About SSL and Secure Inner Channels : Basic steps for configuring SSL
  
Basic steps for configuring SSL
These are the basic steps to configure SSL, followed by detailed procedures:
1. Enable SSL support on the server-side SteelHead and client-side appliance.
2. Set the SSL secure vault password on the client-side appliance and server-side SteelHead.
3. Optionally, enable the appliance to reuse the client-side SSL session. This is a client-side setting that improves connection setup performance. Both the client-side appliance and the server-side SteelHead must be running RiOS 6.0 or later. Enabling this option requires an optimization service restart. Client-side session reuse is enabled by default.
4. On the server-side SteelHead, configure a proxy certificate and private key for the SSL back-end server.
This step enables the server-side SteelHead to act as a proxy for the back-end server, which is necessary to intercept the SSL connection and to optimize it. Because the SteelHead presents this certificate to clients and holds the matching private key, the certificate must be issued by a CA that the clients trust, and the private key must be guarded as carefully as the back-end server's own key.
5. Create an in-path rule for the client-side appliance.
In-path configurations—Create a client-side in-path rule with the Preoptimization Policy = SSL. If you also want the HTTP latency optimization module applied to connections to this server, add a corresponding in-path rule with Latency Optimization Policy = HTTP.
Out-of-path configurations—On the client-side appliance, add a new in-path rule to identify which connections are to be intercepted and applied to SSL optimization. Use these property values:
Type—Fixed target
Destination Subnet/Port—We recommend that you specify the exact SSL server IP address (for example, 10.11.41.14/32) and the default SSL port 443.
VLAN Tag—All
Preoptimization Policy—SSL
Data Reduction Policy—Normal
Latency Optimization Policy—HTTP (Latency optimization is not always HTTP, especially for applications that use the SSL protocol but are not HTTP based. In such cases, specify None for the latency optimization.)
Neural Framing Mode—Always
6. Configure mutual peering trusts so the server-side SteelHead trusts the client-side appliance and vice versa. Use one of these approaches:
Use the secure inner channel and peering lists:
Configure the inner channel SSL settings as described in Configuring secure peers.
To automatically discover appliances that use self-signed certificates, open your secure application to send some traffic through the appliances. The connection is passed through to the server without optimization, but the appliances automatically discover the peers and place them in the self-signed peer gray list. A gray-list entry means only that a peer was seen, not that it is genuine.
Manually move the peers from the gray list to the trusted white list by marking them as trusted. Before you do so, compare the certificate fingerprint shown for the gray-list entry with the identity certificate displayed on the peer appliance itself (over an out-of-band channel), so that you do not trust an unexpected device that happens to sit in the path. The connections are not optimized until after you move the peers to the white list.
Reopen your secure application.
—or—
Add CA-signed peer certificates:
Add the PEM certificate of the designated CA as a new trusted entity to the peering trust list for each appliance.
For production networks with multiple appliances, use the SCC or the bulk import and export feature to simplify configuring trusted peer relationships. For details, see the SteelCentral Controller for SteelHead User Guide or Performing bulk imports and exports.
Your organization can choose to replace all of the default self-signed identity certificates and keys on its appliances with certificates signed by another CA (either internal to your organization or an external well-known CA). In that case, every appliance only needs the certificate of the designated CA (the one that signed all the appliance identity certificates) added as a new trusted entity.
7. If your organization uses internal CAs to sign its SSL server certificates, you must import each certificate in the chain onto the server-side SteelHead.
You must perform this step if you use internal CAs because the SteelHead default list of well-known CAs (trusted by the server-side SteelHead) does not include your internal CA certificate. To identify the certificate of your internal CA (in some cases, the chain of certificate authorities), go to your web browser's repository of trusted-root or intermediate CAs: for example, Internet Explorer > Tools > Internet Options > Certificates.
8. On the client-side appliance and server-side SteelHead, restart the optimization service.
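The certificate material that steps 4, 6 and 7 call for can be prepared and checked before it is uploaded to the appliances. The following is an added example using openssl, not Riverbed's own tooling or CLI: it builds an internal CA, issues a proxy certificate and key for the back-end server, verifies that the key matches the certificate and that the chain validates, prints the fingerprint you would compare out of band before moving a peer from the gray list to the white list, and lists the certificates in the chain file to be imported in step 7. The hostname ssl-app.example.internal, the CA name and the file paths are assumptions; the address 10.11.41.14 is the page's own example.

```shell
#!/bin/sh
# Added example (not Riverbed's code): prepare and check the certificate
# material for SSL optimization with openssl. Assumed values below.
set -eu

WORK="${WORK:-$(mktemp -d)}"                                # assumed scratch dir
SERVER_HOST="${SERVER_HOST:-ssl-app.example.internal}"      # assumed back-end name
SERVER_IP="${SERVER_IP:-10.11.41.14}"                       # address from the page

# Step 7 material: a self-signed internal CA ($1 = name). A real deployment
# imports the PEM of the CA that already signs the back-end server's cert.
make_internal_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
  echo "$WORK/$1.pem"
}

# Step 4 material: proxy cert + key for the back-end server ($1 host, $2 IP),
# signed by CA $3 with a SAN so clients that trust the CA accept the proxy.
make_proxy_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORK/proxy.key" -out "$WORK/proxy.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\n' "$1" "$2" \
    > "$WORK/proxy.ext"
  openssl x509 -req -in "$WORK/proxy.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORK/proxy.ext" \
    -out "$WORK/proxy.pem" 2>/dev/null
  echo "$WORK/proxy.pem"
}

# Does cert $2 chain to CA file $1? (exit status only)
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Does private key $2 belong to cert $1? Compare the public keys they carry.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ "$c" = "$k" ]
}

# SHA-256 fingerprint of cert $1: the value to confirm out of band (step 6).
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Does cert $1 carry a DNS SAN for host $2?
cert_has_san() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }

# Subjects and issuers of every certificate in PEM bundle $1 (step 7 check).
list_chain() { openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout; }

# Worked run.
CA=$(make_internal_ca internal-ca)
OTHER_CA=$(make_internal_ca unrelated-ca)      # a CA the proxy cert must NOT chain to
PROXY=$(make_proxy_cert "$SERVER_HOST" "$SERVER_IP" internal-ca)
verify_chain "$CA" "$PROXY" && echo "proxy cert chains to internal CA"
verify_chain "$OTHER_CA" "$PROXY" || echo "proxy cert correctly rejected by unrelated CA"
key_matches_cert "$PROXY" "$WORK/proxy.key" && echo "proxy key matches proxy cert"
cert_has_san "$PROXY" "$SERVER_HOST" && echo "proxy cert carries SAN for $SERVER_HOST"
echo "fingerprint to confirm before trusting a peer: $(cert_fingerprint "$CA")"
list_chain "$CA"
```

Upload proxy.pem and proxy.key as the proxy certificate and key in step 4, and internal-ca.pem (plus any intermediates, concatenated in one PEM file) in step 7; the fingerprint printed for a peer's identity certificate is what you compare against the gray-list entry in step 6 before marking it trusted.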