How to use secure adn with default Ca certificate
search cancel

How to use secure adn with default Ca certificate

book

Article ID: 166527

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

One of the common uses of secure ADN is to be able to accelerate ssl encrypted connections when used with the blue coat SSL proxy component.

By default it is very easy to use the bluecoat-appliance-name ssl device profile with secure ADN. However, there is a lack of documentation on how to set this up with a certificate other than this one.

Note you can use the passive-attack-protection-only profile but that does not provide authorization so is not as secure. Does not verify the peer. One common reason for creating a new device profile with

secure ADN is when the appliance does not come with the bluecoat-appliance-name ssl device profile. For exampe the SG VA (virtual appliance) does not come with the the bluecoat-appliance-name ssl device profile.

In this KB article I am going to use the default certificate. You could of course use certificates signed by say a Microsoft CA.

If you set up the secure ADN incorrectly then in the ADN > general tab you will see ADN connection status errors such as:

ADN denied or ssl connect failed (error: 0x3EB)

This will be because you are using the wrong cert i.e in device profile on the edge you are using the edge certificate whereas you need to use the core certificate or the ccl does not include the certificate.

Resolution

This is how to do this via the cli.

First of all we need to grab the default certificates from the core and edge boxes. To do this run the following command on edge and core:

This is from core:

 - Blue Coat SG210 Series1#(config ssl)view certificate default
-----BEGIN CERTIFICATE-----
MIIDJzCCApCgAwIBAgIEHT46uDANBgkqhkiG9w0BAQUFADBuMQswCQYDVQQGEwIg
IDETMBEGA1UECBMKU29tZS1TdGF0ZTEfMB0GA1UEChMWQmx1ZSBDb2F0IFNHMjEw
IFNlcmllczETMBEGA1UECxMKMjYwNzA2MzM0NTEUMBIGA1UEAxMLMTAuOTEuMTku
MjYwHhcNMTEwNzE5MTAzODQ4WhcNMTMwNzE4MTAzODQ4WjBuMQswCQYDVQQGEwIg
IDETMBEGA1UECBMKU29tZS1TdGF0ZTEfMB0GA1UEChMWQmx1ZSBDb2F0IFNHMjEw
IFNlcmllczETMBEGA1UECxMKMjYwNzA2MzM0NTEUMBIGA1UEAxMLMTAuOTEuMTku
MjYwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANE82NdUtfSxWPqbUz/PNVlY
vDkU2Dla8wGpycgm+PvWU3dLnszlx/g6O+roCs/JCrdwsEybOxysCNlL9CHIMV5G
NMjxyTZj3GoD8T24wHCwSkT7fI/e48pdKsADwhr/6t3aknKMAbSS314lFuUTjTE5
aHgaBYJbONv/GIPPaG3XAgMBAAGjgdEwgc4wHQYDVR0OBBYEFKyoObgri650Aijr
wHxFvwQ4zIpEMIGbBgNVHSMEgZMwgZCAFKyoObgri650AijrwHxFvwQ4zIpEoXKk
cDBuMQswCQYDVQQGEwIgIDETMBEGA1UECBMKU29tZS1TdGF0ZTEfMB0GA1UEChMW
Qmx1ZSBDb2F0IFNHMjEwIFNlcmllczETMBEGA1UECxMKMjYwNzA2MzM0NTEUMBIG
A1UEAxMLMTAuOTEuMTkuMjaCBB0+OrgwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG
9w0BAQUFAAOBgQCig3+E7xJedy/Ep0IMMjToEBp8npoigbhRmhY2dP/pIRL9POI+
nQU5ewR1J2FPF3bBmRYfvHz/BwGUZsjBjCrlIxoriPZx4zzmCQY81SWwSOWqA86V
BXuQH3w/MagAuQ8d1KPqmWeik6MXsHTRWValxxfaW0Ku52woHuiLig6Ifg==
-----END CERTIFICATE-----

 

This is from edge:

Blue Coat SG300 Series#(config ssl)view certificate default
-----BEGIN CERTIFICATE-----
MIIDJzCCApCgAwIBAgIEHfBJ6jANBgkqhkiG9w0BAQUFADBuMQswCQYDVQQGEwIg
IDETMBEGA1UECBMKU29tZS1TdGF0ZTEfMB0GA1UEChMWQmx1ZSBDb2F0IFNHMzAw
IFNlcmllczETMBEGA1UECxMKMTkxMTE2MjA4MjEUMBIGA1UEAxMLMTAuOTEuMTku
MzAwHhcNMTExMjAxMTIwNzA2WhcNMTMxMTMwMTIwNzA2WjBuMQswCQYDVQQGEwIg
IDETMBEGA1UECBMKU29tZS1TdGF0ZTEfMB0GA1UEChMWQmx1ZSBDb2F0IFNHMzAw
IFNlcmllczETMBEGA1UECxMKMTkxMTE2MjA4MjEUMBIGA1UEAxMLMTAuOTEuMTku
MzAwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANLGnU8AUlaa4bLQ5Lc/r3AX
EYRVX6BugXuVEKS0eNYk+sIKP7ujUMJj3vvHcExhSIZrK5fIl7VrOiTy15Vp8LKo
oKewkrhis08qkpIbEZjwPvVfdhwQIyTpePfgSbY1j9U75zCidF8EUH+Hqo6h0CX7
9FHXYQSN3jALq3iGvJADAgMBAAGjgdEwgc4wHQYDVR0OBBYEFOBBn8fdRzm4oufc
KvQXoc5IT03CMIGbBgNVHSMEgZMwgZCAFOBBn8fdRzm4oufcKvQXoc5IT03CoXKk
cDBuMQswCQYDVQQGEwIgIDETMBEGA1UECBMKU29tZS1TdGF0ZTEfMB0GA1UEChMW
Qmx1ZSBDb2F0IFNHMzAwIFNlcmllczETMBEGA1UECxMKMTkxMTE2MjA4MjEUMBIG
A1UEAxMLMTAuOTEuMTkuMzCCBB3wSeowDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG
9w0BAQUFAAOBgQB9PM8bCRTJxsHIjkZzZO+kCYqvvbfui7+tVpN/qhuOK74RGpwX
WaIF25vEXh/zRHicF11tk3RclD7kTBHtLq4jzMYiPJ+7X7MKh+CpBxcvcjxoYk7o
ar7f8ivvmPMBGdQqqyzlTT9kVhac3VsguFFdKia5Aoq8dDrGqZQ9RTAcVw==
-----END CERTIFICATE-----
 

 

We now need to import the edge certificate on to the core blue coat. We do this by running this command:

#(config ssl)inline ca-certificate edge-cert eof

-----BEGIN CERTIFICATE-----
MIIDJzCCApCgAwIBAgIEHfBJ6jANBgkqhkiG9w0BAQUFADBuMQswCQYDVQQGEwIg
IDETMBEGA1UECBMKU29tZS1TdGF0ZTEfMB0GA1UEChMWQmx1ZSBDb2F0IFNHMzAw
IFNlcmllczETMBEGA1UECxMKMTkxMTE2MjA4MjEUMBIGA1UEAxMLMTAuOTEuMTku
MzAwHhcNMTExMjAxMTIwNzA2WhcNMTMxMTMwMTIwNzA2WjBuMQswCQYDVQQGEwIg
IDETMBEGA1UECBMKU29tZS1TdGF0ZTEfMB0GA1UEChMWQmx1ZSBDb2F0IFNHMzAw
IFNlcmllczETMBEGA1UECxMKMTkxMTE2MjA4MjEUMBIGA1UEAxMLMTAuOTEuMTku
MzAwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANLGnU8AUlaa4bLQ5Lc/r3AX
EYRVX6BugXuVEKS0eNYk+sIKP7ujUMJj3vvHcExhSIZrK5fIl7VrOiTy15Vp8LKo
oKewkrhis08qkpIbEZjwPvVfdhwQIyTpePfgSbY1j9U75zCidF8EUH+Hqo6h0CX7
9FHXYQSN3jALq3iGvJADAgMBAAGjgdEwgc4wHQYDVR0OBBYEFOBBn8fdRzm4oufc
KvQXoc5IT03CMIGbBgNVHSMEgZMwgZCAFOBBn8fdRzm4oufcKvQXoc5IT03CoXKk
cDBuMQswCQYDVQQGEwIgIDETMBEGA1UECBMKU29tZS1TdGF0ZTEfMB0GA1UEChMW
Qmx1ZSBDb2F0IFNHMzAwIFNlcmllczETMBEGA1UECxMKMTkxMTE2MjA4MjEUMBIG
A1UEAxMLMTAuOTEuMTkuMzCCBB3wSeowDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG
9w0BAQUFAAOBgQB9PM8bCRTJxsHIjkZzZO+kCYqvvbfui7+tVpN/qhuOK74RGpwX
WaIF25vEXh/zRHicF11tk3RclD7kTBHtLq4jzMYiPJ+7X7MKh+CpBxcvcjxoYk7o
ar7f8ivvmPMBGdQqqyzlTT9kVhac3VsguFFdKia5Aoq8dDrGqZQ9RTAcVw==
-----END CERTIFICATE-----


eof

We now need to do import the core certificate on to the edge box:

#(config ssl)inline ca-certificate core-cert eof

-----BEGIN CERTIFICATE-----
MIIDJzCCApCgAwIBAgIEHT46uDANBgkqhkiG9w0BAQUFADBuMQswCQYDVQQGEwIg
IDETMBEGA1UECBMKU29tZS1TdGF0ZTEfMB0GA1UEChMWQmx1ZSBDb2F0IFNHMjEw
IFNlcmllczETMBEGA1UECxMKMjYwNzA2MzM0NTEUMBIGA1UEAxMLMTAuOTEuMTku
MjYwHhcNMTEwNzE5MTAzODQ4WhcNMTMwNzE4MTAzODQ4WjBuMQswCQYDVQQGEwIg
IDETMBEGA1UECBMKU29tZS1TdGF0ZTEfMB0GA1UEChMWQmx1ZSBDb2F0IFNHMjEw
IFNlcmllczETMBEGA1UECxMKMjYwNzA2MzM0NTEUMBIGA1UEAxMLMTAuOTEuMTku
MjYwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANE82NdUtfSxWPqbUz/PNVlY
vDkU2Dla8wGpycgm+PvWU3dLnszlx/g6O+roCs/JCrdwsEybOxysCNlL9CHIMV5G
NMjxyTZj3GoD8T24wHCwSkT7fI/e48pdKsADwhr/6t3aknKMAbSS314lFuUTjTE5
aHgaBYJbONv/GIPPaG3XAgMBAAGjgdEwgc4wHQYDVR0OBBYEFKyoObgri650Aijr
wHxFvwQ4zIpEMIGbBgNVHSMEgZMwgZCAFKyoObgri650AijrwHxFvwQ4zIpEoXKk
cDBuMQswCQYDVQQGEwIgIDETMBEGA1UECBMKU29tZS1TdGF0ZTEfMB0GA1UEChMW
Qmx1ZSBDb2F0IFNHMjEwIFNlcmllczETMBEGA1UECxMKMjYwNzA2MzM0NTEUMBIG
A1UEAxMLMTAuOTEuMTkuMjaCBB0+OrgwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG
9w0BAQUFAAOBgQCig3+E7xJedy/Ep0IMMjToEBp8npoigbhRmhY2dP/pIRL9POI+
nQU5ewR1J2FPF3bBmRYfvHz/BwGUZsjBjCrlIxoriPZx4zzmCQY81SWwSOWqA86V
BXuQH3w/MagAuQ8d1KPqmWeik6MXsHTRWValxxfaW0Ku52woHuiLig6Ifg==
-----END CERTIFICATE-----

eof

 

Now we need to create the ccl on the core and edge. To do this on core you would run the following commands (note edge-cert ssl device profile):


#(config ssl)create ccl demo

#(config ssl)edit ccl demo

#(config ssl ccl demo)add edge-cert

#(config ssl ccl demo)exit

#(config ssl)create device-authentication-profile demo default

#(config ssl)edit device-authentication-profile demo

#(config ssl device-auth demo)ccl demo

#(config ssl device-auth demo)exit

#(config ssl)exit


And on the edge you would run (note core-cert profile):

 

#(config ssl)create ccl demo

#(config ssl)edit ccl demo

#(config ssl ccl demo)add core-cert

#(config ssl ccl demo)exit

#(config ssl)create device-authentication-profile demo default

#(config ssl)edit device-authentication-profile demo

#(config ssl device-auth demo)ccl demo

#(config ssl device-auth demo)exit

#(config ssl)exit


 Now on the core you would run the following commands:

 

#(config)adn

#(config adn)security

#(config adn security)device-auth-profile demo

#(config adn security)secure-outbound all

#(config adn security)exit

#(config adn)manager

#(config adn manager)primary-manager self

#(config adn manager)exit

#(config adn)routing

#(config adn routing)server-subnets

#(config adn routing server-subnets)add <server-IP-Address>

#(config adn routing server-subnets)exit

#(config adn routing)exit

 

#(config adn)enable

On the edge node you would run:


#(config)adn
#(config adn)security
#(config adn security)device-auth-profile demo
#(config adn security)secure-outbound all
#(config adn security)exit
#(config adn)manager
#(config adn manager)primary-manager <manager-IP> <manager-ID>*
#(config adn manager)exit
#(config adn)enable

To find  the manager-id you can run the following command on the core box:

Blue Coat SG210 Series1#(config ssl)edit device-authentication-profile demo
Blue Coat SG210 Series1#(config device-profile demo)view
Name: demo
Usable for: client (authenticated), server
Keyring: default
CCL: demo
Device-id: $(subject.CN)  (*******)
Cipher suite: rc4-md5 rc4-sha des-cbc3-sha des-cbc3-md5 rc2-cbc-md5 des-cbc-sha des-cbc-md5 exp-rc4-md5 exp-rc2-cbc-md5 exp-des-cbc-sha aes128-sha aes256-sha
Protocol: SSLv2v3TLSv1
Verify-peer: enabled


The device id is included in brackets in the line beginning with "Device-id. Remove brackets before using it in the above command.


After this config is done the edge/node SG is going to be connecting to the primary manager and will be put in its pending-peers list to be approved. Issue the following commands for the primary manager to enable the peer to connect to the manager

#(config)adn
#(config adn)manager

#(config adn manager)pending-peers
#(config adn pending-peers)accept all


 

Powered by Wolken Software