
Configuring Secure Peering

Jan 28, 2011
There are two ways to establish secure peering:
  1. Using credentials generated by the appliances. This method was introduced in release 7.4.
  2. Using credentials you provide yourself. This method is available in all releases since 5.7.

Because an appliance with secure peering enabled will only compress connections with partner appliances with which it has a secure peering relationship, apply this procedure to all your appliances at the same time; otherwise compression stops between the appliances that have been secured and those that have not.

To prepare the appliances for secure peering
Perform the following procedure on each appliance in your network.
  1. Install a crypto license on the appliance. Without a crypto license, secure acceleration is not available.
    1. If you have not done so already, acquire crypto licenses from Citrix.
    2. If you are using a network license server, go to the Configuration > Appliance Settings > Licensing > Add License page and click the Remote license server and Crypto License On options.
    3. If you are using local licensing, go to the Configuration > Appliance Settings > Licensing > Add License page, click the Local license server option, and click Add to upload a local crypto license.
    4. Verify successful license installation on the Configuration > Appliance Settings > Licensing page. Under Licensing Information, a crypto license should be shown as active and with an expiration date in the future.
  2. Go to the Configuration > Secure Acceleration page. If the page has a button labeled Secure, click it.

  3. If you are taken to a Keystore Settings screen automatically, do the following:
    1. Enter a keystore password twice and click Save.
    2. When the screen updates to show the Secure Peering Certificates and Keys section, click Enable Secure Peering and CA Certificate, then click Save.
    3. Skip to Step 6.
  4. If you were not taken to the Keystore Settings screen automatically, click the pencil icon under Secure Peering, then click the pencil icon under Keystore Settings. Select Open on the Keystore Status pull-down menu, and enter a keystore password twice. Click Save.
  5. Enable secure peering by going to the Configuration > Secure Acceleration page and clicking the Enable button. Ignore any warnings at this stage. This setting enables secure peering when the required additional configuration is complete.
  6. Enable encryption of compression history by going to Configuration > Secure Acceleration User Data Store and clicking the pencil icon. Click Enable Disk Encryption, then click Save. User data store encryption prevents unauthorized reading of the disk-based compression history in case the appliance is stolen or returned to the factory. The security of disk data encryption relies on the keystore password, so choose it accordingly. This feature uses AES-256 encryption. (Disk data encryption does not encrypt the entire disk, just the compression history.)
  7. If you are using appliance-generated credentials, skip to the next step. If you are using your own credentials, do the following:
    1. Go to Configuration > Secure Acceleration and click the pencil icon under Secure Peering, then click the pencil icon under Secure Peering Certificates and Keys. Click Enable Secure Peering and Certificate Configuration > CA Certificate. The credential specification fields appear.
    2. Under Certificate/Key Pair Name, click the “+” icon and upload or paste the cert/key pair for this appliance. If required by the credentials, also enter the key password or file password. Click Create.
    3. Under CA Certificate Store Name, click the “+” icon and upload or paste the CA certificate for this appliance.
    4. Keep the default values for the Certificate Verification and SSL Cipher Specification fields unless your organization requires otherwise.
    5. Click Save.

  8. Repeat for the rest of your appliances.
  9. If you are using credentials that you provided yourself, secure peering configuration is complete.
  10. If you are using appliance-generated credentials, perform the following procedure.

To use secure peering with appliance-generated credentials
  1. Use the “Prepare the appliances for secure peering” procedure, above, to prepare your appliances for this procedure.
  2. On one datacenter appliance, go to Configuration > Secure Acceleration and click the Enable button, if present, to enable secure peering.
  3. Click the pencil icon under Secure Peering. The keystore should be open. If it isn’t, open it now.
  4. Click the pencil icon under Secure Peering Certificates and Keys. Click the Enable Secure Peering and Private CA options, then click Save. This generates a local self-signed CA certificate and a local certificate-key pair.
  5. Click the “+” icon under Connected Peers. In the Connect Peer dialog box, enter the IP address, administrator’s user name, and administrator’s password for one of your remote appliances and click Connect. This issues a CA certificate and certificate-key pair for the remote appliance and copies them to the remote appliance.
  6. Repeat for your other remote appliances.
  7. On the datacenter appliance, verify connectivity by going to Monitoring > Partners and Plug-ins > Secure Partners. For each remote appliance, the content of the Secure field should be True, and the Connection Status should be Connected Available.
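When you supply your own credentials (Step 7 of the preparation procedure), the appliance cannot tell you in advance whether the key you paste actually belongs to the certificate, or whether the certificate was issued by the CA you upload as the CA Certificate Store; a mismatch only shows up later as peers that never become Secure. The following script is an added example, not part of the Citrix documentation, that performs that pre-upload check with the OpenSSL command-line tool (assumed to be installed): it compares the public key embedded in the certificate with the one derived from the private key, and verifies the certificate against the CA certificate. The demo material it generates is constructed throwaway data for illustration only.

```shell
#!/bin/sh
# Added example (not from the Citrix documentation): pre-flight check of a
# certificate/key pair and CA certificate before they are uploaded as the
# appliance's Certificate/Key Pair and CA Certificate Store.
# Assumes the OpenSSL command-line tool is available on PATH.
set -e

# check_pair_and_chain CERT KEY CA
#   Returns 0 when the private key belongs to the certificate AND the
#   certificate verifies against the CA; non-zero otherwise, with the reason
#   printed on stderr. For a password-protected key, prepend
#   "-passin pass:<password>" to the openssl pkey call.
check_pair_and_chain() {
  cert=$1; key=$2; ca=$3
  # Public key carried in the certificate vs. public key derived from the private key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 2
  key_pub=$(openssl pkey -in "$key" -pubout) || return 2
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "MISMATCH: $key does not belong to $cert" >&2
    return 1
  fi
  # The certificate must chain to the CA that the peers will trust.
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "CHAIN ERROR: $cert is not signed by $ca" >&2
    return 1
  fi
  return 0
}

# make_demo_material DIR
#   Constructed demo data only: a throwaway CA, a leaf cert signed by it,
#   an unrelated private key, and a self-signed cert from a different CA.
make_demo_material() {
  d=$1
  mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Demo Peering CA" -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=appliance-1" \
    -keyout "$d/good.key" -out "$d/good.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/good.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/good.pem" >/dev/null 2>&1
  openssl genpkey -algorithm RSA -out "$d/other.key" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=not-our-ca" \
    -keyout "$d/rogue.key" -out "$d/rogue.pem" >/dev/null 2>&1
}

# Run with "demo" as the first argument to exercise the check on the demo data;
# otherwise pass CERT KEY CA to check your own files.
if [ "${1:-}" = "demo" ]; then
  D=$(mktemp -d)
  make_demo_material "$D"
  check_pair_and_chain "$D/good.pem" "$D/good.key" "$D/ca.pem" && echo "matching pair, correct CA: OK"
  check_pair_and_chain "$D/good.pem" "$D/other.key" "$D/ca.pem" || echo "wrong key rejected"
  check_pair_and_chain "$D/rogue.pem" "$D/rogue.key" "$D/ca.pem" || echo "wrong CA rejected"
  rm -rf "$D"
elif [ $# -eq 3 ]; then
  check_pair_and_chain "$1" "$2" "$3" && echo "OK: pair matches and chains to CA"
fi
```

Run it as `sh check_peering_creds.sh appliance.pem appliance.key ca.pem` before pasting the files into the appliance; a non-zero exit means the upload would leave the appliance unable to form secure peering relationships.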