Use Case 6: Configuring SSL Monitoring when Client Authentication is Enabled on the Backend Service

Sep 01, 2016

Consider a scenario in which you need to load balance servers that require SSL client certificates to validate clients. For this deployment, you need to create an SSL service on the NetScaler appliance, add an HTTPS monitor, add the certificate-key pair that the appliance will present as its client certificate, bind this certificate-key pair to the SSL service, and then bind the HTTPS monitor to this service. You can use this HTTPS monitor to perform health checks on the backend services.

To configure SSL monitoring with a client certificate

  1. Open an SSH connection to the appliance by using an SSH client, such as PuTTY.
  2. Log on to the appliance by using the administrator credentials.
  3. Add an SSL service. At the command prompt, type:

    add service <name> <serverName> <serviceType> <port>

  4. Add an HTTPS monitor. At the command prompt, type:

    add lb monitor <name> <type>

  5. Add the certificate-key pair that is going to be used as the client certificate for that SSL service. At the command prompt, type:

    add ssl certKey <certkeyName> -cert <string> -key <string>

  6. Bind this certificate-key pair to the SSL service. At the command prompt, type:

    bind ssl service <serviceName> -certkeyName <string>

  7. Bind the HTTPS monitor to the SSL service. At the command prompt, type:

    bind lb monitor <monitorName> <serviceName>

Now, when the appliance probes the backend service on which client authentication is enabled, the backend service requests a certificate as part of the SSL handshake. Because the appliance presents the certificate-key pair bound in step 6 above, the monitor probe succeeds.

Example

 add service svc_k 10.102.145.30 SSL 443 
 add lb monitor sslmon HTTP -respCode 200 -httpRequest "GET /testsite/file5.html" -secure YES 
 add ssl certKey ctest -cert client_rsa_2048.pem -key client_rsa_2048.ky 
 bind ssl service svc_k -certkeyName ctest 
 bind lb monitor sslmon svc_k 
 > show service svc_k 
       svc_k (10.102.145.30:443) - SSL 
       State: UP 
       Last state change was at Tue Jan 10 13:12:24 2012 
       Time since last state change: 0 days, 00:09:37.890 
       Server Name: 10.102.145.30 
       Server ID : 0 Monitor Threshold : 0 
       Max Conn: 0 Max Req: 0 Max Bandwidth: 0 kbits 
       Use Source IP: NO 
       Client Keepalive(CKA): NO 
       Access Down Service: NO 
       TCP Buffering(TCPB): NO 
       HTTP Compression(CMP): NO 
       Idle timeout: Client: 180 sec Server: 360 sec 
       Client IP: DISABLED 
       Cacheable: NO 
       SC: OFF 
       SP: OFF 
       Down state flush: ENABLED 
       Appflow logging: ENABLED 
       
 1) Monitor Name: sslmon 
       State: UP Weight: 1 
       Probes: 1318 Failed [Total: 738 Current: 0] 
       Last response: Success - HTTP response code 200 received. 
       Response Time: 0.799 millisec 
    Done 
 > 
 > show ssl service svc_k 
       Advanced SSL configuration for Back-end SSL Service svc_k: 
       DH: DISABLED 
       Ephemeral RSA: DISABLED 
       Session Reuse: ENABLED Timeout: 300 seconds 
       Cipher Redirect: DISABLED 
       SSLv2 Redirect: DISABLED 
       Server Auth: DISABLED 
       SSL Redirect: DISABLED 
       Non FIPS Ciphers: DISABLED 
       SNI: DISABLED 
       SSLv2: DISABLED SSLv3: ENABLED TLSv1: ENABLED 
 1) CertKey Name: ctest Client Certificate 
 
 1) Cipher Name: ALL 
    Description: Predefined Cipher Alias 
 Done
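Before running `add ssl certKey` and `bind ssl service`, it is worth confirming from an ordinary shell that the certificate and key files actually belong together (a mismatched pair is the usual reason the certKey add fails or the probe is rejected), and then reproducing the monitor's own probe (the `GET /testsite/file5.html` with the client certificate, expecting response code 200) with curl. The script below is an added example, not part of the original page or NetScaler's own tooling; it assumes OpenSSL and curl are installed on the host, and the backend address and file names are the ones from the example above (the paths are placeholders to be replaced with your own).

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight checks for the
# client-certificate monitor configuration described above.

# certkey_match CERT KEY
# Returns 0 if the public key inside CERT equals the public key derived
# from KEY, 1 if they differ, 2 if either file cannot be parsed.
# Both openssl commands emit the SubjectPublicKeyInfo in PEM form, so a
# plain string comparison is sufficient.
certkey_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# server_requests_client_cert HOST:PORT
# Returns 0 if the backend asks for a client certificate during the
# handshake. openssl s_client prints the CA names the server will accept
# only when it sent a CertificateRequest.
server_requests_client_cert() {
  openssl s_client -connect "$1" </dev/null 2>/dev/null \
    | grep -q 'Acceptable client certificate CA names'
}

# probe_backend HOST:PORT CERT KEY PATH
# Mirrors the monitor in the example: a TLS GET that presents the client
# certificate and prints only the HTTP status code. -k is used because the
# example monitor does not verify the backend certificate either
# (Server Auth: DISABLED in the show output); drop it if the backend
# certificate chains to a CA you trust.
probe_backend() {
  curl -sS -k -o /dev/null -w '%{http_code}' \
    --cert "$2" --key "$3" "https://$1$4"
}

# probe_ok STATUS EXPECTED
# The monitor's -respCode check, applied to the status curl returned.
probe_ok() {
  [ "$1" = "$2" ]
}

# Stand-alone usage: values below are placeholders taken from the example.
main() {
  backend=10.102.145.30:443          # placeholder backend from the example
  cert=client_rsa_2048.pem           # placeholder client certificate path
  key=client_rsa_2048.ky             # placeholder client key path

  if certkey_match "$cert" "$key"; then
    echo "cert/key pair matches"
  else
    echo "cert/key pair does NOT match (or cannot be read); fix before add ssl certKey" >&2
    exit 1
  fi

  if server_requests_client_cert "$backend"; then
    echo "backend requests a client certificate during the handshake"
  else
    echo "backend did not request a client certificate; the certKey binding may be unnecessary"
  fi

  status=$(probe_backend "$backend" "$cert" "$key" /testsite/file5.html)
  if probe_ok "$status" 200; then
    echo "probe succeeded: HTTP $status"
  else
    echo "probe failed: HTTP $status (monitor expects 200)" >&2
    exit 1
  fi
}

# Only run the network checks when executed directly, not when sourced.
case "$0" in
  *sh) ;;
  *) main "$@" ;;
esac
```

`certkey_match` works for RSA and EC keys alike, since `openssl pkey` handles both. If `server_requests_client_cert` reports no certificate request, the "Server Auth: DISABLED" and "CertKey Name: ctest Client Certificate" lines in `show ssl service` are worth rechecking against what the backend is actually configured to enforce.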