NetScaler 10.5 SSL Offload and Acceleration

SSL Offload and Acceleration
2015-01-16 04:50:24 UTC

2015 Citrix Systems, Inc. All rights reserved. Terms of Use | Trademarks | Privacy Statement
Contents
SSL Offload and Acceleration...............................................................................
Configuring SSL Offloading......................................................................
Enabling SSL Processing....................................................................
Configuring Services........................................................................
Configuring an SSL-Based Virtual Server ................................................
12
Binding Services to the SSL-Based Virtual Server ......................................
15
Adding or Updating a Certificate-Key Pair..............................................
18
Binding the Certificate-Key Pair to the SSL-Based Virtual Server ...................
22
Configuring an SSL Virtual Server for Secure Hosting of Multiple Sites ............
25
Configuring a DTLS Virtual Server ........................................................
28
DTLS Profile .................................................................................
32
Importing SSL Files from Remote Hosts .................................................
34
SSL Profiles ..................................................................................
38
Managing Certificates ...........................................................................
42
Obtaining a Certificate from a Certificate Authority .................................
43
Importing Existing Certificates and Keys................................................
48
Generating a Self-Signed Certificate ....................................................
50
Adding a Group of SSL Certificates ......................................................
56
Adding and Linking a Certificate Set ...............................................
57
Creating a Chain of Certificates ....................................................
60
Displaying a Certificate Chain ............................................................
62
Generating a Server Test Certificate ....................................................
65
Modifying and Monitoring Certificates and Keys .......................................
66
Using Global Site Certificates.............................................................
71
Converting the Format of SSL Certificates for Import or Export ....................
74
Managing Certificate Revocation Lists ........................................................
76
Creating a CRL on the NetScaler .........................................................
77
Adding an Existing CRL to the NetScaler ................................................
79
Configuring CRL Refresh Parameters ....................................................
81
Synchronizing CRLs .........................................................................
85
Performing Client Authentication by using a Certificate Revocation List..........
87
Monitoring Certificate Status with OCSP .....................................................
90
NetScaler Implementation of OCSP ......................................................
91
OCSP Request Batching ....................................................................
92
OCSP Response Caching....................................................................
93
Configuring an OCSP Responder ..........................................................
94
Configuring Client Authentication .............................................................
101
Providing the Client Certificate ..........................................................
103
Enabling Client-Certificate-Based Authentication .....................................
104
Binding CA Certificates to the Virtual Server ..........................................
106
Customizing the SSL Configuration ............................................................
107
Configuring Diffie-Hellman (DH) Parameters ...........................................
108
Configuring Ephemeral RSA ...............................................................
110
Configuring Session Reuse .................................................................
112
Configuring Cipher Redirection ...........................................................
114
Configuring SSLv2 Redirection ............................................................
116
Configuring SSL Protocol Settings ........................................................
118
Configuring Close-Notify...................................................................
121
Configuring ECDHE Ciphers................................................................
124
Configuring a Common Name on an SSL Service or Service Group for Server

Certificate Authentication ................................................................
127
Configuring Advanced SSL Settings.......................................................
130
Synchronizing Configuration Files in a High Availability Setup ......................
136
Managing Server Authentication..........................................................
138
Configuring User-Defined Cipher Groups on the NetScaler Appliance..............
141
Configuring SSL Actions and Policies ..........................................................
146
Configuring User-Defined Actions for SSL Policies .....................................
147
Configuring SSL Policies....................................................................
151
Configuring an SSL Default Syntax Policy ...............................................
152
Configuring Built-in Actions for SSL Default Syntax Policies .........................
155
Configuring SSL Policy Labels .............................................................
157
Configuring Per-Directory Client Authentication ......................................
159
Configuring Support for Outlook Web Access...........................................
163
Configuring SSL-Based Header Insertion ................................................
167
Binding SSL Policies to a Virtual Server .................................................
169
Binding SSL Policies Globally..............................................................
171
Commonly Used SSL Configurations ...........................................................
172
Configuring SSL Offloading with End-to-End Encryption ..............................
173
Configuring Transparent SSL Acceleration ..............................................
175
Configuring SSL Acceleration with HTTP on the Front End and SSL on the Back
End ............................................................................................
179
SSL Offloading with Other TCP Protocols ...............................................
180
Configuring SSL Bridging ...................................................................
181
Configuring the SSL Feature for Commonly Used Deployment Scenarios................
182
Configuring an SSL Virtual Server for Load Balancing .................................
183
Configuring a Secure Content Switching Server........................................
184
Configuring SSL Monitoring when Client Authentication is Enabled on the

Backend Service.............................................................................
186
Ciphers Supported by the NetScaler Appliance..............................................
190
FIPS .................................................................................................
196
Configuring the HSM........................................................................
197
Creating and Transferring FIPS Keys .....................................................
201
Creating a FIPS Key ...................................................................
202
Exporting a FIPS Key ..................................................................
204
Importing an Existing FIPS Key ......................................................
206
Importing External Keys ..............................................................
209
Configuring FIPS Appliances in a High Availability Setup .............................
213
Resetting a Locked HSM ...................................................................
218
FIPS Approved Algorithms and Ciphers ..................................................
221
Support for Thales nShield HSM ..............................................................
222
Architecture Overview .....................................................................
223
Prerequisites ................................................................................
225
Configuring the ADC-Thales Integration.................................................
226
Enabling Remote Configuration Push on the HSM ................................
229
Configure the ADC to use the Thales HSM .........................................
230
Create an HSM RSA Key...............................................................
235
Configure the Entities on the ADC ..................................................
238
Limitations...................................................................................
248
Appendix .....................................................................................
249
Troubleshooting ..................................................................................
251
Resources for Troubleshooting ...........................................................
252
Troubleshooting SSL Issues ................................................................
253
SSL Offload and Acceleration

A Citrix NetScaler appliance configured for SSL acceleration transparently accelerates
SSL transactions by offloading SSL processing from the server. To configure SSL offloading,
you configure a virtual server to intercept and process SSL transactions, and send the
decrypted traffic to the server (unless you configure end-to-end encryption, in which case
the traffic is re-encrypted). Upon receiving the response from the server, the appliance
completes the secure transaction with the client. From the client's perspective, the
transaction seems to be directly with the server. A NetScaler configured for SSL
acceleration also performs other configured functions, such as load balancing.
Configuring SSL offloading requires an SSL certificate and key pair, which you must obtain if
you do not already have an SSL certificate. Other SSL-related tasks that you might need to
perform include managing certificates, managing certificate revocation lists, configuring
client authentication, and managing SSL actions and policies.
A non-FIPS NetScaler appliance stores the servers private key on the hard disk. On a FIPS
appliance, the key is stored in a cryptographic module known as a hardware security
module (HSM). Only the MPX 9700/10500/12500/15500 appliances support a FIPS card, so
other NetScaler models cannot be equipped with an HSM.
Beginning with release 10.5, build 52.1115.e, all NetScaler appliances that do not support a
FIPS card (including virtual appliances) support the Thales nShield Connect external HSM.
(MPX 9700/10500/12500/15500 appliances do not support an external HSM.)
Note: FIPS-related options for some of the SSL configuration procedures described in this
document are specific to a FIPS-enabled NetScaler.
Configuring SSL Offloading

To configure SSL offloading, you must enable SSL processing on the NetScaler appliance and
configure an SSL based virtual server that will intercept SSL traffic, decrypt the traffic, and
forward it to a service that is bound to the virtual server. To secure time-sensitive traffic,
such as media streaming, you can configure a DTLS virtual server.To enable SSL offloading,
you must import a valid certificate and key and bind the pair to the virtual server.
Enabling SSL Processing

To process SSL traffic, you must enable SSL processing. You can configure SSL based
entities, such as virtual servers and services, without enabling SSL processing, but they will
not work until SSL processing is enabled.
To enable SSL processing by using the command line

interface
At the command prompt, type:
enable ns feature ssl
show ns feature
Example
> enable ns feature SSL

Done
> show ns feature
Feature
------Web Logging
Surge Protection
Load Balancing
1)
2)
3)
.
.
.
9)
SSL Offloading
.
.
.
24) NetScaler Push
Done
Acronym
------WL
SP
LB
SSL
push
Status
-----OFF
ON
ON
ON
OFF
To enable SSL processing by using the configuration

utility
Navigate to System > Settings and, in the Modes and Features group, select Configure Basic
Features, and select SSL Offloading.
Enabling SSL Processing
Parameter Descriptions (of commands listed in the

CLI procedure)
enable ns feature
No parameters provided in this topic or the command has no parameters. View
description(s) in command reference Top
show ns feature
Configuring Services
On the NetScaler appliance, a service represents a physical server or an application on a
physical server. Once configured, services are in the disabled state until the appliance can
reach the physical server on the network and monitor its status.
To add a service by using the command line interface

At the command prompt, type the following commands to add a service and verify the
configuration:
add service <name> (<IP> | <serverName>) <serviceType> <port>
show service <serviceName>
Example
> add service ssl1 10.102.29.252 HTTP 80

Done
> show service ssl1
ssl1 (10.102.29.252:80) - HTTP
State: UP
Last state change was at Thu Nov 12 05:26:31 2009
Time since last state change: 0 days, 00:00:06.750
Server Name: 10.102.29.252
Server ID : 0 Monitor Threshold : 0
Max Conn: 0
Max Req: 0
Max Bandwidth: 0 kbits
Use Source IP: NO
Client Keepalive(CKA): NO
Access Down Service: NO
TCP Buffering(TCPB): YES
HTTP Compression(CMP): YES
Idle timeout: Client: 180 sec Server: 360 sec
Client IP: DISABLED
Cacheable: NO
SC: OFF
SP: ON
Down state flush: ENABLED
1)
Done
Monitor Name: tcp-default

State: UP
Weight: 1
Probes: 2
Failed [Total: 0 Current: 0]
Last response: Success - TCP syn+ack received.
Response Time: N/A
To modify or remove a service by using the command

line interface
To modify a service, use the set service command, which is just like using the add service
command, except that you enter the name of an existing service. To remove a service, use
the rm service command, which accepts only the <name> argument.
To configure a service by using the configuration

utility
Navigate to Traffic Management > Load Balancing > Services, create a service, and specify
the protocol as SSL.

CLI procedure)
add service
name
Name for the service. Must begin with an ASCII alphabetic or underscore (_) character,
and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon
(:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the service
has been created.
IP
IP to assign to the service.
serverName
Name of the server that hosts the service.
serviceType
Protocol in which data is exchanged with the service.
Possible values: HTTP, FTP, TCP, UDP, SSL, SSL_BRIDGE, SSL_TCP, DTLS, NNTP, RPCSVR,
DNS, ADNS, SNMP, RTSP, DHCPRA, ANY, SIP_UDP, DNS_TCP, ADNS_TCP, MYSQL, MSSQL,
ORACLE, RADIUS, RDP, DIAMETER, SSL_DIAMETER, TFTP
port
Port number of the service.
View description(s) in command reference Top
10
show service
11
Configuring an SSL-Based Virtual Server

Secure sessions require establishing a connection between the client and an SSL-based
virtual server on the NetScaler appliance. The SSL virtual server intercepts SSL traffic,
decrypts it and processes it before sending it to services that are bound to the virtual
server.
Note: The SSL virtual server is marked as down on the NetScaler appliance until a valid
certificate / key pair and at least one service are bound to it. An SSL based virtual server
is a load balancing virtual server of protocol type SSL or SSL_TCP. The load balancing
feature must be enabled on the NetScaler.
To add an SSL-based virtual server by using the

command line interface
At the command prompt, type the following commands to create an SSL-based virtual
server and verify the configuration:
add lb vserver <name> (serviceType) <IPAddress> <port>
show lb vserver <name>
Example
> add lb vserver vssl SSL 10.102.29.133 443

Done
> show ssl vserver vssl
Advanced SSL configuration for VServer vssl:
DH: DISABLED
Ephemeral RSA: ENABLED
Refresh Count: 0
Session Reuse: ENABLED
Timeout: 120 seconds
Cipher Redirect: DISABLED
SSLv2 Redirect: DISABLED
ClearText Port: 0
Client Auth: DISABLED
SSL Redirect: DISABLED
Non FIPS Ciphers: DISABLED
SSLv2: DISABLED SSLv3: ENABLED TLSv1: ENABLED
1)
Cipher Name: DEFAULT

Description: Predefined Cipher Alias
Done
12
To modify or remove an SSL-based virtual server by

using the command line interface
To modify the load balancing properties of an SSL virtual server, use the set lb vserver
command, which is just like using the add lb vserver command, except that you enter the
name of an existing vserver. To modify the SSL properties of an SSL-based virtual server,
use the set ssl vserver command. For more information, see Customizing the SSL
Configuration.
To remove an SSL virtual server, use the rm lb vserver command, which accepts only the
<name> argument.
To configure an SSL-based virtual server by using the

configuration utility
Navigate to Traffic Management > Load Balancing > Virtual Servers, create a virtual server,
and specify the protocol as SSL.

CLI procedure)
add lb vserver
name
Name for the virtual server. Must begin with an ASCII alphanumeric or underscore (_)
character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.),
space, colon (:), at sign (@), equal sign (=), and hyphen (-) characters. Can be changed
after the virtual server is created.
CLI Users: If the name includes one or more spaces, enclose the name in double or single
quotation marks (for example, "my vserver" or 'my vserver').
serviceType
Protocol used by the service (also called the service type).
Possible values: HTTP, FTP, TCP, UDP, SSL, SSL_BRIDGE, SSL_TCP, DTLS, NNTP, DNS,
DHCPRA, ANY, SIP_UDP, DNS_TCP, RTSP, PUSH, SSL_PUSH, RADIUS, RDP, MYSQL, MSSQL,
DIAMETER, SSL_DIAMETER, TFTP, ORACLE
show lb vserver
name
13

Name of the virtual server. If no name is provided, statistical data of all configured
virtual servers is displayed.
14
Binding Services to the SSL-Based Virtual

Server
For the NetScaler appliance to forward decrypted SSL data to servers in the network,
services representing these physical servers must be bound to the virtual server that
receives the SSL data.
Because the link between the NetScaler and the physical server is typically secure, data
transfer between the appliance and the physical server does not have to be encrypted.
However, you can provide end-to end-encryption by encrypting data transfer between the
NetScaler and the server. For details, see Configuring SSL Offloading with End-to-End
Encryption.
Note: The Load Balancing feature should be enabled on the NetScaler appliance before
you bind services to the SSL based virtual server.
To bind a service to a virtual server by using the

At the command prompt, type the following commands to bind the service to the virtual
bind lb vserver <name> <serviceName>
Example
> bind lb vserver vssl ssl1

Done
> show lb vserver vssl
vssl (10.102.29.133:443) - SSL Type: ADDRESS
State: DOWN[Certkey not bound]
Last state change was at Thu Nov 12 05:31:17 2009 (+485 ms)
Effective State: DOWN
Client Idle Timeout: 180 sec
Disable Primary Vserver On Down : DISABLED
No. of Bound Services : 1 (Total)
1 (Active)
Configured Method: LEASTCONNECTION
Mode: IP
Persistence: NONE
Vserver IP and Port insertion: OFF
Push: DISABLED Push VServer:
15
Binding Services to the SSL-Based Virtual Server

Push Multi Clients: NO
Push Label Rule: none
1) ssl1 (10.102.29.252: 80) - HTTP State: UP
Done
Weight: 1
To unbind a service from a virtual server by using the

At the command prompt, type the following command:
unbind lb vserver <name> <serviceName>
Example
unbind lb vserver vssl ssl1
To bind a service to a virtual server by using the

1. Navigate to Traffic Management > Load Balancing > Virtual Servers.
2. Open a virtual server, and click in the Services section to bind a service to the virtual
server.

CLI procedure)
bind lb vserver
name
serviceName
Name of the service.
16
Binding Services to the SSL-Based Virtual Server

show lb vserver
name
unbind lb vserver
name
serviceName
17
Adding or Updating a Certificate-Key Pair

For any SSL transaction, the server needs a valid certificate and the corresponding private
and public key pair. The SSL data is encrypted with the server's public key, which is
available through the server's certificate. Decryption requires the corresponding private
key.
Because the NetScaler appliance offloads SSL transactions from the server, the server's
certificate and private key must be present on the appliance, and the certificate must be
paired with its corresponding private key. This certificate-key pair must then be bound to
the virtual server that processes the SSL transactions.
Both the certificate and the key must be in local storage on the NetScaler appliance before
they can be added to the appliance. If your certificate or key file is not on the appliance,
upload it to the appliance before you create the pair.
Important: Certificates and keys are stored in the /nsconfig/ssl directory by default. If
your certificates or keys are stored in any other location, you must provide the absolute
path to the files on the NetScaler appliance. The NetScaler FIPS appliances do not
support external keys (non-FIPS keys). On a FIPS appliance, you cannot load keys from a
local storage device such as a hard disk or flash memory. The FIPS keys must be present
in the Hardware Security Module (HSM) of the appliance.
On a NetScaler MPX appliance and a NetScaler FIPS appliance, only RSA private keys are
supported. On a VPX virtual appliance, both RSA and DSA private keys are supported. On an
SDX appliance if SSL chips are assigned to an instance, then only RSA private keys are
supported. However, if SSL chips are not assigned to an instance, then both RSA and DSA
private keys are supported. In all the cases, you can bind a CA certificate with either RSA or
DSA keys.
Set the notification period and enable the expiry monitor to be prompted before the
certificate expires.
Note: A certificate must be signed by using one of the following hash algorithms:
MD5
SHA-1
SHA-224
SHA-256
SHA-384
SHA-512
An MPX appliance supports certificates from 512-bits up to the following sizes:
18
4096-bit server certificate on the virtual server
4096-bit client certificate on the service
4096-bit CA certificate (includes intermediate and root certificates)
4096-bit certificate on the back end server
4096-bit client certificate (if client authentication is enabled on the virtual server)
A virtual appliance supports certificates from 512-bits up to the following sizes:
4096-bit CA certificate (includes intermediate and root certificates)
2048-bit certificate on the back end server
To add a certificate-key pair by using the command

line interface
At the command prompt, type the following commands to add a certificate-key pair and
verify the configuration:
add ssl certKey <certkeyName> -cert <string>[(-key <string> [-password]) | -fipsKey

<string>] [-inform ( DER | PEM )] [<passplain>] [-expiryMonitor ( ENABLED | DISABLED )
[-notificationPeriod <positive_integer>]]
show ssl certKey [<certkeyName>]
Example
> add ssl certKey sslckey -cert server_cert.pem -key server_key.pem -password ssl -expiryMonitor ENABLED Done
Note: For FIPS appliances, replace -key with -fipskey
> show ssl certKey sslckey
Name: sslckey
Status: Valid, Days to expiration:8418
Version: 3
Serial Number: 01
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US,ST=SJ,L=SJ,O=NS,OU=NSSSL,CN=www.root.com
Validity
Not Before: Jul 15 02:25:01 2005 GMT
Not After : Nov 30 02:25:01 2032 GMT
Subject: C=US,ST=SJ,L=SJ,O=NS,OU=NSSSL,CN=www.server.com
Public Key Algorithm: rsaEncryption
Public Key size: 1024
Done
19
To update or remove a certificate-key pair by using

the command line interface
To modify the expiry monitor or notification period in a certificate-key pair, use the set ssl
certkey command. To replace the certificate or key in a certificate-key pair, use the
update ssl certkey command. The update ssl certkey command has an additional parameter
for overriding the domain check. For both commands, enter the name of an existing
certificate-key pair. To remove an SSL certificate-key pair, use the rm ssl certkey
command, which accepts only the <certkeyName> argument.
To add or update a certificate-key pair by using the

Navigate to Traffic Management > SSL > Certificates, and configure a certificate-key pair.

CLI procedure)
add ssl certKey
certkeyName
Name for the certificate and private-key pair. Must begin with an ASCII alphanumeric or
underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash
(#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be
changed after the certificate-key pair is created.
The following requirement applies only to the NetScaler CLI:
If the name includes one or more spaces, enclose the name in double or single quotation
marks (for example, "my cert" or 'my cert').
cert
Name of and, optionally, path to the X509 certificate file that is used to form the
certificate-key pair. The certificate file should be present on the appliance's hard-disk
drive or solid-state drive. Storing a certificate in any location other than the default
might cause inconsistency in a high availability setup. /nsconfig/ssl/ is the default path.
key
Name of and, optionally, path to the private-key file that is used to form the
fipsKey
20

Name of the FIPS key that was created inside the Hardware Security Module (HSM) of a
FIPS appliance, or a key that was imported into the HSM.
inform
Input format of the certificate and the private-key files. The two formats supported by
the appliance are:
PEM - Privacy Enhanced Mail
DER - Distinguished Encoding Rule
Possible values: DER, PEM
Default value: FORMAT_PEM
expiryMonitor
Issue an alert when the certificate is about to expire.
Possible values: ENABLED, DISABLED
notificationPeriod
Time, in number of days, before certificate expiration, at which to generate an alert
that the certificate is about to expire.
Minimum value: 10
Maximum value: 100
show ssl certKey

certkeyName
Name of the certificate-key pair for which to show detailed information.
21
Binding the Certificate-Key Pair to the

SSL-Based Virtual Server
An SSL certificate is an integral element of the SSL encryption and decryption process. The
certificate is used during an SSL handshake to establish the identity of the SSL server.
The certificate being used for processing SSL transactions must be bound to the virtual
server that receives the SSL data. If you have multiple virtual servers receiving SSL data, a
valid certificate-key pair must be bound to each of them.
You can use a valid, existing SSL certificate that you have uploaded to the NetScaler
appliance. As an alternative for testing purposes, you can create your own SSL certificate
on the appliance. Intermediate certificates created by using a FIPS key on the NetScaler
cannot be bound to an SSL virtual server.
As a part of the SSL handshake, in the certificate request message during client
authentication, the server lists the distinguished names (DNs) of all the certificate
authorities (CAs) bound to the server from which it will accept a client certificate. If you do
not want the DN name of a specific CA certificate to be sent to the SSL client, set the
skipCA flag. This setting indicates that the particular CA certificate's distinguished name
should not be sent to the SSL client.
For details on how to create your own certificate, see Managing Certificates.
Note: Citrix recommends that you use only valid SSL certificates that have been issued by
a trusted certificate authority.
To bind an SSL certificate-key pair to a virtual server

by using the command line interface
At the command prompt, type the following commands to bind an SSL certificate-key pair
to a virtual server and verify the configuration:
bind ssl vserver <vServerName> -certkeyName <certificate-KeyPairName> -CA

-skipCAName
show ssl vserver <vServerName>
Example
> bind ssl vs vs1 -certkeyName cert2 -CA -skipCAName

Done
> sh ssl vs vs1
Advanced SSL configuration for VServer vs1:
DH: DISABLED
22
Binding the Certificate-Key Pair to the SSL-Based Virtual Server

Ephemeral RSA: ENABLED Refresh Count: 0
Session Reuse: ENABLED Timeout: 120 seconds
ClearText Port: 0
SNI: DISABLED
Push Encryption Trigger: Always
Send Close-Notify: YES
1) CertKey Name: cert1 CA Certificate OCSPCheck: Optional CA_Name Sent
2) CertKey Name: cert2 CA Certificate OCSPCheck: Optional CA_Name Skipped
1) Cipher Name: DEFAULT
Done
To unbind an SSL certificate-key pair from a virtual

server by using the command line interface
If you try to unbind a certificate-key pair from a virtual server by using the unbind ssl
certKey <certkeyName> command, an error message appears because the syntax of the
command has changed. At the command prompt, type the following command:
unbind ssl vserver <vServerName> -certkeyName <string>
Example
unbind ssl vserver vssl -certkeyName sslckey
To bind an SSL certificate-key pair to a virtual server

by using the configuration utility
2. Open an SSL virtual server and, in Advanced Settings, click SSL Certificate.
3. Bind a server certificate or CA certificate to the virtual server. To add a server
certificate as an SNI certificate, select Server Certificate for SNI.
23
Binding the Certificate-Key Pair to the SSL-Based Virtual Server

CLI procedure)
bind ssl vserver
vServerName
Name of the SSL virtual server.
certkeyName
Name of the certificate-key pair.
show ssl vserver

vServerName
Name of the SSL virtual server for which to show detailed information.
unbind ssl vserver

vServerName
certkeyName
The name of the certificate key pair binding.
24
Configuring an SSL Virtual Server for

Secure Hosting of Multiple Sites
Virtual hosting is used by Web servers to host more than one domain name with the same IP
address. The NetScaler supports hosting of multiple secure domains by offloading SSL
processing from the Web servers using transparent SSL services or vserver-based SSL
offloading. However, when multiple Web sites are hosted on the same virtual server, the
SSL handshake is completed before the expected host name is sent to the virtual server. As
a result, the NetScaler cannot determine which certificate to present to the client after a
connection is established. This problem is resolved by enabling Server Name Indication (SNI)
on the virtual server. SNI is a Transport Layer Security (TLS) extension used by the client to
provide the host name during handshake initiation. Based on the information provided by
the client in the SNI extension, the NetScaler presents the corresponding certificate to the
client.
A wildcard SSL Certificate helps enable SSL encryption on multiple subdomains if the
domains are controlled by the same organization and share the same second-level domain
name. For example, a wildcard certificate issued to a sports network using the common
name "*.sports.net" can be used to secure domains, such as "login.sports.net" and
"help.sports.net" but not "login.ftp.sports.net."
Note: On a NetScaler appliance, SNI is not supported with a Subject Alternative Name
(SAN) extension certificate.
You can bind multiple server certificates to a single SSL virtual server or transparent service
using the -SNICert option. These certificates are issued by the virtual server or service if SNI
is enabled on the virtual server or service. You can enable SNI at any time.
To bind multiple server certificates to a single SSL

virtual server by using the command line interface
At the command prompt, type the following commands to configure SNI and verify the
configuration:
set ssl vserver <vServerName>@ [-SNIEnable ( ENABLED | DISABLED )]
bind ssl vserver <vServerName>@ -certkeyName <string> -SNICert

To bind multiple server certificates to a transparent service by using the NetScaler
command line, replace vserver with service and vservername with servicename in the
above commands.
Note: The SSL service should be created with -clearTextPort 80 option.
Example
25
Configuring an SSL Virtual Server for Secure Hosting of Multiple Sites
set ssl vserver v1 -snI ENABLED

bind ssl vserver v1 -certkeyName serverabc -SNICert
sh ssl vserver v1
Advanced SSL configuration for VServer v1:

SNI: ENABLED
1)CertKey Name: servercert Server Certificate
1)CertKey Name: abccert Server Certificate for SNI
2)CertKey Name: xyzcert Server Certificate for SNI
3)CertKey Name: startcert Server Certificate for SNI
1)Cipher Name: DEFAULT
Done
To bind multiple server certificates to a single SSL

virtual server or transparent SSL service by using the
2. Open an SSL virtual server and, in Advanced Settings, click SSL Parameters.
3. Select SNI Enable.

CLI procedure)
set ssl vserver
SNIEnable
State of the Server Name Indication (SNI) feature on the virtual server and service-based
offload. SNI helps to enable SSL encryption on multiple domains on a single virtual server
or service if the domains are controlled by the same organization and share the same
second-level domain name. For example, *.sports.net can be used to secure domains
such as login.sports.net and help.sports.net.
Default value: DISABLED
26
Configuring an SSL Virtual Server for Secure Hosting of Multiple Sites
bind ssl vserver

certkeyName
show ssl vserver

vServerName
27
Configuring a DTLS Virtual Server

The SSL and TLS protocols have traditionally been used to secure streaming traffic. Both of
these protocols are based on TCP, which is very slow. In addition, TLS cannot handle lost or
reordered packets.
UDP is the preferred protocol for audio and video applications, such as Lync, Skype, iTunes,
YouTube, training videos, and flash. However, UDP is not secure or reliable. The DTLS
protocol is designed to secure data over UDP and is used for applications such as media
streaming, VOIP, and online gaming for communication. In DTLS, each handshake message is
assigned a specific sequence number within that handshake. When a peer receives a
handshake message, it can quickly determine whether that message is the next one
expected. If it is, the peer processes the message. If not, the message is queued for
handling after all the previous messages have been received.
You must create a DTLS virtual server and a service of type UDP. By default, a DTLS profile
(nsdtls_default_profile) is bound to the virtual server. Optionally, you can create
and bind a user-defined DTLS profile to the virtual server.
Note: RC4 ciphers are not supported on a DTLS virtual server.
To create a DTLS configuration by using the

command line
add lb vserver <vserver_name> DTLS <IPAddress> <port>
add service <service_name> <IPAddress> UDP 443
bind lb vserver <vserver_name> <udp_service_name>
The following steps are optional:

add dtlsProfile dtls1 -maxretryTime <positive_integer>
set ssl vserver <vserver_name> -dtlsProfileName <dtls_profile_name>
28
To create a DTLS configuration by using the

2. Create a virtual server of type DTLS, and bind a UDP service to the virtual server.
3. A default DTLS profile is bound to the DTLS virtual server. To bind a different profile, in
SSL Parameters, select a different DTLS profile. To create a new profile, click the plus
(+) next to DTLS Profile.
Example
The following example is for an end-to-end DTLS configuration:
>
>
>
>
>
>
>
enable ns feature SSL LB

add server s1 10.102.59.190
add service svc1 s1 UDP 32000
add lb vserver lb1 DTLS 10.102.59.244 443
add ssl certKey servercert -cert server_cert.pem -key server_key.pem
bind ssl vserver lb1 -certkeyname servercert
bind lb vserver lb1 svc1
> sh lb vserver lb1

lb1 (10.102.59.244:443) - DTLS Type: ADDRESS
State: UP
Last state change was at Tue May 20 16:41:27 2014
Effective State: UP
Appflow logging: ENABLED
1 (Active)
Current Method: Round Robin, Reason: A new service is bound
Mode: IP
Persistence: NONE
L2Conn: OFF
Skip Persistency: None
IcmpResponse: PASSIVE
RHIstate: PASSIVE
New Service Startup Request Rate: 0 PER_SECOND, Increment Interval: 0
TD: 0
Mac mode Retain Vlan: DISABLED
DBS_LB: DISABLED
Process Local: DISABLED
1 bound service:
1) svc1 (10.102.59.190: 32000) - UDP State: UP Weight: 1
Done
>
29

> sh ssl vserver lb1
Advanced SSL configuration for VServer lb1:
DH: DISABLED
Refresh Count: 0
ClearText Port: 0
SNI: DISABLED
DTLSv1: ENABLED
DTLS profile name: nsdtls_default_profile
1 bound certificate:
1)
CertKey Name: servercert
Server Certificate
1 configured cipher:
1)

Done
> sh dtlsProfile nsdtls_default_profile

1) Name: nsdtls_default_profile
PMTU Discovery: DISABLED
Max Record Size: 1460 bytes
Max Retry Time: 3 sec
Hello Verify Request: DISABLED
Terminate Session: DISABLED
Max Packet Count: 120 bytes
Done
Features not supported by a DTLS virtual server

The following options cannot be enabled on a DTLS virtual server:
30
SSLv2
SSLv3
TLSv1
TLSv1.1
TLSv1.2
Push encrypt trigger
SSLv2Redirect
SSLv2URL
SNI
Secure renegotiation
Parameters not used by a DTLS virtual server

The following SSL parameters, even if set, are ignored by a DTLS virtual server:
Encryption trigger packet count
PUSH encryption trigger timeout
SSL quantum size
Encryption trigger timeout
Subject/Issuer Name Insertion Format

CLI procedure)
add lb vserver
IPAddress
IPv4 or IPv6 address to assign to the virtual server.
port
Port number for the virtual server.
31
DTLS Profile
A DTLS profile with the default settings is automatically bound to a DTLS virtual server.
However, you can create a new DTLS profile with specific settings to suit your requirement.
To create a DTLS profile by using the command line
add ssl dtlsProfile <name>
how ssl dtlsProfile<name>
Example
> add dtlsProfile dtls1 -helloVerifyRequest ENABLED -maxretryTime 4
Done
> show dtlsProfile dtls1
1)
Name: dtls1
PMTU Discovery: DISABLED
Max Record Size: 1460 bytes
Max Retry Time: 4 sec
Hello Verify Request: ENABLED
Terminate Session: DISABLED
Max Packet Count: 120 bytes
Done
To create a DTLS profile by using the configuration

utility
1. Navigate to System > Profiles > DTLS Profiles and configure a new profile.

CLI procedure)
add ssl dtlsProfile
name
Name for the DTLS profile. Must begin with an ASCII alphanumeric or underscore (_)
space, colon (:), at (@),equals sign (=), and hyphen (-) characters. Cannot be changed
32
DTLS Profile
after the profile is created.
33
Importing SSL Files from Remote Hosts

You can now import SSL resources, such as certificates, private keys , CRLs, and DH keys,
from remote hosts even if FTP access to these hosts is not available. This is especially
helpful in environments where shell access to the remote host is restricted. Default folders
are created in /nsconfig/ssl as follows:
For certificate files: /nsconfig/ssl/certfile
For private keys: the /nsconfig/ssl/keyfile
For CRLs: /var/netscaler/ssl/crlfile
For DH keys: /nsconfig/ssl/dhfile
Imports from both HTTP and HTTPS servers are supported. However, the import fails if the
file is on an HTTPS server that requires client certificate authentication for access.
Note: The import command is not stored in the configuration (ns.conf) file, because
reimporting the file after a restart might cause an error.
To import a certificate file from a remote host by using

the command line
import ssl certFile [<name>] [<src>]
Example
import ssl certfile my-certfile http://www.example.com/file_1
> show ssl certfile
Name : my-certfile
URL : http://www.example.com/file_1
To remove a certificate file, use the rm ssl certFile command, which accepts only the
<name> argument.
To import a key file from a remote host by using the

command line
import ssl keyFile [<name>] [<src>]
34
Example
import ssl keyfile my-keyfile http://www.example.com/key_file
> show ssl keyfile
Name : my-keyfile
URL : http://www.example.com/key_file
To remove a key file, use the rm ssl keyFile command, which accepts only the <name>
argument.
To import a CRL file from a remote host by using the

command line
import ssl crlFile [<name>] [<src>]
Example
import ssl crlfile my-crlfile http://www.example.com/crl_file
> show ssl crlfile
Name : my-crlfile
URL : http://www.example.com/crl_file
To remove a CRL file, use the rm ssl crlFile command, which accepts only the <name>
argument.
To import a DH file from a remote host by using the

command line
import ssl dhFile [<name>] [<src>]
Example
import ssl dhfile my-dhfile http://www.example.com/dh_file
> show ssl dhfile
Name : my-dhfile
URL : http://www.example.com/dh_file
To remove a DH file, use the rm ssl dhFile command, which accepts only the <name>
argument.
35
To import an SSL resource by using the configuration

utility
Navigate to Traffic Management > SSL > Imports, and then select the appropriate tab.

CLI procedure)
import ssl certFile
name
Name to assign to the imported certificate file. Must begin with an ASCII alphanumeric or
(#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. The
following requirement applies only to the NetScaler CLI: If the name includes one or
more spaces, enclose the name in double or single quotation marks (for example, "my
file" or 'my file').
src
URL specifying the protocol, host, and path, including file name, to the certificate file to
be imported. For example, http://www.example.com/cert_file.
NOTE: The import fails if the object to be imported is on an HTTPS server that requires
client certificate authentication for access.
import ssl keyFile

name
Name to assign to the imported key file. Must begin with an ASCII alphanumeric or
underscore(_) character, and must contain only ASCII alphanumeric, underscore, hash
(#), period (.), space, colon (:), at (@),equals (=), and hyphen (-) characters. The
src
URL specifying the protocol, host, and path, including file name, to the key file to be
imported. For example, http://www.example.com/key_file.
36
import ssl crlFile

name
Name to assign to the imported CRL file. Must begin with an ASCII alphanumeric or
src
URL specifying the protocol, host, and path, including file name to the CRL file to be
imported. For example, http://www.example.com/crl_file.
import ssl dhFile

name
Name to assign to the imported DH file. Must begin with an ASCII alphanumeric or
src
URL specifying the protocol, host, and path, including file name, to the DH file to be
imported. For example, http://www.example.com/dh_file.
NOTE: The import fails if the file is on an HTTPS server that requires client certificate
authentication for access.
37
SSL Profiles
You can use an SSL profile to specify how a NetScaler ADC processes SSL traffic. The profile
is a collection of SSL parameter settings for SSL entities, such as virtual servers, services,
and service groups, and offers ease of configuration and flexibility. You are not limited to
configuring only one set of global parameters. You can create multiple sets (profiles) of
global parameters and assign different sets to different SSL entities. SSL profiles are
classified into two categories:
Front end profiles, containing parameters applicable to the front-end entity. That is,
they apply to the entity that receives requests from a client.
Backend profiles, containing parameters applicable to the back-end entity. That is,
they apply to the entity that sends client requests to a server.
Unlike a TCP or HTTP profile, an SSL profile is optional. Therefore, there is no default SSL
profile. The same profile can be reused across multiples entities. If an entity does not have
a profile attached, the values set at the global level apply. For dynamically learned
services, current global values apply.
The following table lists the parameters that are part of each profile.
Front end profile
Backend profile
cipherRedirect, cipherURL
denySSLReneg
clearTextPort*
encryptTriggerPktCount
clientAuth, clientCert
nonFipsCiphers
denySSLReneg
pushEncTrigger
dh, dhFile, dhCount
pushEncTriggerTimeout
dropReqWithNoHostHeader
pushFlag
quantumSize
eRSA, eRSACount
serverAuth
insertionEncoding
commonName
nonFipsCiphers
sessReuse, sessTimeout
pushEncTrigger
SNIEnable
ssl3
pushFlag
sslTriggerTimeout
quantumSize
strictCAChecks
redirectPortRewrite
tls1
sendCloseNotify
sessReuse, sessTimeout
SNIEnable
38
SSL Profiles
ssl3
sslRedirect
sslTriggerTimeout
strictCAChecks
tls1, tls11, tls12
* The clearTextPort parameter applies only to an SSL virtual server.
An error message appears if you try to set a parameter that is not part of the profile (for
example, if you try to set the clientAuth parameter in a backend profile).
Some SSL parameters, such as CRL memory size, OCSP cache size, UndefAction Control, and
UndefAction Data, are not part of any of the above profiles, because these parameters are
independent of entities.
An SSL profile supports the following operations:
AddCreates an SSL profile on the NetScaler ADC. Specify whether the profile is front
end or backend. Front end is the default.
SetModifies the settings of an existing profile.
UnsetSets the specified parameters to their default values. If you do not specify any
parameters, an error message appears. If you unset a profile on an entity, the profile is
unbound from the entity.
RemoveDeletes a profile. A profile that is being used by any entity cannot be deleted.
Clearing the configuration deletes all the entities. As a result, the profiles are also
deleted.
ShowDisplays all the profiles that are available on the NetScaler ADC . If a profile
name is specified, the details of that profile are displayed. If an entity is specified, the
profiles associated with that entity are displayed.
To create an SSL profile by using the command line
39
To add an SSL profile, type: add ssl profile <name> [-sslProfileType (

BackEnd | FrontEnd )]
To modify an existing profile, type: set ssl profile <name>
To unset an existing profile, type: unset ssl profile <name> [-dh]

[-dhFile] [-dhCount] [-eRSA]
To unset an existing profile from an entity, type: unset ssl vserver

<vServerName> sslProfile
To remove an existing profile, type: rm ssl profile <name>
To display an existing profile, type: rm ssl profile <name>
SSL Profiles
Examples
1. Adding a front end (default) profile:
> add sslprofile p1
Done
2. Adding a backend profile:
> add sslprofile p2 -sslprofileType backend -tls1 disabled
Done
3. Enabling settings on a backend profile:
> set sslprofile p2 -serverAuth eNABLED
Done
4. Enabling settings on a frontend profile:
> set sslprofile p1 -clientauth eNABLED -clientcert optional
Done
sh ssl profile p1
1)
Configuration for Front-End SSL profile
Name: p1
DH: DISABLED
Refresh Count: 0
Client Auth: ENABLED Client Cert Required: Optional
SNI: DISABLED
SSLv3: ENABLED TLSv1.0: ENABLED TLSv1.1: DISABLED TLSv1.2: DISABLED
PUSH encryption trigger timeout:
1 ms
Push flag:
0x0 (Auto)
Deny SSL Renegotiation
NO
SSL quantum size:
8 kB
Strict CA checks:
NO
100 mS
Encryption trigger packet count:
45
Subject/Issuer Name Insertion Format: Unicode
Strict Host Header check for SNI enabled SSL sessions:
NO
Done
5. Settings parameters to their default values:

> unset sslprofile p1 -clientauth -clientcert
Done
> sh ssl profile p1
1)
Configuration for Front-End SSL profile
Name: p1
DH: DISABLED
Refresh Count: 0
40
SSL Profiles
SNI: DISABLED
SSLv3: ENABLED TLSv1.0: ENABLED TLSv1.1: DISABLED TLSv1.2: DISABLED
PUSH encryption trigger timeout:
1 ms
Push flag:
0x0 (Auto)
NO
SSL quantum size:
8 kB
Strict CA checks:
NO
100 mS
45
NO
Done
6. Deleting a profile:
> rm sslprofile p1
Done
7. Binding a profile to a virtual server:
> set ssl vserver v1 -sslprofile p3
Done
8. Unbinding a profile from a virtual server:
>unset ssl vserver v1 -sslprofile
Done
To create an SSL profile by using the configuration

utility
Navigate to System > Profiles, select the SSL Profiles tab, and create an SSL profile.
41
Managing Certificates
An SSL certificate, which is an integral part of any SSL transaction, is a digital data form
(X509) that identifies a company (domain) or an individual. The certificate has a public key
component that is visible to any client that wants to initiate a secure transaction with the
server. The corresponding private key, which resides securely on the NetScaler appliance, is
used to complete asymmetric key (or public key) encryption and decryption.
You can obtain an SSL certificate and key in either of the following ways:
From an authorized certificate authority (CA), such as VeriSign
By generating a new SSL certificate and key on the NetScaler appliance
Alternately, you can use an existing SSL certificate on the appliance.

Caution: Citrix recommends that you use certificates obtained from authorized CAs, such
as VeriSign, for all your SSL transactions. Certificates generated on the NetScaler
appliance should be used for testing purposes only, not in any live deployment.
42
Obtaining a Certificate from a Certificate

Authority
A certificate authority (CA) is an entity that issues digital certificates for use in public key
cryptography. Certificates issued or signed by a CA are automatically trusted by
applications, such as web browsers, that conduct SSL transactions. These applications
maintain a list of the CAs that they trust. If the certificate being used for the secure
transaction is signed by any of the trusted CAs, the application proceeds with the
transaction.
To obtain an SSL certificate from an authorized CA, you must create a private key, use that
key to create a certificate signing request (CSR), and submit the CSR to the CA. The only
special characters allowed in the file names are underscore and dot.
Creating a Private Key

The private key is the most important part of a digital certificate. By definition, this key is
not to be shared with anyone and should be kept securely on the NetScaler appliance. Any
data encrypted with the public key can be decrypted only by using the private key.
The appliance supports two encryption algorithms, RSA and DSA, for creating private keys.
You can submit either type of private key to the CA. The certificate that you receive from
the CA is valid only with the private key that was used to create the CSR, and the key is
required for adding the certificate to the NetScaler.
Caution: Be sure to limit access to your private key. Anyone who has access to your
private key can decrypt your SSL data.
All SSL certificates and keys are stored in the /nsconfig/ssl folder on the appliance. For
added security, you can use the Data Encryption Standard (DES) or triple DES (3DES)
algorithm to encrypt the private key stored on the appliance.
Note: The length of the SSL key name allowed includes the length of the absolute path
name if the path is included in the key name.
To create an RSA private key by using the command line

interface
create ssl rsakey <keyFile> <bits> [-exponent ( 3 | F4 )] [-keyform ( DER | PEM )]
Example
> create ssl rsakey Key-RSA-1 1024 -exponent F4 -keyform PEM
43
Obtaining a Certificate from a Certificate Authority
To create a DSA private key by using the command line

interface
create ssl dsakey <keyfile> <bits> [-keyform (DER | PEM)]
Example
> create ssl dsakey Key-DSA-1 1024 -keyform PEM
To create an RSA private key by using the configuration

utility
Navigate to Traffic Management > SSL and, in the SSL Keys group, select Create RSA Key,
and create an RSA key.
To create an DSA private key by using the configuration

utility
Navigate to Traffic Management > SSL and, in the SSL Keys group, select Create DSA Key,
and create a DSA key.
Creating a Certificate Signing Request

The certificate signing request (CSR) is a collection of information, including the domain
name, other important company details, and the private key to be used to create the
certificate. To avoid generating an invalid certificate, make sure that the details you
provide are accurate.
To create a certificate signing request by using the command

line interface
create ssl certreq <reqFile> -keyFile <input_filename> | -fipsKeyName <string>) [-keyForm
(DER | PEM) {-PEMPassPhrase }] -countryName <string> -stateName <string>
-organizationName <string> [-organizationUnitName <string>] [-localityName <string>]
[-commonName <string>] [-emailAddress <string>] {-challengePassword } [-companyName
<string>]
Example
> create ssl certreq csreq1 -keyfile ramp -keyform PEM -countryName IN -stateName Karnataka -localityNam
44
To create a certificate signing request by using the

Navigate to Traffic Management > SSL and, in the SSL Certificates group, select Create
Certificate Signing Request (CSR), and create a CSR.
Submitting the CSR to the CA

Most CAs accept certificate submissions by email. The CA will return a valid certificate to
the email address from which you submit the CSR.

CLI procedure)
create ssl rsakey
keyFile
Name for and, optionally, path to the RSA key file. /nsconfig/ssl/ is the default path.
Maximum value: 63
bits
Size, in bits, of the RSA key.
Minimum value: 512
Maximum value: 4096
exponent
Public exponent for the RSA key. The exponent is part of the cipher algorithm and is
required for creating the RSA key.
Possible values: 3, F4
Default value: FIPSEXP_F4
keyform
Format in which the RSA key file is stored on the appliance.
45
create ssl dsakey

keyfile
Name for and, optionally, path to the DSA key file. /nsconfig/ssl/ is the default path.
Maximum value: 63
bits
Size, in bits, of the DSA key.
Minimum value: 512
Maximum value: 2048
keyform
Format in which the DSA key file is stored on the appliance.
create ssl certreq

reqFile
Name for and, optionally, path to the certificate signing request (CSR). /nsconfig/ssl/ is
the default path.
Maximum value: 63
keyFile
Name of and, optionally, path to the private key used to create the certificate signing
request, which then becomes part of the certificate-key pair. The private key can be
either an RSA or a DSA key. The key must be present in the appliance's local storage.
/nsconfig/ssl is the default path.
Maximum value: 63
fipsKeyName
Name of the FIPS key used to create the certificate signing request. FIPS keys are
created inside the Hardware Security Module of the FIPS card.
keyForm
Format in which the key is stored on the appliance.
46

countryName
Two letter ISO code for your country. For example, US for United States.
stateName
Full name of the state or province where your organization is located.
Do not abbreviate.
organizationName
Name of the organization that will use this certificate. The organization name
(corporation, limited partnership, university, or government agency) must be registered
with some authority at the national, state, or city level. Use the legal name under which
the organization is registered.
Do not abbreviate the organization name and do not use the following characters in the
name:
Angle brackets (< >) tilde (~), exclamation mark, at (@), pound (#), zero (0), caret (^),
asterisk (*), forward slash (/), square brackets ([ ]), question mark (?).
organizationUnitName
Name of the division or section in the organization that will use the certificate.
localityName
Name of the city or town in which your organization's head office is located.
emailAddress
Contact person's e-mail address. This address is publically displayed as part of the
certificate. Provide an e-mail address that is monitored by an administrator who can be
contacted about the certificate.
challengePassword
Pass phrase, embedded in the certificate signing request that is shared only between the
client or server requesting the certificate and the SSL certificate issuer (typically the
certificate authority). This pass phrase can be used to authenticate a client or server
that is requesting a certificate from the certificate authority.
companyName
Additional name for the company or web site.
47
Importing Existing Certificates and Keys

If you want to use certificates and keys that you already have on other secure servers or
applications in your network, you can export them, and then import them to the NetScaler
appliance. You might have to convert exported certificates and keys before you can import
them to the NetScaler appliance.
For the details of how to export certificates from secure servers or applications in your
network, see the documentation of the server or application from which you want to
export.
Note: For installation on the NetScaler appliance, key and certificate names cannot
contain spaces or special characters other than those supported by the UNIX file system.
Follow the appropriate naming convention when you save the exported key and
certificate.
A certificate and private key pair is commonly sent in the PKCS#12 format. The NetScaler
supports PEM and DER formats for certificates and keys. To convert PKCS#12 to PEM or DER,
or PEM or DER to PKCS#12, see Converting the Format of SSL Certificates for Import or
Export.
The NetScaler appliance does not support PEM keys in PKCS#8 format. However, you can
convert these keys to a supported format by using the OpenSSL interface, which you can
access from the NetScaler command line or the configuration utility. Before you convert the
key, you need to verify that the private key is in PKCS#8 format. Keys in PKCS#8 format
typically start with the following text:
-----BEGIN ENCRYPTED PRIVATE KEY----leuSSZQZKgrgUQ==
-----END ENCRYPTED PRIVATE KEY-----
To open the OpenSSL interface from the command

line interface
1. Open an SSH connection to the appliance by using an SSH client, such as PuTTY.
2. Log on to the appliance by using the administrator credentials.
3. At the command prompt, type shell.
4. At the shell prompt type openssl.
To open the ssl interface from the configuration utility

Navigate to Traffic Management > SSL and, in the Tools group, select OpenSSL interface.
48
Importing Existing Certificates and Keys
To convert a non-supported PKCS#8 key format to an

encrypted supported key format by using the
OpenSSL interface
At the OpenSSL prompt, type one of the following commands, depending on whether the
non-supported key format is of type rsa or dsa:
rsa- in <PKCS#8 Key Filename> -des3 -out <encrypted Key Filename>
dsa -in <PKCS#8 Key Filename> -des3 -out <encrypted Key Filename>
To convert a non-supported PKCS#8 key format to an

unencrypted key format by using the OpenSSL
interface
At the OpenSSL prompt, type the following commands, depending on whether the
non-supported key format is of type rsa or dsa:
rsa -in <PKCS#8 Key Filename> -out <unencrypted Key Filename>
dsa -in <PKCS#8 Key Filename> -out <unencrypted Key Filename>
Parameters for converting an unsupported key format to a

supported key format
<PKCS#8 Key Filename>
The input file name of the incompatible PKCS#8 private key.
<encrypted Key Filename>
The output file name of the compatible encrypted private key in PEM format.
<unencrypted Key Filename>
The output file name of the compatible unencrypted private key in PEM format.
49
Generating a Self-Signed Certificate

The NetScaler appliance has a built in CA tools suite that you can use to create self-signed
certificates for testing purposes.
Caution: Because these certificates are signed by the NetScaler itself, not by an actual
CA, you should not use them in a production environment. If you attempt to use a
self-signed certificate in a production environment, users will receive a "certificate
invalid" warning each time the virtual server is accessed.
The NetScaler supports creation of the following types of certificates
Root-CA certificates
Intermediate-CA certificates
End-user certificates
server certificates
client certificates
Before generating a certificate, create a private key and use that to create a certificate
signing request (CSR) on the appliance. Then, instead of sending the CSR out to a CA, use
the NetScaler CA Tools to generate a certificate.
For details on how to create a private key and a CSR, see Obtaining a Certificate from a
Certificate Authority.
To create a certificate by using a wizard

1. Navigate to Traffic Management > SSL.
2. In the details pane, under Getting Started, select the wizard for the type of certificate
that you want to create.
3. Follow the instructions on the screen.
To create a Root-CA certificate by using the command

line interface
create ssl cert <certFile> <reqFile> <certType> [-keyFile <input_filename>] [-keyform ( DER
| PEM )] [-days <positive_integer>]
Example
50
> create ssl cert certi1 csreq1 ROOT_CERT -keyFile

rsa1 -keyForm PEM -days 365
Done
To create an Intermediate-CA certificate or end-user

certificate by using the command line interface
create ssl cert <certFile> <reqFile> <certType> [-keyFile <input_filename>] [-keyform ( DER
| PEM )] [-days <positive_integer>] [-certForm ( DER | PEM )] [-CAcert <input_filename>]
[-CAcertForm ( DER | PEM )] [-CAkey <input_filename>] [-CAkeyForm ( DER | PEM )]
[-CAserial <output_filename>]
Example
> create ssl cert certsy csr1 INTM_CERT -CAcert cert1

-CAkey rsakey1 -CAserial 23
Done
To create a Root-CA certificate by using the

Navigate to Traffic Management > SSL and, in the Getting Started group, select Root-CA
Certificate Wizard, and configure a root CA certificate.
To create an Intermediate-CA certificate or end-user

certificate by using the configuration utility
Navigate to Traffic Management > SSL and, in the Getting Started group, select
Intermediate-CA Certificate Wizard, and configure an intermediate CA certificate.
Generating a Diffie-Hellman (DH) Key

The Diffie-Hellman (DH) key exchange is a way for two parties involved in an SSL
transaction that have no prior knowledge of each other to agree upon a shared secret over
an insecure channel. This secret can then be converted into cryptographic keying material
for mainly symmetric key cipher algorithms that require such a key exchange.
51

This feature is disabled by default and should be specifically configured to support ciphers
that use DH as the key exchange algorithm.
Note: Generating a 2048-bit DH key may take a long time (up to 30 minutes).
To generate a DH key by using the command line interface

create ssl dhparam <dhFile> [<bits>] [-gen (2 | 5)]
Example
create ssl dhparam Key-DH-1 512 -gen 2
To generate a DH key by using the configuration utility

Navigate to Traffic Management > SSL and, in the Tools group, select Create Diffie-Hellman
(DH) key, and generate a DH key.

CLI procedure)
create ssl cert
certFile
Name for and, optionally, path to the generated certificate file. /nsconfig/ssl/ is the
default path.
Maximum value: 63
reqFile
Name for and, optionally, path to the certificate-signing request (CSR). /nsconfig/ssl/ is
the default path.
Maximum value: 63
certType
Type of certificate to generate. Specify one of the following:
* ROOT_CERT - Self-signed Root-CA certificate. You must specify the key file name. The
generated Root-CA certificate can be used for signing end-user client or server
certificates or to create Intermediate-CA certificates.
* INTM_CERT - Intermediate-CA certificate.
52

* CLNT_CERT - End-user client certificate used for client authentication.
* SRVR_CERT - SSL server certificate used on SSL servers for end-to-end encryption.
Possible values: ROOT_CERT, INTM_CERT, CLNT_CERT, SRVR_CERT
keyFile
Name for and, optionally, path to the private key. You can either use an existing RSA or
DSA key that you own or create a new private key on the NetScaler appliance. This file is
required only when creating a self-signed Root-CA certificate. The key file is stored in
the /nsconfig/ssl directory by default.
If the input key specified is an encrypted key, you are prompted to enter the PEM pass
phrase that was used for encrypting the key.
Maximum value: 63
keyform
Format in which the key is stored on the appliance.
days
Number of days for which the certificate will be valid, beginning with the time and day
(system time) of creation.
Default value: 365
Minimum value: 1
Maximum value: 3650
certForm
Format in which the certificate is stored on the appliance.
CAcert
Name of the CA certificate file that issues and signs the Intermediate-CA certificate or
the end-user client and server certificates.
Maximum value: 63
CAcertForm
Format of the CA certificate.
53

CAkey
Private key, associated with the CA certificate that is used to sign the Intermediate-CA
certificate or the end-user client and server certificate. If the CA key file is password
protected, the user is prompted to enter the pass phrase that was used to encrypt the
key.
Maximum value: 63
CAkeyForm
Format for the CA certificate.
CAserial
Serial number file maintained for the CA certificate. This file contains the serial number
of the next certificate to be issued or signed by the CA. If the specified file does not
exist, a new file is created, with /nsconfig/ssl/ as the default path. If you do not specify
a proper path for the existing serial file, a new serial file is created. This might change
the certificate serial numbers assigned by the CA certificate to each of the certificates it
signs.
Maximum value: 63
create ssl dhparam

dhFile
Name of and, optionally, path to the DH key file. /nsconfig/ssl/ is the default path.
Maximum value: 63
bits
Size, in bits, of the DH key being generated.
Minimum value: 512
Maximum value: 2048
gen
Random number required for generating the DH key. Required as part of the DH key
generation algorithm.
54

Possible values: 2, 5
Default value: 2
55
Adding a Group of SSL Certificates

If the server certificate is issued by an intermediate CA that is not recognized by standard
web browsers as a trusted CA, the CA certificate(s) must be sent to the client with the
server's own certificate. Otherwise, the browser terminates the SSL session because it fails
to authenticate the server certificate.
There are two ways to add the server and intermediate certificates:
56
Create a certificate set that contains the chain of certificates.
Create a chain of certificates manually by adding and linking the certificates

individually.
Adding and Linking a Certificate Set

Note: This feature is not supported on the NetScaler FIPS platform.
Instead of adding and linking individual certificates, you can now group a server certificate
and up to nine intermediate certificates in a single file, and then specify the file's name
when adding a certificate-key pair. Before you do so, make sure that the following
prerequisites are met.
The certificates in the file are in the following order:
Server certificate (should be the first certificate in the file)
Optionally, a server key
Intermediate certificate 1 (ic1)
Intermediate certificate 2 (ic2)
Intermediate certificate 3 (ic3), and so on
Note: Intermediate certificate files are created for each intermediate certificate
with the name "<certificatebundlename>.pem_ic<n>" where n is between 1 and 9.
For example, bundle.pem_ic1, where bundle is the name of the certificate set
and ic1 is the first intermediate certificate in the set.
Bundle option is selected.
No more than nine intermediate certificates are present in the file.
The file is parsed and the server certificate, intermediate certificates, and server key (if
present) are identified. First, the server certificate and key are added. Then, the
intermediate certificates are added, in the order in which they were added to the file, and
linked accordingly.
An error is reported if any of the following conditions exist:
57
A certificate file for one of the intermediate certificates already exists on the
appliance.
The key is placed before the server certificate in the file.
An intermediate certificate is placed before the server certificate.
Intermediate certificates are not in placed in the file in the same order as they are
created.
No certificates are present in the file.
A certificate is not in the proper PEM format.
The number of intermediate certificates in the file exceeds nine.
To add a certificate set by using the command line

interface
At the command prompt, type the following commands to create a certificate set and verify
the configuration:
1. add ssl certKey <certkeyName> -cert <string> -key <string> -bundle (YES | NO)
2. show ssl certKey
3. show ssl certlink
Example
In the following example, the certificate set (bundle.pem) contains the following files:
server certificate (bundle) linked to bundle_ic1
First intermediate certificate (bundle_ic1) linked to bundle_ic2
Second intermediate certificate (bundle_ic2) linked to bundle_ic3
Third intermediate certificate (bundle_ic3)
> add ssl certKey bundle -cert bundle.pem -key bundle.pem -bundle yes
> show ssl certkey
1) Name: bundle
Cert Path: /nsconfig/ssl/bundle.pem
Format: PEM
Certificate Expiry Monitor: DISABLED
2) Name: bundle_ic1
Cert Path: /nsconfig/ssl/bundle.pem_ic1
Format: PEM
3) Name: bundle_ic2
Format: PEM
4) Name: bundle_ic3
Format: PEM
Done
58
> show ssl certlink

1) Cert Name: bundle CA Cert Name: bundle_ic1
2) Cert Name: bundle_ic1 CA Cert Name: bundle_ic2
3) Cert Name: bundle_ic2 CA Cert Name: bundle_ic3
Done
To add a certificate set by using the configuration

utility
1. Navigate to Traffic Management > SSL > Certificates.
2. In the SSL Certificates pane, click Install.
3. In the Install Certificate dialog box, type the details, such as the certificate and key file
name, and then select Certificate Bundle.
4. Click Install, and then click Close.
59
Creating a Chain of Certificates

Instead of using a set of certificates (a single file), you can create a chain of certificates.
The chain links the server certificate to its issuer (the intermediate CA). For this approach
to work, the intermediate CA certificate file must already be installed on the NetScaler
appliance, and one of the certificates in the chain must be trusted by the client
application. For example, link Cert-Intermediate-A to Cert-Intermediate-B, where
Cert-Intermediate-B is linked to Cert-Intermediate-C, which is a certificate trusted by the
client application.
Note: The NetScaler supports sending a maximum of 10 certificates in the chain of
certificates sent to the client (one server certificate and nine CA certificates).
To create a certificate chain by using the command

line interface
At the command prompt, type the following commands to create a certificate chain and
verify the configuration. (Repeat the first command for each new link in the chain.)
link ssl certkey <certKeyName> <linkCertKeyName>
show ssl certlink
Example
> link ssl certkey siteAcertkey CAcertkey

Done
> show ssl certlink
linked certificate:
1) Cert Name: siteAcertkey CA Cert Name: CAcertkey
Done
To create a certificate chain by using the

1. Navigate to Traffic Management > SSL > Certificates.
2. Select a server certificate, and in the Action list, select Link, and specify a CA
certificate name.
60
Creating a Chain of Certificates

CLI procedure)
link ssl certkey
certKeyName
Name of the certificate-key pair to link to its issuer's certificate-key pair in the chain.
linkCertKeyName
Name of the Certificate Authority certificate-key pair to which to link a certificate-key
pair.
show ssl certlink

61
Displaying a Certificate Chain

A certificate contains the name of the issuing authority and the subject to whom the
certificate is issued. To validate a certificate, you must look at the issuer of that certificate
and confirm if you trust the issuer. If you do not trust the issuer, you must see who issued
the issuer certificate. Go up the chain till you reach the root CA certificate or an issuer that
you trust.
As part of the SSL handshake, when a client requests a certificate, the NetScaler appliance
presents a certificate and the chain of issuer certificates that are present on the appliance.
An administrator can view the certificate chain for the certificates present on the appliance
and install any missing certificates.
To view the certificate chain for the certificates

present on the appliance by using the command line
show ssl certchain <cert_name>
Examples
There are 3 certificates: c1, c2, and c3. Certificate c1 is signed by c2, c2 is signed by c3,
and c3 is the root CA certificate. The following examples illustrate the output of the show
ssl certchain c1 command in different scenarios.
1. Scenario 1:
Certificate c2 is linked to c1, and c3 is linked to c2.
Certificate c3 is a root CA certificate.

If you run the following command, the certificate links up to the root CA certificate are
displayed.
> show ssl certchain c1

Certificate chain details of certificate name c1 are:
1) Certificate name: c2
linked; not a root certificate
2) Certificate name: c3
linked; root certificate
Done
2. Scenario 2:
Certificate c2 is linked to c1.
Certificate c2 is not a root CA certificate.

If you run the following command, information that certificate c3 is a root CA
certificate but is not linked to c2 is displayed.
62

1) Certificate Name: c2
not linked; root certificate
Done
3. Scenario 3:
Certificate c1, c2, and c3 are not linked but are present on the appliance.
If you run the following command, information about all the certificates starting with
the issuer of certificate c1 is displayed and it is specified that the certificates are not
linked.

not linked; not a root certificate
not linked; root certificate
Done
4. Scenario 4:
Certificate c2 is linked to c1.
Certificate c3 is not present on the appliance.

If you run the following command, information about the certificate linked to c1 is
displayed and you are prompted to add a certificate with the subject name specified in
c2. In this case, the user is asked to add the root CA certificate c3.

2) Certificate Name: /C=IN/ST=ka/O=netscaler/CN=test
Action: Add a certificate with this subject name.
Done
5. Scenario 5:
A certificate is not linked to certificate c1 and the issuer certificate of c1 is not
present on the appliance.
If you run the following command, you are prompted to add a certificate with the
subject name in certificate c1.
> sh ssl certchain c1

1) Certificate Name: /ST=KA/C=IN
Action: Add a certificate with this subject name.
63

CLI procedure)
show ssl certchain
64
Generating a Server Test Certificate

The NetScaler appliance allows you to create a test certificate for server authentication by
using a GUI wizard in the configuration utility. A server certificate is used to authenticate
and identify a server in an SSL handshake. A server certificate is generally issued by a
trusted CA and is sent out by the server to a client who uses it to authenticate the server.
For issuing a server test certificate, the appliance operates as a CA. This certificate can be
bound to an SSL virtual server for authentication in an SSL handshake with a client. This
certificate is for testing purposes only. It should not be used in a production environment.
You can install the server test certificate on any virtual server that uses the SSL or the
SSL_TCP protocol.
To generate a server test certificate by using the

Navigate to Traffic Management > SSL and, in the SSL Certificates group, select Create and
Install a Server Test Certificate.
65
Modifying and Monitoring Certificates and

Keys
To avoid downtime when replacing a certificate-key pair, you can update an existing
certificate. If you want to replace a certificate with a certificate that was issued to a
different domain, you must disable domain checks before updating the certificate.
To receive notifications about certificates due to expire, you can enable the expiry
monitor.
Updating an Existing Server Certificate

When you remove or unbind a certificate from a configured SSL virtual server, or an SSL
service, the virtual server or service becomes inactive until a new valid certificate is bound
to it. To avoid downtime, you can use the update feature to replace a certificate-key pair
that is bound to an SSL virtual server or an SSL service, without first unbinding the existing
certificate.
To update an existing certificate-key pair by using the

At the command prompt, type the following commands to update an existing certificate-key
pair and verify the configuration:
update ssl certkey <certkeyName> -cert <string> -key <string>
show ssl certKey <certkeyName>
Example
> update ssl certkey siteAcertkey -cert /nsconfig/ssl/cert.pem

-key /nsconfig/ssl/pkey.pem
Done
> show ssl certkey siteAcertkey
Name: siteAcertkey
Status: Valid
Version: 3
Serial Number: 02
Signature Algorithm: md5WithRSAEncryption
Issuer: /C=US/ST=CA/L=Santa Clara/O=siteA/OU=Tech
Validity
Not Before: Nov 11 14:58:18 2001 GMT
Not After: Aug 7 14:58:18 2004 GMT
Subject: /C=US/ST-CA/L=San Jose/O=CA/OU=Security
66
Modifying and Monitoring Certificates and Keys

Public Key Algorithm: rsaEncryption
Public Key size: 1024
Done
To update an existing certificate-key pair by using the

Navigate to Traffic Management > SSL > Certificates, select a certificate, and click Update.
Disabling Domain Checks

When an SSL certificate is replaced on the NetScaler, the domain name mentioned on the
new certificate should match the domain name of the certificate being replaced. For
example, if you have a certificate issued to abc.com, and you are updating it with a
certificate issued to def.com, the certificate update fails.
However, if you want the server that has been hosting a particular domain to now host a
new domain, you can disable the domain check before updating its certificate.
To disable the domain check for a certificate by using the

At the command prompt, type the following commands to disable the domain check and
update ssl certKey <certkeyName> -noDomainCheck
Example
> update ssl certKey sv -noDomainCheck

Done
> show ssl certkey sv
Name: sv
Cert Path: /nsconfig/ssl/complete/server/server_rsa_512.pem
Key Path: /nsconfig/ssl/complete/server/server_rsa_512.ky
Format: PEM
Done
67
To disable the domain check for a certificate by using the

1. Navigate to Traffic Management > SSL > Certificates, select a certificate, and click
Update.
2. Select No Domain Check.
Enabling the Expiry Monitor

An SSL certificate is valid for a specific period of time. A typical deployment includes
multiple virtual servers that process SSL transactions, and the certificates bound to them
can expire at different times. An expiry monitor configured on the NetScaler appliance
creates entries in the appliance's syslog and nsaudit logs when a certificate configured on
the appliance is due to expire.
If you want to create SNMP alerts for certificate expiration, you must configure them
separately.
For information about monitoring on the NetScaler appliance, see .
To enable an expiry monitor for a certificate by using the

At the command prompt, type the following commands to enable an expiry monitor for a
certificate and verify the configuration:
set ssl certKey <certkeyName> [-expiryMonitor ( ENABLED | DISABLED )

[-notificationPeriod <positive_integer>]]
Example
> set ssl certKey sv -expiryMonitor ENABLED notificationPeriod 60

Done
> show ssl certkey sv
Name: sv
Cert Path: /nsconfig/ssl/complete/server/server_rsa_512.pem
Key Path: /nsconfig/ssl/complete/server/server_rsa_512.ky
Format: PEM
Certificate Expiry Monitor: ENABLED
Expiry Notification period: 60 days
Done
68
To enable an expiry monitor for a certificate by using the

1. Navigate to Traffic Management > SSL > Certificates, select a certificate, and click
Update.
2. Select Notify When Expires, and optionally specify a notification period.

CLI procedure)
update ssl certkey
certkeyName
Name of the certificate-key pair to update.
cert
key
show ssl certKey

certkeyName
Name of the certificate-key pair for which to show detailed information.
update ssl certKey

certkeyName
Name of the certificate-key pair to update.
noDomainCheck
Override the check for matching domain names during a certificate update operation.
69

set ssl certKey

certkeyName
Name of the certificate-key pair to modify.
expiryMonitor
Issue an alert when the certificate is about to expire.
70
Using Global Site Certificates

A global site certificate is a special-purpose server certificate whose key length is greater
than 128 bits. A global site certificate consists of a server certificate and an accompanying
intermediate-CA certificate. You must import the global site certificate and its key from
the server to the NetScaler appliance.
How Global Site Certificates Work

Export versions of browsers use 40-bit encryption to initiate connections to SSL
Web-servers. The server responds to connection requests by sending its certificate. The
client and server then decide on an encryption strength based on the server certificate
type:
If the server certificate is a normal certificate and not a global site certificate, the
export client and server complete the SSL handshake and uses 40-bit encryption for
data transfer.
If the server certificate is a global site certificate (and if the export client feature is
supported by the browser), the export client automatically upgrades to 128-bit
encryption for data transfer.
If the server certificate is a global site certificate, the server sends its certificate, along
with the accompanying intermediate-CA certificate. The browser first validates the
intermediate-CA certificate by using one of the Root-CA certificates that are normally
included in web browsers. Upon successful validation of the intermediate-CA certificate,
the browser uses the intermediate-CA certificate to validate the server certificate. Once
the server is successfully validated, the browser renegotiates (upgrades) the SSL connection
to 128-bit encryption.
With Microsoft's Server Gated Cryptography (SGC), if the Microsoft IIS server is configured
with an SGC certificate, export clients that receive the certificate renegotiate to
use128-bit encryption.
Importing a Global Site Certificate

To import a global site certificate, first export the certificate and server key from the Web
server. Global site certificates are generally exported in some binary format, therefore,
before importing the global site certificate, convert the certificate and key to the PEM
format.
71
To import a global site certificate

1. Using a text editor, copy the server certificate and the accompanying intermediate-CA
certificate into two separate files.
The individual PEM encoded certificate will begin with the header ----- BEGIN
CERTIFICATE----- and end with the trailer -----END CERTIFICATE-----.
2. Use an SFTP client to transfer the server certificate, intermediate-CA certificate, and
server-key to the NetScaler.
3. Use the following OpenSSL command to identify the server certificate and
intermediate-CA certificate from the two separate files.
Note: You can launch the OpenSSL interface from the configuration utility. In the
navigation pane, click SSL. In the details pane, under Tools, click Open SSL interface.
> openssl x509 -in >path of the CA cert file< text

X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Netscape Cert Type:
SSL CA, S/MIME CA
> openssl x509 -in >path of the server certificate file< -text
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
4. At the FreeBSD shell prompt, enter the following command:
openssl x509 -in cert.pem -text | more

Where cert.pem is one of the two certificate files.
Read the Subject field in the command output. For example,
Subject: C=US, ST=Oregon, L=Portland,

O=mycompany, Inc., OU=IT, CN=www.mycompany.com
If the CN field in the Subject matches the domain-name of your Web site, then this is
the server certificate and the other certificate is the accompanying intermediate-CA
certificate.
72

5. Use the server certificate and its private key) to create a certificate key pair on the
NetScaler. For details on creating a certificate-key pair on the NetScaler, see Adding a
Certificate Key Pair.
6. Add the intermediate-CA certificate on the NetScaler. Use the server certificate you
created in step 4 to sign this intermediate certificate. For details on creating an
Intermediate-CA certificate on the NetScaler, see Generating a Self-Signed Certificate.
73
Converting the Format of SSL Certificates

for Import or Export
A NetScaler appliance supports the PEM and DER formats for SSL certificates. Other
applications, such as client browsers and some external secure servers, require various
public key cryptography standard (PKCS) formats. The NetScaler can convert the PKCS#12
format (the personal information exchange syntax standard) to PEM or DER format for
importing a certificate to the appliance, and can convert PEM or DER to PKCS#12 for
exporting a certificate. For additional security, conversion of a file for import can include
encryption of the private key with the DES or DES3 algorithm.
Note: If you use the configuration utility to import a PKCS#12 certificate, and the
password contains a dollar sign ($), backquote (`), or escape (\) character, the import
may fail. If it does, the ERROR: Invalid password message appears. If you must use
a special character in the password, be sure to prefix it with an escape character (\)
unless all imports are performed by using the NetScaler command line.
To convert the format of a certificate by using the

Convert ssl pkcs12 <outfile> [-import [-pkcs12File <inputFilename>] [-des | -des3] [-export
[-certFile <inputFilename>] [-keyFile <inputFilename>]] During the operation, you are
prompted to enter an import password or an export password. For an encrypted file, you
are also prompted to enter a passphrase.
Example
convert ssl pkcs12 Cert-Import-1.pem -import -pkcs12File Cert-Import-1.pfx -des

convert ssl pkcs12 Cert-Client-1.pfx -export -certFile Cert-Client-1 -keyFile Key-Client-1
To convert the format of a certificate by using the

Navigate to Traffic Management > SSL and, in the Tools group, select Import PKCS#12 or
Export PKCS#12.
74
Converting the Format of SSL Certificates for Import or Export

CLI procedure)
Convert ssl pkcs12
outfile
Name for and, optionally, path to, the output file that contains the certificate and the
private key after converting from PKCS#12 to PEM format. /nsconfig/ssl/ is the default
path.
If importing, the certificate-key pair is stored in PEM format. If exporting, the
certificate-key pair is stored in PKCS#12 format.
Maximum value: 63
import
Convert the certificate and private-key from PKCS#12 format to PEM format.
export
Convert the certificate and private key from PEM format to PKCS#12 format. On the
command line, you are prompted to enter the pass phrase.
75
Managing Certificate Revocation Lists

A certificate issued by a CA typically remains valid until its expiration date. However, in
some circumstances, the CA may revoke the issued certificate before the expiration date
(for example, when an owner's private key is compromised, a company's or individual's
name changes, or the association between the subject and the CA changes).
A Certificate Revocation List (CRL) identifies invalid certificates by serial number and
issuer.
Certificate authorities issue CRLs on a regular basis. You can configure the NetScaler
appliance to use a CRL to block client requests that present invalid certificates.
If you already have a CRL file from a CA, add that to the NetScaler. You can configure
refresh options. You can also configure the NetScaler to sync the CRL file automatically at a
specified interval, from either a web location or an LDAP location. The NetScaler supports
CRLs in either the PEM or the DER file format. Be sure to specify the file format of the CRL
file being added to the NetScaler.
If you have used the NetScaler as a CA to create certificates that are used in SSL
deployments, you can also create a CRL to revoke a particular certificate. This feature can
be used, for example, to ensure that self-signed certificates that are created on the
NetScaler are not used either in a production environment or beyond a particular date.
Note:
By default, CRLs are stored in the /var/netscaler/ssl directory on the NetScaler appliance.
76
Creating a CRL on the NetScaler

Since you can use the NetScaler appliance to act as a certificate authority and create
self-signed certificates, you can also revoke certificates that you have created and
certificates whose CA certificate you own.
The appliance must revoke invalid certificates before creating a CRL for those certificates.
The appliance stores the serial numbers of revoked certificates in an index file and updates
the file each time it revokes a certificate. The index file is automatically created the first
time a certificate is revoked.
To revoke a certificate or create a CRL by using the

create ssl crl <CAcertFile> <CAkeyFile> <indexFile> (-revoke <input_filename> | -genCRL
<output_filename>)
Example
create ssl crl Cert-CA-1 Key-CA-1 File-Index-1 -revoke Invalid-1

create ssl crl Cert-CA-1 Key-CA-1 File-Index-1 -genCRL CRL-1
To revoke a certificate or create a CRL by using the

1. Navigate to Traffic Management > SSL and, in the Getting Started group, select CRL
Management.
2. Enter the certificate details and, in the Choose Operation list, select Revoke Certificate
or Generate CRL.

CLI procedure)
create ssl crl
CAcertFile
77
Creating a CRL on the NetScaler

Name of and, optionally, path to the CA certificate file.
/nsconfig/ssl/ is the default path.
Maximum value: 63
CAkeyFile
Name of and, optionally, path to the CA key file. /nsconfig/ssl/ is the default path
Maximum value: 63
indexFile
Name of and, optionally, path to the file containing the serial numbers of all the
certificates that are revoked. Revoked certificates are appended to the file.
/nsconfig/ssl/ is the default path
Maximum value: 63
revoke
Name of and, optionally, path to the certificate to be revoked. /nsconfig/ssl/ is the
default path.
Maximum value: 63
genCRL
Name of and, optionally, path to the CRL file to be generated. The list of certificates
that have been revoked is obtained from the index file. /nsconfig/ssl/ is the default
path.
Maximum value: 63
78
Adding an Existing CRL to the NetScaler

Before you configure the CRL on the NetScaler appliance, make sure that the CRL file is
stored locally on the NetScaler. In the case of an HA setup, the CRL file must be present on
both NetScaler appliances, and the directory path to the file must be the same on both
appliances.
To add a CRL on the NetScaler by using the command

line
At the command prompt, type the following commands to add a CRL on the NetScaler and
add ssl crl <crlName> <crlPath> [-inform (DER | PEM)]
show ssl crl [<crlName>]
Example
> add ssl crl crl-one /var/netscaler/ssl/CRL-one -inform PEM

Done
> show ssl crl crl-one
Name: crl-one Status: Valid, Days to expiration: 29
CRL Path: /var/netscaler/ssl/CRL-one
Format: PEM
CAcert: samplecertkey
Refresh: DISABLED
Version: 1
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US,ST=California,L=Santa Clara,O=NetScaler Inc.,OU=SSL Acceleration,CN=www.ns.com/ema
Last_update:Jun 15 10:53:53 2010 GMT
Next_update:Jul 15 10:53:53 2010 GMT
1)
Serial Number: 00
Revocation Date:Jun 15 10:51:16 2010 GMT
Done
To add a CRL on the NetScaler by using the

Navigate to Traffic Management > SSL > CRL, and add a CRL.
79
Adding an Existing CRL to the NetScaler

CLI procedure)
add ssl crl
crlName
Name for the Certificate Revocation List (CRL). Must begin with an ASCII alphanumeric or
changed after the CRL is created.
marks (for example, "my crl" or 'my crl').
crlPath
Path to the CRL file. /var/netscaler/ssl/ is the default path.
inform
Input format of the CRL file. The two formats supported on the appliance are:
PEM - Privacy Enhanced Mail.
DER - Distinguished Encoding Rule.
show ssl crl

crlName
Name of the CRL for which to show detailed information.
80
Configuring CRL Refresh Parameters

A CRL is generated and published by a Certificate Authority periodically or, in some cases,
immediately after a particular certificate is revoked. Citrix recommends that you update
CRLs on the NetScaler appliance regularly, for protection against clients trying to connect
with certificates that are not valid.
The NetScaler can refresh CRLs from a web location or an LDAP directory. When you specify
refresh parameters and a web location or an LDAP server, the CRL does not have to be
present on the local hard disk drive at the time you execute the command. The first refresh
stores a copy on the local hard disk drive, in the path specified by the CRL File parameter.
The default path for storing the CRL is /var/netscaler/ssl.
Note: In release 10.0 and later, the method for refreshing a CRL is not included by
default. You must explicitly specify an HTTP or LDAP method. If you are upgrading from
an earlier release to release 10.0 or later, you must add a method and run the command
again.
To configure CRL autorefresh by using the command

line
At the command prompt, type the following commands to configure CRL auto refresh and
verify the configuration the following commands to configure CRL auto refresh and verify
the configuration:
set ssl crl <crlName> [-refresh ( ENABLED | DISABLED )] [-CAcert <string>] [-url <URL |
-server <ip_addr|ipv6_addr>] [-method HTTP | (LDAP [-baseDN <string>] [-bindDN
<string>] [-scope ( Base | One )] [-password <string>] [-binary ( YES | NO )])] [-port
<port>] [-interval <interval>]
show ssl crl [<crlName>]
Example
Set CRL crl1 -refresh enabled -method ldap -inform DER -CAcert ca1 -server 10.102.192.192 -port 389 -scope
set ssl crl crl1 -refresh enabled -method http -cacert ca1 -port 80 -time 00:10 -url http://10.102.192.192/crl
> sh crl
1)
81
Name: crl1
Status: Valid,
Days to expiration: 355
CRL Path: /var/netscaler/ssl/crl1
Format: PEM
CAcert: ca1
Refresh: ENABLED
Method: HTTP
URL: http://10.102.192.192/crl/ca1.crl
Port:80
Refresh Time: 00:10
Last Update: Successful, Date:Tue Jul 6 14:38:13 2010

Done
To configure CRL autorefresh using LDAP or HTTP by

using the configuration utility
1. Navigate to Traffic Management > SSL > CRL.
2. Open a CRL, and select Enable CRL Auto Refresh.
Note: If the new CRL has been refreshed in the external repository before its actual
update time as specified by the Last Update time field of the CRL, you should
immediately refresh the CRL on the NetScaler.
To view the last update time, select the CRL, and click Details.

CLI procedure)
set ssl crl
crlName
Name of the CRL to be modified.
refresh
Set CRL auto refresh.
CAcert
CA certificate that has issued the CRL. Required if CRL Auto Refresh is selected. Install
the CA certificate on the appliance before adding the CRL.
server
IP address of the LDAP server from which to fetch the CRLs.
method
Method for CRL refresh. If LDAP is selected, specify the method, CA certificate, base DN,
port, and LDAP server name. If HTTP is selected, specify the CA certificate, method,
URL, and port. Cannot be changed after a CRL is added.
Possible values: HTTP, LDAP
baseDN
82

Base distinguished name (DN), which is used in an LDAP search to search for a CRL. Citrix
recommends searching for the Base DN instead of the Issuer Name from the CA
certificate, because the Issuer Name field might not exactly match the LDAP directory
structure's DN.
bindDN
Bind distinguished name (DN) to be used to access the CRL object in the LDAP repository
if access to the LDAP repository is restricted or anonymous access is not allowed.
scope
Extent of the search operation on the LDAP server. Available settings function as follows:
One - One level below Base DN.
Base - Exactly the same level as Base DN.
Possible values: Base, One
Default value: NSAPI_ONESCOPE
password
Password to access the CRL in the LDAP repository if access to the LDAP repository is
restricted or anonymous access is not allowed.
binary
Set the LDAP-based CRL retrieval mode to binary.
Possible values: YES, NO
Default value: NO
port
Port for the LDAP server.
Minimum value: 1
interval
CRL refresh interval. Use the NONE setting to unset this parameter.
Possible values: MONTHLY, WEEKLY, DAILY, NOW, NONE
show ssl crl

crlName
Name of the CRL for which to show detailed information.
83

84
Synchronizing CRLs
The NetScaler appliance uses the most recently distributed CRL to prevent clients with
revoked certificates from accessing secure resources.
If CRLs are updated often, the NetScaler needs an automated mechanism to fetch the latest
CRLs from the repository. You can configure the NetScaler to update CRLs automatically at
a specified refresh interval.
The NetScaler maintains an internal list of CRLs that need to be updated at regular
intervals. At these specified intervals, the appliance scans the list for CRLs that need to be
updated, connects to the remote LDAP server or HTTP server, retrieves the latest CRLs, and
then updates the local CRL list with the new CRLs.
Note: If CRL check is set to mandatory when the CA certificate is bound to the virtual
server, and the initial CRL refresh fails, all client-authentication connections with the
same issuer as the CRL are rejected as REVOKED until the CRL is successfully refreshed.
You can specify the interval at which the CRL refresh should be carried out. You can also
specify the exact time.
To synchronize CRL autorefresh by using the

set ssl crl <crlName> [-interval <interval>] [-day <integer>] [-time <HH:MM>]
Example
set ssl crl CRL-1 -refresh ENABLE -interval

MONTHLY -days 10 -time 12:00
To synchronize CRL refresh by using the

1. Navigate to Traffic Management > SSL > CRL.
2. Open a CRL, select enable CRL Auto Refresh, and specify the interval.
85
Synchronizing CRLs

CLI procedure)
set ssl crl
crlName
Name of the CRL to be modified.
interval
CRL refresh interval. Use the NONE setting to unset this parameter.
Possible values: MONTHLY, WEEKLY, DAILY, NOW, NONE
day
Day on which to refresh the CRL, or, if the Interval parameter is not set, the number of
days after which to refresh the CRL. If Interval is set to MONTHLY, specify the date. If
Interval is set to WEEKLY, specify the day of the week (for example, Sun=0 and Sat=6).
This parameter is not applicable if the Interval is set to DAILY.
Maximum value: 31
time
Time, in hours (1-24) and minutes (1-60), at which to refresh the CRL.
86
Performing Client Authentication by using

a Certificate Revocation List
If a certificate revocation list (CRL) is present on a NetScaler appliance, a CRL check is
performed regardless of whether performing the CRL check is set to mandatory or optional.
The success or failure of a handshake depends on a combination of the following factors:
Rule for CRL check
Rule for client certificate check
State of the CRL configured for the CA certificate
The following table lists the results of the possible combinations for a handshake involving a
revoked certificate.
Table 1. Result of a Handshake with a Client Using a Revoked Certificate
Rule for CRL Check
Rule for Client

Certificate Check
State of the CRL

Configured for the
CA certificate
Result of a
Handshake with a
Revoked
Certificate
Optional
Optional
Missing
Success
Optional
Mandatory
Missing
Success
Optional
Mandatory
Present
Failure
Mandatory
Optional
Missing
Success
Mandatory
Mandatory
Missing
Failure
Mandatory
Optional
Present
Success
Mandatory
Mandatory
Present
Failure
Optional/Mandatory
Optional
Expired
Success
Optional/Mandatory
Mandatory
Expired
Failure
Note:
87
The CRL check is optional by default. To change from optional to mandatory or

vice-versa, you must first unbind the certificate from the SSL virtual server, and then
bind it again after changing the option.
In the output of the sh ssl vserver command, OCSP check: optional implies
that a CRL check is also optional. The CRL check settings are displayed in the output of
the sh ssl vserver command only if CRL check is set to mandatory. If CRL check is
set to optional, the CRL check details do not appear.
Performing Client Authentication by using a Certificate Revocation List
To configure CRL check by using the command line

interface
bind ssl vserver <vServerName> -certkeyName <string> [(-CA -crlCheck ( Mandatory | Optional ))]
Example
bind ssl vs v1 -certkeyName ca -CA -crlCheck mandatory
sh ssl vserver
> sh ssl vs v1
DH: DISABLED
Ephemeral RSA: ENABLED Refresh Count: 0
ClearText Port: 0
Client Auth: ENABLED Client Cert Required: Mandatory
SNI: DISABLED
1) CertKey Name: ca CA Certificate CRLCheck: Mandatory CA_Name Sent
Done
To configure CRL check by using the configuration

utility
1. Navigate to Traffic Management > Load Balancing > Virtual Servers, and open an SSL
virtual server.
2. Click in the Certificates section.
3. Select a certificate and, in the OCSP and CRL Check list, select CRL Mandatory.
88
Performing Client Authentication by using a Certificate Revocation List

CLI procedure)
bind ssl vserver
vServerName
certkeyName
89
Monitoring Certificate Status with OCSP

Online Certificate Status Protocol (OCSP) is an Internet protocol that is used to determine
the status of a client SSL certificate. NetScaler appliances support OCSP as defined in RFC
2560. OCSP offers significant advantages over certificate revocation lists (CRLs) in terms of
timely information. Up-to-date revocation status of a client certificate is especially useful
in transactions involving large sums of money and high-value stock trades. It also uses fewer
system and network resources. NetScaler implementation of OCSP includes request batching
and response caching.
90
NetScaler Implementation of OCSP

OCSP validation on a NetScaler appliance begins when the appliance receives a client
certificate during an SSL handshake. To validate the certificate, the NetScaler creates an
OCSP request and forwards it to the OCSP responder. To do so, the NetScaler uses a locally
configured URL. The transaction is in a suspended state until the NetScaler evaluates the
response from the server and determines whether to allow the transaction or reject it. If
the response from the server is delayed beyond the configured time and no other
responders are configured, the NetScaler will allow the transaction or display an error,
depending on whether the OCSP check was set to optional or mandatory, respectively.
The NetScaler supports batching of OCSP requests and caching of OCSP responses to reduce
the load on the OCSP responder and provide faster responses.
91
OCSP Request Batching

Each time the NetScaler receives a client certificate, it sends a request to the OCSP
responder. To help avoid overloading the OCSP responder, the NetScaler can query the
status of more than one client certificate in the same request. For this to work efficiently,
a timeout needs to be defined so that processing of a single certificate is not inordinately
delayed while waiting to form a batch.
92
OCSP Response Caching

Caching of responses received from the OCSP responder enables faster responses to the
clients and reduces the load on the OCSP responder. Upon receiving the revocation status
of a client certificate from the OCSP responder, the NetScaler caches the response locally
for a predefined length of time. When a client certificate is received during an SSL
handshake, the NetScaler first checks its local cache for an entry for this certificate. If an
entry is found that is still valid (within the cache timeout limit), it is evaluated and the
client certificate is accepted or rejected. If a certificate is not found, the NetScaler sends a
request to the OCSP responder and stores the response in its local cache for a configured
length of time.
93
Configuring an OCSP Responder

Configuring OCSP involves adding an OCSP responder, binding the OCSP responder to a
certification authority (CA) certificate, and binding the certificate to an SSL virtual server.
If you need to bind a different certificate to an OCSP responder that has already been
configured, you need to first unbind the responder and then bind the responder to a
different certificate.
To add an OCSP responder by using the command

line interface
At the command prompt, type the following commands to configure OCSP and verify the
configuration:
add ssl ocspResponder <name> -url <URL> [-cache ( ENABLED | DISABLED

)[-cacheTimeout <positive_integer>]] [ -batchingDepth
<positive_integer>][-batchingDelay <positive_integer>] [-resptimeout
<positive_integer>] [-responderCert <string> | -trustResponder] [-producedAtTimeSkew
<positive_integer>][-signingCert <string>][-useNonce ( YES | NO )][ -insertClientCert(
YES | NO )]
bind ssl certKey [<certkeyName>] [-ocspResponder <string>] [-priority

<positive_integer>]
bind ssl vserver <vServerName>@ (-certkeyName <string> ( CA [-ocspCheck ( Mandatory

| Optional )]))
show ssl ocspResponder [<name>]
Example
add ssl ocspResponder ocsp_responder1 -url "http:// www.myCA.org:80/ocsp/" -cache ENABLED -cacheTimeo
bind ssl certKey ca_cert -ocspResponder ocsp_responder1 -priority 1
bind ssl vserver vs1 -certkeyName ca_cert -CA -ocspCheck Mandatory
sh ocspResponder ocsp_responder1
1)Name: ocsp_responder1
URL: http://www.myCA.org:80/ocsp/, IP: 192.128.22.22
Caching: Enabled
Timeout: 30 minutes
Batching: 8 Timeout: 100 mS
HTTP Request Timeout: 100mS
Request Signing Certificate: sign_cert
Response Verification: Full, Certificate: responder_cert
ProducedAt Time Skew: 300 s
Nonce Extension: Enabled
Client Cert Insertion: Enabled
Done
94
show certkey ca_cert

Name: ca_cert
Version: 3
1) VServer name: vs1

CA Certificate
1) OCSP Responder name: ocsp_responder1
Priority: 1
Done
sh ssl vs vs1
Advanced SSL configuration for VServer vs1:
DH: DISABLED
1) CertKey Name: ca_cert CA Certificate OCSPCheck: Mandatory

Done
To modify an OCSP responder by using the command

line interface
You cannot modify the responder name. All other parameters can be changed using the set
ssl ocspResponder command.
At the command prompt, type the following commands to set the parameters and verify the
configuration:
95
set ssl ocspResponder <name> [-url <URL>] [-cache ( ENABLED | DISABLED)]

[-cacheTimeout <positive_integer>] [-batchingDepth <positive_integer>]
[-batchingDelay <positive_integer>] [-resptimeout <positive_integer>] [ -responderCert
<string> | -trustResponder][-producedAtTimeSkew <positive_integer>][-signingCert
<string>] [-useNonce ( YES | NO )]
unbind ssl certKey [<certkeyName>] [-ocspResponder <string>]
bind ssl certKey [<certkeyName>] [-ocspResponder <string>] [-priority

<positive_integer>]
show ssl ocspResponder [<name>]
To configure an OCSP responder by using the

1. Navigate to Traffic Management > SSL > OCSP Responder, and configure an OCSP
responder.
2. Navigate to Traffic Management > SSL > Certificates, select a certificate, and in the
Action list, select OCSP Bindings. Bind an OCSP responder.
3. Navigate to Traffic Management > Load Balancing > Virtual Servers, open a virtual
server, and click in the Certificates section to bind a CA certificate.
4. Optionally, select select OCSP Mandatory.

CLI procedure)
add ssl ocspResponder
name
Name for the OCSP responder. Cannot begin with a hash (#) or space character and must
contain only ASCII alphanumeric, underscore (_), hash (#), period (.), space, colon (:), at
(@), equals (=), and hyphen (-) characters. Cannot be changed after the responder is
created.
marks (for example, "my responder" or 'my responder').
url
URL of the OCSP responder.
cache
Enable caching of responses. Caching of responses received from the OCSP responder
enables faster responses to the clients and reduces the load on the OCSP responder.
cacheTimeout
Timeout for caching the OCSP response. After the timeout, the NetScaler sends a fresh
request to the OCSP responder for the certificate status. If a timeout is not specified,
the timeout provided in the OCSP response applies.
Default value: 1
Minimum value: 1
96

Maximum value: 1440
batchingDepth
Number of client certificates to batch together into one OCSP request. Batching avoids
overloading the OCSP responder. A value of 1 signifies that each request is queried
independently. For a value greater than 1, specify a timeout (batching delay) to avoid
inordinately delaying the processing of a single certificate.
Minimum value: 1
Maximum value: 8
batchingDelay
Maximum time, in milliseconds, to wait to accumulate OCSP requests to batch. Does not
apply if the Batching Depth is 1.
Maximum value: 10000
resptimeout
Time, in milliseconds, to wait for an OCSP response. When this time elapses, an error
message appears or the transaction is forwarded, depending on the settings on the
virtual server. Includes Batching Delay time.
producedAtTimeSkew
Time, in seconds, for which the NetScaler waits before considering the response as
invalid. The response is considered invalid if the Produced At time stamp in the OCSP
response exceeds or precedes the current NetScaler clock time by the amount of time
specified.
Default value: 300
signingCert
Certificate-key pair that is used to sign OCSP requests. If this parameter is not set, the
requests are not signed.
useNonce
Enable the OCSP nonce extension, which is designed to prevent replay attacks.
insertClientCert
Include the complete client certificate in the OCSP request.
97

bind ssl certKey

certkeyName
ocspResponder
Name of the OCSP responder to be associated with the CA certificate.
bind ssl vserver

certkeyName
show ssl ocspResponder

name
Name of the OCSP responder for which to show detailed information.
set ssl ocspResponder

name
Name of the OCSP responder to modify.
url
URL of the OCSP responder.
cache
Enable caching of responses. Caching of responses received from the OCSP responder
enables faster responses to the clients and reduces the load on the OCSP responder.
cacheTimeout
Timeout for caching the OCSP response. After the timeout, the NetScaler sends a fresh
request to the OCSP responder for the certificate status. If a timeout is not specified,
the timeout provided in the OCSP response applies.
98

Default value: 1
Minimum value: 1
Maximum value: 1440
batchingDepth
Number of client certificates to batch together into one OCSP request. Batching avoids
overloading the OCSP responder. A value of 1 signifies that each request is queried
independently. For a value greater than 1, specify a timeout (batching delay) to avoid
inordinately delaying the processing of a single certificate.
Minimum value: 1
Maximum value: 8
batchingDelay
Maximum time, in milliseconds, to wait to accumulate OCSP requests to batch. Does not
apply if the Batching Depth is 1.
resptimeout
Time, in milliseconds, to wait for an OCSP response. When this time elapses, an error
message appears or the transaction is forwarded, depending on the settings on the
virtual server. Includes Batching Delay time.
producedAtTimeSkew
Time, in seconds, for which the NetScaler waits before considering the response as
invalid. The response is considered invalid if the Produced At time stamp in the OCSP
response exceeds or precedes the current NetScaler clock time by the amount of time
specified.
Default value: 300
signingCert
Certificate-key pair that is used to sign OCSP requests. If this parameter is not set, the
requests are not signed.
useNonce
Enable the OCSP nonce extension, which is designed to prevent replay attacks.
99
unbind ssl certKey

certkeyName
Name of the certificate-key pair to unbind.
ocspResponder
Name of the OCSP responder.
100
Configuring Client Authentication

In a typical SSL transaction, the client that is connecting to a server over a secure
connection checks the validity of the server by checking the server's certificate before
initiating the SSL transaction. In some cases, however, you might want to configure the
server to authenticate the client that is connecting to it.
With client authentication enabled on an SSL virtual server, the NetScaler appliance asks
for the client certificate during the SSL handshake. The appliance checks the certificate
presented by the client for normal constraints, such as the issuer signature and expiration
date.
Note: For the NetScaler to verify issuer signatures, the certificate of the CA that issued
the client certificate must be installed on the NetScaler and bound to the virtual server
that the client is transacting with.
If the certificate is valid, the NetScaler allows the client to access all secure resources. But
if the certificate is invalid, the NetScaler drops the client request during the SSL
handshake.
The NetScaler verifies the client certificate by first forming a chain of certificates, starting
with the client certificate and ending with the root CA certificate for the client (for
example, VeriSign). The root CA certificate may contain one or more intermediate CA
certificates (if the client certificate is not directly issued by the root CA).
Before you enable client authentication on the NetScaler, make sure that a valid client
certificate is installed on the client. Then, enable client authentication for the virtual
server that will handle the transactions. Finally, bind the certificate of the CA that issued
the client certificate to the virtual server on the NetScaler.
Note: The NetScaler appliance supports a certificate-key pair size of 512 to 4096 bits.
The certificate must be signed by using one of the following hash algorithms:
MD5
SHA-1
SHA-224
SHA-256
SHA-384
SHA-512
A NetScaler virtual appliance supports certificates of up to the following sizes:
101
4096-bit CA certificate
Configuring Client Authentication
102
2048-bit certificate on the physical server
Providing the Client Certificate

Before you configure client authentication, a valid client certificate must installed on the
client. A client certificate includes details about the specific client system that will create
secure sessions with the NetScaler appliance. Each client certificate is unique and should be
used by only one client system.
Whether you obtain the client certificate from a CA, use an existing client certificate, or
generate a client certificate on the NetScaler appliance, you must convert the certificate
to the correct format. On the NetScaler, certificates are stored in either the PEM or DER
format and must be converted to PKCS#12 format before they are installed on the client
system. After converting the certificate and transferring it to the client, system, make sure
that it is installed on that system and configured for the client application that will be part
of the SSL transactions (for example, the web browser).
For instructions on how to convert a certificate from PEM or DER format to PKCS#12 format,
see Converting SSL Certificates for Import or Export.
For instructions on how to generate a client certificate, see Generating Self-Signed
Certificates.
103
Enabling Client-Certificate-Based
Authentication
By default, client authentication is disabled on the NetScaler appliance, and all SSL
transactions proceed without authenticating the client. You can configure client
authentication to be either optional or mandatory as part of the SSL handshake.
If client authentication is optional, the NetScaler requests the client certificate but
proceeds with the SSL transaction even if the client presents an invalid certificate. If client
authentication is mandatory, the NetScaler terminates the SSL handshake if the SSL client
does not provide a valid certificate.
Caution: Citrix recommends that you define proper access control policies before
changing client-certificate-based authentication check to optional.
Note: Client authentication is configured for individual SSL virtual servers, not globally.
To enable client-certificate-based authentication by

At the command prompt, type the following commands to enable the
client-certificate-based authentication and verify the configuration:
set ssl vserver <vServerName> [-clientAuth (ENABLED | DISABLED)] [-clientCert

(MANDATORY | OPTIONAL)]
Example
> set ssl vserver vssl -clientAuth ENABLED -clientCert Mandatory

Done
> show ssl vserver vssl
DH: DISABLED
Refresh Count: 0
ClearText Port: 0
Client Auth: ENABLED Client Cert Required: Mandatory
104
Enabling Client-Certificate-Based Authentication
1)
CertKey Name: sslckey Server Certificate
1)
Policy Name: client_cert_policy Priority: 0
1)

Done
To enable client-certificate-based authentication by

1. Navigate to Traffic Management > Load Balancing > Virtual Servers, and open a virtual
server.
2. In the SSL Parameters section, select Client Authentication, and in the Client
Certificate list, select Mandatory.

CLI procedure)
set ssl vserver
vServerName
Name of the SSL virtual server for which to set advanced configuration.
clientAuth
State of client authentication. If client authentication is enabled, the virtual server
terminates the SSL handshake if the SSL client does not provide a valid certificate.
105
Binding CA Certificates to the Virtual

Server
A CA whose certificate is present on the NetScaler appliance must issue the client
certificate used for client authentication. You must bind this certificate to the NetScaler
virtual server that will carry out client authentication.
You must bind the CA certificate to the SSL virtual server in such a way that the NetScaler
can form a complete certificate chain when it verifies the client certificate. Otherwise,
certificate chain formation fails and the client is denied access even if its certificate is
valid.
You can bind CA certificates to the SSL virtual server in any order. The NetScaler forms the
proper order during client certificate verification.
For example, if the client presents a certificate issued by CA_A, where CA_A is an
intermediate CA whose certificate is issued by CA_B, whose certificate is in turn issued by a
trusted root CA, Root_CA, a chain of certificates that contain all three of these certificates
must be bound to the virtual server on the NetScaler.
For instructions on binding one or more certificates to the virtual server, see Binding the
Certificate-key Pair to the SSL Based Virtual Server.
For instructions on creating a chain of certificates, see Creating a Chain of Certificates.
106
Customizing the SSL Configuration

Once your basic SSL configuration is operational, you can customize some of the parameters
that are specific to the certificates being used in SSL transactions. You can also enable and
disable session reuse and client authentication, and you can configure redirect responses
for cipher and SSLv2 protocol mismatches.
You can also customize SSL settings for two NetScaler appliances in a High Availability
configuration, and you can synchronize settings, certificates and keys across those
appliances.
These settings will depend on your network deployment and the type of clients you expect
will connect to your servers.
107
Configuring Diffie-Hellman (DH)

Parameters
If you are using ciphers on the NetScaler that require a DH key exchange to set up the SSL
transaction, enable DH key exchange on the NetScaler and configure other settings based
on your network.
To list the ciphers for which DH parameters must be set by using the NetScaler command
line, type: sh cipher DH.
To list the ciphers for which DH parameters must be set by using the configuration utility,
navigate to Traffic Management > SSL > Cipher Groups, and double-click DH.
For details on how to enable DH key exchange, see Generating a Diffie-Hellman (DH) Key.
To configure DH Parameters by using the command

line interface
At the command prompt, type the following commands to configure DH parameters and
set ssl vserver <vserverName> -dh <Option> -dhCount <RefreshCountValue> -filepath

<string>
Example
> set ssl vserver vs-server -dh ENABLED -dhFile /nsconfig/ssl/ns-server.cert -dhCount 1000
Done
> show ssl vserver vs-server
Advanced SSL configuration for VServer vs-server:
DH: ENABLED
Refresh Count: 1000
ClearText Port: 0
1)
108
Configuring Diffie-Hellman (DH) Parameters

Done
To configure DH Parameters by using the

server.
2. In the SSL Parameters section, select Enable DH Param, and specify a refresh count and
file path.

CLI procedure)
set ssl vserver
vserverName
dh
State of Diffie-Hellman (DH) key exchange.
dhCount
Number of interactions, between the client and the NetScaler appliance, after which the
DH private-public pair is regenerated. A value of zero (0) specifies infinite use (no
refresh).
show ssl vserver

vServerName
109
Configuring Ephemeral RSA

Ephemeral RSA allows export clients to communicate with the secure server even if the
server certificate does not support export clients (1024-bit certificate). If you want to
prevent export clients from accessing the secure web object and/or resource, you need to
disable ephemeral RSA key exchange.
By default, this feature is enabled on the NetScaler appliance, with the refresh count set to
zero (infinite use).
Note:
The ephemeral RSA key is automatically generated when you bind an export cipher to an
SSL or TCP-based SSL virtual server or service. When you remove the export cipher, the
eRSA key is not deleted but reused at a later date when another export cipher is bound to
an SSL or TCP-based SSL virtual server or service. The eRSA key is deleted when the system
restarts.
To configure Ephemeral RSA by using the command

line interface
At the command prompt, type the following commands to configure ephemeral RSA and
set ssl vserver <vServerName> -eRSA (enabled | disabled) -eRSACount

<positive_integer>
Example
> set ssl vserver vs-server -eRSA ENABLED -eRSACount 1000

Done
DH: DISABLED
Refresh Count: 1000
ClearText Port: 0
110
Configuring Ephemeral RSA

1)

Done
To configure Ephemeral RSA by using the

server.
2. In the SSL Parameters section, select Enable Ephemereal RSA, and specify a refresh
count.

CLI procedure)
set ssl vserver
vServerName
eRSA
State of Ephemeral RSA (eRSA) key exchange. Ephemeral RSA allows clients that support
only export ciphers to communicate with the secure server even if the server certificate
does not support export clients. The ephemeral RSA key is automatically generated when
you bind an export cipher to an SSL or TCP-based SSL virtual server or service. When you
remove the export cipher, the eRSA key is not deleted. It is reused at a later date when
another export cipher is bound to an SSL or TCP-based SSL virtual server or service. The
eRSA key is deleted when the appliance restarts.
Default value: ENABLED
show ssl vserver

vServerName
111
Configuring Session Reuse

For SSL transactions, establishing the initial SSL handshake requires CPU-intensive public
key encryption operations. Most handshake operations are associated with the exchange of
the SSL session key (client key exchange message). When a client session is idle for some
time and is then resumed, the SSL handshake is typically conducted all over again. With
session reuse enabled, session key exchange is avoided for session resumption requests
received from the client.
Session reuse is enabled on the NetScaler appliance by default. Enabling this feature
reduces server load, improves response time, and increases the number of SSL transactions
per second (TPS) that can be supported by the server.
To configure session reuse by using the command

line interface
At the command prompt, type the following commands to configure session reuse and verify
the configuration:
set ssl vserver <vServerName> -sessReuse ( ENABLED | DISABLED ) -sessTimeout

<positive_integer>
Example
> set ssl vserver vs-ssl -sessreuse enabled -sesstimeout 600

Done
> show ssl vserver vs-ssl
Advanced SSL configuration for VServer vs-ssl:
DH: DISABLED
Refresh Count: 1000
ClearText Port: 0
112
1)
CertKey Name: Auth-Cert-1
Server Certificate
1)

Configuring Session Reuse

Done
To configure session reuse by using the configuration

utility
server.
2. In the SSL Parameters section, select Enable Session Reuse, and specify a time for
which to keep the session active.

CLI procedure)
set ssl vserver
vServerName
sessReuse
State of session reuse. Establishing the initial handshake requires CPU-intensive public
key encryption operations. With the ENABLED setting, session key exchange is avoided for
session resumption requests received from the client.
show ssl vserver

vServerName
113
Configuring Cipher Redirection

During the SSL handshake, the SSL client (usually a web browser) announces the suite of
ciphers that it supports, in the configured order of cipher preference. From that list, the
SSL server then selects a cipher that matches its own list of configured ciphers.
If the ciphers announced by the client do not match those configured on the SSL server, the
SSL handshake fails, and the failure is announced by a cryptic error message displayed in
the browser. These messages rarely mention the exact cause of the error.
With cipher redirection, you can configure an SSL virtual server to deliver accurate,
meaningful error messages when an SSL handshake fails. When SSL handshake fails, the
NetScaler appliance redirects the user to a previously configured URL or, if no URL is
configured, displays an internally generated error page.
To configure cipher redirection by using the

At the command prompt, type the following commands to configure cipher redirection and
set ssl vserver <vServerName> -cipherRedirect < ENABLED | DISABLED> -cipherURL <
URL>
Example
> set ssl vserver vs-ssl -cipherRedirect ENABLED -cipherURL http://redirectURl

Done
DH: DISABLED
Refresh Count: 1000
Cipher Redirect: ENABLED
Redirect URL: http://redirectURl
ClearText Port: 0
114
1)
1)
Server Certificate
Configuring Cipher Redirection

Done
To configure cipher redirection by using the

server.
2. In the SSL Parameters section, select Enable Cipher Redirect, and specify a redirect
URL.

CLI procedure)
set ssl vserver
vServerName
cipherRedirect
State of Cipher Redirect. If cipher redirect is enabled, you can configure an SSL virtual
server or service to display meaningful error messages if the SSL handshake fails because
of a cipher mismatch between the virtual server or service and the client.
show ssl vserver

vServerName
115
Configuring SSLv2 Redirection

For an SSL transaction to be initiated, and for successful completion of the SSL handshake,
the server and the client should agree on an SSL protocol that both of them support. If the
SSL protocol version supported by the client is not acceptable to the server, the server does
not go ahead with the transaction, and an error message is displayed.
You can configure the server to display a precise error message (user-configured or
internally generated) advising the client on the next action to be taken. Configuring the
server to display this message requires that you set up SSLv2 redirection.
To configure SSLv2 redirection by using the

At the command prompt, type the following commands to configure SSLv2 redirection and
set ssl vserver <vServerName> [-sslv2Redirect ( ENABLED | DISABLED ) [-sslv2URL

<URL>]]
Example
> set ssl vserver vs-ssl -sslv2Redirect ENABLED -sslv2URL http://sslv2URL

Done
DH: DISABLED
Refresh Count: 1000
SSLv2 Redirect: ENABLED Redirect URL: http://sslv2URL
ClearText Port: 0
1)
1)
Server Certificate

Done
116
Configuring SSLv2 Redirection
To configure SSLv2 redirection by using the

server.
2. In the SSL Parameters section, select SSLv2 Redirect, and specify a URL.

CLI procedure)
set ssl vserver
vServerName
sslv2Redirect
State of SSLv2 Redirect. If SSLv2 redirect is enabled, you can configure an SSL virtual
server or service to display meaningful error messages if the SSL handshake fails because
of a protocol version mismatch between the virtual server or service and the client.
show ssl vserver

vServerName
117
Configuring SSL Protocol Settings

The NetScaler appliance supports the SSLv2, SSLv3, TLSv1 , TLSv1.1, and TLSv1.2 protocols.
Each of these can be set on the appliance as required by your deployment and the type of
clients that will connect to the appliance.
Note: Support for TLS protocol versions 1.1 and 1.2 is not available on a FIPS appliance or
on a NetScaler virtual appliance.
To configure SSL protocol support by using the

At the command prompt, type the following commands to configure SSL protocol support
and verify the configuration:
set ssl vserver <vServerName> -ssl2 ( ENABLED | DISABLED ) -ssl3 ( ENABLED | DISABLED
) -tls1 ( ENABLED | DISABLED ) -tls11 ( ENABLED | DISABLED ) -tls12 ( ENABLED |
DISABLED )
Example
> set ssl vserver vs-ssl -tls11 ENABLED -tls12 ENABLED

Done
> sh ssl vs vs-ssl
DH: DISABLED
Refresh Count: 0
ClearText Port: 0
SNI: DISABLED
SSLv2: DISABLED
SSLv3: ENABLED TLSv1.0: ENABLED TLSv1.1: ENABLED TLSv1.2: ENABLED
1)
1)
118
1 bound certificate:
CertKey Name: mycert Server Certificate
1 configured cipher:

Done
To configure SSL protocol support by using the

configuration Utility
server.
2. In the SSL Parameters section, select a protocol to enable.

CLI procedure)
set ssl vserver
vServerName
ssl2
State of SSLv2 protocol support for the SSL Virtual Server.
ssl3
State of SSLv3 protocol support for the SSL Virtual Server.
tls1
State of TLSv1.0 protocol support for the SSL Virtual Server.
tls11
State of TLSv1.1 protocol support for the SSL Virtual Server. TLSv1.1 protocol is
supported only on the MPX appliance. Support is not available on a FIPS appliance or on a
NetScaler VPX virtual appliance. On an SDX appliance, TLSv1.1 protocol is supported only
if an SSL chip is assigned to the instance.
119

tls12
State of TLSv1.2 protocol support for the SSL Virtual Server. TLSv1.2 protocol is
supported only on the MPX appliance. Support is not available on a FIPS appliance or on a
NetScaler VPX virtual appliance. On an SDX appliance, TLSv1.2 protocol is supported only
if an SSL chip is assigned to the instance.
show ssl vserver

vServerName
120
Configuring Close-Notify
A close-notify is a secure message that indicates the end of SSL data transmission. A
close-notify setting is required at the global level. This setting applies to all virtual servers,
services, and service groups. For information about the global setting, see Configuring
Advanced SSL Settings.
In addition to the global setting, you can set the close-notify parameter at the virtual
server, service, or service group level. You therefore have the flexibility of setting the
parameter for one entity and unsetting it for another entity. However, make sure that you
set this parameter at the global level. Otherwise, the setting at the entity level does not
apply.
To configure close-notify at the entity level by using

At the command prompt, type any of the following commands to configure close-notify and
1. To configure close-notify at the virtual server level, type:
set ssl vserver <vServerName> -sendCloseNotify ( YES | NO )

2. To configure close-notify at the service level, type:
set ssl service <serviceName> -sendCloseNotify ( YES | NO )
show ssl service <serviceName>

3. To configure close-notify at the service group level, type:
set ssl serviceGroup <serviceGroupName> -sendCloseNotify ( YES | NO )
show ssl serviceGroup <serviceGroupName>

Example
> set ssl vserver sslvsvr -sendCloseNotify YES

Done
121
To configure close-notify at the entity level by using

the configuration utility
server.
2. In the SSL Parameters section, select Send Close-Notify.

CLI procedure)
set ssl vserver
vServerName
sendCloseNotify
Enable sending SSL Close-Notify at the end of a transaction
Default value: YES
show ssl vserver

vServerName
set ssl service

serviceName
Name of the SSL service.
sendCloseNotify
Default value: YES
122
show ssl service

serviceName
Name of the SSL service for which to show detailed information.
set ssl serviceGroup

serviceGroupName
Name of the SSL service group for which to set advanced configuration.
sendCloseNotify
Default value: YES
show ssl serviceGroup

serviceGroupName
Name of the SSL service group for which to show detailed information.
123
Configuring ECDHE Ciphers

The Citrix NetScaler MPX 22040/22060/22080/22100/22120, MPX 24100/24150, and
MPX/SDX 11515/11520/11530/11540/11542 appliances now support the ECDHE cipher
group. On an SDX appliance, the cipher group is supported only if an SSL chip is assigned to
a VPX instance.
Note: In release 10.5 or later, the VPX virtual appliance also supports the ECDHE cipher
group.
This group contains the following ciphers:
TLS1-ECDHE-RSA-RC4-SHA
TLS1-ECDHE-RSA-DES-CBC3-SHA
TLS1-ECDHE-RSA-AES128-SHA
Because of its smaller key size, Elliptic Curve Cryptography (ECC) is especially useful in a
mobile (wireless) environment or an interactive voice response environment, where every
millisecond is important. Smaller key sizes result in power, memory, bandwidth, and
computational cost savings.
The following ECC curves are supported:
P_256
P_384
P_224
P_521
Note:
On the MPX platform, ECC curves 224 and 521 are not supported with the TLS1.2
protocol.
If you upgrade from a build earlier than release 10.1 build 121.10, you must explicitly
bind ECC curves to your existing SSL virtual servers. The curves are bound by default to
any virtual servers that you create after the upgrade.
You can bind an ECC curve to an SSL virtual server or front end service. If you bind an ECC
curve to a back end service, the error Operation not permitted appears. By default all
four curves are bound, in the following order: P_256, P_384,P_224,P_521. To change the
order, you must first unbind all the curves, and then bind them in the desired order.
124
To unbind and bind an ECC curve to an SSL virtual

server by using the command line
unbind ssl vserver <vServerName> -eccCurveName ALL
bind ssl vserver <vServerName> -eccCurveName <eccCurveName>
Example
unbind ssl vs v1 eccCurvename ALL
bind ssl vserver v1 -eccCurveName P_224
> sh ssl vserver v1
DH: DISABLED
Refresh Count: 0
ClearText Port: 0
SNI: DISABLED
SSLv2: DISABLED SSLv3: ENABLED TLSv1.0: ENABLED TLSv1.1: DISABLED TLSv1.2: DISABLED
ECC Curve: P_224
Done

CLI procedure)
unbind ssl vserver
vServerName
eccCurveName
125

Named ECC curve bound to service/vserver.
Possible values: ALL, P_224, P_256, P_384, P_521
bind ssl vserver

vServerName
eccCurveName
Named ECC curve bound to service/vserver.
Possible values: ALL, P_224, P_256, P_384, P_521
126
Configuring a Common Name on an SSL

Service or Service Group for Server
Certificate Authentication
In end-to-end encryption with server authentication enabled, you can include a common
name in the configuration of an SSL service or service group. The name that you specify is
compared to the common name in the server certificate during an SSL handshake. If the
two names match, the handshake is successful. This configuration is especially useful if
there are, for example, two servers behind a firewall and one of the servers spoofs the
identity of the other. If the common name is not checked, a certificate presented by either
server is accepted if the IP address matches.
To configure common-name verification for an SSL

service or service group by using the command line
interface
At the command prompt, type the following commands to specify server authentication
with common-name verification and verify the configuration:
1. To configure common name in a service, type:
set ssl service <serviceName> -commonName <string> -serverAuth ENABLED

2. To configure common name in a service group, type:
set ssl serviceGroup <serviceGroupName> -commonName <string> -serverAuth

ENABLED
show ssl serviceGroup <serviceGroupName>

Example
> set ssl service svc1 -commonName xyz.com -serverAuth ENABLED

Done
> show ssl service svc1
Advanced SSL configuration for Back-end SSL Service svc1:
DH: DISABLED
Ephemeral RSA: DISABLED
Server Auth: ENABLED Common Name: www.xyz.com
127
Configuring a Common Name on an SSL Service or Service Group for Server Certificate Authentication
SNI: DISABLED
1) CertKey Name: cacert
CA Certificate
OCSPCheck: Optional
1) Cipher Name: ALL

Done
To configure common-name verification for an SSL

service or service group by using the configuration
utility
1. Navigate to Traffic Management > Load Balancing > Services or Navigate to Traffic
Management > Load Balancing > Service Groups, and open a service or service group.
2. In the SSL Parameters section, select Enable Server Authentication, and specify a
common name.

CLI procedure)
set ssl service
serviceName
serverAuth
State of server authentication support for the SSL service.
show ssl service

serviceName
128
Configuring a Common Name on an SSL Service or Service Group for Server Certificate Authentication
set ssl serviceGroup

serviceGroupName
Name of the SSL service group for which to set advanced configuration.
serverAuth
State of server authentication support for the SSL service group.
show ssl serviceGroup

serviceGroupName
Name of the SSL service group for which to show detailed information.
129
Configuring Advanced SSL Settings

Advanced customization of your SSL configuration addresses specific issues. You can use the
set ssl parameter command or the configuration utility to specify the following:
Quantum size to be used for SSL transactions.
CRL memory size.
OCSP cache size.
Deny SSL renegotiation.
Set the PUSH flag for decrypted, encrypted, or all records.
Drop requests if the client initiates the handshake for one domain and sends an HTTP
request for another domain.
Set the time after which encryption is triggered.

Note: The time that you specify applies only if you use the set ssl vserver command
or the configuration utility to set timer-based encryption.
To configure advanced SSL settings by using the

At the command prompt, type the following commands to configure advanced SSL settings
and verify the configuration:
set ssl parameter [-quantumSize <quantumSize>] [-crlMemorySizeMB <positive_integer>]

[-strictCAChecks (YES | NO)] [-sslTriggerTimeout <positive_integer>] [-sendCloseNotify
(YES | NO)] [-encryptTriggerPktCount <positive_integer>] [-denySSLReneg
<denySSLReneg>] [-insertionEncoding (Unicode|UTF-8)] [-ocspCacheSize
<positive_integer>][- pushFlag <positive_integer>] [- dropReqWithNoHostHeader (YES |
NO)] [-pushEncTriggerTimeout <positive_integer>]
show ssl parameter
Example
> set ssl parameter -quantumSize 8 -crlMemorySizeMB 256 -strictCAChecks no -sslt

iggerTimeout 100 -sendClosenotify no -encryptTriggerPktCount 45 -denySSLReneg no
-insertionEncoding unicode -ocspCacheSize 10 -pushFlag 3 -dropReqWithNoHostHeader YES -pushEncTriggerT
Done
> show ssl parameter
Advanced SSL Parameters
130

----------------------SSL quantum size:
8 kB
Max CRL memory size:
256 MB
Strict CA checks:
NO
100 mS
Send Close-Notify
NO
45
NO
OCSP cache size:
10 MB
Push flag:
0x3 (On every decrypted and encrypted record)
PUSH encryption trigger timeout 100 ms
Done
YES
To configure advanced SSL settings by using the

Navigate to Traffic Management > SSL and, in the Settings group, select Change advanced
SSL settings.
PUSH Flag-Based Encryption Trigger Mechanism

The encryption trigger mechanism that is based on the PSH TCP flag now enables you to do
the following:
Merge consecutive packets in which the PSH flag is set into a single SSL record, or
ignore the PSH flag.
Perform timer-based encryption, in which the time-out value is set globally by using the
set ssl parameter -pushEncTriggerTimeout <positive_integer> command.
To configure PUSH flag-based encryption by using the

At the command prompt, type the following commands to configure PUSH flag-based
encryption and verify the configuration:
set ssl vserver <vServerName> [-pushEncTrigger <pushEncTrigger>]
show ssl vserver
Example

DH: DISABLED
131
Refresh Count: 0

ClearText Port: 0
SNI: DISABLED
SSLv2: DISABLED
SSLv3: ENABLED
TLSv1: ENABLED
To configure PUSH flag-based encryption by using the

1. Navigate to Traffic Management > Load Balancing > Virtual servers and open an SSL
virtual server.
2. In the SSL Parameters section, from the PUSH Encryption Trigger list, select a value.

CLI procedure)
set ssl parameter
quantumSize
Amount of data to collect before the data is pushed to the crypto hardware for
encryption. For large downloads, a larger quantum size better utilizes the crypto
resources.
Possible values: 4096, 8192, 16384
Default value: 8192
crlMemorySizeMB
Maximum memory size to use for certificate revocation lists (CRLs). This parameter
reserves memory for a CRL but sets a limit to the maximum memory that the CRLs loaded
on the appliance can consume.
Default value: 256
Minimum value: 10
Maximum value: 1024
strictCAChecks
Enable strict CA certificate checks on the appliance.
132

Default value: NO
sslTriggerTimeout
Time, in milliseconds, after which encryption is triggered for transactions that are not
tracked on the NetScaler appliance because their length is not known. There can be a
delay of up to 10ms from the specified timeout value before the packet is pushed into
the queue.
Default value: 100
Minimum value: 1
Maximum value: 200
sendCloseNotify
Send an SSL Close-Notify message to the client at the end of a transaction.
Default value: YES
Maximum number of queued packets after which encryption is triggered. Use this setting
for SSL transactions that send small packets from server to NetScaler.
Default value: 45
Minimum value: 10
Maximum value: 50
denySSLReneg
Deny renegotiation in specified circumstances. Available settings function as follows:
* NO - Allow SSL renegotiation.
* FRONTEND_CLIENT - Deny secure and nonsecure SSL renegotiation initiated by the
client.
* FRONTEND_CLIENTSERVER - Deny secure and nonsecure SSL renegotiation initiated by
the client or the NetScaler during policy-based client authentication.
* ALL - Deny all secure and nonsecure SSL renegotiation.
* NONSECURE - Deny nonsecure SSL renegotiation. Allows only clients that support RFC
5746.
Possible values: NO, FRONTEND_CLIENT, FRONTEND_CLIENTSERVER, ALL, NONSECURE
Default value: NORENEG_FE_BE
133

insertionEncoding
Encoding method used to insert the subject or issuer's name in HTTP requests to servers.
Possible values: Unicode, UTF-8
Default value: UNICODE_INSERTION
ocspCacheSize
Size, per packet engine, in megabytes, of the OCSP cache. A maximum of 10% of the
packet engine memory can be assigned. Because the maximum allowed packet engine
memory is 4GB, the maximum value that can be assigned to the OCSP cache is
approximately 410 MB.
Default value: 10
Maximum value: 512
pushFlag
Insert PUSH flag into decrypted, encrypted, or all records. If the PUSH flag is set to a
value other than 0, the buffered records are forwarded on the basis of the value of the
PUSH flag. Available settings function as follows:
0 - Auto (PUSH flag is not set.)
1 - Insert PUSH flag into every decrypted record.
2 -Insert PUSH flag into every encrypted record.
3 - Insert PUSH flag into every decrypted and encrypted record.
Maximum value: 3
dropReqWithNoHostHeader
Host header check for SNI enabled sessions. If this check is enabled and the HTTP request
does not contain the host header for SNI enabled sessions, the request is dropped.
Default value: NO
PUSH encryption trigger timeout value. The timeout value is applied only if you set the
Push Encryption Trigger parameter to Timer in the SSL virtual server settings.
Default value: 1
Minimum value: 1
Maximum value: 200
134
show ssl parameter

set ssl vserver

vServerName
pushEncTrigger
Trigger encryption on the basis of the PUSH flag value. Available settings function as
follows:
* ALWAYS - Any PUSH packet triggers encryption.
* IGNORE - Ignore PUSH packet for triggering encryption.
* MERGE - For a consecutive sequence of PUSH packets, the last PUSH packet triggers
encryption.
* TIMER - PUSH packet triggering encryption is delayed by the time defined in the set ssl
parameter command or in the Change Advanced SSL Settings dialog box.
Possible values: Always, Merge, Ignore, Timer
show ssl vserver

135
Synchronizing Configuration Files in a

High Availability Setup
In a high availability (HA) set up, the primary NetScaler appliance in the HA pair
automatically synchronizes with the secondary appliance in the pair. In the synchronization
process, the secondary copies the primary's /nsconfig/ssl/ directory, which is the default
location for storing the certificates and keys for SSL transactions. Synchronization occurs at
one-minute intervals and every time a new file is added to the directory.
To synchronize files in a high availability setup by

sync HA files [<Mode> ]
Example
sync HA files SSL
To synchronize files in a high availability setup by

Navigate to Traffic Management > SSL and, in the Tools group, select Start SSL certificate,
key file synchronization for HA.

CLI procedure)
sync HA files
Mode
Specify one of the following modes of synchronization.
* all - Synchronize files related to system configuration, Access Gateway bookmarks, SSL
certificates, SSL CRL lists, HTML injection scripts, and Application Firewall XML objects.
* bookmarks - Synchronize all Access Gateway bookmarks.
136
Synchronizing Configuration Files in a High Availability Setup

* ssl - Synchronize all certificates, keys, and CRLs for the SSL feature.
* htmlinjection. Synchronize all scripts configured for the HTML injection feature.
* imports. Synchronize all XML objects (for example, WSDLs, schemas, error pages)
configured for the application firewall.
* misc - Synchronize all license files and the rc.conf file.
* all_plus_misc - Synchronize files related to system configuration, Access Gateway
bookmarks, SSL certificates, SSL CRL lists, HTML injection scripts, application firewall
XML objects, licenses, and the rc.conf file.
137
Managing Server Authentication

Since the NetScaler appliance performs SSL offload and acceleration on behalf of a web
server, the appliance does not usually authenticate the Web server's certificate. However,
you can authenticate the server in deployments that require end-to-end SSL encryption.
In such a situation, the NetScaler becomes the SSL client, carries out a secure transaction
with the SSL server, verifies that a CA whose certificate is bound to the SSL service has
signed the server certificate, and checks the validity of the server certificate.
To authenticate the server, you must first enable server authentication and then bind the
certificate of the CA that signed the server's certificate to the SSL service on the NetScaler.
When binding the certificate, you must specify the bind as CA option.
To enable (or disable) server certificate authentication

by using the command line interface
At the command prompt, type the following commands to enable server certificate
authentication and verify the configuration:
set ssl service <serviceName> -serverAuth ( ENABLED | DISABLED )
Example
> set ssl service ssl-service-1 -serverAuth ENABLED

Done
> show ssl service ssl-service-1
Advanced SSL configuration for Back-end SSL Service ssl-service-1:
DH: DISABLED
Server Auth: ENABLED
1)
Cipher Name: ALL

Done
138
To enable (or disable) server certificate authentication

by using the configuration utility
1. Navigate to Traffic Management > Load Balancing > Services, and open an SSL service.
2. In the SSL Parameters section, select Enable Server Authentication, and specify a
Common Name.
3. In Advanced Settings, select Certificates, and bind a CA certificate to the service.
To bind the CA certificate to the service by using the

At the command prompt, type the following commands to bind the CA certificate to the
service and verify the configuration:
bind ssl service <serviceName> -certkeyName <string> -CA
Example
> bind ssl service ssl-service-1 -certkeyName samplecertkey -CA

Done
> show ssl service ssl-service-1
Advanced SSL configuration for Back-end SSL Service ssl-service-1:
DH: DISABLED
Server Auth: ENABLED
1)
1)
CertKey Name: samplecertkey
CA Certificate
Cipher Name: ALL

Done
139
CRLCheck: Optional

CLI procedure)
set ssl service
serviceName
serverAuth
State of server authentication support for the SSL service.
show ssl service

serviceName
bind ssl service

serviceName
Name of the SSL service for which to set advanced configuration.
certkeyName
140
Configuring User-Defined Cipher Groups

on the NetScaler Appliance
A cipher group is a set of cipher suites that you bind to an SSL virtual server, service, or
service group on the NetScaler appliance. A cipher suite comprises a protocol, a key
exchange (Kx) algorithm, an authentication (Au) algorithm, an encryption (Enc) algorithm,
and a message authentication code (Mac) algorithm. Your appliance ships with a predefined
set of cipher groups. When you create a SSL service or SSL service group, the ALL cipher
group is automatically bound to it. However, when you create an SSL virtual server or a
transparent SSL service, the DEFAULT cipher group is automatically bound to it. In addition,
you can create a user-defined cipher group and bind it to an SSL virtual server, service, or
service group.
Note: If your MPX appliance does not have any licenses, then only the EXPORT cipher is
bound to your SSL virtual server, service, or service group.
To create a user-defined cipher group, first you create a cipher group and then you bind
ciphers or cipher groups to this group. If you specify a cipher alias or a cipher group, all the
ciphers in the cipher alias or group are added to the user-defined cipher group. You can
also add individual ciphers (cipher suites) to a user-defined group. However, you cannot
modify a predefined cipher group. Before removing a cipher group, unbind all the cipher
suites in the group.
If you bind a cipher group to an SSL virtual server, service, or service group, the ciphers are
appended to the existing ciphers that are bound to the entity. To bind a specific cipher
group to the entity, you must first unbind the ciphers or cipher group that is bound to the
entity and then bind the specific cipher group. For example, to bind only the AES cipher
group to an SSL service, you perform the following steps:
1. Unbind the default cipher group ALL that is bound by default to the service when the
service is created.
unbind ssl service <service name> -cipherName ALL
2. Bind the AES cipher group to the service
bind ssl service <Service name> -cipherName AE
If you want to bind the cipher group DES in addition to AES, at the command prompt, type:
bind ssl service <service name> -cipherName DES
Note: The free NetScaler virtual appliance supports only the DH cipher group.
141
Configuring User-Defined Cipher Groups on the NetScaler Appliance
To configure a user-defined cipher group by using the

At the command prompt, type the following commands to add a cipher group, or to add
ciphers to a previously created group, and verify the settings:
add ssl cipher <cipherGroupName>
bind ssl cipher <cipherGroupName> -cipherName <string>
show ssl cipher <cipherGroupName>
Example
> add ssl cipher test

Done
> bind ssl cipher test -cipherName SSLv2
Done
> show ssl cipher test
1)
Cipher Name: SSL2-RC2-CBC-MD5
Description: SSLv2 Kx=RSA
Au=RSA Enc=RC2(128) Mac=MD5
2)
Cipher Name: SSL2-RC4-MD5
3)
Cipher Name: SSL2-DES-CBC3-MD5
Au=RSA Enc=3DES(168) Mac=MD5
4)
Cipher Name: SSL2-DES-CBC-MD5
Au=RSA Enc=DES(56) Mac=MD5
5)
Cipher Name: SSL2-RC4-64-MD5
6)
Cipher Name: SSL2-EXP-RC4-MD5
Description: SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 Export
7)
Cipher Name: SSL2-EXP-RC2-CBC-MD5
Done
To unbind ciphers from a cipher group by using the

At the command prompt, type the following commands to unbind ciphers from a
user-defined cipher group, and verify the settings:
unbind ssl cipher <cipherGroupName> -cipherName <string>
Example
142

1) Cipher Name: SSL2-RC2-CBC-MD5
Description: SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
2) Cipher Name: SSL2-RC4-MD5
3) Cipher Name: SSL2-DES-CBC3-MD5
Description: SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
4) Cipher Name: SSL2-DES-CBC-MD5
Description: SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
5) Cipher Name: SSL2-RC4-64-MD5
6) Cipher Name: SSL2-EXP-RC4-MD5
7) Cipher Name: SSL2-EXP-RC2-CBC-MD5
Done
> unbind ssl cipher test -cipherName SSL2-RC2-CBC-MD5
1) Cipher Name: SSL2-RC4-MD5
2) Cipher Name: SSL2-DES-CBC3-MD5
Description: SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
3) Cipher Name: SSL2-DES-CBC-MD5
Description: SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
4) Cipher Name: SSL2-RC4-64-MD5
5) Cipher Name: SSL2-EXP-RC4-MD5
6) Cipher Name: SSL2-EXP-RC2-CBC-MD5
Done
To remove a cipher group by using the command line

interface
Note: You cannot remove a built-in cipher group. Before removing a user-defined cipher
group, make sure that the cipher group is empty.
At the command prompt, type the following commands to remove a user-defined cipher
group, and verify the configuration:
rm ssl cipher <userDefCipherGroupName> [<cipherName> ...]
Example
143

> rm ssl cipher test
Done
> sh ssl cipher test
ERROR: No such resource [cipherGroupName, test]
To configure a user-defined cipher group by using the

Navigate to Traffic Management > SSL > Cipher Groups, and configure a cipher group.
To bind a cipher group to an SSL virtual server,

service, or service group by using the command line
interface
At the command prompt, type one of the following:
bind ssl vserver <vServerName> -cipherName <string>
bind ssl service <serviceName> -cipherName <string>
bind ssl serviceGroup <serviceGroupName> -cipherName <string>
Examples
> bind ssl vserver ssl_vserver_test -cipherName test

Done
bind ssl service nshttps -cipherName test
Done
> bind ssl servicegroup ssl_svc -cipherName test
Done
To bind a cipher group to an SSL virtual server,

service, or service group by using the configuration
utility
1. Navigate to Traffic Management > Load Balancing > Virtual Servers or navigate to
Traffic Management > Load Balancing > Services or navigate to Traffic Management >
Load Balancing > Service Groups, and open the virtual server, service, or service group.
2. In Advanced Settings, select SSL Ciphers, and bind a cipher group to the virtual server,
service, or service group.
144

CLI procedure)
bind ssl vserver
vServerName
cipherName
Name of the individual cipher, user-defined cipher group, or predefined (built-in) cipher
alias.
bind ssl service

serviceName
cipherName
Name of the individual cipher, user-defined cipher group, or predefined (built-in) cipher
alias.
bind ssl serviceGroup

serviceGroupName
The name of the SSL service to which the SSL policy needs to be bound.
cipherName
A cipher-suite can consist of an individual cipher name, the system predefined
cipher-alias name, or user defined cipher-group name.
145
Configuring SSL Actions and Policies

An SSL policy evaluates incoming traffic and applies a predefined action to requests that
match a rule (expression). You have to configure the actions before creating the policies, so
that you can specify an action when you create a policy. To put a policy into effect, you
must either bind it to a virtual server on the appliance, so that it applies only to traffic
flowing through that virtual server, or bind it globally, so that it applies to all traffic
flowing through the appliance.
SSL actions define SSL settings that you can apply to the selected requests. You associate
an action with one or more policies. Data in client connection requests or responses is
compared to a rule specified in the policy, and the action is applied to connections that
match the rule (expression).
You can configure classic policies with classic expressions and default syntax policies with
default syntax expressions for SSL. For a complete description of these expressions, how
they work, and how to configure them manually, see .
Note: Users who are not experienced in configuring policies at the NetScaler command
line usually find using the configuration utility to be considerably easier.
You can associate a user-defined action or a built-in action to a default syntax policy.
Classic policies allow only user-defined actions. In default syntax policy, you can also group
policies under a policy label, in which case they are applied only when invoked from
another policy.
Common uses of SSL actions and policies include per-directory client authentication,
support for Outlook web access, and SSL-based header insertions. SSL-based header
insertions contain SSL settings required by a server whose SSL processing has been offloaded
to the NetScaler appliance.
146
Configuring User-Defined Actions for SSL

Policies
SSL policies require that you create an action before creating a policy, so that you can
specify the actions when you create the policies. In SSL default syntax policies, you can also
use the built-in actions. For more information about built-in actions, see Configuring
Built-in SSL Actions.
To configure an SSL action by using the command

line interface
At the command prompt, type the following commands to configure an action and verify
the configuration:
add SSL action <name> -clientAuth(DOCLIENTAUTH | NOCLIENTAUTH) -clientCert

(ENABLED | DISABLED) certHeader <string> -clientHeader <string>
-clientCertSerialNumber (ENABLED | DISABLED) -certSerialHeader <string>
-clientCertSubject (ENABLED | DISABLED) -certSubjectHeader <string> -clientCertHash
(ENABLED | DISABLED) -certHashHeader <string> -clientCertIssuer (ENABLED |
DISABLED) -certIssuerHeader <string> -sessionID (ENABLED | DISABLED) -sessionIDheader
<string> -cipher (ENABLED | DISABLED) -cipherHeader <string> -clientCertNotBefore
(ENABLED | DISABLED) -certNotBeforeHeader <string> -clientCertNotAfter (ENABLED |
DISABLED) -certNotAfterHeader <string> -OWASupport (ENABLED | DISABLED)
show ssl action [<name>]
Example
> add ssl action Action-SSL-ClientCert -clientCert ENABLED -certHeader "X-Client-Cert"

Done
> show ssl action Action-SSL-ClientCert
1)
Name: Action-SSL-ClientCert
Data Insertion Action:
Cert Header: ENABLED
Cert Tag: X-Client-Cert
Done
To configure an SSL action by using the configuration

utility
Navigate to Traffic Management > SSL > Policies and, on the Actions tab, click Add.
147
Configuring User-Defined Actions for SSL Policies

CLI procedure)
add SSL action
name
Name for the SSL action. Must begin with an ASCII alphanumeric or underscore (_)
space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after
the action is created.
marks (for example, "my action" or 'my action').
clientAuth
Perform client certificate authentication.
Possible values: DOCLIENTAUTH, NOCLIENTAUTH
clientCert
Insert the entire client certificate into the HTTP header of the request being sent to the
web server. The certificate is inserted in ASCII (PEM) format.
clientCertSerialNumber
Insert the entire client serial number into the HTTP header of the request being sent to
the web server.
clientCertSubject
Insert the client certificate subject, also known as the distinguished name (DN), into the
HTTP header of the request being sent to the web server.
clientCertHash
Insert the certificate signature (hash) into the HTTP header of the request being sent to
the web server.
clientCertIssuer
148

Insert the certificate issuer details into the HTTP header of the request being sent to the
web server.
sessionID
Insert the SSL session ID into the HTTP header of the request being sent to the web
server. Every SSL connection that the client and the NetScaler share has a unique ID that
identifies the specific connection.
cipher
Insert the cipher suite that the client and the NetScaler appliance negotiated for the SSL
session into the HTTP header of the request being sent to the web server. The appliance
inserts the cipher-suite name, SSL protocol, export or non-export string, and cipher
strength bit, depending on the type of browser connecting to the SSL virtual server or
service (for example, Cipher-Suite: RC4- MD5 SSLv3 Non-Export 128-bit).
clientCertNotBefore
Insert the date from which the certificate is valid into the HTTP header of the request
being sent to the web server. Every certificate is configured with the date and time from
which it is valid.
clientCertNotAfter
Insert the date of expiry of the certificate into the HTTP header of the request being
sent to the web server. Every certificate is configured with the date and time at which
the certificate expires.
OWASupport
If the appliance is in front of an Outlook Web Access (OWA) server, insert a special
header field, FRONT-END-HTTPS: ON, into the HTTP requests going to the OWA server.
This header communicates to the server that the transaction is HTTPS and not HTTP.
show ssl action

name
Name of the SSL action for which to show detailed information.
149

150
Configuring SSL Policies

Policies on the NetScaler help identify specific connections that you want to process. The
processing is based on the actions that are configured for that particular policy. Once you
create the policy and configure an action for it, you must either bind it to a virtual server
on the NetScaler, so that it applies only to traffic flowing through that virtual server, or
bind it globally, so that it applies to all traffic flowing through any virtual server configured
on the NetScaler.
The NetScaler SSL feature supports both classic policies and default syntax policies . For a
complete description of classic and default syntax expressions, how they work, and how to
configure them manually, see .
Note: Users who are not experienced in configuring policies at the NetScaler command
line will usually find using the configuration utility considerably easier.
151
Configuring an SSL Default Syntax Policy

An SSL default syntax policy defines a control or a data action to be performed on requests.
SSL policies can therefore be categorized as control policies and data policies:
Control policy. A control policy uses a control action, such as forcing client
authentication.
Note: In release 10.5 or later, deny SSL renegotiation (denySSLReneg) is set, by
default, to ALL. However, control policies, such as CLIENTAUTH, trigger a
renegotiation handshake. If you use such policies, you must set denySSLReneg to NO.
Data policy. A data policy uses a data action, such as inserting some data into the
request.
The essential components of a policy are an expression and an action. The expression
identifies the requests on which the action is to be performed. SSL policies use the default
expression syntax or the classic expression syntax. For information about expressions and
how to configure them, see .
You can configure a default syntax policy with a built-in action or a user-defined action.
You can configure a policy with a built-in action without creating a separate action.
However, to configure a policy with a user-defined action, first configure the action and
then configure the policy.
You can specify an additional action, called an UNDEF action, to be performed in the event
that applying the expression to a request has an undefined result.
To configure an SSL default syntax policy by using

add ssl policy <name> -rule <expression> -Action <string> [-undefAction <string>]
[-comment <string>]
To configure an SSL default syntax policy by using

the configuration utility
Navigate to Traffic Management > SSL > Policies and, on the Polices tab, click Add.
152

CLI procedure)
add ssl policy
name
Name for the new SSL policy. Must begin with an ASCII alphanumeric or underscore (_)
the policy is created.
marks (for example, "my policy" or 'my policy').
rule
Expression, against which traffic is evaluated. Written in the classic or default syntax.
Note:
Maximum length of a string literal in the expression is 255 characters. A longer string can
be split into smaller strings of up to 255 characters each, and the smaller strings
concatenated with the + operator. For example, you can create a 500-character string as
follows: '"<string of 255 characters>" + "<string of 245 characters>"'
(Classic expressions are not supported in the cluster build.)
The following requirements apply only to the NetScaler CLI:
* If the expression includes one or more spaces, enclose the entire expression in double
quotation marks.
* If the expression itself includes double quotation marks, escape the quotations by using
the character.
* Alternatively, you can use single quotation marks to enclose the rule, in which case you
do not have to escape the double quotation marks.
Action
Name of the built-in or user-defined action to perform on the request. Available built-in
actions are NOOP, RESET, DROP, CLIENTAUTH, and NOCLIENTAUTH.
undefAction
Name of the action to be performed when the result of rule evaluation is undefined.
Possible values for control policies: CLIENTAUTH, NOCLIENTAUTH, NOOP, RESET, DROP.
Possible values for data policies: NOOP, RESET or DROP.
comment
153

Any comments associated with this policy.
154
Configuring Built-in Actions for SSL

Default Syntax Policies
Unless you need only the built-in actions in your policies, you have to create the actions
before creating the policies, so that you can specify the actions when you create the
policies. The built-in actions are of two types, control actions and data actions. You use
control actions in control policies, and data actions in data policies.
The built-in control actions are:
CLIENTAUTHPerform client certificate authentication.
NOCLIENTAUTHDo not perform client certificate authentication.
The built-in data actions are:
RESETClose the connection by sending a RST packet to the client.
DROPDrop all packets from the client. The connection remains open until the client
closes it.
NOOPForward the packet without performing any operation on it.
You can create user-defined data actions. For example, if you enable client authentication,
you can create an SSL action to insert client-certificate data into the request header before
forwarding the request to the web server. For more information about user-defined actions,
see Configuring User-Defined SSL Actions.
If a policy evaluation results in an undefined state, an UNDEF action is performed. For
either a data policy or a control policy, you can specify RESET, DROP, or NOOP as the
UNDEF action. For a control policy, you also have the option of specifying CLIENTAUTH or
NOCLIENTAUTH.
Examples of built-in actions in a policy

In the following example, if the client sends a cipher other than an EXPORT category
cipher, the NetScaler appliance requests client authentication. The client has to provide a
valid certificate for a successful transaction.
add ssl policy pol1 -rule CLIENT.SSL.CIPHER_EXPORTABLE.NOT -reqAction CLIENTAUTH

The following examples assume that client authentication is enabled.
If the version in the certificate provided by the user matches the version in the policy, no
action is taken and the packet is forwarded:
155
Configuring Built-in Actions for SSL Default Syntax Policies

add ssl policy pol1 -rule CLIENT.SSL.CLIENT_CERT.VERSION.EQ(2) -reqAction NOOP
If the version in the certificate provided by the user matches the version in the policy, the
connection is dropped:
add ssl policy pol1 -rule CLIENT.SSL.CLIENT_CERT.VERSION.EQ(2) -reqAction DROP

If the version in the certificate provided by the user matches the version in the policy, the
connection is reset:
add ssl policy pol1 -rule CLIENT.SSL.CLIENT_CERT.VERSION.EQ(2) -reqAction RESET
156
Configuring SSL Policy Labels

Policy labels are holders for policies. A policy label helps in managing a group of policies,
called a policy bank, which can be invoked from another policy. SSL policy labels can be
control labels or data labels, depending on the type of policies that are included in the
policy label. You can add only data policies in a data policy label and only control policies
in a control policy label. To create the policy bank, you bind policies to the label and
specify the order of evaluation of each policy relative to others in the bank of policies for
the policy label. At the NetScaler command line, you enter two commands to create a
policy label and bind policies to the policy label. In the configuration utility, you select
options from a dialog box.
To create an SSL policy label and bind policies to the

label by using the command line interface
add ssl policylabel <labelName> -type ( CONTROL | DATA )
bind ssl policylabel <labelName> <policyName> <priority> [<gotoPriorityExpression>]

[-invoke (<labelType> <labelName>) ]
Example
add ssl policylabel cpl1 -type CONTROL
add ssl policylabel dpl1 -type DATA
bind ssl policylabel cpl1 -policyName ctrlpol -priority 1
bind ssl policylabel dpl1 -policyName datapol -priority 1
To configure an SSL policy label and bind policies to

the label by using the configuration utility
Navigate to Traffic Management > SSL > Policy Labels, and configure an SSL policy label.
157
Configuring SSL Policy Labels

CLI procedure)
add ssl policylabel
labelName
Name for the SSL policy label. Must begin with an ASCII alphanumeric or underscore (_)
the policy label is created.
marks (for example, "my label" or 'my label').
type
Type of policies that the policy label can contain.
Possible values: CONTROL, DATA
bind ssl policylabel

labelName
Name of the SSL policy label to which to bind policies.
policyName
Name of the SSL policy to bind to the policy label.
158
Configuring Per-Directory Client

Authentication
If you create an action specifying client-side authentication on a per-directory basis, a
client identified by a policy associated with the action is not authenticated as part of the
initial SSL handshake. Instead, authentication is carried out every time the client wants to
access a specific directory on the web server.
For example, if you have multiple divisions in the company, where each division has a
folder in which all its files are stored, and you want to know the identity of each client that
tries to access files from a particular directory, such as the finance directory, you can
enable per-directory client authentication for that directory.
To enable per-directory client authentication, first configure client authentication as an SSL
action, and then create a policy that identifies the directory that you want to monitor.
When you create the policy, specify your client-authentication action as the action
associated with the policy. Then, bind the policy to the SSL virtual server that will receive
the SSL traffic.
To create an SSL action and a policy to enable client

authentication by using the command line interface
At the command prompt, type the following commands to create an SSL action to enable to
client authentication and verify the configuration:
add ssl action <name> [-clientAuth ( DOCLIENTAUTH | NOCLIENTAUTH )]
add ssl policy <name> -rule <expression> [-action <string>] [-undefAction <string>]
[-comment <string>]
show ssl policy [<name>]
Example
> add ssl action ssl-action-1 -clientAuth DOCLIENTAUTH

Done
> show ssl action ssl-action-1
1)
Name: ssl-action-1
Client Authentication Action: DOCLIENTAUTH
Hits: 0
Undef Hits: 0
Action Reference Count: 1
Done
159
Configuring Per-Directory Client Authentication

> add ssl policy ssl-pol-1 -rule 'REQ.HTTP.METHOD==GET' -reqaction ssl-action-1
> sh ssl policy ssl-pol-1
Name: ssl-pol-1
Rule: REQ.HTTP.METHOD == GET
Action: ssl-action-1
UndefAction: Use Global
Hits: 0
Undef Hits: 0
Done
To create an SSL action to enable client

authentication by using the configuration utility
1. Navigate to Traffic Management > SSL > Policies and, on the Actions tab, click Add.
2. In the Client Authentication list, select Enabled.
To create and bind an SSL policy to enable client

authentication by using the configuration utility
1. Navigate to Traffic Management > SSL and, on the Polices tab, click Add.
2. Navigate to Traffic Management > Load Balancing > Virtual Servers and open an SSL
virtual server.
In Advanced Settings, select SSL Policy, and bind the policy to the virtual server.

CLI procedure)
add ssl action
name
clientAuth
160

Perform client certificate authentication.
Possible values: DOCLIENTAUTH, NOCLIENTAUTH
show ssl action

name
add ssl policy

name
rule
Note:
quotation marks.
the character.
action
161

undefAction
comment
show ssl policy

name
Name of the SSL policy for which to display detailed information.
162
Configuring Support for Outlook Web

Access
If your SSL configuration is offloading SSL transactions from an Outlook Web Access (OWA)
server, you must insert a special header field, FRONT-END-HTTPS: ON, in all HTTP requests
directed to the OWA servers. This is required for the OWA servers to generate URL links as
https:// instead of http://.
When you enable support for OWA on the NetScaler, the header is automatically inserted
into the specified HTTP traffic, and you do not need to configure a specific header
insertion. Use SSL policies to identify all traffic directed to the OWA server.
Note: You can enable Outlook Web Access support for HTTP-based SSL virtual servers and
services only. You cannot apply it to TCP-based SSL virtual servers and services.
To enable OWA support, first configure OWA support as an SSL action, and then create a
policy that identifies the virtual servers or services for which you want to enable OWA
support. When you create the policy, specify your OWA support action as the action
associated with the policy. Then, bind the policy to the SSL virtual server that will receive
the SSL traffic.
To create an SSL action and a policy to enable OWA

support by using the command line interface
At the command prompt, type the following commands to create an SSL action to enable
OWA support and verify the configuration:
add ssl action <name> -OWASupport ( ENABLED | DISABLED )
add ssl policy <name> -rule <expression> [-action <string>] [-undefAction <string>]
[-comment <string>]
show ssl policy [<name>]
Example
> add ssl action ssl-action-2 -OWASupport ENABLED

Done
> show ssl action ssl-action-2
1)
Name: ssl-action-2
Type: Data Insertion
OWA Support: ENABLED
Hits: 0
163
Configuring Support for Outlook Web Access

Undef Hits: 0
Action Reference Count: 1
Done
> add ssl policy ssl-pol -rule 'REQ.HTTP.METHOD == GET' -reqaction ssl-action-2
Done
> sh ssl policy ssl-pol
Name: ssl-pol
Rule: REQ.HTTP.METHOD == GET
Action: ssl-action-2
UndefAction: Use Global
Hits: 0
Undef Hits: 0
Done
To create an SSL action to enable OWA support by

1. Navigate to Traffic Management > SSL > Policies and, on the Actions tab, click Add.
2. In the Outlook Web Access list, select Enabled.
Note: Outlook Web Access support is applicable only for SSL virtual server based
configurations and transparent SSL service based configurations and not for SSL
configurations with back-end encryption.
To create and bind an SSL policy to enable OWA

support by using the configuration utility
Navigate to Traffic Management > SSL > Policies, and add a policy.
In the Action list, select the action that you created earlier. Specify an undefined action,
and an expression.

CLI procedure)
add ssl action
name
164

OWASupport
If the appliance is in front of an Outlook Web Access (OWA) server, insert a special
header field, FRONT-END-HTTPS: ON, into the HTTP requests going to the OWA server.
This header communicates to the server that the transaction is HTTPS and not HTTP.
show ssl action

name
add ssl policy

name
rule
Note:
quotation marks.
165

the character.
action
undefAction
comment
show ssl policy

name
Name of the SSL policy for which to display detailed information.
166
Configuring SSL-Based Header Insertion

Because the NetScaler appliance offloads all SSL-related processing from the servers, the
servers receive only HTTP traffic. In some circumstances, the server needs certain SSL
information. For example, security audits of recent SSL transactions require the client
subject name (contained in an X509 certificate) to be logged on the server.
Such data can be sent to the server by inserting it into the HTTP header as a name-value
pair. You can insert the entire client certificate, if required, or only the specific fields from
the certificate, such as the subject, serial number, issuer, certificate hash, SSL session ID,
cipher suite, or the not-before or not-after date used to determine certificate validity.
You can enable SSL-based insertion for HTTP-based SSL virtual servers and services only.
You cannot apply it to TCP-based SSL virtual servers and services. Also, client
authentication must be enabled on the SSL virtual server, because the inserted values are
taken from the client certificate that is presented to the virtual server for authentication.
To configure SSL-based header insertion, first create an SSL action for each specific set of
information to be inserted, and then create policies that identify the connections for which
you want to insert the information. As you create each policy, specify the action that you
want associated with the policy. Then, bind the policies to the SSL virtual servers that will
receive the SSL traffic.
The following example uses default syntax policies. In the following example, a control
policy (ctrlpol) is created to perform client authentication if a request is received for the
URL /testsite/file5.html. A data policy (datapol) is created to perform an action (act1) if
client authentication is successful, and an SSL action (act1) is added to insert the
certificate details and issuer's name in the request before forwarding the request. For other
URLs, client authentication is disabled. The policies are then bound to an SSL virtual server
(ssl_vserver) that receives the SSL traffic.
Command-line example of configuring SSL-based

header insertion
Example
> add ssl action act1 -clientCert ENABLED -certHeader mycert -clientcertissuer ENABLED -certIssuerHeader m
> add ssl policy datapol -rule HTTP.REQ.URL.EQ(\"/testsite/file5.html\") -action act1
> add ssl policy ctrlpol -rule HTTP.REQ.URL.EQ(\"/testsite/file5.html\") -action CLIENTAUTH
> bind ssl vserver ssl_vserver -policyName ctrlpol -priority 1
> bind ssl vserver ssl_vserver -policyName datapol -priority 1
Done
167
Configuring SSL-Based Header Insertion
To configure SSL-based header insertion by using the

1. Navigate to Traffic Management > SSL > Policies.
2. In the details pane, on the Actions tab, click Add.
3. In the Create SSL Action dialog box, set the following parameters:
Name*
Client Certificate
Certificate Tag
Client Certificate Issuer
Issuer Tag
* A required parameter
4. Click Create, and then click Close.

5. On the tab, click Add to create a control policy.
6. In the Create SSL Policy dialog box, set the following parameters:
Name*
Expression
Request Action
* A required parameter

8. Create a data policy by repeating steps 5 through 7.
9. In the navigation pane, expand SSL Offload, and then click Virtual Servers.
10. In the details pane, from the list of virtual servers, select the virtual server to which
you want to bind the SSL policies, and then click Open.
11. In the Configure Virtual Server (SSL Offload) dialog box, click SSL Settings, and then
click SSL Policies.
12. In the Bind/Unbind SSL Policies dialog box, click Insert Policy. Under Policy Name,
select the policy that you created in steps 5 through 7.
13. Click OK, and then click Close. A message appears in the status bar, stating that the
policy has been bound successfully.
14. Repeat steps 12 and 13 and select the policy that you created in step 8.
168
Binding SSL Policies to a Virtual Server

The SSL policies that are configured on the NetScaler appliance need to be bound to a
virtual server that intercepts traffic directed to the virtual server. If the incoming data
matches any of the rules configured in the SSL policy, the policy is triggered and the action
associated with it is carried out.
You can also bind SSL policies globally or to custom bind points on the NetScaler appliance.
For more information about binding policies on the appliance, see .
To bind an SSL policy to a virtual server by using the

At the command prompt, type the following command to bind an SSL policy to a virtual
bind ssl vserver <vServerName> -policyName <string> [-priority <positive_integer>]
Example
> bind ssl vserver vs-server -policyName ssl-policy-1 -priority 10

Done
DH: DISABLED
Refresh Count: 1000
ClearText Port: 80
SSL Redirect: ENABLED
SSL-REDIRECT Port Rewrite: ENABLED
1)
1)
Policy Name: ssl-policy-1
Priority: 10

Done
169
Binding SSL Policies to a Virtual Server
To bind an SSL policy to a virtual server by using the

1. Navigate to Traffic Management > Load Balancing > Virtual Servers, and open an SSL
virtual server.
2. In Advanced Settings, select SSL Policy, Click in the SSL Policy section to bind to the
virtual server.

CLI procedure)
bind ssl vserver
vServerName
policyName
Name of the SSL policy to bind to the SSL virtual server.
show ssl vserver

vServerName
170
Binding SSL Policies Globally

Globally bound policies are evaluated after all policies bound to services, virtual servers, or
other NetScaler bind points are evaluated.
To globally bind an SSL policy by using the command

line interface
At the command prompt, type the following command to bind a global SSL policy and verify
the configuration:
bind ssl global - policyName <string> [- priority <positive_integer>]
show ssl global
Example
> bind ssl global -policyName Policy-SSL-2 -priority 90

Done
> sh ssl global
1) Name: Policy-SSL-2 Priority: 90
2) Name: Policy-SSL-1 Priority: 100
Done
To bind a global SSL policy by using the configuration

utility
1. Navigate to Traffic Management > SSL > Policies.
2. In the details pane, click Global Bindings.
3. In the Bind/Unbind SSL Policies to Global dialog box, click Insert Policy.
4. In the Policy Name drop-down list, select a policy.
5. Optionally, drag the entry to a new position in the policy bank to automatically update
the priority level.
6. Click OK. A message appears in the status bar, stating that the policy has been bound
successfully.
171
Commonly Used SSL Configurations

SSL deployments typically use some version of one or more of the following configurations:
SSL Offloading with End-to-End Encryption
Transparent SSL Acceleration
Service-based Transparent SSL Acceleration
Virtual Server-based Acceleration with a Wildcard IP Address (*:443)
SSL VIP-based Transparent Access with End-To-End Encryption

SSL Acceleration with HTTP on the Front-End and SSL on the Back-End
SSL Offloading with Other-TCP Protocols
Backend Encryption for TCP Based Data

SSL Bridging
172
SSL_TCP Based Offloading with End-to-End Encryption
Configuring SSL Offloading with

End-to-End Encryption
A simple SSL offloading setup terminates SSL traffic (HTTPS), decrypts the SSL records, and
forwards the clear text (HTTP) traffic to the back-end web servers. However, the clear text
traffic is vulnerable to being spoofed, read, stolen, or compromised by individuals who
succeed in gaining access to the back-end network devices or web servers.
You can, therefore, configure SSL offloading with end-to-end security by re-encrypting the
clear text data and using secure SSL sessions to communicate with the back-end Web
servers.
Additionally, you can configure the back-end SSL transactions so that the NetScaler
appliance uses SSL session multiplexing to reuse existing SSL sessions with the back-end web
servers, thus avoiding CPU-intensive key exchange (full handshake) operations. This reduces
the overall number of SSL sessions on the server, and therefore accelerates the SSL
transaction while maintaining end-to-end security.
To configure SSL Offloading with end-to-end encryption, add SSL based services that
represent secure servers with which the NetScaler appliance will carry out end-to-end
encryption. Then create an SSL based virtual server, and create and bind a valid
certificate-key pair to the virtual server. Bind the SSL services to the virtual server to
complete the configuration.
For details on adding SSL based services, see Configuring Services.
For details on adding an SSL virtual server, see Configuring an SSL Based Virtual Server.
For details on creating a certificate-key pair, see Adding a Certificate-Key Pair.
For details on binding a certificate-key pair to a virtual server, see Binding the Certificate
Key Pair to the SSL Based Virtual Server.
For details on binding services to a virtual server, see Binding Services to the SSL Based
Virtual Server.
Example
Create two SSL based services, Service-SSL-1 and Service-SSL-2, with IP addresses
10.102.20.30 and 10.102.20.31 and both using port 443.
Then create an SSL based virtual server, Vserver-SSL-2 with an IP address of 10.102.10.20.
Next, create a certificate-key pair, CertKey-1 and bind it to the virtual server.
Bind the SSL services to the virtual server to complete the configuration.
Table 1. Entities in the SSL Offloading with End-to-End Encryption Example
173
Configuring SSL Offloading with End-to-End Encryption
174
Entity
Name
Value
SSL Service
Service-SSL-1
10.102.20.30
Service-SSL-2
10.102.20.31
SSL Based Virtual Server
Vserver-SSL-2
10.102.10.20
Certificate - Key Pair
Certkey-1
Configuring Transparent SSL

Acceleration
Note: You need to enable L2 mode on the NetScaler appliance for transparent SSL
acceleration to work.
Transparent SSL acceleration is useful for running multiple applications on a secure server
with the same public IP, and also for SSL acceleration without using an additional public IP.
In a transparent SSL acceleration setup, the NetScaler appliance is transparent to the
client, because the IP address at which the appliance receives requests is the same as the
Web server's IP address.
The NetScaler offloads SSL traffic processing from the Web server and sends either clear
text or encrypted traffic (depending on the configuration) to the web server. All other
traffic is transparent to the NetScaler and is bridged to the Web server. Therefore, other
applications running on the server are unaffected.
There are three modes of transparent SSL acceleration available on the NetScaler:
Service-based transparent access, where the service type can be SSL or SSL_TCP.
Virtual server-based transparent access with a wildcard IP address (*:443).
SSL VIP-based transparent access with end-to-end encryption.
Note: An SSL_TCP service is used for non-HTTPS services (for example SMTPS and IMAPS).
Service-based Transparent SSL Acceleration

To enable transparent SSL acceleration using the SSL service mode, configure an SSL or an
SSL_TCP service with the IP address of the actual back-end Web server. Instead of a virtual
server intercepting SSL traffic and passing it on to the service, the traffic is now directly
passed on to the service, which decrypts the SSL traffic and sends clear text data to the
back-end server.
The service-based mode allows you to configure individual services with a different
certificate, or with a different clear text port. Also, you can also select individual services
for SSL acceleration.
You can apply service-based transparent SSL acceleration to data that uses different
protocols, by setting the clear text port of the SSL service to the port on which the data
transfer between the SSL service and the back-end server occurs.
To configure service-based transparent SSL acceleration, first enable both the SSL and the
load balancing features. Then create an SSL based service and configure its clear text port.
After the service is created, create and bind a certificate-key pair to this service.
175
Configuring Transparent SSL Acceleration

For details on configuring the clear text port for an SSL based service, see "Configuring
Advanced SSL Settings."
For details on creating a certificate-key pair and binding a certificate-key pair to a service,
see "Adding a Certificate-Key Pair."
Example
Enable SSL offloading and load balancing.
Create an SSL based service, Service-SSL-1 with the IP address 10.102.20.30 using port 443
and configure its clear text port.
Next, create a certificate-key pair, CertKey-1 and bind it to the SSL service.
Table 1. Entities in the Service-based Transparent SSL Acceleration
Entity
Name
Value
SSL Service
Service-SSL-1
102.20.30
Certificate - Key Pair
Certkey-1
Virtual Server-based Acceleration with a Wildcard IP

Address (*:443)
You can use an SSL virtual server in the wildcard IP address mode if when you want to
enable SSL acceleration for multiple servers that host the secure content of a Web site. In
this mode, a single-digital certificate is enough for the entire secure Web site, instead of
one certificate per virtual server. This results in significant cost savings on SSL certificates
and renewals. The wildcard IP address mode also enables centralized certificate
management.
To configure global transparent SSL acceleration on the NetScaler appliance, create a *:443
virtual server, which is a virtual server that accepts any IP address associated with port
443. Then, bind a valid certificate to this virtual server, and also bind all services to which
the virtual server is to transfer. Such a virtual server can use the SSL protocol for
HTTP-based data or the SSL_TCP protocol for non-HTTP-based data.
176
To configure virtual server-based acceleration with a

wildcard IP address
1. Enable SSL, as described in "Enabling SSL Processing."
2. Enable load balancing, as described in "Load Balancing."
3. Add an SSL based virtual server (see "Configuring an SSL-Based Virtual Server" for the
basic settings), and set the clearTextPort parameter (described in "Configuring
Advanced SSL Settings)."
4. Add a certificate-key pair, as described in "Adding a Certificate-Key Pair."
Note: The wildcard server will automatically learn the servers configured on the
NetScaler, so you do not need to configure services for a wildcard virtual server.
Example
After enabling SSL offloading and load balancing, create an SSL based wildcard virtual
server with IP address set to * and port number 443, and configure its clear text port
(optional).
If you specify the clear text port, decrypted data will be sent to the backend server on that
particular port. Otherwise, encrypted data will be sent to port 443.
Next, create an SSL certificate key pair, CertKey-1 and bind it to the SSL virtual server.
Table 2. Entities in the Virtual Server-based Acceleration with a Wildcard IP Address
Example
Entity
Name
IP Address
Port
SSL Based Virtual

Server
Vserver-SSL-Wildcard
443
Certificate - Key
Pair
Certkey-1
SSL VIP-based Transparent Access with End-To-End

Encryption
You can use an SSL virtual server for transparent access with end-to-end encryption if you
have no clear text port specified. In such a configuration, the NetScaler terminates and
offloads all SSL processing, initiates a secure SSL session, and sends the encrypted data,
instead of clear text data, to the web servers on the port that is configured on the wildcard
virtual server.
Note: In this case, the SSL acceleration feature runs at the back-end, using the default
configuration, with all 34 ciphers available.
To configure SSL VIP based transparent access with end-to-end encryption, Follow
instructions for Configuring a Virtual Server-based Acceleration with a Wildcard IP Address
(*:443), but do not configure a clear text port on the virtual server.
177
178
Configuring SSL Acceleration with HTTP

on the Front End and SSL on the Back
End
In certain deployments, you might be concerned about network vulnerabilities between the
NetScaler appliance and the backend servers, or you might need complete end-to-end
security and interaction with certain devices that can communicate only in clear text (for
example, caching devices).
In such cases, you can set up an HTTP virtual server that receives data from clients that
connect to it at the front end and hands the data off to a secure service, which securely
transfers the data to the web server.
To implement this type of configuration, you configure an HTTP virtual server on the
NetScaler and bind SSL based services to the virtual server. The NetScaler receives HTTP
requests from the client on the configured HTTP virtual server, encrypts the data, and
sends the encrypted data to the web servers in a secure SSL session.
To configure SSL acceleration with HTTP on the front-end and SSL on the back-end, first
enable the load balancing and SSL features on the NetScaler. Then, add SSL based services
that represent secure servers to which the NetScaler appliance will send encrypted data.
Finally, add an HTTP based virtual server and bind the SSL services to this virtual server.
Example
Enable load balancing and SSL acceleration on the NetScaler.
After enabling load balancing and SSL acceleration, create two SSL based services,
Service-SSL-1 and Service-SSL-2, with IP addresses 10.102.20.30 and 10.102.20.31, and both
using port 443.
Then create an HTTP based virtual server, Vserver-HTTP-1, with an IP address of
10.102.10.20.
Bind the SSL services to the virtual server to complete the configuration.
Table 1. Entities in the SSL Acceleration with HTTP on the Front End and SSL on the Back
End Example
179
Entity
Name
Value
SSL Service
Service-SSL-1
10.102.20.30
Service-SSL-2
10.102.20.31
HTTP Based Virtual Server
Vserver-HTTP-1
10.102.10.20
SSL Offloading with Other TCP Protocols

In addition to the secure HTTP (HTTPS) protocol, NetScaler appliances support SSL
acceleration for other TCP-based secure protocols. However, only simple requests and
response-based TCP application protocols are supported. Applications such as FTPS, that
insert the server's IP address and port information in their payloads, are not currently
supported.
Note: The STARTTLS feature for SMTP is currently not supported.
The NetScaler supports SSL acceleration for Other TCP protocols with and without
end-to-end encryption.
To configure SSL offloading with Other TCP protocols, create a virtual server of type
SSL_TCP, bind a certificate-key pair and TCP based services to the virtual server, and
configure SSL actions and policies based on the type of traffic expected and the
acceleration to be provided.
Follow the instructions in Configuring SSL Offloading, but create an SSL_TCP virtual server
instead of an SSL virtual server, and configure TCP services instead of HTTP services.
SSL_TCP Based Offloading with End-to-End

Encryption
To configure SSL_TCP-based offloading with end-to-end encryption, both the virtual server
that intercepts secure traffic and the services that it forwards the traffic to must be of type
SSL_TCP.
Configure SSL_TCP-based offloading as described in Configuring SSL Offloading with
End-to-End Encryption, but create an SSL_TCP virtual server instead of an SSL virtual
server.
Backend Encryption for TCP Based Data

Some deployments might require the NetScaler appliance to encrypt TCP data received as
clear text and send the data securely to the back end servers.
To provide SSL acceleration with back-end encryption for clear text TCP traffic arriving
from the client, create a TCP based virtual server and bind it to SSL_TCP based services.
To configure end-to-end encryption for TCP-based data, follow the procedure described in
Configuring the SSL feature with HTTP on the Front-End and SSL on the Back-End, but
create a TCP virtual server instead of an HTTP virtual server.
180
Configuring SSL Bridging

An SSL bridge configured on the NetScaler appliance enables the appliance to bridge all
secure traffic between the SSL client and the SSL server. The appliance does not offload or
accelerate the bridged traffic, nor does it perform encryption or decryption. Only load
balancing is done by the appliance. The SSL server must handle all SSL-related processing.
Features such as content switching, SureConnect, and cache redirection do not work,
because the traffic passing through the appliance is encrypted.
Because the appliance does not carry out any SSL processing in an SSL bridging setup, there
is no need for SSL certificates.
Citrix recommends that you use this configuration only if an acceleration unit (for example,
a PCI-based SSL accelerator card) is installed in the web server to handle the SSL processing
overhead.
Before you configure SSL bridging, first enable SSL and load balancing on the appliance.
Then, create SSL_Bridge services and bind them to an SSL_Bridge virtual server. Configure
the load balancing feature to maintain server persistency for secure requests.
Example
After enabling SSL and load balancing, create two servers, s1 and s2. Create two SSL_Bridge
services, sc1 and src2. Create an SSL_Bridge virtual server and bind the SSL_Bridge services
to the virtual server to complete the configuration. At the command line, type:
enable ns feature SSL LB
add server s1 10.102.1.101
add server s2 10.102.1.102
add service src1 s1 SSL_BRIDGE 443
add service src2 s2 SSL_BRIDGE 443
add lb vserver ssl_bridge_vip SSL_BRIDGE 10.102.1.200 443
bind lb vserver ssl_bridge_vip src1
bind lb vserver ssl_bridge_vip src2
181
Configuring the SSL Feature for

Commonly Used Deployment Scenarios
Some of the most commonly deployed NetScaler SSL configurations are for load balancing
secure data, applying content switching to secure data, and monitoring secure data:
182
Configuring an SSL Virtual Server for Load Balancing.
Configuring a Secure Content Switching Server.
Configuring SSL Monitoring when Client Authentication is Enabled on the Backend

Service.
Configuring an SSL Virtual Server for

Load Balancing
A virtual server configured to load balance incoming secure data first decrypts the data and
then selects a web server as determined by the configured load balancing policies. The
NetScaler appliance then sends the decrypted data to the selected server, using a mapped
IP address as the source IP address.
To configure load balancing on the appliance, you must first create an SSL-based load
balancing virtual server and two or more HTTP-based services. You then bind the services
and an SSL certificate to the virtual server. If no load balancing policy or method is
configured, the default, LEASTCONNECTION, method is used.
Example
>
>
>
>
>
>
>
>
add service ssl1 10.102.29.252 HTTP 80

add service ssl2 10.102.29.253 HTTP 80
add lb vserver vssl SSL 10.102.29.133 443
bind lb vserver vssl ssl1
bind lb vserver vssl ssl2
add ssl certKey sslckey -cert server_cert.pem -key server_key.pem -password ssl
bind ssl vserver vssl certkeyName sslckey
show ssl vserver vssl

DH: DISABLED
Refresh Count: 0
ClearText Port: 0
1)
1)
CertKey Name: sslckey Server Certificate

Done
183
Configuring a Secure Content Switching

Server
An SSL-based content switching virtual server first decrypts the secure data and then
redirects the data to appropriately configured servers as determined by the type of content
and the configured content switching policies. The packets sent to the server have a
mapped IP address as the source IP address.
The following example shows the steps to configure two address-based virtual servers to
perform load balancing on the HTTP services. One virtual server, Vserver-LB-HTML, load
balances the dynamic content (cgi, asp), and the other, Vserver-LB-Image, load balances
the static content (gif, jpeg). The load-balancing method used is the default,
LEASTCONNECTION. A content switching SSL virtual server, Vserver-CS-SSL, is then
configured to perform SSL acceleration and switching of HTTPS requests on the basis of
configured content switching policies.
Example
> enable ns feature lb cs ssl

> add lb vserver Vserver-LB-HTML http 10.1.1.2 80
> add lb vserver Vserver-LB-Image http 10.1.1.3 80
> add service s1 10.1.1.4 http 80
> bind lb vserver Vserver-LB-HTML s1
> bind lb vserver Vserver-LB-HTML s2
> bind lb vserver Vserver-LB-Image s3
> bind lb vserver Vserver-LB-Image s4
> add cs vserver Vserver-CS-SSL ssl 10.1.1.1 443
> add cs policy pol1 -url "*.cgi"
> add cs policy pol2 -url "*.asp"
> add cs policy pol3 -url "*.gif"
> add cs policy pol4 -url "*.jpeg"
> bind cs vserver Vserver-CS-SSL -policyName pol1 Vserver-LB-HTML
> bind cs vserver Vserver-CS-SSL -policyName pol2 Vserver-LB-HTML
> bind cs vserver Vserver-CS-SSL -policyName pol3 Vserver-LB-Image
> bind cs vserver Vserver-CS-SSL -policyName pol4 Vserver-LB-Image
> add certkey mykey -cert /nsconfig/ssl/ns-root.cert -key /nsconfig/ssl/ns-root.key
> bind certkey Vserver-CS-SSL mykey
>
> show cs vserver Vserver-CS-SSL
Vserver-CS-SSL (10.1.1.1:443) - SSL Type: CONTENT
State: UP
Last state change was at Tue Jul 13 02:11:37 2010
184
Configuring a Secure Content Switching Server
185

State Update: DISABLED
Default: Content Precedence: RULE
Case Sensitivity: ON
Configuring SSL Monitoring when Client

Authentication is Enabled on the Backend
Service
Consider a scenario in which you need to load balance servers that require SSL client
certificates to validate clients. For this deployment, you need to create an SSL service on
the NetScaler appliance, add an HTTPS monitor, add a certificate-key pair, bind this
certificate-key pair to the SSL service, and then bind the https monitor to this service. You
can use this https monitor to perform health checks on the backend services.
To configure SSL monitoring with client certificate

1. Open an SSH connection to the appliance by using an SSH client, such as PuTTY.
2. Log on the appliance by using the administrator credentials.
3. Add an SSL service. At the command prompt, type:
add service <name> <serverName> <serviceType> <port>
4. Add an https monitor. At the command prompt, type:
add lb monitor <name> <type>
5. Add the certificate-key pair that is going to be used as the client cert for that SSL
service. At the command prompt, type:
add ssl certKey <certkeyName> -cert <string> -key <string>
6. Bind this certkey to the SSL service. At the command prompt, type:
bind ssl service <serviceName> -certkeyName <string>
7. Bind the https monitor to the SSL service. At the command prompt, type:
bind lb monitor <monitorName> <serviceName>
Now, when the appliance tries to probe the backend service on which client authentication
is enabled, the backend service will request a certificate as part of the SSL handshake.
When the appliance returns the certificate-key bound in step 6 above, the monitor probe
will succeed.
Example
186
Configuring SSL Monitoring when Client Authentication is Enabled on the Backend Service
add service svc_k 10.102.145.30 SSL 443
add lb monitor sslmon HTTP -respCode 200 -httpRequest "GET /testsite/file5.html" -secure YES
add ssl certKey ctest -cert client_rsa_1024.pem -key client_rsa_1024.ky
bind ssl service svc_k -certkeyName ctest
bind lb monitor sslmon svc_k
> show service svc_k
svc_k (10.102.145.30:443) - SSL
State: UP
Last state change was at Tue Jan 10 13:12:24 2012
Server Name: 10.102.145.30
Server ID : 0 Monitor Threshold : 0
Max Conn: 0 Max Req: 0 Max Bandwidth: 0 kbits
Use Source IP: NO
Client Keepalive(CKA): NO
Access Down Service: NO
TCP Buffering(TCPB): NO
HTTP Compression(CMP): NO
Idle timeout: Client: 180 sec Server: 360 sec
Client IP: DISABLED
Cacheable: NO
SC: OFF
SP: OFF
1) Monitor Name: sslmon
State: UP Weight: 1
Probes: 1318 Failed [Total: 738 Current: 0]
Last response: Success - HTTP response code 200 received.
Response Time: 0.799 millisec
Done
>
> show ssl service svc_k
Advanced SSL configuration for Back-end SSL Service svc_k:
DH: DISABLED
Server Auth: DISABLED
SNI: DISABLED
1) CertKey Name: ctest Client Certificate
1) Cipher Name: ALL
Done
187

CLI procedure)
add service
name
has been created.
serverName
serviceType
port
add lb monitor
type
Type of monitor that you want to create.
Possible values: PING, TCP, HTTP, TCP-ECV, HTTP-ECV, UDP-ECV, DNS, FTP, LDNS-PING,
LDNS-TCP, LDNS-DNS, RADIUS, USER, HTTP-INLINE, SIP-UDP, LOAD, FTP-EXTENDED, SMTP,
SNMP, NNTP, MYSQL, MYSQL-ECV, MSSQL-ECV, ORACLE-ECV, LDAP, POP3,
CITRIX-XML-SERVICE, CITRIX-WEB-INTERFACE, DNS-TCP, RTSP, ARP, CITRIX-AG,
CITRIX-AAC-LOGINPAGE, CITRIX-AAC-LAS, CITRIX-XD-DDC, ND6, CITRIX-WI-EXTENDED,
DIAMETER, RADIUS_ACCOUNTING, STOREFRONT, APPC, CITRIX-XNC-ECV, CITRIX-XDM
add ssl certKey

certkeyName
188
cert
key
bind ssl service

serviceName
certkeyName
bind lb monitor
monitorName
Name of the monitor.
serviceName
Name of the service or service group.
189
Ciphers Supported by the NetScaler

Appliance
Your NetScaler appliance ships with a predefined set of cipher groups. Table 1 lists the
ciphers that are part of the DEFAULT cipher group and are therefore bound by default to an
SSL virtual server. Table 2 lists the other ciphers currently supported by the NetScaler
appliance. To use ciphers that are not part of the DEFAULT cipher group, you have to
explicitly bind them to an SSL virtual server. You can also create a user-defined cipher
group to bind to the SSL virtual server. For more information about creating a user-defined
cipher group, see Configuring User-Defined Cipher Groups on the NetScaler Appliance.
Note:
NetScaler MPX appliances support TLS protocol versions 1.1 and 1.2.
Support for TLS protocol versions 1.1 and 1.2 is not available on a FIPS appliance or on a
NetScaler virtual appliance.
Support for TLS protocol versions 1.1 and 1.2 is available on an SDX appliance, but only
on an instance-by-instance basis. To support TLS protocol versions 1.1 and 1.2 on an
SDX appliance, you must assign at least one SSL chip to the instance when you provision
it.
Table 1. Ciphers That the NetScaler Appliance Supports by Default

Cipher Suite
Protocol
Key
Exchange
Algorithm
Authentication
Algorithm
Encryption
Algorithm
(Key Size)
Message
Authentication
Code (MAC)
Algorithm
SSL3-RC4-MD5
SSLv3
RSA
RSA
RC4(128)
MD5
RSA
RSA
RC4(128)
SHA1
TLSv1
TLSv1.1
TLSv1.2
SSL3-RC4-SHA
SSLv3
TLSv1
TLSv1.1
TLSv1.2
190
Ciphers Supported by the NetScaler Appliance

SSL3-DES-CBC3-SHA
SSLv3
RSA
RSA
3DES(168)
SHA1
RSA
RSA
AES(256)
SHA1
RSA
RSA
AES(128)
SHA1
DH
DSS
3DES(168)
SHA1
TLSv1
TLSv1.1
TLSv1.2
TLS1-AES-256-CBC-SHA
SSLv3
TLSv1
TLSv1.1
TLSv1.2
SSLv3
TLSv1
TLSv1.1
TLSv1.2
SSL3-EDH-DSS-DES-CBC3-SHA
SSLv3
TLSv1
TLS1-DHE-DSS-RC4-SHA
TLSv1
DH
DSS
RC4(128)
SHA1
TLS1-DHE-DSS-AES-256-CBC-SHA
SSLv3
DH
DSS
AES(256)
SHA1
DH
DSS
AES(128)
SHA1
DH
RSA
3DES(168)
SHA1
DH
RSA
AES(256)
SHA1
TLSv1
TLS1-DHE-DSS-AES-128-CBC-SHA
SSLv3
TLSv1
SSL3-EDH-RSA-DES-CBC3-SHA
SSLv3
TLSv1
TLSv1.1
TLSv1.2
TLS1-DHE-RSA-AES-256-CBC-SHA
SSLv3
TLSv1
TLSv1.1
TLSv1.2
191

TLS1-DHE-RSA-AES-128-CBC-SHA
SSLv3
DH
RSA
AES(128)
SHA1
TLSv1
TLSv1.1
TLSv1.2
Table 2. Additional Ciphers Supported by the NetScaler Appliance
Cipher Suite
Protocol
Key
Exchange
Algorithm
Authentication
Algorithm
Encryption
Algorithm
(Key Size)
Message
Authentication
Code (MAC)
Algorithm
SSL3-DES-CBC-SHA
SSLv3
RSA
RSA
DES(56)
SHA1
TLSv1
TLSv1.1
TLS1-EXP1024-RC4-SHA
TLSv1
RSA(1024)
RSA
RC4(56)
SHA1 Export
SSL3-EXP-RC4-MD5
SSLv3
RSA(512)
RSA
RC4(40)
MD5 Export
RSA(512)
RSA
DES(40)
SHA1 Export
RSA(512)
RSA
RC2(40)
MD5 Export
TLSv1
SSL3-EXP-DES-CBC-SHA
SSLv3
TLSv1
SSL3-EXP-RC2-CBC-MD5
SSLv3
TLSv1
SSL2-RC4-MD5
SSLv2
RSA
RSA
RC4(128)
MD5
SSL2-DES-CBC3-MD5
SSLv2
RSA
RSA
3DES(168)
MD5
SSL2-RC2-CBC-MD5
SSLv2
RSA
RSA
RC2(128)
MD5
SSL2-DES-CBC-MD5
SSLv2
RSA
RSA
DES(56)
MD5
SSL2-RC4-64-MD5
SSLv2
RSA
RSA
RC4(64)
MD5
SSL2-EXP-RC4-MD5
SSLv2
RSA(512)
RSA
RC4(40)
MD5 Export
SSL3-EDH-DSS-DES-CBC-SHA
SSLv3
DH
DSS
DES(56)
SHA1
TLSv1
TLS1-EXP1024-DHE-DSS-DES-CBCSHA
TLSv1
DH(1024)
DSS
DES(56)
SHA1 Export
TLS1-EXP1024-DHE-DSS-RC4- SHA
TLSv1
DH(1024)
DSS
RC4(56)
SHA1 Export
SSL3-EXP-EDH-DSS-DES-CBC-SHA
SSLv3
DH(512)
DSS
DES(40)
SHA1 Export
TLSv1
192

SSL3-EDH-RSA-DES-CBC-SHA
SSLv3
DH
RSA
DES(56)
SHA1
DH(512)
RSA
DES(40)
DES(40)
TLSv1
TLSv1.1
SSL3-EXP-EDH-RSA-DES-CBC-SHA
SSLv3
TLSv1
TLS1-EXP1024-RC4-MD5
TLSv1
RSA(1024)
RSA
RC4(56)
MD5 Export
TLS1-EXP1024-RC2-CBC-MD5
TLSv1
RSA(1024)
RSA
RC2(56)
MD5 Export
SSL2-EXP-RC2-CBC-MD5
SSLv2
RSA(512)
RSA
RC2(40)
MD5 Export
SSL3-ADH-RC4-MD5
SSLv3
DH
None
RC4(128)
MD5
DH
None
DES(56)
SHA1
DH
None
3DES(168)
SHA1
DH
None
AES(128)
SHA1
DH
None
AES(256)
SHA1
DH(512)
None
RC4(40)
MD5 Export
DH(512)
None
DES(40)
SHA1 Export
ECC-DHE
RSA
RC4(128)
SHA1
TLSv1
TLSv1.1
SSL3-ADH-DES-CBC-SHA
SSLv3
TLSv1
TLSv1.1
SSL3-ADH-DES-CBC3-SHA
SSLv3
TLSv1
TLSv1.1
TLS1-ADH-AES-128-CBC-SHA
SSLv3
TLSv1
TLSv1.1
TLS1-ADH-AES-256-CBC-SHA
SSLv3
TLSv1
TLSv1.1
SSL3-EXP-ADH-RC4-MD5
SSLv3
TLSv1
SSL3-EXP-ADH-DES-CBC-SHA
SSLv3
TLSv1
TLS1-ECDHE-RSA-RC4-SHA
TLSv1
TLSv1.1
TLSv1.2
193

TLS1-ECDHE-RSA-DES-CBC3-SHA
TLSv1
ECC-DHE
RSA
3DES(168)
SHA1
ECC-DHE
RSA
AES(128)
SHA1
ECC-DHE
RSA
AES(256)
SHA1
TLSv1.1
TLSv1.2
TLSv1
TLSv1.1
TLSv1.2
TLSv1
TLSv1.1
TLSv1.2
Table 3. Additional Ciphers Supported with TLS Protocol Version 1.2 from Release 10.5 Build
53.9
Cipher Suite
Protocol
Key
Exchange
Algorithm
Authentication
Algorithm
Encryption
Algorithm (Key
Size)
Message
Authenticatio
Code (MAC)
Algorithm
TLS1.2-AES128-GCM-SHA256
TLSv1.2
RSA
RSA
AES-GCM(128)
SHA-256
TLS1.2-AES256-GCM-SHA384
TLSv1.2
RSA
RSA
AES-GCM(256)
SHA-384
TLS1.2-DHE-RSA-AES128-GCM-SHA256
TLSv1.2
DH
RSA
AES-GCM(128)
SHA-256
TLS1.2-DHE-RSA-AES256-GCM-SHA384
TLSv1.2
DH
RSA
AES-GCM(256)
SHA-384
TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
TLSv1.2
ECC-DHE
RSA
AES-GCM(128)
SHA-256
TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
TLSv1.2
ECC-DHE
RSA
AES-GCM(256)
SHA-384
TLS1.2-ECDHE-RSA-AES-128-SHA256
TLSv1.2
ECC-DHE
RSA
AES(128)
SHA-256
TLS1.2-ECDHE-RSA-AES-256-SHA384
TLSv1.2
ECC-DHE
RSA
AES(256)
SHA-384
TLS1.2-AES-256-SHA256
TLSv1.2
RSA
RSA
AES(256)
SHA-256
TLS1.2-AES-128-SHA256
TLSv1.2
RSA
RSA
AES(128)
SHA-256
TLS1.2-DHE-RSA-AES-128-SHA256
TLSv1.2
DH
RSA
AES(128)
SHA-256
TLS1.2-DHE-RSA-AES-256-SHA256
TLSv1.2
DH
RSA
AES(256)
SHA-256
Note: From release 10.5 build 53.9, ECDHE, AES-GCM, and SHA2 ciphers are part of the
default group. ECDHE/DHE cipher suites must be used to achieve perfect forward secrecy
(PFS).
On a NetScaler platform that does not have N3 chips and is configured to negotiate EDH
ciphers by using TLS version 1.0 with a DH key of 2048 bits, the SSL handshake fails in either
of the following scenarios:
194
Client authentication is enabled and the appliance receives a client certificate of 4096
bits.
End-to-end encryption is configured and the appliance receives a server certificate of

4096 bits.

Use the show ns hardware command to find out if your appliance has N3 chips.
Example
> sh hardware
Platform: NSMPX-22000 16*CPU+24*IX+12*E1K+2*E1K+4*CVM N3 2200100
Manufactured on: 8/19/2013
CPU: 2900MHZ
Host Id: 1006665862
Serial no: ENUK6298FT
Encoded serial no: ENUK6298FT
Done
195
FIPS
The Federal Information Processing Standard (FIPS), issued by the US National Institute of
Standards and Technologies, specifies the security requirements for a cryptographic module
used in a security system. The NetScaler FIPS appliance complies with the second version of
this standard, FIPS-140-2.
Note: Henceforth, all references to FIPS imply FIPS-140-2.
The FIPS appliance is equipped with a tamper-proof (tamper-evident) cryptographic
moduleand a Cavium CN1620-NFBE3-2.0-G on the MPX 9700/10500/12500/15500 FIPS
appliancesdesigned to comply with the FIPS 140-2 Level-2 specifications. The Critical
Security Parameters (CSPs), primarily the server's private-key, are securely stored and
generated inside the cryptographic module, also referred to as the Hardware Security
Module (HSM). The CSPs are never accessed outside the boundaries of the HSM. Only the
superuser (nsroot) can perform operations on the keys stored inside the HSM.
The following table summarizes the differences between standard NetScaler and NetScaler
FIPS appliances.
Setting
NetScaler appliance
NetScaler FIPS appliance
Key storage
On the hard disk
On the FIPS card
Cipher support
All ciphers
FIPS approved ciphers
Accessing keys
From the hard disk
Not accessible
Configuring a FIPS appliance involves configuring the HSM immediately after completing the
generic configuration process. You then create or import a FIPS key. After creating a FIPS
key, you should export it for backup. You might also need to export a FIPS key so that you
can import it to another appliance. For example, configuring FIPS appliances in a high
availability (HA) setup requires transferring the FIPS key from the primary node to the
secondary node immediately after completing the standard HA setup.
You can upgrade the firmware version on the FIPS card from version 4.6.0 to 4.6.1, and you
can reset an HSM that has been locked to prevent unauthorized logon. Only FIPS approved
ciphers are supported on a NetScaler FIPS appliance.
196
Configuring the HSM

Before you can configure the HSM of your NetScaler FIPS appliance, you must complete the
initial hardware configuration. For more information, see .
Configuring the HSM of your NetScaler FIPS appliance erases all existing data on the HSM.
To configure the HSM, you must be logged on to the appliance as the superuser (nsroot
account). The HSM is preconfigured with default values for the Security Officer (SO)
password and User password, which you use to configure the HSM or reset a locked HSM.
Important: Do not perform the set ssl fips command without first resetting the FIPS card
and restarting the MPX FIPS appliance.
Although the FIPS appliance can be used with the default password values, you should
modify them before using it. The HSM can be configured only when you log on to the
appliance as the superuser and specify the SO and User passwords.
Important: Due to security constraints, the appliance does not provide a means for
retrieving the SO password. Store a copy of the password safely. Should you need to
reinitialize the HSM, you will need to specify this password as the old SO password.
Before initializing the HSM, you can upgrade to the latest build of the software. To upgrade
to the latest build, see .
After upgrading, verify that the /nsconfig/fips directory has been successfully created on
the appliance.
To configure the HSM on an MPX

9700/10500/12500/15500 FIPS appliances by using the
After logging on to the appliance as the superuser and completing the initial configuration,
at the command prompt, type the following commands to configure the HSM and verify the
configuration:
1. show ssl fips
2. reset ssl fips
3. reboot -warm
4. set ssl fips -initHSM Level-2 <newSOpassword> <oldSOpassword> <userPassword>
[-hsmLabel <string>]
5. save ns config
6. reboot -warm
197
Configuring the HSM

7. show ssl fips
Example
show fips
FIPS Card is not configured
Done
reset fips
reboot
Are you sure you want to restart NetScaler (Y/N)? [N]:y
set ssl fips -initHSM Level-2 sopin12345 so12345 user123 -hsmLabel cavium
This command will erase all data on the FIPS card. You must save the configuration
(saveconfig) after executing this command.
Do you want to continue?(Y/N)y
Done
save ns config
reboot
Are you sure you want to restart NetScaler (Y/N)? [N]:y
show fips
FIPS HSM Info:
HSM Label
: NetScaler FIPS
Initialization
: FIPS-140-2 Level-2
HSM Serial Number
: 2.1G1008-IC000021
HSM State
:2
HSM Model
: NITROX XL CN1620-NFBE
Firmware Version
: 1.1
Firmware Release Date : Jun04,2010
Max FIPS Key Memory
Free FIPS Key Memory
Total SRAM Memory
Free SRAM Memory
Total Crypto Cores
Enabled Crypto Cores
Done
198
: 3996
: 3994
: 467348
: 62564
:3
:1
Configuring the HSM
To configure the HSM on an MPX

1. Navigate to Traffic Management > SSL > FIPS.
2. In the details pane, on the FIPS Infotab, click Reset FIPS.
3. In the navigation pane, click System.
4. In the details pane, click Reboot.
5. In the details pane, on the FIPS Info tab, click Initialize HSM.
6. In the Initialize HSM dialog box, specify values for the following parameters:
Security Officer (SO) Password*new SO password
Old SO Password*old SO password
User Password*user password
LevelinitHSM (Currently set to Level2 and cannot be changed)
HSM LabelhsmLabel
*A required parameter
7. Click OK.
8. In the details pane, click Save.
9. In the navigation pane, click System.
10. In the details pane, click Reboot.
11. Under FIPS HSM Info, verify that the information displayed for the FIPS HSM that you
just configured is correct.

CLI procedure)
show ssl fips
199
Configuring the HSM
reset ssl fips

reboot
warm
Restarts the NetScaler software without rebooting the underlying operating system. The
session terminates and you must log on to the appliance after it has restarted.
Note: This argument is required only for nCore appliances. Classic appliances ignore this
argument.
set ssl fips

initHSM
FIPS initialization level. The appliance currently supports Level-2 (FIPS 140-2).
Possible values: Level-2
hsmLabel
Label to identify the Hardware Security Module (HSM).
save ns config
200
Creating and Transferring FIPS Keys

After configuring the HSM of your FIPS appliance, you are ready to create a FIPS key. The
FIPS key is created in the appliances HSM. You can then export the FIPS key to the
appliances CompactFlash card as a secured backup. Exporting the key also enables you to
transfer it by copying it to the /flash of another appliance and then importing it into the
HSM of that appliance.
Instead of creating a FIPS key, you can import an existing FIPS key or import an external key
as a FIPS key. If you are adding a certificate-key pair of 2048 bits on the MPX
9700/10500/12500/15500 FIPS appliances, make sure that you have the correct certificate
and key pair.
Note: If you are planning an HA setup, make sure that the FIPS appliances are configured
in an HA setup before creating a FIPS key.
201
Creating a FIPS Key

Before creating a FIPS key, make sure that the HSM is configured.
To create a FIPS key by using the configuration utility

1. Navigate to Traffic Management > SSL > FIPS.
2. In the details pane, on the FIPS Keys tab, click Add.
3. In the Create FIPS Key dialog box, specify values for the following parameters:
FIPS Key Name*fipsKeyName
Modulus*modulus
Exponent*exponent

5. On the FIPS Keys tab, verify that the settings displayed for the FIPS key that you just
created are correct.
To create a FIPS key by using the command line

interface
At the command prompt, type the following commands to create a FIPS key and verify the
settings:
create ssl fipsKey <fipsKeyName> -modulus <positive_integer> [-exponent ( 3 | F4 )]
show ssl fipsKey [<fipsKeyName>]
Example
create fipskey Key-FIPS-1 -modulus 2048 -exponent 3

show ssl fipsKey Key-FIPS-1
FIPS Key Name: Key-FIPS-1 Modulus: 2048 Public Exponent: 3 (Hex: 0x3)
202
Creating a FIPS Key

CLI procedure)
create ssl fipsKey
fipsKeyName
Name for the FIPS key. Must begin with an ASCII alphanumeric or underscore (_)
the FIPS key is created.
marks (for example, "my fipskey" or 'my fipskey').
modulus
Modulus, in multiples of 64, of the FIPS key to be created.
Minimum value: 1024
Maximum value: 4096
exponent
Exponent value for the FIPS key to be created. Available values function as follows:
3=3 (hexadecimal)
F4=10001 (hexadecimal)
Default value: 3
show ssl fipsKey

fipsKeyName
Name of the FIPS key for which to show detailed information.
203
Exporting a FIPS Key

Citrix recommends that you create a backup of any key created in the FIPS HSM. If a key in
the HSM is deleted, there is no way to create the same key again, and all the certificates
associated with it are rendered useless.
In addition to exporting a key as a backup, you might need to export a key for transfer to
another appliance.
The following procedure provides instructions on exporting a FIPS key to the /nsconfig/ssl
folder on the appliance's CompactFlash and securing the exported key by using a strong
asymmetric key encryption method.
To export a FIPS key by using the command line

interface
export ssl fipsKey <fipsKeyName> -key <string>
Example
export fipskey Key-FIPS-1 -key Key-FIPS-1.key
To export a FIPS key by using the configuration utility

1. Navigate to Traffic Management > SSL > FIPS
2. In the details pane, on the FIPS Keys tab, click Export.
3. In the Export FIPS key to a file dialog box, specify values for the following parameters:
FIPS Key Name*fipsKeyName
File Name*key (To put the file in a location other than the default, you can either
specify the complete path or click the Browse button and navigate to a location.)
4. Click Export, and then click Close.
204
Exporting a FIPS Key

CLI procedure)
export ssl fipsKey
fipsKeyName
Name of the FIPS key to export.
key
Name of and, optionally, path to the exported key file.
205
Importing an Existing FIPS Key

To use an existing FIPS key with your FIPS appliance, you need to transfer the FIPS key from
the hard disk of the appliance into its HSM.
Note: To avoid errors when importing a FIPS key, make sure that the name of the key
imported is the same as the original key name when it was created.
To import a FIPS key on the MPX

At the command prompt, type the following commands to import a FIPS key and verify the
settings:
import ssl fipsKey <fipsKeyName> -key <string> -inform SIM -exponent (F4 | 3)
show ssl fipskey <fipsKeyName>
Example
import fipskey Key-FIPS-2 -key Key-FIPS-2.key -inform SIM -exponent F4
show ssl fipskey key-FIPS-2
FIPS Key Name: Key-FIPS-2 Modulus: 2048 Public Exponent: F4 (Hex value 0x10001)
206
To import a FIPS key by using the configuration utility

2. In the details pane, on the FIPS Keys tab, click Import.
3. In the Import as a FIPS Key dialog box, select FIPS key file and set values for the
following parameters:
FIPS Key Name*
Key File Name*To put the file in a location other than the default, you can either
specify the complete path or click Browse and navigate to a location.
Exponent*
4. Click Import, and then click Close.

imported are correct.

CLI procedure)
import ssl fipsKey
fipsKeyName
Name for the FIPS key to be imported. Must begin with an ASCII alphanumeric or
changed after the FIPS key is created.
key
Name of and, optionally, path to the key file to be imported.
inform
Input format of the key file. Available formats are:
SIM - Secure Information Management; select when importing a FIPS key. If the external
FIPS key is encrypted, first decrypt it, and then import it.
207

PEM - Privacy Enhanced Mail; select when importing a non-FIPS key.
Possible values: SIM, DER, PEM
Default value: FORMAT_SIM
exponent
Exponent value for the FIPS key to be created. Available values function as follows:
3=3 (hexadecimal)
F4=10001 (hexadecimal)
Default value: 3
show ssl fipskey

fipsKeyName
208
Importing External Keys

In addition to transferring FIPS keys that are created within the NetScaler appliances HSM,
you can transfer external private keys (such as those created on a standard NetScaler,
Apache, or IIS) to a FIPS NetScaler appliance. External keys are created outside the HSM, by
using a tool such as OpenSSL. Before importing an external key into the HSM, copy it to the
appliance's flash drive under /nsconfig/ssl.
Importing an external key as a FIPS key on the MPX

On the MPX 9700/10500/12500/15500 FIPS appliances, the -exponent parameter in the
import ssl fipskey command is not required while importing an external key. The correct
public exponent is detected automatically when the key is imported, and the value of the
-exponent parameter is ignored.
The NetScaler FIPS appliance does not support external keys with a public exponent other
than 3 or F4.
You do not need a wrap key on the MPX 9700/10500/12500/15500 FIPS appliances.
You cannot import an external, encrypted FIPS key directly to an MPX
9700/10500/12500/15500 FIPS appliance. To import the key you need to first decrypt the
key, and then import it. To decrypt the key, at the shell prompt, type:
openssl rsa -in <EncryptedKey.key> > <DecryptedKey.out>
To import an external key as a FIPS key to an MPX

9700/10500/12500/15500 FIPS appliance by using the
1. Copy the external key to the appliance's flash drive.
2. If the key is in .pfx format, you must first convert it to PEM format. At the command
prompt, type:
convert ssl pkcs12 <output file> -import -pkcs12File <input .pfx file name>
-password <password>
3. At the command prompt, type the following commands to import the external key as a
FIPS key and verify the settings:
209
import ssl fipsKey <fipsKeyName> - key <string> - inform PEM
show ssl fipskey<fipsKeyName>

Example
convert ssl pkcs12 iis.pem -password 123456 -import -pkcs12File iis.pfx
import fipskey Key-FIPS-2 -key iis.pem -inform PEM
show ssl fipskey key-FIPS-2
FIPS Key Name: Key-FIPS-2 Modulus: 0 Public Exponent: F4 (Hex value 0x10001)
Note: The modulus is incorrectly displayed as zero in the above example. The
discrepancy does not affect SSL functionality.
To import an external key as a FIPS key to an MPX

9700/10500/12500/15500 FIPS appliance by using the
1. If the key is in .pfx format, you must first convert it to PEM format.
a. Navigate to Traffic Management > SSL.
b. In the details pane, under Tools, click Import PKCS#12.
c. In the Import PKCS12 File dialog box, set the following parameters:
Output File Name*
PKCS12 File Name*Specify the .pfx file name.
Import Password*
Encoding Format
3. In the details pane, on the FIPS Keys tab, click Import.

4. In the Import as a FIPS Key dialog box, select PEM file, and set values for the following
parameters:
FIPS Key Name*
Key File Name*To put the file in a location other than the default, you can either
specify the complete path or click Browse and navigate to a location.
5. Click Import, and then click Close.

imported are correct.
210

CLI procedure)
convert ssl pkcs12
import
Convert the certificate and private-key from PKCS#12 format to PEM format.
import ssl fipsKey

fipsKeyName
Name for the FIPS key to be imported. Must begin with an ASCII alphanumeric or
changed after the FIPS key is created.
key
Name of and, optionally, path to the key file to be imported.
inform
Input format of the key file. Available formats are:
SIM - Secure Information Management; select when importing a FIPS key. If the external
FIPS key is encrypted, first decrypt it, and then import it.
PEM - Privacy Enhanced Mail; select when importing a non-FIPS key.
Possible values: SIM, DER, PEM
Default value: FORMAT_SIM
show ssl fipskey

fipsKeyName
211

212
Configuring FIPS Appliances in a High

Availability Setup
You can configure two appliances in a high availability (HA) pair as FIPS appliances. For
information about configuring an HA setup, see .
Note: Citrix recommends that you use the configuration utility (GUI) for this procedure. If
you use the command line (CLI), make sure that you carefully follow the steps as listed in
the procedure. Changing the order of steps or specifying an incorrect input file might
cause inconsistency that requires that the appliance be restarted. In addition, if you use
the CLI, the create ssl fipskey command is not propagated to the secondary node. When
you execute the command with the same input values for modulus size and exponent on
two different FIPS appliances, the keys generated are not identical. You have to create
the FIPS key on one of the nodes and then transfer it to the other node. But if you use
the configuration utility to configure FIPS appliances in an HA setup, the FIPS key that
you create is automatically transferred to the secondary node. The process of managing
and transferring the FIPS keys is known as secure information management (SIM).
Important: On the MPX 9700/10500/12500/15500 FIPS appliances, the HA setup should be
completed within six minutes. If the process takes longer than six minutes, the internal
timer of the FIPS card expires and the following error message appears:
ERROR: Operation timed out or repeated, please wait for 10 mins and redo the SIM/HA
configuration steps.
If this message appears, restart the appliance or wait for 10 minutes, and then repeat the
HA setup procedure.
In the following procedure, appliance A is the primary node and appliance B is the
secondary node.
213
Configuring FIPS Appliances in a High Availability Setup
To configure FIPS appliances in a high availability

setup by using the command line interface
1. On appliance A, open an SSH connection to the appliance by using an SSH client, such
as PuTTY.
2. Log on to the appliance, using the administrator credentials.
3. Initialize appliance A as the source appliance. At the command prompt, type:
init ssl fipsSIMsource <certFile>
4. Copy this <certFile> file to appliance B, in the /nconfig/ssl folder.
5. On appliance B, open an SSH connection to the appliance by using an SSH client, such
as PuTTY.
6. Log on to the appliance, using the administrator credentials.
7. Initialize appliance B as the target appliance. At the command prompt, type:
init ssl fipsSIMtarget <certFile> <keyVector> <targetSecret>
8. Copy this <targetSecret> file to appliance A.
9. On appliance A, enable appliance A as the source appliance. At the command prompt,
type:
enable ssl fipsSIMSource <targetSecret> <sourceSecret>
10. Copy this <sourceSecret> file to appliance B.
11. On appliance B, enable appliance B as the target appliance. At the command prompt,
type:
enable ssl fipsSIMtarget <keyVector> <sourceSecret>
12. On appliance A, create a FIPS key, as described in Creating a FIPS Key.
13. Export the FIPS key to the appliances hard disk, as described in Exporting a FIPS Key.
14. Copy the FIPS key to the hard disk of the secondary appliance by using a secure file
transfer utility, such as SCP.
15. On appliance B, import the FIPS key from the hard disk into the HSM of the appliance,
as described in Importing an Existing FIPS Key.
214
To configure FIPS appliances in a high availability

setup by using the configuration utility
1. On the appliance to be configured as the source appliance, navigate to Traffic
Management > SSL > FIPS.
2. In the details pane, on the FIPS Info tab, click Enable SIM.
3. In the Enable HA Pair for SIM dialog box, in the Certificate File Name text box, type the
file name, with the path to the location at which the FIPS certificate should be stored
on the source appliance.
4. In the Key Vector File Name text box, type the file name, with the path to the location
at which the FIPS key vector should be stored on the source appliance.
5. In the Target Secret File Name text box, type the location for storing the secret data on
the target appliance.
6. In the Source Secret File Name text box, type the location for storing the secret data on
the source appliance.
7. Click OK. The FIPS appliances are now configured in HA mode.
8. Create a FIPS key, as described in Creating a FIPS Key. The FIPS key is automatically
transferred from the primary to the secondary.
Example
In the following example, source.cert is the certificate on the source appliance, stored in
the default directory, /nsconfig/ssl. This certificate must be transferred to the same
location (/nsconfig/ssl) on the target appliance. The file target.secret is created on the
target appliance and copied to the source appliance. The file source.secret is created on
the source appliance and copied to the target appliance.
On the source appliance
init fipsSIMsource /nsconfig/ssl/source.cert

On the target appliance
init fipsSIMtarget /nsconfig/ssl/source.cert /nsconfig/ssl/target.key /nsconfig/ssl/target.secret

enable fipsSIMsource /nsconfig/ssl/target.secret /nsconfig/ssl/source.secret

215
enable fipsSIMtarget /nsconfig/ssl/target.key /nsconfig/ssl/source.secret

create ssl fipskey fips1 -modulus 2048 -exponent f4

export fipskey fips1 -key /nsconfig/ssl/fips1.key
Copy this key into the hard disk of the target appliance.
import fipskey fips1 -key /nsconfig/ssl/fips1.key

The following diagram summarizes the transfer process.
Figure 1. Transferring the FIPS Key-Summary

CLI procedure)
init ssl fipsSIMsource
certFile
Name for and, optionally, path to the source FIPS appliance's certificate file.
216

init ssl fipsSIMtarget

certFile
Name of and, optionally, path to the source FIPS appliance's certificate file.
keyVector
Name for and, optionally, path to the target FIPS appliance's key vector. /nsconfig/ssl/ is
the default path.
targetSecret
Name for and, optionally, path to the target FIPS appliance's secret data. The default
input path for the secret data is /nsconfig/ssl/.
enable ssl fipsSIMSource

targetSecret
Name of and, optionally, path to the target FIPS appliance's secret data. /nsconfig/ssl/ is
the default path.
sourceSecret
Name for and, optionally, path to the source FIPS appliance's secret data. /nsconfig/ssl/
is the default path.
enable ssl fipsSIMtarget

keyVector
Name of and, optionally, path to the target FIPS appliance's key vector. /nsconfig/ssl/ is
the default path.
sourceSecret
Name of and, optionally, path to the source FIPS appliance's secret data. /nsconfig/ssl/
is the default path.
217
Resetting a Locked HSM

The HSM becomes locked (no longer operational) if you change the SO password, restart the
appliance without saving the configuration, and make three unsuccessful attempts to
change the password. This is a security measure for preventing unauthorized access
attempts and changes to the HSM settings.
Important: To avoid this situation, save the configuration after initializing the HSM.
If the HSM is locked, you must reset the HSM and restart the appliance to restore the
default passwords. You can then use the default passwords to access the HSM and configure
it with new passwords. When finished, you must save the configuration and restart the
appliance.
Caution: Do not reset the HSM unless it has become locked.
To reset a locked HSM by using the command line

interface
At the command prompt, type the following commands to reset and re-initialize a locked
HSM:
reset ssl fips
reboot -warm
set ssl fips -initHSM Level-2 <new SO password> <old SO password> <user password>
[-hsmLabel <string>]
save ns config
reboot -warm
Example
reset fips
reboot -warm
set fips -initHSM Level-2 newsopin123 sopin123 userpin123 -hsmLabel NSFIPS
saveconfig
reboot -warm
Note: The SO and User passwords are the default passwords.
218
To reset a locked HSM by using the configuration

utility
2. In the details pane, on the FIPS Info tab, click Reset FIPS.
3. Configure the HSM, as described in Configuring the HSM.
4. In the details pane, click Save.

CLI procedure)
reset ssl fips
reboot
warm
Restarts the NetScaler software without rebooting the underlying operating system. The
session terminates and you must log on to the appliance after it has restarted.
Note: This argument is required only for nCore appliances. Classic appliances ignore this
argument.
set ssl fips

initHSM
FIPS initialization level. The appliance currently supports Level-2 (FIPS 140-2).
Possible values: Level-2
hsmLabel
Label to identify the Hardware Security Module (HSM).
219
save ns config
220
FIPS Approved Algorithms and Ciphers

The FIPS approved algorithms are:
Key-Exchange algorithms
RSA
Cipher algorithms
SSL3-DES-CBC3-SHA
Note: RC4 (ARC4) is not a FIPS-approved algorithm.

SSL virtual server is marked UP only when default ciphers (FIPS) are configured.
221
Support for Thales nShield HSM

Note: This feature is available from release 10.5, build 52.1115.e.
A non-FIPS NetScaler appliance stores the servers private key on the hard disk. On a FIPS
appliance, the key is stored in a cryptographic module known as hardware security module
(HSM). Storing a key in the HSM protects it from physical and software attacks. In addition,
the keys are encrypted by using special FIPS approved ciphers.
Only the NetScaler MPX 9700/10500/12500/15500 appliances support a FIPS card. Support
for FIPS is not available on other MPX appliances, or on the SDX and VPX appliances. This
limitation is addressed by supporting a Thales nShield Connect external HSM on all
NetScaler MPX, SDX, and VPX appliances except the MPX 9700/10500/12500/15500
appliances.
Thales nShield Connect is an external FIPS-certified network-attached HSM. With a Thales
HSM, the keys are securely stored as application key tokens on a remote file server (RFS)
and can be reconstituted inside the Thales HSM only.
If you are already using a Thales HSM, you can now use a NetScaler ADC to optimize,
secure, and control the delivery of all enterprise and cloud services.
Note: Thales HSMs comply with FIPS 140-2 Level 3 specifications, while the MPX FIPS
appliances comply with level 2 specifications.
222
Architecture Overview
The three entities that are part of a NetScaler-Thales deployment are a Thales nShield
Connect module, a remote file server (RFS), and a NetScaler ADC.
The Thales nShield Connect is a network-attached hardware security module. The RFS is
used to configure the HSM and to store the encrypted key files.
Hardserver, a proprietary daemon provided by Thales, is used for communication between
the client (ADC), the Thales HSM, and the RFS. It uses the IMPATH secure communication
protocol. A gateway daemon, called the Hardserver Gateway, is used to communicate
between the NetScaler packet engine and the Hardserver.
Note: The terms Thales nShield Connect, Thales HSM, and HSM are used interchangeably
in this documentation.
The following figure illustrates the interaction between the different components.
In a typical deployment, the RFS is used to securely store keys generated by the HSM. After
the keys are generated, you can securely transfer them to the ADC and then use the
NetScaler configuration utility or command line to load the keys to the HSM. A virtual
server on the ADC uses Thales to decrypt the client key exchange to complete the SSL
handshake. Thereafter, all the SSL operations are performed on the ADC.
Note: The terms keys and application key tokens are used interchangeably in this
documentation.
The following figure illustrates the packet flow in the SSL handshake with the Thales HSM.
Figure 1. SSL Handshake Packets Flow Diagram with NetScaler Using Thales HSM
223
Architecture Overview
Note: The communication between the ADC and the HSM uses a Thales proprietary
communication protocol, called IMPATH.
224
Prerequisites
Before you can use a Thales nShield Connect with a NetScaler ADC, make sure that the
following prerequisites are met:
A Thales nShield Connect device is installed in the network, ready to use, and
accessible to the NetScaler ADC. That is, the NetScaler IP (NSIP) address is added as an
authorized client on the HSM.
A usable Security World exists. Security World is a unique key management architecture
used by the Thales nShield line of HSMs. It protects and manages keys as application key
tokens, enabling unlimited key capacity, and automatic key backup and recovery. For
more information about creating a Security World, see the nShield Connect Quick Start
Guide from Thales. You can also find the guide in the CD provided with the Thales HSM
module at
CipherTools-linux-dev-xx.xx.xx/document/nShield_Connect_Quick_Start_Guide.pdf.
Note: Softcard or token/OCS protected keys are currently not supported on the
NetScaler ADC.
Licenses are available to support the number of clients that will be connected to the
Thales HSM. The ADC and RFS are clients of the HSM.
A remote file server (RFS) is installed in the network and is accessible to the NetScaler
ADC.
The Thales nShield Connect device, the RFS, and the NetScaler ADC can initiate
connections with each other through port 9004.
You are using NetScaler release 10.5 build 52.1115.e or later.
The NetScaler appliance does not contain a FIPS Cavium card.

Important: Thales HSM is not supported on the MPX 9700/10500/12500/15500 FIPS
appliances.
225
Configuring the ADC-Thales Integration

The following flowchart depicts the tasks that you need to perform to use Thales HSM with
a NetScaler ADC:
226
As shown in the above flowchart, you perform the following tasks:

1. Enable remote configuration push on the HSM.
2. Configure the ADC to use the Thales HSM.
227
Add the NSIP address on the HSM.
Configure access permission for the ADC on the RFS.
Enroll the HSM on the ADC.
Add RFS details on the ADC.
Synchronize the ADC to the RFS.
Verify that Thales HSM is successfully enrolled on the ADC.
Restart the ADC.
3. (Optional) Create an HSM RSA key.

4. Configure the entities on the NetScaler ADC.
228
Add the HSM key.
Add a certificate-key pair by using the HSM key.
Add a virtual server.
Add a server object.
Add a service.
Bind the service to the virtual server.
Bind the certificate-key pair to the virtual server.
Verify the configuration.
Enabling Remote Configuration Push on

the HSM
You must specify the IP address of the RFS on the Thales HSM so that it accepts the
configuration that the RFS pushes to it. Use the nShield Connect front panel on the Thales
HSM to perform the following procedure.
To specify the IP address of a remote computer on the Thales HSM
1. Navigate to System Configuration > Config file options > Allow auto push.
2. Select ON, and specify the IP address of the computer (RFS) from which to accept the
configuration.
229
Configure the ADC to use the Thales

HSM
Sample values used in this documentation:
NSIP address=10.217.2.43
Thales HSM IP address=10.217.2.112
RFS IP address=10.217.2.6
Add the NetScaler IP (NSIP) Address on the HSM

Typically you use the nShield Connect front panel to add clients to the HSM. For more
information, see the nShield Connect Quick Start Guide.
Alternately, use the RFS to add the ADC as a client to the HSM. To do this, you must add the
NSIP address in the HSM configuration on the RFS, and then push the configuration to the
HSM. Before you can do this, you must know the electronic serial number (ESN) of the HSM.
To get the ESN of your HSM, run the following command on the RFS:
root@ns# /opt/nfast/bin/anonkneti <Thales HSM IP address>
Example
root@ns# /opt/nfast/bin/anonkneti 10.217.2.112
BD17-C807-58D9 5e30a698f7bab3b2068ca90a9488dc4e6c78d822
The ESN number is BD17-C807-58D9.
After you have the ESN number, use an editor, such as vi, to edit the HSM configuration file
on the RFS.
vi /opt/nfast/kmdata/hsm-BD17-C807-58D9/config/config
In the hs_clients section, add the following entries:
# Amount of data in bytes to encrypt with a session key before session key# renegotiation, or 0 for unlimitied
# datalimit=INT
addr=10.217.2.43
clientperm=unpriv
keyhash=0000000000000000000000000000000000000000
esn=
timelimit=86400
datalimit=8388608
-----
230
Configure the ADC to use the Thales HSM

Note: Include one or more hyphens as delimiters to add multiple entries in the same
section.
To push the configuration to the HSM, run the following command on the RFS:
/opt/nfast/bin/cfg-pushnethsm --address=<Thales HSM IP address>
--force /opt/nfast/kmdata/hsm-BD17-C807-58D9/config/config
Example
/opt/nfast/bin/cfg-pushnethsm --address=10.217.2.112 --force
/opt/nfast/kmdata/hsm-BD17-C807-58D9/config/config
Configure Access Permission for the ADC on the RFS

To configure access permission for the ADC on the RFS, run the following command on the
RFS:
/opt/nfast/bin/rfs-setup --force -g --write-noauth <NetScaler IP
address>
Example
[root@localhost bin]# /opt/nfast/bin/rfs-setup --force -g --write-noauth 10.217.2.43
Adding read-only remote_file_system entries
Ensuring the directory /opt/nfast/kmdata/local exists
Adding new writable remote_file_system entries
Ensuring the directory /opt/nfast/kmdata/local/sync-store exists
Saving the new config file and configuring the hardserver
Done
Verify that the ADC can reach both the RFS and Thales HSM by using port 9004.
Enroll the HSM on the ADC

Change directory to /var/opt/nfast/bin.
To add HSM details into the ADC configuration, run the following command on the ADC:
nethsmenroll --force <Thales_nShield_Connect_ip_address> $(anonkneti
<Thales_nShield_Connect_ip_address>)
Example
root@ns# ./nethsmenroll --force 10.217.2.112 $(anonkneti 10.217.2.112)
OK configuring hardserver's nethsm imports
This step adds the following entries after the line # ntoken_esn=ESN in the
nethsm_imports section of the /var/opt/nfast/kmdata/config/config file.
231
local_module=0
remote_ip=10.217.2.112
remote_port=9004
remote_esn=BD17-C807-58D9
keyhash=5e30a698f7bab3b2068ca90a9488dc4e6c78d822
timelimit=86400
datalimit=8388608
privileged=0
privileged_use_high_port=0
ntoken_esn=
Note: To remove an HSM that is enrolled on the ADC, type: ./nethsmenroll remove
<NETHSM-IP>
Add RFS details on the ADC

To add RFS details, change directory to /var/opt/nfast/bin/ and then run the following
command:
./rfs-sync --no-authenticate --setup <rfs_ip_address>
Example
./rfs-sync --no-authenticate --setup 10.217.2.6
No current RFS synchronization configuration.
Configuration successfully written; new config details:
Using RFS at 10.217.2.6:9004: not authenticating.
This step adds the following entries after the # local_esn=ESN line in the
rfs_sync_client section of the /var/opt/nfast/kmdata/config/config file.
remote_ip=10.217.2.6
remote_port=9004
use_kneti=no
local_esn=
Note: To remove an RFS that is enrolled on the ADC, type: ./rfs_sync remove
Example
./rfs-sync --no-authenticate --setup 10.217.2.6
No current RFS synchronization configuration.
Configuration successfully written; new config details:
Using RFS at 10.217.2.6:9004: not authenticating.
This step adds the following entries after the # local_esn=ESN line in the
rfs_sync_client section of the /var/opt/nfast/kmdata/config/config file.
232
remote_ip=10.217.2.6
remote_port=9004
use_kneti=no
local_esn=
Synchronize the ADC to the RFS

To synchronize all the files, change directory to /var/opt/nfast/bin and then run the
following command on the ADC:
./rfs-sync -update
This command fetches all the World files, module files, and key files from the
/opt/nfast/kmdata/local directory on the RFS and puts them into the
/var/opt/nfast/kmdata/local directory on the ADC. Citrix recommends that you manually
copy the World files, the module_XXXX_XXXX_XXXX files, where XXXX_XXXX_XXXX is the ESN
of the enrolled HSM, and only the required RSA key and certificate files.
Verify that the Thales HSM is successfully enrolled on

the ADC
After you synchronize the ADC to the RFS, do the following:
Verify that the local Hardserver is UP and running. (nCipher server running).
Get the state of the configured HSMs, and verify that the values for the n_modules
(number of modules) field and the km info fields are non-zero.
Verify that the HSM is enrolled correctly and is usable (state 0x2 Usable) by the
ADC.
Load tests using sigtest run properly.
Change directory to /var/opt/nfast/bin, and at the shell prompt, run the following
commands:
root@ns# ./chkserv
root@ns# ./nfkminfo
root@ns# ./sigtest
See Appendix for an example.
Restart the ADC

You must restart the ADC for the configuration to take effect. If you have made changes to
the configuration, save the configuration before you restart the ADC.
To restart the ADC by using the command line
233

At the command prompt, run the following command:
reboot
To restart the ADC by using the configuration utility
1. In the configuration utility, click Reboot on the home page of the Configuration tab.
2. When prompted to reboot, select Save configuration to make sure that you do not lose
any configurations.

CLI procedure)
reboot
234
Create an HSM RSA Key

Only RSA keys are supported as HSM keys.
Note: Skip this step if keys are already present in the /opt/nfast/kmdata/local folder on
the RFS.
Create an RSA key, a self-signed certificate, and a Certificate Signing Request (CSR). Send
the CSR to a certificate authority to get a server certificate.
The following files are created in the example below:
Embed RSA key: key_embed_2ed5428aaeae1e159bdbd63f25292c7113ec2c78
Self-Signed Certificate: example_selfcert
Certificate Signing Request: example_req
Note: The generatekey command is supported in strict FIPS 140-2 Level 3 Security
World. An administrator card set (ACS) or an operator card set (OCS) is needed to control
many operations, including the creation of keys and OCSs. When you run the
generatekey command, you are prompted to insert an ACS or OCS card. For more
information about strict FIPS 140-2 Level 3 Security World, see the nShield Connect User
Guide.
The following example uses Level-2 Security World. In the example, the commands are in
boldface type.
Example
[root@localhost bin]# ./generatekey embed

size: Key size? (bits, minimum 1024) [1024] > 2048
OPTIONAL: pubexp: Public exponent for RSA key (hex)? []
>
embedsavefile: Filename to write key to? []
> example
plainname: Key name? [] > example
x509country: Country code? [] > US
x509province: State or province? [] > CA
x509locality: City or locality? [] > Santa Clara
x509org: Organisation? [] > Citrix
x509orgunit: Organisation unit? [] > NS
x509dnscommon: Domain name? [] > www.citrix.com
x509email: Email address? [] > example@citrix.com
nvram: Blob in NVRAM (needs ACS)? (yes/no) [no] >
digest: Digest to sign cert req with? (md5, sha1, sha256, sha384, sha512)
[default sha1] > sha512
key generation parameters:
operation
Operation to perform
generate
application Application
embed
verify
Verify security of key
yes
235

type
Key type
RSA
size
Key size
2048
pubexp
Public exponent for RSA key (hex)
embedsavefile Filename to write key to
example
plainname
Key name
example
x509country Country code
US
x509province State or province
CA
x509locality City or locality
Santa Clara
x509org
Organisation
Citrix
x509orgunit Organisation unit
NS
x509dnscommon Domain name
www.citrix.com
x509email
Email address
example@citrix.com
nvram
Blob in NVRAM (needs ACS)
no
digest
Digest to sign cert req with
sha512
Key successfully generated.
Path to key: /opt/nfast/kmdata/local/key_embed_2ed5428aaeae1e159bdbd63f25292c7113ec2c78
You have new mail in /var/spool/mail/root
Result
You have created a CSR (example_req), a self-signed certificate (example_selfcert), and an
application key token file in embed format
(/opt/nfast/kmdata/local/key_embed_2ed5428aaeae1e159bdbd63f25292c7113ec2c78)
Because the ADC supports keys in simple format only, you must convert the embed key to a
simple key.
To convert the embed key to a simple key, run the following command on the RFS:
[root@localhost bin]# ./generatekey -r simple
from-application: Source application? (embed, simple) [embed] > embed
from-ident: Source key identifier? (c6410ca00af7e394157518cb53b2db46ff18ce29,
2ed5428aaeae1e159bdbd63f25292c7113ec2c78)
[default c6410ca00af7e394157518cb53b2db46ff18ce29]
> 2ed5428aaeae1e159bdbd63f25292c7113ec2c78
ident: Key identifier? [] > examplersa2048key
plainname: Key name? [] > examplersa2048key
key generation parameters:
operation
Operation to perform retarget
application
Application
simple
verify
Verify security of key yes
from-application Source application
embed
from-ident
Source key identifier 2ed5428aaeae1e159bdbd63f25292c7113ec2c78
ident
Key identifier
examplersa2048key
plainname
Key name
examplersa2048key
Key successfully retargetted.
Path to key: /opt/nfast/kmdata/local/key_simple_examplersa2048key
Result
A key with the prefix key_simple (for example key_simple_examplersa2048key) is
created.
Note: examplersa2048key is the key identifier (ident) and is referred to as the HSM
key name on the ADC. A key identifier is unique. All the simple files have the prefix
key_simple.
236
237
Configure the Entities on the ADC

Before the ADC can process traffic, you must do the following:
1. Enable features.
2. Add a subnet IP (SNIP) address.
3. Add the HSM key to the ADC.
4. Add a certificate-key pair by using the HSM key.
5. Add a virtual server.
6. Add a server object.
7. Add a service.
8. Bind the service to the virtual server.
9. Bind the certificate-key pair to the virtual server.
10. Verify the configuration.
Enable features on the ADC

Licenses must be present on the ADC before you can enable a feature.
To enable a feature by using the command line
At the command prompt, run the following commands:
enable feature lb
enable feature ssl
To enable a feature by using the configuration utility

Navigate to System > Settings and, in the Modes and Features group, select Configure basic
features, and then select SSL Offloading.
Add a subnet IP address

For more information about subnet IP addresses, see Configuring Subnet IP Addresses.
To add a SNIP address and verify the configuration by using the command line
238
add ns ip <IPAddress> <netmask> -type SNIP
show ns ip
Example
> add ns ip 192.168.17.253 255.255.248.0 -type SNIP
Done
> show ns ip
Ipaddress
Traffic Domain Type
Mode
Arp
Icmp
Vserver State
---------------------- ------------------ -----1)
192.168.17.251 0
NetScaler IP
Active Enabled Enabled NA
Enabled
2)
192.168.17.252 0
VIP
Active Enabled Enabled Enabled Enabled
3)
192.168.17.253 0
SNIP
Active Enabled Enabled NA
Enabled
Done
To add a SNIP address and verify the configuration by using the configuration utility
Navigate to System > Network > IPs, add an IP address, and select the IP Type as Subnet
IP.
Copy the HSM key and certificate to the ADC

Use a secure file transfer utility to securely copy the key (key_simple_examplersa2048key)
to the /var/opt/nfast/kmdata/local folder, and the certificate (example_selfcert) to the
/nsconfig/ssl folder on the ADC.
Add the key on the ADC

All the keys have a key-simple prefix. When adding the key to the ADC, use the ident as the
HSM key name. For example, if the key that you added is key_simple_XXXX, the HSM key
name is XXXX.
Important:
The HSM key name must be the same as the ident that you specified when you
converted an embed key to a simple key format.
The keys must be present in the /var/opt/nfast/kmdata/local/ directory on the ADC.
To add an HSM key by using the command line

At the shell prompt, run the following command:
add ssl hsmKey <hsmKeyName> -key <string>
Example
> add ssl hsmKey examplersa2048key key key_simple_examplersa2048key
Done
To add an HSM key by using the configuration utility
239

Navigate to Traffic Management > SSL > HSM, and add an HSM key.
Add a certificate-key pair on the ADC

For information about certificate-key pairs, see Adding or Updating a Certificate-Key Pair.
To add a certificate-key pair by using the command line
add ssl certKey <certkeyName> -cert <string> -hsmKey <string>
Example
> add ssl certKey key22 -cert example_selfcert -hsmKey examplersa2048key
Done
To add a certificate-key pair by using the configuration utility
Navigate to Traffic Management > SSL > Certificates, and add a certificate-key pair.
Add a virtual server

For information about a virtual server, see Configuring an SSL-Based Virtual Server.
To configure an SSL-based virtual server by using the command line
add lb vserver <name> <serviceType> <IPAddress> <port>
Example
> add lb vserver v1 SSL 192.168.17.252 443
To configure an SSL-based virtual server by using the configuration utility
Navigate to Traffic Management > Load Balancing > Virtual Servers, create a virtual server,
and specify the protocol as SSL.
Add a server object

Before you can add a server object on the ADC, make sure that you have created a backend
server. The following example uses the built-in python HTTP Server module on a Linux
system.
Example
%python m SimpleHTTPServer 80
To add a server object by using the command line
240

add server <name> <IPAddress>
Example
> add server s1 192.168.17.246
To add a server object by using the configuration utilty
Navigate to Traffic Management > Load Balancing > Servers, and add a server.
Add a service
For more information, see Configuring Services.
To configure a service by using the command line
add service <name> <serverName> <serviceType> <port>
Example
> add service sr1 s1 HTTP 80
To configure a service by using the configuration utility
Navigate to Traffic Management > Load Balancing > Services, and create a service.
Bind the service to the virtual server

For more information, see Binding Services to an SSL-Based Virtual Server.
To bind a service to a virtual server by using the command line
bind lb vserver <name> <serviceName>
Example
> bind lb vserver v1 sr1
To bind a service to a virtual server by using the configuration utility
2. Open a virtual server, and click in the Services pane to bind a service to the virtual
server.
241
Bind the certificate-key pair to the virtual server on

the ADC
For more information, see Binding the Certificate-Key Pair to the SSL-Based Virtual Server.
To bind a certificate-key pair to a virtual server by using the command line
bind ssl vserver <vServerName> -certkeyName <string>
Example
> bind ssl vserver v1 -certkeyName key22
Warning: Current certificate replaces the previous binding
To bind a certificate-key pair to a virtual server by using the configuration utility
2. Open an SSL virtual server and, in Advanced Settings, click SSL Certificate.
3. Bind a server certificate to the virtual server.
Verify the configuration

To view the configuration by using the command line
Example
> show lb vserver v1
v1 (192.168.17.252:443) - SSL Type: ADDRESS
State: UP
Last state change was at Wed Oct 29 03:11:11 2014
Effective State: UP
1 (Active)
Current Method: Round Robin, Reason: Bound service's state changed to UP
Mode: IP
Persistence: NONE
242

Push Multi Clients: NO
L2Conn: OFF
Skip Persistency: None
IcmpResponse: PASSIVE
RHIstate: PASSIVE
New Service Startup Request Rate: 0 PER_SECOND, Increment Interval: 0
Mac mode Retain Vlan: DISABLED
DBS_LB: DISABLED
Process Local: DISABLED
Traffic Domain: 0
1) sr1 (192.168.17.246: 80) - HTTP State: UP
Done
>
Weight: 1
> sh ssl vserver v1

DH: DISABLED
Refresh Count: 0
ClearText Port: 0
SNI: DISABLED
SSLv2: DISABLED SSLv3: DISABLED TLSv1.0: ENABLED TLSv1.1: DISABLED TLSv1.2: DISABLED
ECC Curve: P_256, P_384, P_224, P_521
1)
CertKey Name: key22
Server Certificate
1)

Done
To view the configuration by using the configuration utility

Navigate to Traffic Management > Load Balancing > Virtual Servers, and double-click an SSL
virtual server to open it and view the configuration.

CLI procedure)
add ns ip
IPAddress
243

IPv4 address to create on the NetScaler appliance. Cannot be changed after the IP
address is created.
netmask
Subnet mask associated with the IP address.
type
Type of the IP address to create on the NetScaler appliance. Cannot be changed after
the IP address is created. The following are the different types of NetScaler owned IP
addresses:
* A Subnet IP (SNIP) address is used by the NetScaler ADC to communicate with the
servers. The NetScaler also uses the subnet IP address when generating its own packets,
such as packets related to dynamic routing protocols, or to send monitor probes to check
the health of the servers.
* A Virtual IP (VIP) address is the IP address associated with a virtual server. It is the IP
address to which clients connect. An appliance managing a wide range of traffic may
have many VIPs configured. Some of the attributes of the VIP address are customized to
meet the requirements of the virtual server.
* A GSLB site IP (GSLBIP) address is associated with a GSLB site. It is not mandatory to
specify a GSLBIP address when you initially configure the NetScaler appliance. A GSLBIP
address is used only when you create a GSLB site.
* A Cluster IP (CLIP) address is the management address of the cluster. All cluster
configurations must be performed by accessing the cluster through this IP address.
Possible values: SNIP, VIP, NSIP, GSLBsiteIP, CLIP
Default value: NSADDR_SNIP
show ns ip
add ssl certKey

certkeyName
244

cert
add lb vserver
name
serviceType
Protocol used by the service (also called the service type).
Possible values: HTTP, FTP, TCP, UDP, SSL, SSL_BRIDGE, SSL_TCP, DTLS, NNTP, DNS,
DHCPRA, ANY, SIP_UDP, DNS_TCP, RTSP, PUSH, SSL_PUSH, RADIUS, RDP, MYSQL, MSSQL,
DIAMETER, SSL_DIAMETER, TFTP, ORACLE
IPAddress
IPv4 or IPv6 address to assign to the virtual server.
port
Port number for the virtual server.
add server
name
Name for the server.
Must begin with an ASCII alphabetic or underscore (_) character, and must contain only
ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=),
and hyphen (-) characters.
Can be changed after the name is created.
IPAddress
245

IPv4 or IPv6 address of the server. If you create an IP address based server, you can
specify the name of the server, instead of its IP address, when creating a service. Note:
If you do not create a server entry, the server IP address that you enter when you create
a service becomes the name of the server.
add service
name
has been created.
serverName
serviceType
port
bind lb vserver
name
serviceName
246
bind ssl vserver

vServerName
certkeyName
show lb vserver
name
show ssl vserver

vServerName
247
Limitations
TLS protocol versions 1.1 and 1.2 are not supported with the Thales HSM integration.
Note: SSL version 3 (SSLv3) is not supported on an MPX appliance but is supported on
a VPX virtual appliance. A VPX instance provisioned on an SDX appliance supports
SSLv3 only if an SSL chip is not assigned to the instance.
248
ECDHE/DHE ciphers and Export ciphers are not supported.
SSL server key exchange using HSM keys is not supported.
If you have added or removed keys after you last saved the configuration, you must
save the configuration before you perform a warm restart. If you do not save the
configuration, there will be a key mismatch between the ADC and the HSM.
You cannot bind an HSM key to a DTLS virtual server.
You cannot bind a certificate-key pair that is created by using an HSM key to an SSL
service.
You cannot use the NetScaler configuration utility to enroll the ADC as a client of the
HSM or check the status of the HSM from the configuration utility.
SSL renegotiation is not supported.
You cannot sign OCSP requests by using a certificate-key pair that is created by using an
HSM key.
A certificate bundle with HSM keys is not supported.
An error does not appear if the HSM key and certificate do not match. Therefore, while
adding a certificate-key pair, you need to make sure that the HSM key and certificate
match.
Appendix
Example
Note: In the following example, the commands are in boldface type.
root@ns# ./chkserv
nCipher server running
root@ns# ./nfkminfo
World
generation 2
state
0x17a70000 Initialised Usable Recovery PINRecovery !ExistingClient RTC NVRAM FTO !AlwaysUseStr
n_modules 1
hknso
cbec8c0c56c6b5e76b73147ef02d34a661eaa044
hkm
bbb8d4839da5782be4d092735a7535538834dc91 (type Rijndael)
hkmwk
1d572201be533ebc89f30fdd8f3fac6ca3395bf0
hkre
01f21ecf43933ffdd45e74c3883525176c5c439c
hkra
ac8ec5ee6bce00991bd97adce2091d9739b9b452
hkmc
cf1b509abaad91995ed202d8f36613fc99433155
hkp
c20910b2ed1ca62d6a2b0db67052a05f7bbfeb43
hkrtc
bd811020a7c2f8df435a481c3767a89c2e13bc4f
hknv
278b8012e48910d518a9ee91cff57233fb0c9093
hkdsee
12230b0e31e3cec66324c0815f782cfb9249edd5
hkfto
89dd6250b3d6149bcd15606f4553085e2fd6271a
hkmnull
0100000000000000000000000000000000000000
ex.client none
k-out-of-n 1/2
other quora m=1 r=1 p=1 nv=1 rtc=1 dsee=1 fto=1
createtime 2014-02-28 21:05:32
nso timeout 10 min
ciphersuite DLf1024s160mRijndael
Module #1
generation 2
state
0x2 Usable
flags
0x10000 ShareTarget
n_slots 2
esn
BD17-C807-58D9
hkml
70289a6edba00ddc7e3f6d6f5a49edc963e822f2
Module #1 Slot #0 IC 0
generation 1
phystype
SmartCard
slotlistflags 0x2 SupportsAuthentication
state
0x2 Empty
flags
0x0
shareno
0
shares
error
OK
No Cardset
249
Appendix
Module #1 Slot #1 IC 0
generation 1
phystype
SoftToken
slotlistflags 0x0
state
0x2 Empty
flags
0x0
shareno
0
shares
error
OK
No Cardset
No Pre-Loaded Objects
root@ns# ./sigtest
Hardware module #1 speed index 5792 recommended minimum queue 19
Found 1 module; using 19 jobs
Making 1024-bit RSAPrivate key on module #1;
using Mech_RSApPKCS1 and PlainTextType_Bignum.
Generated and exported key from module #1.
Imported keys on module #1
1,
3059 1223.6, 3059 overall
2,
8698 2989.76, 4349 overall
3,
14396 4073.06, 4798.67 overall
4,
20091 4721.83, 5022.75 overall
5,
25799 5116.3, 5159.8 overall
6,
31496 5348.58, 5249.33 overall
7,
37192 5487.55, 5313.14 overall
8,
42780 5527.73, 5347.5 overall
9,
45777 4515.44, 5086.33 overall
10,
51457 4981.26, 5145.7 overall
11,
57151 5266.36, 5195.55 overall
12,
62813 5424.61, 5234.42 overall
13,
68496 5527.97, 5268.92 overall
14,
74182 5591.18, 5298.71 overall
15,
79832 5614.71, 5322.13 overall
16,
85518 5643.23, 5344.88 overall
17,
88412 4543.54, 5200.71 overall
18,
94086 4995.72, 5227 overall
19,
99778 5274.23, 5251.47 overall
20,
105469 5440.94, 5273.45 overall
21,
111133 5530.16, 5292.05 overall
22,
116838 5600.1, 5310.82 overall
23,
122522 5633.66, 5327.04 overall
24,
128175 5641.4, 5340.62 overall
25,
131072 4543.64, 5242.88 overall
26,
136762 5002.18, 5260.08 overall
27,
142415 5262.51, 5274.63 overall
28,
148125 5441.51, 5290.18 overall
29,
153816 5541.3, 5304 overall
30,
159414 5563.98, 5313.8 overall
250
Troubleshooting
If the SSL feature does not work as expected after you have configured it, you can use some
common tools to access NetScaler resources and diagnose the problem.
251
Resources for Troubleshooting

For best results, use the following resources to troubleshoot an SSL issue on a NetScaler
appliance:
The relevant ns.log file
The latest ns.conf file
The messages file
The relevant newnslog file
Trace files
A copy of the certificate files, if possible
A copy of the key file, if possible
The error message, if any
In addition to the above resources, you can use the Wireshark application customized for
the NetScaler trace files to expedite troubleshooting.
252
Troubleshooting SSL Issues

To troubleshoot an SSL issue, proceed as follows:
253
Verify that the NetScaler appliance is licensed for SSL Offloading and load balancing.
Verify that SSL Offloading and load balancing features are enabled on the appliance.
Verify that the status of the SSL virtual server is not displayed as DOWN.
Verify that the status of the service bound to the virtual server is not displayed as
DOWN.
Verify that a valid certificate is bound to the virtual server.
Verify that the service is using an appropriate port, preferably port 443.

NetScaler 10.5 SSL Offload and Acceleration

Uploaded by

Copyright:

Available Formats

NetScaler 10.5 SSL Offload and Acceleration

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

NetScaler 10.5 SSL Offload and Acceleration

Uploaded by

Copyright:

Available Formats

SSL Offload and Acceleration

2015-01-16 04:50:24 UTC

SSL Offload and Acceleration...............................................................................

Configuring SSL Offloading......................................................................

Enabling SSL Processing....................................................................

Configuring an SSL-Based Virtual Server ................................................

Binding Services to the SSL-Based Virtual Server ......................................

Adding or Updating a Certificate-Key Pair..............................................

Binding the Certificate-Key Pair to the SSL-Based Virtual Server ...................

Configuring a DTLS Virtual Server ........................................................

DTLS Profile .................................................................................

Importing SSL Files from Remote Hosts .................................................

SSL Profiles ..................................................................................

Managing Certificates ...........................................................................

Obtaining a Certificate from a Certificate Authority .................................

Importing Existing Certificates and Keys................................................

Generating a Self-Signed Certificate ....................................................

Adding a Group of SSL Certificates ......................................................

Adding and Linking a Certificate Set ...............................................

Creating a Chain of Certificates ....................................................

Displaying a Certificate Chain ............................................................

Generating a Server Test Certificate ....................................................

Modifying and Monitoring Certificates and Keys .......................................

Using Global Site Certificates.............................................................

Converting the Format of SSL Certificates for Import or Export ....................

Managing Certificate Revocation Lists ........................................................

Creating a CRL on the NetScaler .........................................................

Adding an Existing CRL to the NetScaler ................................................

Configuring CRL Refresh Parameters ....................................................

Synchronizing CRLs .........................................................................

Performing Client Authentication by using a Certificate Revocation List..........

Monitoring Certificate Status with OCSP .....................................................

NetScaler Implementation of OCSP ......................................................

OCSP Request Batching ....................................................................

OCSP Response Caching....................................................................

Configuring an OCSP Responder ..........................................................

Configuring Client Authentication .............................................................

Providing the Client Certificate ..........................................................

Enabling Client-Certificate-Based Authentication .....................................

Binding CA Certificates to the Virtual Server ..........................................

Customizing the SSL Configuration ............................................................

Configuring Diffie-Hellman (DH) Parameters ...........................................

Configuring Ephemeral RSA ...............................................................

Configuring Session Reuse .................................................................

Configuring Cipher Redirection ...........................................................

Configuring SSLv2 Redirection ............................................................

Configuring SSL Protocol Settings ........................................................

Configuring ECDHE Ciphers................................................................

Configuring a Common Name on an SSL Service or Service Group for Server

Configuring Advanced SSL Settings.......................................................

Synchronizing Configuration Files in a High Availability Setup ......................

Managing Server Authentication..........................................................

Configuring User-Defined Cipher Groups on the NetScaler Appliance..............

Configuring SSL Actions and Policies ..........................................................

Configuring User-Defined Actions for SSL Policies .....................................

Configuring SSL Policies....................................................................

Configuring an SSL Default Syntax Policy ...............................................

Configuring Built-in Actions for SSL Default Syntax Policies .........................

Configuring SSL Policy Labels .............................................................