配置ADC集成

根@ NS＃的/ opt / nfast /斌/ anonkneti <委托HSM IP地址> <！ -  NeedCopy  - >

@根NS＃/选择/ nfast /斌/ anonkneti 10.217.2.112 BD17-C807-58D9 5e30a698f7bab3b2068ca90a9488dc4e6c78d822 <！ -  NeedCopy  - >

VI /选择/ nfast / kmdata / HSM-BD17-C807-58D9 /配置/配置<！ -  NeedCopy  - >

#在会话密钥重新协商之前，使用会话密钥加密的数据字节数，或0表示无限。(默认= 1024 * 1024 * 8 b = 8 mb)。# datelimit =INT addr=10.217.2.43 clientperm=unpriv keyhash=000000000000000000000000000000000000 esn= timelimit=86400 datelimit =8388608 ----- 

/opt/nfast/bin/cfg-pushnethsm——address=<委托HSM的IP地址>——force /opt/nfast/kmdata/ HSM - bd17 - c807 - 58d9 /config/config 

/opt/nfast/bin/cfg-pushnethsm——address=10.217.2.112——force /opt/nfast/kmdata/hsm-BD17-C807-58D9/config/config 

/选择/ nfast /斌/ RFS-设置--force -g --write-NOAUTH  <！ -  NeedCopy  - >

(root@localhost本)# / opt / nfast / bin / rfs-setup -力- g - write-noauth 10.217.2.43添加只读remote_file_system条目确保目录/ opt / nfast / kmdata /本地存在添加新的可写remote_file_system条目确保目录/ opt / nfast / kmdata /地方/ sync-store存在保存新配置文件和配置hardserver做< !——NeedCopy >

触摸/var/opt/nfast/bin/thales_hsm_is_enrolled < !——NeedCopy >

重新启动<！ -  NeedCopy  - >

$(anonkneti 10.217.2.112) OK configure hardserver's nethsm imports 

…local_module=0 remote_ip=10.217.2.112 remote_port=9004 remote_esn=BD17-C807-58D9 keyhash=5e30a698f7bab3b2068ca90a9488dc4e6c78d822 timelimit=86400 datelimit =8388608 privileged=0 privileged_use_high_port=0 ntoken_esn= 

触摸“thales_hsm_is_enrolled”< !——NeedCopy >

./nethsmenroll --remove  <！ -  NeedCopy  - >

./rfs-sync——no-authenticate——setup  

/ RFS -sync——No -authenticate——setup 10.217.2.6当前没有RFS同步配置。配置成功地写;新的配置细节:在10.217.2.6:9004使用RFS:不验证。<！——NeedCopy >

...... remote_ip = 10.217.2.6 REMOTE_PORT = 9004 use_kneti =无local_esn = <！ -  NeedCopy  - >

。/ rfs_sync删除< !——NeedCopy >

。/ rfs-sync——更新< !——NeedCopy >

root@ns# ./chkserv root@ns# ./nfkminfo root@ns# ./sigtest 

[root@localhost bin]# ./generatekey embed size:密钥大小?(bits, minimum 1024)[1024] > 2048可选:pubexp: RSA key Public exponent (hex)?[] > embedsavefile: Filename to write key to?[] > example plainname: Key name?[] > example x509country:国家代码?[] > US x509province: State or province?[] > CA x509locality: City or locality?[] > Santa Clara x509org: organization ?[] > Citrix x509orgunit:组织单位?[] > NS x509dnscommon:域名? [] > m.giftsix.com x509email: Email address? [] > example@citrix.com nvram: Blob in NVRAM (needs ACS)? (yes/no) [no] > digest: Digest to sign cert req with? (md5, sha1, sha256, sha384, sha512) [default sha1] > sha512 key generation parameters: operation Operation to perform generate application Application embed verify Verify security of key yes type Key type RSA size Key size 2048 pubexp Public exponent for RSA key (hex) embedsavefile Filename to write key to example plainname Key name example x509country Country code US x509province State or province CA x509locality City or locality Santa Clara x509org Organisation Citrix x509orgunit Organisation unit NS x509dnscommon Domain name m.giftsix.com x509email Email address example@citrix.com nvram Blob in NVRAM (needs ACS) no digest Digest to sign cert req with sha512 Key successfully generated. Path to key: /opt/nfast/kmdata/local/key_embed_2ed5428aaeae1e159bdbd63f25292c7113ec2c78 You have new mail in /var/spool/mail/root 

[root@localhostbin]#./generatekey-r简单来自应用程序：源应用程序？（嵌入，简单）[嵌入]>从标识嵌入：源密钥标识符？（c6410ca00af7e394157518cb53b2db46ff18ce29，2ED5428AAEAE159BD63F25292C7113EC2C78）[默认c6410ca00af7e394157518cb53b2db46ff18ce29]>2ED5428AAE159BD63F25292C7113EC2C78标识：密钥标识？[]>ExamplersA2048密钥纯名称：密钥名称？[]>Examplersa2048密钥生成参数：执行重定目标应用程序的操作应用程序简单验证验证来自应用程序源应用程序的密钥的安全性从标识源密钥标识符2ED5428AAEAE159BDBD63F25292C7113EC2C78标识密钥标识符Examplersa2048密钥明文名称密钥名称Examplersa2048密钥已成功重定目标。按键路径：/opt/nfast/kmdata/local/key\u simple\u示例2048key<--需要复制-->

启用特性lb启用特性SSL 

加NS的IP地址 <网络掩码>型SNIP显示NS的IP地址<！ -  NeedCopy  - >

添加ns ip 192.168.17.253 255.255.248.0类型剪做展示ns ip Ipaddress交通模式Arp Icmp Vserver状态域类型  --------- -------------- ---- ---- --- ---- ------- ------ 1) 192.168.17.251 0 NetScaler IP活跃启用启用NA启用2)192.168.17.252 0 VIP活动使启用启用启用3)192.168.17.253 0剪活跃Enabled Enabled NA Enabled Done 

add ssl hsmKey  -key  

加SSL hsmKey examplersa2048key  - 键key_simple_examplersa2048key完成<！ -  NeedCopy  - >

添加ssl certKey-cert-hsmKey<--需要复制-->

add ssl certKey key22 -cert example_selfcert -hsmKey examplersa2048key Done 

add lb vserver     

加磅虚拟服务器V1 SSL 192.168.17.252 443 <！ -  NeedCopy  - >

%python -m SimpleHTTPServer 80 

add server   

添加服务器s1 192.168.17.246 

加服<名> <服务器> <的serviceType> <口> <！ -  NeedCopy  - >

添加服务sr1 s1 HTTP 80 

绑定磅虚拟服务器<名称> <服务> <！ -  NeedCopy  - >

绑定lb vserver v1 sr1 

bind ssl vserver  -certkeyName  

bind ssl vserver v1 -certkeyName key22 Warning: Current certificate replace the previous binding 

显示lb vserver显示ssl vserver<--需要复制-->

显示磅vserver v1 v1 (192.168.17.252:443) - SSL类型:地址状态:去年状态改变是在2014年10月29日03:11:11结婚以来最后的状态变化:0天,00:01:25.220有效状态:客户端闲置超时:180秒刷新状态:启用禁用主要vserver:禁用演示applow日志:没有启用。绑定的服务:1(总)1(主动)配置方法:LEASTCONNECTION当前方法:循环赛,原因:绑定服务的状态改变模式:IP持久性:没有Vserver IP和端口插入:从推动:残疾人推Vserver:推动多客户:没有把标签规则:没有L2Conn:从跳过持久性:没有IcmpResponse:PASSIVE RHIstate: PASSIVE New Service Startup Request Rate: 0 PER_SECOND, Increment Interval: 0 Mac mode Retain Vlan: DISABLED DBS_LB: DISABLED Process Local: DISABLED Traffic Domain: 0 1) sr1 (192.168.17.246: 80) - HTTP State: UP Weight: 1 Done 

sh ssl vserver v1 vserver v1的高级ssl配置：DH:禁用临时RSA:启用刷新计数：0会话重用：启用超时：120秒密码重定向：禁用SSLv2重定向：禁用明文端口：0客户端身份验证：禁用ssl重定向：禁用非FIPS密码：禁用SNI:禁用SSLv2:禁用SSLv3:禁用TLSv1.0:启用TLSv1.1:禁用TLSv1.2:禁用推送加密触发器：始终发送关闭通知：是ECC曲线：P_256，P_384，P_224，P_521 1）CertKey名称：key22服务器证书1）密码名称：默认描述：预定义密码别名完成<--需要复制-->