Author Topic: How to Correctly Configure SSL Certificates in High Availability Mode

Posted by: jmelika
Summary

This document describes the correct procedure for configuring NetScaler devices for Secure Sockets Layer (SSL) operation in High Availability (HA) mode.

Requirements

Two Citrix NetScaler devices intended for deployment in HA configuration.

Background

NetScaler devices may be deployed in an HA configuration, in which a "secondary" (passive) system operates as a "hot standby" for a "primary" (active) system. The secondary system sends periodic "hello" messages to the primary to determine its status. If the primary system fails to respond to the "hello" messages within a specified (configurable) time interval, the secondary system determines that the primary is not functioning correctly and takes over the functionality of the primary (a process known as failover). Clients must reestablish connections after a failover, but all session persistence settings are inherited by the secondary system, and the failure of the primary device is transparent to the user.

Replication of configuration settings from the primary to the secondary device is done by an automatic synchronization process that runs periodically. The synchronization process replicates configuration information only; it does not transfer supporting files such as certificates and keys. SSL connections to the secondary device in a failover scenario will fail if the certificates and keys are not present on the secondary system's filesystem.

Procedure

Ensure that all SSL certificate and key files are copied to the correct location on the secondary system using the following procedure:

Note: This procedure assumes that all certificates and keys required for SSL operation on the primary system are valid and operational. The certificate and key files should reside in the /nsconfig/ssl/ directory on both systems.

   1. Open an SSH session to the primary NetScaler system, entering credentials with root privileges.
   2. Access the BSD shell by entering the shell command at the netscaler> prompt.
   3. Copy the relevant key and certificate files from the primary system to the secondary using the scp utility:

root@ns# scp /nsconfig/ssl/<key filename> nsroot@<IP address of secondary>:/nsconfig/ssl/

root@ns# scp /nsconfig/ssl/<certificate filename> nsroot@<IP address of secondary>:/nsconfig/ssl/

      Repeat this process for all certificate and key pairs required for your SSL configuration.

   4. Restart each system, one at a time, and verify that failover occurs.
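A check worth running between step 3 and step 4, added here as an example and not part of the original post: it compares a manifest of every file under /nsconfig/ssl/ on the primary against the same directory on the secondary, so a key or certificate that was skipped or copied incompletely is caught before failover is tested. It assumes the directory layout above and nsroot SSH access to the secondary (the same access the scp step uses), and uses only POSIX tools (find, cksum, sort, comm) available in the NetScaler BSD shell.

```shell
#!/bin/sh
# Example verification script (added here; not Citrix or NetScaler code).
# Assumption: certificates and keys live in /nsconfig/ssl/ on both systems.

SSL_DIR=/nsconfig/ssl

# Print one "crc size ./relative-path" line per regular file under DIR, sorted
# so the output can be compared with comm(1).
ssl_manifest() {
    ( cd "$1" && find . -type f -exec cksum {} + ) | sort
}

# The same manifest, taken on the secondary over SSH (assumes nsroot access,
# as the scp step does). Argument: IP address of the secondary.
remote_ssl_manifest() {
    ssh "nsroot@$1" "cd $SSL_DIR && find . -type f -exec cksum {} +" | sort
}

# Compare two manifest files (primary, secondary): report every primary entry
# that is absent from, or has different contents on, the secondary.
# Returns 0 when every primary file is present and identical, 1 otherwise.
manifest_diff() {
    diff_lines=$(comm -23 "$1" "$2")
    if [ -n "$diff_lines" ]; then
        echo "Missing or differing on secondary:" >&2
        echo "$diff_lines" >&2
        return 1
    fi
    return 0
}

# Run the full check from the primary's BSD shell.
# Usage: verify_secondary <IP address of secondary>
verify_secondary() {
    p=$(mktemp); s=$(mktemp)
    ssl_manifest "$SSL_DIR" > "$p"
    remote_ssl_manifest "$1" > "$s"
    manifest_diff "$p" "$s"
    rc=$?
    rm -f "$p" "$s"
    return $rc
}
```

Note that cksum detects an incomplete or missed copy but is not a tamper-evident hash; the point of the check is to confirm the secondary has exactly the files the primary has before the restart in step 4.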