
Managing Server Authentication

Aug 20, 2013

Because the NetScaler appliance performs SSL offload and acceleration on behalf of a web server, the appliance does not usually authenticate the web server's certificate. However, you can authenticate the server in deployments that require end-to-end SSL encryption.

In such a situation, the NetScaler becomes the SSL client, carries out a secure transaction with the SSL server, verifies that a CA whose certificate is bound to the SSL service has signed the server certificate, and checks the validity of the server certificate.

To authenticate the server, you must first enable server authentication and then bind the certificate of the CA that signed the server's certificate to the SSL service on the NetScaler. When binding the certificate, you must specify the -CA option so that it is bound as a CA certificate.

To enable (or disable) server certificate authentication by using the command line interface

At the command prompt, type the following commands to enable server certificate authentication and verify the configuration:

  • set ssl service <serviceName> -serverAuth ( ENABLED | DISABLED )
  • show ssl service <serviceName>

Example

 
> set ssl service ssl-service-1 -serverAuth ENABLED 
 Done 
> show ssl service ssl-service-1 
 
        Advanced SSL configuration for Back-end SSL Service ssl-service-1: 
        DH: DISABLED 
        Ephemeral RSA: DISABLED 
        Session Reuse: ENABLED          Timeout: 300 seconds 
        Cipher Redirect: DISABLED 
        SSLv2 Redirect: DISABLED 
        Server Auth: ENABLED 
        SSL Redirect: DISABLED 
        Non FIPS Ciphers: DISABLED 
        SSLv2: DISABLED SSLv3: ENABLED  TLSv1: ENABLED 
 
1)      Cipher Name: ALL 
        Description: Predefined Cipher Alias 
 Done

To enable (or disable) server certificate authentication by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Services, and open an SSL service.
  2. In the SSL Parameters section, select Enable Server Authentication, and specify a Common Name.
  3. In Advanced Settings, select Certificates, and bind a CA certificate to the service.

To bind the CA certificate to the service by using the command line interface

At the command prompt, type the following commands to bind the CA certificate to the service and verify the configuration:

  • bind ssl service <serviceName> -certkeyName <string> -CA
  • show ssl service <serviceName>

Example

 
> bind ssl service ssl-service-1 -certkeyName samplecertkey -CA 
 Done 
> show ssl service ssl-service-1 
 
        Advanced SSL configuration for Back-end SSL Service ssl-service-1: 
        DH: DISABLED 
        Ephemeral RSA: DISABLED 
        Session Reuse: ENABLED          Timeout: 300 seconds 
        Cipher Redirect: DISABLED 
        SSLv2 Redirect: DISABLED 
        Server Auth: ENABLED 
        SSL Redirect: DISABLED 
        Non FIPS Ciphers: DISABLED 
        SSLv2: DISABLED SSLv3: ENABLED  TLSv1: ENABLED 
 
1)      CertKey Name: samplecertkey     CA Certificate          CRLCheck: Optional 
 
1)      Cipher Name: ALL 
        Description: Predefined Cipher Alias 
 Done
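
Both steps above (enabling server authentication and binding the signing CA) can be confirmed from saved `show ssl service` output. The following Python check is an added example, not part of the product documentation; it assumes the output layout shown in the examples on this page, and the function name `audit_service` is hypothetical.

```python
import re

# Constructed sample, trimmed from the example output shown on this page.
SAMPLE_BOUND = """\
        Advanced SSL configuration for Back-end SSL Service ssl-service-1:
        Session Reuse: ENABLED          Timeout: 300 seconds
        Server Auth: ENABLED
        SSLv2: DISABLED SSLv3: ENABLED  TLSv1: ENABLED

1)      CertKey Name: samplecertkey     CA Certificate          CRLCheck: Optional

1)      Cipher Name: ALL
        Description: Predefined Cipher Alias
 Done
"""
# Constructed sample: the same service before any CA certificate is bound.
SAMPLE_UNBOUND = "".join(
    line for line in SAMPLE_BOUND.splitlines(True) if "CertKey Name" not in line
)

# Patterns follow the layout of the example output (an assumption).
SERVICE_RE = re.compile(r"Back-end SSL Service (\S+):\s*$", re.M)
AUTH_RE = re.compile(r"^\s*Server Auth:\s*(ENABLED|DISABLED)\b", re.M)
CA_RE = re.compile(
    r"^\d+\)\s+CertKey Name:\s*(\S+)\s+CA Certificate\b(?:\s+CRLCheck:\s*(\S+))?",
    re.M,
)

def audit_service(output):
    """Report whether server authentication is on and a CA certificate is bound."""
    svc = SERVICE_RE.search(output)
    auth = AUTH_RE.search(output)
    cas = [{"certkey": m.group(1), "crl_check": m.group(2)}
           for m in CA_RE.finditer(output)]
    findings = []
    if auth is None:
        findings.append("Server Auth line not found")
    elif auth.group(1) != "ENABLED":
        findings.append("server authentication is disabled")
    if not cas:
        findings.append("no CA certificate bound to the service")
    return {
        "service": svc.group(1) if svc else None,
        "server_auth": auth.group(1) if auth else None,
        "ca_certs": cas,
        "findings": findings,
    }

if __name__ == "__main__":
    for sample in (SAMPLE_BOUND, SAMPLE_UNBOUND):
        print(audit_service(sample))
```

An empty `findings` list means the output shows both the enabled setting and at least one CA binding; it does not validate the certificate chain itself.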