Chapter 8
Examples of CSS SSL Configurations
1. The client transmits the encrypted payment or order information through an SSL connection (TCP SYN received through destination port 443). In this example, when the client connection reaches the CSS, the CSS uses a Layer 5 SSL Session ID sticky content rule to load balance the SSL connection among the three SSL modules (M1, M2, and M3). When the inbound TCP SYN connection reaches the SSL module (the SSL server), the module terminates the TCP connection from the client.

2. Once an SSL module is selected (for example, M1), the CSS forwards the SSL packet to that module. The Session ID is saved in the sticky table for subsequent SSL connections from the same client. Once this SSL flow is mapped, the CSS forwards all subsequent packets for this connection to SSL module M1. If there are additional SSL connections associated with this transaction (as determined by the SSL Session ID), the CSS also forwards and maps those packets to SSL module M1.

3. The SSL module terminates the SSL connection and decrypts the packet data. The SSL module then initiates an HTTP connection to a content rule configured on the CSS. The data in this HTTP connection is clear text.

4. The HTTP content rule applies the Layer 5 HTTP cookie or URL sticky content rule to this HTTP request. The cookie or URL string in this clear-text HTTP request is used to locate the same server (ServerABC) that was initially used by the non-SSL HTTP connection in the transaction (for example, online shopping). The CSS forwards the request to ServerABC and maps this flow.

5. Once the flow is mapped, the HTTP response from the server is returned to the same SSL module (M1) that sent the original request. The SSL module encrypts the response as an SSL packet (it translates flows from HTTP to HTTPS for outbound packets) and sends the packets back to the client through the correct SSL connection.

6. When the TCP connection is finished, the four flows (the two flows between the client and the SSL module, and the two flows between the SSL module and the server) are torn down.

An entire SSL session can comprise multiple TCP connections. For each of those connections, the same process takes place among the client, SSL module, and server. The SSL Session ID maintains the stickiness between the client and the SSL module, and the cookie maintains the stickiness between the SSL module and the servers. In this way, stickiness is maintained consistently through the entire web transaction.

Cisco Content Services Switch SSL Configuration Guide
OL-5655-01
8-3
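The following Python model is an added illustration of the two-stage stickiness described above; it is not configuration or code from the Cisco guide. The server names other than ServerABC, the round-robin selection standing in for the CSS balancing method, and the flow tuples are constructed assumptions.

```python
from itertools import cycle

SSL_MODULES = ["M1", "M2", "M3"]       # the three SSL modules named in the text
SERVERS = ["ServerABC", "ServerXYZ"]   # constructed back-end server names


class CssStickiness:
    """Models the two sticky tables the CSS keeps during an SSL web transaction."""

    def __init__(self):
        self.ssl_sticky = {}       # SSL Session ID -> SSL module (Layer 5 rule on port 443)
        self.cookie_sticky = {}    # cookie string  -> server (Layer 5 cookie rule, clear text)
        self.mapped_flows = set()  # currently mapped flows, as (conn_id, src, dst)
        self._next_module = cycle(SSL_MODULES)  # round robin is an assumption standing in
        self._next_server = cycle(SERVERS)      # for the real CSS balancing method

    def select_ssl_module(self, session_id):
        # A new Session ID is load balanced; a known one sticks to its module.
        if session_id not in self.ssl_sticky:
            self.ssl_sticky[session_id] = next(self._next_module)
        return self.ssl_sticky[session_id]

    def select_server(self, cookie):
        # Same idea on the clear-text HTTP side, keyed on the cookie the module exposes.
        if cookie not in self.cookie_sticky:
            self.cookie_sticky[cookie] = next(self._next_server)
        return self.cookie_sticky[cookie]

    def http_connection(self, conn_id, cookie):
        """Earlier non-SSL HTTP request (the shopping cart) that first pins the cookie to a server."""
        server = self.select_server(cookie)
        self.mapped_flows |= {(conn_id, "client", server), (conn_id, server, "client")}
        return server

    def ssl_connection(self, conn_id, session_id, cookie):
        """One TCP connection to port 443: returns (module, server, flows) once mapped."""
        module = self.select_ssl_module(session_id)   # Session ID sticky on the inbound SYN
        server = self.select_server(cookie)           # cookie is visible only after decryption
        flows = {(conn_id, "client", module), (conn_id, module, server),   # request direction
                 (conn_id, server, module), (conn_id, module, "client")}   # response direction
        self.mapped_flows |= flows
        return module, server, flows

    def close_connection(self, flows):
        """TCP close: the four flows of that connection are torn down; sticky entries remain."""
        self.mapped_flows -= flows
```

Running several connections with the same Session ID and cookie shows every one of them landing on the same module and the same server, while closing one connection removes only its own four flows.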