Configuring SSL for Mobile Controllers
Each Mobile Controller is manufactured with its own self-signed certificate and private key that uniquely identifies that Mobile Controller.
For detailed information about SSL, see the SteelHead User Guide.
The Mobile Controller provides you with these SSL options.
Enable SSL in Mobile Controller policies
    You can enable SSL in your SteelHead Mobile policies. For details, see Configuring SSL for policies.
Create SSL peering relationships
    You can create peering relationships between the Mobile Controller and the SteelHeads in your network. A trusted peer relationship is required before you can create Mobile Controller clusters. For details about Mobile Controller clusters, see To configure SSL Peering.
View Mobile Controller certificate details
    You can view the details of the current Mobile Controller certificate. For details, see To view signing CA details.
Add chain certificates
    If your organization uses internal CAs to sign its SSL server certificates, import every certificate in the chain onto the Mobile Controller, so that a server certificate can be validated all the way back to a trusted root; a chain with a missing intermediate does not validate. For details, see To add a chain certificate.
View certificates in Privacy Enhanced Mail (PEM) format
    You can view the certificate in PEM format. For details, see To view a CA in PEM format.
Replace (import) certificates
    The Mobile Controller ships with a default, self-signed peer certificate. We recommend that you replace it with a certificate whose common name matches the Mobile Controller and whose security parameters (key length) meet your policy. For details, see To replace a Mobile Controller signing CA.
Export certificates
    You can export the Mobile Controller's signing CA certificate and then import it on the peer SteelHead to establish the peer relationship. For details, see To export an existing certificate.
Generate certificate signing requests (CSR)
    You can generate a CSR for the current private key, so that a CA can issue a certificate without the private key ever leaving the Mobile Controller. For details, see To generate a CSR.
Basic steps for configuring SSL
These tables describe the basic steps for configuring SSL in the Mobile Controller and the SteelHead.
This table lists the tasks to be completed at the Mobile Controller, along with the section where you can find details about the task.
1. Add the root CA to the list of certificate authorities.
    Choose Administration > SSL: Certificate Authorities. For details, see To add SSL certificate authorities.
2. Add the signing CA.
    Choose Administration > SSL: Signing CA. For details, see To view signing CA details.
3. Add the root CA as a chain certificate.
    Choose Administration > SSL: Signing CA. For details, see To add a chain certificate.
This table lists the tasks to be completed at the SteelHead, along with the section where you can find details about the task.
1. Add the root CA to the CA list.
    Choose Configure > Optimization: Certificate Authorities. For details, see the SteelHead User Guide.
2. Create a trust relationship with the root CA.
    Choose Configure > Optimization: Secure Peering. Make sure that you select Trust Existing CA and select the root CA from the drop-down list. For details, see the SteelHead User Guide.
3. Add the Mobile Controller's signing CA as a trusted mobile entity.
    Choose Configure > Optimization: Secure Peering. Make sure that you select Add a New Mobile Entity and navigate to the local file. For details, see the SteelHead User Guide.
4. Add the server certificate.
    Choose Configure > Optimization: SSL Main Settings. Make sure that you select Import Existing Private Key and CA-Signed Public Certificate. For details, see the SteelHead User Guide.
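The steps in the tables above are performed in the web UI, but the material they consume (a root CA, a signing CA issued by it, a chain bundle, and a CSR for the Mobile Controller's own key, as listed under the SSL options earlier on this page) can be produced and checked offline with openssl. The following shell script is an added example and is not Riverbed's code or anything shipped with the product; the CA names, the hostname mc01.example.net, the key sizes and the lifetimes are assumptions. It also shows the failure mode behind the "add chain certificates" task (validation fails as soon as the intermediate is missing) and the common-name and key-length check you want before importing a replacement certificate.

```shell
#!/bin/sh
# Added example, not Riverbed's code. Builds the trust material the tables
# above refer to with plain openssl, offline: a root CA, a signing CA issued by
# it, and a Mobile Controller certificate issued from a CSR by the signing CA.
# All names, lifetimes and key sizes below are assumptions for the example.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"
MC_CN="mc01.example.net"     # assumed Mobile Controller hostname

make_pki() {
    # Root CA: self-signed.
    openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Root CA" -keyout root.key -out root.crt 2>/dev/null
    # Signing (intermediate) CA: CSR signed by the root, constrained to CA use.
    openssl req -new -newkey rsa:4096 -nodes -sha256 \
        -subj "/CN=Example Signing CA" -keyout signing.key -out signing.csr 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
    openssl x509 -req -in signing.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -sha256 -days 1825 -extfile ca.ext -out signing.crt 2>/dev/null
    # Mobile Controller: the private key stays here; only the CSR goes to the CA.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$MC_CN" -keyout mc.key -out mc.csr 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:%s\n' "$MC_CN" >mc.ext
    openssl x509 -req -in mc.csr -CA signing.crt -CAkey signing.key -CAcreateserial \
        -sha256 -days 365 -extfile mc.ext -out mc.crt 2>/dev/null
    # Chain bundle: leaf first, then each intermediate up to the root.
    cat mc.crt signing.crt >mc-chain.pem
}

# Subject CN, issuer CN and RSA modulus size of a PEM certificate.
cert_cn()     { openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'; }
cert_issuer() { openssl x509 -in "$1" -noout -issuer  | sed -n 's/.*CN *= *//p'; }
key_bits()    { openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'; }

# Full validation: root trusted, signing CA supplied as an untrusted chain link.
verify_chain() { openssl verify -CAfile root.crt -untrusted signing.crt mc.crt >/dev/null 2>&1; }

# The failure mode behind "import each certificate in the chain": with the
# signing CA missing, the leaf cannot be linked to the root and validation fails.
missing_chain_fails() { ! openssl verify -CAfile root.crt mc.crt >/dev/null 2>&1; }

# Pre-import check for a replacement certificate: CN must match the Mobile
# Controller name and the key must meet the minimum size (bits).
check_identity() {
    [ "$(cert_cn "$1")" = "$2" ] && [ "$(key_bits "$1")" -ge "$3" ]
}

demo() {
    make_pki
    printf 'chain valid:          '; verify_chain && echo yes || echo no
    printf 'fails without chain:  '; missing_chain_fails && echo yes || echo no
    printf 'leaf CN / issuer:     %s / %s\n' "$(cert_cn mc.crt)" "$(cert_issuer mc.crt)"
    printf 'leaf key bits:        %s\n' "$(key_bits mc.crt)"
    openssl x509 -in signing.crt      # the signing CA as PEM, the form the UI shows it in
}
case "${1:-}" in demo) demo ;; esac
```

Run it as `sh pki-example.sh demo`. In terms of the tables above, root.crt corresponds to the root CA of step 1, signing.crt to the signing CA of step 2 and the chain of step 3, and mc.key with mc.crt to the "existing private key and CA-signed public certificate" pair on the SteelHead side; the private key never needs to leave the machine that generated the CSR.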
Basic steps for configuring SSL proxy support
These tables describe the basic steps for configuring SSL proxy support in the Mobile Controller and the SteelHead.
This table lists the tasks to be completed at the Mobile Controller, along with the section where you can find details about the task.
1. Enable the SSL proxy support feature.
    Choose Manage > Services: Policies. Click the policy name and select the SSL tab. Then select the Enable SSL Optimization check box and the Enable SSL Proxy Support check box. For details, see Configuring SSL for policies.
2. Add the in-path rules for the SSL proxy.
    Choose Manage > Services: Policies and select the In-Path Rules tab. Add an in-path rule that applies SSL preoptimization to all connections going through the SSL proxy. For details, see Configuring in-path optimization rules for policies.
    When a non-SSL connection goes through the SSL proxy, the in-path rule still matches it and the connection is included in the SSL connection totals. Because the connection is not SSL, it is counted as an unsuccessful SSL connection, and the SteelHead status display reflects this, for example:
    SSL Connections (Successful/Total): 25675/50624
    The same unsuccessful (non-SSL) connections also appear in the SSL endpoint reports on the Mobile Controller (Reports > Endpoints: SSL). Allow for this when reading the counters: an unsuccessful count that tracks the volume of non-SSL traffic through the proxy rule is expected and is not by itself a sign of a broken SSL configuration.
3. Export the Mobile Controller certificate to the SteelHead.
    Complete this step at the SteelHead: choose Optimization > SSL: Secure Peering (SSL). For details, see the SteelHead User Guide.
4. Import the SteelHead certificate to the Mobile Controller.
    Choose Administration > SSL: Peering > Add a New Trusted Entity. For details, see Configuring Mobile Controller peering.
This table lists the tasks to be completed at the SteelHead, along with the section where you can find details about the task.
1. Enable the SSL proxy support feature.
    Choose Optimization > SSL: Advanced Settings and select the Enable SSL Proxy Support check box. For details, see the SteelHead User Guide.
2. Create the server certificate on the SteelHead.
    Choose Optimization > SSL: SSL Main Settings > SSL Server Certificates. For details, see the SteelHead User Guide.
3. Import the Mobile Controller certificate to the SteelHead.
    This step has two parts, one completed at the Mobile Controller and one completed at the SteelHead.
    On the Mobile Controller, choose Administration > SSL: Signing CA. For details, see To configure SSL Peering.
    On the SteelHead, choose Optimization > SSL: Secure Peering (SSL) > Mobile Trust. For details, see the SteelHead User Guide.
Basic steps for configuring SNI support
Server Name Indication (SNI) is a TLS extension (RFC 6066) to the SSL/TLS handshake. With SNI, the client's first handshake message, the ClientHello, carries the hostname of the virtual host the client wants to reach. A server that hosts several names on one IP address and port can therefore return the certificate for that specific host instead of a single default certificate. The hostname travels unencrypted in the ClientHello, which is also what lets a device in the path see which server name a connection is for before any encryption starts; a client that sends no SNI, or the wrong name, gets the server's default certificate and will typically fail hostname verification for any other host.
To enable SNI optimization on SteelHead Mobile 6.0 and later, the server-side SteelHeads must be running RiOS 9.7 or later.
This table lists the tasks to be completed at the Mobile Controller and the SteelHead, along with the section where you can find details about the task.
1. On the Mobile Controller, enable SSL optimization.
    Choose Manage > Services: Policies. Click the policy name and select the SSL tab. Under General SSL Settings, select Enable SSL Optimization. For details, see Configuring SSL for policies.
2. On the SteelHead, enable SNI.
    Choose Optimization > SSL: Advanced Settings. Under TLS Settings, select Enable SNI. For details, see the SteelHead User Guide.