Learn how to configure the Intel 7110 SSL Accelerator to improve a secure web server.
Learn how to configure a web cluster with the Intel 7280 Content Switch.
Assignment
Date: 10/30/2002
Due Date: 11/13/2002
Description:
Exercise 1: Create your own server certificate.
cp the test.sh from ~cs526/public_html/lscs/sanluisSrc to your lscs/src directory.
Run test.sh in your lscs directory to generate the server certificate.
Run lscs and capture a screendump of the server certificate presented to the browser as the exercise 1 result.
Exercise 2: Configure the Intel 7110 SSL Accelerator to work with a web server.
In this exercise, we will learn how to configure an Intel 7110 SSL Accelerator in the ENS 143 lab to work with an Apache web server running on a Redhat 8 Linux PC. It is housed in ENS 143, right by the inside door of ENS 149. Below is a picture of the PHAS testbed with the two additional devices set up for your hw4. Yu Cai is my research assistant for this project.
Close-up look of the PHAS testbed.
D-Link Fast Ethernet and KVM switch for controlling the real servers.
HP 4000 switch with Gigabit fiber connection to the UCCS backbone network. The IXP12EB network processor is located just below the switches.
The PHAS demo testbed consists of:
Intel 7280 content switch (machine name: LIAM 128.198.60.170)
  (virtual web server: LIZZIE 128.198.60.171)
  (connected to FRODO: 128.198.60.183 and ECA: 128.198.60.188)
Intel 7110 DEMO
  (connected to VIVA: 128.198.60.192)
The PHAS exercise testbed consists of:
Intel 7280 content switch (machine name: FLADNAG 128.198.60.184)
  (virtual web server: ODORF 128.198.60.196)
  (connected to FRODO: 128.198.60.183 and ECA: 128.198.60.188)
Intel 7110 TEST
  (connected to RACE: 128.198.60.178)
We will use the exercise testbed for our hw4. Those Intel devices have a "test" label on the front panel.
Use an Ethernet cable to connect the "network" port of the Intel 7110 to the switch, and another Ethernet cable to connect the "server" port to the real web server, race.uccs.edu (128.198.60.178). This step is already configured for you, but you can make sure it is properly connected.
In this case, the client will access the real server race and won't know anything about the 7110. We do not have to assign a separate IP address to the Intel 7110: it assumes the IP address of the real server using the ARP protocol, so the switch/router routes the request to the Intel 7110.
This is the main difference between the 7110 and the 7280. For the 7280 we need to assign at least two IP addresses: one for the machine itself, and the others for the VIPs.
To configure the Intel 7110, connect the serial cable to the left-hand serial port labeled "Console" on the "Intel 7110 TEST" machine. On the other end, connect it to a PC. We will use dilbert.uccs.edu, an NT machine right next to the PHAS testbed, and the HyperTerminal program on dilbert to configure the Intel 7110.
HyperTerminal in Windows is typically available by selecting "Programs | Accessories | Communications | HyperTerminal".
Type an appropriate name like "Intel 7110" in the Name field of the Connection Description window, and then click the OK button. The Phone Number panel appears.
In the "Connect Using" field specify "Direct to COM1", or the serial port through which the PC is connected to the 7110 if different from COM1. Click the OK button. The COM1 Properties panel appears.
Set the values to 9600, 8, none, 1, and none. Click the OK button.
Boot the 7110, and the password prompt appears; use admin as the default password:
Password: admin (password is not echoed at prompt)
Current date: 2000 08/28 05:01
Intel 7115>
You should be able to access https://race.uccs.edu, and if you click the certificate icon at the bottom right of the browser, you will see that the SSL key has been replaced by the 7110 with something different from the original SSL key on viva; this means the 7110 has taken over the SSL processing job.
If you want to create your own SSL key, here is the procedure:
Create a key as follows:
Intel 7115> create key
Enter the key strength [512,1024]: 512
New keyID [001]: 001
Keypair was created for keyID: 001
Enter the create cert command with the keyID:
Intel 7115> create cert 001
You are about to be asked to enter information
Enter the information for the certificate, as prompted:
Country
State
Locality
Organization
Organization unit
Common name (for example, www.uccs.edu)
E-mail address.
Create a server mapping. Use the create map command to specify the server IP address, ports, and keyID.
Intel 7115> create map
Server IP (0.0.0.0): 128.198.60.192
SSL (network) port [443]: <Enter>
Cleartext (server) port [80]: <Enter>
KeyID to use for mapping: 001
Intel 7115> list maps
Map          Server IP       Net  Ser  Cipher      Re-    Client
ID   KeyID                   Port Port Suites      direct Auth
==   =====   ==============  ==== ==== ==========  ====== ======
1    001     128.198.60.188  443  80   med(v2+v3)  n      n
Intel 7115>
Save the configuration when the server has been mapped.
Intel 7115>config save
Saving configuration to flash...
Configuration saved to flash
Intel 7115>
Exercise 3: Intel 7280 XML Director Configuration
We will use the "Intel 7280 Test" device in our XML Director exercise.
Connect the dilbert serial cable to the "Intel 7280" device. Use the IP addresses assigned to the content switch and the real servers (eca and frodo, the same as in the Intel 7280 demo cluster).
The real servers can be set up transparently, unaware of the existence of the content switch. No special configuration is needed, compared with an LVS cluster.
Follow the instructions in http://cs.uccs.edu/~chow/pub/master/ycai/doc/csdemo.html
Even though there is a text-based interface for specifying the content switch rules directly on the console, we have found it easier to set up the cluster and its content switching rules using the web interface.
One drawback of the web interface is that it uses the old Java 1.1 plug-in. We have reinstalled the Java plug-in on a Win2000 machine called gallop, located on the opposite side of dilbert. Log in to gallop and type in http://liam:1095/ to configure the cluster.
Instead of the //item[subToal<=50000] rule, use //purchase[totalAmount<50000] in the 128.198.60.183 (frodo) setup.
Instead of the //item[subToal>50000] rule, use //purchase[totalAmount>=50000] in the 128.198.60.188 (eca) setup.
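As an added illustration (not part of the assignment and not the 7280's own software), the following Python script applies the two Exercise 3 rules to constructed XML purchase bodies the way the XML Director is meant to route them: a totalAmount below 50000 goes to frodo, 50000 or more goes to eca. The rule parser handles only the //elem[child OP number] subset these rules use (the 7280 evaluates full XPath), the sample documents are constructed, and returning None for a body no rule matches is an assumption of this script, not documented 7280 behaviour.

```python
import re
import xml.etree.ElementTree as ET

# Rules from Exercise 3 with the real-server addresses the page gives
# (frodo and eca). What happens to an unmatched body is an assumption here.
RULES = [
    ("//purchase[totalAmount<50000]", "128.198.60.183"),   # frodo
    ("//purchase[totalAmount>=50000]", "128.198.60.188"),  # eca
]
# Only the '//elem[child OP number]' subset of XPath used by the rules above.
RULE_RE = re.compile(r"^//(\w+)\[(\w+)(<=|>=|<|>|=)(\d+(?:\.\d+)?)\]$")
OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
       "=": lambda a, b: a == b}

def parse_rule(rule):
    """Split an '//elem[child OP number]' rule into (elem, child, op, value)."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax: " + rule)
    elem, child, op, value = m.groups()
    return elem, child, op, float(value)

def rule_matches(rule, root):
    """True if any <elem> in the document has a numeric <child> satisfying the predicate."""
    elem, child, op, value = parse_rule(rule)
    for node in root.iter(elem):
        text = node.findtext(child)
        if text is None:
            continue
        try:
            if OPS[op](float(text), value):
                return True
        except ValueError:
            pass  # a non-numeric amount never satisfies a numeric comparison
    return False

def route(xml_body, rules=RULES):
    """Return the real-server IP for an XML request body; first matching rule wins, None if none match."""
    root = ET.fromstring(xml_body)
    for rule, server in rules:
        if rule_matches(rule, root):
            return server
    return None

# Constructed sample request bodies, not captured from the testbed.
SMALL_ORDER = "<order><purchase><totalAmount>1250.00</totalAmount></purchase></order>"
LARGE_ORDER = "<order><purchase><totalAmount>75000</totalAmount></purchase></order>"
BOUNDARY_ORDER = "<order><purchase><totalAmount>50000</totalAmount></purchase></order>"
```

The boundary body shows why the two rules must be complementary (< and >=): a purchase of exactly 50000 is routed to eca, whereas the original <= and > pair would have sent it to frodo.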