configuration Menu

The SSL Configuration menu is used for configuring SSL certificates and virtual SSL servers. There are also menu options for viewing the current settings, and for creating a test server and a test certificate.

[SSL Menu]
dns - DNS client settings
cert - Certificate menu
server - SSL server menu
test - Create test server and certificate
quick - Quick server setup wizard

Table 10-12 SSL Configuration Menu Options (/cfg/ssl)

Command Syntax and Usage

dns

Displays the DNS client settings menu. To view menu options, see page 177.

cert <certificate index number>

Displays the Certificate menu, after you have typed the index number of an existing certificate or a new certificate. To view menu options, see page 179.

server <virtual SSL server index number>

Displays the Server menu, after you have typed the index number of an existing virtual SSL server or a new server. To view menu options, see page 190.


test <virtual server IP address of virtual SSL test server> <SSL server type [generic|http|socks|portal]>

Creates a test SSL server using the first available virtual SSL index number. The default name of the test server is test_server. A test certificate and key are also created for the test SSL server. When executing the test command, you are asked to specify the IP address of a virtual server (defined on the Alteon Application Switch). The virtual server you specify will then make use of the services the test SSL server provides (HTTPS offload by default).

You also need to specify which type of test SSL server you want to create. Depending on the type you choose to create, you will be prompted for additional related information. Valid SSL server types include the following:

• generic: When selecting the generic SSL server type, you only need to specify a virtual server IP address. A generic SSL server listens on port 443 (HTTPS) and runs in transparent proxy mode. Content handled by a generic SSL server is treated as generic data and will not be parsed.

• http: When selecting the HTTP SSL server type, you only need to specify a virtual server IP address. An HTTP server shares many of its characteristics with the generic server type, but content is parsed as HTTP requests and responses. This paves the way for using a number of HTTP configuration options on the non-encrypted content.

• socks: A socks server is only required in configurations supporting the SSL VPN client exclusively, i.e. without the need for SSL VPN Portal interaction. To support both the SSL VPN client and the SSL VPN Portal, a portal server is sufficient.

• portal: A portal server is required to set up an SSL VPN Portal. When selecting the portal SSL server type, you can choose to map the test server to an existing Xnet domain or create a new Xnet domain. If you choose to create a new Xnet domain, you will also be prompted for a user name and password for a test user. The test user is automatically mapped to the test group which the system creates in the new Xnet domain. Members of the test group have unlimited access according to Access rule 1, which is automatically created in the test group. The local authentication mechanism is likewise automatically configured, which means that Portal user authentication is performed against the ASA’s local database where the test user is automatically stored. The test user’s credentials are used to log in to the Portal for testing purposes.

For each of the above SSL server types, you have the option to use an existing certificate (if available), identified by the certificate index number, or create a test certificate.

For more information on the characteristics and capabilities of the respective server type, see the type command on page 192.

quick

Starts the Quick Server Setup Wizard. For more information about using the Quick Server Setup Wizard, see “Using the Quick Server Setup Wizard” on page 101.

Note: This command cannot be used on an ASA FIPS running in FIPS mode. Due to FIPS security requirements, FIPS mode prohibits importing of private keys.


/cfg/ssl/dns

DNS Client Settings Configuration

The DNS Client Settings menu is used for fine tuning DNS settings. The DNS Client settings interact with the DNS servers that are added to the system configuration using the /cfg/sys/dns/add command.

The DNS client settings mainly come into play when name resolution queries that involve HTTP traffic are performed.

[DNS Client Settings Menu]
cachesize - Set Local DNS cache size
retransmit - Set DNS Retransmit interval timer
count - Set DNS Retransmit counter
ttl - Set Max TTL
health - Set Health check interval
hdown - Set Health check down counter
hup - Set Health check up counter

Table 10-13 DNS Client Settings Menu Options (/cfg/ssl/dns)

Command Syntax and Usage

cachesize <number of DNS entries>

Sets the maximum number of DNS entries contained in the local DNS cache.

The default DNS cache size is 1000 entries.

retransmit <value in seconds>

Sets the interval for retransmitting a DNS query.

The default retransmit value is 2 seconds.

count <integer value>

Sets the maximum number of times a DNS query is retransmitted.

The default value is 3.

ttl <integer value>

Sets the maximum Time-To-Live for a DNS entry in the cache. If you want to specify a value in minutes, hours or days, enter an integer directly followed by the letter m, h, or d. If you enter an integer not followed by one of these letters, seconds is implied.

The default TTL value is 1 hour (1h).

health <value in seconds>

Sets the DNS server health check interval. The ASA will perform a DNS query to each of the DNS servers added to the system configuration at the specified interval to determine the health check status.

The default health check interval is set to 10 seconds (10s).


hdown

Sets the number of times a DNS server health check can time out before the ASA determines the DNS server as down.

The default health check down counter is set to 2.

hup

Sets the number of times a DNS server health check returns a positive response before the ASA determines the DNS server as up.

The default health check up counter is set to 2.
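The ttl suffix syntax and the hdown/hup counters of this menu, modelled in Python as an added example that is not Nortel code. It assumes the counters apply to consecutive checks and reset on the opposite outcome, which the manual does not state, and the probe sequence is constructed.

```python
"""Model the /cfg/ssl/dns ttl syntax and the hdown/hup health check counters.

Added example, not Nortel code.  The manual says hdown is the number of
timed-out checks before a DNS server is declared down and hup the number of
positive responses before it is declared up again.  This model ASSUMES the
counts are consecutive and reset on the opposite outcome.  The probe
sequences are constructed.
"""
import re
from typing import List

TTL_RE = re.compile(r"^(\d+)([mhd]?)$")
UNIT_SECONDS = {"": 1, "m": 60, "h": 3600, "d": 86400}   # bare integer = seconds


def parse_ttl(value: str) -> int:
    """ttl accepts an integer optionally followed by m, h or d; returns seconds."""
    m = TTL_RE.match(value.strip())
    if not m:
        raise ValueError(f"invalid ttl value: {value!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]


def dns_server_states(probes: List[bool], hdown: int = 2, hup: int = 2,
                      start_up: bool = True) -> List[bool]:
    """Return the ASA's up/down verdict after each probe (True = the query was answered).

    The defaults are the manual's: hdown=2, hup=2.
    """
    up = start_up
    timeouts = successes = 0
    states: List[bool] = []
    for answered in probes:
        if answered:
            successes, timeouts = successes + 1, 0
            if not up and successes >= hup:
                up = True
        else:
            timeouts, successes = timeouts + 1, 0
            if up and timeouts >= hdown:
                up = False
        states.append(up)
    return states


def flap_count(states: List[bool], start_up: bool = True) -> int:
    """Number of up/down transitions; a high count suggests raising hdown/hup."""
    transitions, prev = 0, start_up
    for s in states:
        transitions += int(s != prev)
        prev = s
    return transitions


# Constructed probe history: one isolated timeout, then two in a row, then recovery.
PROBES = [False, True, False, False, True, True, True]

if __name__ == "__main__":
    print("ttl 1h =", parse_ttl("1h"), "seconds")
    for hdown, hup in ((2, 2), (1, 1)):
        states = dns_server_states(PROBES, hdown, hup)
        print(f"hdown={hdown} hup={hup}: {states} flaps={flap_count(states)}")
```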


/cfg/ssl/cert <number>

Certificate Management Configuration

The Certificate menu is used for managing private keys and certificates. When accessing the Certificate menu, you are requested to specify the index number of the certificate you want to work with. When adding a new certificate, specify an unused index number. You can add up to 1500 certificates to the ASA. Any unused index number can be assigned to a certificate, including numbers higher than 1500. To view basic information about all certificates added to the ASA, use the /info/certs command.

[Certificate 1 Menu]
name - Set certificate name
cert - Set certificate
key - Set private key
revoke - Revocation menu
genkey - Generate private key
gensigned - Generate signed client/server certificate
request - Generate certificate request
sign - Sign a certificate request
test - Generate test certificate and key
import - Import key and certificate from remote machine
export - Export certificate and key with TFTP/FTP
display - Display certificate and key
show - Show certificate information
info - Show certificate subject information
validate - Check if key and certificate match
keysize - Show key size
keyinfo - Show how key is stored
del - Remove certificate

Table 10-14 Certificate Menu Options (/cfg/ssl/cert)

Command Syntax and Usage

name <certificate name>

Assigns a name to the certificate. The assigned name is mainly for your own reference.


cert

Lets you paste the contents of a certificate file from a text editor. If the certificate file contains both the private key and the certificate, you can paste the entire contents at the menu prompt. In this case, you will not need to paste the private key separately using the key command. If the key has been password protected, you are prompted for the correct password phrase. When using the cert command to add a certificate to the ASA, the certificate (and key, if present) must be in the PEM format.

If a certificate is already installed using the current certificate index number, that certificate will be overwritten by pasting another certificate to the same index number. Use the show command to verify that the current certificate index number is not in use.

Note: This command cannot be used on an ASA FIPS running in FIPS mode, if the certificate file also contains the private key, or if you need to import the private key associated with the public key in the certificate from an external source. Due to FIPS security requirements, FIPS mode prohibits importing of private keys.

key

Lets you paste the contents of a key file from a text editor. Make sure the key file corresponds to the public key contained in the related certificate file. If the key has been password protected, you are prompted for the correct password phrase. When using the key command to add a private key to the ASA, the key must be in the PEM format.

If a key is already installed using the current certificate index number, that key will be overwritten by pasting another key to the same index number. Use the keyinfo command to verify that the current certificate index number is not in use.

After you have added the private key you should use the validate command to ensure that the private key matches the public key in the current certificate.

Note: This command cannot be used on an ASA FIPS running in FIPS mode. Due to FIPS security requirements, FIPS mode prohibits importing of private keys.

revoke

Displays the Revocation menu. To view menu options, see page 185.

genkey <Key size [512|1024|2048]>

Generates a private key in PEM (Privacy Enhanced Mail) format. After specifying a key length (512, 1024, or 2048 bits, with 1024 bits being the default key length), the key is generated immediately. Note that existing keys in the current certificate number are overwritten when you execute the apply command. Choose 2048 bits: 512-bit RSA keys have been publicly factored since 1999 and offer no real protection, and 1024-bit keys are no longer regarded as adequate.

To save the key to a file, use the display command to display the key on-screen (encrypted, if you choose a password phrase). You can then perform a copy-and-paste operation to a text editor and save the key to a file. When using the display command, you also have the option of protecting the key with a password by specifying a password phrase.


gensigned server|client <country code> <state or province> <locality> <organization> <organizational unit> <common name> <e-mail address> <validity period> <key size> <CA cert [true/false]> <serial number> <pass phrase>

Generates a server or client certificate that is signed using the private key associated with the currently selected certificate.

• server: Generates a signed server certificate provided with key use options that are appropriate for server usage. Setting the CA cert value to true is appropriate if you plan to issue your own client certificates or chained server certificates, generating them from the currently generated server certificate. The CA cert value you specify when generating a certificate translates into the X509v3 Basic Constraints property in the generated certificate. The properties of a certificate available on the ASA can be viewed by entering the following command: /cfg/ssl/cert #/show

• client: Generates a client certificate that is signed using the private key associated with the currently selected certificate. In order to authenticate a client that is using the generated client certificate, you must also specify the currently selected certificate as a CA certificate to the virtual SSL server handling the authentication for the intended service. Specify the CA certificates used for authenticating client certificates by entering the /cfg/ssl/server command. After specifying the desired SSL server, enter the ssl/cacerts command and specify the desired CA certificate by its index number. For more information about generating client certificates, see “Generating Client Certificates on the ASA” on page 91.

Note: Only certificates that have the basic constraint CA:TRUE can be used to generate server or client certificates. When generating a certificate, the ASA automatically checks that the currently selected certificate has the basic constraint CA:TRUE.

request <country code> <state or province> <locality> <organization> <organizational unit> <common name> <e-mail address> <key size> <request CA certificate>

Generates a certificate signing request (CSR), which can be further processed by a certificate authority (CA) such as VeriSign, Entrust, or any other CA. During the process of generating a CSR, you are asked whether to generate a new private key. The default answer is Yes. However, if you want to generate a CSR using the existing private key, you should answer No. If your existing certificate is reaching its expiration date and you only want to renew it, you should keep using the existing private key and answer No.

For more information about how to generate a CSR, see “Generating and Submitting a CSR Using the CLI” on page 76.


sign <pasted contents of CSR file>

Signs a CSR (Certificate Signing Request) by using the private key associated with the currently selected certificate. First, open the CSR file in a text editor and copy the entire contents, including the text “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----”. Then, after having issued the sign command, follow the instructions on screen.

Note: This command is primarily intended to be used when you have configured the virtual SSL server to perform end to end encryption, and you want to sign a CSR generated on a backend Web server by using a CA certificate on the ASA. (The signed CSR can then be installed on the backend Web server as a server certificate). In such a configuration, make sure the certificate you used for signing the CSR is specified as a CA certificate on the virtual SSL server. To set a certificate as a CA certificate used by a particular virtual SSL server, enter the command /cfg/ssl/server #/adv/sslconnect/verify/cacerts and specify the index number of the appropriate CA certificate.

test <country code> <state or province> <locality> <organization> <organizational unit> <common name> <e-mail address> <validity period> <key size>

Generates a self-signed certificate and private key for testing purposes. After providing the requested information, the certificate and key are generated immediately. However, to activate the test certificate and key, you need to execute the apply command.

Note: If a certificate and key already exist for the current certificate index number, they are overwritten when you execute the apply command. You should therefore always choose an unused certificate index number before creating a test certificate. To check if a certificate and key already exist for the current index number, use the info command.

import <protocol [tftp/ftp]> <server by host name or IP address> <file name>

Installs a private key and certificate by downloading it from a TFTP or FTP server. If the private key has been password protected, you are prompted for the correct password phrase.

Keys in the following formats can be imported using the import command: PEM, DER, NET, PKCS8 (used in WebLogic), PKCS12, and keys in the proprietary format used in MS IIS 4. Keys from Netscape Enterprise Server or iPlanet Server can also be imported, but require that you first use a conversion tool. Contact Nortel Networks for more information about the conversion tool.

Certificates in the following formats can be imported using the import command: PEM, DER, NET, PKCS7, and PKCS12.

If a key or certificate is already installed using the current certificate index number, that key/certificate will be overwritten by installing another key/certificate to the same index number. Use the keyinfo and show commands, respectively, to verify that the current certificate index number is not in use.

Note: This command cannot be used on an ASA FIPS running in FIPS mode, if the certificate file also contains the private key, or if you need to import the private key associated with the public key in the certificate from an external source. Due to the FIPS security requirements, FIPS mode prohibits importing private keys.


export <protocol [tftp|ftp]> <server by host name or IP address> <export file format [pem|der|net|pkcs12]>

Exports the current key and certificate to a TFTP or FTP server in the specified format. Keys and certificates can be exported and saved in four different formats: PEM, DER, NET, or PKCS12. These formats have different capabilities regarding private key encryption and the ability to save the private key and the certificate in separate files. Only the DER format does not offer private key encryption. The DER format and the NET format let you store the private key and the certificate in separate files. The PEM format and the PKCS12 format always combine the private key and the certificate in the same file. Most Web browsers allow importing a combined key and certificate file in the PKCS12 format. Note that TFTP and FTP transfer the file in clear text, so a private key exported without encryption is exposed in transit and at rest on the file server; prefer a format that encrypts the key.

Note: When using this command on an ASA FIPS, you can only export the certificate to a TFTP/FTP server—not the private key. For client certificates however, both the certificate and the private key can be exported to a TFTP/FTP server using the export command.

display <pass phrase>

Displays the current key and certificate in the CLI. When executing the display command, you are provided with the option to protect the private key with a password phrase. This adds an extra layer of security and is recommended. You can perform a cut-and-paste operation on the key section into a text editor, and save the private key to a file with the .PEM extension. Repeat the cut-and-paste operation on the certificate section and save it to a file with the .PEM extension. You may also save both the key and the certificate to the same file, again using the .PEM extension.

If you need to save a certificate and key in another format than the PEM format, use the export command instead.

Note: When using this command on an ASA FIPS, only the certificate section is displayed unless the currently selected certificate is a client certificate. For client certificates, both the certificate section and the private key section are displayed and can be saved into a text editor using a cut-and-paste operation.

show

Displays detailed information related to the certificate, except the certificate name.

info

Displays the serial number, the expiration date, and information related to the subject of the current certificate.

validate

Validates that the private key matches the public key in the current certificate.

keysize

Displays the key size of the private key in the current certificate.


keyinfo

Provides information about how the private key associated with the currently selected certificate is protected.

For the ASA without the HSM card, private keys are protected by the cluster.

For the ASA FIPS, private keys are protected by the HSM card. However, when generating a client certificate, the associated private key is protected by the cluster and not by the HSM card. This is necessary in order to transfer both the certificate and the private key to the client using the export command.

del

Removes the current certificate and key.
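The checks behind validate (does the pasted key belong to the certificate?) and behind gensigned and sign (does the issuing certificate carry the basic constraint CA:TRUE?) can be reproduced off the appliance, for example to verify a key and certificate pair before pasting it with the cert and key commands. The following Python is an added example, not Nortel code, and uses the third-party cryptography library. It generates an RSA key (genkey), issues a self-signed CA certificate and a server certificate signed by it (gensigned with CA cert true and false), compares a private key against a certificate (validate), refuses to issue from a certificate that lacks CA:TRUE, verifies a certificate's signature against its issuer, and writes key and certificate as one PEM file with the key under a pass phrase (display). The function names, the 2048-bit minimum, and the Key Usage bits are this example's own choices; the ASA's key use options are not documented on this page.

```python
import datetime
from typing import Optional

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def generate_key(bits: int = 2048) -> rsa.RSAPrivateKey:
    """Counterpart of genkey. The ASA also offers 512 and 1024; this example refuses both."""
    if bits < 2048:
        raise ValueError("RSA keys shorter than 2048 bits are not acceptable")
    return rsa.generate_private_key(public_exponent=65537, key_size=bits)


def key_matches_cert(key: rsa.RSAPrivateKey, cert: x509.Certificate) -> bool:
    """Counterpart of validate: the key's public half must equal the certificate's SubjectPublicKeyInfo."""
    enc, fmt = serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo
    return key.public_key().public_bytes(enc, fmt) == cert.public_key().public_bytes(enc, fmt)


def can_issue(cert: x509.Certificate) -> bool:
    """The check gensigned/sign perform: Basic Constraints CA:TRUE (plus keyCertSign if Key Usage is present)."""
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    except x509.ExtensionNotFound:
        return False
    if not bc.ca:
        return False
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        return True
    return ku.key_cert_sign


def issue(common_name: str, public_key, issuer_cert: Optional[x509.Certificate],
          issuer_key: rsa.RSAPrivateKey, *, ca: bool, days: int = 365) -> x509.Certificate:
    """Counterpart of gensigned: sign a certificate for public_key with the issuer's key.

    issuer_cert=None makes a self-signed root. Like the ASA, refuse any issuer without CA:TRUE.
    The public key taken from a CSR would be signed the same way (the sign command).
    """
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    if issuer_cert is None:
        issuer_name = subject
    else:
        if not can_issue(issuer_cert):
            raise ValueError("issuer certificate lacks the basic constraint CA:TRUE")
        if not key_matches_cert(issuer_key, issuer_cert):
            raise ValueError("issuer key does not match issuer certificate")
        issuer_name = issuer_cert.subject
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_name)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=days))
        # The CA cert true/false value of gensigned becomes exactly this extension.
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
        .add_extension(
            x509.KeyUsage(
                digital_signature=True, key_encipherment=not ca, key_cert_sign=ca, crl_sign=ca,
                content_commitment=False, data_encipherment=False, key_agreement=False,
                encipher_only=False, decipher_only=False,
            ),
            critical=True,
        )
    )
    return builder.sign(issuer_key, hashes.SHA256())


def signed_by(cert: x509.Certificate, issuer_cert: x509.Certificate) -> bool:
    """Verify cert's signature with the issuer's RSA public key (PKCS#1 v1.5, as X.509 RSA signatures use)."""
    try:
        issuer_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes, padding.PKCS1v15(), cert.signature_hash_algorithm
        )
        return True
    except InvalidSignature:
        return False


def to_pem(key: rsa.RSAPrivateKey, cert: x509.Certificate, passphrase: Optional[bytes] = None) -> bytes:
    """Counterpart of display: key and certificate in one PEM file, key encrypted when a pass phrase is given."""
    enc = serialization.BestAvailableEncryption(passphrase) if passphrase else serialization.NoEncryption()
    key_pem = key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8, enc)
    return key_pem + cert.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    ca_key = generate_key()
    ca_cert = issue("Example Root CA", ca_key.public_key(), None, ca_key, ca=True)
    srv_key = generate_key()
    srv_cert = issue("www.example.test", srv_key.public_key(), ca_cert, ca_key, ca=False)
    print("validate:", key_matches_cert(srv_key, srv_cert))      # True
    print("server cert may issue:", can_issue(srv_cert))           # False
    print(to_pem(srv_key, srv_cert, b"s3cret").decode())
```

The combined PEM output is the shape the cert command accepts in one paste (key and certificate in the same file); because the key is encrypted, the appliance will prompt for the pass phrase, as described for cert and key above.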


/cfg/ssl/cert <number>/revoke

Certificate Revocation Configuration

The Certificate Revocation menu is used for revoking client certificates.

[Revocation Menu]
add - Add serial number to revocation list
addx - Add serial number to revocation list
del - Cancel revocation for a serial number
list - List revoked certificates
rev - Enter revocation list
import - Import revocation list from remote machine
automatic - Automatic CRL retrieval menu

Table 10-15 Certificate Revocation Menu Options (/cfg/ssl/cert/revoke)

Command Syntax and Usage

add <client certificate serial number>

Adds a client certificate, specified by its serial number, to the current certificate revocation list.

addx <client certificate serial number in hexadecimal form>

Adds a client certificate, specified by its serial number in hexadecimal form, to the current certificate revocation list. When using the list command to view revoked certificates, certificates added by using the hexadecimal form are listed using their decimal form.

del <client certificate serial number>

Removes a client certificate, specified by its serial number, from the current certificate revocation list. This will cancel the revocation of the specified certificate.

list

Lists the serial numbers of client certificates that will be revoked on client authentication.

rev

Lets you paste the contents of a certificate revocation list in the PEM or ASCII format from a text editor. The revocation list is used to revoke client certificates issued by a particular certificate authority (CA). The currently selected certificate index number (Cert 1, for example) should hold the CA certificate of the same CA as from which you obtained the certificate revocation list. To view information about the currently selected certificate, use the /cfg/ssl/cert #/show command.

If your organization has issued its own client certificates, it may as well have created its own certificate revocation list in ASCII format. Such a list can also be pasted and added to the CA certificate that was used in order to generate the client certificates.


import <protocol [tftp/ftp]> <server by host name or IP address> <file name>

Adds a certificate revocation list in PEM, DER or ASCII format by downloading it from a TFTP or FTP server. The revocation list is used to revoke client certificates issued by a particular certificate authority (CA). The currently selected certificate index number (Cert 1, for example) should hold the CA certificate of the same CA as from which you obtained the certificate revocation list. To view information about the currently selected certificate, use the /cfg/ssl/cert #/show command.

If your organization has issued its own client certificates, it may as well have created its own certificate revocation list in ASCII format. Such a list can also be downloaded and added to the CA certificate that was used in order to generate the client certificates.

automatic

Displays the Automatic CRL menu. To view menu options, see page 187.


/cfg/ssl/cert <number>/revoke/automatic

Automatic CRL Menu

The Automatic CRL menu is used for configuring access to a server containing CRLs (certificate revocation lists), and retrieving such lists at regular intervals in order to automate the task of keeping the CRL up-to-date.

NOTE – When enabling automatic retrieval of certificate revocation lists, any existing revocation list is overwritten.

You can use LDAP, HTTP, or TFTP to retrieve CRLs from the appropriate server (for LDAP, the server must support LDAP v3). When using LDAP, a bind operation to the specified LDAP server is performed each time a CRL retrieval occurs. The bind operation uses the specified distinguished name and password. Directly after a successful bind operation, a search for the CRL attribute specified in the URL is performed on the LDAP server. For more information on the implementation details behind these operations, see RFC 2251.

[Automatic CRL Menu]
url - Set URL to retrieve CRL from
authDN - Set LDAP DN used for bind/authentication
passwd - Set password to use when to authenticate
interval - Set refresh interval
cacerts - Set list of accepted signers of CRLs
ena - Enable automatic retrieval
dis - Disable automatic retrieval


Table 10-16 Automatic CRL Menu Options (/cfg/ssl/cert/revoke/automatic)

Command Syntax and Usage

url <URL with access protocol, server by host name or IP address:TCP port, and path>

Sets the complete URL for retrieving a CRL using LDAP, HTTP, or TFTP. If you are not using the default TCP port of the respective protocol, the TCP port number must also be included in the URL.

If you want to retrieve CRLs from an LDAP server, you need to provide the distinguished name of the specific object on the LDAP server, together with the attribute that holds the CRL (all in accordance with RFC 2255).

Example: ldap://10.42.128.30:389/cn=VeriSign CRL,o=Your Organization?CertificateRevocationList;binary

Using HTTP or TFTP, the URL you specify must include the specific file name you want to access. The recognized URL syntax is a subset of RFC 1738, and can be defined as: <proto>://<host>[:<port>]/<path>.

Example: http://10.42.128.30/server.crl

authDN <distinguished name for binding and authentication>

Sets the distinguished name used for binding and authenticating the initiated LDAP session on the specified LDAP server. Check your LDAP server documentation for details on binding, authentication, and access control.

Example: cn=Bill Smith,o=Your Organization

When using HTTP or TFTP to retrieve a CRL, you don’t need to provide a distinguished name for binding and authentication.

passwd <password for binding and authentication>

Sets the password used for binding and authenticating the initiated LDAP session on the specified LDAP server. Check your LDAP server documentation for details on binding, authentication, and access control.

When using HTTP or TFTP to retrieve a CRL, you don’t need to provide a password for binding and authentication.

interval <value in seconds>

Sets the time interval for retrieving CRLs from the resource you have specified using the url command. If you want to specify a time interval in minutes, hours or days, enter an integer directly followed by the letter m, h, or d.

The default interval is 1 day (1d). The shortest time interval allowed is 601 seconds (10 minutes and 1 second).

The default interval is 1 day (1d). The shortest time interval allowed is 601 seconds (10 minutes and 1 second).


cacerts

Specifies which CA certificates are valid signers of the certificate revocation lists you retrieve.

To get an overview of all available certificates, enter the /info/certs command.

When specifying more than one certificate, use commas to separate the corresponding index numbers. Example: 1,2,5

To clear all specified CA certificates, press ENTER when asked to enter certificate numbers, then answer yes to the question if you want to clear the list.

ena

Enables automatic retrieval of CRLs. When using the apply command the first time after having enabled automatic retrieval of CRLs, a first retrieval is invoked immediately. After that, retrievals will occur at the specified time interval (where the default value is once every 24 hours).

dis

Disables automatic retrieval of CRLs. By default, automatic retrieval is disabled.
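The url command accepts three kinds of location, and the guide gives the grammar for two of them (<proto>://<host>[:<port>]/<path> for HTTP and TFTP, RFC 2255 for LDAP) plus one example of each. The following Python validator is an added example, not Nortel code; it is the check an operator might run on a CRL URL before typing it into the appliance. It applies the default port of each protocol when none is given, requires a file name for HTTP/TFTP, and for LDAP extracts the DN and the attribute that holds the CRL. The DEFAULT_PORTS table and the handling of the optional RFC 2255 scope field go beyond what the guide states and are this example's assumptions; the guide itself only documents the DN and attribute parts of an LDAP URL.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote, urlsplit

# Default ports assumed when the URL carries none (the guide requires an explicit
# port only when it differs from the protocol default).
DEFAULT_PORTS = {"ldap": 389, "http": 80, "tftp": 69}


@dataclass(frozen=True)
class CrlSource:
    proto: str
    host: str
    port: int
    path: str                  # HTTP/TFTP: file path; LDAP: DN of the object holding the CRL
    attribute: Optional[str]   # LDAP: attribute holding the CRL, e.g. certificateRevocationList;binary
    scope: str = "base"        # LDAP: RFC 2255 scope; "base" when absent (assumption)


def parse_crl_url(url: str) -> CrlSource:
    """Validate a CRL URL as the url command describes it.

    HTTP/TFTP: <proto>://<host>[:<port>]/<path>, where the path names a file.
    LDAP:      ldap://<host>[:<port>]/<dn>?<attribute>[?<scope>[?<filter>]] (RFC 2255).
    """
    parts = urlsplit(url.strip())
    proto = parts.scheme.lower()
    if proto not in DEFAULT_PORTS:
        raise ValueError(f"unsupported protocol {proto!r}; use ldap, http or tftp")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    port = parts.port or DEFAULT_PORTS[proto]   # .port raises ValueError on a non-numeric port
    if parts.fragment:
        raise ValueError("fragments are not part of a CRL URL")

    if proto == "ldap":
        dn = unquote(parts.path.lstrip("/"))
        if not dn:
            raise ValueError("LDAP URL needs the DN of the object that holds the CRL")
        fields = parts.query.split("?")           # attributes ? scope ? filter ? extensions
        attribute = unquote(fields[0]) if fields[0] else None
        if attribute is None:
            raise ValueError("LDAP URL needs the attribute that holds the CRL")
        scope = (fields[1] if len(fields) > 1 and fields[1] else "base").lower()
        if scope not in ("base", "one", "sub"):
            raise ValueError(f"bad LDAP scope {scope!r}")
        return CrlSource(proto, host, port, dn, attribute, scope)

    # HTTP and TFTP: the path must name a file, not a directory.
    path = unquote(parts.path)
    if not path.startswith("/") or path.endswith("/"):
        raise ValueError("HTTP/TFTP URL must include the CRL file name")
    if parts.query:
        raise ValueError("query strings are not part of a CRL file URL")
    return CrlSource(proto, host, port, path, None)


if __name__ == "__main__":
    # The two examples given for the url command.
    print(parse_crl_url("ldap://10.42.128.30:389/cn=VeriSign CRL,o=Your Organization"
                        "?CertificateRevocationList;binary"))
    print(parse_crl_url("http://10.42.128.30/server.crl"))
```

A URL that parses cleanly is necessary but not sufficient: HTTP and TFTP give the CRL no protection in transit, and an LDAP bind password in the configuration does not authenticate the data either. What actually authenticates a retrieved CRL is its signature, checked against the cacerts list of accepted signers, so that list should be kept to the CA that issues the client certificates you verify.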


/cfg/ssl/server <number>

SSL Server Management Configuration

The SSL Server menu is used for configuring various attributes of a particular virtual SSL server. The number of items available in the menu will vary according to the virtual SSL server type (generic, HTTP, socks, or portal). When accessing the SSL Server menu, you are requested to specify the index number of the virtual SSL server you want to work with. To view information about all configured SSL servers, use the /info/servers command.

[Server 1 Menu]
name - Set server name
vip - Set IP addr of SSL server
iplist - List of IP addresses for this Virtual server
port - Set listen port of SSL server
rip - Set real server IP addr
rport - Set real server port
type - Set type (generic/http/socks/portal)
dnsname - Set DNS name of server
proxy - Set transparent proxy mode (on/off)
trace - Traffic trace menu
ssl - SSL settings menu
tcp - TCP endpoint settings menu
http - HTTP settings menu
dns - DNS settings menu
portal - Portal settings menu
socks - Socks settings menu
adv - Advanced settings menu
del - Remove virtual server
ena - Enable virtual server
dis - Disable virtual server

Table 10-17 SSL Server Configuration Menu Options (/cfg/ssl/server)

Command Syntax and Usage

name <SSL server name>

Assigns a name to the virtual SSL server. The assigned name is mainly for your own reference.

vip <virtual server IP address>

Sets the virtual server IP address (on the Alteon Application Switch), to which the virtual SSL server is mapped.


iplist

The iplist command replaces the vip command when standalone mode is enabled (see the /cfg/ssl/server #/adv/standalone command). Standalone should be enabled when using the ASA as a stand-alone Web server accelerator, without any interoperability with an Alteon Application Switch.

When stand-alone mode is enabled, the SSL server addresses in the IP list will be distributed among the ASAs. If one or several ASAs fail, the SSL server addresses currently held by these ASAs will migrate to functional ASAs. This means that as long as there is one functional ASA in the cluster, all of the SSL server addresses in the list will be available.

port <TCP port number>

Sets the TCP port number to which the virtual SSL server listens. The default is port 443 for all virtual SSL servers. The port setting on the ASA must be accompanied by a redirect filter (on the Alteon Application Switch) in which the dport value corresponds to the port value (on the ASA).

rip <real server IP address>

Sets the IP address of the real server to which the virtual SSL server should connect when initiating requests. When using the ASA in conjunction with an Alteon Application Switch, the real server IP address (RIP) should be set to 0.0.0.0 (the default setting). This setting instructs the ASA to use the destination IP address found in the received packets, when initiating requests to the virtual server on the Alteon Application Switch to which the virtual SSL server has been mapped.

When using the ASA as a stand-alone Web server accelerator, without any interoperability with an Alteon Application Switch, the real server IP address (RIP) should be set to the IP address of the (single) server that the ASA offloads.

If you have enabled the built-in load balancing capabilities of the ASA, the rip command is unavailable. Instead, the IP address for each load balanced real server is specified using the /cfg/ssl/server #/adv/loadbalanc/backend #/ip command.

rport <TCP port number>

Sets the TCP port to which the virtual SSL server connects. The default rport value for all virtual SSL servers that are created is 81. If you are setting up your ASA as a Web server accelerator, the ASA will use this port to send and receive decrypted HTTP information to and from the real Web servers. Note that both the virtual server (on the Alteon Application Switch) and the real servers must also be configured to listen for ASA traffic on port 81.

When using the ASA as a stand-alone Web server accelerator (of a single real Web server) in combination with end to end encryption, the rport value should be set to 443. The real Web server must also be configured to listen to TCP port 443.

If you have enabled the built-in load balancing capabilities of the ASA, the rport value is neglected. Instead, the TCP port for each load balanced real server is specified using the /cfg/ssl/server #/adv/loadbalanc/backend #/port command.


type generic|http|socks|portal

Specifies the virtual SSL server type. Valid options are:

• generic: When the server type is set to generic, the content is treated as generic data and will not be parsed.

• http: When the server type is set to http, the content is parsed as HTTP requests and responses, and you can use the HTTP configuration options on the non-encrypted content. For more information about HTTP configuration options, see page 201.

• socks: When the server type is set to socks, a socks server is enabled for the current virtual SSL server. A socks server is only required in configurations supporting the SSL VPN client exclusively, i.e. without the need for SSL VPN Portal interaction. To support both the SSL VPN client and the SSL VPN Portal, a portal server is sufficient.

• portal: When the server type is set to portal, the SSL VPN Portal is displayed in the client Web browser when a connection request is made. To configure an ASA for browser-based SSL VPN mode, set the virtual server type to portal. For more information about Portal configuration options, see page 217.

The default SSL server type is set to generic.

dnsname <fully qualified domain name registered in DNS for the virtual server IP address>

Assigns a DNS name to the current virtual SSL server. The DNS name you assign is used when the SSL VPN feature is deployed for verifying URLs and for creating the links that appear on the Portal home page.

When pressing Return after having specified the DNS name, a check will be performed against the DNS server included in the system configuration (see the /cfg/sys/dns command). The system will verify that the fully qualified domain name you have specified for the virtual server (using the /cfg/ssl/server #/dnsname command) is registered in DNS, and that the resolved IP address corresponds to the virtual server IP address.

Note: The dnsname command is only available for servers of the HTTP or portal type.

proxy on|off

Specifies whether to use Transparent proxy mode. If proxy is set to on, the client’s real IP address is used when the ASA forwards client requests to the real servers. Consequently, it is the client’s IP address that is logged on the real servers, and not the ASA’s IP address (which is “transparent” to the real servers). In order to use the Transparent proxy mode, you need to make sure all client traffic is routed back to the clients through the Alteon Application Switch. The ASA real server group defined on the Alteon Application Switch must use the hash algorithm for server load balancing, and FWLB (Firewall Load Balancing) must be enabled in the appropriate redirect filter on the Alteon Application Switch.

If proxy is set to off, the IP address assigned to the ASA is used when client requests are forwarded to the real servers. If a real Web server is logging the client IP address, it will log the ASA’s IP address instead of the real client’s IP address. In other words, when proxy is set to off, the ASA works in non-transparent proxy mode. When using non-transparent proxy mode, the firewall redirect hash method must not be applied to any real ports on the Alteon Application Switch.

The default proxy mode value is on.


trace

Displays the Trace menu. To view menu options, see page 194.

ssl

Displays the SSL settings menu. To view menu options, see page 196.

tcp

Displays the TCP settings menu. To view menu options, see page 199.

http

Displays the HTTP settings menu. To view menu options, see page 201.

Note: This menu item is only available when the SSL server type is set to http.

dns

Displays the DNS settings menu. To view menu options, see page 210.

Note: This menu item is only available when the SSL server type is set to one of the following: http, socks or portal.

portal

Displays the Portal settings menu. To view menu options, see page 217.

Note: This menu item is only available when the SSL server type is set to portal.

socks

Displays the Socks settings menu. To view menu options, see page 211.

Note: This menu item is only available when the SSL server type is set to socks.

adv

Displays the Advanced settings menu. To view menu options, see page 220.

del

Removes the current virtual SSL server.

ena

Enables the current virtual SSL server.

dis

Disables the current virtual SSL server.


/cfg/ssl/server <number>/trace
Network Traffic Dump Commands

The Trace menu is used for capturing and analyzing SSL and TCP traffic flowing between clients and the selected virtual SSL server on the ASA. The commands can be useful for debugging purposes. The ssldump command will decrypt transmitted data traffic, provided private keys and certificates have been configured properly on the selected virtual SSL server.

The ssldump and the tcpdump commands can be permanently deactivated in the ASA cluster. For more information, see the /cfg/sys/distrace command on page 299.

[Trace Menu]
     ssldump  - Create traffic dump
     tcpdump  - Create traffic dump

Table 10-18 Trace Menu Options (/cfg/ssl/server/trace)

Command Syntax and Usage

ssldump interactive|tftp|ftp

Creates a dump of the SSL traffic flowing between clients and the currently selected virtual SSL server. The captured information can either be displayed decrypted on screen (the default interactive output mode), or saved as a file to a TFTP or FTP server. A TFTP or FTP server can be specified using either the host name or the IP address in dotted decimal notation.

If you choose to send the dump as a file to a TFTP server, a number of files will be sent to the server depending on the amount of captured information. A number is appended to the file name given in the CLI, starting at 1 and incremented automatically for additional files. You will be prompted for a destination file name prefix of your own choice.

If you choose to send the dump as a file to an FTP server, you will be prompted for the destination file name, as well as a user name and password valid on the specified FTP server.

For detailed information about the default flags used when issuing the ssldump command, as well as customizing the default filter expression, see the SSLDUMP (1) manual pages under UNIX.


tcpdump interactive|tftp|ftp

Creates a dump of the TCP traffic flowing between clients and the currently selected virtual SSL server. The captured information can either be displayed on screen (the default interactive output mode), or saved as a file to a TFTP or FTP server. A TFTP or FTP server can be specified using either the host name or the IP address in dotted decimal notation. You can read a saved TCP traffic dump file using the TCPDUMP or Ethereal application on a remote machine.

If you choose to send the dump to a TFTP server, a number of files will be saved on the server depending on the amount of captured information. A number is appended to the file name given in the CLI, starting at 1 and incremented automatically for additional files. You will be prompted for a destination file name prefix of your own choice.

If you choose to send the dump as a file to an FTP server, you will be prompted for the destination file name, as well as a user name and password valid on the specified FTP server.

For detailed information about the default flags used when issuing the tcpdump command, as well as customizing the default filter expression, see the TCPDUMP (8) manual pages under UNIX.


/cfg/ssl/server <number>/ssl
SSL Settings Configuration

The SSL Settings menu is used for configuring SSL-specific settings for a particular virtual SSL server.

[SSL Settings Menu]
     cert      - Set server certificate
     cachesize - Set SSL cache size
     cachettl  - Set SSL cache timeout
     cacerts   - Set list of accepted signers of client certificates
     cachain   - Set list of CA chain certificates
     protocol  - Set protocol version
     verify    - Set certificate verification level
     ciphers   - Set cipher list
     ena       - Enable SSL
     dis       - Disable SSL

Table 10-19 SSL Settings Menu Options (/cfg/ssl/server/ssl)

Command Syntax and Usage

cert <certificate index number>

Specifies which server certificate is used by the current virtual SSL server. To view basic information about available certificates, use the /info/certs command. To add a new certificate, see “Adding Certificates to the ASA” on page 81.

Note that each virtual SSL server may only use one server certificate.

cachesize <number of SSL sessions>

Sets the size of the SSL cache. The default value is 4000 cached sessions. If you notice that there are many cache misses, the cachesize value can be increased for better performance.

To view the number of cache misses for a virtual SSL server, use the /stats/server #/cachemisse command (where you replace “#” with the index number of the desired virtual SSL server).

cachettl <maximum Time To Live value in seconds>

Sets the maximum Time To Live (TTL) value for items in the SSL cache, before they are discarded. The default TTL value is 5 minutes.


cacerts <certificate index number>

Specifies which of the available CA certificates to use for client authentication. CA certificates are added the same way as an SSL server certificate—either via a cut-and-paste operation, or via TFTP/FTP from a remote host. Both actions are performed from the Certificate menu. To get an overview of available certificates, enter the /info/certs command.

When specifying more than one certificate, use commas to separate the corresponding index numbers. Example: 1,2,5

To clear all specified CA certificates, press ENTER when asked to enter the certificate numbers, then answer yes to the question if you want to clear the list.

Note: If you are using one of the available certificates to generate your own client certificates, you must specify it as a CA certificate in order to successfully authenticate clients. For more information on client authentication, see “Configuring a Virtual SSL Server for Client Authentication” on page 89.

cachain <certificate index number>

Specifies the CA certificate chain of the server certificate. The chain starts with the issuing CA certificate of the server certificate, and can range up to the root CA certificate. This command explicitly constructs the server certificate chain, which is sent to the browser in addition to the server certificate.

When specifying more than one certificate, use commas to separate the corresponding index numbers. Example: 1,2,5

To clear all specified chain certificates, press ENTER when asked to enter the certificate numbers, then answer yes to the question if you want to clear the list.

Note: When configuring the virtual SSL server to use chain certificates, the protocol version must be set to SSL3 or SSL23.

protocol ssl2|ssl3|ssl23|tls1

Specifies the protocol to use when establishing an SSL session with a client. Valid options are:

• ssl2: Only accept SSL 2.0.

• ssl3: Accept SSL 3.0 and TLS 1.0.

• ssl23: Accept SSL 2.0, SSL 3.0, and TLS 1.0.

• tls1: Only accept TLS 1.0.

The default protocol value is ssl3.

verify none|optional|require

Specifies the level of client authentication to use when establishing an SSL session. Valid options are:

• none: No client certificate is required.

• optional: A client certificate is requested, but the client need not present one.

• require: The client must present a valid certificate in order to establish a session.

The default verify value is none.


ciphers <cipher list>

Lets you change the default cipher preference list, which corresponds to ALL@STRENGTH.

For more information about cipher lists, see “Cipher List Formats” on page 345.

ena

Enables SSL on the current virtual SSL server. By default, SSL is enabled on all virtual SSL servers.

dis

Disables SSL on the current virtual SSL server.


/cfg/ssl/server <number>/tcp
SSL Server TCP Settings Configuration

The TCP Settings menu is used for configuring various TCP timeout and buffer size settings on both the client and the virtual SSL server side.

[TCP Settings Menu]
     cwrite   - Set client TCP write timeout
     ckeep    - Set client TCP keep alive timeout
     swrite   - Set server TCP write timeout
     sconnect - Set server TCP connect timeout
     csendbuf - Set client TCP send buffer size
     crecbuf  - Set client TCP receive buffer size
     ssendbuf - Set server TCP send buffer size
     srecbuf  - Set server TCP receive buffer size

Table 10-20 TCP Settings Menu Options (/cfg/ssl/server/tcp)

Command Syntax and Usage

cwrite <client write timeout in seconds>

Sets the timeout value for how long the virtual SSL server should wait for a write operation towards the client(s) to complete.

The default client write timeout value is 15 minutes (900 seconds).

ckeep <client keep alive timeout in seconds>

Sets the timeout value for how long the virtual SSL server should wait before closing an idle session.

The default client keep alive timeout value is 15 minutes (900 seconds).

swrite <server write timeout in seconds>

Sets the timeout value for how long the virtual SSL server should wait for a write operation towards the backend server(s) to complete.

The default server write timeout value is 15 minutes (900 seconds).

sconnect <server connect timeout in seconds>

Sets the timeout value for how long the virtual SSL server should wait for a server connection when trying to open a TCP connection.

The default server connect timeout value is 10 seconds.

csendbuf auto|<buffer size (0-200000 bytes)>

Sets the size of the client TCP send buffer. If you specify a size manually, the buffer size should not be set lower than the normal MTU size, which is 1500 bytes.

The default client TCP send buffer setting is auto.


crecbuf auto|<buffer size (0-200000 bytes)>

Sets the size of the client TCP receive buffer. If you specify a size manually, the buffer size should not be set lower than the normal MTU size, which is 1500 bytes.

The default client TCP receive buffer setting is auto.

ssendbuf auto|<buffer size (0-200000 bytes)>

Sets the size of the server TCP send buffer. If you specify a size manually, the buffer size should not be set lower than the normal MTU size, which is 1500 bytes.

The default server TCP send buffer setting is auto.

srecbuf auto|<buffer size (0-200000 bytes)>

Sets the size of the server TCP receive buffer. If you specify a size manually, the buffer size should not be set lower than the normal MTU size, which is 1500 bytes.

The default server TCP receive buffer setting is 6000.


/cfg/ssl/server <number>/http
SSL Server HTTP Settings Configuration

The HTTP Settings menu is used for configuring HTTP-specific settings for a particular virtual SSL server.

The HTTP Settings menu is only available if the virtual SSL server has been defined as being of the http or portal type. For more information about virtual SSL server types, see the type command on page 192.

[HTTP Settings Menu]
     redirect   - Set handle SSL redirect
     rewrite    - SSL triggered rewrite menu
     sslheader  - Set add SSL header
     addxfor    - Set add X-Forwarded-For header
     addvia     - Set add Via header
     addxisd    - Set add HTTP-X-ISD debug header
     addfront   - Set add Front-End-Https header
     addclicert - Set add Client-Cert as a HTTP header
     addnostore - Set add no-cache/no-store HTTP header
     allowimage - Set allow image caching
     allowdoc   - Set allow document caching
     allowica   - Set allow ica file caching
     cmsie      - Set MSIE session termination bug workaround
     rhost      - Set Rewrite host header to default value
     defaulthos - Set Default host header value
     auth       - User authentication menu
     maxrcount  - Set Max number of persistent client requests
     maxline    - Set Max line length


Table 10-21 HTTP Settings Menu Options (/cfg/ssl/server/http)

Command Syntax and Usage

redirect on|onpath|off|all|allpath

The redirect function is designed to enhance a Web server’s built-in redirect functionality, as illustrated by the example below.

With redirect set to off, the client request

GET /top_page HTTP/1.0
Host: www.testserver.com

may first be redirected by the Web server to

HTTP/1.0 302 Moved Temporarily
Date: Thu, 01 Oct 2003 16:27:51 GMT
Server: inets/2.5.3
Location: http://www.testserver.com:81/login

With redirect set to on, the ASA rewrites http:// to https:// according to the following pattern:

HTTP/1.0 302 Moved Temporarily
Date: Thu, 01 Oct 2003 16:27:51 GMT
Server: inets/2.5.3
Location: https://www.testserver.com/login

Before rewriting http:// to https://, the ASA performs a validation of the following criteria:

• The protocol must be HTTP.

• The domain name in the Host header of the client request must correspond to the domain name in the Location header of the Web server redirect.

• The TCP port in the Web server redirect must correspond to the specified rport value for the virtual SSL server on the ASA.

Other valid options for the redirect command are:

• onpath: An http:// string that is embedded in the path section of an URL is also rewritten to https://, following the same validation criteria as for the on setting.

• off: No Web server redirects are rewritten to https://.

• all: All Web server redirects are rewritten to https://, regardless of the domain name and port in the original client request. Use this setting with caution.

• allpath: An http:// string that is embedded in the path section of an URL is also rewritten to https://, following the same rules as for the all setting.

The default redirect value is on.

Note: When using the redirect feature, the ASA must be configured to use a DNS server, and the responding DNS server must be able to perform reverse DNS lookups. When the ASA performs a reverse DNS query of the virtual server IP address (VIP), the resolved name must match the domain name in the Host header of the client request.
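The redirect decision described above, worked through as an added example in Python. This is illustrative code written for this page, not the ASA’s own implementation: it applies the three validation criteria (scheme, Host match, port equal to rport) and the on/onpath/all/allpath behaviour to a Location value, and rewrites a complete response. The function names, the pattern used to find an embedded http:// string, and the assumption that rport is 81 for the page’s sample redirect are this example’s own choices; the sample response is constructed from the exchange shown above.

```python
# Added example: Location-header rewriting modelled on the ASA redirect modes
# (on/onpath/off/all/allpath). Illustrative code, not the ASA's implementation.
import re
from urllib.parse import urlsplit, urlunsplit

# An http:// URL embedded in the path/query/fragment of a Location value.
# The delimiter set is an assumption made for this example.
EMBEDDED_HTTP = re.compile(r"http://[^\s\"'<>&]+")


def _request_host(host_header):
    """Host header of the client request without any :port suffix, lower-cased."""
    return host_header.split(":", 1)[0].strip().lower()


def _passes_checks(parts, host_header, rport):
    """The three validation criteria the page lists for redirect=on."""
    return (parts.scheme == "http"
            and parts.hostname == _request_host(host_header)
            and (parts.port or 80) == rport)


def _https_form(parts):
    """Same URL with scheme https and no explicit port (the virtual SSL server listens on 443)."""
    return urlunsplit(("https", parts.hostname, parts.path, parts.query, parts.fragment))


def rewrite_location(location, mode, host_header, rport):
    """Return the Location value after applying the given redirect mode."""
    if mode == "off":
        return location
    if mode not in ("on", "onpath", "all", "allpath"):
        raise ValueError("unknown redirect mode: " + mode)
    checked = mode in ("on", "onpath")           # the 'all*' modes skip validation
    parts = urlsplit(location)
    if parts.scheme != "http" or not parts.hostname:
        return location                           # only plain-HTTP redirects are rewritten
    if checked and not _passes_checks(parts, host_header, rport):
        return location

    def fix_embedded(match):
        inner = urlsplit(match.group(0))
        if not inner.hostname or (checked and not _passes_checks(inner, host_header, rport)):
            return match.group(0)
        return _https_form(inner)

    path, query, fragment = parts.path, parts.query, parts.fragment
    if mode in ("onpath", "allpath"):             # also rewrite http:// strings inside the URL
        path, query, fragment = (EMBEDDED_HTTP.sub(fix_embedded, s)
                                 for s in (path, query, fragment))
    return urlunsplit(("https", parts.hostname, path, query, fragment))


def rewrite_response(raw_response, mode, host_header, rport):
    """Apply rewrite_location to the Location header of a raw (CRLF-delimited) HTTP response."""
    head, sep, body = raw_response.partition("\r\n\r\n")
    lines = head.split("\r\n")
    for i, line in enumerate(lines[1:], start=1):
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            lines[i] = "Location: " + rewrite_location(value.strip(), mode, host_header, rport)
    return "\r\n".join(lines) + sep + body


# Constructed sample: the Web server redirect shown on the page, with CRLF line endings.
SAMPLE_REDIRECT = (
    "HTTP/1.0 302 Moved Temporarily\r\n"
    "Date: Thu, 01 Oct 2003 16:27:51 GMT\r\n"
    "Server: inets/2.5.3\r\n"
    "Location: http://www.testserver.com:81/login\r\n"
    "\r\n"
)

if __name__ == "__main__":
    # rport 81 matches the port in the redirect, so mode 'on' rewrites it.
    print(rewrite_response(SAMPLE_REDIRECT, "on", "www.testserver.com", 81))
```

Running the block rewrites the sample redirect to https://www.testserver.com/login. Changing rport to 80, or the Host header to another name, leaves the Location untouched in mode on, while mode all rewrites it regardless; that difference is why the page advises caution with all.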


rewrite

Displays the Rewrite menu. To view menu options, see page 207.

sslheader on|off|remove

Specifies how the virtual SSL server handles the optional X-SSL header. When added, the X-SSL header contains information about the particular cipher suite that was used during the SSL session—information that can be logged on the Web servers. The information can also be used for Web application logical decisions concerning which cipher suites should be accepted. Such a decision would then override the default cipher suite setting for a virtual SSL server on the ASA.

Example of an added X-SSL header:

X-SSL: decrypted=true, ciphers="TLSv1/SSLv3 RC4-MD5"

In case you have configured the virtual SSL server to require client certificates, information about the certificate issuer, the certificate subject, and the serial number is extracted from the client certificate and added to the encryption information in the X-SSL header.

Valid options for the sslheader command are:

• on: An X-SSL header is added to the client request.

• off: No X-SSL header is added to the client request.

• remove: The X-SSL header is removed, if present, from the current client request.

The default value for the sslheader setting is on.

addxfor on|off|anonymous|remove

Specifies how the virtual SSL server handles the optional X-Forwarded-For HTTP header. When added, the X-Forwarded-For header contains information about the peer IP address of the current client connection. This information can be used for enhanced logging purposes.

Valid options for the addxfor command are:

• on: An X-Forwarded-For header is added to the current client request.

• off: No action whatsoever is taken regarding the X-Forwarded-For header.

• anonymous: The peer IP address of the current client connection is hidden.

• remove: The X-Forwarded-For header is removed, if present, from the current client request.

The default value for the addxfor setting is off.

Note: If there is more than one ASA in a cluster and transparent proxy is set to off, then firewall load balancing (on the Alteon Application Switch) must also be set to off for the addxfor feature to work.


addvia on|off|anonymous|remove

Specifies how the virtual SSL server handles the Via HTTP header. When added, the Via HTTP header contains information about the IP address of the virtual server on the Alteon Application Switch.

Valid options for the addvia command are:

• on: A Via header is added to the current client request.

• off: No action whatsoever is taken regarding the Via header.

• anonymous: The IP address of the virtual server is hidden.

• remove: The Via header is removed, if present, from the current client request.

The default value for the addvia setting is on.

addxisd on|off

Specifies how the virtual SSL server handles the optional HTTP-X-ISD header. This header can be used for debugging purposes when end to end encryption or load balancing of backend servers is performed by the ASA. When added, the extra HTTP-X-ISD header contains information about the IP addresses of both the ASA that initiated the request and the responding backend server, the internal index number of the responding backend server, whether connection pooling is enabled, the load balancing type and metric, and finally, whether end to end encryption was performed.

Example of an added HTTP-X-ISD header:

HTTP-X-ISD: 192.168.128.25 192.168.100.1 index=2; pool=on;lb=all-roundrobin; type=http-https

Valid options for the addxisd command are:

• on: An HTTP-X-ISD header is added to the client request.

• off: No HTTP-X-ISD header is added to the client request.

The default value for the addxisd setting is off.

addfront on|off|anonymous|remove

Specifies how the virtual SSL server handles the Front-End-HTTPS header. When using Outlook Web Access (OWA) for Microsoft Exchange in combination with the ASA, the virtual SSL server must be configured to add this extra header. The Front-End-HTTPS header enables the receiving OWA server to transform embedded HTTP URLs in a correct manner.

Valid options for the addfront command are:

• on: An extra Front-End-HTTPS header is added to the client request.

• off: No extra Front-End-HTTPS header is added to the client request.

• anonymous: No action whatsoever is taken regarding the Front-End-HTTPS header.

• remove: The Front-End-HTTPS header is removed, if present, from the current client request.

The default value for the addfront setting is off.


addclicert on|off

Specifies how the virtual SSL server handles the optional X-Client-Cert HTTP header. When added, the ASA will insert the entire client certificate (in PEM format) as a multiline HTTP header. The backend Web servers can then perform additional user authentication, based on the information in the client certificate. The backend servers can also make use of any auxiliary fields in the client certificate.

Valid options for the addclicert command are:

• on: An extra X-Client-Cert HTTP header is added to the client request.

• off: No extra X-Client-Cert HTTP header is added to the client request.

The default value for the addclicert setting is off.

addnostore on|off

Specifies how the virtual SSL server handles the Cache-Control header in an HTTP 1.1 client connection request, or the Pragma header in an HTTP 1.0 client connection request. When added, the inadvertent release or retention of sensitive information is prevented by not allowing any part of the message to be stored in non-volatile storage. Information stored in volatile storage is removed as promptly as possible after having been forwarded.

Valid options for the addnostore command are:

• on: A Cache-Control: no-store general-header is added to a client HTTP 1.1 request, and a Pragma: no-cache general-header is added to a client HTTP 1.0 request.

• off: No Cache-Control or Pragma header is added to the client request.

The default value for the addnostore setting is on for all virtual SSL servers of the http type.

allowimage on|off

Specifies whether or not to allow caching of images.

• on: No no-cache/no-store headers for images are added.

• off: No-cache/no-store headers for images are added.

allowdoc on|off

Specifies whether or not to allow caching of PDF, Word and Excel documents when clicking document links on intranet web pages during a portal session. To be able to open a document via Internet Explorer, this setting should be set to on (default value). However, for security reasons you might want to turn caching of documents off. You can still save a document to your computer by right-clicking it and selecting Save target as.

• on: No no-cache/no-store headers for documents are added.

• off: No-cache/no-store headers for documents are added.

allowica on|off

When running Citrix using a web client, caching must be allowed. This setting turns off the no-cache headers for ica files.

• on: No no-cache/no-store headers for ica files are added.

• off: No-cache/no-store headers for ica files are added.
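The addxfor, addvia and addnostore settings above, together with the allowimage, allowdoc and allowica exemptions, worked through as one added example in Python that shows how a client request is changed before it is forwarded. This is illustrative code written for this page, not the ASA’s own implementation. The file extensions used to recognise images, documents and ica files, the literal values used for the anonymous modes (“unknown” and the pseudonym “hidden”, since the page only says the address is hidden), the on defaults assumed for allowimage and allowica (the page gives none), and the sample request are all this example’s own assumptions.

```python
# Added example: effect of addxfor, addvia, addnostore and the allow* exemptions on a
# client request. Illustrative code, not the ASA's implementation.
from dataclasses import dataclass

# Extensions used to recognise the exempted object types (assumed for this example).
IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png")
DOC_EXT = (".pdf", ".doc", ".xls")
ICA_EXT = (".ica",)


@dataclass
class HttpSettings:
    addxfor: str = "off"     # on | off | anonymous | remove (page default: off)
    addvia: str = "on"       # on | off | anonymous | remove (page default: on)
    addnostore: str = "on"   # on | off (page default for http servers: on)
    allowimage: bool = True  # page gives no default; assumed on
    allowdoc: bool = True    # page default: on
    allowica: bool = True    # page gives no default; assumed on


def parse_request(raw):
    """Split a CRLF-delimited request into (request line, [(name, value), ...], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def serialize_request(request_line, headers, body):
    return request_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n" + body


def header_value(headers, name):
    """First value of a header (case-insensitive name), or None if absent."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def _without(headers, name):
    return [(n, v) for n, v in headers if n.lower() != name.lower()]


def _apply_peer_header(headers, name, mode, real_value, anonymous_value):
    """Common on/off/anonymous/remove handling for X-Forwarded-For and Via."""
    if mode == "off":
        return headers                            # whatever the client sent passes through
    if mode == "remove":
        return _without(headers, name)
    if mode in ("on", "anonymous"):
        value = real_value if mode == "on" else anonymous_value
        existing = header_value(headers, name)
        merged = f"{existing}, {value}" if existing else value   # proxies append, not replace
        return _without(headers, name) + [(name, merged)]
    raise ValueError(f"unknown mode for {name}: {mode}")


def _caching_exempt(path, s):
    """True when the allow* settings say no no-cache/no-store header should be added."""
    p = path.split("?", 1)[0].lower()
    return ((s.allowimage and p.endswith(IMAGE_EXT))
            or (s.allowdoc and p.endswith(DOC_EXT))
            or (s.allowica and p.endswith(ICA_EXT)))


def process_request(raw, settings, client_ip, vip):
    """Return the request as it would be forwarded to the backend server."""
    request_line, headers, body = parse_request(raw)
    method, path, version = request_line.split(" ", 2)
    recv_proto = version.split("/", 1)[1]         # "1.0" or "1.1", for the Via header

    headers = _apply_peer_header(headers, "X-Forwarded-For", settings.addxfor,
                                 client_ip, "unknown")
    headers = _apply_peer_header(headers, "Via", settings.addvia,
                                 f"{recv_proto} {vip}", f"{recv_proto} hidden")

    if settings.addnostore == "on" and not _caching_exempt(path, settings):
        if version == "HTTP/1.1":
            headers.append(("Cache-Control", "no-store"))
        else:                                     # HTTP/1.0 clients only understand Pragma
            headers.append(("Pragma", "no-cache"))
    return serialize_request(request_line, headers, body)


# Constructed sample: a request from 192.0.2.10 that already carries an X-Forwarded-For
# header of its own, which is what a backend sees unchanged when addxfor is off.
SAMPLE_REQUEST = (
    "GET /intranet/report.pdf HTTP/1.1\r\n"
    "Host: www.testserver.com\r\n"
    "X-Forwarded-For: 10.0.0.1\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(process_request(SAMPLE_REQUEST, HttpSettings(addxfor="on", allowdoc=False),
                          "192.0.2.10", "192.0.2.1"))
```

With addxfor set to on the forwarded request carries both the client-supplied value and the real peer address, so a backend that logs the header should read the last entry, which is the only one the ASA vouches for; with addxfor off the client-supplied value reaches the backend unchanged.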


cmsie on|off|shut

Specifies how the virtual SSL server handles the Microsoft Internet Explorer (MSIE) session termination bug workaround.

Valid options for the cmsie command are:

• on: If the client Web browser is MSIE, the virtual SSL server uses the RST (reset) TCP flag instead of the FIN (finish) TCP flag to terminate the client connection.

• off: The virtual SSL server will always use the FIN (finish) TCP flag to decide when to terminate a client connection.

• shut: Since terminating the session with RST may cause problems in some network environments, the ASA can be configured to close Windows MSIE SSL sessions with a TCP FIN but without an SSL shutdown, which also circumvents the MSIE SSL session termination bug.

The default value for the cmsie setting is shut.

rhost on|off

Specifies how the virtual SSL server handles the Host header in a HTTP client connection request. The rhost setting is mainly used when configuring the ASA for Global Server Load Balancing in conjunction with the related Alteon WebSwitch settings.

Valid options for the rhost command are:

• on: The Host header contained in a HTTP client connection request is rewritten to the default value that is defined by using the /cfg/ssl/server #/http/defaulthos command. If the client Web browser does not include a Host header in its connection request, the default Host header is added.

• off: No action whatsoever is taken regarding the Host header.

The default value for the rhost setting is off.

defaulthos <default host header text string>

Assigns a default text string to the Host header contained in an HTTP client connection request. The default host header text string you define is applied to the Host header in incoming HTTP client connection requests only when the rhost setting is set to on.

auth

Displays the WWW-Authenticate Settings menu. To view menu options, see page 208.

maxrcount <numerical value>

Sets the maximum number of persistent HTTP client requests allowed at a given time.

The default value for the maxrcount setting is 40.

maxline <numerical value>

Sets the maximum length of HTTP headers contained in a HTTP client connection request.

The default value for the maxline setting is 8192.


/cfg/ssl/server <number>/http/rewrite
SSL Server HTTP Rewrite Configuration

The Rewrite menu is used for enabling and configuring the HTTP rewrite functionality for a particular virtual SSL server.

[Rewrite Menu]
     rewrite  - Set SSL triggered rewrite
     ciphers  - Set accepted ciphers
     response - Set source of response
     URI      - Set URI with the weak cipher alert

Table 10-22 Rewrite Menu Options (/cfg/ssl/server/http/rewrite)

Command Syntax and Usage

rewrite on|off

Enables or disables the rewrite functionality for the current virtual SSL server. When you enable the rewrite functionality, a customized error message can be sent back to the client’s Web browser in case the browser cannot negotiate the required cipher strength. If the rewrite functionality is not enabled in such a scenario, the client request is simply rejected during the SSL handshake. For more information about how to configure an SSL server to use the rewrite functionality, see the “Configuring the ASA to Rewrite Client Requests” chapter in your Alteon SSL Accelerator 4.1.2 Application Guide.

The default rewrite setting is off.

ciphers <cipher list>

Lets you change the cipher list used when the SSL rewrite function is enabled. The default cipher list used when the rewrite function is not enabled corresponds to ALL@STRENGTH.

When the rewrite function is enabled, the default rewrite cipher list is HIGH:MEDIUM.

If you change the default rewrite cipher list from HIGH:MEDIUM when having the rewrite function enabled, remember that the rewrite cipher strength must always be higher than the cipher strength specified by using the /cfg/ssl/server #/ssl/ciphers command (where the default cipher list is ALL@STRENGTH).

For more information about supported ciphers and cipher list formats, see page 343.
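Both cipher settings on this page, /ssl/ciphers (default ALL@STRENGTH) and the rewrite ciphers list (default HIGH:MEDIUM), use the OpenSSL cipher-list format, so the relationship between them can be checked against a local OpenSSL build before it is committed to the ASA. The following is an added example in Python using the standard ssl module; it is not ASA code and does not reproduce how the ASA itself resolves a list. The two checks it performs (every suite the rewrite list selects is also in the server list, and the weakest suite is no weaker) are this example’s reading of the page’s rule that the rewrite strength must not be lower; the results depend on the OpenSSL version Python is linked against.

```python
# Added example: resolving OpenSSL-format cipher lists (the format used by the ASA's
# /ssl/ciphers and rewrite ciphers settings) with the local OpenSSL build.
# Illustrative code using Python's ssl module, not the ASA's implementation.
import ssl


def expand_cipher_list(spec):
    """Suites an OpenSSL cipher-list string selects, in preference order.

    TLS 1.3 suites are left out: they are not governed by the cipher-list string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)               # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weakest_suite(spec):
    """(name, strength_bits) of the weakest suite the list still accepts.

    A sort directive such as @STRENGTH only changes the order of preference; it
    excludes nothing, so ALL@STRENGTH still accepts the weakest suite in ALL.
    """
    suites = expand_cipher_list(spec)
    c = min(suites, key=lambda c: c["strength_bits"])
    return c["name"], c["strength_bits"]


def rewrite_list_is_consistent(ssl_ciphers, rewrite_ciphers):
    """Check that the rewrite list is not weaker than the server's /ssl/ciphers list.

    Interpreted here as: every suite the rewrite list selects is also selected by the
    server list, and its weakest suite is at least as strong as the server list's.
    """
    server = {c["name"] for c in expand_cipher_list(ssl_ciphers)}
    rewrite = expand_cipher_list(rewrite_ciphers)
    if not rewrite:
        return False
    subset_ok = all(c["name"] in server for c in rewrite)
    strength_ok = weakest_suite(rewrite_ciphers)[1] >= weakest_suite(ssl_ciphers)[1]
    return subset_ok and strength_ok


if __name__ == "__main__":
    for spec in ("ALL@STRENGTH", "HIGH:MEDIUM", "HIGH"):
        print(f"{spec:14s} {len(expand_cipher_list(spec)):3d} suites, weakest {weakest_suite(spec)}")
    print("HIGH:MEDIUM consistent with ALL@STRENGTH:",
          rewrite_list_is_consistent("ALL@STRENGTH", "HIGH:MEDIUM"))
```

The point the output makes is that ALL@STRENGTH is an ordering, not a restriction: it places the strongest suites first but still accepts every suite in ALL, which is why the page’s default rewrite list HIGH:MEDIUM is a strictly narrower selection than the server default.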

response iSD|WebServer

Specifies whether the iSD (ASA) or a Web server should handle the response message sent back to the client. When response is set to WebServer, use the URI command to point to a resource on a Web server that can provide a customized error message.

The default response setting is iSD.

URI <IP address and path to Web server resource for response message>

Sets the URI pointing to a resource on a WebServer that provides the response message (when response is set to WebServer).


/cfg/ssl/server <number>/http/auth
SSL Server WWW Authentication Settings Configuration

The WWW-Authenticate Settings menu is used for restricting access to internal Web servers whose DNS names correspond to the virtual server IP (VIP) address assigned to the current SSL server.

Users who try to access the resources included in the WWW authentication scheme need to provide their user name and password. These credentials are then validated against one or more authentication methods and user access groups defined in the Xnet domain that you specify as part of the WWW authentication configuration. In the context of WWW authentication, the significance of the Xnet domain is limited to the authentication method used for validating a user’s credentials, as well as the validation of a user’s group membership and associated access control lists.

The WWW-Authenticate Settings menu is only available if the virtual SSL server has been defined as being of the http type. For more information about virtual SSL server types, see the type command on page 192.

[WWW-Authenticate Settings Menu]
     mode  - Set authentication mode
     realm - Set realm for authentication
     xnet  - Set xnet domain
     ena   - Enable HTTP User Authentication
     dis   - Disable HTTP User Authentication

Table 10-23 WWW-Authenticate Settings Menu Options (/cfg/ssl/server/http/auth)

Command Syntax and Usage

mode basic|digest|ntlm|portal

Sets the authentication mode used by the virtual SSL server. Valid options are:

• basic: When using basic authentication mode, a login popup window is displayed when the user tries to access the restricted resource. Use basic mode if you don’t have an SSL VPN portal through which users can be authenticated.

• digest: Not implemented yet.

• ntlm: Not implemented yet.

• portal: When using portal authentication mode, the SSL VPN portal Login page is displayed in the user’s Web browser when trying to access the restricted resource. For an SSL VPN user who already has logged in via the portal page and tries to access a resource restricted by WWW authentication, the login page will not be displayed again.

The default authentication mode is basic.


realm <name of the realm>

Assigns a name to the realm. The realm is mainly for the user’s own information, and is displayed in the login popup window (when using basic authentication mode).

The default realm name is Xnet.

xnet <Xnet domain number>

Sets the Xnet domain, identified by its domain number. In the context of WWW authentication, the significance of the Xnet domain is limited to applying the authentication methods contained in the Xnet domain configuration.

For basic authentication mode, specify the Xnet domain in which you have defined the user access groups that should be provided access to the restricted resource. Make sure that the access rules allow access to the password restricted resource.

For portal authentication mode, specify the Xnet domain whose SSL VPN portal you want to use for authenticating users who try to access the password restricted resource. As when using basic authentication mode, the Xnet domain you specify must encompass the user access groups that should be provided access to the restricted resource.

ena

Enables HTTP user authentication.

dis

Disables HTTP user authentication.

Table 10-23 WWW-Authenticate Settings Menu Options (/cfg/ssl/server/http/auth)

Command Syntax and Usage


/cfg/ssl/server <number>/dns
SSL Server DNS Settings Configuration

The DNS Settings menu is used for specifying the default DNS domain name associated with the virtual server IP (VIP) address that is assigned to the current SSL server. The menu is also used for specifying the order in which DNS domain names are searched when an SSL VPN user enters an incomplete URL on the SSL VPN Portal’s Browse Intranet tab.

The DNS Settings menu is only available when the virtual SSL server has been defined as being of the http, socks, or portal type. For more information about virtual SSL server types, see the type command on page 192.

[DNS Settings Menu]
     domain   - Set the default domain for vip
     search   - Set DNS search list

Table 10-24 DNS Settings Menu Options (/cfg/ssl/server/dns)

Command Syntax and Usage

domain <domain name>

Sets the default DNS domain name associated with the virtual server IP (VIP) address that is assigned to the current virtual SSL server. Specifying a default DNS domain name is useful if you want the client Web browser to send the cookie set by the current SSL server to all virtual SSL servers residing in the same domain. This eliminates the need for an SSL VPN user to log in repeatedly when requesting various intranet resources after having logged in to the SSL VPN portal. To enable this feature, the current SSL server must be of the portal type, and the domain setting must be set to on. To change the current domain setting for the SSL server, use the /cfg/ssl/server #/portal/domain command.

Typically, you specify only the second level domain name and the top level domain name.

Example: secondleveldomain.topleveldomain

search <domain names, separated by comma>

Sets the search domains, which are automatically appended to the host names an SSL VPN user types in the various address fields in the SSL VPN Portal (if a match is found). For example, if you specify the search domain example.com, an SSL VPN user can access the Web page inside.example.com by only typing inside in the URL field displayed on the Browse Intranet page in the SSL VPN portal.

If you specify more than one domain name, separate the names with comma (,). The domains are tried in the order you specify them, and the search stops at the first domain in which the host name resolves.


/cfg/ssl/server <number>/socks
Socks Settings Configuration

From SSL VPN version 4.1, SOCKS support is also enabled for portal servers, using the /cfg/ssl/server 1/portal/applet command (enabled by default). The Socks Settings menu is still available for backward compatibility and for customers who want support for the SSL VPN client only (i.e. no SSL VPN Portal support is required).

The Socks Settings menu is only available if the virtual SSL server has been defined as being of the Socks type. For more information about virtual SSL server types, see the type command on page 192.

[Socks Settings Menu]
     version    - Set socks version
     methods    - Set socks methods
     commands   - Set socks commands
     xnet       - Set xnet domain
     defgroup   - Set default group
     hproxy     - Set support for portal http proxy applet
     http       - HTTP proxy settings menu

Table 10-25 Socks Settings Menu Options (/cfg/ssl/server/socks)

Command Syntax and Usage

version v4|v5|v45

Sets the Socks protocol version used in the communication between the ASA cluster and SSL VPN socks clients. Valid options are:

• v4: Only protocol version 4 is accepted.

• v5: Only protocol version 5 is accepted; socks clients using version 4 are rejected.

• v45: Both protocol versions 4 and 5 are accepted.

The default Socks protocol setting is v45.

Note: Socks version 4 supports neither strong authentication nor authentication method negotiation. Because the methods setting below does not apply to version 4 clients, keeping the v45 default means a SOCKS4 client is accepted without the username/password authentication that version 5 clients are required to perform. Set version to v5 unless SOCKS4 clients must be supported.


methods user|none

Sets the preferred Socks authentication method(s) for Socks protocol version 5. For clients connecting with Socks protocol version 4, these settings are ignored since version 4 does not support authentication. The authentication method you set here comes into play when an SSL VPN user connects to the Xnet domain using the SSL VPN client (i.e. not via the SSL VPN Portal).

The available options are:

• user: Username/Password client authentication is required.

• none: No client authentication is required. When setting the Socks authentication method to none, make sure you also specify a default user access group (using the defgroup command).

The default Socks authentication method is set to user.

Note: The Socks authentication method you specify here interacts with the authentication methods defined in the Xnet domain using the /cfg/xnet/domain #/auth command. When the Socks method is set to user, an SSL VPN user connecting to the Xnet domain in “transparent mode” is prompted for the user name and password via a pop-up window. These credentials are then verified against one of the authentication methods defined in the Xnet domain. If a match is found, the SSL VPN user is authenticated and the user’s group membership is determined.

commands <connect, bind>

Sets the permitted Socks client command(s). If you enter more than one command, separate the entries using comma (,).

The available options are:

• connect: Allows the Socks client to send a CONNECT request to the server when it wants to establish a connection to an application server (the destination host).

• bind: Allows the Socks client to send a BIND request when it wants to prepare for an inbound connection from an application server (the destination host). A client BIND request is only sent after a primary connection to the application server has been established with a CONNECT request.

The default Socks commands are set to connect and bind.
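The version, methods and commands checks described above, shown on the wire. This is an added example and not code from the manual or from Nortel: it applies the three settings to raw SOCKS4 and SOCKS5 messages using the byte layouts of the SOCKS4 protocol description and RFC 1928. Only accept/reject is modelled; what the ASA does after a successful negotiation is not shown, and the message bytes in the tests are constructed.

```python
"""SOCKS version, method and command checks modelled on the Socks Settings menu.

Added example (not Nortel code). It applies the `version`, `methods` and
`commands` settings to raw SOCKS4 and SOCKS5 messages using the wire formats
from the SOCKS4 protocol description and RFC 1928. Only accept/reject is
modelled; what the ASA does after a successful negotiation is not shown.
"""

# RFC 1928 method identifiers and request command codes
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
V5_CMD = {0x01: "connect", 0x02: "bind", 0x03: "udp-associate"}
V5_REP_CMD_NOT_SUPPORTED = 0x07
# SOCKS4 command codes and result codes
V4_CMD = {0x01: "connect", 0x02: "bind"}
V4_GRANTED, V4_REJECTED = 0x5A, 0x5B

# ASA `methods` setting -> RFC 1928 method the server selects
ASA_METHOD = {"user": USERPASS, "none": NO_AUTH}


def socks5_greeting(greeting, version="v45", methods="user"):
    """Answer a SOCKS5 client greeting (VER NMETHODS METHODS...).

    Returns (reply_bytes, accepted). An empty reply means the connection is
    dropped without an answer (wrong or disallowed protocol version).
    """
    if len(greeting) < 2 or greeting[0] != 5 or version == "v4":
        return b"", False
    nmethods = greeting[1]
    offered = greeting[2:2 + nmethods]
    wanted = ASA_METHOD[methods]
    if wanted in offered:
        return bytes([5, wanted]), True
    # No acceptable method: reply X'FF'; the client must close (RFC 1928 s.3).
    return bytes([5, NO_ACCEPTABLE]), False


def socks5_request(request, commands=("connect", "bind")):
    """Check the CMD byte of a SOCKS5 request (VER CMD RSV ATYP DST.ADDR DST.PORT).

    Returns (reply_bytes, accepted). The reply is empty when the command is
    allowed, because the real reply depends on the upstream connect/bind.
    """
    if V5_CMD.get(request[1]) in commands:
        return b"", True
    # VER REP=command not supported RSV ATYP=IPv4 BND.ADDR=0.0.0.0 BND.PORT=0
    return bytes([5, V5_REP_CMD_NOT_SUPPORTED, 0, 1, 0, 0, 0, 0, 0, 0]), False


def socks4_request(request, version="v45", commands=("connect", "bind")):
    """Handle a SOCKS4 request (VN CD DSTPORT DSTIP USERID NUL).

    SOCKS4 has no method negotiation, so `methods` never applies: a version 4
    client that gets through is unauthenticated. Returns (reply_bytes, accepted).
    """
    if len(request) < 9 or request[0] != 4 or version == "v5":
        return b"", False
    code = V4_GRANTED if V4_CMD.get(request[1]) in commands else V4_REJECTED
    # SOCKS4 reply: VN=0, CD=result, then DSTPORT and DSTIP echoed back
    return bytes([0, code]) + request[2:8], code == V4_GRANTED
```

The last function is the point of the note above: with version v45 and methods user, a SOCKS4 client is granted a CONNECT with nothing more than the USERID string of its request, which is why v5 is the setting to prefer when the SSL VPN client population allows it.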

xnet <Xnet domain identified by number>

Maps the current socks SSL server to a configured Xnet domain. To get an overview of the available Xnet domains and their respective configurations, use the /cfg/xnet/cur command.


defgroup <default group by name>

Sets an existing user access group that has been defined using the /cfg/xnet/domain #/group command as the default user access group.

The default group is applied when an SSL VPN user’s group membership cannot be determined. This typically happens when an SSL VPN user connects to the Xnet domain in “transparent mode”, and the Socks authentication is set to none. In such a case, the non-authenticated SSL VPN user will automatically become a member of the specified default group, and the access control lists associated with the default group will determine which rights are granted to the user.

Note: Because the user to which the default group applies is not authenticated by any means, make sure that the access control lists associated with the group do not grant excessive rights.

hproxy on|off

Enables support for the HTTP proxy Java applet that can run in the client browser when the Xnet domain is configured to run in browser-based mode. As the name implies, the HTTP proxy Java applet acts as an HTTP proxy to the client web browser and tunnels HTTP traffic to the Xnet domain via Socks and SSL. By enabling support for the HTTP proxy Java applet, no URLs in Web pages sent to the client browser will break. However, the user will need to reconfigure the proxy server settings in the browser to access intranet Web servers. Instructions for how to change these settings are provided in a pop-up window on the portal Web page when the SSL VPN user selects a service where the HTTP proxy Java applet is involved.

The default hproxy setting is off.

Note! From version 4.1, support for the HTTP Proxy Java applet is enabled by default for portal servers, with the /cfg/ssl/server 1/portal/applet setting.

http

Displays the HTTP Proxy Settings menu. To view menu options, see page 214.


/cfg/ssl/server <number>/socks/http
HTTP Proxy Settings Configuration

The HTTP Proxy Settings menu is used to specify how the virtual SSL server should handle different types of HTTP headers.

[HTTP Proxy Settings Menu]
     sslheader  - Set add SSL header
     sslsidhead - Set add SSL SID header
     addxfor    - Set add X-Forwarded-For header
     addvia     - Set add Via header
     addxisd    - Set add HTTP-X-ISD debug header
     addclicert - Set add Client-Cert as a HTTP header
     addnostore - Set add no-cache/no-store HTTP header
     maxrcount  - Set Max number of persistent client requests
     maxline    - Set Max line length

Table 10-26 HTTP Proxy Settings Menu Options (/cfg/ssl/server/socks/http)

Command Syntax and Usage

sslheader on|off|remove

Specifies how the virtual SSL server handles the optional X-SSL header. When added, the X-SSL header contains information about the particular cipher suite that was used during the SSL session, information that can be logged on the Web servers. The information can also be used for Web application logical decisions concerning which cipher suites should be accepted. Such a decision would then override the default cipher suite setting for a virtual SSL server on the ASA.

Example of an added X-SSL header:

X-SSL: decrypted=true, ciphers="TLSv1/SSLv3 RC4-MD5"

In case you have configured the virtual SSL server to require client certificates, information about the certificate issuer, the certificate subject, and the serial number is extracted from the client certificate and added to the encryption information in the X-SSL header.

Valid options for the sslheader command are:

• on: An X-SSL header is added to the client request.

• off: No X-SSL header is added to the client request.

• remove: The X-SSL header is removed, if present, from the current client request.

The default value for the sslheader setting is on.

Note: A backend application that makes decisions on X-SSL must accept the header only from the ASA. With off, nothing is added and nothing is documented to be removed, so a client-supplied X-SSL header may reach the backend; use remove on any server whose backend must never see a client-supplied copy.


addxfor on|off|anonymous|remove

Specifies how the virtual SSL server handles the optional X-Forwarded-For HTTP header. When added, the X-Forwarded-For header contains the peer IP address of the current client connection. This information can be used for enhanced logging purposes.

Valid options for the addxfor command are:

• on: An X-Forwarded-For header is added to the current client request.

• off: No action whatsoever is taken regarding the X-Forwarded-For header.

• anonymous: The peer IP address of the current client connection is hidden.

• remove: The X-Forwarded-For header is removed, if present, from the current client request.

The default value for the addxfor setting is off.

Note: With off, an X-Forwarded-For header supplied by the client itself is forwarded unchanged, so backend logs and any access control keyed on that header can be fed a spoofed address. Use remove where the backend must not see client-supplied values.

Note: If there is more than one ASA in a cluster and transparent proxy is set to off, then firewall load balancing (on the Alteon Application Switch) must also be set to off for the addxfor feature to work.

addvia on|off|anonymous|remove

Specifies how the virtual SSL server handles the Via HTTP header. When added, the Via HTTP header contains information about the IP address of the virtual server on the Alteon Application Switch.

Valid options for the addvia command are:

• on: A Via header is added to the current client request.

• off: No action whatsoever is taken regarding the Via header.

• anonymous: The IP address of the virtual server is hidden.

• remove: The Via header is removed, if present, from the current client request.

The default value for the addvia setting is on.

addxisd on|off

Specifies how the virtual SSL server handles the optional HTTP-X-ISD header. This header can be used for debugging purposes when end to end encryption or load balancing of backend servers is performed by the ASA. When added, the extra HTTP-X-ISD header contains the IP addresses of both the ASA that initiated the request and the responding backend server, the internal index number of the responding backend server, whether connection pooling is enabled, the load balancing type and metric, and finally, whether end to end encryption was performed.

Example of an added HTTP-X-ISD header:

HTTP-X-ISD: 192.168.128.25 192.168.100.1 index=2; pool=on;lb=all-roundrobin; type=http-https

Valid options for the addxisd command are:

• on: An HTTP-X-ISD header is added to the client request.

• off: No HTTP-X-ISD header is added to the client request.

The default value for the addxisd setting is off. Because the header reveals internal addresses and the load balancing layout to whoever can read the backend request, leave it off outside of debugging sessions.


addclicert on|off

Specifies how the virtual SSL server handles the optional X-Client-Cert HTTP header. When added, the ASA will insert the entire client certificate (in PEM format) as a multiline HTTP header. The backend Web servers can then perform additional user authentication, based on the information in the client certificate. The backend servers can also make use of any auxiliary fields in the client certificate.

Valid options for the addclicert command are:

• on: An extra X-Client-Cert HTTP header is added to the client request.

• off: No extra X-Client-Cert HTTP header is added to the client request.

The default value for the addclicert setting is off.

Note: A backend that authenticates users from X-Client-Cert must accept the header only on connections that arrive from the ASA. To the backend the header is plain text, and nothing in this setting stops a client from sending a header of the same name.

addnostore on|off

Specifies how the virtual SSL server handles the Cache-Control header in a HTTP 1.1 client connection request, or the Pragma header in a HTTP 1.0 client connection request. When added, the inadvertent release or retention of sensitive information is prevented by not allowing any part of the message to be stored in non-volatile storage. Information stored in volatile storage is removed as promptly as possible after having been forwarded.

Valid options for the addnostore command are:

• on: A Cache-Control: no-store general-header is added to a client HTTP 1.1 request, and a Pragma: no-cache general-header is added to a client HTTP 1.0 request.

• off: No Cache-Control or Pragma header is added to the client request.

The default value for the addnostore setting is off for all virtual SSL servers of the http type, and on for virtual SSL servers of the socks type where support for HTTP proxy applet has been enabled.

maxrcount <numerical value>

Sets the maximum number of persistent HTTP client requests allowed at a given time.

The default value for the maxrcount setting is 40.

maxline <numerical value>

Sets the maximum length of HTTP headers contained in a HTTP client connection request.

The default value for the maxline setting is 8192.
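The header policies of this menu, applied to a request. This is an added example and not code from the manual or from Nortel: it parses a raw HTTP/1.x request head, enforces maxline, and applies the addxfor, addvia and addnostore settings. What the ASA actually writes into a header is not spelled out above, so the example assumes that on replaces any client-supplied copy with the proxy's own value, that anonymous writes the token "unknown" in place of an address, that remove strips the header, and that off leaves the request untouched. The sample request is constructed and deliberately carries a client-supplied X-Forwarded-For header.

```python
"""Request-header handling modelled on the HTTP Proxy Settings menu.

Added example (not Nortel code). It parses a raw HTTP/1.x request, enforces
`maxline`, and applies the `addxfor`, `addvia` and `addnostore` policies.
The exact text the ASA writes is an assumption modelled on the descriptions
in the menu: `on` replaces any client-supplied copy of the header with the
proxy's own value, `anonymous` writes the token "unknown" instead of an
address, `remove` strips the header, and `off` leaves the request untouched.
"""


class HeaderTooLong(ValueError):
    """A request line or header line exceeded `maxline` (default 8192)."""


def parse_request(raw, maxline=8192):
    """Split a request head into (request_line, [(name, value), ...]).

    Line length is checked before any header is interpreted, so an oversized
    header is refused rather than buffered.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    for line in lines:
        if len(line) > maxline:
            raise HeaderTooLong(f"{len(line)} byte line exceeds maxline={maxline}")
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip(), value.strip()))
    return request_line, headers


def _drop(headers, name):
    return [(n, v) for n, v in headers if n.lower() != name.lower()]


def _set(headers, name, value):
    """Replace every header called `name` with one header carrying `value`."""
    return _drop(headers, name) + [(name, value)]


def apply_proxy_policy(raw, peer_ip, vip, addxfor="off", addvia="on",
                       addnostore="off", maxline=8192):
    """Return the request bytes the backend sees after the header policy."""
    request_line, headers = parse_request(raw, maxline)
    proto_version = request_line.rsplit(" ", 1)[-1]          # e.g. "HTTP/1.1"
    via_value = proto_version.split("/", 1)[-1] + " "        # "Via: 1.1 <host>"

    if addxfor == "on":
        headers = _set(headers, "X-Forwarded-For", peer_ip)
    elif addxfor == "anonymous":
        headers = _set(headers, "X-Forwarded-For", "unknown")
    elif addxfor == "remove":
        headers = _drop(headers, "X-Forwarded-For")
    # addxfor == "off": a client-supplied X-Forwarded-For passes through as is

    if addvia == "on":
        headers = _set(headers, "Via", via_value + vip)
    elif addvia == "anonymous":
        headers = _set(headers, "Via", via_value + "unknown")
    elif addvia == "remove":
        headers = _drop(headers, "Via")

    if addnostore == "on":
        if proto_version == "HTTP/1.1":
            headers = _set(headers, "Cache-Control", "no-store")
        else:
            headers = _set(headers, "Pragma", "no-cache")

    out = [request_line] + [f"{n}: {v}" for n, v in headers]
    return ("\r\n".join(out) + "\r\n\r\n").encode("latin-1")


def header_value(raw, name):
    """Value of the first header called `name` in a request, or None."""
    _, headers = parse_request(raw, maxline=1 << 20)
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


# Constructed sample: the client itself sends an X-Forwarded-For header.
SAMPLE_REQUEST = (b"GET /site/file.html HTTP/1.1\r\n"
                  b"Host: inside.example.com\r\n"
                  b"X-Forwarded-For: 1.2.3.4\r\n"
                  b"\r\n")
```

Run apply_proxy_policy on SAMPLE_REQUEST with the default addxfor off and the spoofed 1.2.3.4 reaches the backend unchanged; with on it is replaced by the real peer address, and with remove it disappears. That difference is the reason to pick the setting deliberately rather than leaving the default.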


/cfg/ssl/server <number>/portal
Portal Settings Configuration

The Portal settings menu is used, for example, for mapping the current SSL server to a configured Xnet domain, and to enable a client Web browser sending its authentication cookie to all virtual SSL servers within the same domain. Support for Java applets on the SSL VPN Portal and SOCKS support for the SSL VPN client are enabled using the applet command (enabled by default). The wiper command (also enabled by default) clears the cache following a Portal session.

The Portal Settings menu is only available if the virtual SSL server has been defined as being of the portal type. For more information about virtual SSL server types, see the type command on page 192.

[Portal Settings Menu]
     authentica - Set User authentication
     dhost      - Set Default backend host
     dscheme    - Set Default backend scheme
     dgroup     - Set default group
     xnet       - Set xnet domain
     domain     - Set add cookie domain using dns/domain
     applet     - Set support for vpn client and portal applets
     persistent - Set use persistent session cookies
     wiper      - Set use ActiveX component for clearing cache

Table 10-27 Portal Settings Menu Options (/cfg/ssl/server/portal)

Command Syntax and Usage

authentica on|off

By setting this command to off, the ASA can make use of the VPN functionality to SSL accelerate an existing intranet Web site, e.g. a portal. Both relative site links (e.g. /site/file.html) and absolute site links (e.g. http://inside.example.com/site/file.html) will be rewritten to include the ASA rewrite prefix. This cannot be achieved with the traditional SSL off-load mechanism.

The ASA rewrite prefix (https://vip.example.com/http/ in the example below) is added to the link properties as shown:

https://vip.example.com/http/inside.example.com/site/file.html

To access the intranet Web site, the user should enter the SSL VPN Portal’s IP address or host name. The user will then be redirected to the intranet Web site (specified with the dhost command) without first having to log in to the SSL VPN Portal.

If set to off, the dhost, dscheme and dgroup commands will also be displayed on the Portal settings menu (see below).

The default setting is on.
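The link rewriting described above, carried out on a page. This is an added example and not code from the manual or from Nortel: it resolves relative and absolute links found in a backend page and prefixes them with the rewrite prefix shown, https://<vip>/<scheme>/<backend host><path>. The attribute regular expression, the handling of non-http links (mailto:, javascript:, fragments) and the rewriting of links that point at other intranet hosts are assumptions; the manual only states that site links are rewritten to include the prefix. The page URL and HTML in the tests are constructed.

```python
"""Link rewriting of the kind the Portal performs when `authentica` is off.

Added example (not Nortel code). It resolves relative and absolute links found
in a backend page and prefixes them with the ASA rewrite prefix,
https://<vip>/<scheme>/<backend host><path>. The attribute regular expression,
the handling of non-http links (mailto:, javascript:, fragments) and the
rewriting of links to other intranet hosts are assumptions; the manual only
states that site links are rewritten to include the prefix.
"""
import re
from urllib.parse import urljoin, urlsplit

# href/src/action attributes with a quoted value
LINK_RE = re.compile(
    r'(?P<attr>\b(?:href|src|action)\s*=\s*)(?P<q>["\'])(?P<url>[^"\']*)(?P=q)',
    re.IGNORECASE)
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*:", re.IGNORECASE)


def rewrite_url(url, page_url, vip):
    """Return the rewritten form of one link found on `page_url`."""
    if url.startswith("#"):
        return url                                   # same-page fragment
    if SCHEME_RE.match(url) and not url.lower().startswith(("http:", "https:")):
        return url                                   # mailto:, javascript:, ...
    parts = urlsplit(urljoin(page_url, url))         # relative -> absolute
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return url
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    if parts.fragment:
        path += "#" + parts.fragment
    return f"https://{vip}/{parts.scheme}/{parts.netloc}{path}"


def rewrite_page(html, page_url, vip):
    """Rewrite every quoted href/src/action attribute in `html`."""
    def repl(m):
        new = rewrite_url(m.group("url"), page_url, vip)
        return m.group("attr") + m.group("q") + new + m.group("q")
    return LINK_RE.sub(repl, html)
```

Because every rewritten link, including those to hosts other than dhost, is fetched through the VIP, the reach of the unauthenticated user is bounded only by the access rules of the dgroup group; that is the reason for the note on dgroup below.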


dhost <backend server host name or IP address and path>

Sets the backend Web server host address and path (if required) when authentication is disabled.

Example: inside.example.com/portal.html

dscheme http|https

Sets the protocol used to access an intranet Web site when authentication is disabled.

dgroup <group name>

Sets the default group in which users will be placed when authentication is disabled.

Users bypassing the SSL VPN Portal this way will automatically be placed in a default group specified with this command. Prior to disabling authentication, configure the default group using the /cfg/xnet/domain #/group command and add the desired access rules for that group.

Note: Be careful when defining the access rules for the default group so that user access is truly limited to the specified intranet Web site and allowed links on that Web site.

xnet <Xnet domain identified by number>

Maps the current portal SSL server to a configured Xnet domain. To get an overview of the available Xnet domains and their respective configurations, use the /cfg/xnet/cur command.

domain on|off

When domain is set to on, the cookie used for client authentication (and set by the current SSL server) can be sent from the client Web browser to all virtual SSL servers within the same domain. The domain to which the cookie is sent is specified by using the /cfg/ssl/server #/dns/domain command.

Setting the domain value to on eliminates the need for the SSL VPN user to log in repeatedly when requesting various intranet resources after having logged in to the SSL VPN portal.

The default domain setting is set to off.

Note: A browser sends a domain cookie to every host under that domain, not only to the virtual SSL servers. Set dns/domain no wider than necessary, so that the authentication cookie cannot reach hosts that should not receive it.
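How far the authentication cookie travels under domain on and off, for this entry and for the dns/domain entry above. This is an added example and not code from the manual or from Nortel: it builds the Set-Cookie header the Portal would send in each case and applies the domain-matching rule of RFC 6265 section 5.1.3, the rule a browser uses to decide which hosts receive a cookie. The cookie name, its value, the Secure attribute and the intranet host list are assumptions; the manual does not describe the cookie itself.

```python
"""Reach of the Portal authentication cookie under `domain on|off`.

Added example (not Nortel code). It builds the Set-Cookie header the Portal
would send in each case and applies the domain-matching rule of RFC 6265
section 5.1.3, the rule a browser uses to decide which hosts get the cookie.
The cookie name and value and the Secure attribute are assumptions; the manual
does not describe the cookie itself.
"""


def set_cookie_header(dns_domain, domain_on, name="SSLVPN", value="opaque-session-id"):
    """Set-Cookie as the Portal would send it: host-only when `domain` is off,
    scoped to the dns/domain value when it is on."""
    attrs = [f"{name}={value}", "Path=/", "Secure"]
    if domain_on:
        attrs.append(f"Domain={dns_domain}")
    return "; ".join(attrs)


def domain_matches(request_host, cookie_domain):
    """RFC 6265 domain matching: the host is the cookie domain, or ends with
    '.' followed by it."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookie_sent_to(request_host, vip_host, dns_domain, domain_on):
    """True if a browser holding the Portal cookie would send it to request_host."""
    if not domain_on:
        return request_host.lower() == vip_host.lower()   # host-only cookie
    return domain_matches(request_host, dns_domain)


def hosts_receiving_cookie(hosts, vip_host, dns_domain, domain_on):
    """Filter a list of intranet hosts down to those that would receive the cookie."""
    return [h for h in hosts if cookie_sent_to(h, vip_host, dns_domain, domain_on)]


# Constructed intranet host list: two ASA virtual servers, an ordinary web
# server in the same domain, a host in a different domain, and the domain apex.
INTRANET_HOSTS = ["vip.example.com", "vip2.example.com", "inside.example.com",
                  "files.example.org", "example.com"]
```

With domain on and dns/domain set to example.com, inside.example.com receives the cookie although it is not an ASA virtual server; that host must be trusted with a logged-in session, or the domain must be narrowed.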

applet on|off

• on: Java applets will be supported on the SSL VPN Portal, i.e. when using the Port forwarder, Telnet/SSH access and HTTP Proxy features. SOCKS tunneling using the SSL VPN client will also be supported.

• off: Java applets will not be supported on the SSL VPN Portal. SOCKS tunneling using the SSL VPN client will not be supported.

The default setting is on.

persistent on|off

By setting this command to on, persistent cookies will be used for the Portal login session. This means that the user will still be logged in to the Portal even if the browser is shut down.

The default setting is off. Leave it off for users who log in from shared or public computers: with a persistent cookie, the next person to open the browser inherits the logged-in Portal session.


wiper on|off

When Internet Explorer is used, some programs (e.g. Microsoft Word) will only be able to display files requested via the Portal if the files are cached.

By setting the wiper command to on, caching will be allowed without leaving sensitive files in the browser cache after a session.

When the user enters the Portal he will be asked to download an ActiveX component, i.e. the Wiper. When the user logs out from the Portal or closes the browser window, a message will be displayed, asking the user whether or not to clear the cache. A second message will also be displayed, asking the user whether or not to clear the browser history (visited URLs). Clearing therefore depends on the user accepting the component and answering yes to these prompts; the Wiper does not enforce it.

• on: An ActiveX component will be downloaded to the browser and caching will be allowed. The ActiveX component will clear the cache when the Portal session is terminated or when the browser is closed.

• off: No ActiveX component will be downloaded. To allow caching of documents, use the /cfg/ssl/server #/http/allowdoc/on command. The cache will however not be cleared.

The default setting is on.

Note: For best performance, the allowdoc command should be set to off when wiper is set to on.


/cfg/ssl/server <number>/adv
Advanced Settings Menu

The Advanced Settings menu is used for handling the connection pooling, load balancing, and end to end encryption capabilities of the selected virtual SSL server. The number of menu items available in the Advanced Settings menu varies according to the type of virtual SSL server currently selected.

[Advanced Settings Menu]
     string     - String menu
     blockstrin - Set strings to block
     pool       - Connection pooling menu
     traflog    - UDP syslog Traffic Log menu
     standalone - Standalone (no switch) menu
     loadbalanc - Load balancing menu
     sslconnect - SSL connect menu

Table 10-28 Advanced Settings Menu Options (/cfg/ssl/server/adv)

Command Syntax and Usage

string

Displays the Load Balancing String menu. To view menu options, see page 222.

Note: The string menu item is only available when the virtual SSL server type is set to the generic or http type.

blockstrin <string numbers>

Specifies which of the defined match strings are used for blocking client requests. If a client request contains data that matches one of the specified string definitions, the client connection request is terminated.

To clear all currently specified blocking strings, press ENTER when asked to enter string numbers, then answer yes to the question if you want to clear the list.

Note: The blockstrin command is only available when the virtual SSL server type is set to the generic or http type.

pool

Displays the Pool Settings menu. To view menu options, see page 225.

Note: The pool menu item is only available when the virtual SSL server type is set to http.

traflog

Displays the Traffic Log Settings menu. To view menu options, see page 226.

Note: The traflog menu item is only available when the virtual SSL server type is set to http or portal.


standalone

Displays the Standalone menu. To view menu options, see page 228.

Note: When the virtual SSL server type is set to socks, only this menu item is available.

loadbalanc

Displays the Load Balancing Settings menu. To view menu options, see page 232.

Note: The loadbalanc menu item is only available when the virtual SSL server is set to the generic or http type.

sslconnect

Displays the SSL Connect Settings menu. To view menu options, see page 249.

Note: The sslconnect menu item is only available when the virtual SSL server is set to one of the following: generic, http, or portal.


/cfg/ssl/server <number>/adv/string <load balancing string number>

Load Balancing Strings Configuration

The LB String menu is used for defining strings matching the specified location in a client request. Resulting matches can then be taken into account in the load balancing configuration of the backend servers. When a backend server is configured to use string as the load balancing type, the backend server is only load balanced if a match of the defined string and location is found in a client request. To access the LB String menu, the selected virtual SSL server must be set to the generic or http type.

[LB String 1 Menu]
     match      - Set string to match
     location   - Set locations to perform the match in
     icase      - Set ignore case in to match
     negate     - Set negate the result of the match
     del        - Remove string

Table 10-29 LB String Menu Options (/cfg/ssl/server/adv/string)

Command Syntax and Usage

match

Lets you define the string matched against incoming client requests handled by the virtual SSL server. A match string may contain the asterisk (*) wildcard character to represent one or more unspecified characters.

Example: *.gif

Note: After having defined a match string, you must also specify the desired match location(s).


location <macro, method, or header>

Specifies the client request location(s) to which the match string is mapped. A match only occurs when the match string is found in the specified location. Valid match locations can be the name of a header in an HTTP request (such as User-Agent), or an HTTP method (such as GET).

• Valid match locations are also the following special components that may appear in a URL:

  • Params (object parameters)

  • Query (query information)

  If used, these components appear in the URL in accordance with this generic syntax:

  <scheme>://<net_loc>/<path>;<params>?<query>#<fragment>

• A valid special string location is:

  • cookie-override: By default, cookie-based persistence overrides string load balancing settings. To override persistence for a string, add cookie-override to the location value for the string. In this way, it is possible to use cookie-based persistence for e.g. all URLs except those ending with *.gif. For a match to occur, you must also specify a valid match location, e.g. URL,cookie-override.

• The valid macro location values are:

  • url: all of the valid method fields are searched for a match of the defined string. A match of the defined string will only occur if the match string is found in one of the known methods listed below.

  • unknown: unknown method for the ASA. A match will only occur if a method other than the known methods is found. (If you specify url,unknown as the locations, a match will occur if the match string is found in either a known or unknown method, or both.)

  • header: all of the valid header fields are searched for a match of the defined string. A match will only occur if the match string is found in one of the known headers.

  • other: unknown header field for the ASA. A match will only occur if a header other than the known headers is found. (If you specify header,other as the locations, a match will occur if the match string is found in either a known or unknown header, or both.)

• Valid methods are: options, get, head, post, put, delete, trace, and connect.

• Valid headers are: accept, accept-charset, accept-encoding, accept-language, accept-ranges, age, allow, authorization, cache-control, connection, content-base, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, cookie2, date, etag, expires, fragment, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, keep-alive, last-modified, location, max-forwards, params, pragma, proxy-authenticate, proxy-authorization, proxy-connection, public, query, range, referer, retry-after, server, set-cookie, transfer-encoding, upgrade, user-agent, vary, via, warning, www-authenticate, x-forwarded-for, and x-ssl.

To enter multiple locations, separate the location names with comma (,). To look for a match string in all components of a URL, specify the following as the location: URL,Params,Query.


icase on|off

Specifies whether case should be considered when searching for a match of the defined string in the specified location of a client request. When set to off, a match string defined as *.GIF is considered different data than the *.gif string found in the URI of a client request, and a match will therefore not occur.

The default icase setting is on, which means that case is ignored.

negate on|off

Specifies whether the match string you have defined should be negated when searching for a match in a client request. When set to on, all client requests that do not contain the defined match string in the specified location will induce a match.

The default negate setting is off.

del

Removes the current match string.
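The match, location, icase and negate settings of this menu, combined into one matcher. This is an added example and not code from the manual or from Nortel. A request is modelled as its method, request target and headers; a method name as location is searched in the request target of requests using that method, url in the target of any known-method request, unknown in the target of an unknown-method request, a header name in that header, header in every known header, other in every unknown header, and params and query in the URL components of the generic syntax above. Which request fields the ASA itself searches for url, and that a match string must cover the whole field with * standing for one or more characters, are assumptions (the latter is consistent with "URLs ending with *.gif"). cookie-override affects persistence, not matching, and is skipped. The requests in the tests are constructed.

```python
"""An LB String matcher modelled on the match, location, icase and negate settings.

Added example (not Nortel code). A request is modelled as its method, request
target and headers. Which request fields the ASA itself searches for `url`,
and that a match string must cover the whole field with `*` standing for one
or more characters, are assumptions. `cookie-override` affects persistence,
not matching, and is skipped.
"""
import re
from urllib.parse import urlsplit

KNOWN_METHODS = {"options", "get", "head", "post", "put", "delete", "trace", "connect"}
KNOWN_HEADERS = {
    "accept", "accept-charset", "accept-encoding", "accept-language", "accept-ranges",
    "age", "allow", "authorization", "cache-control", "connection", "content-base",
    "content-encoding", "content-language", "content-length", "content-location",
    "content-md5", "content-range", "content-type", "cookie", "cookie2", "date", "etag",
    "expires", "from", "host", "if-match", "if-modified-since", "if-none-match",
    "if-range", "if-unmodified-since", "keep-alive", "last-modified", "location",
    "max-forwards", "pragma", "proxy-authenticate", "proxy-authorization",
    "proxy-connection", "public", "range", "referer", "retry-after", "server",
    "set-cookie", "transfer-encoding", "upgrade", "user-agent", "vary", "via",
    "warning", "www-authenticate", "x-forwarded-for", "x-ssl",
}


class LBString:
    def __init__(self, match, location, icase=True, negate=False):
        self.negate = negate
        self.locations = [loc.strip().lower() for loc in location.split(",") if loc.strip()]
        # '*' -> one or more unspecified characters; everything else is literal
        pattern = ".+".join(re.escape(part) for part in match.split("*"))
        self.regex = re.compile(pattern, re.IGNORECASE if icase else 0)

    def fields(self, method, target, headers):
        """Yield the request fields the configured locations refer to."""
        m = method.lower()
        hdrs = {k.lower(): v for k, v in headers.items()}
        parts = urlsplit(target)
        _path, _, params = parts.path.partition(";")      # <path>;<params>?<query>
        for loc in self.locations:
            if loc == "cookie-override":
                continue                                  # persistence flag only
            if loc == "url" and m in KNOWN_METHODS:
                yield target
            elif loc == "unknown" and m not in KNOWN_METHODS:
                yield target
            elif loc in KNOWN_METHODS and m == loc:
                yield target
            elif loc == "params":
                yield params
            elif loc == "query":
                yield parts.query
            elif loc == "header":
                yield from (v for k, v in hdrs.items() if k in KNOWN_HEADERS)
            elif loc == "other":
                yield from (v for k, v in hdrs.items() if k not in KNOWN_HEADERS)
            elif loc in hdrs:
                yield hdrs[loc]

    def matches(self, method, target, headers):
        """True if the request matches (or, with negate on, does not match)."""
        found = any(self.regex.fullmatch(v) for v in self.fields(method, target, headers))
        return found != self.negate
```

The same object serves blockstrin: a string defined with match *.gif and location url,unknown, for instance, matches a request for a GIF regardless of whether the method is one the ASA knows, which matters when the intent is to block rather than to steer load balancing.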


/cfg/ssl/server <number>/adv/pool
Connection Pooling Configuration

The Pool Settings menu is used for configuring the connection pooling settings of the ASA. Connection pooling provides for the reuse of SSL sessions in order to improve throughput. When the ASA load balances the backend servers, it can pool both encrypted (port 443) and unencrypted (port 81) server side connections. To access the Pool Settings menu, the selected virtual SSL server must be set to the http type.

[Pool Settings Menu]
     timeout    - Set pool age timeout
     ena        - Enable connection pooling
     dis        - Disable connection pooling

Table 10-30 Pool Settings Menu Options (/cfg/ssl/server/adv/pool)

Command Syntax and Usage

timeout <timeout value in seconds>

Sets the time frame during which a client connection can be idle before the client socket is closed. The default value is 15 seconds.

ena

Enables pooling of server side connections for the selected virtual SSL server.

Note: When connection pooling is enabled, transparent proxy mode must be set to off. Transparent proxy mode is configured by using the /cfg/ssl/server #/proxy command. The default proxy mode value is on.

dis

Disables pooling of server side sockets for the selected virtual SSL server.


/cfg/ssl/server <number>/adv/traflog

Traffic Syslog Configuration

The Traffic Log Settings menu is used for configuring a syslog server to which UDP syslog messages for all HTTP requests handled by the currently selected virtual SSL server are sent. Enabling traffic logging via syslog messages generates a substantial amount of network traffic and places additional CPU load on each ASA device in the cluster. Syslog servers are also not generally designed for this type of log message, and may not be able to cope with the volume generated by a cluster of multiple ASA devices. Traffic logging via syslog messages is intended for environments where laws or regulations require traffic logging to be performed on the SSL terminating device itself, and for temporary use when debugging. Bear in mind that syslog over UDP gives no delivery guarantee: messages dropped on the network or by an overloaded syslog server are lost silently, so a gap in the log is not evidence that no requests were handled.

In general, it is therefore recommended that traffic logging is performed on the backend Web servers instead. The traffic logging performed by backend Web servers can be enhanced by configuring the ASA to add certain HTTP headers. For more information about available extra HTTP headers, see the HTTP Settings menu on page 201.

Below is an example of a syslog message generated on an ASA device:

Mar 8 14:14:33 192.168.128.24 <ISD-SSL>: 192.168.128.189 TLSv1/SSLv3 DES-CBC3-SHA "GET / HTTP/1.0"
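The record layout above is regular enough to parse and alert on. The following Python script is an added example, not part of the original guide or of the ASA software: it parses records in this format (the sample lines are constructed for the example, modelled on the message above) and flags sessions negotiated with export-grade ciphers or over SSL 2.0, the kind of check that turns the per-request syslog stream into something a security operations team can act on. The weak-cipher policy in it is this example's assumption, not a setting of the ASA.

```python
import re
from collections import Counter

# Field layout taken from the sample message in the guide: syslog timestamp, address of
# the ASA that sent the message, the <ISD-SSL> tag, then client IP, negotiated protocol,
# cipher suite and the quoted HTTP request line.
RECORD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<asa>\S+) <ISD-SSL>: "
    r"(?P<client>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<proto>\S+) (?P<cipher>\S+) "
    r'"(?P<request>[^"]*)"\s*$'
)

# Local policy of this example (an assumption, not a setting of the ASA): export-grade,
# NULL, single-DES and RC4 suites, and anything negotiated over SSL 2.0, count as weak.
WEAK_CIPHER_RE = re.compile(r"^(EXP-|EXP1024-|NULL-|DES-CBC-|RC4-)")

# Constructed sample log, modelled on the message in the guide; the third and fourth
# records and the trailing non-record line are made up for the example.
SAMPLE_LOG = """\
Mar  8 14:14:33 192.168.128.24 <ISD-SSL>: 192.168.128.189 TLSv1/SSLv3 DES-CBC3-SHA "GET / HTTP/1.0"
Mar  8 14:14:35 192.168.128.24 <ISD-SSL>: 192.168.128.189 TLSv1/SSLv3 DES-CBC3-SHA "GET /login HTTP/1.0"
Mar  8 14:14:40 192.168.128.24 <ISD-SSL>: 10.9.8.7 TLSv1/SSLv3 EXP-RC4-MD5 "GET /index.html HTTP/1.0"
Mar  8 14:14:41 192.168.128.24 <ISD-SSL>: 10.9.8.7 SSLv2 EXP-RC2-CBC-MD5 "GET /index.html HTTP/1.0"
syslogd restarted: this line is not an ASA traffic record
"""


def parse_record(line):
    """Fields of one traffic record as a dict, or None if the line is not one."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # "GET / HTTP/1.0" -> method, path, version; a malformed request line yields blanks
    parts = rec["request"].split()
    rec["method"], rec["path"], rec["version"] = (parts + ["", "", ""])[:3]
    return rec


def parse_log(text):
    """All well-formed records in a block of syslog text, in order."""
    return [r for r in (parse_record(line) for line in text.splitlines()) if r]


def is_weak(rec):
    return rec["proto"].startswith("SSLv2") or WEAK_CIPHER_RE.match(rec["cipher"]) is not None


def weak_sessions(records):
    """Records whose protocol or cipher the local policy rejects; each one is an alert."""
    return [r for r in records if is_weak(r)]


def cipher_histogram(records):
    """Cipher suite usage; what to look at before tightening the accepted cipher list."""
    return Counter(r["cipher"] for r in records)


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for rec in weak_sessions(records):
        print(f"WEAK {rec['ts']} client={rec['client']} proto={rec['proto']} "
              f"cipher={rec['cipher']} {rec['method']} {rec['path']}")
    print(cipher_histogram(records))
```

Run against a real feed, the histogram tells you which client-facing cipher suites are actually in use before you remove any, and the weak-session list is what to forward to the SIEM.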

[Traffic Log Settings Menu]
     sysloghost - Set syslog host IP
     udpport    - Set syslog portnumber
     priority   - Set syslog priority
     facility   - Set syslog facility
     ena        - Enable traffic UDP syslog logging
     dis        - Disable UDP traffic logging


To access the Traffic Log Settings menu, the selected virtual SSL server must be set to either the http type or the portal type.

Table 10-31 Traffic Log Settings Menu Options (/cfg/ssl/server/adv/traflog)

Command Syntax and Usage

sysloghost <IP address of syslog server>

Specifies the IP address of the syslog server to which syslog messages will be sent using a UDP (User Datagram Protocol) connection.

udpport <UDP port number of syslog server>

Specifies the UDP port number of the syslog server.

The default UDP syslog server port number is set to 514.

priority debug|info|notice

Configures the priority level of syslog messages that are sent. Valid priority levels, listed from low to high, are:

• debug: Messages that contain information mainly of use only for debugging purposes.
• info: Informational messages.
• notice: Conditions that are not error conditions, but should possibly be handled specially.

The default priority level is set to info.

facility auth|authpriv|daemon|local0-7

Configures the facility parameter of syslog messages. The facility parameter is used to specify what type of program is logging the message. This lets the configuration file specify that messages from different facilities will be handled differently.

The default facility parameter is set to local4.

ena

Enables traffic logging via syslog messages to the specified syslog server.

dis

Disables traffic logging via syslog messages to the specified syslog server.

Traffic logging via syslog messages is disabled by default.


/cfg/ssl/server <number>/adv/standalone

Standalone Menu

The Standalone menu is used to enable or disable standalone mode for the selected virtual SSL server. The menu is also used to access the IP List menu, in which a set of IP addresses used by the selected virtual SSL server can be specified.

When the ASA is connected to an Alteon Application Switch, the virtual SSL server is always mapped to a virtual server IP address defined on the Application Switch. When the Application Switch receives a client connection request destined for the virtual server, the switch will broadcast an ARP request and redirect the traffic to one particular ASA in the cluster, based on the selected load balancing metric.

When running the ASA in standalone mode, without being connected to an Alteon Application Switch, each virtual SSL server is still mapped to a virtual server IP address, but the ASA itself must now respond to the ARP requests for incoming client connections destined for the virtual server IP address.

If your particular ASA is equipped with one NIC and you need at most two virtual servers, you can make the ASA answer the ARP requests by simply assigning the real IP address of the ASA to one virtual server and the Management IP (MIP) address to the other. In this case, you do not have to enable and configure the standalone feature.

If your particular ASA is equipped with dual NICs and you need only one virtual server, you can make the ASA answer the ARP requests by assigning the real IP address of the NIC that faces the Internet side to the virtual server (assuming that the other NIC faces the clean intranet side, and that the MIP can only be reached from within that side). In this case too you do not have to enable and configure the standalone feature, but you are restricted to a single virtual server IP address.

However, as soon as you need to go beyond these limitations regarding the number of virtual servers, you can use the standalone feature to set up an alias IP address for each virtual server IP address required on the ASA.

[Standalone Menu]
     iplist     - List of IP addresses for this Virtual server
     ena        - Enable Standalone for this server
     dis        - Disable standalone for this server


The standalone feature is also useful when there is more than one ASA in the cluster, and you want to perform load balancing of a virtual SSL server between all the ASAs in the cluster without using an Alteon Application Switch. In such a case you can define a virtual server IP address for each ASA in the cluster and map the virtual server IP addresses to the same virtual SSL server (assuming the virtual server IP addresses use different TCP ports). Provided all virtual server IP addresses are associated with the same FQDN and registered in DNS, the DNS server can then be configured to perform round robin DNS. The virtual server IP addresses are automatically brought up as evenly distributed virtual interfaces on the ASAs in the cluster. Moreover, if one ASA device should fail, the virtual server IP address bound to the virtual interface on that device is automatically migrated to another ASA in the cluster. This solves the problem with round robin DNS not having any healthcheck mechanism.

Table 10-32 Standalone Menu (/cfg/ssl/server/adv/standalone)

Command Syntax and Usage

iplist

Displays the IP List menu. To view menu options, see page 230.

ena

Enables standalone mode for this virtual SSL server.

dis

Disables standalone mode for this virtual SSL server.

By default, standalone mode for a virtual SSL server is disabled.


/cfg/ssl/server <number>/adv/standalone/iplist

IP List Menu

The IP List menu is used for adding, removing, and listing virtual server alias IP addresses that are used by the current SSL server. For the purpose of load balancing a virtual SSL server between a number of ASA devices in the cluster using round robin DNS, one virtual server alias IP address is added for each ASA device in the cluster.

If you have only one ASA device in the cluster and need to create several virtual servers, you normally add and assign only one virtual server alias IP address to a particular virtual SSL server. Hence, only one IP address is added to the IP list.

NOTE – When standalone mode is enabled, the virtual IP address that you may have specified for the SSL server using the /cfg/ssl/server #/vip command is overridden by the virtual standalone IP address added to the IP list. If you add more than one standalone IP address to the list, only the first address in the list is used for logging the statistics related to the virtual SSL server. Bear this in mind when you decide the order of standalone IP addresses in the list.

When configuring standalone mode for the selected SSL server, the virtual server alias IP address(es) added to the list must not be the real IP address of the ASA(s), nor the Management IP (MIP) address of the ASA cluster.

[IP List Menu]
     list       - List all values
     del        - Delete a value by number
     add        - Add a new value
     insert     - Insert a new value
     move       - Move a value by number


You should also make sure that the alias IP addresses you add to the list are associated with the correct FQDN and registered in DNS.

Table 10-33 IP List Menu (/cfg/ssl/server/adv/standalone/iplist)

Command Syntax and Usage

list

Lists added values by their index number and IP address.

del <index number>

Removes the IP address that is represented by the index number you specify. Use the list command to view all IP addresses and related index numbers currently added to the list.

add <IP address in dotted decimal notation>

Adds a virtual server IP address to the list. The virtual server IP address you specify for the virtual SSL server will bind to a virtual interface on the ASA device.

You only need to add more than one IP address to the list when there is more than one ASA device in the cluster and you want to perform load balancing of the selected SSL server using round robin DNS. In this case, add one alias IP address for each ASA device in the cluster.

insert

Lets you assign a specific index number to the virtual server IP address you add. The index number you specify must be in use. IP addresses with an index number higher than (and including) the one you specify will have their current index number incremented by 1.

move

Lets you move a virtual server IP address up or down in the list.

To view all virtual server IP addresses, use the list command.


/cfg/ssl/server <number>/adv/loadbalanc

Load Balancing Settings

The Load Balancing Settings menu is used for configuring the various settings related to persistency in client connections, load balancing of backend servers, and health checking of the backend servers. To access the Load Balancing Settings menu, the selected virtual SSL server must be set to the generic or http type.

[Load Balancing Settings Menu]
     type       - Set load balancing type
     persistenc - Set persistence strategy
     cookie     - Cookie settings menu
     metric     - Set load balancing metric
     health     - Set health check type
     script     - Health check script menu
     interval   - Set health check interval (s)
     remotessl  - Remote SSL connect menu
     backend    - Backend servers menu
     ena        - Enable load balancing
     dis        - Disable load balancing

Table 10-34 Load Balancing Settings Menu Options (/cfg/ssl/server/adv/loadbalanc)

Command Syntax and Usage

type all|string

Specifies the load balancing type applied to configured backend servers. Valid options are:

• all: All backend servers are load balanced according to the specified load balancing metric. Load balancing strings that may have been defined are ignored.

• string: Only those backend servers for which you have configured one or more match strings are load balanced. Load balancing of these backend servers occurs only when a match of the specified string is found in a client request; the load balancing is then performed in accordance with the load balancing metric you have specified. To load balance all backend servers when type is set to string, make sure you have configured each backend server to use one or more match strings. Backend servers are configured by using the /cfg/ssl/server #/adv/loadbalanc/backend # command.

Note: When the load balancing type is set to string, persistency options set to cookie or session are ignored.


persistenc none|cookie|session

Specifies the method to use in order to obtain persistency in client connections. When a client initiates a connection request to establish a new session, the connection is issued to a backend server according to the load balancing metric you have specified. For all subsequent client requests within an established session, however, the chosen persistency method comes into play and overrides the load balancing metric.

Valid options for obtaining persistency in client connections are:

• none: Specifies that no method is used to obtain persistency in client connections.

• cookie: Specifies that persistency in client connections is based on cookie information generated and inserted by the ASA. To successfully use this option, client browsers must accept cookies.

• session: Specifies that persistency in client connections is based on the SSL session information.

The default persistence method is none. Note that the cookie and session persistency options are ignored when the load balancing type is set to string. For more information on the type command, see page 232.

cookie

Displays the Cookie Settings menu. To view menu options, see page 236.

metric hash|roundrobin|leastconn

Specifies the load balancing metric to use for determining which of the configured backend servers that will be the target of the next client request. Valid options are:

• hash: With this option, a hash metric on the source IP address information in a client connection request is used to select a backend server.

• roundrobin: Round robin. With this option, new client connection requests are issued to each backend server in turn in a continuously repeating sequence.

• leastconn: Least connections. With this option, a new client connection request is issued to the backend server with the fewest current connections. The number of connections currently open on each backend server is measured in real time. The leastconn option is the most self-regulating, with the fastest servers typically getting the most connections over time, due to their ability to accept, process, and shut down connections faster than slower servers.

The default load balancing metric is hash.


health none|tcp|ssl|auto|script

Specifies the health check method the selected virtual SSL server should use when health checking the backend servers. Valid options are:

• none: No health checking of backend servers. If load balancing is enabled, all backend servers are included in the load balancing scheme and are at all times considered "up". Failed connections to backend servers are still logged (as a total) and can be viewed using the /stats/server #/becnctfail command.

• tcp: A TCP connection is opened to the backend servers, and is then closed.

• ssl: A TCP connection is opened to the backend servers, and an SSL connection is then established. Thereafter, the SSL connection is shut down and the TCP connection is closed. Using the ssl health check method requires that you have enabled SSL connect for the current virtual SSL server. To view the current SSL connect settings, enter the following command: /cfg/ssl/server #/adv/sslconnect/cur

• auto: The default health check method, which uses a built-in script. For more information about the built-in scripts, see the "Script-Based Health Checks" chapter in the Alteon SSL Accelerator 4.1.2 Application Guide.

• script: Uses a customized health check script, which must first be created by using commands available in the Health Check Script menu. For more information about creating customized health check scripts, see the "Script-Based Health Checks" chapter in the Alteon SSL Accelerator 4.1.2 Application Guide.

The default health check method is auto.

script

Displays the Health Check Script menu. To view menu options, see page 240.

interval <health check interval in seconds>

Sets the interval in seconds for health checks of the backend servers to occur. The default health check interval is 10 seconds.

Note: Each ASA in the cluster performs its own health checking of backend servers. Therefore, if you set the health check interval to a low value, a considerable amount of network traffic may be generated. The amount of network traffic increases with the number of ASAs in the cluster and the number of backend servers included in the health checking.

remotessl

Displays the Remote SSL Connect Settings menu. To view menu options, see page 243.

backend

Displays the Backend Server menu. To view menu options, see page 246.

ena

Enables load balancing of backend servers.


dis

Disables load balancing of backend servers.


/cfg/ssl/server <number>/adv/loadbalanc/cookie

Cookie Settings Configuration

The Cookie Settings menu is used for configuring the cookie properties used by the selected virtual SSL server when cookie is the selected persistence strategy. The Cookie Settings menu is only available when you have configured the virtual SSL server to use cookie-based persistency. For more information on persistency options, see the persistenc command on page 233.

[Cookie Settings Menu]
     mode       - Set cookie mode
     name       - Set cookie name
     domain     - Set cookie domain
     expires    - Set cookie expires
     expiresdel - Set cookie expires delta
     localvips  - Configure other local VIPs
     offset     - Set cookie value offset
     length     - Set cookie value length


Table 10-35 Cookie Settings Menu Options (/cfg/ssl/server/adv/loadbalanc/cookie)

Command Syntax and Usage

mode insert|passive|rewrite

Specifies the mode for cookie-based persistence. The default cookie mode is insert (i).

The following three modes are available:

• insert (i): Insert mode. When a client sends a connection request without a cookie, the backend server responds with the requested data, and the ASA inserts a cookie into the data packet. The ASA then uses this cookie on all subsequent connection requests (within a given session) from the same client to bind to the backend server that was first selected using the current load balancing metric.

• passive (p): Passive mode. When selecting this mode, the backend server must be configured to embed a cookie in the response to the client request. The backend server may be configured to embed a cookie that contains either a backend server IP address in hexadecimal form, or a string of characters as the cookie value. The ASA will then look for this cookie in all subsequent connection requests (within a given session) from the same client, before establishing a connection to a backend server.

     • If the backend server embeds its own IP address in the cookie, the ASA will use the IP address information in the cookie to direct all subsequent traffic within a given session to the corresponding backend server.

     • If the backend server embeds a string of characters as the cookie value, the ASA will perform a hash on the cookie value. The ASA will then select a backend server and direct all subsequent traffic within a given session to the same backend server, based on the hashed cookie value.

• rewrite (r): Rewrite mode. When selecting this mode, the backend server must be configured to return a special persistence cookie, which the ASA is configured to recognize. When recognized, the ASA intercepts the cookie and rewrites the value to include server-specific information before sending it on to the client. Subsequent connection requests (within a given session) from the same client are sent to the same backend server.

For configuration examples including the three different cookie-based persistence modes, see "Configuring Cookie-Based Persistence" in Chapter 7 of the Alteon SSL Accelerator 4.1.2 Application Guide.

name <cookie name>

Sets a cookie name that can be used to identify the cookie used by the virtual SSL server.

The default cookie name is ISDSSL.


domain <cookie domain name>

Sets the domain for which the cookie is valid, e.g. .example.com. In global server load balancing (GSLB) configurations, the client browser may return the cookie to a different server than the one from which it was originally sent, if both respond to the same host name (e.g. www.example.com). Since this other server will not recognize the cookie id, it forwards the cookie to other servers using the domain name specified as the cookie domain. Note that the browser sends the cookie to every host within the specified domain, so set the domain no wider than the set of hosts that actually need to see the persistence cookie.

Only used for Insert mode.

expires <date and time>

Sets an absolute expiration date for the cookie. The cookie will be cached on the client's local disk until the date expires, then it will be deleted automatically.

Enter the date according to one of the following formats:

Sun, 06 Nov 2004 08:49:37 GMT

Sunday, 06-Nov-04 08:49:37 GMT

Sun Nov 6 08:49:37 2004

If no expiration date is set, the cookie will expire as soon as the client Web browser is shut down.

Only used for Insert mode.

expiresdel <value in seconds>

Sets the time frame during which the cookie will be active. When this time has expired, the cookie will be deleted automatically.

If you want to specify a value in hours, enter an integer directly followed by the letter h. If you want to specify a value in minutes, enter an integer directly followed by the letter m. If you enter an integer only, the value in seconds is implied.

To specify a value consisting of hours, minutes and seconds, enter e.g. 12h15m30s.

If no expiration value is set, the cookie will expire as soon as the client Web browser is shut down.

Only used for Insert mode.

localvips

Configures other local virtual server IP addresses. The local server needs to recognize sessions that belong to the official site virtual server IP address, as well as its own virtual server IP address that is used in a global server load balancing (GSLB) configuration.

offset <cookie offset value in bytes (1-64)>

Sets the starting point of the real cookie value within a longer string. The offset value directs the ASA to start looking for the real cookie value at the specified location in the string.

The default cookie offset value is 1 (byte).


length <cookie length value in bytes (0-64)>

Sets the number of bytes to extract for the cookie value within a longer string.

• For Passive cookie mode, if you have configured your backend server to embed a string of characters as the cookie value, the length can be set from 0 to 64 bytes.

• For Insert or Rewrite cookie mode, if you want the ASA to include the IP address of the backend server in the cookie value, you must set the cookie length to 8 (an IPv4 address written in hexadecimal form is 8 characters). The same length applies in Passive mode when the backend server embeds its own IP address in the cookie.

• For Insert or Rewrite cookie mode, if you want the ASA to include both the IP address of the backend server and the IP address of the virtual server (the VIP on the Alteon Application Switch) in the cookie value, you must set the cookie length to 16.

The default cookie length value is 8.
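Worked example, added here and not code from the guide or from the ASA: the cookie value layouts that the offset and length rules above imply, in Python. It encodes a backend IP as the 8-character hexadecimal string that Insert and Rewrite mode carry, appends the VIP for the 16-byte form, cuts the persistence value out of a Cookie request header using the 1-based offset and the length, and makes the Passive mode decision between a hex IP that names a configured backend and an arbitrary string that is hashed onto the backend list. The exact byte layout, the reading of length 0 as "to the end of the value", and the SHA-256 hash used for string values are assumptions of this example; the reference does not specify them.

```python
import hashlib
import ipaddress
from http.cookies import SimpleCookie

HEX_DIGITS = set("0123456789abcdefABCDEF")


def ip_to_hex(ip):
    """192.168.128.10 -> 'c0a8800a'. An IPv4 address is exactly 8 hex characters, which
    is why the reference has length 8 for 'backend IP' and 16 for 'backend IP + VIP'."""
    return f"{int(ipaddress.IPv4Address(ip)):08x}"


def hex_to_ip(text):
    return str(ipaddress.IPv4Address(int(text, 16)))


def insert_mode_value(backend_ip, vip=None):
    """Value carried in an Insert/Rewrite mode cookie: backend IP, optionally followed
    by the VIP (layout assumed from the length rules; the reference does not show bytes)."""
    value = ip_to_hex(backend_ip)
    if vip is not None:
        value += ip_to_hex(vip)
    return value


def extract_value(cookie_header, name, offset=1, length=8):
    """Cut the persistence value out of a Cookie request header.

    offset is the 1-based starting byte inside the named cookie's value, length the number
    of bytes to take. Length 0 is read here as 'to the end of the value' (an assumption;
    the reference only gives the 0-64 range). Returns None if the cookie is absent."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if name not in jar:
        return None
    raw = jar[name].value
    start = offset - 1
    return raw[start:] if length == 0 else raw[start:start + length]


def select_backend(value, backends):
    """Passive mode decision: a value that decodes to a configured backend IP pins the
    session to that server; any other string is hashed onto the backend list.
    The hash function is this example's choice; the reference does not name one."""
    if len(value) == 8 and set(value) <= HEX_DIGITS:
        ip = hex_to_ip(value)
        if ip in backends:
            return ip
    digest = hashlib.sha256(value.encode()).digest()
    return backends[int.from_bytes(digest[:4], "big") % len(backends)]


if __name__ == "__main__":
    backends = ["192.168.128.10", "192.168.128.11", "192.168.128.12"]
    cookie = "ISDSSL=" + insert_mode_value("192.168.128.10", "10.0.0.1")
    print(cookie)
    print(extract_value(cookie, "ISDSSL", offset=1, length=8))   # backend part
    print(extract_value(cookie, "ISDSSL", offset=9, length=8))   # VIP part
    print(select_backend(extract_value(cookie, "ISDSSL"), backends))
    print(select_backend("user42", backends))                    # hashed string value
```

The decode path is where a practitioner should look twice: a cookie value arrives from the client, so a server selection that trusts it must fall back to the configured list (as select_backend does) rather than connect to whatever address the hex decodes to.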


/cfg/ssl/server <number>/adv/loadbalanc/script

Health Check Script Configuration

The Health Check Script menu is used for creating a customized script for health checking backend servers that are load balanced by the ASA. The script you create is only applied when you have specified script as the health check method in the menu for "Load Balancing Settings" on page 232 (/cfg/ssl/server #/adv/loadbalanc/health). For detailed information about creating customized health check scripts, see Chapter 8, "Script-Based Health Checks", in the Alteon SSL Accelerator 4.1.2 Application Guide.

[Health Check Script Menu]
     list       - List all values
     del        - Delete a value by number
     add        - Add a new value
     insert     - Insert a new value
     move       - Move a value by number

Table 10-36 Health Check Script Menu Options (/cfg/ssl/server/adv/loadbalanc/script)

Command Syntax and Usage

list

Lists the current health check script, where each line is a script command and represented by a unique index number. The lines in the script are processed one after the other, starting from the lowest index number and ending with the highest index number.

del <index number>

Removes the line in the health check script represented by the index number you specify. Use the list command to view all lines and related index numbers in the current health check script.


add <script command> <timeout in seconds> <argument>

Lets you create a customized health check script, line by line, or add a script command to an existing health check script. Each added script line is automatically assigned the next available index number. A customized health check script is only applied when you have selected script as the health check type.

The following script commands are available:

• auto_open: Opens a TCP connection to the backend servers. For those backend servers on which SSL connect is enabled, the command also opens an SSL connection.

• auto_close: Closes the TCP connection that was opened using the auto_open command. In case the auto_open command also established an SSL connection, the SSL connection is shut down prior to closing the TCP connection.

• open: Opens a TCP connection to the specified IP address or backend servers.

• close: Closes the TCP connection that was opened using the open script command.

• ssl_open: Opens an SSL connection to the specified IP address or backend servers. The ssl_open script command must always be preceded by the regular open command. Using the ssl_open command also requires that SSL connect is enabled. You can view the current SSL settings by using the /cfg/ssl/server #/adv/sslconnect/cur command.

• ssl_close: Closes the SSL connection that was opened using the ssl_open command. The ssl_close script command must always be followed by the regular close command.

• send: Sends the argument you specify, for example a GET request such as "GET /index.html HTTP/1.0 \r\n\r\n", to the backend servers.

• expect: Specifies the string that is required in the response from the backend servers, in reaction to the send argument you specified. An example of an expect argument used with the send argument above could be "^HTTP/1\.[1,0] +200". The expect arguments are extended POSIX regular expressions.

The arguments you can define vary depending on the script command:

• When using the auto_open, open, or ssl_open script commands, an IP address and TCP port is a valid argument. Example: 192.168.128.88:110. If you don't specify an IP address and TCP port as an argument for these script commands, the IP addresses of the load balanced backend servers are implicit.

• When using the auto_close, close, or ssl_close script commands, you don't need to repeat the IP address and TCP port given as an argument for the auto_open, open, or ssl_open script commands since the same argument is implicit.

• When using the send script command, a typical HTTP request message can be defined as an argument. Example: "GET /index.html HTTP/1.0 \r\n\r\n"

• When using the expect script command, you can define arguments based on extended POSIX regular expressions. The data received in response to the send command is matched against the string you have defined in the argument for the expect command. If a match is found, the script command is considered successful.
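To see how such a script behaves end to end, the following Python program is an added example (not part of the guide or of the ASA software): it executes a script written in the same command/timeout/argument shape as the add command above against a backend, using a stand-in HTTP server started on a loopback port so that it runs offline. The expect argument is the regular expression from the text, and the timeout on each line is enforced on the socket, so a backend that accepts the connection but never answers fails the check instead of stalling it. Only the plain-TCP commands are modelled; the ssl_open/ssl_close commands and the SSL side of auto_open are left out, and the stand-in server's paths (/index.html healthy, /down unhealthy) are this example's construction.

```python
import re
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def health_script(path="/index.html"):
    """Script lines in the shape of the CLI's  add <command> <timeout> <argument>.
    An empty argument to auto_open means 'the load balanced backend', as in the guide."""
    return [
        ("auto_open", 5, ""),
        ("send", 5, f"GET {path} HTTP/1.0\r\n\r\n"),
        ("expect", 5, r"^HTTP/1\.[1,0] +200"),
        ("auto_close", 5, ""),
    ]


def run_script(script, backend):
    """Execute one script against one backend (ip, port); returns (healthy, reason).
    Every line must complete within its own timeout or the check fails."""
    sock = None
    received = b""
    for command, timeout, argument in script:
        if command in ("send", "expect", "close", "auto_close") and sock is None:
            return False, f"{command}: no open connection"
        try:
            if command in ("open", "auto_open"):
                if argument:                       # explicit "ip:port" argument
                    host, port = argument.rsplit(":", 1)
                    target = (host, int(port))
                else:
                    target = backend               # backend implicit, as in the guide
                sock = socket.create_connection(target, timeout=timeout)
                received = b""
            elif command == "send":
                sock.settimeout(timeout)
                sock.sendall(argument.encode("latin-1"))
            elif command == "expect":
                sock.settimeout(timeout)
                # The argument is an extended regular expression; for the anchors and
                # classes typical of health checks Python's re reads it the same way.
                pattern = re.compile(argument, re.MULTILINE)
                while not pattern.search(received.decode("latin-1", "replace")):
                    chunk = sock.recv(4096)
                    if not chunk:                  # server closed without a match
                        sock.close()
                        return False, f"expect: no match for {argument!r} in {received[:40]!r}"
                    received += chunk
            elif command in ("close", "auto_close"):
                sock.close()
                sock = None
            else:
                return False, f"unknown script command {command!r}"
        except OSError as exc:                     # refused, reset, timed out, ...
            if sock is not None:
                sock.close()
            return False, f"{command}: {exc}"
    return True, "ok"


class _Backend(BaseHTTPRequestHandler):
    """Constructed stand-in for a backend web server: /index.html is healthy, /down is not."""
    protocol_version = "HTTP/1.0"

    def do_GET(self):
        status, body = (200, b"ok") if self.path == "/index.html" else (503, b"maintenance")
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):                  # keep the example quiet
        pass


def start_backend():
    """Start the stand-in backend on a free loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _Backend)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_backend()
    for path in ("/index.html", "/down"):
        print(path, run_script(health_script(path), ("127.0.0.1", port)))
    server.shutdown()
    server.server_close()
```

A 503 from /down fails the expect line, and a backend that is down entirely fails at auto_open; both report the failing command, which is the detail you want when the ASA marks a server down and you need to tell "no listener" from "listener but wrong answer".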


insert <index number> <script command> <timeout in seconds> <argument>

Lets you assign a specific index number to the script line you add. The index number you specify must be in use. Script lines with an index number higher than (and including) the one you specify will have their current index number incremented by 1.

move <index number to move> <destination index number>

Lets you move a script line up or down in the health check script. The script commands are processed one after the other, starting from the lowest index number and ending with the highest index number.

To view all lines and script commands in the script, use the list command.


/cfg/ssl/server <number>/adv/loadbalanc/remotessl

Remote SSL Connect Configuration

The Remote SSL Connect Settings menu is used for configuring the SSL protocol, the preferred cipher list, and client authentication for SSL connections between the ASA(s) and the backend servers.

[Remote SSL Connect Settings Menu]
     protocol   - Set protocol version
     cert       - Set client certificate
     ciphers    - Set accepted ciphers for SSL connect
     verify     - Verify server menu

Table 10-37 Remote SSL Connect Settings Menu Options (/cfg/ssl/server/adv/loadbalanc/remotessl)

Command Syntax and Usage

protocol ssl2|ssl3|ssl23|tls1

Specifies the protocol the virtual SSL server should propose when establishing an SSL session with an SSL-enabled backend server. Valid options are:

• ssl2: Propose using only SSL 2.0.

• ssl3: Propose using SSL 3.0 or TLS 1.0.

• ssl23: Propose using any of SSL 2.0, SSL 3.0, or TLS 1.0.

• tls1: Propose using only TLS 1.0.

The default protocol value is ssl3. SSL 2.0 has known protocol weaknesses, so use ssl2 or ssl23 only when a backend server supports nothing newer.

cert <client certificate by index number>

Specifies which client certificate the selected virtual SSL server should present to the backend servers, in case the SSL software on the backend servers is configured to require a client certificate. Client authentication is seldom used for SSL connections between the ASAs and the backend servers, since the client (the ASA) is already known in these circumstances.

To view basic information about available certificates, use the /info/certs command. To generate a client certificate, see “Generating Client Certificates on the ASA” on page 91.


ciphers <cipher list format>

Specifies the list of preferred ciphers. This information is sent to the backend servers during the SSL handshake. The default cipher list corresponds to EXP-RC4-MD5:ALL!DH, which should be appropriate in most cases. The default cipher list provides for using lighter encryption algorithms between the ASAs and the backend servers than what is normally used between Internet clients and the ASAs. This is desirable mainly in terms of SSL performance. Since both the ASAs and the backend servers typically are behind a firewall in physically secured premises, using lighter encryption algorithms on this network segment should not compromise the overall security. Note, however, that EXP-RC4-MD5 is an export-grade suite with a 40-bit key; if the segment between the ASAs and the backend servers is shared with hosts you do not trust, choose a cipher list without export suites.

If you change the default list of preferred ciphers, make sure the specified ciphers are included in the backend servers’ list of preferred ciphers as the SSL connection will otherwise be refused.

For more information about supported ciphers and cipher list formats, see page 343.

verify

Displays the SSL Connect Verify Settings menu. To view menu options, see page 251.


/cfg/ssl/server <number>/adv/loadbalanc/remotessl/verify

Remote SSL Connect Verify Configuration

The Remote SSL Connect Verify Settings menu is used for configuring the desired certificate verification level when backend servers are authenticated. The menu is also used to specify the common name of backend servers, as well as setting the CA certificates used for backend server authentication.

[Remote SSL Connect Verify Settings Menu]
     verify     - Set certificate verification level
     commonname - Set server common name
     cacerts    - Set list of accepted signers of server’s certificate

Table 10-38 Remote SSL Connect Verify Settings Menu Options (/cfg/ssl/server/adv/loadbalanc/remotessl/verify)

Command Syntax and Usage

verify none|require

Specifies the authentication level to use when establishing an SSL connection towards a backend server. Valid options are:

• none: No server certificate is required. The backend server is not authenticated, so the virtual SSL server completes the handshake with whatever answers on the configured backend IP address and port.

• require: The server must present a valid certificate in order for the selected virtual SSL server to establish a session.

The default value is none.

commonname <common name of backend Web server>

Specifies the common name used in the backend server’s server certificate. In order to establish an SSL session, the common name you specify must match the common name found in the certificate used by the backend server(s).

The common name found in the server certificate normally corresponds to the name of the Web server as it appears in the URL that is used by Internet clients when accessing the Web server. Do not include the protocol specifier (http://) or any port numbers or pathnames in the common name. Wildcards (such as * or ?) and IP addresses are not allowed.

cacerts <CA certificate by index number>

Specifies which of the available CA certificates to use for backend server authentication. To view basic information about all certificates, use the /info/certs command.

To add a new CA certificate, see “Adding Certificates to the ASA” on page 81.

When specifying more than one certificate, separate the corresponding index numbers with commas, for example: 1,2,5


/cfg/ssl/server <number>/adv/loadbalanc/backend <server number>

Backend Server Configuration

The Backend Server menu is used for configuring backend servers (also known as “real servers”). The virtual SSL server for which the backend server is configured can then initiate requests to the enabled backend servers. An index number is assigned to each backend server, and you can create up to 256 backend servers. By specifying an unused index number when you enter the Backend Server menu, you create a new backend server which can then be configured.

HTTP redirects cannot contain explicit IP addresses since the browser will not be able to verify the server certificates. To solve this problem, one additional virtual server IP (vip) address on each side is introduced. When a client is redirected to the backup site, it is redirected to the name of that local VIP. Each local VIP must have a valid server certificate that matches its name.

To view all backend servers including their current configurations, use the cur command in the Load Balancing Settings menu (/cfg/ssl/server #/adv/loadbalanc).

[Backend Server 1 Menu]
     ip         - Set IP addr of backend server
     port       - Set backend server port
     sslconnect - Set perform SSL connect if enabled for server
     remote     - Set server is remote
     rname      - Set host name of remote server
     remotessl  - Set remote site is ssl
     lbstrings  - Set load balancing strings
     lbop       - Set string load balancing operation
     del        - Remove backend server
     ena        - Enable backend server
     dis        - Disable backend server

Table 10-39 Backend Server Menu Options (/cfg/ssl/server/adv/loadbalanc/backend)

Command Syntax and Usage

ip <backend server IP address in dotted decimal notation>

Sets the IP address of a backend server to which the virtual SSL server can initiate requests.


port <TCP port number>

Sets the TCP port to which the virtual SSL server connects when initiating requests. Note that the backend server(s) must be configured to listen for ASA traffic on the TCP port that you specify with this command.

sslconnect on|off

Enables or disables SSL connect on this particular backend server.

The default setting for sslconnect is on.

remote true|false

Specifies whether the current backend server should be indicated as remote. When set to true, the IP address of the backend server is matched with the virtual server IP (VIP) address contained in incoming cookies.

The default setting for remote is false.

rname <host name of remote server>

Specifies the host name of the remote server. The name you specify will be used in the redirect messages.

remotessl true|false

Specifies whether the remote server uses SSL. When the remote server is an HTTPS server, remotessl should be set to true. This will make the generated redirect an HTTPS redirect even if the local server is an HTTP server. This feature can be used for setting up an HTTP to HTTPS redirect service.

The default setting for remotessl is true.

lbstrings <index number of match strings>

Specifies which of the load balancing strings you may have defined should be mapped to the currently selected backend server. If the virtual SSL server is configured to perform load balancing of backend servers, and the load balancing type is set to string, then the specified load balancing metric (Hash, Round Robin, or Least Connections) is applied to the currently selected backend server only for those client requests in which a match of the specified load balancing strings is found.

You can also specify negative index numbers, which indicate that a match of the load balancing string represented by the specified index number must not be found in a client request for the backend server to be load balanced.


lbop any|all|one|none

Specifies for which of the load balancing strings you have specified (by using the lbstrings command), a match in a client request must be found for the backend server to be load balanced. Valid options are:

• any: A match of one or more of the specified load balancing strings must be found in a client request for the backend server to be load balanced.

• all: Matches of all specified load balancing strings must be found in a client request for the backend server to be load balanced.

• one: A match of one, and only one, of the specified load balancing strings (irrespective of which) must be found in a client request for the backend server to be load balanced.

• none: For the backend server to be load balanced, none of the specified load balancing strings may be found in a client request. If any match is found, the backend server is not load balanced.

The default load balancing operation (lbop) is any.
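The lbstrings and lbop rules above decide which backend servers remain candidates for a request before the load balancing metric is applied among them. The following Python is an added example, not ASA code. It treats each lbstrings entry as one condition (a positive index requires the string to be found, a negative index requires it not to be found; that reading of negative indexes is an assumption) and lets lbop combine the conditions. The load balancing strings, backend definitions and request texts are constructed, and whether a string matches is modelled as a plain substring test, since the ASA's own matching rules are not given on this page.

```python
LBOPS = ("any", "all", "one", "none")


def string_found(lb_string, request):
    """Constructed match rule: the load balancing string occurs anywhere in the
    client request. The ASA's real matching is not specified on this page."""
    return lb_string in request


def backend_is_candidate(request, lb_strings, lbstrings, lbop):
    """lb_strings: {index: string} defined for the virtual SSL server.
    lbstrings: indexes mapped to this backend; -n means string n must NOT match
    (assumption). lbop combines the resulting conditions as described above."""
    if lbop not in LBOPS:
        raise ValueError(f"unknown lbop {lbop!r}")
    conditions = []
    for idx in lbstrings:
        if idx == 0 or abs(idx) not in lb_strings:
            raise ValueError(f"load balancing string {idx} is not defined")
        found = string_found(lb_strings[abs(idx)], request)
        conditions.append(found if idx > 0 else not found)
    hits = sum(conditions)
    if lbop == "any":
        return hits >= 1
    if lbop == "all":
        return hits == len(conditions)
    if lbop == "one":
        return hits == 1
    return hits == 0            # none


def candidate_backends(request, lb_strings, backends):
    """Return the index numbers of enabled backends the metric may pick from.
    backends: {index: {"ena": bool, "lbstrings": [...], "lbop": str}}."""
    return [i for i, b in sorted(backends.items())
            if b["ena"] and backend_is_candidate(request, lb_strings, b["lbstrings"], b["lbop"])]


# Constructed configuration: three load balancing strings, five backends.
LB_STRINGS = {1: "/images/", 2: "/api/", 3: "User-Agent: Mobile"}
BACKENDS = {
    1: {"ena": True,  "lbstrings": [1],      "lbop": "any"},   # static content
    2: {"ena": True,  "lbstrings": [2, -3],  "lbop": "all"},   # API, desktop clients only
    3: {"ena": True,  "lbstrings": [2, 3],   "lbop": "all"},   # API, mobile clients only
    4: {"ena": True,  "lbstrings": [-1, -2], "lbop": "all"},   # everything else
    5: {"ena": False, "lbstrings": [1, 2],   "lbop": "one"},   # disabled: never chosen
}

# Constructed client requests.
MOBILE_API = "GET /api/v1/orders HTTP/1.1\r\nHost: shop.example.com\r\nUser-Agent: Mobile Safari\r\n\r\n"
DESKTOP_API = "GET /api/v1/orders HTTP/1.1\r\nHost: shop.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
IMAGE = "GET /images/logo.gif HTTP/1.1\r\nHost: shop.example.com\r\n\r\n"
HOME = "GET /index.html HTTP/1.1\r\nHost: shop.example.com\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("mobile api", MOBILE_API), ("desktop api", DESKTOP_API),
                      ("image", IMAGE), ("home", HOME)]:
        print(name, "->", candidate_backends(req, LB_STRINGS, BACKENDS))
```

Backend 4 shows the idiom for a catch-all: every string negated with lbop all, so it is a candidate only when no other string matched. Note that with lbop none the negated entries are negated twice, so read a configuration that mixes negative indexes with none carefully before relying on it.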

del

Removes the current backend server, including all its configuration. Before removing a backend server, use the /cfg/ssl/server #/adv/loadbalanc/cur command to examine all backend servers by index number and current configuration.

ena

Enables the current backend server. By default, all backend servers are enabled when created.

dis

Disables the current backend server.


/cfg/ssl/server <number>/adv/sslconnect

SSL Connect Configuration

The SSL Connect Settings menu is used for configuring the SSL protocol, the preferred cipher list, and client authentication for SSL connections between the ASA(s) and the backend servers.

[SSL Connect Settings Menu]
     protocol - Set protocol version
     cert     - Set client certificate
     ciphers  - Set accepted ciphers for SSL connect
     verify   - Verify server menu
     ena      - Enable SSL Connect
     dis      - Disable SSL Connect

Table 10-40 SSL Connect Settings Menu Options (/cfg/ssl/server/adv/sslconnect)

Command Syntax and Usage

protocol ssl2|ssl3|ssl23|tls1

Specifies the protocol the virtual SSL server should propose when establishing an SSL session with an SSL-enabled backend server. Valid options are:

• ssl2: Propose using only SSL 2.0.

• ssl3: Propose using SSL 3.0 or TLS 1.0.

• ssl23: Propose using any of SSL 2.0, SSL 3.0, or TLS 1.0.

• tls1: Propose using only TLS 1.0.

The default protocol value is ssl3.

cert <client certificate by index number>

Specifies which client certificate the selected virtual SSL server should present to the backend servers, in case the SSL software on the backend servers is configured to require a client certificate. Client authentication is seldom used for SSL connections between the ASAs and the backend servers, since the client (the ASA) is already known in these circumstances.

To view basic information about available certificates, use the /info/certs command. To generate a client certificate, see “Generating Client Certificates on the ASA” on page 91.


ciphers <cipher list format>

Specifies the list of preferred ciphers. This information is sent to the backend servers during the SSL handshake. The default cipher list corresponds to EXP-RC4-MD5:ALL!DH, which should be appropriate in most cases. The default cipher list provides for using lighter encryption algorithms between the ASAs and the backend servers than what is normally used between Internet clients and the ASAs. This is desirable mainly in terms of SSL performance. Since both the ASAs and the backend servers typically are behind a firewall in physically secured premises, using lighter encryption algorithms on this network segment should not compromise the overall security.

If you change the default list of preferred ciphers, make sure the specified ciphers are included in the backend servers’ list of preferred ciphers as the SSL connection will otherwise be refused.

For more information about supported ciphers and cipher list formats, see page 343.

verify

Displays the SSL Connect Verify Settings menu. To view menu options, see page 251.

ena

Enables SSL connections between the selected virtual SSL server and configured backend servers. By default, SSL connect is disabled.

For greater control, you can disallow SSL connections to a particular backend server by using the sslconnect command in the Backend Server menu. For more information, see the sslconnect command on page 247.

dis

Disables SSL connections between the selected virtual SSL server and all configured backend servers, irrespective of the SSL connect setting on individual backend servers. SSL connect is disabled by default.


/cfg/ssl/server <number>/adv/sslconnect/verify

SSL Connect Verify Configuration

The SSL Connect Verify Settings menu is used for configuring the desired certificate verification level when backend servers are authenticated. The menu is also used to specify the common name of backend servers, as well as setting the CA certificates used for backend server authentication.

[SSL Connect Verify Settings Menu]
     verify     - Set certificate verification level
     commonname - Set server common name
     cacerts    - Set list of accepted signers of server’s certificate

Table 10-41 SSL Connect Verify Settings Menu Options (/cfg/ssl/server/adv/sslconnect/verify)

Command Syntax and Usage

verify none|require

Specifies the authentication level to use when establishing an SSL connection towards a backend server. Valid options are:

• none: No server certificate is required.

• require: The server must present a valid certificate in order for the selected virtual SSL server to establish a session.

The default value is none.

commonname <common name of backend Web server>

Specifies the common name used in the backend server’s server certificate. In order to establish an SSL session, the common name you specify must match the common name found in the certificate used by the backend server(s).

The common name found in the server certificate normally corresponds to the name of the Web server as it appears in the URL used by Internet clients when accessing the Web server. Do not include the protocol specifier (http://) or any port numbers or pathnames in the common name. Wildcards (such as * or ?) and IP addresses are not allowed.

cacerts <CA certificate by index number>

Specifies which of the available CA certificates to use for backend server authentication. To view basic information about all certificates, use the /info/certs command.

To add a new CA certificate, see “Adding Certificates to the ASA” on page 81.

When specifying more than one certificate, separate the corresponding index numbers with commas, for example: 1,2,5
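The verify, commonname and cacerts settings (identical in the Remote SSL Connect Verify menu and the SSL Connect Verify menu above) together decide whether the virtual SSL server will trust a backend. The following Python is an added example, not ASA code; it models that decision and the commonname syntax rules offline. The certificate is represented as a small record whose signature and validity period are assumed to have been checked already, and the signer is identified by the index its CA certificate would have in /info/certs. All names, index numbers and records are constructed.

```python
import re
from dataclasses import dataclass


@dataclass
class BackendCert:
    common_name: str            # CN in the backend server certificate
    signer_index: int           # /info/certs index of the CA that signed it (constructed)
    signature_ok: bool = True   # assumption: chain, signature and validity already checked


@dataclass
class VerifySettings:
    verify: str = "none"        # none | require (default none)
    commonname: str = ""        # exact name expected in the backend certificate
    cacerts: str = ""           # accepted signers as an index list, e.g. "1,2,5"


_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_index_list(text):
    """'1,2,5' -> {1, 2, 5}; blanks around commas are tolerated."""
    return {int(part) for part in text.split(",") if part.strip()}


def commonname_is_valid(name):
    """Reject what the commonname description forbids: a protocol specifier,
    a port number, a pathname, wildcards and IP addresses."""
    if not name or ":" in name or "/" in name:
        return False
    if "*" in name or "?" in name:
        return False
    if _IPV4.match(name):
        return False
    return True


def backend_accepted(settings, cert):
    """Decide whether the virtual SSL server completes the SSL session.
    Returns (accepted, reason)."""
    if settings.verify == "none":
        # No certificate is required: the handshake completes with whatever
        # answers on the backend IP address and port, authenticated or not.
        return True, "verify none: backend server not authenticated"
    if settings.verify != "require":
        raise ValueError(f"unknown verify level {settings.verify!r}")
    if not commonname_is_valid(settings.commonname):
        raise ValueError(f"commonname {settings.commonname!r} is not a plain host name")
    if cert is None:
        return False, "require: backend presented no certificate"
    if not cert.signature_ok:
        return False, "require: certificate is not valid"
    if cert.signer_index not in parse_index_list(settings.cacerts):
        return False, f"require: signer {cert.signer_index} is not in cacerts"
    if cert.common_name != settings.commonname:
        return False, f"require: common name {cert.common_name!r} != {settings.commonname!r}"
    return True, "require: backend server authenticated"


# Constructed settings and certificates.
STRICT = VerifySettings(verify="require", commonname="app1.intranet.example.com", cacerts="1,2,5")
LAX = VerifySettings()   # the defaults: verify none
GOOD_CERT = BackendCert("app1.intranet.example.com", signer_index=2)
ROGUE_CERT = BackendCert("app1.intranet.example.com", signer_index=7)   # signed by an unknown CA
WRONG_NAME = BackendCert("app2.intranet.example.com", signer_index=1)

if __name__ == "__main__":
    for label, cfg, cert in [("strict/good", STRICT, GOOD_CERT),
                             ("strict/rogue CA", STRICT, ROGUE_CERT),
                             ("strict/wrong name", STRICT, WRONG_NAME),
                             ("default/rogue CA", LAX, ROGUE_CERT)]:
        print(label, backend_accepted(cfg, cert))
```

The last case is the one to keep in mind when leaving the default in place: with verify none the rogue certificate is accepted, because nothing about the backend is checked at all. Only require together with a commonname and a cacerts list that excludes CAs you do not control gives the ASA any assurance about which server it is handing the decrypted traffic to.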


/cfg/xnet

Xnet Menu

Under the Xnet menu you will find options for configuring the ASA for SSL VPN, e.g. authen-tication methods, portal layout and contents, groups, portal links, access rules and more.

The top level of the Xnet menu is used for configuring the idle timeout value for SSL VPN user sessions, as well as for accessing the Xnet Domain submenu.

[Xnet Menu]
     ttl    - Set login session TTL
     log    - Set log settings
     domain - Xnet domain menu

Table 10-42 Xnet Menu Options (/cfg/xnet)

Command Syntax and Usage

ttl <value in seconds (s), minutes (m), hours (h) or days (d)>

Sets the time-to-live (ttl) period during which an SSL VPN user session can be idle before the connection is automatically closed. When closed, the user must provide his or her user name and password to log in again.

When 10% of the portal idle timeout is reached, a logout warning window is displayed. The window warns the user about the upcoming logout and offers to refresh the portal connection. If the portal connection is not refreshed, the user is automatically logged out and the cache wiper is run (see the /cfg/ssl/server #/portal/wiper command).

To specify a value in minutes, hours or days, enter an integer directly followed by the letter m, h, or d, respectively.

If you enter an integer only, the value in seconds is implied.

The default idle timeout value is set to 15 minutes (15m). The maximum ttl period is 31 days.
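The ttl syntax above (an integer, optionally followed by s, m, h or d, seconds implied, at most 31 days) is easy to get wrong in scripts that push configuration to the ASA. The following Python is an added example, not ASA code: a parser for that value with the limits stated on this page, plus an idle-session check that shows what the value means for a session. Which inputs the real CLI additionally accepts (for example upper-case suffixes or surrounding blanks) is not stated on this page; this parser tolerates them as an assumption.

```python
import re

UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}
MAX_TTL_SECONDS = 31 * 86400          # "The maximum ttl period is 31 days."
DEFAULT_TTL = "15m"                   # the documented default

# Upper-case suffixes and surrounding blanks are accepted here as an assumption.
_TTL = re.compile(r"^\s*(\d+)\s*([smhd]?)\s*$", re.IGNORECASE)


def parse_ttl(text):
    """Return the idle timeout in seconds, or raise ValueError for input the
    ttl description does not allow."""
    m = _TTL.match(text)
    if not m:
        raise ValueError(f"ttl {text!r}: expected an integer with optional s/m/h/d suffix")
    seconds = int(m.group(1)) * UNIT_SECONDS[m.group(2).lower()]
    if seconds <= 0:
        raise ValueError("ttl must be positive")
    if seconds > MAX_TTL_SECONDS:
        raise ValueError(f"ttl {text!r} exceeds the 31 day maximum")
    return seconds


def session_expired(last_activity, now, ttl_text=DEFAULT_TTL):
    """True when the user has been idle for at least the configured ttl and
    must log in again (times are epoch seconds)."""
    return now - last_activity >= parse_ttl(ttl_text)


if __name__ == "__main__":
    for value in ("15m", "900", "2h", "31d"):
        print(value, "->", parse_ttl(value), "seconds")
    print("expired after 20 min idle at 15m:", session_expired(1_000_000, 1_001_200))
```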

log <options separated by a comma>

Lets you select one or several options, each generating their own set of syslog messages including date, time, type of request, user, source IP address and requested destination.

• login: Logs portal logins and logouts.

• http: Logs http requests made from the portal.

• portal: Logs other portal operations, e.g. ftp and smb file server access.

• reject: Logs rejected requests.

• socks: Logs SOCKS operations, i.e. requests made using the Portal page’s Advanced tab features (e.g. Telnet sessions) and SSL VPN client requests.

• all: Logs all options: login, http, portal, reject, and socks.

domain

Displays the Xnet Domain menu. To view menu options, see page 253.


/cfg/xnet/domain <number>

Xnet Domain Configuration

The Xnet Domain menu is used for configuring the Xnet domain, which is defined by the portal Web pages, the authentication method, the access rules (ACLs), and the mapping of user groups to access rules. As a basis for access rules, specific network and service definitions can be created and later be mapped to the access rules of the desired groups.

A specific Xnet domain is then mapped to one or more virtual SSL servers. The virtual SSL server to which you map an Xnet domain can be of the socks or portal type, depending on how you want to deploy the SSL VPN feature. The mapping of a virtual SSL server to a specific Xnet domain is done by using the /cfg/ssl/server #/socks/xnet command (for a server of the socks type), or the /cfg/ssl/server #/portal/xnet command (for a server of the portal type).

[Xnet Domain 1 Menu]
     quick     - AAA setup wizard
     portal    - Portal settings menu
     auth      - Authentication menu
     authorder - Set Authentication server fallback order
     network   - Network access menu
     service   - Service access menu
     appspec   - Application specific menu
     filter    - Client filter menu
     group     - Group menu
     defgroup  - Set default group
     radacct   - Radius accounting menu
     del       - Remove Xnet domain

Table 10-43 Xnet Domain Menu Options (/cfg/xnet/domain)

Command Syntax and Usage

quick

Starts the AAA Quick Setup Wizard. The wizard automatically configures 10 default services (see the /cfg/xnet/domain #/service command). A trusted account will also be configured as the trusted group with the first available group index number. The user name and password supplied in the wizard create a user in the local database that is mapped to the trusted group. Members of the trusted group are granted access to all networks, services and paths.

portal

Displays the Portal menu. To view menu options, see page 256.

auth

Displays the Authentication menu. To view menu options, see page 259.


authorder <authentication ID numbers, separated by comma>

Sets the order in which the defined authentication methods are applied when an SSL VPN user logs in to the portal. For example, if you have configured RADIUS authentication under authentication ID 1, LDAP authentication under authentication ID 2, and Local database authentication under authentication ID 3, you can specify in which order these authentication methods should be applied. When a match of user name and password is found, the remaining authentication methods are skipped. For best performance, you should therefore specify the authentication ID that represents the method by which the bulk of users are authenticated as the first number. Also, if you use the Local database for authentication, specify that method first since it is performed extremely fast regardless of the number of users in the database. For other methods, the response times may vary depending on the current network load, server performance, number of users in the database, etc.

Example from a CLI session:

     >> Xnet Domain # authorder
     Current value: 1
     Enter auth order (comma separated): 3,2,1

Where number 1 = Local Database, number 2 = LDAP, and number 3 = RADIUS in this example.

Note: Even if you have defined only one authentication method, the authentication ID representing that method must be specified using the authorder command. To view which authentication ID number corresponds to a currently configured authentication method, use the /cfg/xnet/domain #/cur command.

network

Displays the Network menu, after you have typed the index number or name of an existing network or the index number of a new network. To view existing network entries, press TAB following the network command.

To view menu options, see page 274.

service

Displays the Service menu, after you have typed the index number or name of an existing service or the index number of a new service. To view existing service entries, press TAB following the service command.

To view menu options, see page 276.

appspec

Displays the Appspecific menu, after you have typed the index number or name of an existing appspec entry or the index number of a new appspec entry. To view existing appspec entries, press TAB following the appspec command.

To view menu options, see page 278.


filter

Displays the Client Filter menu, after you have typed the index number or name of an existing filter or the index number of a new filter. To view existing filter entries, press TAB following the filter command.

To view menu options, see page 280.

group <group by ID number or name>

Displays the Group menu. To view menu options, see page 282.

defgroup <default group by name>

Sets an existing user access group that has been defined using the /cfg/xnet/domain/group command as the default user access group.

The default group is applied to an authenticated SSL VPN user whose group membership cannot be determined. This typically happens when a match between the user’s group membership as specified in the authentication mechanism holding the SSL VPN user’s credentials (user name, password, and group membership), and the corresponding group name as specified in the Xnet domain (using the /cfg/xnet/domain/group command) cannot be found.

In such a case, the authenticated SSL VPN user will automatically become a member of the specified default group, and the access control lists associated with the default group will determine which rights are granted to the user.

Note: Because the default group applies to any SSL VPN user whose group membership cannot be determined, make sure that the access control lists associated with the default group do not grant excessive rights.

radacct

Displays the RADIUS Accounting menu.

To view menu options, see page 297.

del

Removes the current Xnet domain configuration.


/cfg/xnet/domain <number>/portal

SSL VPN Portal Configuration

The Portal menu is used to customize the default Web page that is displayed in the client’s Web browser after a successful login to the SSL VPN portal. The Web page serves as the user’s portal to the services provided.

You can change the banner image and the text that is displayed above the list of links made available for the user. You can also change four of the portal colors and define a company name.

[Portal Menu]
     import     - Import banner image gif
     restore    - Restores default Nortel banner
     banner     - Show installed banner file
     redirect   - Set redirect URL
     linktext   - Set static text on link page
     companynam - Set company name used on portal pages
     nortelbran - Set Nortel branding
     colors     - Portal colors menu

Table 10-44 Portal Menu Options (/cfg/xnet/domain/portal)

Command Syntax and Usage

import <protocol [tftp|ftp]> <server by host name or IP address> <name of GIF file>

Downloads a banner file in the GIF format from a TFTP or FTP server. When the download is complete and you apply the changes, the current banner image on the portal Web page is replaced.

Note: Users that are currently logged in will not notice the change unless they reload the portal Web page.

restore

Restores the default Nortel Networks Extranet banner.

banner

Displays the file name of the banner image file currently in use.


redirect <URL, e.g. http://inside.example.com>

Sets the URL (if any) to which users should automatically be redirected after having authenticated on the Portal login page.

To redirect the user to an internal password-protected site without a second login, enter e.g.

http://<user>:<password>@inside.example.com when prompted for the URL.

This requires the user name and password required on the intranet site to be identical with the Portal’s user name and password. Note that the credentials then travel as part of the URL, where they can be recorded in the browser history and in proxy or Web server logs; use this form only if that exposure is acceptable on your network.

Note that the user will not be able to access the Portal tabs.

To remove a previously entered URL, simply press ENTER when prompted for the URL.

For the visitor to be able to log out from the Portal from the internal site, a logout link should be inserted on that page. This is what a logout link in HTML format might look like:

<a href="https://vpn.example.com/logout.yaws">Logout from portal</a>

linktext

Sets the static text that is displayed for all SSL VPN users on the Portal’s Home tab. The text is displayed above the links that are specific for an SSL VPN user, depending on their group membership. The link text can either be typed directly in the CLI, or pasted when prompted. Follow the instructions provided in the CLI when using the linktext command.

The text can also be interspersed with HTML tags to add formatting elements to the text. You can also use the following macros in the link text:

• <user>: This macro automatically replaces <user> with the currently logged in SSL VPN user’s user name.

• <group>: This macro automatically replaces <group> with the name of the group in which the currently logged in SSL VPN user is a member. If the user is a member of more than one group, the name of the primary group is used. The first match between a group name defined in the Xnet domain and any group listed in the authentication mechanism that applies to the user is considered the primary group. When searching for a matching group name, the system starts with group ID 1, then continues with group ID 2 and so on until a match is found.

Chapter 17, “Customize the Portal Page” in the Application Guide includes an example of how to configure group-controlled redirection to internal sites by embedding the <group> macro in a JavaScript.
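The authorder, defgroup and <group> macro descriptions above define one login procedure: try the authentication IDs in the configured order and stop at the first match, then take as primary group the first Xnet domain group (in group ID order) that appears among the groups the authentication server reports for the user, falling back to the default group when none matches. The following Python is an added example, not ASA code, modelling that procedure against constructed authentication servers and groups. The server records, user names, passwords and group names are made up, and the assumption that each server returns the user's group names as a list stands in for whatever the real RADIUS, LDAP, NTLM and local database mechanisms deliver.

```python
def parse_authorder(text):
    """'3,2,1' -> [3, 2, 1]."""
    return [int(p) for p in text.split(",") if p.strip()]


class AuthServer:
    """Constructed stand-in for one authentication ID: maps a user name to
    (password, [group names]) and answers an authentication request."""

    def __init__(self, name, users):
        self.name = name
        self.users = users

    def authenticate(self, username, password):
        """Return the user's group names on success, or None on failure."""
        entry = self.users.get(username)
        if entry is None or entry[0] != password:
            return None
        return list(entry[1])


def authenticate(username, password, authorder, auth_servers):
    """Apply the authentication IDs in authorder; stop at the first match.
    Returns (auth_id, groups, ids_tried); auth_id is None when every listed
    server refused. IDs configured but not listed in authorder are never consulted."""
    tried = []
    for auth_id in parse_authorder(authorder):
        if auth_id not in auth_servers:
            raise ValueError(f"authentication ID {auth_id} is not configured")
        tried.append(auth_id)
        groups = auth_servers[auth_id].authenticate(username, password)
        if groups is not None:
            return auth_id, groups, tried
    return None, [], tried


def primary_group(user_groups, domain_groups, defgroup):
    """domain_groups: {group_id: name}. The first domain group, searched from
    group ID 1 upward, that is among the user's groups is the primary group;
    otherwise the default group applies."""
    for _gid, name in sorted(domain_groups.items()):
        if name in user_groups:
            return name
    return defgroup


def render_linktext(template, username, group):
    """Expand the <user> and <group> macros in the static link text."""
    return template.replace("<user>", username).replace("<group>", group)


def portal_login(username, password, domain):
    """Full login: authentication order, group mapping, link text.
    Returns None when the credentials are refused by every listed server."""
    auth_id, groups, _ = authenticate(username, password, domain["authorder"], domain["auth"])
    if auth_id is None:
        return None
    group = primary_group(groups, domain["groups"], domain["defgroup"])
    return {"auth_id": auth_id, "group": group,
            "linktext": render_linktext(domain["linktext"], username, group)}


# Constructed Xnet domain: 1 = local database, 2 = LDAP, 3 = RADIUS, 4 = NTLM (not in authorder).
DOMAIN = {
    "authorder": "3,2,1",
    "auth": {
        1: AuthServer("local",  {"admin": ("hunter2", ["trusted"])}),
        2: AuthServer("ldap",   {"alice": ("s3cret",  ["finance", "staff"]),
                                 "bob":   ("pa55",    ["contractors"])}),
        3: AuthServer("radius", {"alice": ("otp-417", ["staff"])}),
        4: AuthServer("ntlm",   {"dave":  ("winpw",   ["staff"])}),
    },
    "groups": {1: "trusted", 2: "finance", 3: "staff"},
    "defgroup": "guests",
    "linktext": "Welcome <user>, you are logged in as a member of <group>.",
}

if __name__ == "__main__":
    for user, pw in [("alice", "otp-417"), ("alice", "s3cret"), ("bob", "pa55"),
                     ("dave", "winpw"), ("admin", "hunter2")]:
        print(user, "->", portal_login(user, pw, DOMAIN))
```

Two of the constructed cases are worth checking against your own configuration. "alice" exists on both the RADIUS and the LDAP server with different passwords, and which server accepts her decides which group list is used and therefore which access rules apply, so the authentication order is an access control decision as well as a performance one. "bob" authenticates but belongs to no group the Xnet domain knows, so he lands in the default group, which is why the note under defgroup asks you to keep that group's access control lists narrow.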

companynam

Sets your own company name. This name will be displayed instead of Nortel Networks Inc. on the portal pages.

nortelbran on|off

By setting this command to off, the Nortel logo displayed bottom left on the SSL VPN Portal will be hidden.

colors

Displays the Portal Colors Menu for you to change any of the four portal colors.


/cfg/xnet/domain <number>/portal/colors

Portal Colors Configuration

The Portal Colors menu is used to customize the Portal page with respect to colors.

The color code should be entered as a hexadecimal value and is not case-sensitive. For a list of common colors with their corresponding hexadecimal value, see the “Customize the Portal Page” chapter in the Alteon SSL Accelerator 4.1.2 Application Guide.

NOTE – Users that are currently logged in will notice the change when they reload the Portal Web page.

[Portal Colors Menu]
     color1  - Set portal color 1
     color2  - Set portal color 2
     color3  - Set portal color 3
     color4  - Set portal color 4
     restore - Restore colors to default settings

Table 10-45 Portal Colors Menu Options (/cfg/xnet/domain/portal/colors)

Command Syntax and Usage

color1 <#hexadecimal color code>

Refers to non-active tabs on the Portal page. The default value is #999999 (dark gray).

To change the color, enter the new color as a hexadecimal value, e.g. #FF0000 for red.

color2

Refers to the area where links and input fields are displayed. The default value is #CECECE (light gray).

To change the color, enter the new color as a hexadecimal value, e.g. #F5F5DC for beige.

color3

Refers to headings above the link/input area. The default value is #003399 (dark blue).

To change the color, enter the new color as a hexadecimal value, e.g. #0000CD for medium blue.

color4

Refers to active tabs. The default value is #FF9900 (orange).

To change the color, enter the new color as a hexadecimal value, e.g. #008000 for green.

restore

Restores the default Portal colors.


/cfg/xnet/domain <number>/auth <id>

Authentication Configuration

The Authentication menu is used for defining an authentication method that applies to the current Xnet domain. After having defined the desired authentication method, you can specify in which order the authentication methods should be applied when a user logs in to the Xnet domain. Each authentication method you define corresponds to a specific authentication ID (auth id). You are prompted for an authentication ID upon entering the Authentication menu. By providing an authentication ID number not currently used by the system, a new ID is created and you can then configure a new authentication type.

NOTE – Not all menu items appear; the radius, ldap, ntlm and local options each appear only when they are selected as the authentication mechanism.

To view which authentication IDs are currently in use, press Tab after having typed the /cfg/xnet/domain #/auth command.

[Authentication 1 Menu]
    type    - Set authentication mechanism
    name    - Set server name
    display - Set server display name
    radius  - RADIUS settings menu
    ldap    - LDAP settings menu
    ntlm    - NTLM settings menu
    local   - Local database menu
    adv     - Advanced settings menu
    del     - Remove Authentication

To set the order in which the authentication methods are applied when an SSL VPN user logs in to the portal Web page, use the /cfg/xnet/domain #/authorder command.

Table 10-46 Authentication Menu Options (/cfg/xnet/domain/auth)

Command Syntax and Usage

type radius|ldap|ntlm|local

Sets which authentication mechanism you want to configure for the Xnet domain. The mechanism you choose is mapped to the current authentication ID.

name

Lets you specify a name for the authentication server.

This name can, for example, be selected in a client filter and used as a condition for extended access rights for group members who have authenticated to this server. For more information about client filters, see page 280.

display

Lets you specify a display name for the authentication server. The name is displayed in the Login Service list box on the Portal login page for the user to select a specific authentication server, e.g. for token authentication or direction to a specific Windows domain. If the user selects default in the Login Service list box, authentication will be carried out according to the configured authentication order.

radius

Displays the RADIUS menu. To view menu options, see page 261.

Note: The radius menu item is only available when the authentication mechanism is set to radius.

ldap

Displays the LDAP menu. To view menu options, see page 264.

Note: The ldap menu item is only available when the authentication mechanism is set to ldap.

ntlm

Displays the NTLM menu. To view menu options, see page 268.

Note: The ntlm menu item is only available when the authentication mechanism is set to ntlm.

local

Displays the Local database menu. To view menu options, see page 270.

Note: The local menu item is only available when the authentication mechanism is set to local.

adv

Displays the Advanced settings menu. To view menu options, see page 273.

del

Removes all settings for the current authentication ID.

/cfg/xnet/domain <number>/auth <id>/radius

RADIUS Configuration

The RADIUS menu is used for configuring remote authentication of users in the Xnet domain by way of the RADIUS access control protocol. The menu is also used for accessing the Radius Servers menu, where the actual RADIUS servers used for remote authentication of SSL VPN users can be specified.

To access the RADIUS menu, the authentication type for the current authentication ID must be set to radius.

[RADIUS Menu]
    servers    - RADIUS servers menu
    vendorid   - Set vendor id for group attribute
    vendortype - Set vendor type for group attribute
    timeout    - Set RADIUS server timeout

Table 10-47 RADIUS Menu Options (/cfg/xnet/domain/auth/radius)

Command Syntax and Usage

servers

Displays the RADIUS Servers menu. To view menu options, see page 263.

vendorid <integer value>

Assigns the SMI Network Management Private Enterprise Code (as defined by IANA in the file http://www.iana.org/assignments/enterprise-numbers) to the Vendor-Id vendor specific attribute.

The Vendor-Id, represented by the private enterprise number, is one of the RADIUS vendor-specific attributes.

The default vendor-Id is set to 1872 (Alteon).

Note: If another vendor-Id is used by your RADIUS system, you can use the vendorid command to bring the SSL VPN RADIUS configuration in line with the value used by the remote RADIUS system. Contact your RADIUS system administrator for more information.

vendortype <integer value>

Assigns a number to the vendor specific attribute Vendor type used in RADIUS.

Used in combination with the Vendor-Id number, the vendor type number identifies the group in which users who should be allowed access to the Xnet domain via RADIUS authentication are members.

The group name(s) to which the vendor specific attribute points must be defined in the Xnet domain, complete with one or more access control lists. Xnet domain group names and access con-trol lists are defined by using the /cfg/xnet/domain #/group # command.

The default vendor type value is set to 1. The usage of the vendor type attribute conforms to the recommendations in RFC 2865, section 5.26.

Note: If another number for vendor type is used by your RADIUS system, you can use the vendortype command to bring the SSL VPN RADIUS configuration in line with the value used by the remote RADIUS system. Contact your RADIUS system administrator for more information.

timeout <value in seconds>

Sets a timeout value in seconds for a connection request to a RADIUS server. If the timeout value elapses before a connection is established, the authentication will fail.

The default RADIUS server timeout value is 5 seconds.

/cfg/xnet/domain <number>/auth <id>/radius/servers

Radius Servers Menu

The RADIUS Servers menu enables you to list the configured RADIUS servers, delete a RADIUS server, or add a new RADIUS server to the Xnet domain configuration.

To enable RADIUS authentication using the servers added to the list, make sure that the authentication ID that represents the RADIUS configuration is specified using the /cfg/xnet/domain #/authorder command.

[RADIUS servers Menu]
    list   - List all values
    del    - Delete a value by number
    add    - Add a new value
    insert - Insert a new value
    move   - Move a value by number

Table 10-48 RADIUS Servers Menu Options (/cfg/xnet/domain/auth/radius/servers)

Command Syntax and Usage

list

Displays all RADIUS servers that are added to the RADIUS configuration in the current Xnet domain. The servers are listed by their respective index number, IP address, and shared secret.

del <RADIUS server by index number>

Removes the specified server from the Xnet domain configuration. Use the list command to display the index numbers of all added RADIUS servers.

add <IP address of RADIUS server> <TCP port number> <shared secret>

Adds a RADIUS server to the Xnet domain configuration. Specify the IP address, a TCP port number, and the shared secret. The next available index number is assigned automatically by the system. A maximum of three RADIUS servers can co-exist in the configuration.

Note: The default port number used by the RADIUS protocol is 1812.

insert <index number to insert at> <IP address of RADIUS server to add>

Assigns a specific index number to the RADIUS server you add. The index number you specify must be in use. RADIUS servers with an index number higher than (and including) the one you specify will have their current index number incremented by 1.

move <index number to move> <destination index number>

Moves a RADIUS server up or down in the list of configured servers. The index number you specify must be in use. To view all RADIUS servers currently added to the Xnet domain configuration, use the list command.

/cfg/xnet/domain <number>/auth <id>/ldap

LDAP Configuration

The LDAP menu is used for configuring remote authentication of users in the Xnet domain by way of the Lightweight Directory Access Protocol (LDAP). The menu is also used for accessing the LDAP Servers menu, where the actual servers used for remote authentication of SSL VPN users can be specified.

To access the LDAP menu, the authentication type for the current authentication ID must be set to ldap.

[LDAP Menu]
    servers    - LDAP servers menu
    searchbase - Set search base entry
    groupattr  - Set LDAP group attribute
    userattr   - Set LDAP user attribute
    isdbinddn  - Set iSD bind DN
    isdbindpas - Set iSD bind password
    enaldaps   - Set Enable LDAPS
    timeout    - Set LDAP server timeout

Table 10-49 LDAP Menu Options (/cfg/xnet/domain/auth/ldap)

Command Syntax and Usage

servers

Displays the LDAP Servers menu. To view menu options, see page 266.

searchbase <searchbase entry>

Method 1: Assigns the DN (Distinguished Name) that points to the entry one level up from where all user entries are found.

Example: A searchbase value set to ou=People,dc=bluetail,dc=com implies that authentication will be performed against a DN that corresponds to the following: uid=<user>,ou=People,dc=bluetail,dc=com (where uid is an example of a user attribute, ou = organization unit, and dc = domain component).

With Method 1, the isdbinddn and isdbindpas commands should not be used.

Method 2: If user entries are located in several different places in the LDAP Directory Information Tree (DIT), or if the user's login name (used to log in to the SSL VPN portal) is different from the user record identifier (RDN), the DIT has to be searched.

The DN assigned here should point to a position in the DIT from where all user records can be found, using a subtree search.

To be able to search the DIT, the ASA must authenticate itself towards the LDAP server, according to the settings made with the isdbinddn and isdbindpas commands.

groupattr <group attribute names, separated by comma>

Defines the LDAP attribute that contains the name(s) of the group(s) of which a particular user in the Xnet domain is a member. The group names contained in the LDAP attribute must be defined in the Xnet domain, complete with one or more access control lists. Xnet domain group names and access control lists are defined by using the /cfg/xnet/domain #/group # command.

If you specify more than one group attribute name, separate the names with comma (,).

userattr <user attribute name>

Method 1: Defines the LDAP attribute that contains the user name used for authenticating a user in the Xnet domain.

The default user attribute name is uid.

Method 2: If the user's portal login name is not identical with the user record identifier (RDN), e.g. when using LDAP for authentication towards Active Directory, the LDAP Directory Information Tree (DIT) has to be searched for the user record, using a combination of the user's login name and a user attribute.

Example: In Active Directory, a user record is defined as the following DN (Distinguished Name): cn=Bill Smith, ou=people, dc=bluetail, dc=com. It also contains the attribute sAMAccountName with the value bill, which corresponds to the user’s login name. Thus, if userattr is defined as sAMAccountName, the user record Bill Smith will be found.

To be able to search the DIT, the ASA must authenticate itself towards the LDAP server, according to the settings made with the isdbinddn and isdbindpas commands.

isdbinddn

Points out an entry in the LDAP server used for authenticating the ASA.

This command is only used with Method 2.

isdbindpas

Sets the password to be used when the ASA authenticates itself to the LDAP entry pointed out with the isdbinddn command.

This command is only used with Method 2.

enaldaps true|false

By setting this command to true, LDAP requests between the ASA and the LDAP server will be made using a secure SSL connection, i.e. LDAPS.

When applying the changes, a warning message will be displayed if the LDAP server ports are not the standard LDAPS ones (i.e. 636).

The default value is false.

timeout <value in seconds>

Sets a timeout value in seconds for a connection request to an LDAP server. If the timeout value elapses before a connection is established, the authentication will fail.

The default LDAP server timeout value is 5 seconds.
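As an added example (not from the manual or the ASA firmware), the following Python shows what the two searchbase/userattr methods above amount to: Method 1 derives the user's DN from userattr, the login name and the search base; Method 2 searches the DIT from the search base with a filter on userattr. The plan_ldap_auth helper and the rule it applies (a non-empty isdbinddn selects Method 2) are assumptions; login names are escaped per RFC 4514 (DN) and RFC 4515 (filter) so that a crafted login name cannot change the DN or the filter, and all directory values are constructed.

```python
from typing import Dict, Optional


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a Distinguished Name (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter (RFC 4515)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def method1_bind_dn(searchbase: str, userattr: str, login: str) -> str:
    """Method 1: every user entry sits directly under the search base, so the DN
    to authenticate against is <userattr>=<login>,<searchbase>."""
    return f"{userattr}={escape_dn_value(login)},{searchbase}"


def method2_search(searchbase: str, userattr: str, login: str) -> Dict[str, str]:
    """Method 2: the login name is not the RDN, so the DIT is searched (subtree
    scope from the search base) for the entry whose userattr equals the login."""
    return {
        "base": searchbase,
        "scope": "subtree",
        "filter": f"({userattr}={escape_filter_value(login)})",
    }


def plan_ldap_auth(cfg: Dict[str, Optional[str]], login: str) -> Dict[str, object]:
    """Hypothetical helper: choose the method from the LDAP menu settings.
    Method 2 requires isdbinddn/isdbindpas and Method 1 must not set them, so a
    non-empty isdbinddn is taken here as the signal for Method 2 (assumption)."""
    searchbase = cfg["searchbase"]
    userattr = cfg.get("userattr") or "uid"  # uid is the documented default
    if cfg.get("isdbinddn"):
        return {
            "method": 2,
            "service_bind_dn": cfg["isdbinddn"],  # the ASA binds as this entry first
            "search": method2_search(searchbase, userattr, login),
        }
    return {"method": 1, "bind_dn": method1_bind_dn(searchbase, userattr, login)}


if __name__ == "__main__":
    # Constructed settings mirroring the manual's two examples.
    print(plan_ldap_auth({"searchbase": "ou=People,dc=bluetail,dc=com"}, "john"))
    print(plan_ldap_auth({"searchbase": "dc=bluetail,dc=com",
                          "userattr": "sAMAccountName",
                          "isdbinddn": "cn=asa,ou=services,dc=bluetail,dc=com"}, "bill"))
```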

/cfg/xnet/domain <number>/auth <id>/ldap/servers

LDAP Servers Menu

The LDAP Servers menu enables you to list the configured LDAP servers, delete an LDAP server, or add a new LDAP server to the Xnet domain configuration.

If you add more than one LDAP server to the list, remember that the first accessible LDAP server in the list will return a reply to the query. This stops the query, regardless of whether a match for the SSL VPN user's credentials was found. Therefore, the main purpose of adding more than one LDAP server is to provide redundancy, which requires that each listed LDAP server contains the same SSL VPN user database.

If you for some reason would like to disperse your SSL VPN users in different LDAP server databases, you can configure another LDAP server using a different authentication ID. By including both authentication IDs in the Xnet domain authentication order, each LDAP server could then be used for authenticating different groups of SSL VPN users.

To enable LDAP authentication using the servers added to the list, make sure that the authentication ID that represents the LDAP configuration is included in the authentication order you have specified for the Xnet domain. To view the current authentication order in the Xnet domain, use the /cfg/xnet/domain #/authorder command.

[LDAP servers Menu]
    list   - List all values
    del    - Delete a value by number
    add    - Add a new value
    insert - Insert a new value
    move   - Move a value by number

Table 10-50 LDAP Servers Menu Options (/cfg/xnet/domain/auth/ldap/servers)

Command Syntax and Usage

list

Displays all LDAP servers that are added to the LDAP configuration in the current Xnet domain. The servers are listed by their respective index number and IP address.

del <LDAP server by index number>

Removes the specified LDAP server from the Xnet domain configuration. Use the list command to display the index numbers of all added LDAP servers.

add <IP address of LDAP server> <TCP port number>

Adds an LDAP server to the Xnet domain configuration. Specify the IP address of the LDAP server, and a TCP port number. The next available index number is assigned automatically by the system. A maximum of three LDAP servers can co-exist in the configuration.

Note: The default port number used by the LDAP protocol is 389.

insert <index number to insert at> <IP address of LDAP server to add>

Assigns a specific index number to the LDAP server you add. The index number you specify must be in use. LDAP servers with an index number higher than (and including) the one you specify will have their current index number incremented by 1.

move <index number to move> <destination index number>

Moves an LDAP server up or down in the list of configured servers. The index numbers you specify must be in use. To view all LDAP servers currently added to the system configuration, use the list command.

/cfg/xnet/domain <number>/auth <id>/ntlm

NTLM Configuration

The NTLM menu is used for accessing the NTLM Servers menu, where the actual servers used for remote authentication of SSL VPN users can be specified. The menu also includes a command for placing SSL VPN users whose NTLM password has expired in a predefined group.

To access the NTLM menu, the authentication type for the current authentication ID must be set to ntlm.

[NTLM Menu]
    servers - NTLM servers menu
    exp     - Set password expired group

Table 10-51 NTLM Menu Options (/cfg/xnet/domain/auth/ntlm)

Command Syntax and Usage

servers

Displays the NTLM Servers menu. To view menu options, see page 269.

exp <group name>

Sets the group in which the SSL VPN user should automatically be placed if the user's NTLM password has expired.

Before using this command, define a user group in the Local database. As the only group link, define a link to a site where the user can change his NTLM password. Also remember to configure an access rule restricting access to the specified site.

Group configuration is described on page 282.

/cfg/xnet/domain <number>/auth <id>/ntlm/servers

NTLM Servers Menu

The NTLM Servers menu enables you to list the configured NTLM servers, delete an NTLM server, or add a new NTLM server to the Xnet domain configuration.

To enable NTLM authentication using the servers added to the list, make sure that the authentication ID that represents the NTLM configuration is specified using the /cfg/xnet/domain #/authorder command.

[NTLM servers Menu]
    list   - List all values
    del    - Delete a value by number
    add    - Add a new value
    insert - Insert a new value
    move   - Move a value by number

Table 10-52 NTLM Servers Menu Options (/cfg/xnet/domain/auth/ntlm/servers)

Command Syntax and Usage

list

Displays all NTLM servers that are added to the NTLM configuration in the current Xnet domain. The servers are listed by their respective index number and IP address.

del <NTLM server by index number>

Removes the specified NTLM server from the Xnet domain configuration. Use the list command to display the index numbers of all added NTLM servers.

add <IP address of NTLM server>

Adds an NTLM server to the Xnet domain configuration. Specify the IP address of the NTLM server in dotted decimal notation. The next available index number is assigned automatically by the system. A maximum of three NTLM servers can co-exist in the configuration.

insert <index number to insert at> <IP address of NTLM server to add>

Assigns a specific index number to the NTLM server you add. The index number you specify must be in use. NTLM servers with an index number higher than (and including) the one you specify will have their current index number incremented by 1.

move <index number to move> <destination index number>

Moves an NTLM server up or down in the list of configured servers. The index numbers you specify must be in use. To view all NTLM servers currently added to the Xnet domain configuration, use the list command.

/cfg/xnet/domain <number>/auth <id>/local

Local Database Configuration

The Local database menu is used for managing the authentication of users in the Xnet domain locally, where users are added to a local database in the ASA cluster. The ASA can perform authentication for users and authorization to resources in the Xnet domain in parallel with remote authentication methods such as RADIUS, LDAP or NTLM. Configuring the ASA to perform authentication of users in the Xnet domain is mainly useful in the following scenarios:

• Quickly adding a limited number of Xnet domain users.

• Providing a group of users, such as a project group, with access to the Xnet domain for a limited time.

• Testing purposes.

[Local database Menu]
    add    - Add/edit user in local database
    del    - Delete user from local database
    list   - List users in local database
    import - Import database from TFTP/FTP server
    export - Export database to TFTP/FTP server

Note: When using the /cfg/dump or /cfg/ptcfg commands to create a backup of the current configuration, users that have been added to the local database are not included in the configuration output. To create a backup of the local user database, use the /cfg/xnet/domain #/auth #/local/export command instead.

Table 10-53 Local database Menu Options (/cfg/xnet/domain/auth/local)

Command Syntax and Usage

add <user name> <user password> <group name>

Adds a user to the local authentication database. You need to provide the user name and password for the user, as well as the group(s) in which the user is a member. The user name must be unique. When the user attempts to log in to the Xnet domain, the user is prompted for the user name and password you define here.

The group name is used for authorization, controlling access to resources by checking the specified group name against one or more access rules associated with the group. The group name you specify when adding a user must therefore exist in the current Xnet domain configuration, along with one or more access rules valid for the group.

To view which group names and associated access rules are currently defined in the Xnet domain configuration, use the /cfg/xnet/domain #/cur command.

Note: If a user is authenticated by a remote server (such as a RADIUS or LDAP server), and that server cannot be configured to return a list of group names upon authentication, the local database can be used for authorization only. To achieve such a “division of labor”, provide the user name and group name(s) when prompted, but substitute the actual password for the specified user name with an asterisk (*).

Example from CLI session:

>> Local database# add
Enter user name: john
Enter passwd: *
Enter group names (comma separated): staff

For instructions on how to configure the ASA to perform remote server authentication in conjunction with local database authorization, see the groupauth command on page 273.

del <user by name>

Deletes the specified user from the local user database.

list

Lists all users added to the local database by user name, password (in plain text), and group membership. The maximum number of entries in the database that can be displayed simultaneously using the list command is limited to 100. If there are more than 100 entries in the database, you can narrow your search by modifying the list command using a string of characters directly followed by an asterisk (*).

Example: The command list jo* will display all entries with user names that start with the letters jo.

import <protocol [tftp|ftp]> <server host name or IP address> <file name>

Imports a populated database from a TFTP or FTP server. The file you import must be in ASCII format and contain row entries with the required values separated by colon (:).

Example: username:password:group1,group2,group3

Note: Existing entries in the local database will be overwritten by the imported database.

export <protocol [tftp|ftp]> <server host name or IP address> <destination file name>

Exports the local database in ASCII format to a TFTP or FTP server.
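An added example, not part of the manual or the product: a Python checker for the colon-separated ASCII file that import consumes and export produces, applying the rules stated above for the add command (user names must be unique, every group must exist in the Xnet domain, and an asterisk in the password field marks an authorization-only entry). Because an import overwrites the existing database, checking the whole file first is worthwhile; the sample file, the group names and the function names are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class LocalUser:
    name: str
    password: Optional[str]  # None for an authorization-only entry ("*")
    groups: List[str]


def parse_local_db(text: str, known_groups: Set[str]) -> Tuple[List[LocalUser], List[str]]:
    """Parse username:password:group1,group2,... lines. Returns the accepted
    users and a list of problems, so the whole file is reviewed in one pass
    rather than stopping at the first bad line."""
    users: List[LocalUser] = []
    problems: List[str] = []
    seen: Set[str] = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 3:
            # A password containing ':' cannot be represented unambiguously in
            # this format, so such lines are reported instead of guessed at.
            problems.append(f"line {lineno}: expected user:password:groups, got {len(fields)} field(s)")
            continue
        name, password, group_field = fields
        if not name:
            problems.append(f"line {lineno}: empty user name")
            continue
        if name in seen:
            problems.append(f"line {lineno}: duplicate user name {name!r}; user names must be unique")
            continue
        groups = [g for g in group_field.split(",") if g]
        if not groups:
            problems.append(f"line {lineno}: user {name!r} has no group, so no access rule can apply")
            continue
        unknown = sorted(set(groups) - known_groups)
        if unknown:
            problems.append(f"line {lineno}: user {name!r} references undefined group(s) {unknown}")
            continue
        seen.add(name)
        users.append(LocalUser(name, None if password == "*" else password, groups))
    return users, problems


def authorization_only(users: List[LocalUser]) -> List[str]:
    """Names of entries whose password is '*': they carry group membership only
    and rely on a remote server (RADIUS/LDAP) for authentication."""
    return [u.name for u in users if u.password is None]


# Constructed sample file: one authorization-only entry, one normal entry, and
# three lines an operator should fix before importing. Note that passwords are
# stored and listed in plain text, so the file itself needs protecting.
SAMPLE_FILE = """john:*:staff
mary:s3cret:staff,engineering
bob:pw:nosuchgroup
john:again:staff
broken line without colons
"""
KNOWN_GROUPS = {"staff", "engineering"}  # groups defined via /cfg/xnet/domain #/group #

if __name__ == "__main__":
    accepted, issues = parse_local_db(SAMPLE_FILE, KNOWN_GROUPS)
    for user in accepted:
        print(user)
    for issue in issues:
        print("problem:", issue)
    print("authorization-only:", authorization_only(accepted))
```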

/cfg/xnet/domain <number>/auth <id>/adv

Advanced Settings Configuration

The Advanced Settings menu is used for configuring the current authentication method to retrieve user group information from other authentication schemes besides the current one.

[Advanced Menu]
    groupauth - Set Authentication server list for group information

Table 10-54 Advanced Settings Menu Options (/cfg/xnet/domain/auth/adv)

Command Syntax and Usage

groupauth <authentication ID numbers, separated by comma>

By referencing a previously defined authentication ID here, the system will retrieve the SSL VPN user's group information from the corresponding authentication scheme.

Example: The user logs in via RADIUS but the user groups are stored in an LDAP database.

By entering a list of authentication IDs separated by comma (e.g. 1,3,2), the system will check each corresponding authentication scheme to see if the user name can be matched against user groups defined in these authentication databases. All user groups found in the referenced authentication scheme(s) will be maintained during the SSL VPN user's login session.

Note: Group information can only be retrieved from the Local database and LDAP databases. If user groups exist in the current authentication scheme, these will be added to the user groups found in the referenced authentication scheme(s).

For instructions on how to add users to the Local database for authorization only, i.e. when authentication is performed by a remote server, see the add command on page 271.

/cfg/xnet/domain <number>/network <id>

Network Access Configuration

The Network menu is used to add network definitions, where each network definition may contain an optional number of subnet definitions. The network name, including registered subnets, can later be referenced in one of the access rules pertaining to a specific group, where access to the network can be set to be either accepted or rejected.

When an SSL VPN user requests a resource over the Internet, the user’s group membership and access rules will determine which networks and services the user is authorized to.

See Chapter 14, “Groups, Access Rules and Profiles” in the Application Guide for a full explanation of groups, access rules and profiles.

[Network 1 Menu]
    name    - Set network name
    subnet  - Subnet menu
    comment - Set comment
    del     - Remove network

Table 10-55 Network Menu Options (/cfg/xnet/domain/network)

Command Syntax and Usage

name

Assigns a name to the current network. This name can later be referenced as one of the access rules for a specific user group, using the cfg/xnet/domain #/group #/access #/network command.

A network definition can also be referenced in a client filter to shape the access rights to intranet resources according to the SSL VPN user’s source network or IP address. To reference the network definition in a client filter, use the cfg/xnet/domain #/filter command.

subnet

Displays the Subnet menu where several subnet entries (each defining a network address and netmask) can be configured. To view menu options, see page 275.

comment

Lets you enter a comment for the current network definition, e.g. a text explaining which network segment(s) the entry refers to.

del

Removes the network definition from the current configuration.

/cfg/xnet/domain <number>/network <id>/subnet <id>

Subnet Access Configuration

The Subnet menu is used to configure an optional number of subnet entries, each defining hosts, networks or network ranges to be included in the current network definition.

[Network Subnet 1 Menu]
    host - Set Host Name
    net  - Set network address
    mask - Set network mask
    del  - Remove subnet

Table 10-56 Subnet Menu Options (/cfg/xnet/domain/network/subnet)

Command Syntax and Usage

host <host name>

Sets a specific host, or all hosts within a subdomain or second level domain. The host name can be specified as a fully qualified domain name (FQDN) to target a specific host. To specify all hosts within a second level domain or subdomain, you can use an asterisk (*) as a wildcard.

Example: *.secondleveldomain.topleveldomain

or *.subdomain.secondleveldomain.topleveldomain

Note: You can use either the host command to specify a host (or a range of hosts using an asterisk), or a combination of network address and subnet mask (using the net and mask commands). If you specify hosts using both the host command and the net/mask commands, you will receive an error message in the CLI when applying the changes.

net <network address>

Defines the hosts that together with the subnet mask (see below) make up one of the subnet definitions for the current network.

The default net address is set to 0.0.0.0.

mask <network mask>Sets the subnet mask for the network address, limiting the validity to a specific host or range of hosts. The other settings in the access rule thereby only apply to the specified range.

The default subnet mask is set to 255.255.255.255. Combined with the default network address of 0.0.0.0, the default subnet mask means that no hosts can be accessed.

Note that the subnet mask can be entered in number of bits, e.g. 32 instead of 255.255.255.255.

del

Removes the subnet from the current network definition.

/cfg/xnet/domain <number>/service <id>

Service Access Configuration

The Service menu is used to specify the services (ports and protocols) to which members of a specific user group should be authorized when requesting a resource. The name of the service (as specified using the name command) can later be referenced to make up one of the access rules for a specific user group.

See Chapter 14, “Groups, Access Rules and Profiles” in the Application Guide for a full explanation of groups, access rules and profiles.

[Service 1 Menu]
    name     - Set service name
    protocol - Set allowed protocols
    ports    - Set allowed port
    comment  - Set comment
    del      - Remove Service

Table 10-57 Service Menu Options (/cfg/xnet/domain/service)

Command Syntax and Usage

name

Assigns a name to the current service definition. This name should be referenced when configuring the access rules for a specific user group, using the cfg/xnet/domain #/group #/access #/service command.

When running the AAA Quick Setup wizard, the following service definitions will be created automatically.

• http. Uses TCP port 80.

• https. Uses TCP port 443.

• web. Uses TCP ports 20, 21, 80 and 443.

• smtp. Uses TCP port 25.

• pop3. Uses TCP port 110.

• imap. Uses TCP port 143.

• email. Uses TCP ports 25, 110 and 443.

• telnet. Uses TCP port 23.

• ssh. Uses TCP port 22.

• ftp. Uses TCP ports 20 and 21.

protocol <protocols, separated by comma (,)>

Sets the allowed protocols for the configured ports. Available protocols are tcp and udp. To allow several protocols, enter the desired protocols separated by comma.

ports <port numbers, separated by comma (,)>

Sets the allowed port numbers for the current service definition. You can specify single port numbers (separated by comma) or a range of port numbers, or both.

Example: 80,443

or 25,80,443,1000-2000

or 0 (meaning all ports)

comment

Lets you enter a comment for the current service, e.g. a text explaining which services the current service definition refers to.

del

Removes the service from the current configuration.


/cfg/xnet/domain <number>/appspec <id>

Application Specific Menu

The Appspec menu is used to specify a path to an intranet resource, e.g. to a file in a subdirectory on a specific host. The name of the appspec entry (as specified using the name command) can later be referenced to make up one of the access rules for a specific user group.

The appspec definition identifies a path, e.g. /public. Combined with a host identified by a network reference in the same access rule, the group members can be granted (or denied) access to a specific subdirectory on that host.

See Chapter 14, “Groups, Access Rules and Profiles” in the Application Guide for a full explanation of groups, access rules and profiles.

[AppSpecific 1 Menu]
     name     - Set appspec name
     path     - Set path
     comment  - Set comment
     del      - Remove AppSpec

Table 10-58 Appspec Menu Options (/cfg/xnet/domain/appspec)

Command Syntax and Usage

name

Assigns a name to the current appspec entry. This name should be referenced when configuring the access rules for a specific user group, using the cfg/xnet/domain #/group #/access #/appspec command.

path <path>

Defines the path to a file, subdirectory or resource found on the host(s) identified by the network reference selected for the current access rule. The path denotes the part of the URL that follows the IP address of hosts included in the network reference.

Example: Suppose the IP address (e.g. 192.168.128.10) specified as one of the subnets in a network definition identifies a web server with the domain name www.example.com. By specifying /public as the path, an SSL VPN user who tries to access the following URL will create a match: www.example.com/public.

The default path setting is left blank, which means there are no restrictions whatsoever on paths valid in the specified domain.

Note: When running the Xnet domain in browser-based mode, the path setting is checked for the following protocols: HTTP, HTTPS, FTP and SMB.


comment

Lets you enter a comment for the current appspec entry, e.g. a text explaining which paths the current appspec entry refers to.

del

Removes the appspec entry from the current configuration.


/cfg/xnet/domain <number>/filter <id>

Client Filter Configuration

The Client Filter menu is used to specify different client filters. A client filter can identify the method by which a user authenticates to the ASA (authserver) or the source network from which a user tries to request intranet resources (clientnet).

The purpose of creating client filters is to define suitable access rights depending on whether the user requests a resource from an approved network (e.g. a branch office) or an unapproved network (e.g. an Internet café), or whether the user authenticates via a secure authentication method (e.g. token authentication) or a less secure authentication method (e.g. local database authentication).

Client filters are used in conjunction with extended profiles. An extended profile can be added to a user group to limit or extend the group’s access rights, depending on the user’s authentication method or source network. This is done by referencing the client filter (e.g. branchoffice) in the extended profile.

For examples on how to apply client filters and extended profiles, see Chapter 14, “Groups, Access Rules and Profiles” in the Application Guide.

[Client Filter 1 Menu]
     name       - Set filter name
     authserver - Set authentication servers
     clientnet  - Set client network reference
     comment    - Set comment
     del        - Remove client filter

Table 10-59 Client Filter Menu Options (/cfg/xnet/domain/filter)

Command Syntax and Usage

name

Assigns a name to the current client filter. This name should later be referenced in a user group’s extended profile, using the cfg/xnet/domain #/group #/extend #/filter command.

authserver <authentication server names, separated by comma (,)>

Specifies which authentication server or servers are used for client authentication. To view available authentication servers, press TAB following the authserver command.

Example: A server used for token authentication is considered more secure. The access rights specified for an extended profile using a client filter whose authentication server id refers to token authentication could be more generous.


clientnet

Lets you reference a previously created network definition identifying a client network. To create a network definition, use the /cfg/xnet/domain #/network command.

comment

Lets you enter a comment for the current client filter.

del

Removes the client filter from the current configuration.


/cfg/xnet/domain <number>/group <id>

Group Configuration

The Group menu is used to define the CLI user groups.

When a user logs in to the SSL VPN Portal, or logs in via the SSL VPN client, the system tries to determine the user’s group membership. This is done by searching for a match between a group name defined in the CLI and a group name associated with the user’s credentials in the authentication mechanism by which the user was authenticated (RADIUS, LDAP, NTLM, or Local database). To find a match, the system starts by applying group 1 (as defined in the CLI), then continues with group 2 and so on until all matches are found. The user is now authenticated and mapped to one or several groups.

Links and User Type

Any links associated with the user’s different groups are displayed together on the Portal’s Home tab. If different user types are defined for the different groups, the best user type will be used. If different bandwidth policies are defined, the best policy will be applied.

Access Rules

When the user requests a resource, the system tries to find a match between the requested resource and the access rules specified for the group(s). This is done by checking each group in sequence according to the CLI order. Thus, the system starts by checking group 1’s access rules in sequential order, i.e. first Access rule 1, then Access rule 2 and so on. As soon as a match is found, the action (accept or reject) specified for the access rule is performed and any access rules or groups with higher numbers are ignored. If no match can be found in any access rule, the user’s request is rejected.

NOTE – To shape a user’s access rights depending on source network or authentication method, extended profiles can be used. See Chapter 14, “Groups, Access Rules and Profiles” in the Application Guide for a full explanation of groups, access rules and profiles.

[Group 1 Menu]
     name     - Set group name
     access   - Access rule menu
     print    - Print access rules
     usertype - Set portal user type
     link     - Portal link menu
     extend   - Extended profiles menu
     comment  - Set comment
     del      - Remove group


Table 10-60 Group Menu Options (/cfg/xnet/domain/group)

Command Syntax and Usage

name

Assigns a name to the current user access group. When you have defined a name for the group, you can access the Group menu by specifying the group name instead of the group ID.

The name you assign to the user group depends on which type of authentication mechanism you deploy.

• RADIUS: When using RADIUS for remote authentication, the name you assign to the group must correspond to an existing name defined in the vendor-specific attribute used by the RADIUS server. Contact your RADIUS system administrator for information.

• LDAP: When using LDAP for remote authentication, the name you assign to the group must correspond to an existing name defined in the LDAP group attribute used by the LDAP server. Contact your LDAP system administrator for information.

• NTLM: When using NTLM for remote authentication, the name you assign to the group must correspond to an existing group name in the Windows domain to which the user belongs. Contact your Windows system administrator for more information.

• Local: When using the local database for authentication, you can assign any name to the group. The group name is only used internally for controlling access to intranet resources via the associated access control list(s). When adding a user to the local database, you map the user to one or more of the defined user access groups.

Note: After you have assigned a name to the user access group, you must also define the access rules associated with the group. This must be done regardless of the authentication mechanism(s) used in the Xnet domain.

access

Displays the Access Rule menu. To view menu options, see page 285.

print

Displays an easy-to-read table overview of the access rules pertaining to the group. The table includes the Network, Ports, Proto (Protocol), Path and Action headings.

usertype

Sets the user type for the current group. The user type determines which tabs will be available on the SSL VPN portal. Available user types are:

• advanced: Displays all tabs on the Portal.

• medium: Displays all tabs but the Advanced tab.

• novice: Limits display to the Home tab (containing group links) and the Logout tab.

link

Displays the Link List menu. To view menu options, see page 287.


extend

Displays the Extended profile menu, after you have typed the index number or name of an existing profile or the index number of a new profile. To view existing profiles, press TAB following the extend command.

To view menu options, see page 295.

comment

Lets you enter a comment for the current group.

del

Removes the user access group from the current Xnet domain configuration.

Note: All access rules associated with the current group ID will be deleted as well.


/cfg/xnet/domain <number>/group <id>/access <rule number>

Access Rule Configuration

The Access rule menu is used to specify what action should be taken when the user tries to access a specific host, network or subnet, using a specific port, protocol or path.

When the user requests a resource, the system tries to find a match between the requested resource and the access rules specified for the group. As soon as a match is found, the action (accept or reject) specified for the access rule is performed and any access rules or groups with higher numbers are ignored. If no match can be found in any access rule, the user’s request is rejected.

Since the access rules are applied in sequential order, the order in which the access rules are configured could be important. For example, if a network definition is used to deny access to a specific host on a network, this access rule should be configured with a lower sequence number than an access rule allowing access to that network.

See Chapter 14, “Groups, Access Rules and Profiles” in the Application Guide for a full explanation of groups, access rules and profiles.
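To make the first-match evaluation concrete, the following Python model implements the behaviour described in this section together with the service port syntax from the Service menu ("80,443", "25,80,443,1000-2000", or "0" for all ports) and the appspec path matching from the Appspec menu. It is an added example, not ASA code: the class names, the sample networks and the staff group whose HR-host reject rule precedes the intranet accept rule are constructed for the illustration, and the evaluation order (groups in CLI order, rules in sequence, default reject) follows the text above.

```python
# Constructed model of ASA access-rule evaluation: groups are walked in CLI
# order, each group's rules in sequence, the first match decides, and a
# request that matches nothing is rejected. Not the device's own code.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


def parse_ports(spec: str) -> Optional[set]:
    """Parse the CLI 'ports' syntax: single ports and ranges separated by
    commas ("25,80,443,1000-2000"); "0" means all ports (returned as None)."""
    if spec.strip() == "0":
        return None
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        lo, _, hi = item.partition("-")
        lo_n = int(lo)
        hi_n = int(hi) if hi else lo_n
        if not 1 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"invalid port specification: {item!r}")
        ports.update(range(lo_n, hi_n + 1))
    return ports


def parse_protocols(spec: str) -> set:
    """Parse the CLI 'protocol' syntax: tcp, udp, or both separated by a comma."""
    protos = {p.strip().lower() for p in spec.split(",") if p.strip()}
    unknown = protos - {"tcp", "udp"}
    if unknown:
        raise ValueError(f"unsupported protocol(s): {sorted(unknown)}")
    return protos


@dataclass
class Service:
    name: str
    protocols: set
    ports: Optional[set]          # None = all ports (CLI value 0)

    def matches(self, proto: str, port: int) -> bool:
        return proto in self.protocols and (self.ports is None or port in self.ports)


@dataclass
class Network:
    name: str
    subnets: list                 # ipaddress networks; a single host is a /32

    def matches(self, host: str) -> bool:
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in self.subnets)


@dataclass
class AppSpec:
    name: str
    path: str = ""                # "" = no path restriction (CLI default)

    def matches(self, url_path: str) -> bool:
        if not self.path:
            return True
        base = self.path.rstrip("/")
        return url_path == base or url_path.startswith(base + "/")


@dataclass
class AccessRule:
    network: Network
    service: Service
    appspec: AppSpec
    action: str = "reject"        # CLI default action is reject


@dataclass
class Group:
    name: str
    rules: list = field(default_factory=list)


def evaluate(groups, host: str, proto: str, port: int, url_path: str = "/"):
    """Return (action, matched_rule) for a request by a user who is a member
    of `groups` (already sorted in CLI order)."""
    for group in groups:
        for number, rule in enumerate(group.rules, start=1):
            if (rule.network.matches(host)
                    and rule.service.matches(proto, port)
                    and rule.appspec.matches(url_path)):
                return rule.action, f"{group.name}/access {number}"
    return "reject", "no matching access rule"


def example_groups(deny_host_first: bool = True):
    """Constructed configuration: a staff group that may reach the intranet on
    web ports, except for one HR host. The order of the two rules decides
    whether the HR exception is effective."""
    intranet = Network("intranet", [ipaddress.ip_network("10.0.0.0/8")])
    hr_host = Network("hr_host", [ipaddress.ip_network("10.1.2.3/32")])
    web = Service("web", parse_protocols("tcp"), parse_ports("20,21,80,443"))
    any_svc = Service("any", parse_protocols("tcp,udp"), parse_ports("0"))
    no_path = AppSpec("any")
    deny_hr = AccessRule(hr_host, any_svc, no_path, "reject")
    allow_web = AccessRule(intranet, web, no_path, "accept")
    rules = [deny_hr, allow_web] if deny_host_first else [allow_web, deny_hr]
    return [Group("staff", rules)]


if __name__ == "__main__":
    for order in (True, False):
        print("deny host first:", order,
              evaluate(example_groups(deny_host_first=order), "10.1.2.3", "tcp", 80))
```

Running the block shows the ordering point from the text: with the reject rule at sequence 1 the HR host is blocked, while with the accept rule first the same request is granted by rule 1 and the reject rule is never consulted.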

[Access rule 1 Menu]
     network  - Set network reference
     service  - Set service reference
     appspec  - Set application specific reference
     action   - Set action
     comment  - Set access rule comment
     del      - Remove access rule

Table 10-61 Access Rule Menu Options (/cfg/xnet/domain/group/access)

Command Syntax and Usage

network

Lets you reference a previously configured network definition (which may contain several host and subnet definitions).

To view existing network definitions, press TAB following the network command.

Example: To restrict access to a specific subnet, reference the network name whose definition corresponds to that subnet.

To configure a network definition, use the /cfg/xnet/domain #/network command.


service

Lets you reference a previously configured service definition (which may contain several port and protocol definitions).

To view available services, press TAB following the service command.

Example: To restrict access to a specific application, reference the service name whose definition corresponds to that application’s well-known port number.

To configure a service, use the /cfg/xnet/domain #/service command.

appspec

Lets you reference a previously configured appspec definition. An appspec definition identifies a path, e.g. /public.

To view available appspec entries, press TAB following the appspec command.

Example: To restrict access to a specific subdirectory on a host, reference the appspec entry that identifies the desired path.

To configure an appspec definition, use the /cfg/xnet/domain #/appspec command.

action accept|reject

Sets the action that is triggered when an SSL VPN user’s request results in a match.

• accept: The user’s request is accepted, and access to the resource is granted.

• reject: The user’s request is rejected, and the browser displays an error message.

The default action setting is reject.

del

Removes the current access rule from the group.


/cfg/xnet/domain <number>/group <id>/link <id>

Link Configuration

The Link menu is used for creating the links displayed on the SSL VPN Portal Home tab. Any links created on the Link menu are automatically associated with the selected group. Users who are members of the selected group (identified by the group ID) will have access to the links. Users who are members of several groups will have access to all the links defined for the various groups.

Make sure that access to the resource provided via the link is not contradicted by any access rules that apply to the group(s) in which the user is a member.

Links can also be specified for extended profiles. See Chapter 14, “Groups, Access Rules and Profiles” in the Application Guide for a full explanation of groups, access rules and profiles.

[Link 1 Menu]
     text      - Set link text
     smb       - Create SMB link
     ftp       - Create FTP link
     proxy     - Create HTTP Proxy link
     forwarder - Port forwarder menu
     terminal  - Create terminal link
     external  - Create a link to an external website
     internal  - Create a link to an internal website
     eauto     - Create external auto login link
     iauto     - Create intranet auto login link
     del       - Remove link

Table 10-62 Link Menu Options (/cfg/xnet/domain/group/link)

Command Syntax and Usage

text <link text as displayed on SSL VPN user’s Home tab>

Specifies the link text that appears on the Web page automatically displayed after an SSL VPN user successfully logs in to the portal.

Note: The user will only see the link text, not the URL contained in the link. It is therefore recommended that you define a descriptive link text that clearly indicates the provided resource.


smb <SMB host by IP address or host name> <workgroup> <name of shared network folder>

Creates a link to a Windows file server, or a Samba server. By specifying the name of a workgroup (optional) and shared network folder (optional), that folder’s content is listed right away when the SSL VPN user clicks the link.

When prompted for the name of a shared network folder, you can use the following macros:

• <user> This macro automatically replaces <user> with the currently logged in SSL VPN user’s user name, and thereby provides access to that user’s home directory.

• <group> This macro automatically replaces <group> with the name of the group in which the currently logged in SSL VPN user is a member. If the user is a member of more than one group, the name of the primary group is used. The first match between a group name defined in the Xnet domain and any group listed in the authentication mechanism that applies to the user is considered the primary group. When searching for a matching group name, the system starts with applying group ID 1, then continues with group ID 2 and so on until a match is found.

The <group> macro can be used to provide access to a project folder or other folder shared by a group of users. If a shared network folder with a name that corresponds to the name of the primary group exists, that folder is displayed for all logged in users who are members of the related group.
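The group-matching order matters both for the <group> macro above and for what a multi-group user sees on the Portal (see the Group menu description: links from all matched groups are shown together and the best user type is used). The following Python sketch models that behaviour. It is an added example, not ASA code: the group names, links and the sample backend response are constructed, exact string comparison of group names is assumed, and the ranking novice < medium < advanced is this example's reading of "best user type" as the type that shows the most Portal tabs.

```python
# Constructed model of how an authenticated user is mapped to CLI groups and
# of the <user>/<group> share-name macros. Not the device's own code.
from dataclasses import dataclass, field

# Assumption for this example: the "best" user type is the one that shows the
# most Portal tabs (advanced > medium > novice).
USER_TYPE_RANK = {"novice": 0, "medium": 1, "advanced": 2}


@dataclass
class PortalGroup:
    gid: int                      # the group ID assigned in the CLI
    name: str
    usertype: str = "novice"
    links: list = field(default_factory=list)


def match_groups(cli_groups, backend_groups):
    """Return the CLI groups whose name matches one of the group names the
    authentication backend (RADIUS, LDAP, NTLM or local database) associated
    with the user, walking group ID 1, 2, ... so that the first hit is the
    primary group. Exact string comparison is assumed here."""
    wanted = set(backend_groups)
    return [g for g in sorted(cli_groups, key=lambda g: g.gid) if g.name in wanted]


def portal_view(matched):
    """Combine what a multi-group user gets on the Portal: primary group,
    best user type and the union of all groups' links (in CLI order)."""
    if not matched:
        return None
    links = []
    for group in matched:
        for link in group.links:
            if link not in links:
                links.append(link)
    best = max(matched, key=lambda g: USER_TYPE_RANK[g.usertype]).usertype
    return {"primary_group": matched[0].name, "usertype": best, "links": links}


def expand_share_macros(template, username, matched):
    """Expand <user> and <group> in an SMB share name or FTP initial path;
    <group> is the primary group, i.e. the first match in CLI order."""
    if not matched:
        raise ValueError("user is not a member of any CLI group")
    return template.replace("<user>", username).replace("<group>", matched[0].name)


# Constructed sample: three CLI groups; the backend returns two of them,
# listed in a different order than the CLI IDs.
CLI_GROUPS = [
    PortalGroup(1, "engineering", "medium", ["wiki"]),
    PortalGroup(2, "sales", "novice", ["crm"]),
    PortalGroup(3, "admins", "advanced", ["wiki", "console"]),
]


def demo(backend_groups=("admins", "sales"), username="alice"):
    matched = match_groups(CLI_GROUPS, backend_groups)
    view = portal_view(matched)
    share = expand_share_macros("home/share/<group>", username, matched) if matched else None
    return view, share


if __name__ == "__main__":
    print(demo())
```

Note that the primary group is decided by CLI ID order, not by the order in which the backend lists the user's groups: a user in both "sales" (ID 2) and "admins" (ID 3) gets "sales" substituted for <group> even though the Portal shows the admins' user type and links.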

ftp <FTP server by IP address or host name> <initial path>

Creates a link to an FTP server. By specifying an initial path, a specific directory can be listed right away when the user accesses the link. To specify the logged in user’s home directory, enter the following value as the initial path: /!

When creating an FTP link, you can use the same macros in the initial path as in the name of a shared network folder when creating an SMB link. The syntax is slightly different for an FTP link:

• home/share/<user>: When used, this macro automatically replaces <user> with the currently logged in SSL VPN user’s user name, and thereby provides access to that user’s home directory.

• home/share/<group>: When used, this macro automatically replaces <group> with the name of the group in which the currently logged in SSL VPN user is a member. If the user is a member of more than one group, the name of the primary group is used. The first match between a group name defined in the Xnet domain and any group listed in the authentication mechanism that applies to the user is considered the primary group. When searching for a matching group name, the system starts with applying group ID 1, then continues with group ID 2 and so on until a match is found.

The <group> macro can be used to provide access to a project folder or other folder shared by a group of users. If a shared network folder with a name that corresponds to the name of the primary group exists, that folder is displayed for all logged in users who are members of the related group.

Note: If an initial path is not specified, the FTP server’s root directory is implied.


proxy

Creates an HTTP proxy link to enable display of complex intranet web pages. If a web page contains plugins like Flash, Shockwave and Java applets, which, in their turn, may include embedded links to other intranet pages, the HTTP request might not reach the ASA and, consequently, will never be redirected to its destination.

To solve this problem, the HTTP Proxy feature downloads a Java applet to the client. After clicking the link, the user should change his browser configuration to have all HTTP and HTTPS requests – also embedded ones – routed via this Java applet. The Java applet tunnels all traffic via SOCKS and SSL to the ASA’s proxy server, where it is unpacked and redirected to its destination.

Instructions for how to reconfigure the client browser are provided in the Java applet window.

Note: Outlook Port forwarder links (if configured) or Outlook Port forwarder portal sessions (Advanced tab) will not work if a proxy server is configured in the client browser.

forwarder

Displays the Forwarder menu used to create Port forwarder links. To view menu options, see page 292.

terminal <remote host by IP address or name> <port number [22|23]> <protocol [telnet|ssh]> <keymap URL> <HTTP proxy host and port (optional)>

Creates a direct link to a terminal server on the intranet using Telnet or SSH. When the SSL VPN user clicks the link, a terminal window is opened in a new browser window by way of a Telnet/SSH terminal Java applet.

• Keymap URL (optional). If a keymap URL is specified, the user’s keyboard mappings can be configured via an external configuration file located on the specified web server. This is for users with non-standard keyboards.

Example: When prompted for a keymap URL, enter the URL, path (if any) and finally the name of the keyboard mapping file, e.g. http://inside.example.com/keyCodes.at386.

Documentation describing the configuration file properties can be found in Appendix F, “Definition of Key Codes” on page 381.

• HTTP Proxy host/port (optional). If users are working from a location requiring traffic to pass through an intermediate intranet HTTP Proxy server, enter the IP address (or domain name) and port of that proxy server. Skipping the prompt means that all applet traffic is tunneled straight to the ASA.

external <method [http|https]> <external web server by IP address or host name> <path>

Creates a link to an external Web page or Web resource, accessed by using HTTP or HTTPS. A path must always be specified, where a single forward slash (/) indicates the web server’s document root.

The external link directs the HTTP request straight to the specified resource via a clear-text connection, i.e. without adding the ASA rewrite prefix (compare to the internal command below).


internal <method [http|https]> <internal web server by IP address or host name> <path>

Creates a link to an internal Web page or Web resource, accessed by using HTTP or HTTPS. A path must always be specified, where a single forward slash (/) indicates the web server’s document root.

To create a link to the currently logged in SSL VPN user’s home page on the intranet, you can use the following macro when prompted for the path:

• /<user>: When used, this macro automatically replaces <user> with the currently logged in SSL VPN user’s user name, and thereby provides access to that user’s home page.

Note: Depending on how the intranet Web server is configured, you may need to insert an additional character to specify the correct path. Example: /~<user>.

The internal link directs the HTTP request to the ASA, where the ASA rewrite prefix (boldface) is added to the link.

Example: https://vip.example.com/http/inside.example.com/

This way, the HTTP request is sent through a secure connection via SSL.

eauto <method [http|https]> <external host by IP address or host name> <path> <add NTLM domain yes/no>

Creates a link to an external resource, and automatically includes the <user> and <password> macros in the URL. The macros replace <user> and <password> with the credentials the SSL VPN user provided when logging in to the SSL VPN portal. The credentials are transferred to the external resource specified in the host name and path, and the user can thus be automatically logged in to that resource.

To view the resulting syntax of a link created by using the eauto command, use the cur command.

The eauto link directs the HTTP request straight to the specified resource via a clear-text connection, i.e. without adding the ASA rewrite prefix (compare to the iauto command below).

Note: When configuring automatic login links to external web sites, the Portal user name and password may leak outside the protected intranet. Use this feature with great caution.


iauto <method [http|https]> <internal host by IP address or host name> <path>

Creates a link to an internal resource, and automatically includes the <user> and <password> macros in the URL. The macros replace <user> and <password> with the credentials the SSL VPN user provided when logging in to the SSL VPN portal. The credentials are transferred to the internal resource specified in the host name and path, and the user can thus be automatically logged in to that resource.

This feature is useful when a resource on the intranet explicitly requires user authentication, such as a server providing Outlook Web Access.

To view the resulting syntax of a link created by using the iauto command, use the cur command.

The iauto link directs the HTTP request to the ASA, where the ASA rewrite prefix (boldface) is added to the link.

Example: https://user:password@vip.example.com/https/inside.example.com/

This way, the HTTP request is sent through a secure connection via SSL.

del

Removes the current link from the SSL VPN configuration.


/cfg/xnet/domain <number>/group <id>/link <id>/forwarder

Port Forwarder Link Configuration

The Forwarder menu includes the following Port forwarder link commands:

[Forwarder Menu]
     custom   - Create custom port forwarding link
     outlook  - Create Microsoft Outlook port forwarding link

Table 10-63 Forwarder Link Menu (/cfg/xnet/domain/group/link/forwarder)

Command Syntax and Usage

custom <executable> <arguments to executable> <text to be displayed in applet window> <HTTP proxy host and port> <source IP> <source port> <host alias> <destination host> <destination port>

Creates a port forwarder link for running a client application towards a remote server on the intranet. When the user clicks the link, a SOCKS tunnel (encapsulated in SSL) is instantly created between the user’s local machine and the ASA. The ASA relays data to and from the remote host by setting up a socket to the remote TCP port. A SOCKS tunnel set up this way can be used for running a number of TCP-based applications.

If you expect the connection to include more than 15 minutes of inactivity, increase the TCP connection idle timeout value, using the /cfg/ssl/server #/tcp/ckeep command.

• Executable (optional). Defines the application to be started (e.g. explorer.exe) when the user clicks the link. The ASA must be able to find the executable either via the PATH variable or in the registry (on Windows), i.e. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths. If you are in doubt, specify the full path to the executable after the prompt, e.g. C:\Program Files\Citrix\ICA Client\pn.exe. If no executable is specified, the user can start the application manually. In this case, user instructions can be provided following the Paste text... prompt (see below). If browser is entered as executable, the user’s default browser will be started.

• Arguments (optional). Defines the command-line argument to be used by the application, e.g. http://127.0.0.1:5025 if the executable is browser. Note that each application has its own set of arguments. See below for description of selected IP address and port number.

• Text. Replaces the standard text in the Java applet window, i.e. more user-friendly instructions can be supplied. Having entered the text, press ENTER and type three periods (...). Finally press ENTER once again. To keep the standard text (information about host file mappings and opened sockets), type three periods and press ENTER.

• HTTP proxy host/port. If users are working from a location requiring traffic to pass through an intermediate intranet HTTP Proxy server, enter the IP address (or domain name) and port of that proxy server. Skipping the prompt means that all applet traffic is tunneled straight to the ASA.


• Source IP. Sets the IP address associated with the client computer, e.g. 127.0.0.1 or any other IP address in the 127.x.y.z range.

• Source port. Arbitrary local port number. Ports just above 5000 are usually free to use.

• Host alias. Can be specified if the user should start the application using this alias, i.e. no executable has been specified. This requires the alias to be mentioned in the Java applet text. It also requires the user to have administrator privileges on the client computer or have write access enabled for hosts and lmhosts files. Hosts and lmhosts files are located in %windir%\hosts on Windows 98 and ME and in %windir%\system32\drivers\etc\hosts on NT, XP and Windows 2000.

• Destination host. Sets the IP address or host name of the remote application server, e.g. www.example.com.

• Destination port. Sets the application-specific port number of the application server, e.g. 80.

For further examples, see Chapter 15 in the Application Guide.

outlook <source IP> <Exchange server FQDN> <start client yes/no> <argument to Outlook client> <text to be displayed in applet window>

Creates a Port forwarder link for starting Microsoft Outlook towards a Microsoft Exchange server on the intranet. Services provided by the Exchange server (mail, calendar, address book etc.) may be distributed between different Exchange servers. If this is the case, you have the option to create several Outlook port forwarders where the relevant Exchange servers can be specified.

IMPORTANT: The following prerequisites must be fulfilled for the Outlook Port forwarder to work:

• The Exchange servers’ domain name suffixes, e.g. example.com if the FQDN is exchange.example.com, must be configured using the /cfg/ssl/server #/dns/search command.

• The user must have administrator’s rights on his/her computer or have write access enabled for hosts and lmhosts files. Hosts and lmhosts files are located in %windir%\hosts on Windows 98 and ME and in %windir%\system32\drivers\etc\hosts on NT, XP and Windows 2000.

• The user’s client machine must be of the Hybrid or Unknown node type. The node type can be checked by entering ipconfig /all at the DOS prompt. To change the node type to Hybrid (if needed), go to the registry editor folder HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters. If not already present, add a new DWORD Value called NodeType. Double-click NodeType and enter 8 in the Value Data field. Click OK and restart the computer.

• The Outlook Port forwarder link is meant to be used by clients connecting to the ASA from outside the intranet. If the client has direct connectivity to the intranet, the Port forwarder will fail. If the client has access to intranet DNS servers, communication will fail as well.


Page 294: User’s Guide and Command Reference

Alteon SSL Accelerator 4.1.2 User’s Guide and Command Reference

212939-F, November 2003294 � Chapter 10: ASA Command Reference


• To test DNS resolution, the ASA should be able to ping the Exchange server from the CLI, using the fully qualified domain name (FQDN).

• The Outlook Port forwarder link will not work if a proxy server is configured in the client browser. This also means that an HTTP Proxy link or HTTP Proxy portal session cannot be active at the same time as the Outlook Port forwarder.

• The user's Outlook account must be hosted on the Exchange server(s) specified in the Port forwarder.

• To ensure proper operation, specify the DNS name of the portal server, using the /cfg/ssl/server #/dnsname command.

• If you expect the connection to include more than 15 minutes of inactivity, increase the TCP connection idle timeout value, using the /cfg/ssl/server #/tcp/ckeep command.

• If a firewall exists between the ASA and the Exchange server, the firewall settings must allow traffic to the required Exchange server ports. Note that these may vary with your environment. More information can be found on http://support.microsoft.com, e.g. Knowledge Base Articles 280132, 270836, 155831, 176466, 148732, 298369, 194952, 256976, 302914 and 180795.

Command syntax and usage:

• Source IP. Sets the IP address associated with the client computer, e.g. 127.0.0.1 or any other IP address in the 127.x.y.z range. If several port forwarders are required, note that each port forwarder must have a unique source IP address. A new source IP address is automatically suggested by the system if you choose to add another port forwarder.

• Exchange server. Sets the fully qualified domain name (FQDN) of the Exchange server, e.g. exchange.example.com. If mailboxes, calendars, address books etc. are delegated to several Exchange servers, you have the option to create additional Port forwarders where the relevant Exchange server FQDNs can be specified.

• Start Outlook client. Enter yes if the Microsoft Outlook client should be started automatically when the user clicks the link. If not, user instructions can be supplied in the Java applet window by entering a custom text (see below).

• Argument to Outlook client. Example: /Profile myprofile. For a reference to available Outlook executable arguments, see Microsoft Knowledge Base Article no 296192 available on http://support.microsoft.com/?kbid=296192.

• Text. Replaces the standard text in the Java applet window, e.g. if more user-friendly instructions should be supplied. Having entered the text, press ENTER and type three periods (...). Finally press ENTER once again. To keep the standard text (information about hosts file mappings and opened sockets), type three periods and press ENTER.

For further examples, see Chapter 15 in the Application Guide.
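As an added worked example (not code from this manual or from the ASA itself), the Python below models the client-side mechanism the Outlook forwarder relies on: each forwarder gets its own loopback source IP, and the applet maps the Exchange FQDN to that address in the client's hosts file so that Outlook connects to the applet's local sockets instead of the real server. It checks a set of forwarder definitions against the constraints stated above (a source IP in the 127.x.y.z range that is unique per forwarder, and an FQDN rather than a bare host name), suggests the next free source IP (lowest unused address, an assumption about how the ASA picks one), and parses a client hosts file for a pre-existing entry that would send Outlook past the tunnel. The forwarder list, server names and hosts-file content are constructed, and the function names are my own.

```python
import ipaddress

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")

# Constructed sample of two Outlook forwarders as they would be entered under
# /cfg/xnet/domain/group/link/forwarder (names and addresses are hypothetical).
FORWARDERS = [
    {"source_ip": "127.0.0.1", "exchange": "exchange.example.com"},
    {"source_ip": "127.0.0.2", "exchange": "exchange2.example.com"},
]


def check_forwarders(forwarders):
    """Return a list of problems: a source IP outside 127.0.0.0/8, a source
    IP shared by two forwarders, or an Exchange server that is not an FQDN."""
    problems, seen = [], {}
    for fw in forwarders:
        ip = ipaddress.IPv4Address(fw["source_ip"])
        if ip not in LOOPBACK:
            problems.append(f"{ip} is not a loopback address")
        if ip in seen:
            problems.append(f"{ip} is used for both {seen[ip]} and {fw['exchange']}")
        seen[ip] = fw["exchange"]
        if "." not in fw["exchange"].strip("."):
            problems.append(f"{fw['exchange']} is not an FQDN")
    return problems


def next_source_ip(forwarders):
    """Suggest the lowest unused 127.x.y.z address for an additional
    forwarder (assumption: this is how the ASA picks its suggestion)."""
    used = {ipaddress.IPv4Address(fw["source_ip"]) for fw in forwarders}
    candidate = ipaddress.IPv4Address("127.0.0.1")
    while candidate in used:
        candidate += 1
    return str(candidate)


def parse_hosts(text):
    """Parse hosts-file content into {name: ip}, ignoring comments."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            mapping[name.lower()] = fields[0]
    return mapping


def hosts_conflicts(forwarders, hosts_text):
    """The applet maps each Exchange FQDN to its forwarder's loopback address.
    An existing entry for that name pointing somewhere else means Outlook
    would try to reach the server directly (which fails from outside the
    intranet), so report (name, existing ip, wanted ip) before the user clicks."""
    mapping = parse_hosts(hosts_text)
    conflicts = []
    for fw in forwarders:
        existing = mapping.get(fw["exchange"].lower())
        if existing and existing != fw["source_ip"]:
            conflicts.append((fw["exchange"], existing, fw["source_ip"]))
    return conflicts


def applet_hosts_lines(forwarders):
    """The hosts-file lines the applet needs once the checks pass."""
    return [f"{fw['source_ip']}\t{fw['exchange']}" for fw in forwarders]


# Constructed client hosts file with a stale intranet entry left behind.
SAMPLE_HOSTS = """# constructed client hosts file
127.0.0.1\tlocalhost
10.1.1.5\texchange.example.com   # stale entry from an office visit
"""
```

Running check_forwarders, next_source_ip and hosts_conflicts over FORWARDERS and SAMPLE_HOSTS reports the stale 10.1.1.5 mapping for exchange.example.com, which is exactly the "direct connectivity" failure case the prerequisites warn about.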


/cfg/xnet/domain <number>/group <id>/extend <id>

Extended Profile Configuration

Specifying access rules on Group level is sufficient to have a working AAA system. However, if security considerations in your company require more fine-grained authorization control, one or more extended profiles can be added to a user group.

All the data that can be defined for a group on Group level (access rules, links, user type etc.) can also be defined for an extended profile. Data defined on Group level, i.e. directly under the Group menu, belongs to the group's base profile. Data defined on the Extended Profile menu belongs to the group's extended profile.

Apart from links and access rules, a previously defined client filter should be referenced in an extended profile. The client filter identifies a client network (e.g. a branch office network) and/or an authentication method (e.g. RADIUS).

When the user’s source network or authentication method matches the client filter referenced in the extended profile, the extended profile’s data is applied.

For examples on how to apply client filters and extended profiles, see Chapter 14, “Groups, Access Rules and Profiles” in the Application Guide.

[Extended Profile 1 Menu]
     filter   - Set client filter reference
     access   - Access rule menu
     print    - Print access rules
     usertype - Set portal user type
     link     - Portal link menu
     del      - Remove profile


Table 10-64 Extended Profile Menu Options (/cfg/xnet/domain/group/extend)

Command Syntax and Usage

filter <reference to previously defined client filter>

Lets you reference a previously defined client filter to be used in the current extended profile. Whenever a match is found between a user's source network or authentication method and the source network or authentication method used by the client filter, the extended profile's data is applied.

To view available client filters, press TAB following the filter command.

Example: You have previously defined a client filter identifying a client network, called branchoffice. By referencing this client filter, the extended profile will be applied when the group member accesses the ASA from that branch office.

To configure a client filter, use the /cfg/xnet/domain #/filter command.

access

Displays the Access rule menu, after you have typed the index number of an existing access rule or a new access rule. To view existing access rules, press TAB following the access command.

To view menu options, see page 285. The Access rule menu options for extended profiles are the same as for base profiles, i.e. data specified directly under the Group menu.

print

Displays an easy-to-read table overview of the access rules pertaining to the extended profile. The table includes the Network, Ports, Proto (Protocol), Path and Action headings.

usertype

Sets the user type for the current extended profile. The user type determines which tabs will be available on the SSL VPN Portal. Available user types are:

• advanced: Displays all tabs on the Portal.

• medium: Displays all tabs but the Advanced tab.

• novice: Limits display to the Home tab (containing group links) and the Logout tab.

link

Displays the Link menu, after you have typed the index number of an existing link or a new link. To view existing links, press TAB following the link command.

To view menu options, see page 287. The Link menu options for extended profiles are the same as for base profiles, i.e. data specified directly under the Group menu.

del

Removes the current extended profile from the group.


/cfg/xnet/domain <number>/radacct

RADIUS Accounting Configuration

The RADIUS Accounting menu is used to enable or disable RADIUS accounting and to display the RADIUS accounting servers menu, where one or more RADIUS accounting servers can be added to the current Xnet domain. With a RADIUS accounting server configured, an accounting request start packet is sent to the accounting server for each user that successfully authenticates to the ASA. The start packet contains the following information:

• Client user name

• ASA IP address

• Session ID

When a user session is terminated, an accounting request stop packet is sent to the accounting server containing the following information:

• Session ID

• Session time

• Cause of termination

The RADIUS server should be configured according to the recommendations in RFC 2866.

NOTE – Using the /cfg/xnet/log command, the ASA can be configured to generate detailed log messages concerning user Portal activities, e.g. URLs visited, rejects etc. This information is only sent to a configured syslog server, not to a RADIUS accounting server.
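As an added worked example (not code from this manual or from Nortel), the following Python builds the Accounting-Request Start and Stop records described above in RFC 2866 wire format, and shows the check an accounting server performs before it trusts one: the 16-octet Request Authenticator is MD5 over the packet with the shared secret appended, so a record from a sender who does not hold the secret, or one altered in transit, is rejected. The shared secret, user name, session ID and addresses are constructed values. RFC 2866 requires NAS-IP-Address (or NAS-Identifier) in every accounting record, so the ASA address is included in the Stop packet as well, in addition to the three fields the text lists. The MD5-with-secret construction is what the RFC mandates, not a modern MAC: choose a long random secret and keep accounting traffic on a trusted network or inside IPsec.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS codes and the accounting attributes the text lists (RFC 2865/2866)
ACCT_REQUEST, ACCT_RESPONSE = 4, 5
USER_NAME, NAS_IP_ADDRESS = 1, 4
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
ACCT_SESSION_TIME, ACCT_TERMINATE_CAUSE = 46, 49
STATUS_START, STATUS_STOP = 1, 2
CAUSE_USER_REQUEST = 1  # Acct-Terminate-Cause: the user logged out


def _avp(attr_type, value):
    """Encode one attribute: Type (1 octet), Length (1 octet), Value."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode()
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(identifier, secret, attributes):
    """Accounting-Request. Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret),
    so a server holding the secret can reject records from anyone else."""
    attrs = b"".join(_avp(t, v) for t, v in attributes)
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def start_packet(identifier, secret, user, nas_ip, session_id):
    """Start record: user name, ASA (NAS) IP address, session ID."""
    return build_accounting_request(identifier, secret, [
        (ACCT_STATUS_TYPE, STATUS_START),
        (USER_NAME, user),
        (NAS_IP_ADDRESS, int(ipaddress.IPv4Address(nas_ip))),
        (ACCT_SESSION_ID, session_id),
    ])


def stop_packet(identifier, secret, nas_ip, session_id, session_time, cause):
    """Stop record: session ID, session time in seconds, termination cause."""
    return build_accounting_request(identifier, secret, [
        (ACCT_STATUS_TYPE, STATUS_STOP),
        (NAS_IP_ADDRESS, int(ipaddress.IPv4Address(nas_ip))),
        (ACCT_SESSION_ID, session_id),
        (ACCT_SESSION_TIME, session_time),
        (ACCT_TERMINATE_CAUSE, cause),
    ])


def parse_attributes(data):
    """Walk the attribute list, refusing lengths that run past the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("attribute length out of range")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def attr_int(attrs, attr_type):
    """Decode a 4-octet integer attribute from a parsed attribute list."""
    return struct.unpack("!I", dict(attrs)[attr_type])[0]


def verify_accounting_request(packet, secret):
    """Server-side check before a record is trusted: recompute the Request
    Authenticator with the server's copy of the secret. Returns the parsed
    attributes, or None if the packet is malformed, forged or altered."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    try:
        return parse_attributes(packet[20:])
    except ValueError:
        return None


def accounting_response(request, secret):
    """Accounting-Response: its authenticator covers the request's own
    authenticator, so the client can tell a genuine acknowledgement."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()
```

A Start record built with start_packet(7, secret, "alice", "192.0.2.10", "0001A2B3") verifies under the same secret, while the same bytes verified with a different secret, or with a single bit of the session ID flipped, are rejected; that rejection is the only protection an accounting record has on the wire, which is why the shared secret deserves the same care as a password.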

[Radius Accounting Menu]
     servers - Radius Accounting Servers Menu
     ena     - Enable server
     dis     - Disable server

Table 10-65 RADIUS Accounting Menu Options (/cfg/xnet/domain/radacct)

Command Syntax and Usage

servers

Displays the RADIUS accounting servers menu. To view menu options, see page 298.

ena

Enables RADIUS accounting.

dis

Disables RADIUS accounting.


/cfg/xnet/domain <number>/radacct/servers

RADIUS Accounting Servers Configuration

The RADIUS Accounting Servers menu is used to add one or more RADIUS accounting servers to the current configuration.

[Radius Accounting Servers Menu]
     list   - List all values
     del    - Delete a value by number
     add    - Add a new value
     insert - Insert a new value
     move   - Move a value by number

Table 10-66 RADIUS Accounting Servers Menu Options (/cfg/xnet/domain/radacct/servers)

Command Syntax and Usage

list

Lists the IP addresses of currently configured RADIUS accounting servers, along with their corresponding index numbers.

del

Removes the specified RADIUS accounting server from the configuration. Use the list command to display the index numbers of all added RADIUS accounting servers.

add <IP address> <port number> <shared secret>

Adds a RADIUS accounting server to the configuration. Specify the IP address, the port number, and the shared secret. The next available index number is assigned automatically by the system. Note that RADIUS accounting (RFC 2866) runs over UDP, not TCP, so any firewall between the ASA and the accounting server must permit UDP traffic to this port.

Note: The default port number used for RADIUS accounting is 1813.

insert <index number to insert at> <IP address of RADIUS accounting server to add>

Assigns a specific index number to the RADIUS accounting server you add. The index number you specify must be in use. RADIUS accounting servers with an index number higher than (and including) the one you specify will have their current index number incremented by 1.

move <index number to move> <destination index number>

Moves a RADIUS accounting server up or down in the list of configured servers. The index numbers you specify must be in use. To view all servers currently added to the configuration, use the list command.


/cfg/sys

System Configuration

The System menu is used for configuring system-wide parameters on a per cluster basis.

[System Menu]
     distrace   - Disable tracing with tcpdump/ssldump
     routes     - Routes menu
     time       - Date and time menu
     dns        - DNS servers menu
     syslog     - Syslog servers menu
     cluster    - Cluster menu
     accesslist - Access list menu
     adm        - Administrative applications menu
     user       - User Access Control menu

Table 10-67 System Menu Options (/cfg/sys)

Command Syntax and Usage

distrace

Permanently disables the usage of the ssldump and tcpdump commands in the Trace menu (/cfg/ssl/server #/trace/ssldump|tcpdump). This command is used to improve security, since those commands can expose traffic passing through the device, and it cannot be reversed by any means other than a boot install.

routes

Displays the Routes menu. To view menu options see page 300.

time

Displays the Date and Time menu. To view menu options, see page 301.

dns

Displays the DNS Servers menu. To view menu options, see page 303.

syslog

Displays the Syslog Servers menu. To view menu options, see page 304.

cluster

Displays the Cluster menu. To view menu options, see page 305.

accesslist

Displays the Access List menu. To view menu options, see page 315.

adm

Displays the Administrative Applications menu. To view menu options, see page 316.

user

Displays the User menu. To view the options, see page 327.


/cfg/sys/routes

Cluster Wide Routes Configuration

The Routes menu is used for managing static routes on a cluster-wide level when more than one interface is configured. To configure static routes for a specific host, use the /cfg/sys/cluster/host #/routes command.

[Routes Menu]
     list - List all values
     del  - Delete a value by number
     add  - Add a new value

Table 10-68 Routes Menu Options (/cfg/sys/routes)

Command Syntax and Usage

list

Lists all configured static routes by their index number and IP address information.

del <static route by index number>

Removes the specified static route from the system configuration. Use the list command to display the index numbers of all added static routes.

add <destination IP address> <subnet mask> <gateway IP address>

Adds a static route to the system configuration. Specify the destination IP address, the subnet mask, and the gateway IP address.


/cfg/sys/time

Date and Time Configuration

The Date and Time menu is used for setting system date and system time. It is also used for changing the time zone, and for accessing the NTP Servers menu.

[Date and Time Menu]
     date  - Set system date
     time  - Set system time
     tzone - Set Timezone
     ntp   - Configure NTP servers

Table 10-69 Date and Time Menu Options (/cfg/sys/time)

Command Syntax and Usage

date <date (YYYY-MM-DD)>

Sets the system date according to the specified format.

time <time (HH:MM:SS)>

Sets the system time using a 24-hour clock format.

tzone

Sets the time zone. Select a continent or ocean, a country, and a region (if applicable).

ntp

Displays the NTP Servers menu. To view menu options, see page 302.


/cfg/sys/time/ntp

NTP Servers Configuration

The NTP Servers menu enables you to list the configured NTP servers, delete an NTP server, or add a new NTP server to the configuration.

[NTP Servers Menu]
     list - List all values
     del  - Delete a value by number
     add  - Add a new value

Table 10-70 NTP Servers Menu Options (/cfg/sys/time/ntp)

Command Syntax and Usage

list

Lists all configured NTP servers by their index number and IP address.

del <NTP server by index number>

Removes the specified NTP server from the system configuration. Use the list command to display the index numbers of all added NTP servers.

add <IP address of NTP server>

Adds an NTP server to the system configuration. The NTP server you add is used by the NTP client on the ASA to synchronize its clock. NTP should have access to a number of servers (at least three) in order to compensate for any discrepancies in the servers. Accurate time matters on an SSL device: certificate validity periods are checked against the system clock, and syslog and RADIUS accounting records can only be correlated with other systems' logs if the clocks agree.


/cfg/sys/dns

DNS Servers Configuration

The DNS Servers menu enables you to list the configured DNS servers, delete a DNS server, or add a new DNS server to the configuration.

[DNS Servers Menu]
     list   - List all values
     del    - Delete a value by number
     add    - Add a new value
     insert - Insert a new value
     move   - Move a value by number

Table 10-71 DNS Servers Configuration Menu Options (/cfg/sys/dns)

Command Syntax and Usage

list

Displays all configured DNS servers by their index number and IP address.

del <DNS server by index number>

Removes the specified DNS server from the system configuration. Use the list command to display the index numbers of all added DNS servers.

add <IP address of DNS server>

Adds a DNS server to the system configuration. The DNS servers you add will be used for all name resolution queries performed in the ASA cluster.

You can add up to 3 DNS servers to the configuration.

insert <index number to insert at> <IP address of DNS server to add>

Assigns a specific index number to the DNS server you add. The index number you specify must be in use. DNS servers with an index number higher than (and including) the one you specify will have their current index number incremented by 1.

move <index number to move> <destination index number>

Moves a DNS server up or down in the list of configured servers. The index numbers you specify must be in use.

To view all DNS servers currently added to the system configuration, use the list command.


/cfg/sys/syslog

Syslog Servers Configuration

The Syslog Servers menu is used to configure syslog servers. The ASA software can send log messages to the specified syslog hosts. For a list of all log messages that ASA can send to a syslog server, see “List of Syslog Messages” on page 353.

[Syslog Servers Menu]
     list   - List all values
     del    - Delete a value by number
     add    - Add a new value
     insert - Insert a new value
     move   - Move a value by number

Table 10-72 Syslog Servers Configuration Menu Options (/cfg/sys/syslog)

Command Syntax and Usage

list

Displays all configured syslog servers by their index number, IP address, and facility number.

del <index number>

Removes the specified syslog server from the system configuration. Use the list command to display the index numbers of all added syslog servers.

add <IP address of syslog server> <local facility number>

Adds a syslog server to the system configuration.

When adding a syslog server you will be prompted for both the IP address and the local facility number. The local facility number (local0 to local7 in syslog.conf terms) can be used to uniquely identify syslog entries coming from the ASA cluster when the server also receives logs from other devices. For more information, see the manual page for syslog.conf under UNIX.

insert <index number to insert at> <IP address of syslog server to add> <local facility number>

Assigns a specific index number to the syslog server you add. The index number you specify must be in use. Syslog servers with an index number higher than (and including) the one you specify will have their current index number incremented by 1.

move <index number to move> <destination index number>

Moves a syslog server up or down in the list of configured servers. The index numbers you specify must be in use.

To view all syslog servers currently added to the system configuration, use the list command.
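As an added example (not code from this manual or from the ASA), the Python below shows what the local facility number does on the wire and at the collector: the PRI value in angle brackets is facility * 8 + severity, with local0 to local7 numbered 16 to 23, and a collector recovers both fields from it and can keep the ASA cluster's entries apart from other devices logging to the same server. The sample lines are constructed and the host names, tags and message texts are not real ASA output. Keep in mind that classic syslog over UDP is neither authenticated nor encrypted, so the facility number is a labelling convention, not proof of origin; restrict which hosts may reach the syslog server.

```python
import re
from collections import defaultdict

# Facility numbers from syslog.conf(5) / RFC 3164: local0..local7 are 16..23.
# The "local facility number" given to the add command selects one of these.
FACILITIES = {f"local{n}": 16 + n for n in range(8)}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def priority(facility, severity):
    """PRI value that goes inside the angle brackets: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES.index(severity)


def format_message(facility, severity, timestamp, host, tag, text):
    """One RFC 3164 line as a sender puts it on the wire (UDP port 514)."""
    return f"<{priority(facility, severity)}>{timestamp} {host} {tag}: {text}"


_LINE = re.compile(r"^<(\d{1,3})>(\S{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$")
_NAMES = {v: k for k, v in FACILITIES.items()}


def parse_message(line):
    """Collector side: recover facility and severity from PRI, rejecting
    lines that are malformed or carry a PRI outside 0..191."""
    m = _LINE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    fac_num, sev_num = divmod(pri, 8)
    return {
        "facility": _NAMES.get(fac_num, str(fac_num)),
        "severity": SEVERITIES[sev_num],
        "timestamp": m.group(2),
        "host": m.group(3),
        "tag": m.group(4),
        "text": m.group(5),
    }


def route_by_facility(lines):
    """Bucket parsed entries by facility, which is how a collector keeps the
    ASA cluster's entries apart from other devices sharing the same server."""
    buckets = defaultdict(list)
    for line in lines:
        msg = parse_message(line)
        if msg is not None:
            buckets[msg["facility"]].append(msg)
    return dict(buckets)


# Constructed sample lines (not real ASA output). The ASA cluster was added
# with local facility 3; a router on the same collector uses local0.
SAMPLE = [
    format_message("local3", "info", "Nov  3 10:15:02", "asa-cluster", "ssl",
                   "user alice logged in"),
    format_message("local3", "warning", "Nov  3 10:16:40", "asa-cluster", "aaa",
                   "radius accounting server 10.0.0.5 unreachable"),
    "<134>Nov  3 10:17:00 edge-router ifd: interface ge-0/0/1 up",
    "garbage that is not a syslog line",
]
```

route_by_facility(SAMPLE) yields two local3 entries from the ASA cluster and one local0 entry from the router, and drops the malformed line; a line carrying local3/warning is sent as PRI 156 (19 * 8 + 4).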


/cfg/sys/cluster

Cluster Management Configuration

The Cluster menu is used to set the Management IP (MIP) address, and to access the iSD Host menu.

[Cluster Menu]
     mip  - Set management IP (MIP) address
     host - iSD host menu

Table 10-73 Cluster Menu Options (/cfg/sys/cluster)

Command Syntax and Usage

mip <Management IP address>

Sets the Management IP (MIP) address. The MIP address identifies the cluster, and each MIP address must be unique on the network. For more information about clusters and MIP addresses, see “Clusters” on page 33.

host

Displays the iSD Host menu. To view menu options, see page 306.


/cfg/sys/cluster/host <number>

iSD Host Configuration

The iSD Host menu is used for configuring basic TCP/IP properties for a particular ASA (iSD=ASA) in a cluster, as well as setting the ASA host type to either master or slave. You can also halt, reboot or delete an ASA host remotely via the iSD Host menu. To view the host number, type, and IP address for each ASA in the cluster, use the /cfg/sys/cluster/cur command.

[iSD Host 1 Menu]
     type      - Set type of the iSD
     ip        - Set IP address
     license   - Set License
     gateway   - Set default gateway address
     routes    - Routes menu
     interface - iSD host interface menu
     port      - iSD port configuration menu
     ports     - Display physical ports
     halt      - Halt the iSD
     reboot    - Reboot the iSD
     delete    - Remove iSD Host


Table 10-74 iSD Host Menu Options (/cfg/sys/cluster/host)

Command Syntax and Usage

type master|slave

Defines the currently selected ASA host as a master or slave. When installing an ASA in a new cluster (by selecting new in the Setup menu), it is automatically configured as master. When adding up to three additional ASAs to the same cluster (by selecting join in the Setup menu), you are provided with the option to configure them as either master or slave. The default setting, however, for up to three additional ASAs in one given cluster is master. This means that in a cluster containing four ASAs, all four are configured as masters provided you accepted the default settings during the initial setup.

When adding one or more ASAs to a cluster that already contains four master ASAs, the added ASAs are automatically configured as slaves (without the option to change this during the initial setup).

The ASA software supports clustering over multiple subnets. If more than one ASA is required and the ASA you wish to join to the cluster is installed in a different subnet, the new ASA must be configured as a slave. Master ASAs cannot exist on different intranet subnets.

Normally, you will only need to change the type configuration when you have removed one or more master ASAs from a cluster that also contains ASAs configured as slaves. In this case, you may want to promote one of the slaves to become a master. Depending on the total number of ASAs in a cluster and the desired level of redundancy, it is recommended that 2-4 ASAs are configured as masters.

To view the status and current master/slave configuration of the ASAs in a cluster, use the /info/isdlist command. To view the host number of each ASA in a cluster, use the /cfg/sys/cluster/cur command.

ip <iSD host IP address>

Sets the IP address of the currently selected ASA host. Changing the IP address of a specific ASA host does not affect the Management IP address (which defines the cluster itself, and not an individual ASA host). A change of host IP address using this command always applies to a host in network 1.

Note that you will be logged out when you apply the new IP address.

license

Lets you paste the license key for an extended number of SSL VPN users. To obtain a license key, find out the MAC address of the ASA(s) on which you wish to install the license, using the /info/local command. Next, contact Nortel Networks Alteon Support, provide the MAC address and you will be given the license key for the desired number of users.

To ensure even load balancing, an SSL VPN license (preferably with the same number of users) should be installed on each ASA in the cluster.

Note: When pasting the license key, include the BEGIN LICENSE and END LICENSE lines.

gateway

Sets the default gateway address of the selected ASA host.


routes

Displays the Host Routes menu. To view menu options, see page 310.

interface <iSD host interface number>

Displays the Host Interface menu. To view menu options, see page 311.

port

Displays the Host Port menu. To view menu options, see page 314.

ports

Lists the physical ports on the selected ASA host. If there is more than one physical port, the ports that can exist on the same network (for failover or trunking) are grouped together, separated by a comma (,). A port that cannot exist on the same network as the other listed ports appears after a colon (:).

Example output of the command: Ports = 1, 2 : 3

halt

Stops the currently selected ASA host. Always use this command before turning off the device. If the ASA host you want to halt has become isolated from the cluster, you will receive an error message when performing the halt command. You can then try logging in to the ASA via a console connection (or a Telnet or SSH connection to the ASA’s individually assigned IP address) and use the halt command in the Boot menu (/boot/halt).

reboot

Reboots the currently selected ASA. If the ASA you want to reboot has become isolated from the cluster, you will receive an error message when performing the reboot command. You can then try logging in to the ASA via a console connection (or a Telnet or SSH connection to the ASA’s individually assigned IP address) and use the reboot command in the Boot menu (/boot/reboot).


delete

Removes the currently selected ASA “cleanly” from the cluster, and resets the removed ASA to its factory default configuration. Other ASA hosts in the cluster are unaffected. To ensure that you remove the intended ASA host, view the current settings by using the cur command. To view the host number, ASA type (master or slave), and IP address for all ASAs in a cluster, use the /cfg/sys/cluster/cur command.

After having removed an ASA from the cluster, you can only access the device via a console connection. Log in as the admin user with the admin password to enter the Setup menu.

Note 1: You cannot delete an ASA that is included in the cluster configuration of other ASAs if the ASA you want to delete is the only machine in the cluster with the status up. If that is the case you will receive an error message when performing the delete command. To delete an ASA host from the cluster while all the other ASA cluster members are down, log in to the ASA via a console connection (or via a Telnet or SSH connection using the ASA host’s individually assigned IP address) and use the delete command in the Boot menu (/boot/delete). After having deleted the ASA using the /boot/delete command, and the remaining cluster members have regained the status up, you should also connect to the MIP address via Telnet or SSH and delete the ASA from the cluster configuration by using the delete command in the iSD Host menu.

Note 2: If you are using the ASA 310 FIPS model and you want to reset the HSM cards when removing the ASA FIPS host from the cluster, you must use the /boot/delete command. For more information about resetting the HSM cards, see page 128.


/cfg/sys/cluster/host <id>/routes

Host Routes Configuration

The Routes menu is used for managing static routes for a specific host when more than one interface is configured. To configure static routes on a cluster-wide level, use the /cfg/sys/routes command.

[Host Routes Menu]
     list - List all values
     del  - Delete a value by number
     add  - Add a new value

Table 10-75 Routes Menu Options (/cfg/sys/cluster/host/routes)

Command Syntax and Usage

list

Lists all configured static routes by their index number and IP address information.

del <static route by index number>

Removes the specified static route from the host configuration. Use the list command to display the index numbers of all added static routes.

add <destination IP address> <subnet mask> <gateway IP address>

Adds a static route to the host configuration. Specify the destination IP address, the subnet mask, and the gateway IP address.


/cfg/sys/cluster/host <id>/interface <id>

Interface Configuration

The Interface menu is used for configuring an IP interface and assigning physical ports to this interface. If you add more than one port to an interface, the ports can be used in two different modes: failover or trunking.

To configure a new interface (in addition to the default Interface 1), enter an unused interface index number. To change the configuration of an existing interface, enter the corresponding interface index number. To get an overview of all configured interfaces, use the /cfg/sys/cluster/host #/cur interface command.

To configure an interface to use more than one port, or to configure more than one interface in your cluster of ASAs, the ASA devices in the cluster must be equipped with more than one physical port.

[Host Interface 1 Menu]
     ip      - Set IP address
     netmask - Set network mask
     vlanid  - Set VLAN tag id
     mode    - Set mode
     ports   - Interface ports menu
     primary - Set primary port
     delete  - Remove Host Interface

Table 10-76 Network Menu Options (/cfg/sys/cluster/host/interface)

Command Syntax and Usage

ip <interface IP address>

Sets the IP address for the currently selected interface.

netmask <subnet mask>

Sets the subnet mask for the currently selected interface.

vlanid

Sets the desired VLAN tag id. Used if packets received by the currently selected interface are tagged with a specific VLAN tag id, e.g. by a connected switch.


mode failover|trunking

Specifies the mode of operation for the port numbers you have configured for use in a single IP network.

� failover: In this mode, only one link is active at any given time. If a link is active on a port that fails, the active link is immediately switched over to one of the other configured ports. When selecting failover mode, you are also provided with the option to specify a primary port.

� trunking: In this mode, active links are sustained on all configured ports simultaneously in order to increase network throughput.

The default mode is failover.

ports

Displays the Interface Ports menu. To view menu options, see page 313.

primary <primary port by number>

Specifies which of the configured ports should always be used as the primary port, on which the active link is set up. If a failure of the active link occurs on the primary port, the active link is immediately transferred to a remaining (secondary) port. As soon as the primary port regains functionality, the active link is transferred back to that port.

The default primary port value is 0 (zero). The default value indicates that the currently active link remains in use until the port fails, when the link is transferred to the other port. The link will remain active on the port to which it was transferred, even if the port that failed regains functionality.

The primary port setting only has effect when more than one port is configured in the selected interface, and the mode is set to failover.

delete

Removes the current interface from the system configuration.


/cfg/sys/cluster/host <id>/interface <id>/ports

Interface Ports Configuration

The Interface Ports menu is used for listing the ports currently assigned to the selected interface. The menu is also used for adding ports to, or deleting ports from, the selected interface. The interface ports configuration is only applied to those ASA devices in the cluster that are equipped with the physical port represented by the port number you specify.

To view the available port numbers on a particular ASA device in the cluster, use the /cfg/sys/cluster/host #/ports command. This command also provides information about which port numbers can be assigned to the same interface for failover or trunking.

[Interface Ports Menu]
     list - List all values
     del  - Delete a value by value
     add  - Add a new value

Table 10-77 Interface Ports Menu Options (/cfg/sys/cluster/host/interface/ports)

Command Syntax and Usage

list

Displays all ports that are assigned to the currently selected interface.

del <port by number>

Removes the specified port, currently assigned to the selected interface.

add <port by number>

Adds a port to be used in the currently selected interface.


/cfg/sys/cluster/host <id>/port <number>

Host Ethernet Port Configuration

The Host Port menu is used for specifying the properties of a port, with reference to autonegotiation, speed and mode.

[Host Port 1 Menu]
     autoneg - Set autonegotiation
     speed   - Set Speed
     mode    - Set full or half duplex mode

Table 10-78 Host Port Menu Options (/cfg/sys/cluster/host/port)

Command Syntax and Usage

autoneg on|off

Sets Ethernet autonegotiation to on or off for the currently selected host and NIC port. The default and recommended setting is on. Make sure that the device the port is connected to uses the same Ethernet autonegotiation settings.

Note: When autonegotiation is set to on, the settings for speed and (duplex) mode are ignored.

speed <port speed in Mbits per second [10|100|1000]>

Sets the speed for the currently selected host and NIC port when autonegotiation is set to off.

mode full|half

Sets the duplex mode for the currently selected host and NIC port when autonegotiation is set to off.

The default duplex mode is set to full.


/cfg/sys/accesslist

System Access Configuration

The Access List menu is used for controlling Telnet and SSH access to the ASA host. The access control rules can be applied to individual machines, or to all machines on a specific network.

NOTE – If you are about to join one or more ASAs to the cluster, the IP address of Interface 1 for all ASAs in the cluster and the Management IP address (MIP) must be added to the Access list before joining the new ASA. Otherwise the ASAs will not be able to communicate. This is only required if the Access list already contains other entries, i.e. IP addresses for control of Telnet and SSH access.

[Access List Menu]
     list - List all values
     del  - Delete a value by number
     add  - Add a new value

Table 10-79 Access List Menu Options (/cfg/sys/accesslist)

Command Syntax and Usage

list

Displays all entries in the access list by index number, network address, and network mask.

del <index number>

Removes an entry in the access list, specified by index number.

add <host IP address> <subnet mask>

Adds a single machine, or a range of machines on a specific network, to the access list. Only those machines listed will be allowed to access the ASA via a Telnet or SSH connection (assuming that Telnet or SSH connections, or both, are enabled).

To enable Telnet or SSH connections, see the telnet and ssh commands under “Administrative Applications Configuration” on page 316.


/cfg/sys/adm

Administrative Applications Configuration

The Administrative Applications menu is used to configure the CLI timeout value, enable or disable Telnet and SSH access via the CLI, as well as for generating new SSH host keys.

[Administrative Applications Menu]
     snmp       - SNMP Menu
     clitimeout - Set CLI idle timeout
     audit      - Audit Settings Menu
     telnet     - Set telnet CLI access
     ssh        - Set SSH CLI access
     http       - HTTP access menu
     https      - HTTPS access menu
     gensshkeys - Generate new SSH host keys

Table 10-80 Administrative Applications Menu Options (/cfg/sys/adm)

Command Syntax and Usage

snmp

Displays the SNMP menu. To view menu options, see page 318.

clitimeout <timeout value in seconds [300-3600]>

Sets the period of user inactivity after which automatic logout from the CLI occurs. The default idle timeout value is 600 seconds (10 minutes), and the maximum value is 3600 seconds (1 hour). Note that a changed timeout value does not take effect until the next login.

If you have unapplied configuration changes when automatically logged out from the CLI, the unapplied configuration changes will be lost. Make sure to save your configuration changes regularly by using the global apply command.

audit

Displays the Audit settings menu. To view menu options, see page 322.

telnet on|off

Enables or disables Telnet access. When set to on and no machines have been added to the access list, all Telnet connections are allowed.

When set to on and one or more machines have been added to the access list, only the listed machines are allowed Telnet access.

When set to off, all Telnet connections are rejected, including connections from machines added to the access list.

To view Access List menu options, see page 315.

The default Telnet setting is off.


ssh on|off

Enables or disables SSH access. When set to on and no machines have been added to the access list, all SSH connections are allowed.

When set to on and one or more machines have been added to the access list, only the listed machines are allowed SSH access.

When set to off, all SSH connections are rejected, including connections from machines added to the access list.

To view Access List menu options, see page 315.

The default SSH setting is off.

gensshkeys

Generates new SSH host keys. After having generated new SSH host keys, activate the new keys by using the apply command.

http

Displays the HTTP access menu. To view menu options, see page 325.

https

Displays the HTTPS access menu. To view menu options, see page 326.

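The access decision described under /cfg/sys/accesslist and the telnet and ssh commands above, together with a check for the NOTE that every cluster member's Interface 1 address and the MIP must be covered once the list holds any entry, as an added example (not the ASA's own code; all addresses are constructed samples):

```python
import ipaddress

# Added example (not the ASA's own code): the Telnet/SSH access decision described
# under /cfg/sys/accesslist and the telnet/ssh commands, plus a check for the NOTE
# that cluster members' Interface 1 addresses and the MIP must be covered once the
# list holds any entry at all. All addresses used below are constructed samples.

def access_entry(host_ip, subnet_mask):
    """One 'add <host IP address> <subnet mask>' entry as a network object.
    A 255.255.255.255 mask yields a single-host entry."""
    return ipaddress.IPv4Network((host_ip, subnet_mask), strict=False)

def access_allowed(client_ip, service_on, access_list):
    """Decide whether a Telnet or SSH connection from client_ip is accepted.

    service off            -> rejected, even for listed machines
    service on, empty list -> every connection accepted
    service on, non-empty  -> only machines matching an entry accepted
    """
    if not service_on:
        return False
    if not access_list:
        return True
    client = ipaddress.IPv4Address(client_ip)
    return any(client in entry for entry in access_list)

def missing_cluster_entries(access_list, interface_ips, mip):
    """Addresses the cluster needs covered by a non-empty access list but which no
    entry covers. An empty list restricts nothing, so nothing is required then."""
    if not access_list:
        return []
    required = [*interface_ips, mip]
    return [ip for ip in required
            if not any(ipaddress.IPv4Address(ip) in entry for entry in access_list)]


if __name__ == "__main__":
    # Constructed sample: one management workstation plus the cluster's own subnet.
    acl = [access_entry("10.1.2.3", "255.255.255.255"),
           access_entry("192.168.128.0", "255.255.255.0")]
    print(access_allowed("10.1.2.3", True, acl))    # True
    print(access_allowed("10.1.2.4", True, acl))    # False
    print(access_allowed("10.1.2.3", False, acl))   # False: service is off
    print(missing_cluster_entries(acl, ["192.168.128.213", "192.168.128.210"],
                                  "192.168.128.211"))   # []
```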


/cfg/sys/adm/snmp

SNMP Management Configuration

The SNMP menu is used for configuring the network monitoring of your ASAs.

[SNMP Menu]
     snmpv2-mib - SNMPv2-MIB menu
     community  - SNMP community menu
     target     - Notification target menu

Table 10-81 SNMP Menu Options (/cfg/sys/adm/snmp)

Command Syntax and Usage

snmpv2-mib

Displays the SNMPv2-MIB menu. To view menu options, see page 319.

community

Displays the SNMP Community menu. To view menu options, see page 320.

target

Displays the Notification Targets menu. To view menu options, see page 321.


/cfg/sys/adm/snmp/snmpv2-mib

SNMPv2-MIB Configuration

The SNMPv2-MIB menu is used for configuring parameters in the standard SNMPv2 Management Information Base (MIB) for the system.

[SNMPv2-MIB Menu]
     sysDescr   - Set sysDescr
     sysContact - Set sysContact
     sysName    - Set sysName
     sysLocatio - Set sysLocation
     snmpEnable - Set snmpEnableAuthenTraps

Table 10-82 SNMPv2-MIB Menu Options (/cfg/sys/adm/snmp/snmpv2-mib)

Command Syntax and Usage

sysDescr

Adds a textual description of the managed ASA cluster.

sysContact

Designates a contact person for the managed ASA cluster, together with information on how to contact this person.

sysName

Assigns an administratively-assigned name to the managed ASA cluster.

sysLocatio

Adds a description of the physical location of the managed ASA cluster.

snmpEnable disabled|enabled

Enables or disables generating authentication failure traps.

The default snmpEnable value is disabled.


/cfg/sys/adm/snmp/community

SNMP Community Configuration

The SNMP Community menu is used for configuring the community aspects of the SNMP monitoring.

[SNMP Community Menu]
     read  - Set Read Community String
     write - Set Write Community String
     trap  - Set Trap Community String

Table 10-83 SNMP Community Menu Options (/cfg/sys/adm/snmp/community)

Command Syntax and Usage

read

Specifies the monitor community name that grants read access to the Management Information Base (MIB). If no monitor community name is specified, read access is not granted.

The default monitor community name is public.

write

Specifies the control community name that grants read and write access to the Management Information Base (MIB). If no control community name is specified, neither write nor read access is granted.

trap

Specifies the trap community name that accompanies trap messages sent to the SNMP manager. If no trap community name is specified, the sending of trap messages is disabled.

The default trap community name is trap.


/cfg/sys/adm/snmp/target <notification target number>

SNMP Notification Target Configuration

The SNMP Notification Target menu is used for configuring the notification target aspects of SNMP monitoring.

[Notification Target 1 Menu]
     ip   - Set target IP address
     port - Set target port
     vsn  - Set SNMP version
     del  - Remove Notification Target

Table 10-84 SNMP Notification Target Menu Options (/cfg/sys/adm/snmp/target)

Command Syntax and Usage

ip <SNMP manager IP address>

Sets the IP address of the SNMP manager, to which trap messages are sent.

port <TCP port [162]>

Sets the TCP port used by the SNMP manager.

The default value is port number 162.

vsn v1|v2c

Specifies the SNMP version used by the SNMP manager.

The default SNMP version is v2c.

del

Removes the current SNMP manager from the configuration.


/cfg/sys/adm/audit

Audit Configuration

The Audit menu is used for configuring a RADIUS server to receive log messages about commands executed in the CLI or the Web User Interface. If auditing is enabled but no RADIUS server is configured, events will still be generated to the event log and any configured syslog servers.

An event is generated whenever a user logs in/logs out or issues a command from a CLI session. The event contains information about user name and session id as well as the name of executed commands. This event is optionally sent to a RADIUS server for audit trail logging according to RFC 2866 (RADIUS Accounting).

For instructions on how to configure a RADIUS accounting server for logging SSL VPN Portal user sessions, see page 297.

[Audit Menu]
     servers    - Radius Servers Menu
     vendorid   - Set vendor id for group attribute
     vendortype - Set vendor type for audit attribute
     ena        - Enable server
     dis        - Disable server

Table 10-85 Audit Menu Options (/cfg/sys/adm/audit)

Command Syntax and Usage

servers

Displays the RADIUS Audit Servers menu. To view menu options, see page 324.

vendorid

Assigns the SMI Network Management Private Enterprise Code (as defined by IANA in the file http://www.iana.org/assignments/enterprise-numbers) to the following vendor-specific attribute: Vendor-Id.

The Vendor-Id, represented by the private enterprise number, is one of the RADIUS vendor-specific attributes.

The default vendor-Id is set to 1872 (Alteon).

Note: If another vendor-Id is used by your RADIUS system, you can use the vendorid command to bring the RADIUS configuration in line with the value used by the remote RADIUS system. Contact your RADIUS system administrator for more information.


vendortype

Assigns a number to the following vendor-specific attribute used in RADIUS: Vendor type.

Used in combination with the Vendor-Id number, the vendor type number identifies the audit attribute which will contain the audit information.

The default vendor type value is set to 2.

Tip! Finding audit entries in the RADIUS server’s log can be made easier by defining a suitable string in the RADIUS server’s dictionary (e.g. Alteon-SSL-Audit-Trail) and mapping this string to the vendor type value.

Note: If another number for vendor type is used by your RADIUS system, you can use the vendortype command to bring the RADIUS configuration in line with the value used by the remote RADIUS system. Contact your RADIUS system administrator for more information.

ena

Enables auditing, which means that CLI or Web User Interface login, logout and update events are sent to the event log, any configured syslog servers and to a RADIUS audit server. The RADIUS server must however be configured on the ASA (see page 324).

dis

Disables auditing, which means that no audit events will be generated.

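The shape of the RFC 2866 Accounting-Request that carries an audit event, with the event text in a Vendor-Specific attribute keyed by the vendorid (1872) and vendortype (2) settings described above, and the matching server-side decode, as an added example. This is not the ASA's or any RADIUS server's code; the event text layout and the Acct-Status-Type value are assumptions, since the page does not state them.

```python
import hashlib
import hmac
import struct

# Added example (not the ASA's or any RADIUS server's code): an RFC 2866
# Accounting-Request carrying an audit event in a Vendor-Specific attribute keyed by
# the vendorid (default 1872) and vendortype (default 2) settings. How the ASA formats
# the event text and which Acct-Status-Type it uses are not stated on the page; the
# values used here are assumptions.

ACCOUNTING_REQUEST = 4          # RADIUS code for Accounting-Request
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
ATTR_ACCT_STATUS_TYPE = 40
ACCT_STATUS_INTERIM_UPDATE = 3  # assumed status for a CLI command event

def attribute(attr_type, value):
    """Encode one RADIUS TLV: Type, Length (including the 2 header octets), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def vendor_specific(vendor_id, vendor_type, value):
    """Encode attribute 26: Vendor-Id (4 octets) then Vendor type/length/data."""
    if not 1 <= len(value) <= 247:
        raise ValueError("vendor data must be 1..247 octets")
    return attribute(ATTR_VENDOR_SPECIFIC,
                     struct.pack("!I", vendor_id) + attribute(vendor_type, value))

def accounting_request(identifier, attrs, secret):
    """Frame attrs in an Accounting-Request. Per RFC 2866 the Request Authenticator
    is MD5(Code + Identifier + Length + 16 zero octets + attributes + shared secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def verify_request_authenticator(packet, secret):
    """Server-side check that the packet was built with the same shared secret."""
    header, authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(authenticator, expected)

def parse_attributes(data):
    """Walk a run of TLVs; vendor sub-attributes use the same layout."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > len(data):
            raise ValueError("bad attribute length")
        yield attr_type, data[pos + 2:pos + attr_len]
        pos += attr_len

def extract_audit_trail(packet, vendor_id=1872, vendor_type=2):
    """Return the audit strings found in VSAs matching the configured vendor id and
    type, i.e. what a dictionary entry such as Alteon-SSL-Audit-Trail would map to."""
    found = []
    for attr_type, value in parse_attributes(packet[20:]):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != vendor_id:
            continue
        for sub_type, sub_value in parse_attributes(value[4:]):
            if sub_type == vendor_type:
                found.append(sub_value.decode("utf-8", "replace"))
    return found

def build_audit_request(identifier, user, audit_text, secret,
                        vendor_id=1872, vendor_type=2):
    """One audit event for `user`. The page says the event carries user name, session
    id and command name; the exact text layout is a constructed placeholder."""
    attrs = (attribute(ATTR_USER_NAME, user.encode())
             + attribute(ATTR_ACCT_STATUS_TYPE,
                         struct.pack("!I", ACCT_STATUS_INTERIM_UPDATE))
             + vendor_specific(vendor_id, vendor_type, audit_text.encode()))
    return accounting_request(identifier, attrs, secret)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    pkt = build_audit_request(7, "admin", "session 3: /cfg/sys/adm/telnet on", secret)
    print(verify_request_authenticator(pkt, secret))   # True
    print(extract_audit_trail(pkt))                    # ['session 3: /cfg/sys/adm/telnet on']
```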


/cfg/sys/adm/audit/servers

RADIUS Audit Server Configuration

The RADIUS Audit Servers menu is used for adding, modifying and deleting information about RADIUS audit servers.

[Radius Audit Servers Menu]
     list   - List all values
     del    - Delete a value by number
     add    - Add a new value
     insert - Insert a new value
     move   - Move a value by number

Table 10-86 Radius Audit Servers Menu Options (/cfg/sys/adm/audit/servers)

Command Syntax and Usage

list

Lists the IP addresses of currently configured RADIUS audit servers, along with their corresponding index numbers.

del

Removes the specified RADIUS audit server from the configuration. Use the list command to display the index numbers of all added RADIUS audit servers.

add <IP address> <TCP port number> <shared secret>

Adds a RADIUS audit server to the configuration. Specify the IP address, a TCP port number, and the shared secret. The next available index number is assigned automatically by the system.

For backup purposes, several RADIUS audit servers can be added. The ASA will contact the server with the lowest index number first. If contact cannot be established, the ASA will try to contact the server with the next index number in sequence, and so on.

Note: The default port number used for RADIUS audit is 1813.

insert <index number to insert at> <IP address of RADIUS audit server to add>

Assigns a specific index number to the RADIUS audit server you add. The index number you specify must be in use. RADIUS audit servers with an index number higher than (and including) the one you specify will have their current index number incremented by 1.

move <index number to move> <destination index number>

Moves a RADIUS audit server up or down in the list of configured servers. The index numbers you specify must be in use. To view all servers currently added to the configuration, use the list command.


/cfg/sys/adm/http

Browser-Based Management Configuration

The HTTP menu is used for enabling/disabling browser-based configuration of your ASA. To access the Web User Interface, enter the Management IP address assigned to your ASA cluster in your web browser.

[HTTP Menu]
     port - Set HTTP Server port
     ena  - Enable server
     dis  - Disable server

Table 10-87 HTTP Menu Options (/cfg/sys/adm/http)

Command Syntax and Usage

port

Sets the port number to be used for browser-based ASA configuration using the Web User Interface.

The default port number is 80.

ena

Enables the HTTP server used for browser-based configuration on the ASA.

dis

Disables the HTTP server used for browser-based configuration on the ASA.


/cfg/sys/adm/https

Browser-Based Management Configuration with SSL

The HTTPS menu is used for enabling/disabling browser-based configuration of your ASA through a secure SSL tunnel. To access the Web Graphical User Interface, enter the Management IP address assigned to your ASA cluster in your web browser.

[HTTPS Menu]
     port - Set HTTPS Server port
     ena  - Enable server
     dis  - Disable server

Table 10-88 HTTPS Menu Options (/cfg/sys/adm/https)

Command Syntax and Usage

port

Sets the port number to be used for browser-based ASA configuration from the Web Graphical User Interface using SSL.

The default port number is 443.

ena

Enables the HTTPS server used for browser-based configuration on the ASA using SSL.

dis

Disables the HTTPS server used for browser-based configuration on the ASA using SSL.


/cfg/sys/user

User Access Configuration

The User menu is used to change the password for the currently logged in user, add a new user account, or delete an existing user account. By using the edit menu option, you can also change the password and group assignment for a specified user account. Only users with Administrator rights can add or delete user accounts, or change the password of another user account.

The password for the boot user cannot be changed. The reason is that if you were to lose both the admin password and the boot password, the default passwords could not be restored even by reinstalling the software (only the boot user can do this). For more information about default user accounts and related access levels, see “Accessing the ASA” on page 116.

[User Menu]
     passwd   - Change own password
     expire   - Set password expire time interval
     list     - List all users
     del      - Delete a user
     add      - Add a new user
     edit     - Edit a user
     caphrase - Certadmin export passphrase

Table 10-89 User Menu Options (/cfg/sys/user)

Command Syntax and Usage

passwd <own login password> <new password> <confirm new password>

Lets you change your current login password. The password can contain spaces and is case sensitive.

expire <time in days, e.g. 10d for 10 days>

Sets an expiration time for system operator passwords. The time applies to all system users. The counter starts at the time when the new expiration time is set. The first time the operator logs on after the specified time has expired, he or she is prompted for a new password.

The default expiration time is 0, i.e. no expiration time.

list

Lists all user accounts. The three built-in users are always listed: admin, oper, and root.

del <username>

Removes the specified user account from the system. Of the three built-in users (admin, oper, and root) only the oper user can be deleted. Only users with Administrator rights can delete user accounts.


add <username>

Adds a user account to the system. After having added a user account, you must also assign the user account to a group. See the groups command on page 329 for more information. Only users with Administrator rights can add user accounts.

edit <username>

Displays the User <username> menu. To view menu options, see page 329.

caphrase <cert admin export passphrase> <confirm cert admin export passphrase>

Sets the certificate administrator’s passphrase for encrypted private keys in a configuration backup. As long as the admin user is a member of the certadmin group (the default setting), the admin user is prompted for an export passphrase to protect the private keys in the configuration dump each time the /cfg/ptcfg command is used.

A certificate administrator export passphrase need only be defined if the admin user has removed himself or herself from the certadmin group, and added a certificate administrator user with certadmin group rights. The certadmin export passphrase will then automatically be used (without prompting the user) to protect the encrypted private keys in the configuration backup when the /cfg/ptcfg command is performed. Upon restoring a configuration backup from a TFTP/FTP server (/cfg/gtcfg), the user will be prompted for the correct certadmin passphrase as defined using the caphrase command.

Note: The caphrase menu command is only displayed when the logged in user is a member of the certadmin group.



/cfg/sys/user/edit <username>

Edit User Menu

The User <username> menu is used to set or change the login password for a specified user. Only users with Administrator rights can perform this task, and then only if the admin user is a member of the same group as the other user. The groups menu option gives access to the Groups menu, in which the group assignment for the specified user is set.

[User <username> Menu]
     password - Login password
     groups   - Groups menu
     cur      - Display current setting

Table 10-90 User <username> Menu Options (/cfg/sys/user/edit)

Command Syntax and Usage

password <own login password> <login password for user> <confirm login password for user>

Sets the login password for the specified user. The password can contain spaces and is case sensitive.

groups

Displays the Groups menu. To view menu options, see page 330.

cur

Displays the current group settings for the specified user.


/cfg/sys/user/edit <username>/groups

User Access Groups Menu

The Groups menu is used to set or change the group assignment for a user. Whenever a new user account is added, the new user must be assigned to a group. Only the Administrator user can add a new user account to the system, but any user can grant an existing user membership in a group in which the granting user is already a member. By default, the Administrator user is a member of all three built-in groups and can therefore add a new user to any of these groups. A certificate administrator, however, which presumably is a member of only the certadmin group, can only add an existing user to the certadmin group.

[Groups Menu]
     list - List all values
     del  - Delete a value by number
     add  - Add a new value

Table 10-91 Groups Menu Options (/cfg/sys/user/edit/groups)

Command Syntax and Usage

list

Lists the current group assignment of the specified user.

del <group by index number>

Removes the user from the specified group. Only users with Administrator rights can remove other users from groups.

add <group name [admin|oper|certadmin]>

Assigns the specified user to one of the built-in groups: admin, oper, or certadmin.


/cfg/sys/cur

Current System Configuration

    System:
      Routes:
        No items configured
      Date and Time:
        System date = 2003-10-27
        System time = 12:42:17
        Timezone = Europe/Stockholm
      NTP Servers:
        1: 192.168.128.3
      DNS Servers:
        1: 192.168.128.1
      Syslog Servers:
        No items configured
      Cluster:
        Management IP (MIP) address = 192.168.128.211
        iSD Host 1:
          Type of the iSD = master
          IP address = 192.168.128.213
          License = xnet (10), tps (unlimited)
          Default gateway address = 192.168.128.3
          Ports = 1 : 2
          Host Routes:
            No items configured
          Host Interface 1:
            IP address = 192.168.128.213
            Network mask = 255.255.255.0
            VLAN tag id = 0
            Mode = failover
            Primary port = 0
            Interface Ports: 1
          Host Port 1:
            Autonegotiation = on
            Speed = 0
            Full or half duplex mode = full
          Host Port 2:
            Autonegotiation = on
            Speed = 0
            Full or half duplex mode = full
        iSD Host 2:
          Type of the iSD = master
          IP address = 192.168.128.210
          License = xnet (10), tps (unlimited)
          Default gateway address = 192.168.128.3


/boot

Boot Menu

The Boot menu is used for managing software versions, and to shut down, reboot, or reset the configuration of a particular ASA. To use the Boot menu, you must be logged in as the Administrator user.

During normal operations, when you are connected via Telnet or SSH to the Management IP (MIP) address, all ASAs in the cluster are up, and cluster communications are working as expected, you can halt, reboot, or delete an ASA using the commands in the iSD Host menu. For more information on iSD Host menu options, see page 306.

If the ASA you want to halt, reboot, or delete has become isolated from the cluster, you can connect to that particular ASA either via Telnet or SSH (using the ASA’s individually assigned IP address), or use a console connection to perform the halt, reboot, or delete commands from the Boot menu instead. To view the operational status of each ASA in the cluster, use the command /info/isdlist.

[Boot Menu]
     software - Software management menu
     halt     - Halt the iSD
     reboot   - Reboot the iSD
     delete   - Delete the iSD

Table 10-92 Boot Menu Options (/boot)

Command Syntax and Usage

software

Displays the Software Management menu. To view menu options, see page 334.

halt

Stops the particular ASA to which you have connected via Telnet, SSH, or a console connection. Always use this command before turning off the device. If you are connected via Telnet or SSH to the Management IP address (MIP), use the halt command in the iSD Host menu (/cfg/sys/cluster/host #) instead.

reboot

Reboots the particular ASA to which you have connected via Telnet, SSH or a console connection. If you are connected via Telnet or SSH to the Management IP address (MIP), use the reboot command in the iSD Host menu (/cfg/sys/cluster/host #) instead.


delete

Resets the particular ASA to which you have connected via Telnet, SSH, or a console connection, to its factory default configuration (all IP configuration is lost). The software itself will remain intact. After having performed a delete, you can only access the device via a console connection. Log in as the admin user with the admin password to enter the Setup menu.

Note 1: If you receive a warning saying that the ASA you are trying to delete has no contact with any (other) master ASA in the cluster, you should also connect to the MIP address via Telnet or SSH and delete the ASA from the cluster by using the delete command in the iSD Host menu (/cfg/sys/cluster/host #).

The /boot/delete command is primarily intended for situations when you want to delete an ASA that has either become isolated from the cluster, or has been physically removed from the cluster without first performing the delete command from the iSD Host menu (for more information about the iSD Host menu options, see page 306). In these situations, you must use the /boot/delete command to present the Setup menu, from which you can perform the new and join commands.

Note 2: When using the /boot/delete command on the ASA 310 FIPS model, you also have the option to reset the HSM cards on the particular ASA 310 FIPS to which you have connected. For detailed information about resetting the HSM cards, see page 128.



/boot/software

Software Management Menu

The Software Management menu is used to show the current software status of the particular ASA to which you have connected. The menu is also used to download software upgrade packages via TFTP or FTP, as well as for activating or deleting a software upgrade package.

[Software Management Menu]
     cur      - Display current software status
     activate - Select software version to run
     download - Download a new software package via TFTP/FTP
     del      - Remove downloaded (unpacked) releases

Table 10-93 Software Management Menu Options (/boot/software)

Command Syntax and Usage

cur

Displays the software status of the particular ASA to which you have connected via Telnet, SSH, or a console connection. For a sample screen output, see page 336.

activate <software version as listed when using the cur command>

Activates a downloaded software upgrade package indicated as unpacked (when using the cur command). If serious problems occur while running the new software version, you may switch back to the previous version by activating the software version indicated as old (when using the cur command). Note that you will be logged out upon confirming the activate command.


download tftp|ftp

Downloads a new software package by TFTP or FTP.

- tftp: Downloads a software upgrade package from a TFTP server, in order to perform a minor or major upgrade. You need to provide the host name or IP address of the TFTP server, as well as the file name of the software upgrade package. Software upgrade packages typically have the .pkg file name extension.

- ftp: Downloads a software upgrade package from an FTP server, in order to perform a minor or major upgrade. You need to provide the host name or IP address of the FTP server, as well as the file name of the software upgrade package. Software upgrade packages typically have the .pkg file name extension.

If you include a directory path and file name (separated by a forward slash (/)) on the same line as the FTP server host name or IP address when you run the command, make sure you put the combined directory path and file name string within double quotation marks.

Example:

    >> Software Management# download ftp 10.0.0.1 "pub/SSL-4.1.0-upgrade_complete.pkg"

The FTP server must support anonymous user mode, where the following string is used as the password (for logging purposes): admin@’hostname’.isd

del

Removes a software upgrade package that has been downloaded by using the tftp or ftp command, in case you do not want to activate the unpacked software upgrade package. Only software versions whose status is indicated as unpacked (using the cur command) can be removed.



/boot/software/cur
Current Software Status Command

This command displays information about the software version that is currently operational (permanent), and the software version that preceded the currently operational software version (old). If you have downloaded a software upgrade package and not yet activated it, the software upgrade package is indicated as unpacked. After activating a software version indicated as either unpacked or old, that version's status changes to permanent (after the ASA has performed a reboot).

>> Software Management# cur
Version  Name  Status
-------  ----  ------
4.1      SSL   permanent
4.0      SSL   old


/maint
Maintenance Menu

The commands in the Maintenance menu are used to send log file information, or information about the current system internal status, collected from one or all ASAs, to a TFTP or FTP server for technical support purposes.

NOTE – The HSM menu is only accessible for ASA 310 FIPS devices.

[Maintenance Menu]
     hsm        - HSM menu
     dumplogs   - Tech support dump log files to TFTP/FTP server
     dumpstat   - Tech support dump current status to TFTP/FTP server
     starttrace - Start Trace
     stoptrace  - Stop Trace

Table 10-94 Maintenance Menu Options (/maint)

Command Syntax and Usage

hsm

Displays the HSM menu. To view menu options, see page 339.

dumplogs <TFTP or FTP server host name or IP address> <destination file name>

Collects system log file information from the ASA you are connected to (or optionally, all ASAs in the cluster) and sends the information to a file in the gzip compressed tar format on the TFTP or FTP server you have specified. The information can then be used for technical support purposes.

The file sent to the TFTP or FTP server does not contain any sensitive information related to the system configuration, such as certificates, private keys, and so on. Note, however, that TFTP and FTP transfer the archive unencrypted, so send it only to a server on a trusted network.

dumpstat <TFTP or FTP server host name or IP address> <destination file name>

Collects current system internal status from the ASA you are connected to (or optionally, all ASAs in the cluster) and sends the information to a file in the gzip compressed tar format on the TFTP or FTP server you have specified. The information can then be used for technical support purposes.


starttrace interactive|tftp|ftp

Logs certain information pertaining to a user's login session to the Portal, e.g. cipher, authentication mechanism, user name, group and profile. The trace feature can be used as a debugging tool, e.g. to find out why authentication fails.

If set to interactive, the information will be logged directly in the CLI when a user authenticates to the Portal. By selecting tftp or ftp, the output can instead be logged on a TFTP or FTP server.

Note: Only one operator can use the trace feature at a time. If another operator enables tracing, the output will be sent to that operator’s CLI session or TFTP/FTP server.

stoptrace

Stops tracing. If interactive output mode is selected and information has been logged to the CLI, press ENTER to redisplay the CLI prompt.



/maint/hsm
Hardware Security Module Menu

The HSM menu is used for logging in to the HSM card on a local ASA 310 FIPS device after a reboot has occurred. It is also used for splitting the wrap key onto a set of HSM-CODE iKeys. Note that the HSM menu is only accessible if you are using the ASA 310 FIPS model.

[HSM Menu]
     login      - Login to HSM cards on local iSD
     splitkey   - Split a wrap key onto CODE iKeys
     changepass - Change iKey password

Table 10-95 HSM Menu Options (/maint/hsm)

Command Syntax and Usage

login <HSM-USER password for the currently inserted HSM-USER iKey>

Lets you log in to an HSM card, using the HSM-USER iKey and the correct password.

After a reboot has occurred (whether intentionally invoked by the user, or due to a power failure for example), the affected ASA 310 FIPS device will not process any SSL traffic until you first log in to the ASA 310 FIPS (with administrator or operator privileges), and then issue the login command to log in to the HSM cards. You will then be requested to insert the card-specific HSM-USER iKey, and provide the password that is associated with the inserted HSM-USER iKey.

When you have inserted the requested HSM-USER iKeys and provided the associated passwords, alarms that were set during the reboot are cleared. The ASA 310 FIPS device can then start processing SSL traffic again. For detailed information on how to perform this operation, see page 126.

splitkey

Splits the wrap key used by the hardware security module onto the two black CODE iKeys. Before performing a split of the wrap key, you are recommended to label the two black CODE iKeys “CODE-SO” and “CODE-USER” respectively, if not already done. When adding an ASA 310 FIPS device to an existing cluster (by selecting join in the Setup menu), you will always be asked to insert the CODE-SO and CODE-USER iKeys, in turn, in the HSM cards of the ASA 310 FIPS device you are adding.

When installing the very first ASA 310 FIPS device in a new cluster (by selecting new in the Setup menu), you are required to split the wrap key onto the CODE-SO and CODE-USER iKeys. However, should you ever need to split the same wrap key onto a new pair of CODE iKeys (to create backup iKeys, for example), you can use the splitkey command. Store the two CODE iKeys separately and securely: together they reconstruct the wrap key.

Note: When the splitkey command is used, both the HSM-SO iKey and the HSM-USER iKey that are associated with HSM card 0 are required to perform the operation.


changepass <card number [0|1]> <iKey [HSM-SO|HSM-USER]> <current password for the selected iKey> <new password for the selected iKey>

Sets the password for an HSM-SO or an HSM-USER iKey. After you have specified the desired HSM card and iKey user role, insert the correct iKey in the USB port on the HSM card to which the iKey is associated. Then follow the onscreen instructions. An HSM-SO or HSM-USER iKey password must be at least 4 characters long and is case sensitive. Spaces are not allowed.

Note: It is extremely important that you insert the correct HSM iKey when prompted, as the HSM card may otherwise be rendered unusable. Take steps to ensure that the iKey you insert a) belongs to the correct HSM card, and b) corresponds with the iKey user role you specified when prompted.

The HSM-SO iKey is purple and embossed with “HSM-SO”, while the HSM-USER iKey is blue and embossed with “HSM-USER”.

Also note that when the HSM-SO iKey password is changed, the HSM-USER is logged out from the HSM card. To resume normal operations after the HSM-SO iKey password has been changed, you will therefore be prompted to insert the HSM-USER iKey and specify the associated HSM-USER password.



Part 3: Appendices

This section contains the following topics:

- Appendix A, “Supported Ciphers”
- Appendix B, “The ASA SNMP Agent”
- Appendix C, “Syslog Messages”
- Appendix D, “License Information”
- Appendix E, “HSM Security Policy”



APPENDIX A
Supported Ciphers

The ASA supports SSL version 2.0, SSL version 3.0, and TLS version 1.0. All cipher suites defined for these protocol versions are supported, except the IDEA ciphers and the FORTEZZA ciphers.

Table A-1 Supported Ciphers

Cipher Name                   SSL Protocol  Key Exchange, Authentication  Encryption Algorithm  MAC Digest  Export
DHE-DSS-RC4-SHA               SSLv3         DH, DSS                       RC4 (128)             SHA1
EXP1024-DHE-DSS-RC4-SHA       SSLv3         DH (1024), DSS                RC4 (56)              SHA1        EXPORT
EXP1024-RC4-SHA               SSLv3         RSA (1024), RSA               RC4 (56)              SHA1        EXPORT
EXP1024-DHE-DSS-DES-CBC-SHA   SSLv3         DH (1024), DSS                DES (56)              SHA1        EXPORT
EXP1024-DES-CBC-SHA           SSLv3         RSA (1024), RSA               DES (56)              SHA1        EXPORT
EXP1024-RC2-CBC-MD5           SSLv3         RSA (1024), RSA               RC2 (56)              MD5         EXPORT
EXP1024-RC4-MD5               SSLv3         RSA (1024), RSA               RC4 (56)              MD5         EXPORT
EDH-RSA-DES-CBC3-SHA          SSLv3         DH, RSA                       3DES (168)            SHA1
EDH-RSA-DES-CBC-SHA           SSLv3         DH, RSA                       DES (56)              SHA1
EXP-EDH-RSA-DES-CBC-SHA       SSLv3         DH (512), RSA                 DES (40)              SHA1        EXPORT
EDH-DSS-DES-CBC3-SHA          SSLv3         DH, DSS                       3DES (168)            SHA1
EDH-DSS-DES-CBC-SHA           SSLv3         DH, DSS                       DES (56)              SHA1
EXP-EDH-DSS-DES-CBC-SHA       SSLv3         DH (512), DSS                 DES (40)              SHA1        EXPORT
DES-CBC3-SHA                  SSLv3         RSA, RSA                      3DES (168)            SHA1
DES-CBC-SHA                   SSLv3         RSA, RSA                      DES (56)              SHA1
EXP-DES-CBC-SHA               SSLv3         RSA (512), RSA                DES (40)              SHA1        EXPORT
EXP-RC2-CBC-MD5               SSLv3         RSA (512), RSA                RC2 (40)              MD5         EXPORT
RC4-SHA                       SSLv3         RSA, RSA                      RC4 (128)             SHA1
RC4-MD5                       SSLv3         RSA, RSA                      RC4 (128)             MD5
EXP-RC4-MD5                   SSLv3         RSA (512), RSA                RC4 (40)              MD5         EXPORT
ADH-DES-CBC3-SHA              SSLv3         DH, None                      3DES (168)            SHA1
ADH-DES-CBC-SHA               SSLv3         DH, None                      DES (56)              SHA1
EXP-ADH-DES-CBC-SHA           SSLv3         DH (512), None                DES (40)              SHA1        EXPORT
ADH-RC4-MD5                   SSLv3         DH, None                      RC4 (128)             MD5
EXP-ADH-RC4-MD5               SSLv3         DH (512), None                RC4 (40)              MD5         EXPORT
RC4-64-MD5                    SSLv2         RSA, RSA                      RC4 (64)              MD5
DES-CBC3-MD5                  SSLv2         RSA, RSA                      3DES (168)            MD5
DES-CBC-MD5                   SSLv2         RSA, RSA                      DES (56)              MD5
RC2-CBC-MD5                   SSLv2         RSA, RSA                      RC2 (128)             MD5
EXP-RC2-CBC-MD5               SSLv2         RSA (512), RSA                RC2 (40)              MD5         EXPORT
RC4-MD5                       SSLv2         RSA, RSA                      RC4 (128)             MD5
EXP-RC4-MD5                   SSLv2         RSA (512), RSA                RC4 (40)              MD5         EXPORT

The rows marked EXPORT, the SSLv2 rows and the rows with authentication None (anonymous DH) are listed because the ASA supports them; see “Cipher List Formats” below for how to exclude them from a virtual SSL server's cipher list.



Cipher List Formats

The cipher list you specify for a virtual SSL server consists of one or more cipher strings separated by colons (e.g. RC4:+RSA:+ALL:!NULL:!DH:!EXPORT@STRENGTH). Cipher strings can be combined with a logical AND operation (+): SHA1+DES, for example, represents all cipher suites that use both the SHA1 and the DES algorithms.

In the colon-separated list, any cipher string can be preceded by the characters !, - or +. These characters serve as modifiers, with the following meanings:

- ! permanently deletes the matching ciphers from the list (e.g. !RSA); later cipher strings cannot add them back.

- - deletes the matching ciphers from the list, but the ciphers can be added again by later cipher strings.

- + moves the matching ciphers to the end of the list. This option does not add any new ciphers; it just moves matching existing ones.

- @STRENGTH is placed at the end of the cipher list and sorts the list in order of encryption algorithm key length, longest first.

The default cipher list used for all virtual SSL servers in the ASA is ALL@STRENGTH. Note that ALL includes the anonymous DH (ADH) suites listed in Table A-1, so the default list permits unauthenticated key exchange unless you exclude those suites explicitly (for example with !aNULL or !ADH).

A cipher list consisting of the string RC4:ALL:!DH translates into a preferred list of ciphers that begins with all ciphers using RC4 as the encryption algorithm, followed by all remaining cipher suites except the eNULL ciphers (ALL). The final !DH string removes all cipher suites that use Diffie-Hellman (DH) key exchange from the list. (At the time of writing, none of the major Web browsers supported these ciphers.)

Modifying a Cipher List

Starting from the RC4:ALL:!DH cipher list, an example of a slightly modified cipher list can be: RC4:ALL:!EXPORT:!DH

This example removes all EXPORT ciphers in addition to the DH-related cipher suites. Removing the EXPORT ciphers means that all cipher suites using 40- or 56-bit symmetric encryption are removed from the list; browsers running export-controlled crypto software can therefore no longer access the server.


Using the OpenSSL command line tool (on a UNIX machine), it is possible to check which cipher suites a particular cipher list corresponds to. The example above yields the following output:

# openssl ciphers -v 'RC4:ALL:!EXPORT:!DH'
RC4-SHA       SSLv3 Kx=RSA Au=RSA Enc=RC4(128)  Mac=SHA1
RC4-MD5       SSLv3 Kx=RSA Au=RSA Enc=RC4(128)  Mac=MD5
RC4-64-MD5    SSLv2 Kx=RSA Au=RSA Enc=RC4(64)   Mac=MD5
RC4-MD5       SSLv2 Kx=RSA Au=RSA Enc=RC4(128)  Mac=MD5
DES-CBC3-SHA  SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC-SHA   SSLv3 Kx=RSA Au=RSA Enc=DES(56)   Mac=SHA1
DES-CBC3-MD5  SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
DES-CBC-MD5   SSLv2 Kx=RSA Au=RSA Enc=DES(56)   Mac=MD5
RC2-CBC-MD5   SSLv2 Kx=RSA Au=RSA Enc=RC2(128)  Mac=MD5


Supported Cipher Strings and Meanings

The table below lists each supported cipher string alias and its significance.

Table A-2 Cipher Strings and Meanings

Cipher String Aliases Meaning

DEFAULT The default cipher list, which corresponds to ALL@STRENGTH.

ALL All cipher suites except the eNULL ciphers, which must be explicitly enabled.

HIGH Cipher suites with key lengths larger than 128 bits.

MEDIUM Cipher suites using 128 bit encryption.

LOW Includes cipher suites using 64 or 56 bit encryption, but excludes export cipher suites.

EXPORT Includes cipher suites using 40 and 56 bit encryption.

EXPORT40 Cipher suites using 40 bit export encryption only.

EXPORT56 Cipher suites using 56 bit export encryption only.

eNULL, NULL Cipher suites that do not offer any encryption at all. Since the use of such ciphers poses a security threat, they are disabled unless explicitly included.

aNULL Cipher suites that do not offer authentication, like anonymous DH algorithms. The use of such cipher suites is not recommended, since they facilitate man-in-the-middle attacks.

kRSA, RSA Cipher suites using RSA key exchange.

kEDH Cipher suites using ephemeral Diffie-Hellman key agreement.

aRSA Cipher suites using RSA authentication, which implies that the certificates carry RSA keys.

aDSS, DSS Cipher suites using DSS authentication, which implies that the certificates carry DSS keys.

SSLv3, SSLv2 SSL version 3.0 and SSL version 2.0 cipher suites, respectively.

DH Cipher suites using Diffie-Hellman key exchange, including anonymous DH.

ADH Cipher suites using anonymous DH encryption algorithms.

3DES Cipher suites using triple DES encryption algorithms.



DES Cipher suites using DES encryption algorithms, but not triple DES.

RC4 Cipher suites using RC4 encryption algorithms.

RC2 Cipher suites using RC2 encryption algorithms.

MD5 Cipher suites using MD5 as the MAC digest algorithm.

SHA1, SHA Cipher suites using SHA1 as the MAC digest algorithm.



APPENDIX B
The ASA SNMP Agent

There is one SNMP agent in each ASA cluster, and the agent listens on the Management IP address (MIP) of the cluster. The SNMP agent supports SNMP version 1 and version 2c. Notification targets (the SNMP managers receiving trap messages sent by the agent) can be configured to use either SNMP v1 or SNMP v2c (with the default being SNMP v2c). Users may specify any number of notification targets on the ASA. Neither SNMP v1 nor v2c encrypts its traffic or authenticates it beyond the community string, so expose the agent only to trusted management hosts.

For more information on the commands used to configure the SNMP agent in a cluster, see “SNMP Management Configuration” starting on page 318.

For detailed information about the MIB (Management Information Base) definitions that are currently implemented for the ASA SNMP agent, contact Nortel Networks customer support (see “How to Get Help” on page 17).


Supported MIBs

The ASA supports the following MIBs:

- SNMPv2-MIB
- ALTEON-ISD-PLATFORM-MIB
- ALTEON-ISD-SSL-MIB

The SNMPv2 MIB

The SNMPv2-MIB is a standard MIB which all agents implement, and it contains the following groups and objects:

- System group, which is a collection of objects common to all managed systems.
- SNMP group, which is a collection of objects providing basic instrumentation and control of an SNMP entity.

The Alteon iSD Platform MIB

The ALTEON-ISD-PLATFORM-MIB contains the following groups and objects:

- Cluster group, whose objects provide information about the operational status of each ASA, IP address assignment, master/slave assignment, and the iSD host number.
- Performance group, whose objects provide information about CPU and memory utilization.
- Current Alarm group, whose objects provide information about the number of active alarms, alarm IDs, alarm severity levels, alarm cause, and the time when the alarm was triggered.
- Event group, whose objects provide information about the time when the event was generated, as well as a description of the event.


The Alteon iSD-SSL MIB

The ALTEON-ISD-SSL-MIB contains objects for monitoring the SSL gateways. The objects provide information about the following:

- Number of SSL transactions per second.
- Number of initiated client SSL connections.
- Number of renegotiated client SSL connections.
- Number of successfully completed SSL handshakes.
- Number of client requests for a session ID found in the SSL cache.
- Number of client requests for a session ID not found in the SSL cache.
- Number of times a session ID could not be cached because the SSL cache was full.
- Number of client requests for a session ID that was found in the SSL cache, but inaccessible because the Time To Live value for the session was exceeded.

Supported Traps

The following SNMP traps are supported by the ASA:

Table B-1 Traps Supported by the ASA

Trap Name Description

alteonISDSSLHwFail Signifies that the SSL accelerator hardware failed. The ASA will continue to handle traffic, but with severely degraded performance.

alteonISDDown Signifies that an ASA in the cluster is down and out of service.

alteonISDSingleMaster Signifies that only one master ASA in the cluster is up and operational. Having only one master in a cluster means that the fault tolerance level is severely degraded: if the last master fails, the system cannot be reconfigured. This trap is only sent if more than two ASAs in the cluster are defined as masters.


APPENDIX C
Syslog Messages

This appendix contains a list of the syslog messages that are sent from the ASA to a Syslog server (when one has been added to the system configuration). Syslog servers are added to the system configuration by using the menu options in the Syslog Servers menu. To view the menu options, see page 304.

List of Syslog Messages

The following Syslog messages can be sent from the ASA to a configured Syslog server. The messages are listed in order of the message log-level severity.

- EMERG

  - “Root filesystem corrupt”
  - “Failed to write to config filesystem”
  - “Config filesystem corrupt beyond repair”

- CRIT

  - “Hard disk unusable”
  - “Hard disk init failed:” $out
  - “/var filesystem mounted on RAM”
  - “Config filesystem re-initialized - reinstall required”
  - “Application filesystem corrupt - reinstall required”

- ERR

  - “Hard disk re-initialized”
  - “Config filesystem corrupt”
  - “Logs filesystem re-initialized”


  - “Missing files in config filesystem”
  - “Root filesystem repaired - rebooting”
  - “Config filesystem restored from backup”
  - “Rebooting to revert to permanent OS version”

- WARNING

Warnings are divided into two subcategories: events and alarms. Both events and alarms are stored in the event log file, which can be accessed by typing the /info/events/download command.

Active alarms can be viewed by typing the /info/events/alarms command.

EVENTS

Events are formatted according to the following pattern:

Name = ”$Name”
Sender = ”$Sender”
Extra = ”$Extra”

- Name = ssi_mipishere
  Sender = ssi
  Extra = $IP

  Tells that the MIP is now located at the $IP (real IP) ASA.

- Name = software_configuration_changed
  Sender = system
  Extra = software release version $VSN $Status

  Indicates that release $VSN has been $Status (unpacked/installed/permanent).

- Name = software_release_copying
  Sender = $NODE
  Extra = copy software release $VSN from $ONODE

  Indicates that $NODE is copying the release $VSN from $ONODE.

- Name = software_release_rebooting
  Sender = $NODE
  Extra = reboot with release version $VSN

  Indicates that an ASA ($NODE) is rebooting on a new release (i.e. an ASA that was not up and running during the normal installation is now catching up).


- Name = clear_alarm
  Sender = $ID
  Extra =

  The alarm with $ID has been cleared.

- Name = audit
  Sender = CLI
  Extra = Start/Stop/Update#CLI#cli_3148@a<WSS IP address>#<user>#<command>

  Sent when a CLI system administrator enters, exits or updates the CLI.

ALARMS

Alarms are formatted according to the following pattern:

Name = ”$Name”
Id = $ID (where $ID is the alarm number)
Sender = ”$Sender”
Cause = $Cause
Extra = ”$Extra”

- Name = isd_down
  Sender = $NODE
  Cause = down
  Extra =

  This alarm has severity level CRITICAL.

- Name = single_master
  Sender = system
  Cause = down
  Extra =

  This alarm has severity level WARNING. The alarm indicates that only one master ASA in the cluster is up and running.

- Name = log_open_failed
  Sender = {$NODE, event}
  Cause and Extra are explanations of the fault.

  This alarm has severity level MAJOR. The alarm indicates that the event log (where all events and alarms are stored) could not be opened.

- Name = make_software_release_permanent_failed
  Sender = $NODE
  Cause = file_error | not_installed
  Extra = “Detailed info”

  This alarm has severity level CRITICAL.


- Name = copy_software_release_failed
  Sender = $NODE
  Cause = copy_failed | bad_release_package | no_release_package | unpack_failed
  Extra = “Detailed info”

  This alarm has severity level CRITICAL. Indicates that an ASA failed to install a software release while trying to install the same version as all other ASAs in the cluster.

- Name = license
  Sender = license_server
  Cause = license_not_loaded
  Extra = “All iSDs do not have the same license loaded”

  This alarm has severity level WARNING. Indicates that one or several ASAs in the cluster do not have the same SSL VPN license (with reference to the number of concurrent users). This could have a negative effect on load balancing.

- INFO

  - “System started [SSL-$VSN]”
  - “Xnet Login: failed - client ip: (IP address) user: (user name) error: bad user”
  - “Xnet Login: succeeded - client ip: (IP address) user: (user name) groups: (user groups)”
  - “Xnet Logout: (user name)”
  - “PORTAL User=(user name), Proto=(protocol, e.g. SMB), Host=(host id), Share=(home share folder), Path=(path to files)”
  - “SOCKS User=(user name), SrcIP=(source IP address), Request=(CONNECT IP address:port no)” This message refers to the portal’s Port forwarder function.
  - “SOCKS User=(user name), SrcIP=(source IP address), Request=(CONNECT www.example.com:0)” This message refers to the portal’s HTTP Proxy function.
  - “HTTP User=(user name), SrcIP=(source IP address), Request=(GET inside.company.com/)”
  - “HTTP Rejected User=(user name), SrcIP=(source IP address), Request=(GET secret.company.com/)”

- DEBUG

  - “/var filesystem re-initialized”
  - “Local disk filesystem re-initialized”
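As an added example, not part of the manual: a small Python detector that parses the INFO-level Xnet Login and HTTP Rejected messages listed above as they would arrive at a syslog server, then flags repeated login failures from one client IP, one IP trying several user names, a successful login that follows a burst of failures from the same IP, and a user whose requests are repeatedly rejected. The syslog header (timestamp, host, tag) in front of each message, the addresses, user names and thresholds are all constructed for the example; only the message bodies follow the formats in this appendix.

```python
import re
from collections import Counter, defaultdict

# Message bodies follow the INFO-level formats listed in Appendix C. The syslog header in
# front of them (timestamp, host, tag) is not specified on this page, so the patterns are
# searched anywhere in the line rather than anchored at its start.
LOGIN_FAILED = re.compile(r"Xnet Login: failed - client ip: (?P<ip>\S+) user: (?P<user>.+?) error: (?P<error>.+)$")
LOGIN_OK = re.compile(r"Xnet Login: succeeded - client ip: (?P<ip>\S+) user: (?P<user>.+?) groups: (?P<groups>.*)$")
HTTP_REJECTED = re.compile(r"HTTP Rejected User=(?P<user>[^,]+), SrcIP=(?P<ip>[^,]+), Request=\((?P<request>[^)]*)\)")

# Constructed sample log: host name, tag, users and RFC 5737 test addresses are invented.
SAMPLE_LOG = """\
Nov 12 09:14:01 asa1 isd: Xnet Login: failed - client ip: 198.51.100.7 user: jdoe error: bad user
Nov 12 09:14:03 asa1 isd: Xnet Login: failed - client ip: 198.51.100.7 user: jdoe error: bad user
Nov 12 09:14:05 asa1 isd: Xnet Login: failed - client ip: 198.51.100.7 user: jdoe error: bad user
Nov 12 09:14:06 asa1 isd: Xnet Login: failed - client ip: 198.51.100.7 user: admin error: bad user
Nov 12 09:14:08 asa1 isd: Xnet Login: failed - client ip: 198.51.100.7 user: root error: bad user
Nov 12 09:14:20 asa1 isd: Xnet Login: succeeded - client ip: 198.51.100.7 user: jdoe groups: staff
Nov 12 09:15:00 asa1 isd: Xnet Login: failed - client ip: 192.0.2.10 user: asmith error: bad user
Nov 12 09:15:10 asa1 isd: Xnet Login: succeeded - client ip: 192.0.2.10 user: asmith groups: staff,finance
Nov 12 09:16:00 asa1 isd: HTTP User=asmith, SrcIP=192.0.2.10, Request=(GET inside.company.com/)
Nov 12 09:16:05 asa1 isd: HTTP Rejected User=jdoe, SrcIP=198.51.100.7, Request=(GET secret.company.com/)
Nov 12 09:16:06 asa1 isd: HTTP Rejected User=jdoe, SrcIP=198.51.100.7, Request=(GET secret.company.com/admin)
Nov 12 09:17:00 asa1 isd: Xnet Logout: jdoe
"""


def parse_events(text):
    """Turn raw syslog lines into dicts; lines matching none of the three patterns are ignored."""
    events = []
    for line in text.splitlines():
        for kind, pattern in (("login_failed", LOGIN_FAILED), ("login_ok", LOGIN_OK),
                              ("http_rejected", HTTP_REJECTED)):
            match = pattern.search(line)
            if match:
                events.append({"kind": kind, **match.groupdict()})
                break
    return events


def detect(events, fail_threshold=3, spray_users=3, reject_threshold=2):
    """Run four rules over the events in order; each alert is (rule, client_ip, detail)."""
    failures, users_tried, rejected = Counter(), defaultdict(set), Counter()
    alerts = []
    for ev in events:
        ip = ev["ip"]
        if ev["kind"] == "login_failed":
            failures[ip] += 1
            users_tried[ip].add(ev["user"])
            if failures[ip] == fail_threshold:      # fire once, when the threshold is crossed
                alerts.append(("brute_force", ip, f"{fail_threshold} failed logins"))
            if len(users_tried[ip]) == spray_users:  # one source cycling through user names
                alerts.append(("password_spray", ip, f"{spray_users} distinct user names"))
        elif ev["kind"] == "login_ok":
            if failures[ip] >= fail_threshold:      # a guess that finally worked is the one to chase
                alerts.append(("success_after_failures", ip, f"user {ev['user']} after {failures[ip]} failures"))
        elif ev["kind"] == "http_rejected":
            key = (ip, ev["user"])
            rejected[key] += 1
            if rejected[key] == reject_threshold:   # authenticated user probing hosts the ACL denies
                alerts.append(("acl_probing", ip, f"user {ev['user']}, {reject_threshold} rejected requests"))
    return alerts


if __name__ == "__main__":
    for rule, ip, detail in detect(parse_events(SAMPLE_LOG)):
        print(f"{rule:<24} {ip:<15} {detail}")
```

The rules are deliberately stateless across runs and ignore time, so a real deployment would add a sliding window and reset counters after a success; the point here is only that the message formats in this appendix carry enough (client IP, user name, outcome) to build the detection.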


APPENDIX D
License Information

OpenSSL License Issues

The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Both licenses are actually BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact [email protected].

OpenSSL License Copyright © 1998-1999 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)”

4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].

5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.

6. Redistributions of any form whatsoever must retain the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)”

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,  OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudson ([email protected]).

Original SSLeay License

Copyright © 1995-1998 Eric Young ([email protected]) All rights reserved. This package is an SSL implementation written by Eric Young ([email protected]). The implementation was written so as to conform with Netscape SSL. This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson ([email protected]). Copyright remains Eric Young's, and as such, any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package. Redistribution and use in source and binary forms, with or without modification, are permitted, provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions, and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgement: “This product includes cryptographic software written by Eric Young ([email protected])”. The word “cryptographic” can be left out if the routines from the library being used are not cryptographic related.

4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code), you must include an acknowledgement: “This product includes software written by Tim Hudson ([email protected])”.

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The licence and distribution terms for any publicly available version or derivative of this code cannot be changed. That is, this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]

GNU General Public License

Version 2, June 1991

Copyright © 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

GNU GENERAL PUBLIC LICENSE

TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License applies to any program or other work that contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The “Program,” below, refers to any such program or work. A “work based on the Program” means either the Program or any derivative work under copyright law: that is, a work contain-ing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term “modification.”) Each licensee is addressed as “you.”

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.

1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1, above, provided that you also meet all of these conditions:

a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.


b) You must cause any work that you distribute or publish in whole or in part that contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

c) If the modified program normally reads commands interactively when run, you must cause it (when started running for such interactive use in the most ordinary way) to print or display an announcement, including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty), and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: If the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to the work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2, above, provided that you also do one of the following:

a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

b) Accompany it with a written offer, valid for at least three years, to give any third party (for a charge no more than your cost of physically performing source distribution) a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2, above, on a medium customarily used for software interchange; or,

c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accordance with Subsection b, above.)

The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute, or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients’ exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.


7. If, as a consequence of a court judgment, or allegation of patent infringement, or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system. It is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and “any later version,” you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

10. If you wish to incorporate parts of the Program into other free programs in which distribution conditions are different, write to the author for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING, THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR, OR CORRECTION.

12. IN NO EVENT, UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING, WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS.


Apache Software License, Version 1.1

Copyright (c) 2000 The Apache Software Foundation. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. The end-user documentation included with the redistribution, if any, must include the following acknowledgment: “This product includes software developed by the Apache Software Foundation (http://www.apache.org/)”. Alternately, this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally appear.

4. The names “Apache” and “Apache Software Foundation” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].

5. Products derived from this software may not be called “Apache”, nor may “Apache” appear in their name, without prior written permission of the Apache Software Foundation.

THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf of the Apache Software Foundation. For more information on the Apache Software Foundation, please see <http://www.apache.org/>.

Portions of this software are based upon public domain software originally written at the National Center for Supercomputing Applications, University of Illinois, Urbana-Champaign.


APPENDIX E
HSM Security Policy

All information in this Appendix is Copyright 2001 Rainbow Technologies.

Rainbow Technologies CryptoSwift® HSM Cryptographic Accelerator

FIPS 140-1 Non-Proprietary Cryptographic Module Security Policy
Hardware P/N 107316
Firmware version 5.6.27
Ver 25, 7/29/01
For Level 3 Overall, Level 4 for Self-Test Validation

1.0 Scope

This document describes the security policy for the HSM cryptographic accelerator. It is to be used for the FIPS 140-1 validation process. The board is designed to attain a level 3 overall validation and a level 4 validation in the area of Self-Test. The following table describes the compliance level for each section of the FIPS 140-1 specification:

FIPS 140-1 Section              Compliance Level
Cryptographic Modules           Level 3
Module Interfaces               Level 3
Roles and Services              Level 3
Finite State Machine Model      Level 3
Physical Security               Level 3
Software Security               Level 3
Operating System Security       N/A
Cryptographic Key Management    Level 3
Cryptographic Algorithms        Level 3
EMI/EMC                         Level 3
Self-Tests                      Level 4

If changes are made to the design of the HSM, this document should be updated to incorporate the changes and reviewed by an NVLAP-accredited CMT lab.


2.0 Applicable Documents

FIPS PUB 140-1, Federal Information Processing Standard, Security Requirements for Cryptographic Modules. January 11, 1994, U.S. Department of Commerce, National Institute of Standards and Technology

Derived Test Requirements for FIPS PUB 140-1, Security Requirements for Cryptographic Modules. FINAL, March 1995, Mitre for NIST Contract 50SBNIC6732

FIPS PUB 46-3 and FIPS PUB 81, for information on the Data Encryption Standard (DES) and the Triple DES algorithm. U.S. Department of Commerce, National Institute of Standards and Technology

FIPS PUB 180-1, Secure Hash Algorithm (SHA-1), U.S. Department of Commerce, National Institute of Standards and Technology

ANSI Standard X9.17-1995, Financial Institution Key Management (Wholesale), American Banking Association, X9 Financial Services, American National Standards Institute

PKCS #1 RSA Cryptography Standard, Version 2.0, RSA Security Inc., http://www.rsasecurity.com/rsalabs/pkcs/pkcs-1/index.html

3.0 Overview

The HSM is a cryptographic module which is used to accelerate cryptographic processing for network-based electronic commerce and other network-based applications. The board has two modes: the non-FIPS 140-1 mode and the FIPS 140-1 mode. In the FIPS 140-1 mode, the board can be used in servers to improve the performance associated with high-rate signing operations. In the non-FIPS 140-1 mode, the board can be used to accelerate RSA operations for SSL connections on web servers. Other uses are limited only by the creativity of application developers who can write to standard APIs such as Cryptoki (PKCS #11).

The HSM is a PCI card. It has a serial port, a Universal Serial Bus (USB) port, and an LED. The board is shipped with four tokens. These tokens plug into the USB port. The first token is used for authenticating the Security Officer to the HSM. The second token is used for authenticating the User. The third and fourth tokens are called “code tokens.” One of these is held (controlled) by the Security Officer; the other is held by the User. The code tokens are used to move key parts (also known as “key shares”) between two HSM boards. Key parts transferred by this mechanism are combined within the destination boards, so that a shared secret can exist on one or more boards without ever having existed in plaintext outside of a family of HSM boards. The shared secret is a Key-Wrapping-Key. When two or more boards contain the same Key-Wrapping-Key, they are said to be in the same family. The Key-Wrapping-Key is used to encrypt other keys. These encrypted keys can then be transmitted between boards over untrusted paths under the control of a Rainbow Technologies key management utility. This allows boards to share keys as would be appropriate for load distribution or redundancy needs.


The Key-Wrapping-Key also makes it possible for keys to be stored in encrypted form on backup tapes or hard drives for archival purposes. The keys encrypted with the Key-Wrapping-Key need never exist in plaintext form outside of an HSM.

When an operator uses an HSM, he will be assisted by a key management utility. This utility will prompt the operator when it is time to plug a particular token into a particular HSM. A particular host system may contain one or more HSMs. So that there is no confusion, the key management utility will control an LED on each HSM to show the operator where to insert a particular token.

The HSM can detect attempts to penetrate its cryptographic envelope. If it detects a tamper attempt, the HSM will erase all of the critical security parameters that it contains.

The HSM is controlled via its PCI interface. Commands are entered via the PCI bus, and status is read from the PCI bus. Both plaintext and encrypted data are also transmitted over the PCI interface. The serial port is disabled in the production version of the HSM. A primary function of the HSM is to securely generate, store, and use private keys (particularly for signing operations).

4.0 Capabilities

The HSM is capable of performing a wide variety of cryptographic calculations including DES, SHA-1, DSA, 3DES, RSA exponentiation, RC4 and HMAC. When in the FIPS 140-1 mode, the board can perform DES, 3DES, RSA Signatures, RSA Signature Verifications and SHA-1 functions. When in the non-FIPS 140-1 mode, the board can also perform RSA exponentiation, RC4, MD5, HMAC (SHA-1 and MD5) and DSA. The RSA signature and verification implementation is compliant with the PKCS #1 standard. The following table describes how each cryptographic algorithm is used by the module while operating in the FIPS 140-1 Mode:


Algorithm | Used in FIPS 140-1 Mode? | How it is used by the HSM module

DES | No | The module provides services for encryption/decryption. As currently implemented, the plaintext key must be input via the PCI interface. Therefore, this algorithm is not accessible in the FIPS 140-1 Mode. The self-tests perform a known answer test on this algorithm in FIPS 140-1 Mode.

3DES | Yes | Used to generate pseudo-random numbers using the X9.17 Appendix C PRNG algorithm for the purposes of key generation of RSA and 3DES keys. Encryption/decryption of every key stored in persistent storage within the module using the Master Key. Wrapping (encryption) of private RSA keys using the Key-Wrapping-Key for archival purposes. Unwrapping (decryption) of private RSA keys using the Key-Wrapping-Key for the purpose of restoring an archived key. Note: The 3DES Encrypt and Decrypt services are not available for this algorithm in FIPS mode because keys are entered in plaintext.

RSA Signature/Verification | Yes | Generation and verification of digital signatures using the RSA algorithm, in accordance with the PKCS #1 specification. Key pairs of modulus size in the range 192 through 1024 bits, in 64-bit increments. Note: The message digest operation of the digital signature and verification function is performed outside of the cryptographic boundary for performance reasons. After the digest is computed outside the module, the module formats and pads the message digest according to the PKCS #1 standard and then uses the RSA algorithm to compute the digital signature.

SHA-1 | Yes | Hashing of host-provided data. Hashing for the purpose of verifying the RSA digital signature of a firmware image. Hashing a 3DES key for the purpose of checking its integrity after it is split and the corresponding shares are then combined.

MD5 | No | The module provides services to compute an MD5 message digest. As this algorithm is not FIPS-approved, the corresponding services are not available in the FIPS 140-1 Mode.

HMAC (SHA-1) | No | The module provides a service to compute HMAC using SHA-1. As currently implemented, the service requires the MAC key to be input unencrypted via the PCI interface, and therefore this service is not available in the FIPS 140-1 Mode.

HMAC (MD5) | No | The module provides a service to compute HMAC using MD5. Since MD5 is not a FIPS-approved algorithm, this service is not available in the FIPS 140-1 Mode.

RC4 | No | The module provides services for encryption/decryption with RC4. Since RC4 is not a FIPS-approved algorithm, the corresponding services are not available in the FIPS 140-1 Mode.

DSA | No | The module provides services for generating and verifying DSA signatures. As currently implemented, the private key for signature generation must be input via the PCI interface. Therefore, this algorithm is not available in the FIPS 140-1 Mode. Key pairs of modulus size in the range 512 through 1024 bits, in 64-bit increments.
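The RSA row of the table above describes a split of work across the cryptographic boundary: the host hashes the message, only the digest crosses the PCI interface, and the module applies the PKCS #1 formatting and padding and performs the private-key operation. The Go program below is an added illustration, not code from Rainbow Technologies or from this guide, that models the two halves of that split with the standard library's crypto/rsa. HostDigest runs outside the boundary; ModuleSign and ModuleVerify stand in for the RSA Sign and RSA Verify services; KeySizeAllowed applies the stated 192 through 1024 bit, 64-bit-increment modulus rule. The function names, the key generated in main, and the sample message are this example's own assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"errors"
	"fmt"
)

// KeySizeAllowed encodes the modulus range the policy table states for RSA
// signatures: 192 through 1024 bits, in 64-bit increments.
func KeySizeAllowed(bits int) bool {
	return bits >= 192 && bits <= 1024 && bits%64 == 0
}

// HostDigest is the host-side half: the message is hashed outside the
// cryptographic boundary and only the 20-byte SHA-1 digest crosses the PCI bus.
func HostDigest(msg []byte) []byte {
	d := sha1.Sum(msg)
	return d[:]
}

// ModuleSign is the module-side half. It receives only the digest, applies the
// PKCS #1 v1.5 DigestInfo encoding and padding, and exponentiates with a private
// key that never leaves the module. rsa.SignPKCS1v15 performs both steps here.
func ModuleSign(priv *rsa.PrivateKey, digest []byte) ([]byte, error) {
	if !KeySizeAllowed(priv.N.BitLen()) {
		return nil, fmt.Errorf("modulus of %d bits is outside the 192..1024 range", priv.N.BitLen())
	}
	if len(digest) != sha1.Size {
		return nil, errors.New("digest must be exactly 20 bytes for SHA-1")
	}
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest)
}

// ModuleVerify stands in for the RSA Verify service: given the same externally
// computed digest and a signature, it reports whether the signature is valid under pub.
func ModuleVerify(pub *rsa.PublicKey, digest, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest, sig) == nil
}

func main() {
	// 1024 bits is the largest modulus the policy lists; the key is generated
	// here only so the example runs stand-alone (constructed, not a real module key).
	priv, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed message signed by the host") // constructed sample input
	digest := HostDigest(msg)
	sig, err := ModuleSign(priv, digest)
	if err != nil {
		panic(err)
	}
	fmt.Println("signature verifies:", ModuleVerify(&priv.PublicKey, digest, sig))
	// The digest of a different message does not verify against the same signature.
	fmt.Println("other digest verifies:", ModuleVerify(&priv.PublicKey, HostDigest([]byte("other")), sig))
}
```

The split has a trust consequence worth noting when deploying a module built this way: the module signs whichever 20-byte digest it is handed and has no way to relate that digest to the message the operator intended, so the integrity of the host software that computes the digest is part of the signing system's trust base. SHA-1 and a 1024-bit modulus are the 2001 policy's parameters; a current deployment would use SHA-2 and a larger modulus.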


5.0 Physical Security

The board is designed to detect tampering attempts and will zeroize critical security parameters under a variety of prescribed circumstances. These circumstances include penetration of the module’s cryptographic envelope. The cryptographic envelope consists of an opaque tamper resistant lid and circuit board, and will provide clear visual evidence of tampering. The lid and circuit board are joined to form a contiguous perimeter. This perimeter encloses module components responsible for the creation, storage and processing of critical security parameters. The boundary contains intricate serpentine patterns that are used to detect tamper attempts associated with a breach of the cryptographic envelope by drilling, sawing or removal of the tamper lid.

6.0 Module Interfaces

6.1 USB (Universal Serial Bus) Interface

This is the trusted interface of the HSM. It is used for communicating with iKey1000 tokens. Four tokens are shipped with each HSM. One will contain a PIN used to authenticate the Security Officer. One will contain a PIN used to authenticate the User. One will contain a key-part to be controlled by the Security Officer. One will contain a key-part to be controlled by the User. No secrets, key-parts or critical security parameters are contained within any of the tokens or within the HSM when these items are shipped from Rainbow Technologies.

6.2 Status LED (Light Emitting Diode) Interface

The LED can be in four possible states. These are off, green, orange and red. The meaning associated with each LED state is as follows:

LED State   Meaning
Off         Power off
Green       Board is on but idle
Orange      Board is in the self-test state or performing a crypto function
Red         Board is in the error state

The true state of the HSM will be obtainable from the status register which is read by the host over the PCI interface.

6.3 Serial Interface

The serial interface is disabled in the production version of the HSM board.

6.4 PCI Interface

This interface is used to provide data and commands to the HSM board. It is also used to read data and status from the HSM.


6.5 Backup Battery Interface

The Backup Battery Interface is used to provide backup power to the HSM. This gives the HSM the capability to maintain and protect secrets should PCI power become unavailable. The battery is continuously monitored by the HSM for a voltage low condition. This makes it possible to alert an operator. The operator may then replace the battery. This can be done without loss of critical security parameters as long as the battery is replaced when PCI power is present. If the battery is removed while PCI power is absent, all critical security parameters contained within the HSM will be erased.

6.6 PCI Power Interface

The PCI Power Interface will provide the power necessary to perform all other HSM functions.

7.0 Components

7.1 Bulk Crypto

This component performs cryptographic hashing and symmetric cryptographic operations.

7.2 Power Management and Tamper Detect

This component monitors battery voltage and the security envelope to detect conditions that will result in the zeroization of critical security parameters. Battery voltage is also monitored to determine when it is necessary to replace the battery.

7.3 FastMap Processor

This component contains a processor and internal SRAM. The processor executes the software that initially resides in Flash memory and is eventually loaded into the external SRAM (external to the FastMap Processor yet still within the cryptographic boundary). The FastMap Processor also contains large accumulators and a random number generator. The accumulators are necessary for the acceleration of public key cryptographic operations. The random number generator generates truly random numbers through a stochastic process. The output of this random number generator is used only for seeding the FIPS-approved ANSI X9.17 Appendix C pseudo-random number generator (PRNG). The output of the PRNG is used for generating 3DES and RSA keys, as well as outputting random numbers requested via the Generate Random Number service.
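Section 7.3 and the 3DES row of the table in section 4.0 describe the generator chain: a hardware RNG seeds an ANSI X9.17 Appendix C PRNG that runs on 3DES, and the RTC feeds the key-generation process. The Go program below is an added example, not Rainbow's firmware or code from this guide, that implements the X9.17 Appendix C block step with the standard library's crypto/des so the chain can be exercised offline. The policy's PRNG key is a two-key 3DES key, so a 16-byte K1||K2 is expanded to K1||K2||K1 for the cipher; a seed V and a date/time vector DT then yield R = E_K(E_K(DT) xor V) and a new V. The type and function names, the constructed key and seed, and using the wall clock as the RTC stand-in for DT are assumptions of this example.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// X917 is an ANSI X9.17 Appendix C generator keyed with 3DES (the construction
// the policy names). Its state is the cipher keyed with the PRNG key K and the
// secret seed vector V. Added example; not the module's own implementation.
type X917 struct {
	block cipher.Block // 3DES EDE under the PRNG key
	v     [8]byte      // seed V, replaced after every output block
}

// NewX917 keys the generator. The policy's PRNGKey is a two-key 3DES key, so a
// 16-byte K1||K2 is expanded to K1||K2||K1 for the three-key cipher interface.
// On the board the seed would come from the hardware RNG; here the caller supplies it.
func NewX917(key2 []byte, seed []byte) (*X917, error) {
	if len(key2) != 16 || len(seed) != 8 {
		return nil, errors.New("need a 16-byte two-key 3DES key and an 8-byte seed")
	}
	k := append(append([]byte{}, key2...), key2[:8]...)
	b, err := des.NewTripleDESCipher(k)
	if err != nil {
		return nil, err
	}
	g := &X917{block: b}
	copy(g.v[:], seed)
	return g, nil
}

func xor8(a, b [8]byte) (out [8]byte) {
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// Next yields one 8-byte output block from the date/time vector DT:
//   I = E_K(DT);  R = E_K(I xor V);  V' = E_K(R xor I)
func (g *X917) Next(dt [8]byte) [8]byte {
	var i, r [8]byte
	g.block.Encrypt(i[:], dt[:])
	t := xor8(i, g.v)
	g.block.Encrypt(r[:], t[:])
	t = xor8(r, i)
	g.block.Encrypt(g.v[:], t[:])
	return r
}

// Bytes concatenates output blocks until n bytes are available. clock supplies
// the DT vector for each block, so a caller can make the sequence deterministic.
func (g *X917) Bytes(n int, clock func() [8]byte) []byte {
	out := make([]byte, 0, n+8)
	for len(out) < n {
		r := g.Next(clock())
		out = append(out, r[:]...)
	}
	return out[:n]
}

// RTCVector stands in for the board's real-time clock input: the policy says the
// RTC feeds key generation, and in X9.17 that input is the DT vector.
func RTCVector() [8]byte {
	var dt [8]byte
	binary.BigEndian.PutUint64(dt[:], uint64(time.Now().UnixNano()))
	return dt
}

func main() {
	// Constructed key and seed for the demonstration only; a real module draws
	// both from its hardware RNG and destroys the key after use.
	g, err := NewX917([]byte("0123456789abcdef"), []byte("seedseed"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("24 PRNG bytes: %x\n", g.Bytes(24, RTCVector))
}
```

The security of this construction rests entirely on K and V staying secret and on DT not repeating under the same K and V, which is why the policy pairs it with a fresh hardware-generated key per request and destroys that key afterwards.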

7.4 Flash

This component is non-volatile memory. The contents of Flash will maintain its state after PCI power and Battery power have been removed. The Flash contains the firmware that controls processing within the HSM. It also contains public keys and other information that are not considered dangerous if exposed (certificates, public keys, encrypted data, encrypted keys and hash values used for authentication).

7.5 SRAM

SRAM is Static Random Access Memory. This memory will be used to store plaintext data, ciphertext data, symmetric keys, asymmetric keys, intermediate values, and firmware after it has been loaded from Flash.


7.6 Real Time Clock/Battery Powered RAM (RTC/BBRAM)

This component is used to store values that are to be retained when PCI power is removed. This includes the master key (MK) that can be used to decrypt encrypted private keys and symmetric keys stored in Flash. The RTC is used to provide input to the key generation process so that it is consistent with FIPS 140-1 key generation requirements.

7.7 Programmable Logic Device (PLD)

This component embodies all additional logic necessary to interface components contained within the security envelope.

7.8 USB (Universal Serial Bus) Controller

This component allows the board to communicate with an iKey. The iKey is used to store a Personal Identification Number (PIN) that allows for user authentication, or to store key parts for moving keys from one HSM to another HSM.

7.9 Universal Asynchronous Receiver Transmitter (UART)

This component is disabled in the production version of the HSM board.

7.10 33MHz Clock

This circuitry generates a square wave to provide the primary system clock and to synchronize the various components of the HSM with the operation of the FastMap chip.

8.0 Definition of Security Relevant Data Items

The following are the security relevant data items contained in this module:

Master Key (MK) = The 3DES3KEY key which encrypts all non-volatile critical security parameters that are stored within the module (in the Flash). The master key is stored in the BBRAM, and is destroyed when power is removed from both the PCI interface and the battery, and by the tamper detection circuitry whenever tampering is detected. The master key is randomly generated when the board is initialized (the Security Officer role is created).

Security Officer Role PIN (SOPIN) = The SO role PIN is generated randomly when the board is initialized. It is written to an iKey token via the trusted USB interface. Please refer to section 9.2 below for a description of how this PIN is used for authentication.

User Role PIN (UserPIN) = The User Role PIN is generated randomly when the SO invokes the Create User service. It is written to an iKey token via the trusted USB interface. Please refer to section 9.2 below for a description of how this PIN is used for authentication.

Key-Wrapping-Key (KWK) = A 3DES3KEY key created by either the SO or User role for the purpose of wrapping private RSA keys. The Key-Wrapping-Key may be randomly generated using the Generate Key service, or may be entered into the module using the Combine Key service, which combines two key shares entered via the trusted USB interface. In the non-FIPS 140-1 mode, the Key-Wrapping-Key may also be created via the Derive Key service.


PRNG 3DES Key (PRNGKey) = This 3DES2KEY key is used for seeding the X9.17 Pseudo-random Number Generator (PRNG). The PRNG 3DES Key is generated randomly using the hardware random number generator (RNG) within the FastMap processor. This key is generated every time a random number is needed for key generation or as a direct request via the Generate Random Number service. The PRNG 3DES EDE Key is destroyed after each pseudo-random number is generated.

RSA Public and Private Key Pair (SPK, VPK) = This RSA key pair is generated by either the SO or User role for the purpose of generating RSA digital signatures via the RSA Sign service, or for verifying the same via the RSA Verify service. A key pair designated for signatures by the user who created it cannot be used for any other purpose, such as key exchange or encryption/decryption of data. The user may specify via Boolean attributes whether the private key may be used for Signature Generation and/or Data Decryption, and whether the public key may be used for Signature Verification and/or Data Encryption. Hence, a given key pair may be used for both signatures/verifications as well as data encryption/decryption. In FIPS 140-1 Mode, data encryption/decryption is not available.

RSA Encryption/Decryption Public and Private Key Pair (EPK, DPK) = This key pair is generated by either the SO or User role for the purpose of encrypting and decrypting data. When creating this key pair, the user may specify via Boolean attributes whether the private key may be used for Signature Generation and/or Data Decryption, and whether the public key may be used for Signature Verification and/or Data Encryption. Hence, a given key pair may be used for both signatures/verifications as well as data encryption/decryption. Note that in the FIPS 140-1 Mode, although Encryption/Decryption key pairs may be generated, the RSA Encrypt and RSA Decrypt services are not available, and therefore such keys are not usable in this mode.

Key-Wrapping-Key Share (KWKShare) = Key share obtained by splitting the KWK into two shares with the Split Key service. Two corresponding shares may be combined with the Combine Key service to enter the KWK into the module.

9.0 Roles & Services

9.1 Roles

The HSM supports two roles: the User role and the Security Officer (SO) role. Each role has a username and an iKey ID that are selectable by the Security Officer. The module must be handled in a secure manner prior to initialization because authentication is not required to initialize the module. Cryptographic keys and user-defined data created by a specific authenticated user cannot be deleted or modified by another user, regardless of the role. For example, a specific user of the User role may not delete or modify keys or data created by a different user of either the User or SO role. The SO and User roles cannot operate simultaneously; only one authenticated user is allowed at a time.


9.1.1 User

The User role can perform cryptographic operations using private keys which are encrypted and stored in flash. The User role cannot create a user.

9.1.2 Security Officer

The Security Officer role can also perform cryptographic operations using private keys which are encrypted and stored in flash. Additionally, the Security Officer may create a user, update the HSM firmware, or command the HSM to “uninitialize.”

9.2 Authentication

The HSM uses identity-based authentication to allow subjects to assume one of the two roles. Usernames are transmitted to the HSM over the PCI interface to identify the user. A corresponding personal identification number (SOPIN or UserPIN, as described in section 8.0 above) is input to the HSM from an iKey token over the trusted USB interface. This PIN is hashed and compared with a hash value which is stored in flash and associated with the user’s name on the HSM. If the two hash values match, the user is authenticated and assigned the role that is associated with the user’s name. To increase security in case the iKey token is compromised, an iKey ID is used to unlock the plaintext PIN that is stored in the iKey. This iKey ID is input into the module in plaintext as part of the Login service. The module provides a SHA-1 hash of this iKey ID to the iKey token in order to unlock the PIN. Since the iKey ID does not authenticate the user to the module, but rather unlocks the plaintext PIN from the iKey, the iKey ID is not an SRDI.

9.3 Initialization

The HSM is shipped in an uninitialized state. At this point, it contains no private or secret keys. The Security Officer initializes the board. Performing this function generates an internally stored master key, and generates a random PIN, which is stored in the Security Officer’s iKey token. Initialization also creates the Security Officer account and associates the SHA-1 hash of the random PIN with the Security Officer account.

9.4 User Creation

Once the board has been initialized, the Security Officer can create a User account. Creating the User account generates a random PIN, which is stored in the User’s iKey token. The SHA-1 hash of this random PIN is associated with the User account.
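The initialization, user-creation, login and ownership rules of sections 9.1 through 9.4 can be stated as a small executable model. The following Python is an added illustration and is not Rainbow or Nortel firmware: it assumes 16-byte random PINs (the page gives no PIN length), models the iKey as the caller handing the PIN to the Login service, and compares the SHA-1 hashes in constant time, which the page does not specify but any implementation of this check should do.

```python
import hashlib
import hmac
import secrets

SO_ROLE = "SO"
USER_ROLE = "User"


class HsmAccessModel:
    """Executable model of the HSM's roles and authentication rules
    (sections 9.1 to 9.4). Illustration only, not the device firmware."""

    PIN_BYTES = 16  # assumption: the page does not state the PIN length

    def __init__(self):
        self.initialized = False
        self.accounts = {}    # username -> (role, SHA-1 hash of the PIN)
        self.session = None   # username of the single authenticated user
        self.objects = {}     # object id -> username that created it
        self._next_oid = 1

    @staticmethod
    def _pin_hash(pin):
        return hashlib.sha1(pin).digest()

    def initialize(self, so_username):
        """Initialize Card: allowed without authentication (section 9.1).
        Creates the SO account and returns the random SOPIN that would be
        written to the SO's iKey over the trusted interface."""
        if self.initialized:
            raise PermissionError("board is already initialized")
        so_pin = secrets.token_bytes(self.PIN_BYTES)
        self.accounts[so_username] = (SO_ROLE, self._pin_hash(so_pin))
        self.initialized = True
        return so_pin

    def login(self, username, pin):
        """User Login: hash the PIN read from the iKey and compare it with the
        stored hash. Only one user may be authenticated at a time."""
        if self.session is not None:
            raise PermissionError("another user is already authenticated")
        role, stored_hash = self.accounts.get(username, (None, bytes(20)))
        # Constant-time compare, performed even for an unknown username so a
        # rejected name and a rejected PIN take the same time.
        if not hmac.compare_digest(self._pin_hash(pin), stored_hash) or role is None:
            raise PermissionError("authentication failed")
        self.session = username
        return role

    def logout(self):
        self.session = None

    def _current_role(self):
        if self.session is None:
            raise PermissionError("not authenticated")
        return self.accounts[self.session][0]

    def create_user(self, username):
        """Create User: SO role only. Returns the random UserPIN for the User's iKey."""
        if self._current_role() != SO_ROLE:
            raise PermissionError("Create User requires the SO role")
        if username in self.accounts:
            raise ValueError("username already exists")
        user_pin = secrets.token_bytes(self.PIN_BYTES)
        self.accounts[username] = (USER_ROLE, self._pin_hash(user_pin))
        return user_pin

    def store_object(self):
        """Store an object (for example a private key) owned by the logged-in user."""
        self._current_role()
        oid = self._next_oid
        self._next_oid += 1
        self.objects[oid] = self.session
        return oid

    def delete_object(self, oid):
        """Delete Object: only the user who created the object may delete it,
        regardless of role (section 9.1)."""
        self._current_role()
        if self.objects.get(oid) != self.session:
            raise PermissionError("object was created by a different user")
        del self.objects[oid]
```

A typical sequence is initialize (unauthenticated), log in as the SO, create a User, log out, then log in as that User; the model rejects a second concurrent login, a Create User from the User role, and deletion of an object created by someone else.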


9.5 Services

The following table describes which services can be performed by which role, and the SRDI(s) which each service accesses.

Service | FIPS 140-1 Level 3 mode (Not authenticated / User role / SO role) | Non-FIPS 140-1 mode (Not authenticated / User role / SO role) | SRDIs accessed
Modular Exponentiation using CRT (note 3) | YES / YES / YES | YES / YES / YES | None
Modular Exponentiation (note 3) | YES / YES / YES | YES / YES / YES | None
RSA Encrypt (note 8) | NO / NO / NO | NO / YES / YES | EPK (use)
RSA Decrypt (note 8) | NO / NO / NO | NO / YES / YES | DPK (use)
Digital Signature Standard Sign (note 1) | NO / NO / NO | YES / YES / YES | None
Digital Signature Standard Verification (note 1) | NO / NO / NO | YES / YES / YES | None
Self-test | YES / YES / YES | YES / YES / YES | None
Firmware Update | NO / NO / YES | NO / NO / YES | None
Generate Random Number | YES / YES / YES | YES / YES / YES | PRNGKey (create, destroy)
Get Configuration | YES / YES / YES | YES / YES / YES | None
Get Status | YES / YES / YES | YES / YES / YES | None
Verify Firmware Image | NO / NO / YES | NO / NO / YES |
SHA1 Hash | NO / YES / YES | YES / YES / YES | None
SHA1 HMAC (note 1) | NO / NO / NO | YES / YES / YES | None
MD5 Hash | NO / NO / NO | YES / YES / YES | None
MD5 HMAC (note 1) | NO / NO / NO | YES / YES / YES | None
DES Encrypt (note 1) | NO / NO / NO | YES / YES / YES | None
DES Decrypt (note 1) | NO / NO / NO | YES / YES / YES | None
Triple DES Encrypt (note 1) | NO / NO / NO | YES / YES / YES | None
Triple DES Decrypt (note 1) | NO / NO / NO | YES / YES / YES | None
RC4 Encrypt (note 1) | NO / NO / NO | YES / YES / YES | None
RC4 Decrypt (note 1) | NO / NO / NO | YES / YES / YES | None
Encrypt SHA1 Hash (DES) (note 1) | NO / NO / NO | YES / YES / YES | None
Decrypt SHA1 Hash (DES) (note 1) | NO / NO / NO | YES / YES / YES | None
Encrypt SHA1 Hash (3DES) (note 1) | NO / NO / NO | YES / YES / YES | None
Decrypt SHA1 Hash (3DES) (note 1) | NO / NO / NO | YES / YES / YES | None
Encrypt MD5 Hash (RC4) (note 1) | NO / NO / NO | YES / YES / YES | None
Decrypt MD5 Hash (RC4) (note 1) | NO / NO / NO | YES / YES / YES | None
Generate and Return RSA Key Pair (note 4) | NO / NO / NO | YES / YES / YES | None
Generate and Store RSA Key Pair | NO / YES / YES | NO / YES / YES | PRNGKey (create and destroy), and create either or both of the following pairs: (SPK, VPK) or (EPK, DPK)
Store Public Object (Public RSA Key, user data object) | NO / YES / YES | NO / YES / YES | Enter and store: EPK or VPK
Store Vendor-Defined Data Object | YES / YES / YES | YES / YES / YES | None
Store Private Object (Private RSA Key) (note 4) | NO / NO / NO | NO / YES / YES | Enter and store: SPK or DPK
Get Public Object (RSA public key, user-defined data object) | NO / YES / YES | NO / YES / YES | Read: SPK or DPK
Get Vendor-Defined Data Object | YES / YES / YES | YES / YES / YES | None
Get Object Information by Object ID | YES / YES / YES | YES / YES / YES | None
Get Object Count | YES / YES / YES | YES / YES / YES | None
Get Object Information by Index | YES / YES / YES | YES / YES / YES | None
Get RSA Key Information by ID (modulus, exponent) | NO / YES / YES | NO / YES / YES | Read: VPK or EPK
Get RSA Key Information by Index (modulus, exponent) | NO / YES / YES | NO / YES / YES | Read: VPK or DPK
Change Object ID | NO / YES / YES | NO / YES / YES | None
Delete Object | NO / YES / YES | NO / YES / YES | Destroy selected key: KWK, SPK, VPK, EPK, DPK
Delete All Objects | NO / YES / YES | NO / YES / YES | Destroy all keys: KWK, SPK, VPK, EPK, DPK
Initialize Card | YES / NO / NO | YES / NO / NO | MK (create), SOPIN (create and write to trusted path)
Uninitialize Card (note 7) | NO / NO / YES | NO / NO / YES | Destroy all of the following: MK, SOPIN, UserPIN, KWK, SPK, VPK, EPK, DPK
User Login/Change PIN (note 5) | YES / NO / NO | YES / NO / NO | UserPIN (read from trusted interface)
Create User | NO / NO / YES | NO / NO / YES | UserPIN (create, write to trusted interface)
User Logout | NO / YES / YES | NO / YES / YES | None
Derive Key (note 2) | NO / NO / NO | NO / NO / YES | KWK (create)
Wrap Key (note 4) | NO / YES / YES | NO / YES / YES | KWK (use), Wrap: SPK, DPK
Unwrap Key (note 4) | NO / YES / YES | NO / YES / YES | KWK (use), Unwrap: SPK, DPK
Modify Object | NO / YES / YES | NO / YES / YES | None
RSA Sign (note 4) | NO / YES / YES | NO / YES / YES | SPK (use)
RSA Verify | NO / YES / YES | NO / YES / YES | VPK (use)
Generate Key (note 6) | NO / YES / YES | NO / YES / YES | KWK (create)
Split Key | NO / YES / YES | NO / YES / YES | KWK (split), PRNGKey (create, destroy), two KWKShares (created and written to trusted interface)
Combine Key | NO / YES / YES | NO / YES / YES | KWK (created), two KWKShares (read from trusted interface)
Set LED State | YES / YES / YES | YES / YES / YES | None

Note 1 = The key for these commands is input via the PCI bus (data input interface).
Note 2 = This is a PKCS 12 method for deriving a 3DES key from a password, salt and iteration count.
Note 3 = The Exponentiation Using CRT and Exponentiation functions are generic math functions; all parameters are input via the PCI interface (data input interface).
Note 4 = When operating in the FIPS 140-1 mode, it is not possible for secret keys, private keys or critical security parameters to cross the PCI bus without being wrapped (encrypted) using the Key-Wrapping-Key.
Note 5 = User Login is the process that takes the board from the unauthenticated state to the authenticated state. Only one user may be authenticated at a particular time. Consequently, the User Login process cannot be started from the authenticated state. Nonetheless, the User Login process cannot be completed successfully without authentication.
Note 6 = This command is used for generating the Key-Wrapping-Key.
Note 7 = When the board is in the zeroized state, it is possible for an unauthenticated user to uninitialize the board.
Note 8 = These operations must access stored cryptographic keys. The keys may not be input via the PCI interface.


10.0 Key Management

10.1 Key Generation

Random number generation for key generation is accomplished using the algorithm described in appendix C of ANSI standard X9.17. This algorithm uses a seed value V (from appendix C) that is generated by the random number generator contained in the FastMap chip. Generating keys in this manner ensures that the generated keys are random and that the process used for their construction is consistent with the requirements of FIPS 140-1. Continuous random number testing is performed on the output of the hardware RNG (in the FastMap chip) as well as on the output of the FIPS-approved ANSI X9.17 PRNG which is seeded by the RNG. For both continuous tests, the block size is 64 bits.

10.2 Key Storage

Private keys, symmetric keys and other critical security parameters are stored in plaintext within the security envelope in RAM. Private and symmetric keys may also be stored in flash, but only after being 3DES3KEY encrypted with the Master Key (MK) of the board. BBRAM is used to store the Master Key.

10.3 Key Entry and Output

When in the FIPS 140-1 mode, private keys and symmetric keys can only cross the cryptographic boundary when 3DES3KEY encrypted with a Key-Wrapping-Key. The Key-Wrapping-Key is generated when the “Generate Key” command is received by the HSM. The command that is used to encrypt and output a private or symmetric key is the “Wrap Key” command. The command that is used to enter and decrypt a private or symmetric key is the “Unwrap Key” command.

10.4 Key Distribution

To distribute a Key-Wrapping-Key between devices, it is split into two parts. The two parts, when exclusively ORed together, regenerate the Key-Wrapping-Key. The key splitting occurs when the “Write Key Split” command is first issued by the Security Officer. This command causes one of the key parts to be written to an iKey controlled by the Security Officer. The second key part is written to an iKey controlled by the User. The Security Officer must log out and the User must log in before the second “Write Key Split” can be performed. The two iKey tokens used for carrying key parts are labeled with the word “CODE”. The two key parts are then physically carried by separate trusted individuals to another device. If this device is also an HSM, the two parts may be loaded into it using the “Read Key Split” command. Similarly, this command must be issued twice, once for the Security Officer and once for the User. Separate authentications are required for each “Read Key Split” command. After the second “Read Key Split” command has been successfully completed, the destination device contains the same Key-Wrapping-Key as the originating device. Once two or more devices contain the same Key-Wrapping-Key, they are said to be in the same family. Devices in the same family may share other secrets. Secrets are moved between devices under the control of a Rainbow Technologies key management utility. The key management utility runs on the host, and uses the “Wrap Key” and “Unwrap Key” commands to move wrapped keys between devices in the same family.
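The XOR split described above can be shown in a few lines. The following Python is an added example, not the Rainbow key management utility or the HSM firmware: it assumes a 24-byte 3DES3KEY Key-Wrapping-Key, uses the operating-system random source where the HSM uses its PRNG, and models the destination side's two separately authenticated “Read Key Split” steps with a small class whose role names are taken from the table in section 9.5.

```python
import secrets

KWK_LEN = 24  # a 3DES3KEY key: three 8-byte DES keys (assumed from the page's key type)


def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("shares must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(kwk):
    """Split Key service: the first share is fresh random output (the HSM
    creates and destroys a PRNGKey for this); the second is kwk XOR share1.
    Each share on its own is uniformly random and reveals nothing about kwk."""
    if len(kwk) != KWK_LEN:
        raise ValueError("KWK must be a %d-byte 3DES3KEY key" % KWK_LEN)
    so_share = secrets.token_bytes(KWK_LEN)   # written to the SO's "CODE" iKey
    user_share = xor_bytes(kwk, so_share)     # written to the User's "CODE" iKey
    return so_share, user_share


def combine_key(so_share, user_share):
    """Combine Key service on the receiving device: XOR the two shares."""
    return xor_bytes(so_share, user_share)


class DestinationDevice:
    """Models the receiving HSM: one share per role, each entered under a
    separate authentication, and the KWK exists only once both are in."""

    def __init__(self):
        self._shares = {}
        self.kwk = None

    def read_key_split(self, role, share):
        if role not in ("SO", "User"):
            raise ValueError("role must be SO or User")
        if role in self._shares:
            raise PermissionError("%s share has already been entered" % role)
        if len(share) != KWK_LEN:
            raise ValueError("bad share length")
        self._shares[role] = share
        if len(self._shares) == 2:
            self.kwk = combine_key(self._shares["SO"], self._shares["User"])
            self._shares.clear()   # the shares are not retained once combined
            return True            # KWK now installed; device joins the family
        return False               # waiting for the other role's share
```

After the second share the two devices hold an identical Key-Wrapping-Key and can exchange keys wrapped under it; a share delivered to the wrong device, or a mismatched pair of shares, simply yields a different (random-looking) key and nothing wrapped under the real KWK will unwrap.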

10.5 Key Destruction

Critical security parameters including plaintext private keys, symmetric keys and intermediate values will be zeroized according to various conditions as described in Table E-1 on page 377. It is also possible for the security officer to command the board to un-initialize, which causes the data stored in RAM, FLASH and BBRAM to be erased.

10.6 Key Archiving

Under the control of the Rainbow Technologies key management utility, it is also possible to archive keys. This may be done so that keys may be stored on backup media such as tape or hard drives. The Rainbow Technologies key management utility utilizes the “Wrap Key” command to perform key archival. All archived keys are 3DES3KEY encrypted. Keys may only be archived and restored between devices in the same family.

Table E-1 Key Destruction

Tamper Detected | Voltage Applied: Battery | Voltage Applied: PCI | Storage: BBRAM | Storage: RAM and Other | Storage: Flash
NO | YES | YES | Retained | Retained | Retained
NO | YES | NO | Retained | Erased | Retained
NO | NO | YES | Retained | Retained | Retained
NO | NO | NO | Erased | Erased | Retained
YES | YES | YES | Erased | Erased | Retained
YES | YES | NO | Erased | Erased | Retained
YES | NO | YES | Erased | Erased | Retained
YES | NO | NO | Erased | Erased | Retained


11.0 Modes

The HSM has two operating modes. These are the FIPS 140-1 mode and the non-FIPS 140-1 mode. Before the HSM is initialized with the “Initialize Card” command, it is in the non-FIPS 140-1 mode. This command has an input parameter that specifies the mode of the card after initialization. Once initialized, the board remains in one of the two modes. If one wishes to change the operating mode of the card, the card must first be uninitialized using the “Uninitialize Card” command. Then, the card can be initialized with a different operating mode. Uninitializing the card removes all secrets from the card.

11.1 FIPS 140-1 Mode

In the FIPS 140-1 mode, the board may only perform FIPS approved algorithms. These are as follows:

DES
3DES **
SHA-1
RSA Sign
RSA Verify

See the table in the services section to identify the conditions necessary for performing various HSM commands in the FIPS 140-1 mode. No plaintext private or symmetric keys can cross the cryptographic boundary when the HSM is in the FIPS 140-1 mode.

** The 3DES algorithm is used to secure private or symmetric keys stored in flash and for the key wrapping and unwrapping functions.

11.2 Non-FIPS 140-1 Mode

In the non-FIPS 140-1 mode, the user has greater flexibility in the types of algorithms that can be performed and the manner in which keys are handled. For example, in the non-FIPS 140-1 mode, the board can perform all the functions of the FIPS 140-1 mode plus other functions like MD5 and RC4. In the non-FIPS 140-1 mode, keys may cross the cryptographic boundary in plaintext form for certain operations (e.g. DES, RSA CRT exponentiation). It is still possible to store keys on the board so that they cannot be extracted. These non-extractable keys will be erased if a tamper attempt is detected. See the table in the services section to identify the conditions necessary for performing various HSM commands in the non-FIPS 140-1 mode.


12.0 Self-Tests

The following table describes all of the cryptographic self-tests performed by the HSM module. The following abbreviation is used: KAT = Known Answer Test.

Self-Test | FIPS 140-1 Mode | Non-FIPS 140-1 Mode | When performed
RSA Encrypt/Decrypt and Sign/Verify KATs | Yes | Yes | Power-up, Self-Test Service (on demand)
DES KAT | Yes | Yes | Power-up, Self-Test Service (on demand)
3DES KAT | Yes | Yes | Power-up, Self-Test Service (on demand)
SHA-1 KAT | Yes | Yes | Power-up, Self-Test Service (on demand)
DSA KAT | No | Yes | Power-up, Self-Test Service (on demand)
MD5 KAT | No | Yes | Power-up, Self-Test Service (on demand)
RC4 KAT | No | Yes | Power-up, Self-Test Service (on demand)
RSA Key Generation Pairwise Consistency Test | Yes | Yes | Generate And Store RSA Key Pair Service, Generate And Return RSA Key Pair Service
Statistical Random Number Generator Tests (Monobit, Poker, Runs, Long Run) | Yes | Yes | Power-up, Self-Test Service (on demand)
Continuous Random Number Generator Test | Yes | Yes | Whenever a pseudorandom number is generated: key generation, Generate Random Number Service
Firmware RSA Signature Verification Test | Yes | Yes | Power-up, Self-Test Service (on demand), Firmware Update, Verify Firmware Image Service
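The two random-number checks named in this table and in section 10.1 (the power-up statistical tests and the 64-bit continuous test) are small enough to write out. The Python below is an added example, not the HSM's firmware: the pass/fail thresholds are the original FIPS 140-1 values for a 20,000-bit sample (Change Notice 1 later tightened them, and the page does not say which set this module applies, so this is an assumption), the sample data is constructed from a seeded software PRNG in place of the FastMap RNG output, and the constructed failing inputs show what each test rejects.

```python
import random
from collections import Counter

# Original FIPS 140-1 thresholds for a 20,000-bit sample (assumption: the page
# does not state whether the HSM uses these or the Change Notice 1 values).
SAMPLE_BITS = 20000
MONOBIT_RANGE = (9654, 10346)            # exclusive bounds on the count of ones
POKER_RANGE = (1.03, 57.4)               # exclusive bounds on the poker statistic
RUNS_RANGES = {1: (2267, 2733), 2: (1079, 1421), 3: (502, 748),
               4: (223, 402), 5: (90, 223), 6: (90, 223)}   # inclusive, 6 = "6 or more"
LONG_RUN = 34                            # a run this long or longer fails


def bits_of(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def monobit_test(bits):
    ones = sum(bits)
    return MONOBIT_RANGE[0] < ones < MONOBIT_RANGE[1]


def poker_test(bits):
    """Chi-square style test over the 5,000 non-overlapping 4-bit segments."""
    n = len(bits) // 4
    counts = Counter(tuple(bits[i:i + 4]) for i in range(0, len(bits), 4))
    x = (16.0 / n) * sum(c * c for c in counts.values()) - n
    return POKER_RANGE[0] < x < POKER_RANGE[1]


def run_lengths(bits):
    """List of (bit value, run length) for maximal runs in the sample."""
    runs, current, length = [], bits[0], 0
    for b in bits:
        if b == current:
            length += 1
        else:
            runs.append((current, length))
            current, length = b, 1
    runs.append((current, length))
    return runs


def runs_test(bits):
    """Counts of runs of each length 1..6+ must fall in range, for zeros and ones."""
    runs = run_lengths(bits)
    for value in (0, 1):
        counts = Counter(min(length, 6) for v, length in runs if v == value)
        for length, (lo, hi) in RUNS_RANGES.items():
            if not lo <= counts[length] <= hi:
                return False
    return True


def long_run_test(bits):
    return max(length for _, length in run_lengths(bits)) < LONG_RUN


def statistical_tests(data):
    """Power-up / on-demand battery over one 20,000-bit sample."""
    bits = bits_of(data)
    if len(bits) != SAMPLE_BITS:
        raise ValueError("statistical tests need exactly %d bits" % SAMPLE_BITS)
    return {"monobit": monobit_test(bits), "poker": poker_test(bits),
            "runs": runs_test(bits), "long_run": long_run_test(bits)}


def continuous_test(blocks):
    """Continuous RNG test with a 64-bit block size: every new block is compared
    with the previous one, and a repeat is a failure (the first block is only
    retained for comparison, as FIPS 140-1 requires)."""
    previous = None
    for block in blocks:
        if len(block) != 8:
            raise ValueError("continuous test blocks are 64 bits")
        if previous is not None and block == previous:
            return False
        previous = block
    return True


def constructed_sample(seed=20031112):
    """Constructed 20,000-bit sample from a seeded PRNG, standing in for RNG output."""
    value = random.Random(seed).getrandbits(SAMPLE_BITS)
    return value.to_bytes(SAMPLE_BITS // 8, "big")
```

Running statistical_tests on the constructed sample passes all four tests; an all-zero sample fails monobit, poker, runs and long-run, while a 10101010 pattern passes monobit (exactly 10,000 ones) yet fails poker and runs, which is why the four tests are applied together.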


13.0 Conclusion

The HSM provides FIPS 140-1 Level 3 cryptographic processing, acceleration and security for RSA signing and verifying functions. In the non-FIPS 140-1 mode, it can also perform bulk data cryptographic algorithms for PKI certificate server, firewall and web server equipment. It is suitable for use in applications requiring up to 200 public key transactions per second where protecting critical security parameters is a high priority. Industries requiring this high level of performance and security include (but are not limited to) banking, telecommunications, e-commerce, and medical services. In the area of self-test, the HSM provides capabilities consistent with FIPS 140-1 Level 4.


APPENDIX F

Definition of Key Codes

Syntax Description

If your application uses a different keyboard layout than the standard VT320, a key code definition file can be created. Almost all special keys can be defined according to the following syntax rule:

[SCA] KEY=STRING

The characters enclosed in [ and ] are optional. Only one of the characters ’S’ (SHIFT), ’C’ (CTRL) or ’A’ (ALT) may appear before KEY, which is a textual representation of the key you wish to redefine (F1, PGUP etc.).

The new STRING to be sent when pressing the key should come after the equals character (=). Hash marks (#) in the file declare the line as a comment and will be ignored. The examples below explain the syntax in more detail:

Send the string "test" when pressing the F1 key:

F1 = test

On pressing Control + PGUP, send the string "pgup pressed":

CPGUP = pgup pressed

Redefine the key Alt + F12 to send an escape character:

AF12 = \\e

As can be seen, the string may contain special characters which may be escaped using the backslash (\).


Allowed Special Characters

The table below includes allowed special characters:

NOTE – For some of the escape codes you need two backslashes, as these are specific javassh definitions not known by the Java Property mechanism.

Table F-1 Allowed Special Characters

Special Character Explanation

\\b Backspace. This character is usually sent by the <- key (Backspace key).

\\e Escape. This character is usually sent by the Esc key.

\n Newline. This character will move the cursor to a new line. On UNIX systems, it is equivalent to carriage return + newline. Usually the Enter key sends this character.

\r Carriage Return. This key moves the cursor to the beginning of the line. In conjunction with Newline, it moves the cursor to the beginning of a new line.

\t Tabulator. The tab character is sent by the TAB key and moves the cursor to the next tab stop defined by the terminal.

\\v Vertical Tabulator. Sends a vertical tabulator character.

\\a Bell. Sends a terminal bell character which should make the terminal sound its bell.

\\number Inserts the character that is defined by this number in the ISO Latin1 character set. The number should be an octal value.


Redefinable Keys

The following table explains which keys may be redefined. As explained earlier, each of the keys may be prefixed by a character defining the redefinition that occurs if it is pressed in conjunction with the SHIFT, CONTROL or ALT keys.

Table F-2 Redefinable Keys

Key Representation Remarks

F1-F20 The Function keys, i.e. F1, F2 etc. up to F20.

PGUP The Page Up key.

PGDOWN The Page Down key.

END The End key.

HOME The Home (Pos 1) key.

INSERT The Insert key.

REMOVE The Remove key.

UP The Cursor Up key.

DOWN The Cursor Down key.

LEFT The Cursor Left key.

RIGHT The Cursor Right key.

NUMPAD0-NUMPAD9 The numbered Numeric keypad keys.

ESCAPE The Escape key.

BACKSPACE The Backspace key.

TAB The Tab key.


Example of a Key Code Definition File

Below is an example of the keyCodes.at386 key code definition file, created for an AT-386 Terminal.

#
F1=\\eOP
F2=\\eOQ
F3=\\eOR
F4=\\eOS
F5=\\eOT
F6=\\eOU
F7=\\eOV
F8=\\eOW
F9=\\eOX
F10=\\eOY
F11=\\eOZ
F12=\\eOA
#
# Shift F1 thru F10
#
SF1=\\eOp
SF2=\\eOq
SF3=\\eOr
SF4=\\eOs
SF5=\\eOt
SF6=\\eOu
SF7=\\eOv
SF8=\\eOw
SF9=\\eOx
SF10=\\eOy
SF11=\\eOz
SF12=\\eOa
#
# Other cursor movement keys
#
UP=\\e[A
DOWN=\\e[B
RIGHT=\\e[C
LEFT=\\e[D
#
INSERT=\\e[@
# REMOVE=\\177 #( hex 7F / Decimal 127 / Octal 177 / DEL Key)
#
HOME=\\e[H
PGDOWN=\\e[U
PGUP=\\e[V
END=\\e[Y
#
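A parser for the syntax and escape rules of this appendix, written here as an added example that is not part of the Alteon software or of javassh. It assumes two decoding stages, because the note in Table F-1 says that \\b, \\e, \\v, \\a and \\number need a doubled backslash to survive the Java Properties loader before javassh sees them: stage one applies the Java Properties escapes (a doubled backslash becomes a single one, and \n, \r, \t are decoded), stage two applies the javassh escapes; key names are validated against Table F-2. The sample file content is constructed in the style of keyCodes.at386 and the syntax examples above.

```python
import re

# Keys that may be redefined (Table F-2) and the allowed modifier prefixes.
KEY_NAMES = {"PGUP", "PGDOWN", "END", "HOME", "INSERT", "REMOVE", "UP", "DOWN",
             "LEFT", "RIGHT", "ESCAPE", "BACKSPACE", "TAB"}
KEY_NAMES |= {"F%d" % i for i in range(1, 21)}
KEY_NAMES |= {"NUMPAD%d" % i for i in range(10)}
MODIFIERS = {"S": "SHIFT", "C": "CTRL", "A": "ALT"}

# javassh-specific escapes from Table F-1 (the ones written with two backslashes).
JAVASSH_ESCAPES = {"b": "\b", "e": "\x1b", "v": "\x0b", "a": "\x07"}
PROPERTIES_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "f": "\f"}


def properties_unescape(value):
    """Stage one: Java Properties escape handling (assumed: n/r/t/f and uXXXX
    are decoded; any other escaped character is kept literally, so a doubled
    backslash survives as a single backslash for stage two)."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch != "\\" or i + 1 >= len(value):
            out.append(ch)
            i += 1
            continue
        nxt = value[i + 1]
        if nxt in PROPERTIES_ESCAPES:
            out.append(PROPERTIES_ESCAPES[nxt])
            i += 2
        elif nxt == "u" and i + 6 <= len(value):
            out.append(chr(int(value[i + 2:i + 6], 16)))
            i += 6
        else:
            out.append(nxt)
            i += 2
    return "".join(out)


def javassh_unescape(value):
    """Stage two: javassh escapes from Table F-1, including backslash followed
    by up to three octal digits for an ISO Latin-1 character code."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch != "\\" or i + 1 >= len(value):
            out.append(ch)
            i += 1
            continue
        nxt = value[i + 1]
        octal = re.match(r"[0-7]{1,3}", value[i + 1:])
        if nxt in JAVASSH_ESCAPES:
            out.append(JAVASSH_ESCAPES[nxt])
            i += 2
        elif octal:
            out.append(chr(int(octal.group(0), 8)))
            i += 1 + len(octal.group(0))
        else:
            out.append(ch)          # unknown escape: keep the backslash as-is
            i += 1
    return "".join(out)


def parse_key_name(name):
    """Split an optional single S/C/A prefix from a key name (Table F-2)."""
    if name in KEY_NAMES:
        return (None, name)
    if name and name[0] in MODIFIERS and name[1:] in KEY_NAMES:
        return (MODIFIERS[name[0]], name[1:])
    raise ValueError("not a redefinable key: %r" % name)


def parse_key_codes(text):
    """Parse a definition file into {(modifier, key): string sent on keypress}."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                    # blank line or comment
        if "=" not in line:
            raise ValueError("line %d: expected [SCA]KEY=STRING" % lineno)
        key, _, value = line.partition("=")
        modifier, base = parse_key_name(key.strip())
        table[(modifier, base)] = javassh_unescape(properties_unescape(value.lstrip()))
    return table


# Constructed sample in the style of keyCodes.at386 and the syntax examples.
SAMPLE_KEYCODES = r"""
# constructed sample, not the shipped file
F1=\\eOP
SF1=\\eOp
UP=\\e[A
INSERT=\\e[@
# REMOVE=\\177 #( hex 7F / Decimal 127 / Octal 177 / DEL Key)
CPGUP = pgup pressed
AF12 = \\e
"""
```

Note the commented-out REMOVE line is skipped, so no entry is produced for it; a line such as SCF1=... is rejected because only one modifier character may precede the key name.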


Glossary

Access Rules Applies to the SSL VPN feature. When a user tries to log in to the virtual SSL VPN server, either via the Portal page or via the SSL VPN client, his or her group membership determines the access rights to different servers and applications on the intranet. This is done by associating one or more access rules (each containing parameters such as allowed network, ports and paths) with a group.

Base Profile Refers to links and access rules specified for a user group directly under the Group level. If extended profiles are used, the base profile’s links and access rules will be appended to the extended profile’s links and access rules.

CA (Certificate Authority)

A trusted third-party organization or company that issues digital certificates. The role of the CA in this process is to guarantee that the entity granted the unique certificate is, in fact, who he or she claims to be.

CLI (Command Line Interface)

The text-based interface on the ASA, presented to the user after having logged in. The CLI can be accessed via a console connection or remote connection (Telnet or SSH). The CLI is used for collecting ASA information and configuring the ASA.

Cluster (of ASAs) A cluster is a group of ASAs that share the same configuration parameters. There can be more than one ASA cluster in the network, each with its own set of parameters and services to be used with different real servers. Every cluster has a Management IP address (MIP), which is an IP alias to one of the master ASAs in the cluster.

Console Connection A connection to the ASA established via the console port.


CRL (Certificate Revocation List)

A list containing the serial numbers of revoked client certificates. Each CA issues and maintains its own CRLs. If you generate client certificates on the ASA, you can also create your own CRL.

CSR (Certificate Signing Request)

A request for a digital certificate, sent to a CA. On the ASA, you can generate a CSR from the command line interface by using the request command.

DCE (Data Communications Equipment)

A device that communicates with a Data Terminal Equipment (DTE) in RS-232C communications.

DER (Distinguished Encoding Rules)

A process for unambiguously converting an object specified in ASN.1 (such as an X.509 certificate, for example) into binary values for storage or transmission on a network.

Digital Certificate The digital equivalent of an ID card used in conjunction with a public key encryption system. Digital certificates are issued by trusted third parties known as certificate authorities (CAs), after verifying that a public key belongs to a certain owner. The certification process varies depending on the CA and the level of certification.

Digital Signature A digital guarantee that a document has not been altered, as if it were carried in an electronically-sealed envelope. The "signature" is an encrypted digest of the text that is sent with the text message. The recipient decrypts the signature digest and also recomputes the digest from the received text. If the digests match, the message is proved intact and tamper free from the sender.

A digital signature ensures that the document originated with the person signing it and that it was not tampered with after the signature was applied. However, the sender could still be an impersonator and not the person he or she claims to be. To verify that the message was indeed sent by the person claiming to send it requires a digital certificate (digital ID) which is issued by a certification authority.

DIP (Destination IP) Address

The destination IP address of a frame.

DPort (Destination Port)

The destination port number, linking the incoming data to the correct service. For example, port 80 for HTTP, port 443 for HTTPS, port 995 for POP3S.


DTE (Data Terminal Equipment)

A device that controls data flowing to or from a computer. The term is most often used in reference to serial communications defined by the RS-232C standard. This standard defines the two ends of the communication channel as being a DTE and DCE device. However, using a null-modem cable, a DTE to DTE communication channel can also be established between, for example, two computers.

Extended Profile Extended profiles can be defined for a user group if other links and access rules should apply when the user authenticates by means of a specific authentication method or when connecting from a specific IP address or network.

GSLB (Global Server Load Balancing)

An Alteon Application Switch feature that allows you to balance server traffic load across multiple physical sites. The Alteon GSLB implementation takes into account an individual site’s health, response time, and geographical location to smoothly integrate the resources of the dispersed server sites for complete global performance.

HTTP Proxy Applies to the SSL VPN feature. Java applet accessible on the Portal page’s Advanced tab, enabling links executed on complex intranet Web pages (containing plugins like Flash, Shockwave and Java applets) to be sent through a secure connection to the SSL server for redirection.

IP Interface IP interfaces are defined on the Alteon Application Switch and are used for defining the subnets to which the switch belongs. Up to 256 IP interfaces can be configured on an Alteon Application Switch. The IP address assigned to each IP interface provides the switch with an IP presence on your network. No two IP interfaces can be on the same IP subnet. The IP interfaces can be used for connecting to the switch for remote configuration, and for routing between subnets and VLANs (if used).

Master ASA An ASA in a cluster that is in control of the MIP address, or can take over the control of the MIP address should another master fail. Configuration changes in the cluster are propagated to other members through the master ASAs.

MIB (Management Information Base)

An SNMP structure that describes which groups and objects can be monitored on a particular device.

MIP (Management IP) Address

An IP address that is an IP alias to a master ASA in a cluster of ASAs. The MIP address identifies the cluster and is used when making configuration changes via a Telnet or SSH connection.


Nslookup A utility used to find the IP address or host name of a machine on a network. In order to use the nslookup command on the ASA, the ASA must have been configured to use a DNS server.

NTP (Network Time Protocol)

A protocol used to synchronize the real-time clock in a computer. There are numerous primary and secondary servers on the Internet that are synchronized to Coordinated Universal Time (UTC) via radio, satellite or modem.

Passphrase Passphrases differ from passwords only in length. Passwords are usually short, from six to ten characters. Short passwords may be adequate for logging onto computer systems that are programmed to detect a large number of incorrect guesses, but they are not safe for use with encryption systems. Passphrases are usually much longer—up to 100 characters or more. Their greater length makes passphrases more secure.

PEM (Privacy Enhanced Mail)

A standard for secure e-mail on the Internet. It supports encryption, digital signatures and digital certificates as well as both private and public key methods. Keys and certificates are often stored in the PEM format.

Ping (Packet INternet Groper)

A utility used to determine whether a particular IP address is online.

PKCS12 A standard for storing private keys and certificates.

PKI (public key infrastructure)

Short for public key infrastructure, a system of digital certificates, Certificate Authorities, and other registration authorities that verify and authenticate the validity of each party involved in an Internet transaction. PKIs are currently evolving and there is no single PKI nor even a single agreed-upon standard for setting up a PKI. However, nearly everyone agrees that reliable PKIs are necessary before electronic commerce can become widespread.

A PKI is also called a trust hierarchy.

Portal Applies to the SSL VPN feature. The Portal page is displayed following a successful login to a virtual SSL VPN server configured as a portal server. The Portal contains five different tabs from where the user can access various intranet resources such as web, mail and file servers.


Port Forwarder Applies to the SSL VPN feature. Java applet accessible on the Portal page’s Advanced tab, enabling transparent access to applications through a secure connection. By specifying an arbitrary port number on the client along with the desired intranet host and port number, the user can access an intranet application by connecting to localhost on the specified port number.

Real Server Group A group of real servers that are associated with a virtual server IP address (VIP) or filter on an Alteon Application Switch.

RIP (Real Server IP) Address

A real server IP address that the Alteon Application Switch load balances to when requests are made to a virtual server IP address (VIP).

RPort (Real Server Port)

The real server port, which a virtual SSL server on the ASA uses when sending and receiving information to and from the real servers.

Setup Utility When starting an ASA the very first time, you enter the Setup utility automatically. The Setup utility is used for performing a basic configuration of the ASA. The Setup utility first presents you with the choice of setting up the ASA as a single device, or to add the ASA to an existing cluster.

If you perform a reinstallation of the ASA software, you will also enter the Setup Utility after the ASA has rebooted.

SIP (Source IP) Address

The source IP address of a frame.

Slave ASA An ASA that depends on a master ASA in the same cluster for proper configuration.

SNMP (Simple Network Management Protocol)

A network monitoring and control protocol. Data is passed from SNMP agents, which are hardware and/or software processes reporting activity in each network device (an ASA, for example), to the workstation console (or SNMP manager) used to oversee the network. The SNMP agents return information contained in a MIB (Management Information Base), which is a data structure that defines what information is obtainable from the device.


SOCKS A generic proxy protocol for TCP/IP-based networking applications. The SOCKS protocol provides a flexible framework for developing secure communications by easily integrating other security technologies, e.g. SSL.

SOCKS includes two components, the SOCKS server and the SOCKS client. The SOCKS server is implemented at the application layer, while the SOCKS client is implemented between the application and transport layers. The basic purpose of the protocol is to enable hosts on one side of a SOCKS server to gain access to hosts on the other side of a SOCKS server, without requiring direct IP reachability.

SPort (Source Port) The source destination port, linking the incoming data to the correct service. For example, port 80 for HTTP, port 443 for HTTPS, port 995 for POP3S.

SSH (Secure Shell) A program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels.

SSL (Secure Sockets Layer) Protocol

The SSL protocol is the leading security protocol on the Internet. It runs above the TCP/IP protocol and below higher-level protocols such as HTTP or IMAP. SSL uses TCP/IP on behalf of the higher-level protocols and, in the process, allows an SSL-enabled server to authenticate itself to an SSL-enabled client.

SSL VPN Feature allowing remote access to intranet resources (such as applications, mail, files, intranet web pages) via a secure connection. The underlying protocol used for these sessions is SSL.

With the SSL VPN feature enabled, mobile workers, telecommuters and partners can access information and/or applications on the intranet, either via the SSL VPN Portal Page (browser-based mode) or by using the SSL VPN SOCKS client software (transparent mode). What information should be accessible to the user is determined via the access rules in access control lists.

SSL VPN client Windows application with SOCKS support. When installed on a user’s computer, transparent access (not via the Portal page) to intranet applications is enabled. Requires a SOCKS server to be configured on the ASA.


STP (Spanning Tree Protocol)

An algorithm used in transparent bridges that dynamically determines the best path from source to destination. It avoids bridge loops (two or more paths linking one segment to another), which can cause the bridges to misinterpret results. The algorithm creates a hierarchical “tree” that “spans” the entire network including all switches. It determines all redundant paths and makes only one of them active at any given time.

TLS (Transport Layer Security)

The TLS protocol provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.

Traceroute A utility used to identify the route used for station-to-station connectivity across the network.

Trap If a trap is defined in the MIB, a trap message is sent from the SNMP agent to the SNMP manager when the trap is triggered. A trap can for example define a hardware failure in a monitored device.

URI (Uniform Resource Identifier)

The addressing technology from which URLs are created. Technically, URLs such as HTTP:// and FTP:// are specific subsets of URIs, although the term URL is mostly heard.

VIP (Virtual Server IP) Address

An IP address that the switch owns and uses to load balance particular service requests (like HTTP) to other servers.

Virtual Router A shared address between two devices utilizing VRRP, as defined in RFC 2338. One virtual router is associated with an IP interface defined on the Alteon Application Switch. All IP interfaces on an Alteon Application Switch must be in a VLAN. If there is more than one VLAN defined on the Application Switch, then the VRRP broadcast will only be sent out on the VLAN to which the associated IP interface has been added.

Virtual SSL Server A virtual SSL server handles a specific service on the ASA, such as HTTPS, SMTPS, IMAPS, or POP3S. You can create an unlimited number of virtual SSL servers per ASA cluster, and each virtual SSL server is mapped to a virtual server on the Alteon Application Switch. In order to authenticate itself towards clients making requests for the specified service, the virtual SSL server is configured to use a digital certificate.


VLAN (Virtual Local Area Network)

VLANs are commonly used to split up groups of network users into manageable broadcast domains, to create logical segmentation of workgroups, and to enforce security policies among logical segments. Up to 246 VLANs are supported on an Alteon Application Switch running Web OS.

VRRP (Virtual Router Redundancy Protocol)

A protocol similar to Cisco’s proprietary HSRP address-sharing protocol. The reason for both of these protocols is to ensure devices have a next hop or default gateway that is always available. For example, two or more devices sharing an IP interface are either advertising or listening for advertisements. These advertisements are sent via a broadcast message to address 224.0.0.18.

With VRRP, one switch is considered the master and the other is the backup. The master is always advertising via the broadcasts. The backup switch is always listening for the broadcasts. Should the master stop advertising, the backup will take over ownership of the VRRP IP and MAC addresses as defined by the specification. The switch announces this change in ownership to the devices around it by way of a gratuitous ARP and advertisements. If the backup switch didn’t do the gratuitous ARP, the Layer 2 device attached to the switch would not know that the MAC address had moved in the network. For a more detailed description, refer to RFC 2338.

X.509 A widely-used specification for digital certificates that has been a recommendation of the ITU since 1988.


Index

Symbols
/ .... 142
? (help) .... 142
[ ] .... 16

A
abbreviating commands (CLI) .... 146
aborting commands (CLI) .... 145
accept
    Cluster Wide SSL Statistics Server menu command .... 158
    Single iSD Statistics Server menu command .... 167
access
    Extended Profile menu command .... 296
    Group menu command .... 283
    Information menu command .... 151
access groups .... 282
access levels
    Administrator user .... 116
    Boot user .... 116
    Operator user .... 116
    Root user .... 116
Access List menu .... 315
Access Rule menu .... 285
action, Access Rule menu command .... 286
activate
    Software Management menu command .... 334
    software upgrade package .... 61
    software version .... 61
activesess, Statistics menu command .... 156
add
    Access List menu command .... 315
    certificate using copy-and-paste .... 82
    certificate using TFTP .... 86
    DNS Servers menu command .... 303
    Health Check Script menu command .... 241
    Host Routes menu command .... 310
    Interface Ports menu command .... 313
    LDAP Servers menu command .... 267
    Local Database menu command .... 271
    NTLM Servers menu command .... 269
    NTP Servers menu command .... 302
    portal links .... 287
    private key using copy-and-paste .... 84
    private key using TFTP .... 86
    RADIUS Accounting Servers menu command .... 298
    RADIUS Audit Server menu command .... 324
    RADIUS Servers menu command .... 263
    Revocation menu command .... 185
    Routes menu command .... 300
    Syslog Servers menu command .... 304
    User menu command .... 328


addclicert, HTTP Settings menu command .... 205
addfront, HTTP Settings menu command .... 204
addnostore, HTTP Settings menu command .... 205
addvia, HTTP Settings menu command .... 204
addx, Revocation menu command .... 185
addxfor, HTTP Settings menu command .... 203
addxisd, HTTP Settings menu command .... 204
Administrative Applications menu .... 316
Administrator user, access level .... 116
adv, Authentication menu command .... 260
adv, Server menu command .... 193
Advanced Settings menu .... 220
alarms and events .... 154
alarms, Events menu command .... 154
allowdoc, HTTP Settings menu command .... 205
allowica, HTTP Settings menu command .... 205
allowimage, HTTP Settings menu command .... 205
Apache software license .... 361
applet, Portal settings menu command .... 218
apply (global command) .... 174
applying configuration changes .... 174
appspec
    Access Rule menu command .... 286
    Xnet Domain menu command .... 254
Appspec menu .... 278
ASCII terminal .... 112
Audit menu .... 322
auth, Xnet Domain menu command .... 253
authDN, Automatic CRL menu command .... 188
authentica, Portal settings menu command .... 217
Authentication menu .... 259
authorder, Xnet Domain menu command .... 254
authserver, Client Filter menu command .... 280
Automatic CRL menu .... 187

B
Backend Server menu .... 246
banner, Portal menu command .... 256
base profiles .... 295
baud rate, console connection .... 112
becnctfail
    Cluster Wide SSL Statistics Server menu command .... 160
    Single iSD Statistics Server menu command .... 169
blockstrin, Advanced Settings menu command .... 220
Boot menu .... 332
Boot user
    access level .... 116
    software reinstall .... 56

C
cacerts
    Automatic CRL menu command .... 189
    SSL Connect Verify Settings menu command .... 245, 251
    SSL Settings menu command .... 197
cachain, SSL Settings menu command .... 197
cache
    specify SSL cache size .... 196
    specify SSL cache Time To Live value .... 196
cachefull
    Cluster Wide SSL Statistics Server menu command .... 159
    Single iSD Statistics Server menu command .... 168
cachehits
    Cluster Wide SSL Statistics Server menu command .... 159
    Single iSD Statistics Server menu command .... 168
cachemisse
    Cluster Wide SSL Statistics Server menu command .... 159
    Single iSD Statistics Server menu command .... 168
cachesize, SSL Settings menu command .... 196
cachetimeo
    Cluster Wide SSL Statistics Server menu command .... 159
    Single iSD Statistics Server menu command .... 168
cachettl, SSL Settings menu command .... 196
cert
    Certificate menu command .... 180
    SSL Connect Settings menu command .... 243, 249
    SSL menu command .... 175
    SSL Settings menu command .... 196
certificate formats .... 81
Certificate menu .... 179
certificate revocation list (CRL)
    add by using FTP or TFTP .... 186
    automatic retrieval of .... 187
    revoke certificates issued by CA .... 96
    revoke certificates issued by own organization .... 97
certificate signing request (CSR)
    generate .... 76, 181
    submit .... 76
certificates
    add using copy-and-paste .... 82
    add using TFTP .... 86


    add using TFTP/FTP .... 182
    automatic revocation .... 187
    client .... 91
    create self-signed test .... 182
    display .... 183
    export .... 183
    managing .... 75
    remove .... 184
    Revocation menu .... 185
    revoke client certificates .... 95
    specify CA certificate chain .... 197
    specify CA certificate for client authentication .... 197
    specify server certificate .... 196
    view installed certificates .... 135
certs, Information menu command .... 150
chain certificates
    clear all .... 197
    specify CA chain of server certificate .... 197
changepass, HSM menu command .... 340
cipherrewr
    Cluster Wide SSL Statistics Server menu command .... 159
    Single iSD Statistics Server menu command .... 168
ciphers
    list formats .... 345
    meaning of string aliases .... 347
    Rewrite menu command .... 207
    specify default preference list .... 198
    specify default rewrite cipher list .... 207
    SSL Connect Settings menu command .... 244, 250
    SSL Settings menu command .... 198
    string aliases .... 347
    strings .... 345
    supported .... 343
    supported strings .... 347
ckeep, TCP Settings menu command .... 199
clear, Statistics menu command .... 156
CLI, see command line interface
client authentication
    configure SSL server for .... 89
    generate client certificates .... 91
    managing .... 75
    revoke client certificates .... 95
    specify CA certificate .... 197
    specify level of .... 197
client certificates
    generate .... 91, 181
    list revoked .... 185
    revoke .... 95
    revoke by serial number .... 185
    unrevoke by serial number .... 185
Client Filter menu .... 280
clientnet, Client Filter menu command .... 281
clihisto
    Cluster Wide SSL Statistics Server menu command .... 160
    Local Statistics menu command .... 162
    Single iSD Statistics Server menu command .... 169
    Single iSD Stats menu command .... 163
    Statistics menu command .... 157
clitimeout, Administrative Applications menu command .... 316
cluster
    add ASA 310-FIPS device to existing cluster .... 49
    add ASA device to existing cluster .... 39
    general information .... 33
    install first ASA 310-FIPS in new cluster .... 43
    install first device in new cluster .... 36
    networks within a cluster .... 34
    unable to join .... 122
Cluster menu .... 305
Cluster Wide SSL Statistics Server menu .... 158
cmsie, HTTP Settings menu command .... 206
color1-4, Portal Colors menu commands .... 258
colors, Portal menu command .... 257
command line interface .... 141
    global commands .... 142
    history and editing .... 144
    shortcut commands .... 146
    timeout value .... 316
commands
    abbreviating .... 146
    aborting .... 145
    conventions used in this manual .... 16
    global .... 142
    shortcut .... 146
    stacking .... 146
    tab completion .... 146
    using forward slash .... 148
    using spaces .... 148
    using submenu name as argument .... 147
comment
    Appspec menu command .... 279
    Client Filter menu command .... 281
    Group menu command .... 284
    Network menu command .... 274
    Service menu command .... 277


commonname, SSL Connect Verify Settings menu command .... 245, 251
companynam, Portal menu command .... 257
configuration
    access rules .... 285
    apply changes .... 174
    automatic certificate revocation .... 187
    backend servers .... 246
    certificate main menu .... 179
    certificate revocation .... 185
    CLI idle timeout .... 316
    cluster-wide routes .... 300
    connection pooling settings .... 225
    cookie settings .... 236
    DNS client settings .... 177
    DNS servers .... 303
    DNS settings for virtual SSL server .... 210
    dump on screen .... 173
    enhanced redirect .... 202
    extended profiles .... 295
    health check scripts .... 240
    host interfaces .... 311
    HTTP settings .... 201
    iSD host .... 306
    LDAP authentication .... 264
    load balancing settings .... 232
    load balancing strings .... 222
    local database authentication .... 270
    main menu .... 172
    management IP address in cluster .... 305
    master .... 41, 50, 307
    Network Time Protocol (NTP) .... 302
    NTLM authentication .... 268
    parameters .... 33
    physical ports on interface .... 313
    portal links .... 287
    RADIUS accounting .... 297
    RADIUS auditing .... 322
    RADIUS authentication .... 261
    require client authentication .... 89
    restore from TFTP server .... 173
    revert changes .... 174
    save to TFTP server .... 173
    slave .... 41, 50, 307
    SNMP .... 318
    SNMP community .... 320
    SNMP Management Information Base .... 319
    SNMP notification target .... 321
    SSL connect settings .... 243, 249
    SSL connect verify settings .... 245, 251
    SSL main menu .... 175
    SSL server .... 190
    syslog servers .... 304
    system access via Telnet and SSH .... 315
    system date and time .... 301
    TCP timeout and buffer size .... 199
    Telnet and SSH access .... 316
    traffic log settings .... 226
    user access .... 327
    user access groups .... 282
    view pending changes .... 174
Configuration menu .... 172
connect
    via console .... 112
    via Secure Shell .... 114
    via Telnet .... 113
console port
    communication settings .... 112
    connecting .... 112
Cookie Settings menu .... 236
create
    certificate signing request (CSR) .... 181
    client certificate .... 181
    self-signed test certificate .... 182
    server certificate .... 181
    test SSL virtual server .... 176
crecbuf, TCP Settings menu command .... 200
CRL, see certificate revocation list
csendbuf, TCP Settings menu command .... 199
CSR, see certificate signing request
CTRL, ^ (global command) .... 143
cur (global command) .... 143
curb (global command) .... 143
custom, Forwarder menu command .... 292
cwrite, TCP Settings menu command .... 199

D
database, replicated .... 33
date
    Date and Time menu command .... 301
    specify system .... 301
Date and Time menu .... 301
defgroup, Xnet Domain menu command .... 255
del
    Access List menu command .... 315
    Access Rule menu command .... 286


    Appspec menu command .... 279
    Authentication menu command .... 260
    Backend Server menu command .... 248
    Certificate menu command .... 184
    Client Filter menu command .... 281
    DNS Servers menu command .... 303
    Extended Profile menu command .... 296
    Group menu command .... 284
    Health Check Script menu command .... 240
    Host Routes menu command .... 310
    Interface Ports menu command .... 313
    LDAP Servers menu command .... 266
    Link menu command .... 291
    Load Balancing String menu command .... 224
    Local database menu command .... 271
    Network menu command .... 274
    Network Subnet menu command .... 275
    Notification Target menu command .... 321
    NTLM Servers menu command .... 269
    NTP Servers menu command .... 302
    RADIUS Accounting Servers menu command .... 298
    RADIUS Audit Server menu command .... 324
    RADIUS Servers menu command .... 263
    Revocation menu command .... 185
    Routes menu command .... 300
    Server menu command .... 193
    Service menu command .... 277
    Software Management menu command .... 335
    Syslog Servers menu command .... 304
    User menu command .... 327
    Xnet Domain menu command .... 255
delete
    Boot menu command .... 333
    certificate and key .... 184
    Host Interface menu command .... 312
    iSD Host menu command .... 309
    iSD-SSL host .... 309
    virtual SSL server .... 193
dgroup, Portal settings menu command .... 218
dhost, Portal settings menu command .... 218
diff (global command) .... 174
dis
    Audit menu command .... 323
    Automatic CRL menu command .... 189
    Backend Server menu command .... 248
    HTTP menu command .... 325
    HTTPS menu command .... 326
    Load Balancing Settings menu command .... 235
    Pool Settings menu command .... 225
    RADIUS Accounting menu command .... 297
    Server menu command .... 193
    SSL Connect Settings menu command .... 250
    SSL Settings menu command .... 198
    Traffic Log Settings menu command .... 227
disable
    automatic retrieval of CRLs .... 189
    backend server .... 248
    connection pooling for virtual SSL server .... 225
    load balancing of backend servers .... 235
    SSL connections to backend servers .... 250
    SSL on virtual SSL server .... 198
    traffic logging via syslog messages .... 227
    virtual SSL server .... 193
display
    Certificate menu command .... 183
    key and certificate .... 183
display, Authentication menu command .... 260
dns
    Server menu command .... 193
    SSL menu command .... 175
DNS Client Settings menu .... 177
DNS servers
    add to configuration .... 303
    list configured .... 303
    remove configured .... 303
DNS Servers menu .... 303
DNS Settings menu .... 210
dnsname, Server menu command .... 192
documentation
    other ASA manuals .... 13
domain
    Cookie Settings menu command .... 238
    Portal settings menu command .... 218
    Xnet menu command .... 252
download
    Events menu command .... 154
    Software Management menu command .... 335
dump
    Cluster Wide SSL Statistics Server menu command .... 160
    Local Statistics menu command .... 162
    Single iSD Statistics Server menu command .... 169
    Single iSD Stats menu command .... 164
    Statistics menu command .... 157


dump (global command) ... 143
dump configuration on screen ... 173
dumplogs, Maintenance menu command ... 337
dumpstat, Maintenance menu command ... 337

E

eauto, Link menu command ... 290
ena
    Audit menu command ... 323
    Automatic CRL menu command ... 189
    Backend Server menu command ... 248
    HTTP menu command ... 325
    HTTPS menu command ... 326
    Load Balancing Settings menu command ... 234
    Pool Settings menu command ... 225
    RADIUS Accounting menu command ... 297
    Server menu command ... 193
    SSL Connect Settings menu command ... 250
    SSL Settings menu command ... 198
    Traffic Log Settings menu command ... 227
enable
    automatic retrieval of CRLs ... 189
    backend server ... 248
    connection pooling for virtual SSL server ... 225
    load balancing of backend servers ... 234
    SSH access ... 115
    SSL connections to backend servers ... 250
    SSL on virtual SSL server ... 198
    Telnet access ... 113
    traffic logging via syslog messages ... 227
    virtual SSL server ... 193
enaldps, LDAP menu command ... 265
error log files ... 137
ethernet
    Information menu command ... 153
Events menu ... 154
events, Information menu command ... 153
exit (global command) ... 142
exp, NTLM menu command ... 268
expire, User menu command ... 327
expires, Cookie Settings menu command ... 238
expiresdel, Cookie Settings menu command ... 238
export
    Certificate menu command ... 183
    key and certificate ... 183
    Local Database menu command ... 272
extend, Group menu command ... 284
Extended Profile menu ... 295
extended security mode
    on the ASA 310-FIPS ... 28
external, Link menu command ... 289

F

facility, Traffic Log Settings menu command ... 227
factory default configuration
    after reinstalling software ... 56
    initial setup ... 117
feature summary ... 22
    ASA 310-FIPS ... 27
    software features ... 22
filter
    Extended Profile menu command ... 296
    Xnet Domain menu command ... 255
FIPS security mode
    on the ASA 310-FIPS ... 28
    specification ... 29
    the ASA 310-FIPS ... 27
first-time configuration ... 117
Forwarder menu ... 292
forwarder, Link menu command ... 289
FTP server
    download certificate from ... 182
    export key and certificate to ... 183
ftp, Link menu command ... 288

G

gateway, iSD Host menu command ... 307
generate
    certificate signing request (CSR) ... 181
    client certificates ... 91, 181
    self-signed test certificate ... 182
    server certificate ... 181
generic SSL virtual server type ... 192
genkey, Certificate menu command ... 180
gensigned, Certificate menu command ... 181
gensshkeys, Administrative Applications menu command ... 317
global commands
    apply ... 174
    CTRL, ^ ... 143
    cur ... 143
    curb ... 143
    diff ... 174


    dump ... 143
    exit ... 142
    help ... 142
    history ... 144
    lines ... 144
    netstat ... 143
    nslookup ... 143
    paste ... 142
    ping ... 143
    popd ... 144
    pushd ... 144
    pwd ... 142
    quit ... 143
    revert ... 174
    slist ... 144
    traceroute ... 143
    up ... 142
    verbose ... 144
GNU general public license ... 358
Group menu ... 282
group, Xnet Domain menu command ... 255
groupattr, LDAP menu command ... 265
groupauth, Advanced menu command ... 273
groups, User menu command ... 329
gtcfg, Configuration menu command ... 173

H

halt
    Boot menu command ... 332
    iSD Host menu command ... 308
handshakeg
    Cluster Wide SSL Statistics Server menu command ... 158
    Single iSD Statistics Server menu command ... 167
hardware security module
    ASA 310-FIPS ... 27
    iKey authentication ... 29
header
    add Front-End-HTTPS HTTP header ... 204
    add Via HTTP header ... 204
    add X-Client-Cert HTTP header ... 205
    add X-Forwarded-For HTTP header ... 203
    add X-ISD HTTP header ... 204
    add X-SSL HTTP header ... 203
Health Check Script menu ... 240
health, Load Balancing Settings menu command ... 234
healthchec, Single iSD Statistics Server menu command ... 166
help (global command) ... 142
history (global command) ... 144
history functions, command line ... 144
Host Routes menu ... 310
HSM
    iKey authentication ... 29
    the ASA 310-FIPS ... 27
    wrap key ... 30
HSM menu ... 339
hsm, Information menu command ... 150
HSM-SO
    iKey ... 29
HSM-USER ... 29
http
    Administrative Applications menu command ... 317
HTTP header
    add Front-End-HTTPS header ... 204
    add Via header ... 204
    add X-Client-Cert header ... 205
    add X-Forwarded-For header ... 203
    add X-ISD header ... 204
    add X-SSL header ... 203
HTTP redirect to HTTPS ... 202
http server
    create ... 175
    quick setup wizard ... 101
HTTP Settings menu ... 201
HTTP virtual SSL server type ... 192
http_redir
    Cluster Wide SSL Statistics Server menu command ... 159
    Single iSD Statistics Server menu command ... 168
https, Administrative Applications menu command ... 317

I

iauto, Link menu command ... 291
icase, Load Balancing String menu command ... 224
idle timeout, command line interface ... 118
iKey ... 29
    authentication ... 29
    HSM-CODE ... 30
    HSM-SO ... 29
    HSM-USER ... 29


    required iKey for specific operation ... 31
iKey, change user password ... 340
import
    add certificate revocation list by importing from FTP or TFTP server ... 186
    Certificate menu command ... 182
    Local Database menu command ... 272
    Portal menu command ... 256
info, Certificate menu command ... 183
Information menu ... 150
insert
    DNS Servers menu command ... 303
    Health Check Script menu command ... 242
    LDAP Servers menu command ... 267
    NTLM Servers menu command ... 269
    RADIUS Accounting Servers menu command ... 298
    RADIUS Audit Server menu command ... 324
    RADIUS Servers menu command ... 263
    Syslog Servers menu command ... 304
install options
    adding ASA 310-FIPS device to existing cluster ... 49
    adding ASA device to existing cluster ... 39
    first ASA 310-FIPS in new cluster ... 43
    first device in new cluster ... 36
Interface menu ... 311
Interface Ports menu ... 313
interface, iSD Host menu command ... 308
internal, Link menu command ... 290
interval
    Automatic CRL menu command ... 188
    Load Balancing Settings menu command ... 234
ip
    Backend Server menu command ... 246
    iSD Host menu command ... 307
    Notification Target menu command ... 321
ip, Host Interface menu command ... 311
iSD host
    halt ... 332
    reboot ... 332
    reset to factory default settings ... 333
iSD Host menu ... 306
isdbinddn, LDAP menu command ... 265
isdbindpas, LDAP menu command ... 265
isdlist, Information menu command ... 152
iSD-SSL host
    remove ... 309
    specify IP address ... 307

K

key
    Certificate menu command ... 180
    split HSM wrap key ... 339
key code definition file ... 381
key formats ... 81
keyinfo, Certificate menu command ... 184
keys
    display ... 183
    display size ... 183
    export ... 183
    validate ... 183
keysize, Certificate menu command ... 183
kick, Information menu command ... 151

L

lbop, Backend Server menu command ... 248
lbstrings, Backend Server menu command ... 247
LDAP menu ... 264
LDAP Servers menu ... 266
ldap, Authentication menu command ... 260
length, Cookie Settings menu command ... 239
license
    Local Statistics menu command ... 162
license information
    Apache software license ... 361
    GNU general public license ... 358
    OpenSSL ... 357
    SSLeay license ... 357
license, iSD Host menu command ... 307
lines (display option) ... 144
link
    Extended Profile menu command ... 296
Link menu ... 287
link, Group menu command ... 283
linktext, Portal menu command ... 257
list
    Access List menu command ... 315
    DNS Servers menu command ... 303
    Health Check Script menu command ... 240
    Host Routes menu command ... 310
    Interface Ports menu command ... 313
    LDAP Servers menu command ... 266
    Local Database menu command ... 271
    NTLM Servers menu command ... 269
    NTP Servers menu command ... 302
    RADIUS Accounting Servers menu command ... 298


    RADIUS Audit Server menu command ... 324
    RADIUS Servers menu command ... 263
    Revocation menu command ... 185
    Routes menu command ... 300
    Syslog Servers menu command ... 304
    User menu command ... 327
Load Balancing Settings menu ... 232
Load Balancing String menu ... 222
local
    Authentication menu command ... 260
    Information menu command ... 152
Local database authentication ... 270
Local Database menu ... 270
Local Statistics menu ... 161
localvips, Cookie Settings menu command ... 238
location, Load Balancing String menu command ... 223
log files
    send system log files to TFTP server ... 337
log, Xnet menu command ... 252
login, HSM menu command ... 339

M

Main menu ... 149
Maintenance menu ... 337
major release upgrade ... 60
Management IP ... 33
    cannot contact ... 123
    change address ... 305
managing
    certificates ... 75
    client authentication ... 75
manual style conventions ... 16
mask, Network Subnet menu command ... 275
master
    ASA host type ... 307
    configuration ... 33, 41, 50
match, Load Balancing String menu command ... 222
menu system ... 141
metric, Load Balancing Settings menu command ... 233
minor release upgrade ... 60
mip, Cluster menu command ... 305
MIP, see Management IP
mode
    Cookie Settings menu command ... 237
    Host Interface menu command ... 312
move
    DNS Servers menu command ... 303
    Health Check Script menu command ... 242
    LDAP Servers menu command ... 267
    NTLM Servers menu command ... 269, 273
    RADIUS Accounting Servers menu command ... 298
    RADIUS Audit Server menu command ... 324
    RADIUS Servers menu command ... 263
    Syslog Servers menu command ... 304

N

name
    Appspec menu command ... 278
    Authentication menu command ... 260
    Certificate menu command ... 179
    Client Filter menu command ... 280
    Cookie Settings menu command ... 237
    Group menu command ... 283
    Network menu command ... 274
    Server menu command ... 190
    Service menu command ... 276
negate, Load Balancing String menu command ... 224
net, Network Subnet menu command ... 275
netmask
    Host Interface menu command ... 311
netstat (global command) ... 143
network
    Access Rule menu command ... 285
    diagnostics ... 135
    multiple ports on same network ... 34
    separate networks in cluster ... 34
    SNMP monitoring ... 318
    Xnet Domain menu command ... 254
Network menu ... 274
Network Subnet menu ... 275
non-transparent proxy mode ... 192
nortelbran, Portal menu command ... 257
nslookup (global command) ... 143
NTLM menu ... 268
NTLM Servers menu ... 269
ntlm, Authentication menu command ... 260
NTP servers
    add to configuration ... 302
    list configured ... 302
    remove configured ... 302


NTP Servers menu ... 302

O

offset, Cookie Settings menu command ... 238
online help ... 142
OpenSSL license issues ... 357
Operator user, access level ... 116
outlook, Forwarder menu command ... 293
overview, Local Statistics menu command ... 161

P

passwd
    Automatic CRL menu command ... 188
    User menu command ... 327
password, User menu command ... 329
passwords ... 116
    change for HSM-SO or HSM-USER ... 340
    regain access after losing ... 125
paste (global command) ... 142
path
    Appspec menu command ... 278
pending changes
    applying ... 174
    reverting ... 174
    viewing ... 174
persistenc, Load Balancing Settings menu command ... 233
persistent, Portal Settings menu command ... 218
ping (global command) ... 143
Pool Settings menu ... 225
poolstatus, Single iSD Statistics Server menu command ... 167
popd (global command) ... 144
port
    Backend Server menu command ... 247
    HTTP menu command ... 325
    HTTPS menu command ... 326
    Notification Target menu command ... 321
    Server menu command ... 191
portal
    Server menu command ... 193
    Xnet Domain menu command ... 253
Portal Colors menu ... 258
portal links ... 287
Portal menu ... 256
portal server
    create ... 175
    quick setup wizard ... 101
ports
    Host Interface menu command ... 312
    Information menu command ... 153
    iSD Host menu command ... 308
    on ASA 310 multi NIC ... 34
    Service menu command ... 277
primary, Host Interface menu command ... 312
print
    Extended Profile menu command ... 296
    Group menu command ... 283
priority, Traffic Log Settings menu command ... 227
private key
    add using copy-and-paste ... 84
    add using TFTP ... 86
    display ... 183
    display key size ... 183
    export ... 183
    generate ... 180
    show information ... 184
    validate ... 183
protocol
    Service menu command ... 276
    specify SSL version ... 197
    SSL Connect Settings menu command ... 243, 249
    SSL Settings menu command ... 197
proxy
    Link menu command ... 289
    Server menu command ... 192
proxy mode
    non-transparent ... 192
    transparent ... 192
ptcfg, Configuration menu command ... 173
pushd (global command) ... 144
pwd (global command) ... 142

Q

quick
    SSL menu command ... 176
    Xnet Domain menu command ... 253


quick AAA setup wizard ... 253
quick server setup wizard ... 101
quiet (screen display option) ... 144
quit (global command) ... 143

R

radacct, Xnet Domain menu command ... 255
RADIUS Accounting menu ... 297
RADIUS Accounting Servers menu ... 298
RADIUS Audit Server menu ... 324
RADIUS menu ... 261
RADIUS Servers menu ... 263
radius, Authentication menu command ... 260
read, SNMP Community menu command ... 320
reboot
    ASA indicated as down ... 124
    Boot menu command ... 332
    iSD Host menu command ... 308
redirect
    HTTP Settings menu command ... 202
    Portal menu command ... 257
reinstalling software ... 56
remove
    certificate and key ... 184
    iSD-SSL host ... 309
    virtual SSL server ... 193
renegotiat
    Cluster Wide SSL Statistics Server menu command ... 158
    Single iSD Statistics Server menu command ... 167
request, Certificate menu command ... 181
reset iSD host to factory default settings ... 333
response, Rewrite menu command ... 207
restore
    Portal Colors menu command ... 258
    Portal menu command ... 256
restrict
    SSH access ... 115
    Telnet access ... 113
rev, Revocation menu command ... 185
revert
    configuration changes ... 174
    global command ... 174
revocation
    Cluster Wide SSL Statistics Server menu command ... 159
    Single iSD Statistics Server menu command ... 168
Revocation menu ... 185
revoke
    cancel revocation of client certificate ... 185
    certificates issued by external CA ... 96
    certificates issued by own organization ... 97
    client certificate by serial number ... 185
    manage client revocation ... 95
rewrite
    redirects to HTTPS ... 202
    Rewrite menu command ... 207
    weak cipher client requests ... 207
Rewrite menu ... 207
rip, Server menu command ... 191
Root user, access level ... 116
routes
    iSD Host menu command ... 308
Routes menu ... 300
rport, Server menu command ... 191

S

sconnect, TCP Settings menu command ... 199
searchbase, LDAP menu command ... 264
Secure Shell (SSH)
    connect using ... 114
    enable access ... 115, 317
    generate host keys ... 317
    restrict access ... 115, 315
    unable to connect using ... 120
security modes on the ASA 310 ... 28
server
    create ... 176
    create from SSL menu ... 175
    disable virtual SSL server ... 193
    enable virtual SSL server ... 193
    quick setup wizard ... 101
    remove virtual SSL server ... 193
    specify server certificate ... 196
    specify virtual server IP address ... 190
    SSL menu command ... 175
server certificate
    generate ... 181
Server menu ... 190
servers
    Audit menu command ... 322
    Information menu command ... 150
    LDAP menu command ... 264
    NTLM menu command ... 268
    RADIUS Accounting menu command ... 297


    RADIUS menu command ... 261
service
    Access Rule menu command ... 286
    Xnet Domain menu command ... 254
Service menu ... 276
setup
    quick server setup wizard ... 101
shortcuts, in command line interface ... 146
show, Certificate menu command ... 183
sign, Certificate menu command ... 182
Single iSD Statistics menu ... 163
Single iSD Statistics Server menu ... 165
slash, in commands (CLI) ... 148
slave
    ASA host type ... 307
    configuration ... 33, 41, 50
slist (global command) ... 144
smb, Link menu command ... 288
SNMP
    add name for managed cluster ... 319
    agent ... 349
    describe physical location of managed cluster ... 319
    disable authentication failure traps ... 319
    enable authentication failure traps ... 319
    remove manager from configuration ... 321
    SNMPv2-MIB menu ... 319
    specify contact person for managed cluster ... 319
    specify control community name ... 320
    specify IP address of manager ... 321
    specify monitor community name ... 320
    specify TCP port used by manager ... 321
    specify trap community name ... 320
    specify version used by manager ... 321
    supported MIBs ... 350
    supported traps ... 351
    textual description of managed cluster ... 319
SNMP Community menu ... 320
SNMP menu ... 318
SNMP Notification Target menu ... 321
snmpEnable, SNMPv2-MIB menu command ... 319
SNMPv2-MIB menu ... 319
socks server
    create ... 175
    quick setup wizard ... 101
socks, Server menu command ... 193
software
    activate downloaded upgrade package ... 61
    activate upgrade package ... 334
    features in this version ... 22
    minor or major release upgrade ... 60
    reinstall ... 56
    remove downloaded upgrade package ... 335
    version handling when upgrading ... 61
Software Management menu ... 334
space, in commands (CLI) ... 148
split HSM wrap key ... 339
splitkey, HSM menu command ... 339
srecbuf, TCP Settings menu command ... 200
srvhisto
    Cluster Wide SSL Statistics Server menu command ... 160
    Local Statistics menu command ... 162
    Single iSD Statistics Server menu command ... 169
    Single iSD Stats menu command ... 163
    Statistics menu command ... 157
ssendbuf, TCP Settings menu command ... 200
ssh, Administrative Applications menu command ... 317
SSH, see Secure Shell
SSL
    add extra HTTP header ... 203
    assign virtual server name ... 190
    create self-signed test certificate ... 182
    create test virtual server ... 176
    disable virtual server ... 193
    enable virtual server ... 193
    quick server setup wizard ... 101
    remove virtual server ... 193
    server HTTP rewrite menu ... 207
    Server menu ... 190
    specify default cipher list ... 198
    specify protocol version ... 197
    specify SSL cache size ... 196
    specify TCP listen port ... 191
    ssldump command ... 194
    view configured servers ... 135
    virtual server type ... 192
ssl
    Configuration menu command ... 172
    Server menu command ... 193
SSL Connect Settings menu ... 243, 249
SSL Connect Verify Settings menu ... 245, 251
SSL menu ... 175
SSL Settings menu ... 196
SSL VPN
    configure access groups ... 282
    configure authentication method ... 259
    configure domain ... 253
    configure portal ... 256


    license ..... 307
    log ..... 252
    portal colors ..... 258
    portal links ..... 287
    time to live ..... 252
    Xnet menu ..... 252
sslaccept, Statistics menu command ..... 156
sslconnect
    Backend Server menu command ..... 247
    Cluster Wide SSL Statistics Server menu command ..... 159
    Single iSD Statistics Server menu command ..... 168
    Statistics menu command ..... 156
ssldump, Trace menu command ..... 194
SSLeay license ..... 357
sslheader, HTTP Settings menu command ..... 203
stacking commands (CLI) ..... 146
starting device, first time ..... 35
starttrace, Maintenance menu command ..... 338
Statistics menu ..... 156
status
    send current iSD status to TFTP server ..... 337
stoptrace, Maintenance menu command ..... 338
submenu name as argument, in commands (CLI) ..... 147
subnet
    Network menu command ..... 274
supported
    certificate formats ..... 81
    ciphers ..... 343
    key formats ..... 81
swrite, TCP Settings menu command ..... 199
sys
    Configuration menu command ..... 172
    Information menu command ..... 151
sysContact, SNMPv2-MIB menu command ..... 319
sysDescr, SNMPv2-MIB menu command ..... 319
sysLocatio, SNMPv2-MIB menu command ..... 319
syslog messages, list of ..... 353
syslog servers
    add to configuration ..... 304
    error log files ..... 137
    list configured ..... 304
    remove configured ..... 304
Syslog Servers menu ..... 304
sysloghost, Traffic Log Settings menu command ..... 227
sysName, SNMPv2-MIB menu command ..... 319
system date, specify ..... 301
system diagnostics
    active alarms ..... 137
    error log files on Syslog server ..... 137
    events log file ..... 137
    network diagnostics ..... 135
System menu ..... 299
system time, specify ..... 301
system timezone, specify ..... 301

T

tab completion (CLI) ..... 146
TCP Settings menu ..... 199
tcpdump, Trace menu command ..... 195
Telnet
    enable access ..... 113, 316
    establish connection ..... 113
    restrict access ..... 113, 315
    unable to connect using ..... 120
telnet, Administrative Applications menu command ..... 316
terminal emulation ..... 112
terminal, Link menu command ..... 289
test
    Certificate menu command ..... 182
    SSL menu command ..... 176
text conventions, in this manual ..... 16
text, Link menu command ..... 287
TFTP server
    download certificate from ..... 182
    export key and certificate to ..... 183
    restore configuration from ..... 173
    save configuration to ..... 173
time
    Date and Time menu command ..... 301
    specify system ..... 301
timeout
    LDAP menu command ..... 265
    Pool Settings menu command ..... 225
    Radius menu command ..... 262
timeout value, command line interface ..... 118
timezone, specify system ..... 301
totalsess, Statistics menu command ..... 156
tps
    Cluster Wide SSL Statistics Server menu command ..... 160
    Single iSD Statistics Server menu command ..... 169
tpshisto
    Cluster Wide SSL Statistics Server menu command ..... 160
    Local Statistics menu command ..... 162


    Single iSD Statistics Server menu command ..... 169
    Single iSD Stats menu command ..... 163
    Statistics menu command ..... 157
Trace menu ..... 194
traceroute (global command) ..... 143
Traffic Log Settings menu ..... 226
transparent proxy mode ..... 192
trap, SNMP Community menu command ..... 320
troubleshooting
    ASA 310-FIPS cluster needs to be reconstructed ..... 131
    ASA stops responding ..... 124
    Cannot contact MIP ..... 123
    lost passwords ..... 125
    network diagnostics ..... 135
    unable to add to cluster ..... 122
    unable to connect via SSH ..... 120
    unable to connect via Telnet ..... 120
    view certificates and SSL servers ..... 135
ttl, Xnet menu command ..... 252
type
    Authentication menu command ..... 260
    iSD Host menu command ..... 307
    Load Balancing Settings menu command ..... 232
    Server menu command ..... 192
typographic conventions, in this manual ..... 16
tzone, Date and Time menu command ..... 301

U

udpport, Traffic Log Settings menu command ..... 227
up (global command) ..... 142
upgrade
    activate software package ..... 61
    from software version in mixed cluster ..... 63
    handling software versions ..... 61
    minor or major release upgrade ..... 60
upgrade package
    activate ..... 334
    remove downloaded ..... 335
URI, Rewrite menu command ..... 207
url, Automatic CRL menu command ..... 188
user
    access levels ..... 116
    add to local database ..... 270
    Boot user for reinstall ..... 56
    categories ..... 116
    change own password ..... 327
    change user password ..... 329
    passwords ..... 116
User (username) menu ..... 329
User menu ..... 327
userattr, LDAP menu command ..... 265
users, Information menu command ..... 151
usertype
    Extended Profile menu command ..... 296
    Group menu command ..... 283

V

validate, Certificate menu command ..... 183
vendorid
    Audit menu command ..... 322
    RADIUS menu command ..... 261
vendortype
    Audit menu command ..... 323
    RADIUS menu command ..... 262
verbose (display option) ..... 144
verify
    SSL Connect Verify Settings menu command ..... 245, 251
    SSL Settings menu command ..... 197
version
    specify SNMP ..... 321
    specify SSL protocol ..... 197
view
    active alarms ..... 154
    event log file ..... 154
    pending configuration changes ..... 174
vip, Server menu command ..... 190
virtual server IP, specify address ..... 190
vsn, Notification Target menu command ..... 321

W

Web User Interface
    disable http server ..... 325
    disable https server ..... 326
    enable http server ..... 325
    enable https server ..... 326
wiper, Portal settings menu command ..... 219
wizard
    quick AAA setup ..... 253
wizard, quick server setup ..... 101
wrap key
    generation of ..... 30


write, SNMP Community menu command ..... 320

X

xnet
    Configuration menu command ..... 172
    Information menu command ..... 151
    Portal Settings menu command ..... 218
Xnet Domain Configuration menu ..... 253
Xnet menu ..... 252
