SSL Task | Reference |
Enable SSL in Mobile Controller policies | You can enable SSL in your SteelHead Mobile polices. For details, see Configuring SSL for Policies. |
Create SSL peering relationships | You can create peering relationships between the Mobile Controller and the SteelHeads in your network. You must have a trusted peer relationship to create Mobile Controller clusters. For details about Mobile Controller clusters, see To configure SSL Peering. |
View Mobile Controller certificate details | You can view the current Mobile Controller certificate details. For details, see To view signing CA details. |
Add chain certificates | If your organization uses internal CAs to sign its SSL server certificates, you must import each of the certificates (in the chain) onto the Mobile Controller. For details, see To add a chain certificate. |
View certificates in Privacy Enhanced Mail (PEM) format | You can view the certificate in Privacy Enhanced Mail (PEM) format. For details, see To view a CA in PEM format. |
Replace (import) certificates | By default, the Mobile Controller ships with a default peer certificate. Riverbed recommends that you replace the default peer certificate with a certificate with a matching common name and security parameters (key length). For details, see To replace a Mobile Controller signing CA. |
Export certificates | You can export the signing CA of the Mobile Controller to the peer SteelHead and then import it to establish the peer relationship. For details, see To export an existing certificate. |
Generate certificate signing requests (CSR) | You can generate a CSR for the current private key. For details, see To generate a CSR. |
Mobile Controller Task | Reference |
1. Add the root CA to the CAs. | Choose Configure > SSL > Certificate Authorities. For details, see To add SSL certificate authorities. |
2. Add the signing CA. | Choose Configure > SSL > Signing CA. For details, see To view signing CA details. |
3. Add the root CA as a chain certificate. | Choose Configure > SSL > Signing CA. For details, see To add a chain certificate. |
SteelHead Task | Reference |
1. Add the root CA to the CA list. | Choose Configure > Optimization > Certificate Authorities. For details, see the SteelHead Management Console User’s Guide. |
2. Create a trust relationship with the root CA. | Choose Configure > Optimization > Secure Peering. Make sure that you select Trust Existing CA and select the root CA from the drop-down list. For details, see the SteelHead Management Console User’s Guide. |
3. Add the signing CA to the Mobile Controller trust list. | Choose Configure > Optimization > Secure Peering. Make sure that you select Add a New Mobile Entity and navigate to the local file. For details, see the SteelHead Management Console User’s Guide. |
4. Add the server certificate. | Choose Configure > Optimization > SSL Main Settings. Make sure that you select Import Existing Private Key and CA-Signed Public Certificate. For details, see the SteelHead Management Console User’s Guide. |
Mobile Controller Task | Reference |
1. Enable the SSL proxy support feature. | Choose Manage > Policies > SSL. Select the policy. Then select the Enable SSL Optimization check box and the Enable SSL Proxy Support check box. For details, see Configuring SSL for Policies. |
2. Add the in-path rules for the SSL proxy. | Choose Manage > Policies > In-Path Rules. Add an in-path rule that applies SSL preoptimization to all connections going through the SSL proxy. For details, see Configuring In-Path Optimization Rules for Policies. Caution: When non-SSL connections go through the SSL proxy, the in-path rule is applied and the connections are included in the SSL connection totals. However, since the connection is a non-SSL connection, it is considered an unsuccessful SSL connection and is reflected as such on the Status display for the SteelHead as shown in the example below: SSL Connections (Successful/Total): 25675/50624 The unsuccessful connections (that is, the non-SSL connections) will also be reflected in the SSL endpoint reports on the Mobile Controller (Reports > Endpoints > SSL). |
3. Export the Mobile Controller certificate to the SteelHead. Note: Complete this step at the SteelHead. | At the SteelHead, choose Optimization > SSL: Secure Peering. For details, see the SteelHead Management Console User’s Guide. |
4. Import the SteelHead certificate to the Mobile Controller. | Choose Configure > SSL > Peering > Add a New Trusted Entity. For details, see Configuring Mobile Controller Peering. |
SteelHead Task | Reference |
1. Enable the SSL proxy support feature. | Choose Optimization > SSL: Advanced Settings. Be sure to select the Enable SSL Proxy Support check box. For details, see the SteelHead Management Console User’s Guide. |
2. Create the server certificate on the SteelHead. | Choose Optimization > SSL: SSL Main Settings > SSL Server Certificates. For details, see the SteelHead Management Console User’s Guide. |
3. Import the Mobile Controller certificate to the SteelHead. Note: This step consists of two parts, one completed at the Mobile Controller and one completed at the SteelHead. | • At the Mobile Controller, choose Configure > SSL > Signing CA. For details, see, To configure SSL Peering. • At the SteelHead, choose Optimization > SSL: Secure Peering (SSL) > Mobile Trust. For details, see the SteelHead Management Console User’s Guide. |