
Use Case 1: Configuring SSL Offloading with End-to-End Encryption

Aug 09, 2017

A simple SSL offloading setup terminates SSL traffic (HTTPS) on the NetScaler appliance, decrypts the SSL records, and forwards the clear text (HTTP) traffic to the back-end web servers. That clear text traffic is exposed to anyone who gains access to the back-end network devices or the web servers themselves: it can be read, modified, spoofed, or stolen in transit.

You can therefore configure SSL offloading with end-to-end security: the appliance re-encrypts the clear text data after processing it and communicates with the back-end web servers over its own secure SSL sessions.

Additionally, you can configure the back-end SSL transactions so that the NetScaler appliance uses SSL session multiplexing to reuse existing SSL sessions with the back-end web servers, avoiding a CPU-intensive key exchange (full handshake) for every new client connection. This reduces the number of SSL sessions the back-end servers must establish and therefore accelerates the SSL transaction while maintaining end-to-end security.

To configure SSL Offloading with end-to-end encryption, add SSL based services that represent secure servers with which the NetScaler appliance will carry out end-to-end encryption. Then create an SSL based virtual server, and create and bind a valid certificate-key pair to the virtual server. Bind the SSL services to the virtual server to complete the configuration.

For details on adding SSL based services, see Configuring Services.

For details on adding an SSL virtual server, see Configuring an SSL Based Virtual Server.

For details on creating a certificate-key pair, see Adding a Certificate-Key Pair.

For details on binding a certificate-key pair to a virtual server, see Binding the Certificate Key Pair to the SSL Based Virtual Server.

For details on binding services to a virtual server, see Binding Services to the SSL Based Virtual Server.

To configure an end-to-end encryption deployment, perform the following steps:

  • Create SSL services
  • Create an SSL virtual server
  • Add a certificate-key pair
  • Bind the certificate-key pair to the SSL virtual server
  • Bind the services to the SSL virtual server

Sample values used in the configuration are listed in the table.

Entity                    Name           IP Address      Port
SSL service               service-ssl-1  198.51.100.5    443
SSL service               service-ssl-2  198.51.100.10   443
SSL virtual server        vserver-ssl    203.0.113.5     443
SSL certificate-key pair  certkey-1      -               -

Example

add service service-ssl-1 198.51.100.5 SSL 443

add service service-ssl-2 198.51.100.10 SSL 443

add lb vserver vserver-ssl SSL 203.0.113.5 443

add ssl certKey certkey-1 -cert server_rsa_1024.pem -key server_rsa_1024.ky

bind ssl vserver vserver-ssl -certkeyName certkey-1

bind lb vserver vserver-ssl service-ssl-1

bind lb vserver vserver-ssl service-ssl-2
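The configuration above encrypts the back-end leg, but the appliance does not by default verify the certificate a back-end server presents, so an attacker who has reached the back-end network, the very threat described at the top of this page, could still interpose a server of their own. The following is an added example, not part of the original page or of the sample configuration above: it repeats the deployment and then enables back-end server certificate verification on each SSL service. The CA certificate name (ca-backend), its file name (backend-ca.pem) and the expected common name (www.example.com) are assumptions chosen for illustration; substitute the CA that issued your back-end certificates and the name those certificates carry. The lines beginning with # are annotations for the reader.

```text
# Added example: the deployment from this page, plus back-end server
# certificate verification. ca-backend, backend-ca.pem and www.example.com
# are assumed values, not values from the page.

add service service-ssl-1 198.51.100.5 SSL 443
add service service-ssl-2 198.51.100.10 SSL 443
add lb vserver vserver-ssl SSL 203.0.113.5 443
add ssl certKey certkey-1 -cert server_rsa_1024.pem -key server_rsa_1024.ky
bind ssl vserver vserver-ssl -certkeyName certkey-1
bind lb vserver vserver-ssl service-ssl-1
bind lb vserver vserver-ssl service-ssl-2

# Load the CA certificate that issued the back-end servers' certificates.
# A CA certificate is added without a private key.
add ssl certKey ca-backend -cert backend-ca.pem

# Require each back-end server to present a certificate that chains to that CA
# and carries the expected common name; otherwise the back-end connection fails.
set ssl service service-ssl-1 -serverAuth ENABLED -commonName www.example.com
bind ssl service service-ssl-1 -certkeyName ca-backend -CA
set ssl service service-ssl-2 -serverAuth ENABLED -commonName www.example.com
bind ssl service service-ssl-2 -certkeyName ca-backend -CA
```

Two further points a practitioner should check. Back-end session reuse, the multiplexing described earlier on this page, is controlled per service by the sessReuse parameter of set ssl service and is enabled by default, so it needs no explicit command here. The sample file names server_rsa_1024.pem and server_rsa_1024.ky suggest a 1024-bit RSA key; treat them as placeholders and issue certkey-1 from at least a 2048-bit RSA key (or an ECDSA key), because current browsers and CAs reject shorter RSA keys. Confirm the parameter names against the command reference for your NetScaler release before applying the commands.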