WebMux supports SSL termination, offloading SSL encryption
and decryption from the servers CPUs. In addition, for L7 logic to work, the
SSL encrypted traffic must be decrypted first by WebMux so that the traffic can
be inspected and directed correctly based on its cookie or URL.
To make the SSL termination working, you will need to have
SSL certificates created and signed by a CA (certificate authority),
which normally paid Microsoft or Google to have its
CA root pre-installed in the IE browser or Firefox browser. Of course you can
self sign your SSL certificate, which will have same security level as CA signed
certificate. However, self-signed SSL certificate will trigger visitor′s browser to pop
up a window asking for confirmation.
This document illustrates how to create the SSL certificate
request and how to install CA signed certificate into WebMux.
1). Here is how to create a CSR and how to create a farm
using SSL termination.
From the main management console page, click on the SSL keys
button:
Click on an unused key slot, for example "key 3" in picture
below (or you can delete the sample keys and go from there).
In the next page, select "use newly generated nnnn-bit RSA key" from the
drop down menu above the private key box with the desired bit strength.
Click on the confirm button and you will be brought into the
Certificate Request Generation page. Fill in the fields below and clicks
confirm:
WebMux will display the Certificate Signing Request(CSR) based
on those information you provided. The CSR contains your information and your public
key. This CSR is to be send to the CA. Please copy and paste it into a text file
and keep a copy for safety. Do not click confirm button until you have copied and pasted this
into a file and saved it, since WebMux does not keep this information.
CA will sign your CSR and let you download signed certificate. Since
the CSR contains your public key, signed certificate will only work with the matching
private key generated in this step. If you mismatched different public key and
private key, they would not work. To prevent the mismatch key pairs, label your
private key properly in next step is important. Once you clicked "Confirm"
button, you will be bring to next page:
The private key matches the public key in your CSR is now in
the private key text box. In the private key text box, it is recommended putting
in a comment to identify the key slot and its status. If you add a comment to
the private key, you need select "use new private key pasted in" then "confirm"
so that the private key box gets properly updated.
Once you received your signed CA, please paste it in the
certificate field. Be sure to include the -----BEGIN and END----- header and
footers. You can import certificates in PEM format (the format generally used
for Linux Apache). If you were given an intermediate certificate along with
the certificate, you can paste it below the main certificate along with its own
-----BEGIN and END----- header and footer. The signed certificates order in the
certificate field is significant.
Now from "modify farmquot; screen, one can select the SSL key
slot for being used for SSL termination. Please note after SSL termination,
the traffic between WebMux and server are not encrypted. For the web server,
that is HTTP only. If your farm was HTTP/HTTPS before, you will need to
recreate the farm to use the "service" HTTP - hypertext transfer protocol (TCP),
so that SSL termination logic having chance to listen to the SSL
port(otherwise, the port will be used twice and cause conflict). Then select
the key slot from the "SSL termination" drop down menu. Clicks confirm.
Your farm should now show the port 80 (443). The 443 inside
the parenthesis means the WebMux is configured to do SSL termination for that
farm.
Is this easy to do? Have fun with WebMux!
