Configuring SSL for Client Accelerators
This chapter describes how to configure SSL support for the Client Accelerator. It includes these sections:
Configuring SSL for Client Accelerators
Configuring Client Accelerator peering
Modifying SSL server certificate settings
Configuring SSL certificate authorities
Configuring SSL bulk import and export
Configuring SSL for Client Accelerators
Each Client Accelerator is manufactured with its own self-signed certificate and private key that uniquely identifies that Client Accelerator.
For detailed information about SSL, see the SteelHead User Guide.
The Client Accelerator provides you with these SSL options.

| SSL task | Reference |
|---|---|
| Enable SSL in Client Accelerator policies | You can enable SSL in your Client Accelerator policies. For details, see Configuring SSL for policies. |
| Create SSL peering relationships | You can create peering relationships between the Client Accelerator and the SteelHeads in your network. You must have a trusted peer relationship to create Client Accelerator clusters. For details about Client Accelerator clusters, see To configure SSL Peering. |
| View Client Accelerator certificate details | You can view the current Client Accelerator certificate details. For details, see To view signing CA details. |
| Add chain certificates | If your organization uses internal CAs to sign its SSL server certificates, you must import each certificate in the chain onto the Client Accelerator. For details, see To add a chain certificate. |
| View certificates in Privacy Enhanced Mail (PEM) format | You can view the certificate in PEM format. For details, see To view a CA in PEM format. |
| Replace (import) certificates | By default, the Client Accelerator ships with a default peer certificate. We recommend that you replace it with a certificate that has a matching common name and security parameters (key length). For details, see To replace a Client Accelerator signing CA. |
| Export certificates | You can export the signing CA of the Client Accelerator and then import it on the peer SteelHead to establish the peer relationship. For details, see To export an existing certificate. |
| Generate certificate signing requests (CSR) | You can generate a CSR for the current private key. For details, see To generate a CSR. |
Basic steps for configuring SSL
These tables describe the basic steps for configuring SSL in the Client Accelerator and the SteelHead.
This table lists the tasks to be completed at the Client Accelerator, along with the section where you can find details about the task.
| Client Accelerator task | Reference |
|---|---|
| 1. Add the root CA to the CAs. | Choose Administration > SSL: Certificate Authorities. For details, see To add SSL certificate authorities. |
| 2. Add the signing CA. | Choose Administration > SSL: Signing CA. For details, see To view signing CA details. |
| 3. Add the root CA as a chain certificate. | Choose Administration > SSL: Signing CA. For details, see To add a chain certificate. |
This table lists the tasks to be completed at the SteelHead, along with the section where you can find details about the task.
| SteelHead task | Reference |
|---|---|
| 1. Add the root CA to the CA list. | Choose Configure > Optimization: Certificate Authorities. For details, see the SteelHead User Guide. |
| 2. Create a trust relationship with the root CA. | Choose Configure > Optimization: Secure Peering. Make sure that you select Trust Existing CA and select the root CA from the drop-down list. For details, see the SteelHead User Guide. |
| 3. Add the signing CA to the Client Accelerator trust list. | Choose Configure > Optimization: Secure Peering. Make sure that you select Add a New Mobile Entity and navigate to the local file. For details, see the SteelHead User Guide. |
| 4. Add the server certificate. | Choose Configure > Optimization: SSL Main Settings. Make sure that you select Import Existing Private Key and CA-Signed Public Certificate. For details, see the SteelHead User Guide. |
Basic steps for configuring SSL proxy support
These tables describe the basic steps for configuring SSL proxy support in the Client Accelerator and the SteelHead.
This table lists the tasks to be completed at the Client Accelerator, along with the section where you can find details about the task.
| Client Accelerator task | Reference |
|---|---|
| 1. Enable the SSL proxy support feature. | Choose Manage > Services: Policies. Click the policy name and select the SSL tab. Then select the Enable SSL Optimization check box and the Enable SSL Proxy Support check box. For details, see Configuring SSL for policies. |
| 2. Add the in-path rules for the SSL proxy. | Choose Manage > Services: Policies and select the In-Path Rules tab. Add an in-path rule that applies SSL preoptimization to all connections going through the SSL proxy. For details, see Configuring in-path optimization rules for policies. See also the note on non-SSL connections after this table. |
| 3. Export the Client Accelerator certificate to the SteelHead. | Complete this step at the SteelHead. At the SteelHead, choose Optimization > SSL: Secure Peering. For details, see the SteelHead User Guide. |
| 4. Import the SteelHead certificate to the Client Accelerator. | Choose Administration > SSL: Peering > Add a New Trusted Entity. For details, see Configuring Client Accelerator peering. |

Note on step 2: When non-SSL connections go through the SSL proxy, the in-path rule is applied and the connections are included in the SSL connection totals. However, because such a connection is not an SSL connection, it is counted as an unsuccessful SSL connection and is reflected as such on the Status display for the SteelHead, for example:

SSL Connections (Successful/Total): 25675/50624

The unsuccessful connections (that is, the non-SSL connections) are also reflected in the SSL endpoint reports on the Client Accelerator (Reports > Endpoints: SSL).
This table lists the tasks to be completed at the SteelHead, along with the section where you can find details about the task.
| SteelHead task | Reference |
|---|---|
| 1. Enable the SSL proxy support feature. | Choose Optimization > SSL: Advanced Settings. Be sure to select the Enable SSL Proxy Support check box. For details, see the SteelHead User Guide. |
| 2. Create the server certificate on the SteelHead. | Choose Optimization > SSL: SSL Main Settings > SSL Server Certificates. For details, see the SteelHead User Guide. |
| 3. Import the Client Accelerator certificate to the SteelHead. | This step has two parts, one completed at the Client Accelerator and one completed at the SteelHead. On the Client Accelerator, choose Administration > SSL: Signing CA. For details, see To configure SSL Peering. On the SteelHead, choose Optimization > SSL: Secure Peering (SSL) > Mobile Trust. For details, see the SteelHead User Guide. |
Basic steps for configuring SNI support
Server Name Indication (SNI) is a Transport Layer Security (TLS) extension to the SSL protocol. With SNI, the ClientHello, the first handshake message the client sends to the HTTPS server, carries the hostname of the virtual host the client is connecting to. Because the server knows the requested hostname before it answers, it can return the certificate for that specific host rather than a default one.
To enable SNI optimization on Client Accelerator 6.0 and later, the server-side SteelHeads must be running RiOS 9.7 or later.
This table lists the tasks to be completed at the Client Accelerator and the SteelHead, along with the section where you can find details about the task.
| Task | Reference |
|---|---|
| 1. On the Client Accelerator, enable SSL Optimization. | Choose Manage > Services: Policies. Click the policy name and select the SSL tab. Under General SSL Settings, select Enable SSL Optimization. For details, see Configuring SSL for policies. |
| 2. On the SteelHead, enable SNI. | Choose Optimization > SSL: Advanced Settings. Under TLS Settings, select Enable SNI. For details, see the SteelHead User Guide. |
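The two mechanisms this chapter relies on, the hostname carried in the ClientHello for SNI and the "SSL Connections (Successful/Total)" accounting described in the SSL proxy note earlier in the chapter, as an added example that is not part of this guide or of the Client Accelerator and SteelHead products. It is a stdlib-only Python parser that reads the server_name extension out of a ClientHello (a constructed one produced by the hypothetical build_client_hello helper) and a tally that counts every connection matched by the in-path rule toward Total but only a real ClientHello as Successful; all hostnames and the sample non-SSL request bytes are constructed.

```python
import struct
TLS_HANDSHAKE, CLIENT_HELLO, EXT_SERVER_NAME = 0x16, 0x01, 0x0000

def build_client_hello(hostname=None):
    """Constructed sample: a minimal TLS ClientHello, optionally carrying an SNI extension."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry              # server_name_list
        exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32) + b"\x00"                        # version, zeroed random, no session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                      # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def sni_from_client_hello(data):
    """Return the SNI hostname (None if absent); raise ValueError if the bytes are not a ClientHello."""
    if len(data) < 44 or data[0] != TLS_HANDSHAKE or data[5] != CLIENT_HELLO:
        raise ValueError("first bytes are not a TLS ClientHello")
    p = 5 + 4 + 2 + 32                                     # record hdr, handshake hdr, version, random
    p += 1 + data[p]                                       # session id
    p += 2 + struct.unpack("!H", data[p:p + 2])[0]         # cipher suites
    p += 1 + data[p]                                       # compression methods
    if p >= len(data):
        return None                                        # no extensions block at all
    ext_end, p = p + 2 + struct.unpack("!H", data[p:p + 2])[0], p + 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", data[p:p + 4])
        p += 4
        if etype == EXT_SERVER_NAME:
            q = p + 2                                      # skip server_name_list length
            while q + 3 <= p + elen:
                ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                if ntype == 0:                             # host_name entry
                    return data[q + 3:q + 3 + nlen].decode("idna")
                q += 3 + nlen
        p += elen
    return None

def tally(first_bytes_per_connection):
    """Mirror 'SSL Connections (Successful/Total)': all matched connections count toward Total."""
    hostnames = []
    for first in first_bytes_per_connection:
        try:
            hostnames.append(sni_from_client_hello(first))
        except ValueError:
            pass                                           # non-SSL traffic: in Total, not Successful
    return len(hostnames), len(first_bytes_per_connection), hostnames
```

Feeding the first bytes of each proxied connection to tally reproduces the Successful/Total split shown on the SteelHead Status display, and the returned hostnames are what SNI lets the server see before choosing a certificate.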