Homework #4. Configure Intel 7110 SSL Accelerator and 7280 Content Switch

Goal:

• Learn how to create server certificates.
• Learn how to configure Intel 7110 SSL Accelerator to improve a secure web server
• Learn how to configure a web cluster with Intel 7280 Content Switch.

Assignment Date: 10/30/2002
Due Day: 11/13/2002
Description:

• In this exercise, we will learn how to configure an Intel 7110 SSL Accelerator in ENS 143 lab to work with a Apache web server runs on Redhat 8 Linux PC.
• As indicated in http://cs.uccs.edu/~chow/pub/master/ycai/doc/csdemo.html, we have set up a PHAS (Parallel Hardware Accelerator System) demo testbed for the Intel 7280 and 7110 devices.
• It is housed in ENS 143, right by the inside door of ENS149. Below is the picture of the PHAS with two additional devices set up for your hw4. Yu Cai is my research assistant for this project.
  
• Close up look of the Phas testbed
  
• Dlink Fast Ethernet and KVM switch for control Real servers.

• 
• HP4000 Switch with Gigabit fiber connection to the UCCS backbone network. The Network IXP12EB Network Processor is located just below the switches.

 

• The Phas demo testbed consists of
  • Intel 7280 content switch (machine name: LIAM 128.198.60.170)
    (VIRTUAL WEB SERVER: LIZZIE 128.198.60.171)
    (CONNECT TO FRODO: 128.198.60.183 AND ECA: 128.198.60.188)
  • INTEL 7110 DEMO
    (CONNECT TO VIVA: 128.198.60.192)
    
• The Phas exercise testbed consistf of
  • INTEL 7280 content switch (MACHINE NAME: FLADNAG 128.198.60.184)
    (VIRTUAL WEB SERVER: ODORF 128.198.60.196)
    (CONNECT TO FRODO: 128.198.60.183 AND ECA: 128.198.60.188)
  • INTEL 7110 TEST
    (CONNECT TO RACE: 128.198.60.178)
    
• We will use the exercise testbed for our hw4. Those Intel devices has "test" label in the front panel.
• Use Ethernet cable to connect "network" port of Intel 7110 to switch, use another Ethernet cable to connect "server" to the real web server, race.uccs.edu (128.198.60.178). This step is already configured for you. But you can make sure it is properly connected.
  In the case, the client will access real server race, and won't know anything about 7110. We do not have to assign separate IP address for Intel 7110. It assume the IP address of the real server using ARP protocol. Therefore the switch/router routes the request to Intel 7110.
• This is the main difference between 7110 and 7280. For 7280 we need to assigned at least two IP addresses. One for the machine itself. Others for the VIPs.
• To configure Intel 7110, connect the serial cable to the the left-hand serial port labeled "Console" on the "Intel 7110 TEST" machine.
• On the other end, connect it to a PC. We will use dibert.uccs.edu, an NT machine right next the Phas testbed. We will use the hyperterminal on the dilbert to configure Intel 7110.
• HyperTerminal software in windows is typically available by selecting "programs | accessories | communication | HyperTerminal".
• Type an appropriate name like "Intel 7110", in the Name field of the Connection Description window, and then click the OK button. The Phone Number panel appears.
• In the "Connect Using…" field specify "Direct to COM1", or the serial port through which the PC is connected to the 7110 if different from COM1.
• Click the OK button. The COM1 Properties panel appears.
• Set the values to 9600, 8, none, 1, and none.
• Click the OK button.
• Boot 7110, and the password prompt appears, use admin as default password:
  Password: admin (password is not echoed at prompt)
  Current date: 2000 08/28 05:01
  Intel 7115>
• You should be able to access https://race.uccs.edu, and if you click the certification icon on the right bottom of the browser, you will see that the SSL key is replaced by 7110 to be something different than original SSL key on viva, this means 7110 take the SSL processing job.
• If you want to create your own SSL key, here is the Procedure:
• Create a key as follows:
  Intel 7115> create key
  Enter the key strength [512,1024]: 512
  New keyID [001]: 001
  Keypair was created for keyID: 001
• Enter the create cert command with the keyID
  Intel 7115> create cert 001
  You are about to be asked to enter information…
  Enter the information for the certificate, as prompted:
  • Country
  • State
  • Locality
  • Organization
  • Organization unit
  • Common name (for example, www.uccs.edu)
  • E-mail address.
• Create a server mapping. Use the create map command to
  specify the server IP address, ports, and keyID.
  Intel 7115> create map
  Server IP (0.0.0.0): 128.198.60.192
  SSL (network) port [443]: <Enter>
  Cleartext (server) port [80]: <Enter>
  KeyID to use for mapping: 001
• Intel 7115>list maps
  Map Net Ser Cipher Re- Client
  ID KeyID Server IP Port Port Suites direct Auth
  == ===== ========= ==== ==== ====== ===== ====
  1 001 128.198.60.188 443 80 med(v2+v3) n n
  Intel 7115>
• Save the configuration when the server has been mapped.
  Intel 7115>config save
  Saving configuration to flash...
  Configuration saved to flash
  Intel 7115>

Exercise 3: Intel 7280 XML Director Configuration

• We will use the "Intel 7280 Test" device in our XML Director exercise.
• Connect the dilbert serial cable to "Intel 7280" device. Use the IP addresses assigned for the content switch and the real servers (eca and frodo, same as the Intel 7280 demo cluster).
• The real server can be set up transparent to the existing of the content switch. No special configuration is needed, compared with LVS cluster.
• Follow the instruction in http://cs.uccs.edu/~chow/pub/master/ycai/doc/csdemo.html
• Even though there is a text based interface for specifying the content switch rules directly on the console. We have found it is easier to set up the cluster and its content switching rule using the web interface.
• One drawback of the web interface is that it uses old Java 1.1 plug in. We have reinstalled the java plug-in on a win2000 machine called gallop, located just opposite side of the dilbert.
• Login to gallop and type in http://liam:1095/ to configure the cluster.
• Instead of the //item[subToal<=50000] rule, replace it with //purchase[totalAmount<50000]. on 128.198.60.183 ( frodo) setup.
• Instead of the //item[subToal>50000] rule, replace it with //purchase[totalAmount>=50000]. on 128.198.60.188 (eca) setup.