How do I use an nCipher nFast Ultra card with ZXTM?

SSL decryption can be offloaded from ZXTM to nFast Ultra PCI cards from nCipher, to increase SSL performance even further. This article explains how to configure ZXTM and the nCipher cards in a cluster of ZXTM servers such that failover works correctly.


Overview of the nFast Ultra PCI card

The nFast Ultra is a PCI card with one physical network interface port. It presents two network interfaces to the operating system:

  • Host Server Port: A conventional interface, which receives the network traffic from the physical cable connected to the port. SSL traffic received by this interface, on the IPs and ports configured as SSL proxies, will be decrypted by the card.
  • Host Management Interface: An interface used by the nfultra program to manage the SSL card. Typically, it will be configured with the IP 10.100.0.1/24.

These interfaces will both have MAC addresses beginning 00:07:AE. The Host Server Port will be the one with the lowest MAC address.

To configure the nFast Ultra cards, an SSL private key and certificate are created or imported, and an SSL Proxy is defined for each IP address for which decryption is required. The proxy configuration defines:

  • Server IP Settings: The IP address (which must be on the Host Server Port) and TCP port to which the decrypted traffic will be sent.
  • Proxy/key name: The SSL key to use
  • Client port: The TCP port to listen on for SSL connections from clients

Note that the nFast Ultra card listens for connections from browsers on the IP address specified in "Server IP Settings", and on the TCP port specified in "Client port". The decrypted traffic appears to applications running on the server on the IP address and port specified in "Server IP Settings".

Preparation

Before you begin, you should plan your network.

You will require one Traffic IP for each SSL site. This is the public-facing IP that will be published in DNS for the site, and will receive all traffic for it. The Traffic IP is a floating IP, managed by ZXTM. It must not be configured to be brought up automatically by the operating system; ZXTM will bring it up when required. This is the IP address that will be entered as the Server IP in the nFast Ultra proxy configuration.

Each ZXTM server will require a fixed front-end IP address, which is an address that is used by other ZXTM servers in the cluster to communicate with the server. It does not ordinarily receive any traffic from the outside world. The front-end IP address must be in the same subnet as the Traffic IP, and should be brought up on the Host Server Port on the nFast Ultra card.

Optionally, each server may have a back-end IP address raised on a separate port and subnet for talking to the back-end nodes.

Note that when using the nFast Ultra card, each SSL enabled site must be brought up in active/passive mode (that is, each SSL enabled site can be active on only one ZXTM server at a time). Should one of the ZXTM servers fail, the other will take over from it. It is not possible to run SSL sites in active/active mode using the nFast Ultra, since it will only permit one IP address to be associated with an SSL certificate/key pair.

Configuring the fixed IP addresses

On each of the ZXTM servers, you should configure your operating system to bring up the front-end IP address on the Host Server Port of the nFast Ultra card. The Host Server Port is the interface with the lowest MAC address among those whose MAC addresses begin 00:07:AE.
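The following script is an added example, not part of the original article or of the nCipher software: it applies the rule above to pick the Host Server Port on a Linux host (it assumes /sys/class/net and the iproute2 "ip" command are available), and then checks that the fixed front-end IP is raised on that interface. The interface names and addresses in the comments are constructed sample values.

```sh
#!/bin/sh
# Added example (not from the original article): find the nFast Ultra
# Host Server Port, i.e. the interface with the lowest MAC address among
# those beginning 00:07:AE, and confirm the front-end IP is on it.
# Assumes Linux with /sys/class/net and the iproute2 "ip" command.

NFAST_OUI="00:07:ae"   # vendor prefix given in the article

# Print "ifname mac" for every interface the kernel knows about.
list_interfaces() {
    for dev in /sys/class/net/*; do
        [ -r "$dev/address" ] || continue
        printf '%s %s\n' "$(basename "$dev")" "$(cat "$dev/address")"
    done
}

# Read "ifname mac" lines on stdin and print the name of the nFast Ultra
# interface with the lowest MAC (MAC case is ignored). Exit status is 1
# when no interface carries the 00:07:AE prefix, so callers can bail out.
select_host_server_port() {
    tr 'A-F' 'a-f' |
    awk -v oui="$NFAST_OUI" 'index($2, oui) == 1 { print $2, $1 }' |
    sort |
    awk 'NR == 1 { print $2; found = 1 } END { exit !found }'
}

# Read "ip -o -4 addr show" lines on stdin and succeed if the dotted IP
# given as $1 is configured on the interface(s) in that output.
has_ip() {
    awk '$3 == "inet" { split($4, a, "/"); print a[1] }' | grep -qxF "$1"
}

# Usage on a real host: ./find_host_server_port.sh --scan 10.100.59.10
# (second argument is the fixed front-end IP chosen for this server;
# the value here is a constructed sample).
if [ "${1:-}" = "--scan" ]; then
    port=$(list_interfaces | select_host_server_port) || {
        echo "no interface with MAC prefix $NFAST_OUI found" >&2
        exit 1
    }
    echo "Host Server Port: $port"
    if [ -n "${2:-}" ]; then
        if ip -o -4 addr show dev "$port" | has_ip "$2"; then
            echo "front-end IP $2 is up on $port"
        else
            echo "front-end IP $2 is NOT configured on $port" >&2
            exit 1
        fi
    fi
fi
```

Run it with --scan on each ZXTM server before configuring the SSL proxies; if it names a different interface than the one your OS brings the front-end IP up on, the proxy's decrypted traffic will never reach ZXTM.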

If you are using separate back-end interfaces, you should also configure these.

You should also configure your operating system to bring up the nFast Ultra Host Management Interface, as explained in the nFast Ultra Administration Guide.

Installing SSL keys and certificates

If you haven't already done so, install the nCipher software on each of the ZXTM servers, as explained in the nFast Ultra administration guide.

Then, use the nCipher menu tool (/opt/nfast/bin/nfultra) to create SSL keys and certificates for each of your SSL sites. (You will need one key for each SSL site). Alternatively, if you have existing keys, you may import them. See the nFast Ultra Administration Guide for instructions on creating and importing keys and certificates.

(Note: you may need to set your terminal type to VT100 before the nfultra command will work: export TERM=vt100)

You should copy the keys to each of your ZXTM servers, as explained in the nFast Ultra Administration Guide under the section "Cloning Keys" in Chapter 6.

Configuring the SSL Proxy

On each of the ZXTM servers, set up an SSL Proxy for each SSL site as follows:

Run the nfultra tool and select "Create a new proxy". Select the certificate/key pair you want to use for this site.

When prompted for the server IP address and port number, set the IP to the Traffic IP address for this site, and the port to the port that ZXTM will listen on for the decrypted (plain text) traffic - typically 80.

  Please enter the server IP address and port number

  Status: Gathering new configuration settings
  Please enter new IP:PORT setting: 10.100.59.216:80

Set the client port to the port that external clients will connect to (usually 443).

Select the protocols you want to decrypt, and enable SSL session resumption.

Repeat this procedure for each SSL site you wish to host.

Configuring ZXTM

Configuring Traffic IPs

You should create a new Traffic IP group for each SSL Site, containing the single Traffic IP for that site. This is done from the Services -> Traffic IP Groups page.

Configuring Pools

Create a pool containing all the back-end nodes that requests for this site should be sent to (Services -> Pools). You may choose to have different pools for each site, or create a single pool that will be used for all SSL sites.

Configuring the Virtual Server

Create one virtual server for each pool you have created (Services -> Virtual Servers). The virtual server should be set to listen on port 80 (or whichever port you set in the SSL Proxy configuration), using the HTTP protocol. Edit your newly created virtual server and associate it with the appropriate Traffic IP for the site it is managing.

If you have chosen to use a single pool for all your sites, configure the virtual server to listen on all the Traffic IPs you have created.

Testing

Finally, start your virtual servers from the front page of the ZXTM admin server, and then use a browser to make HTTPS requests to each of the Traffic IPs in turn. Your SSL enabled sites should now be working correctly.
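As an added example (not from the original article), the check above can be scripted so that it is easy to repeat after a failover: the script below probes each Traffic IP over HTTPS with curl and reports which sites answer. It assumes curl is installed; the FETCH variable and the site list are constructed for this example, and the Traffic IP in the list is the sample address used in the proxy configuration above. The -k flag skips certificate verification, which is only appropriate while the card still holds a self-signed test certificate.

```sh
#!/bin/sh
# Added example (not from the original article): probe each SSL site's
# Traffic IP over HTTPS and report which ones answer with a 2xx/3xx status.
# Assumes curl is installed. FETCH names the function that performs the
# request so the probe logic can be exercised without a network.

FETCH=${FETCH:-fetch_status}

# Print the HTTP status code curl receives for https://$1:$2/ ("000" when
# no connection could be made within the timeout).
fetch_status() {
    curl -sk -o /dev/null --connect-timeout 5 -w '%{http_code}' "https://$1:$2/"
}

# Read "traffic-ip client-port" pairs on stdin, probe each one and print
# "ip port status OK|FAIL". Exit status is non-zero if any site failed.
probe_sites() {
    fail=0
    while read -r ip port; do
        [ -n "$ip" ] || continue
        code=$("$FETCH" "$ip" "$port") || code=000
        case $code in
            2??|3??) echo "$ip $port $code OK" ;;
            *)       echo "$ip $port $code FAIL"; fail=1 ;;
        esac
    done
    return $fail
}

# Constructed sample site list: one "traffic-ip client-port" per line.
SITES='10.100.59.216 443'

# Usage on a real host: ./probe_ssl_sites.sh --run
if [ "${1:-}" = "--run" ]; then
    printf '%s\n' "$SITES" | probe_sites
fi
```

Run it once with every ZXTM server up, then stop the ZXTM server that currently holds each Traffic IP and run it again; every line should still read OK once the other server has raised the Traffic IP, which confirms the cloned key on that server is being used.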

Julian [Zeus Dev Team] 22 May 2006