About SSL/TLS optimization
SSL/TLS optimization is required for SaaS acceleration, and you need to generate a certificate authority (CA) certificate before you can configure applications for SaaS acceleration.
TLS replaces SSL in SteelHead appliances running version 9.14.1 and later. If your SteelHeads run version 9.14.1 or later, or you have enabled TLS on SteelHeads running an earlier version, open port 7881 on your firewall for outbound TCP traffic to the SaaS Accelerator endpoint IP address for each deployed application.
SAM users with read-only permissions are not allowed to generate certificates or configure SaaS acceleration.
SAM uses the CA certificate to automatically generate proxy certificates, which SAM pushes to the SaaS service cluster. Your client systems must establish a trust relationship with the proxy certificates.
You can configure two types of CA certificates:
Riverbed managed—Use the Riverbed-managed CA to generate a root certificate authority (RCA) certificate. You must download or copy the certificate and deploy it to the Trusted Root Certification Authorities certificate store on your client systems. After the RCA certificate is deployed, the RCA then automatically generates trusted certificates to sign optimized SSL/TLS traffic. See Configuring SSL/TLS optimization with a root CA certificate. This is the default configuration.
Customer managed—Use SAM to generate a certificate signing request (CSR), which you use to obtain an intermediate certificate authority (ICA) certificate. After your organization’s CA signs the ICA, upload it to SAM. Your client systems should already have an established trust relationship with your CA. See Configuring SSL/TLS optimization using your organization’s CA. We recommend this configuration if your organization has its own internal CA.
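The checks below are an added example, not part of the Riverbed documentation: before uploading the signed ICA certificate to SAM, they use the openssl CLI to confirm that it carries the CSR's public key, chains to your organization's CA, is marked as a CA, and meets the 2048-bit default key length listed on this page. The `check_ica` function and its file arguments are hypothetical names.

```shell
#!/bin/sh
# Added example: pre-upload checks for a signed ICA certificate.
# Usage: check_ica <csr.pem> <signed-ica.pem> <org-ca-chain.pem>
# File names are placeholders; the floor mirrors the page's default key length.
MIN_RSA_BITS=2048

check_ica() {
    csr=$1 cert=$2 ca=$3

    # 1. The certificate must carry the public key from the CSR, otherwise
    #    it cannot pair with the private key that produced the CSR.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: unreadable CSR"; return 1; }
    crt_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: unreadable certificate"; return 1; }
    [ "$csr_pub" = "$crt_pub" ] ||
        { echo "FAIL: certificate key does not match CSR"; return 1; }

    # 2. It must chain to the CA that client systems already trust.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: does not chain to the supplied CA"; return 1; }

    text=$(openssl x509 -in "$cert" -noout -text)

    # 3. It must be a CA certificate; clients reject certificates
    #    issued by a certificate without basicConstraints CA:TRUE.
    printf '%s\n' "$text" | grep -q 'CA:TRUE' ||
        { echo "FAIL: basicConstraints is not CA:TRUE"; return 1; }

    # 4. The key length must meet the chosen minimum.
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge "$MIN_RSA_BITS" ] ||
        { echo "FAIL: key is ${bits:-unknown} bits"; return 1; }

    echo "OK: $bits-bit CA certificate, matches CSR, chains to CA"
}
```

A certificate that your CA issued from a server or end-entity template fails check 3 even though it verifies against the CA, which is the case worth catching before upload.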
Only one certificate can be active at any given time. If you have multiple certificates, however, you can switch between them. You need to deactivate the active certificate to generate new certificates.
When generating a certificate, you’ll need to supply the following information:
Field: Description
Common name: Specify a common name for the root CA certificate.
Organization: Optionally, specify the organization name (for example, the company).
Organizational unit: Optionally, specify the organizational unit name (for example, the section or department).
Locality: Optionally, specify the city.
State: Optionally, specify the state.
Country: Optionally, specify the country (2-letter code only).
Email address: Optionally, specify the email address of the contact person.
RSA cipher bits: Select the key length from the drop-down list. The default value is 2048.
Validity period (RCA only): Specify how many days the root CA certificate is valid. The default value is 730 days (two years).