apps inline-ssl

Use the apps inline-ssl command to configure inline Secure Sockets Layer (SSL) parameters for SSL Decryption for inline tools. For more information, refer to the “Work With Inline SSL Decryption” section in the GigaVUE Fabric Management Guide.

The apps inline-ssl command has the following syntax:

apps inline-ssl
   caching persistence <disable | enable>
   keychain password <password> <confirm password> | <password> | [reset] <password> <confirm password>
   version <above | below>
      min-version <sslv3 | tls1 | tls11 | tls12 | tls13> max-version <sslv3 | tls1 | tls11 | tls12 | tls13>
      below min-version <no-decrypt | drop>
      above max-version <no-decrypt | drop>
   profile alias <alias>
      inbound tool-early-inspect <enable | disable>
      inbound tool-early-inspect connection timeout <1-10 sec>
      split-proxy [enable | disable]
      split-proxy server non-pfs-ciphers [enable | disable]
      tool early-engage [enable | disable]
      one-arm [enable | disable]
      monitor <disable | enable | inline>
      certificate
         expired <decrypt | drop>
         invalid <decrypt | drop>
         revocation crl <disable | enable [fail <hard | soft>] [defer timeout <20-100>]>
         revocation ocsp <disable | enable [fail <hard | soft>] [defer timeout <20-100>]>
         self-signed <decrypt | drop>
         unknown-ca <decrypt | drop>
      clear <decryptlist | nodecryptlist>
      decrypt
         tcp
            inactive-timeout <2-1440 mins>
            timewait-timeout <0-300 sec>
            portmap
               add in-port <value> out-port <value>
               default-out-port <<value> | disable>
               delete <all | rule-id <rule ID>>
               override-port <<value> | disable>
         tool-bypass <disable | enable>
      default-action <decrypt | no-decrypt>
      fetch <decryptlist <URL for profile decrypt list file> | nodecryptlist <URL for profile no-decrypt list file>>
      fetch replace <decryptlist <URL for profile decrypt list file> | nodecryptlist <URL for profile no-decrypt list file>>
      ha active-standby <disable | enable>
      keymap
         add server <server domain name or IP address or IPv6 address> key <key alias>
         delete <all | rule-id <rule ID>>
      network-group multiple-entry <disable | enable>
      no-decrypt tool-bypass <disable | enable>
      non-ssl-tcp tool-bypass <disable | enable>
      rule add
         category <category name> <decrypt | no-decrypt>
         domain <domain name string> <decrypt | no-decrypt>
         ipv4 <dst | src> <IP address> <mask> <decrypt | no-decrypt>
         ipv6 <dst | src> <IPv6 address> <mask> <decrypt | no-decrypt>
         issuer <issuer name string> <decrypt | no-decrypt>
         l4port <dst | src> <any | port <value or range>> <decrypt | no-decrypt>
         vlan <any | id <value or range>> <decrypt | no-decrypt>
      rule delete <all | rule-id <rule ID>>
      starttls
         add l4port <port number>
         delete <all | l4port <port number>>
      url-cache miss action <decrypt | defer [timeout <1-10>] | no-decrypt>
   resumption client <disable | enable>
   session debug <disable | enable>
   signing rsa for <primary | secondary> key <key alias>
   trust-store
      fetch <append | replace> <URL for trust store file>
      reset

The following table describes the arguments for the apps inline-ssl command:

Argument

Description

caching persistence <disable | enable>

Enables or disables caching persistence as follows:

disable—Disables caching persistence.
enable—Enables caching persistence.

The default is enable. Disable is recommended only for troubleshooting purposes.

For example:

(config) # apps inline-ssl caching persistence disable

keychain password <password> <confirm password>

Creates an SSL keychain password as follows:

(config) # apps inline-ssl keychain password

Creating a new password for ssl keychain:

Password: *********

Confirm: *********

The password is used to encrypt all cryptographic materials such as certificates and private keys uploaded to the node. Passwords are not saved on the node.

Passwords must be at least 8 characters (up to 64 characters) and must include at least one of each of the following:

uppercase letters
lowercase letters
numbers
special characters

Note:  The keychain password must be configured before installing certificates and keys. If the key has a passphrase, in order to install it, the keychain password and the passphrase must match.

keychain password <password>

Prompts for the SSL keychain password. When keys are installed on the node, you will be prompted to verify the password after any node reboot when you enter configure terminal mode, for example:

# configure terminal

(config) # apps inline-ssl keychain password required

Enter ssl keychain password:

Password: *********

keychain password [reset] <password> <confirm password>

Resets an SSL keychain password. When keys are installed on the node, a warning is displayed.

Note:  Resetting the password revokes all existing private keys.

For example:

(config) # apps inline-ssl keychain password reset

WARNING: Password is already set. Reset password will revoke all existing private keys.

Password: *********

Confirm: *********

version < above | below >

Configures the maximum SSL version and minimum SSL version parameters as follows:

above—Configure action for Inline-SSL max-version parameter.
below—Configure action for Inline-SSL min-version parameter.

min-version <sslv3 | tls1 | tls11 | tls12 | tls13> max-version <sslv3 | tls1 | tls11 | tls12 | tls13>

Specifies the SSL minimum version and maximum version as follows:

sslv3—Specifies SSL 3.0.
tls1—Specifies TLS 1.0.
tls11—Specifies TLS 1.1.
tls12—Specifies TLS 1.2.
tls13—Specifies TLS 1.3.

The default minimum version is sslv3. The default maximum version is tls12. Ensure the minimum version is less than the maximum version.

For example:

(config) # apps inline-ssl min-version tls11 max-version tls12

below min-version

Specifies the action for connections that negotiate a TLS version below the configured minimum version, as follows:

no-decrypt - Bypasses (does not decrypt) connections below the TLS minimum version.
drop - Drops connections below the TLS minimum version.

The default minimum version is tls1.

above max-version

Specifies the action for connections that negotiate a TLS version above the configured maximum version, as follows:

no-decrypt - Bypasses (does not decrypt) connections above the TLS maximum version.
drop - Drops connections above the TLS maximum version.

The default maximum version is tls13.

profile alias <alias> eval-cn <disable | enable>

Specifies an alias to create a policy profile for SSL Decryption for inline tools to specify policy configuration.

For example:

(config) # apps inline-ssl profile alias sslprofile

(config apps inline-ssl profile alias sslprofile) #

profile alias <alias> split-proxy [enable | disable]

When you enable the split proxy settings for an inline SSL profile, it divides the TLS connection between the server and client into two independent connections and keeps the security parameters separate.

For example:

(config) # apps inline-ssl profile alias sslprofile split-proxy enable

profile alias <alias> split-proxy server non-pfs-ciphers [enable | disable]

When you enable the non-PFS ciphers setting for an inline SSL profile that has the split proxy setting enabled, it forces the server-side connection to use protocol versions lower than TLS 1.3 with non-PFS ciphers. This means that ciphers with DHE/ECDHE key exchange are disabled and the server will use only ciphers with RSA key exchange.

For example:

(config) # apps inline-ssl profile alias sslprofile split-proxy server non-pfs-ciphers enable

profile alias <alias> tool early-engage [enable | disable]

Allows the inline tools to change the MAC address or VLAN IDs. When a connection request is received from the client, GigaSMART establishes the connection with the inline tool first, before connecting with the server. This helps the inline tools to modify the MAC address or VLAN IDs when sending the traffic back to the server.

For additional information and limitations, refer to the "Tool Early Engage and One-Arm Mode" section in the GigaVUE-FM User's Guide.

For example:

(config) # apps inline-ssl profile alias sslprofile tool early-engage enable

profile alias <alias> tool early-inspect <enable | disable>

Allows the inline tool to view the decrypted data first before connecting to the server. This helps the inline tool to validate the data and ensure that only valid connections are sent to the server.

Note:  You can enable Tool Early Inspect only when inbound deployment is supported.

For additional information and limitations, refer to the "Tool Early Inspect" section in the GigaVUE-FM User's Guide.

For example:

(config) # apps inline-ssl profile alias ssl_profile inbound tool-early-inspect enable

(config) # apps inline-ssl profile alias ssl_profile inbound tool-early-inspect connection-timeout 10

Note:  The connection timeout is the time within which the tool must respond; if no response is received within the configured interval, the connection is reset.

profile alias <alias> one-arm [enable | disable]

Allows both the client and server traffic to travel through the same physical link or logical aggregate port channel.

Note:  You can enable the one-arm mode only if you have enabled the tool early-engage option.

For additional information and limitations, refer to the "Tool Early Engage and One-Arm Mode" section in the GigaVUE-FM User's Guide.

For example:

(config) # apps inline-ssl profile alias sslprofile one-arm enable

monitor <disable | enable | inline>

Configures the apps inline-ssl monitoring and SSL decryption/encryption as follows:

disable—Disables the monitor mode, and enables SSL decryption/encryption.
enable—Enables the monitor mode, and disables SSL decryption/encryption.
inline—Enables both the monitor mode, and the SSL decryption/encryption.

For example:

(config)# apps inline-ssl profile alias sslprofile monitor disable

(config)# apps inline-ssl profile alias sslprofile monitor enable

(config)# apps inline-ssl profile alias sslprofile monitor inline

Note:  Monitor mode is not supported with clustering.

profile alias <alias> certificate
   expired <decrypt | drop>
   invalid <decrypt | drop>
   revocation crl <disable | enable [fail <hard | soft>] [defer timeout <20-100>]>
   revocation ocsp <disable | enable [fail <hard | soft>] [defer timeout <20-100>]>
   self-signed <decrypt | drop>
   unknown-ca <decrypt | drop>

Configures the handling of expired, invalid, self-signed, and unknown CA certificates as well as enabling or disabling certificate revocation for the profile as follows:

expired—Specifies decrypt or drop for expired certificates. The default is drop.
■   decrypt—Accepts the certificate and continues to decryption.
■   drop—Rejects the certificate and drops the connection.
invalid—Specifies decrypt or drop for invalid certificates. The default is drop.
self-signed—Specifies whether or not to accept self-signed certificates. The default is drop. When set to decrypt, a new self-signed certificate is generated that matches the identity of the original certificate, but with a different key pair.
unknown-ca—Specifies decrypt or drop for unknown certificate authorities (CA). The default is drop.
revocation—Enables or disables certificate revocation check as follows:
■   crl—Uses a Certificate Revocation List (CRL) to obtain a list of certificates that have been revoked.
■   ocsp—Uses an Online Certificate Status Protocol to obtain certificate revocation status.
■   fail—Specifies the action to take when the GigaVUE node is unable to perform revocation check or does not already know the revocation status. The options are soft fail and hard fail. With soft fail, the decryption continues, whereas with hard fail, traffic will not be decrypted unless the revocation status is determined for certain.
■   defer timeout—Specifies a deferred action in the profile for the certificate. If the action is defer, specify an optional timeout value from 1 to 10 seconds. The default is 1 second. GigaSMART will defer the connection until the specified timeout.

The revocation check is disabled by default. The connection is permitted, at least until the revocation check returns the status.

Examples:

(config apps inline-ssl profile alias sslprofile) # certificate expired decrypt

(config apps inline-ssl profile alias sslprofile) # certificate invalid drop

(config apps inline-ssl profile alias sslprofile) # certificate revocation crl disable

(config apps inline-ssl profile alias sslprofile) # certificate revocation ocsp enable fail soft

profile alias <alias> clear <decryptlist | nodecryptlist>

Clears the no-decrypt list or the decrypt list for the profile as follows:

decryptlist—Clears the decrypt list.
nodecryptlist—Clears the no-decrypt list.

For example:

(config apps inline-ssl profile alias sslprofile) # clear nodecryptlist

profile alias <alias> decrypt
   tcp
      inactive-timeout <2-1440 mins>
      timewait-timeout <0-300 sec>
      portmap
         add in-port <value> out-port <value>
         default-out-port <<value> | disable>
         delete <all | rule-id <rule ID>>
         override-port <<value> | disable>
   tool-bypass <disable | enable>

Specifies additional configuration options for the decrypt action for the profile. This is the action to take if the match action is to decrypt as follows:

tcp—Specifies the TCP destination for decrypted traffic sent to inline tools. The TCP parameters are as follows:
o inactive-timeout—Specifies an inactivity timeout from 2 to 1440 minutes. The default is 5 minutes. Proxied connections are terminated when there is no activity for the specified time.
o timewait-timeout—Specifies the TCP TIMEWAIT timeout value, from 0 to 300 seconds.
o portmap—Specifies the TCP port to use to send to inline tools for a particular destination TCP port from a client as follows:
■   add—Adds a port map by specifying an in-port number from 1 to 65535 and an out-port number from 1 to 65535. The in-port is the TCP destination port from the client. The out-port is the port to use to send traffic to the inline tools. There is a maximum of 20 mapping port pairs (in-port and out-port).
■   default-out-port—Specifies the default out port number from 1 to 65535. This is the TCP port used if the incoming port does not match a configured portmap and if an override port is not configured.
■   default-out-port disable—Disables the default out port configuration.
■   delete—Deletes a specific portmap by its rule ID, or deletes all portmaps.
■   override-port <value>—Specifies the override port number from 1 to 65535. All decrypted traffic to inline tools will use this port as the TCP destination port.
■   override-port disable—Disables the override port configuration.
tool-bypass—Specifies whether to bypass the inline tools or not as follows:
■   disable—Specifies not to bypass the inline tools.
■   enable—Specifies to bypass the inline tools.

The default is disable, which means that all decrypted SSL traffic is sent to the tools.

Examples:

(config apps inline-ssl profile alias sslprofile) # decrypt tool-bypass enable

(config apps inline-ssl profile alias sslprofile) # decrypt tcp inactive-timeout 10

(config apps inline-ssl profile alias sslprofile) # decrypt tcp portmap override-port disable

(config) # apps inline-ssl profile alias sslprofile decrypt tcp portmap default-out-port 12

Refer to “Inline SSL Decryption Port Map” section in the GigaVUE Fabric Management Guide for details.
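To check a portmap change before applying it, the following added example (not Gigamon code) models the precedence described above: override-port first, then a matching in-port/out-port pair, then default-out-port. Falling back to the client's original destination port when none of these is configured, and rejecting a second mapping for the same in-port, are assumptions; the reference does not state either.

```python
"""Port map resolution for the decrypt action of an inline SSL profile.

Added example, not Gigamon code. Precedence follows the reference:
override-port, then a matching in-port/out-port pair, then default-out-port.
The final fallback to the original destination port is an assumption.
"""

MAX_PAIRS = 20  # reference: at most 20 in-port/out-port pairs


def _check_port(port):
    """Ports on the page are given as 1 to 65535."""
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError(f"port out of range 1-65535: {port!r}")
    return port


class PortMap:
    def __init__(self):
        self._pairs = {}               # rule_id -> (in_port, out_port)
        self._next_id = 1
        self.default_out_port = None   # None models "default-out-port disable"
        self.override_port = None      # None models "override-port disable"

    def add(self, in_port, out_port):
        """portmap add in-port <in> out-port <out>; returns the rule ID."""
        _check_port(in_port)
        _check_port(out_port)
        if len(self._pairs) >= MAX_PAIRS:
            raise ValueError(f"portmap already holds {MAX_PAIRS} pairs")
        if any(p[0] == in_port for p in self._pairs.values()):
            # assumption: one out-port per in-port, so a duplicate is rejected
            raise ValueError(f"in-port {in_port} already mapped")
        rid = self._next_id
        self._pairs[rid] = (in_port, out_port)
        self._next_id += 1
        return rid

    def delete(self, rule_id=None):
        """portmap delete all (rule_id=None) or portmap delete rule-id <id>."""
        if rule_id is None:
            self._pairs.clear()
        else:
            del self._pairs[rule_id]

    def set_default_out_port(self, port):
        """default-out-port <value>, or None for default-out-port disable."""
        self.default_out_port = None if port is None else _check_port(port)

    def set_override_port(self, port):
        """override-port <value>, or None for override-port disable."""
        self.override_port = None if port is None else _check_port(port)

    def resolve(self, client_dst_port):
        """TCP destination port used toward the inline tools for one connection."""
        if self.override_port is not None:      # all decrypted traffic uses it
            return self.override_port
        for in_port, out_port in self._pairs.values():
            if in_port == client_dst_port:      # a configured mapping matches
                return out_port
        if self.default_out_port is not None:   # no mapping, no override
            return self.default_out_port
        return client_dst_port                  # assumption, see module docstring
```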

profile alias <alias> default-action <decrypt | no-decrypt>

Specifies the default action for the profile. This is the action to take if none of the rules in the profile match. The actions are as follows:

decrypt—Specifies a decrypt action in the profile for default action.
no-decrypt—Specifies a no decrypt action in the profile for default action.

The default is no-decrypt (selective forwarding - forward, formerly whitelist).

Use the default action to create policies such as decrypt all but privacy-related categories or no-decrypt all but security-related categories.

Examples:

(config apps inline-ssl profile alias sslprofile) # default-action decrypt

(config apps inline-ssl profile alias sslprofile) # default-action no-decrypt

profile alias <alias> fetch <decryptlist <URL for profile decryptlist file> | nodecryptlist <URL for profile nodecryptlist file>>

Fetches the no-decrypt list or the decrypt list text file for the profile from the specified URL as follows:

decryptlist <URL>—Specifies the URL of the decrypt list text file.
nodecryptlist <URL>—Specifies the URL of the no-decrypt list text file.

No-decrypt list entries are implicitly set to no-decrypt, which means that as a policy, no-decrypt listed domains and hostnames will always be bypassed for decryption.

As a policy, hostnames or domains matching the decrypt list entries will always be decrypted.

No-decrypt list and decrypt list text files must adhere to the following:

In a text (.txt) file, add each domain/FQDN hostname.
Use only the carriage return (newline) to separate entries in a file. Do not use any characters, such as commas or colons, to separate entries in a file.
Each file can contain a maximum of 10,000 entries. Entries beyond 10,000 will be ignored.

The supported formats for fetch are: SCP, SFTP, FTP, HTTP.

For example:

(config apps inline-ssl profile alias sslprofile) # fetch nodecryptlist http://1.1.1.1/temp/whitelist.txt

profile alias <alias> fetch replace <decryptlist <URL for profile decryptlist file> | nodecryptlist <URL for profile nodecryptlist file>>

Fetches and replaces the no-decrypt list or the decrypt list text file for the profile from the specified URL as follows:

decryptlist <URL>—Specifies the URL of the decrypt list text file.
nodecryptlist <URL>—Specifies the URL of the no-decrypt list text file.

profile alias <alias> ha active-standby <disable | enable>

Enables GigaSMART inline network high availability (HA) active standby support. When there is an inline SSL network group topology with two network port pairs (Na1, Nb1 and Na2, Nb2), incoming traffic from one network (for example, Na1) may change to another network (for example, Na2) due to upstream devices, such as firewalls performing high availability active standby failover. The options are as follows:

disable—Disables HA active standby support.
enable—Enables HA active standby support. When enabled, GigaSMART will forward traffic to the correct inline network if an upstream device fails over.

The default is disable.

For example:

(config apps inline-ssl profile alias sslprofile) # ha active-standby enable

profile alias <alias> keymap add server <server domain name or IP address or IPv6 address> key <key alias>

Creates an SSL server key map, which creates a key map entry. A server key map is for an inbound deployment of SSL Decryption for inline tools, in which the customer has the server keys.

A server key map binds keys from the keystore as follows:

server—Specifies the domain name of the server or the IP address of the server or the IPv6 address of the server.

Note:  IPV6 traffic decryption is supported only for GEN 3 cards. Refer to the GigaVUE-HC1 Hardware Installation Guide and GigaVUE-HC3 Hardware Installation Guide for the list of GEN 3 card numbers.

key—Specifies the alias of the key in the keystore. The key alias is a key pair generated by the apps keystore command. To bind with the key map, a private key and a certificate are required.

The maximum number of key mappings is 1000.

Examples:

(config apps inline-ssl profile alias sslprofile) # keymap add server server_1 key server_1_key

(config apps inline-ssl profile alias sslprofile) # keymap add server server_2 key server_2_key

(config apps inline-ssl profile alias sslprofile) # keymap add server server_3 key server_3_key

(config apps inline-ssl profile alias sslprofile) # keymap add server server_4 key server_4_key

Note:  Use the apps keystore command to add server keys to the key store. Refer to apps keystore.

profile alias <alias> keymap delete <all | rule-id <rule ID>>

Deletes an SSL server key map entry, either all key maps or a specific key map by its ID.

Examples:

(config apps inline-ssl profile alias sslprofile) # keymap delete all

(config apps inline-ssl profile alias sslprofile) # keymap delete rule-id 12

profile alias <alias> network-group multiple-entry <disable | enable>

Enables or disables inline network group multiple entry for the profile. The default is disabled.

An inline network group topology can have multiple network port pairs (for example, Na1, Nb1 and Na2, Nb2). With multiple network port pairs, traffic from a network interface might traverse GigaSMART multiple times. Intercepted traffic from GigaSMART might reenter GigaSMART through a different network interface within the same network group.

Starting in software version 5.3, the same traffic sent from GigaSMART can reenter GigaSMART.

GigaSMART remembers the incoming inline network interface (for example, Na1) for each connection. When traffic from the same connection reaches GigaSMART on a different inline network interface (for example, Na2) within the same network group, GigaSMART forwards the traffic to the corresponding opposite network interface (for example, Nb2) without further processing. This allows traffic from the same connection to reenter GigaSMART.

However, the same traffic sent by GigaSMART reentering through the same network port pair (for example, Nb2, Na2) is not supported.

For example:

(config apps inline-ssl profile alias sslprofile) # network-group multiple-entry enable

profile alias <alias> no-decrypt tool-bypass <disable | enable>

Specifies additional configuration options for the no-decrypt action for the profile. This is the action to take if the match action is to bypass decryption as follows:

tool-bypass—Specifies whether to bypass the inline tools or not as follows:
■   disable—Specifies to send traffic to the inline tools (not to bypass it).
■   enable—Specifies to bypass the inline tools. For example, traffic that is not decrypted does not need to go to the inline tools.

The default is disable, which means that all non-decrypted SSL traffic is sent to the tools.

For example:

(config apps inline-ssl profile alias sslprofile) # no-decrypt tool-bypass enable

profile alias <alias> non-ssl-tcp tool-bypass <disable | enable>

Specifies a non-SSL TCP action as follows:

tool-bypass—Specifies whether to bypass the inline tools or not as follows:
■   disable—Non-SSL TCP traffic is sent to the inline tools (no bypass).
■   enable—Non-SSL TCP traffic bypasses the inline tools and is sent directly to the network port.

The default is disable, which means that all non-SSL traffic is sent to the tools.

For example:

(config apps inline-ssl profile alias sslprofile) # non-ssl-tcp tool-bypass enable

profile alias <alias> rule add
   category <category name> <decrypt | no-decrypt>
   domain <domain name string> <decrypt | no-decrypt>
   ipv4 <src | dst> <IP address> <mask> <decrypt | no-decrypt>
   ipv6 <dst | src> <IPv6 address> <mask> <decrypt | no-decrypt>
   issuer <issuer name string> <decrypt | no-decrypt>
   l4port <src | dst> <any | port <value or range>> <decrypt | no-decrypt>
   vlan <any | id <value or range>> <decrypt | no-decrypt>

Configures rules for the profile based on attributes to match. Select decrypt or no decrypt.

The maximum number of rules that can be added is 128, regardless of type. The rule types are as follows:

o category—Specifies a rule based on the URL category of the destination hostname in the Server Name Indication (SNI) extension. There are dozens of category names from which to choose. For example, you can create a no decrypt policy for privacy-related categories, such as health care, financial, education, and government. The categories are resolved by a third party database, Webroot.
o domain—Specifies a rule based on the destination hostname or domain name from the SNI.
o ipv4—Specifies a rule based on IPv4 address and netmask for either source or destination.
o ipv6—Specifies a rule based on IPv6 address and netmask for either source or destination.

Note:  IPV6 traffic decryption is supported only for GEN 3 cards. Refer to the GigaVUE-HC1 Hardware Installation Guide and GigaVUE-HC3 Hardware Installation Guide for the list of GEN 3 card numbers.

o issuer—Specifies a rule based on issuer of the server X.509 certificate. For example, an issuer name has the following format: /C=US/ST=ca/L=santa clara/O=gigamon/OU=eng/CN=RootCA/emailAddress=john.doe@gigamon
o l4port—Specifies a rule based on any Layer 4 (L4) port for either source or destination, for a specific L4 port number or range from 0 to 65535.
o vlan—Specifies a rule based on any VLAN ID or a specific VLAN ID or range from 0 to 4095.

Examples:

(config apps inline-ssl profile alias sslprofile) # rule add domain domain1.com no-decrypt

(config apps inline-ssl profile alias sslprofile) # rule add category search_engines decrypt

(config apps inline-ssl profile alias sslprofile) # rule add ipv4 src 1.1.1.1 mask 255.255.0.0 no-decrypt

(config apps inline-ssl profile alias sslprofile) # rule add l4port src port 443 decrypt

(config apps inline-ssl profile alias sslprofile) # rule add vlan id 100.200 no-decrypt

(config apps inline-ssl profile alias sslprofile) # rule add ipv6 dst 3000::1 mask FFFF::0 decrypt

profile alias <alias> rule delete <all | rule-id <rule ID>>

Deletes rules for the profile, either all rules or a specific rule by its rule ID.

Examples:

(config apps inline-ssl profile alias sslprofile) # rule delete all

(config apps inline-ssl profile alias sslprofile) # rule delete rule-id 2

profile alias <alias> starttls
   add l4port <port number>
   delete <all | l4port <port number>>

Specifies StartTLS Layer 4 (L4) ports as follows:

add—Specifies an L4 port number to add.
delete—Specifies an L4 port number to delete or all L4 ports.

The specific ports to monitor StartTLS traffic must be specified for the profile. Up to 20 ports can be specified in a comma separated list.

Note:  Both HTTP CONNECT and StartTLS are supported using the same starttls command. In HTTP CONNECT, the L4 port is the explicit proxy port number.

Examples:

(config apps inline-ssl profile alias sslprofile) # starttls add l4port 44

(config apps inline-ssl profile alias sslprofile) # starttls delete all

(config apps inline-ssl profile alias sslprofile) # starttls delete l4port 12

profile alias <alias> url-cache miss action <decrypt | defer [timeout <1-10>] | no-decrypt>

Specifies an action to take for the profile. This is the action to take on the traffic if GigaSMART is unable to resolve the URL category information locally. The actions are as follows:

decrypt—Specifies a decrypt action in the profile for URL cache.
defer [timeout]—Specifies a deferred action in the profile for URL cache miss. If the action is defer, specify an optional timeout value from 1 to 10 seconds. The default is 1 second. GigaSMART will defer the connection until the specified timeout before reevaluating the policy.
no-decrypt—Specifies a no decrypt (bypass) action in the profile for URL cache miss.

The default is no-decrypt.

Examples:

(config apps inline-ssl profile alias sslprofile) # url-cache miss action decrypt

(config apps inline-ssl profile alias sslprofile) # url-cache miss action defer

(config apps inline-ssl profile alias sslprofile) # url-cache miss action defer timeout 5
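The following added example (not Gigamon code) walks one connection through the profile settings described above: the fetched decrypt and no-decrypt list files, the rule types of rule add, default-action and the url-cache miss action. The evaluation order (no-decrypt list, decrypt list, rules in insertion order with the first match winning, then default-action), exact-string issuer matching, and treating the 128-rule and 10,000-entry limits as hard checks are assumptions; the reference does not specify them.

```python
# Added example, not Gigamon code. Assumed order: no-decrypt list, decrypt list,
# rules in insertion order (first match wins), then default-action. A category
# rule that cannot be resolved locally takes the url-cache miss action.
import ipaddress
from dataclasses import dataclass, field

DECRYPT, NO_DECRYPT, DEFER = "decrypt", "no-decrypt", "defer"
MAX_RULES = 128           # reference: 128 rules per profile regardless of type
MAX_LIST_ENTRIES = 10000  # reference: entries beyond 10,000 are ignored


def load_list(text):
    """Parse a decrypt/no-decrypt list file: one domain or FQDN per line, newline-separated."""
    entries = []
    for line in text.splitlines():
        host = line.strip().lower()
        if not host:
            continue
        if "," in host or ":" in host:
            raise ValueError(f"entries must be newline-separated, got {host!r}")
        entries.append(host)
    return set(entries[:MAX_LIST_ENTRIES])


@dataclass
class Conn:
    sni: str           # destination hostname from the SNI extension
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    vlan: int
    issuer: str = ""   # server certificate issuer, e.g. /C=US/O=gigamon/CN=RootCA


@dataclass
class Rule:
    kind: str          # category | domain | ipv4 | ipv6 | issuer | l4port | vlan
    value: str         # "any", "443", "100-200", "1.1.1.1 mask 255.255.0.0", ...
    action: str        # DECRYPT or NO_DECRYPT
    direction: str = "dst"


def _host_match(pattern, host):
    """A domain entry matches the hostname itself or any subdomain of it."""
    pattern, host = pattern.lower(), host.lower()
    return host == pattern or host.endswith("." + pattern)


def _range_match(spec, n):
    if spec == "any":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= n <= int(hi or lo)


def _network(spec):
    """'1.1.1.1 mask 255.255.0.0' or '3000::/16' -> ip_network (IPv6 masks given as prefix length)."""
    addr, _, mask = spec.partition(" mask ")
    return ipaddress.ip_network(f"{addr}/{mask}" if mask else addr, strict=False)


def rule_matches(rule, conn, categories):
    """True/False for a match; None when a category rule hits a URL-cache miss."""
    if rule.kind == "domain":
        return _host_match(rule.value, conn.sni)
    if rule.kind == "category":
        cat = categories.get(conn.sni.lower())   # local category database
        return None if cat is None else cat == rule.value
    if rule.kind in ("ipv4", "ipv6"):
        ip = conn.src_ip if rule.direction == "src" else conn.dst_ip
        return ipaddress.ip_address(ip) in _network(rule.value)
    if rule.kind == "l4port":
        port = conn.src_port if rule.direction == "src" else conn.dst_port
        return _range_match(rule.value, port)
    if rule.kind == "vlan":
        return _range_match(rule.value, conn.vlan)
    if rule.kind == "issuer":
        return rule.value.lower() == conn.issuer.lower()  # assumption: exact match
    raise ValueError(f"unknown rule type {rule.kind}")


@dataclass
class Profile:
    rules: list = field(default_factory=list)
    decrypt_list: set = field(default_factory=set)
    no_decrypt_list: set = field(default_factory=set)
    default_action: str = NO_DECRYPT   # reference default
    url_cache_miss: str = NO_DECRYPT   # reference default

    def add_rule(self, rule):
        if len(self.rules) >= MAX_RULES:
            raise ValueError(f"profile already holds {MAX_RULES} rules")
        self.rules.append(rule)


def evaluate(profile, conn, categories):
    """Return decrypt, no-decrypt or defer for one connection."""
    if any(_host_match(e, conn.sni) for e in profile.no_decrypt_list):
        return NO_DECRYPT                   # no-decrypt list always bypasses
    if any(_host_match(e, conn.sni) for e in profile.decrypt_list):
        return DECRYPT                      # decrypt list always decrypts
    for rule in profile.rules:
        matched = rule_matches(rule, conn, categories)
        if matched is None:
            return profile.url_cache_miss   # category unknown locally
        if matched:
            return rule.action
    return profile.default_action           # no rule matched
```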

resumption client <enable | disable>

Enables or disables client initiated resumption as follows:

disable—Disables resumption on client.
enable—Enables resumption on client.

The default is enable.

For example:

(config) # apps inline-ssl resumption client disable

session debug [disable | enable]

Reserved for internal use.

signing rsa for <primary | secondary> key <key alias>

Specifies SSL signing for RSA. For SSL certificate re-signing, there are different CAs used (primary and secondary) as follows:

primary—(Mandatory) Specifies the primary signing certificate for RSA. The primary CA re-signs certificates for servers that present a valid certificate.
secondary—(Optional) Specifies the secondary signing certificate for RSA. The secondary CA re-signs certificates for servers that are invalid or that fail validation.

Note:  If decrypt is specified for invalid certificates, the primary certificate will be used for re-signing invalid certificates if the secondary certificate has not been configured.

key—Specifies the alias of the key in the keystore. The key alias from the keystore can be a Man-in-the-Middle (MitM) key pair or a self-signed generated certificate. Refer to apps keystore.

NOTES:

For SSL certificate re-signing, the subject name is copied from the original certificate.
The validity period for re-signed certificates is one week.

Examples:

(config) # apps inline-ssl signing rsa for primary key issl1-primary-ca

(config) # apps inline-ssl signing rsa for secondary key issl1-secondary-ca

trust-store <fetch <append | replace> <URL for trust store file> | reset>

Installs trusted certificate authority (CA) for server certificate validation as follows:

fetch append—Fetches the CA at the specified URL for the inline SSL trust store file and appends it to the end of the existing trust store. The URL must point to a file stored in PEM format.
fetch replace—Fetches the CA at the specified URL for the inline SSL trust store file and replaces the existing trust store. The URL must point to a file stored in PEM format.
reset—Resets to the default trusted CAs for server certification validation.

The supported formats for fetch are: SCP, SFTP, FTP, HTTP.

Note:   With software version 6.5.xx, the default iSSL trust stores have been updated automatically.

Note:  Revoked certificates can be removed with the no apps inline-ssl trust-store certificate fingerprint <> CLI command.

Examples:

(config) # apps inline-ssl trust-store fetch replace http://1.1.1.1/mitm/my_trust_store.pem

(config) # apps inline-ssl trust-store fetch append http://1.1.1.1/mitm/my_trust_store.pem

(config) # apps inline-ssl trust-store reset

Related Commands

The following table summarizes other commands related to the apps inline-ssl command:

Task

Command

Displays inline SSL persistent cache entries that match the certificate common name (CN).

# show apps inline-ssl caching certificate validation internal_ca1.com

Displays inline SSL persistent certificate cache status, including the number of entries saved in the database.

# show apps inline-ssl caching certificate validation status

Displays inline SSL persistent cache entries that match URL domain name.

# show apps inline-ssl caching url www.gigamon.com

Displays inline SSL persistent URL cache status, including the number of records cached and the database version.

# show apps inline-ssl caching url status

Displays all inline SSL global parameters.

# show apps inline-ssl global

Displays brief information for 1000 inline SSL monitor mode sessions.

# show apps inline-ssl monitor session any

Displays brief information for inline SSL monitor mode sessions, based on the match.

# show apps inline-ssl monitor session match ipv4-src 192.168.43.75/32 ipv4-dst 126.1.0.101/32 l4port-src 1124 l4port-dst 443

Displays inline SSL monitor mode session summary.

# show apps inline-ssl monitor summary

Displays a specified inline SSL profile.

# show apps inline-ssl profile alias sslprofile

Displays domain name entry if it is in the decrypt list.

# show apps inline-ssl profile alias sslprofile decryptlist BadCo.com

Displays domain name entry if it is in the no-decrypt list.

# show apps inline-ssl profile alias sslprofile nodecryptlist GoodCo.com

Displays all inline SSL profiles.

# show apps inline-ssl profile all

Displays any inline SSL session.

# show apps inline-ssl session any

Reserved for internal use.

# show apps inline-ssl session debug

Displays inline SSL sessions that match any IPv4 source IP address and mask, any IPv4 destination IP address and mask, any L4 source and destination port, and hostname.

# show apps inline-ssl session match ipv4-src any ipv4-dst any l4port-src any l4port-dst any hostname gigamon.com

Displays inline SSL sessions that match a specific IPv4 source IP address and mask, a specific IPv4 destination IP address and mask, any L4 source and destination port, and hostname

# show apps inline-ssl session match ipv4-src 126.1.0.141/21 ipv4-dst 126.1.0.22/29 l4port-src any l4port-dst any hostname gigamon.com

Displays inline SSL sessions that match a specific IPv4 source IP address and mask, destination IP address and mask, L4 source port number and L4 destination port number, and hostname.

# show apps inline-ssl session match ipv4-src 192.168.1.1/24 ipv4-dst 192.168.1.2/24 l4port-src 56708 l4port-dst 443 hostname gigamon.com

Displays inline SSL sessions that match a specific IPv4 source IP address and mask, destination IP address and mask, L4 source port number and L4 destination port number, and hostname in detail.

# show apps inline-ssl session match ipv4-src 192.168.1.1/24 ipv4-dst 192.168.1.2/24 l4port-src 56708 l4port-dst 443 hostname gigamon.com detail

Displays inline SSL sessions that match a hostname. Not all the matching criteria needs to be specified, for example, instead of gigamon.com, you can specify gigamon or gamon.

# show apps inline-ssl session match hostname gigamon.com

# show apps inline-ssl session match hostname gigamon

# show apps inline-ssl session match hostname gamon

Displays inline SSL sessions that match a hostname in detail.

# show apps inline-ssl session match hostname gigamon.com detail

Displays inline SSL session summary information.

# show apps inline-ssl session summary

Displays inline SSL trust store.

# show apps inline-ssl trust-store all

Displays a specified inline SSL certificate by fingerprint. The format is XX:XX:XX:XX, which is the hex representation of the first four octets of the certificate’s SHA1 fingerprint.

# show apps inline-ssl trust-store certificate fingerprint D1:EB:23:A4
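The fingerprint form above (the first four octets of the SHA-1 fingerprint, written XX:XX:XX:XX) can be derived from a trust-store PEM file before it is fetched, so an operator can match file entries against the show and no commands; the following added example (not Gigamon code) does that for each certificate in a bundle. The embedded bundle is constructed, not real certificates: its first body decodes to the bytes abc, whose SHA-1 is a published test vector.

```python
"""Fingerprint prefixes for a trust-store PEM bundle.

Added example, not Gigamon code. Identifies each certificate in a PEM file
by the first four octets of its SHA-1 fingerprint in the XX:XX:XX:XX form
used by the trust-store certificate fingerprint commands.
"""
import base64
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def pem_to_der_blocks(pem_text):
    """Return the DER bytes of each certificate between BEGIN/END markers.
    Text outside the markers (comments, subject lines) is ignored."""
    blocks, current = [], None
    for line in pem_text.splitlines():
        line = line.strip()
        if line == BEGIN:
            current = []
        elif line == END:
            if current is None:
                raise ValueError("END marker without BEGIN")
            blocks.append(base64.b64decode("".join(current), validate=True))
            current = None
        elif current is not None:
            current.append(line)
    if current is not None:
        raise ValueError("unterminated certificate block")
    return blocks


def sha1_fingerprint(der):
    """Full SHA-1 fingerprint as colon-separated upper-case hex octets."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_prefix(der):
    """First four octets, the XX:XX:XX:XX form the CLI accepts."""
    return sha1_fingerprint(der)[:11]


def bundle_prefixes(pem_text):
    """Prefix for every certificate in a PEM bundle, in file order."""
    return [fingerprint_prefix(der) for der in pem_to_der_blocks(pem_text)]


# Constructed sample bundle: not real certificates. The first body decodes to
# b"abc", whose SHA-1 is the published test vector a9993e36..., so the expected
# prefix A9:99:3E:36 is known without a real certificate.
SAMPLE_BUNDLE = """\
# constructed trust store sample
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
Subject: constructed placeholder entry
-----BEGIN CERTIFICATE-----
YWJjZA==
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for prefix in bundle_prefixes(SAMPLE_BUNDLE):
        print(f"show apps inline-ssl trust-store certificate fingerprint {prefix}")
```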

Deletes a specified inline SSL profile.

(config) # no apps inline-ssl profile alias sslprofile

Deletes all inline SSL profiles.

(config) # no apps inline-ssl profile all

Specifies that SSL primary and secondary certificate for RSA can be overwritten.

Note:  The primary and secondary signing keys are not deleted with these commands, however, after these commands are issued, a new certificate/key pair can be configured, which will overwrite the existing certificate/key pair.

(config) # no apps inline-ssl signing rsa for primary

(config) # no apps inline-ssl signing rsa for secondary

Deletes a specified inline SSL certificate by fingerprint.

(config) # no apps inline-ssl trust-store certificate fingerprint 8E:1C:74:F8

Clears the inline SSL certificate validation persistent cache.

(config) # clear apps inline-ssl caching cert-validation

Clears the inline SSL URL persistent cache.

(config) # clear apps inline-ssl caching url

Clears inline SSL session statistics summary.

(config) # clear apps inline-ssl session summary