Filter
Top Products
184 ServerIron ADX Security Guide
53-1002440-03
Configuration Examples for SSL Termination and Proxy Modes
6
Define client Iinsertion mode and prefix
The client certificate insertion mode and prefix can be optionally configured within a CSW policy as
described in the following. To configure the client insertion mode, use the default rewrite
request-insert command as shown.
ServerIronADX(config)# csw-policy cswp1
ServerIronADX(config-csw-cswp1)# default rewrite request-insert client-cert
Syntax: [no] default rewrite request-insert client-cert [entire-chain | leaf-cert | wellknown-fields]
Selecting the entire-chain parameter directs the ServerIron ADX to insert the entire chain including
the leaf certificate in BASE64 encoded form. This is the default mode.
Selecting the leaf-cert parameter directs the ServerIron ADX to insert only the leaf certificate in
BASE64 encoded form, even though the certificate chain is present.
If the wellknown-fields parameter is selected the important information of the client certificate is
retrieved and inserted as the HTTP headers, in plain text. If this mode is chosen, the following
headers are inserted: "Client-Cert-Version", "Client-Cert-Serial", "Client-Cert-Start", "Client-Cert-End",
"Client-Cert-Subject", "Client-Cert-Subject-CN", "Client-Cert-SubjectAlt-CN", "Client-Cert-Issuer" and
"Client-Cert-Issuer-CN".
You can add a prefix to the default HTTP names using the default rewrite request-insert
certheader-prefix command. In the following example, the prefix "SSL" added to the HTTP header
"Client-Cert" would become "SSL-Client-Cert".
ServerIronADX(config)# csw-policy cswp1
ServerIronADX(config-csw-cswp1)# default rewrite request-insert client-cert
certheader-prefix "SSL"
Syntax: [no] default rewrite request-insert client-cert certheader-prefix <prefix>
The value specified by the <prefix> variable is added to the default HTTP name.
The HTTP header names are shown in Table 18.
Other protocols supported for SSL
SSL acceleration support is provided to other popular protocols such as LDAPS, POP3S, and IMAPS.
Configuration of SSL acceleration support for these protocols is shown the following example.
TABLE 18 HTTP Header Names and Descriptions
Header Names Descriptions
Client-Cert The entire client certificate chain or the leaf certificate.
Client-Cert-Version Version of the client certificate.
Client-Cert-Serial Serial number of the client certificate.
Client-Cert-Start Date certificate not valid before.
Client-Cert-End Date certificate not valid after.
Client-Cert-Subject Subject's distinguished name.
Client-Cert-Subject-CN Subject's common name.
Client-Cert-Subject-Alt-CN Subject's alternative name.
Client-Cert-Issuer Issuer's distinguished name.
Client-Cert-Issuer-CN Issuer's common name.