SSL Test

A Citrix ADC appliance configured for SSL acceleration transparently accelerates SSL transactions by offloading SSL processing from the server. To configure SSL offloading, you configure a virtual server to intercept and process SSL transactions, and send the decrypted traffic to the server (unless you configure end-to-end encryption, in which case the traffic is re-encrypted). Upon receiving the response from the server, the appliance completes the secure transaction with the client. From the client's perspective, the transaction seems to be directly with the server. An ADC configured for SSL acceleration also performs other configured functions, such as load balancing.

The SSL test reveals how efficiently the ADC performs SSL acceleration. The metrics reported by this test provide administrators with in-depth insights into the SSL session load on the appliance and the nature of the SSL transactions (e.g., SSLv1, SSLv2, TLSv1, etc.) that were performed during these sessions, and promptly alert them to issues affecting SSL acceleration, such as a high number of session reuse misses and failures in multiplexing.

Target of the test : An ADC VPX/MPX

Agent deploying the test : A remote agent

Outputs of the test : One set of results for each authentication virtual server configured on the ADC appliance being monitored.

Configurable parameters for the test
Parameter Description

Test Period

How often should the test be executed

Host

The IP address of the host for which the test is being configured.

NetScaler Username and NetScaler Password

To monitor an ADC device, the eG agent should be configured with the credentials of a user with read-only privileges on the target ADC device. Specify the credentials of such a user in the NetScaler Username and NetScaler Password text boxes.

Confirm Password

Confirm the ADC Password by retyping it here.

SSL

The eG agent collects performance metrics by invoking NITRO (ADC Interface Through Restful interfaces and Objects) APIs on the target ADC device. Typically, the NITRO APIs can be invoked through the HTTP or the HTTPS mode. By default, the eG agent invokes the NITRO APIs using the HTTPS mode. This is why the SSL flag is set to Yes by default. If the target ADC device is not SSL-enabled, then the NITRO APIs can be accessed through the HTTP mode only. In this case, set the SSL flag to No.

Measurements made by the test
Measurement Description Measurement Unit Interpretation

SSL cards present

Indicates the number of SSL crypto cards currently present in this ADC device.

Number

A server accelerator card (also known as an SSL card) is a Peripheral Component Interconnect (PCI) card used to generate encryption keys for secure transactions on e-commerce Web sites. When a secure transaction is initiated, the Web site's server sends its certificate, which has been provided by a certifying authority, to the client machine to verify the Web site's authenticity. After this exchange, a secret key is used to encrypt all data transferred between sender and receiver so that all personal and credit card information is protected. This process can severely overload a server resulting in fewer transactions processed per second, which means fewer sales. The server accelerator card takes over this process, thus reducing the load on the server. Server accelerator cards support a number of security protocols including Secure Sockets Layer (SSL) and Secure Electronic Transaction (SET).

SSL cards up

Indicates the number of SSL cards that are currently UP in this ADC device.

Number

A low value for this measure indicates that many SSL cards are currently Down.

SSL engine status

Indicates the current status of the SSL engine.

The values reported by this measure and their numeric equivalents are as shown in the table:

Numeric Value Measure Value
0 Down
1 Up

Note:

By default, this measure reports the above-mentioned Measure Values while indicating the status of the SSL engine. However, in the graph of this measure, the states will be represented using the corresponding numeric equivalents - i.e., 0 or 1.

SSL sessions

Indicates the number of current SSL sessions on this ADC device.

Number

This measure is a good indicator of the current SSL session load on the appliance.

SSL transactions

Indicates the number of SSL transactions performed on this ADC device during the last measurement period.

Number

For an SSL transaction to be initiated, and for successful completion of the SSL handshake, the server and the client should agree on an SSL protocol that both of them support. If the SSL protocol version supported by the client is not acceptable to the server, the server does not go ahead with the transaction, and an error message is displayed.

SSLv2 transactions

Indicates the number of SSLv2 transactions performed on this ADC device during the last measurement period.

Number

SSLv3 transactions

Indicates the number of SSLv3 transactions performed on this ADC device during the last measurement period.

Number

TLSv1 transactions

Indicates the number of TLSv1 transactions on this ADC device during the last measurement period.

Number

Front-End SSL sessions

Indicates the number of Front-end SSL sessions on this ADC device during the last measurement period.

Number

In certain deployments, you might be concerned about network vulnerabilities between the ADC appliance and the backend servers, or you might need complete end-to-end security and interaction with certain devices that can communicate only in clear text (for example, caching devices). In such cases, you can set up an HTTP virtual server that receives data from clients that connect to it at the front end and hands the data off to a secure service, which securely transfers the data to the web server. To implement this type of configuration, you configure an HTTP virtual server on the ADC and bind SSL-based services to the virtual server. The ADC receives HTTP requests from the client on the configured HTTP virtual server, encrypts the data, and sends the encrypted data to the web servers in a secure SSL session.

This measure reports the count of those SSL sessions that are front-ended by such virtual servers.

Front-End SSLv2 sessions

Indicates the number of Front-end SSLv2 sessions on this ADC device during the last measurement period.

Number

Front-End SSL v3 sessions

Indicates the number of Front-end SSLv3 sessions on this ADC device during the last measurement period.

Number

Front-End TLSv1 sessions

Indicates the number of TLSv1 sessions on this ADC device during the last measurement period.

Number

Front-End new sessions

Indicates the number of new Front-end SSL sessions on this ADC device during the last measurement period.

Number

Front-End SSL session reuse misses

Indicates the number of SSL session reuse misses on the ADC appliance since the last measurement period.

Number

For SSL transactions, establishing the initial SSL handshake requires CPU-intensive public key encryption operations. Most handshake operations are associated with the exchange of the SSL session key (client key exchange message). When a client session is idle for some time and is then resumed, the SSL handshake is typically conducted all over again. With session reuse enabled, session key exchange is avoided for session resumption requests received from the client. Session reuse is enabled on the ADC appliance by default. Enabling this feature reduces server load, improves response time, and increases the number of SSL transactions per second (TPS) that can be supported by the server.

A server, therefore, is said to be performing at peak capacity if the value of the Front-End SSL session reuse misses measure is low and the value of the Front-End SSL session reuse hits measure is high.

Front-End SSL session reuse hits

Indicates the number of SSL session reuse hits on the ADC appliance since the last measurement period.

Number

Front-End SSLv1 client authentications

Indicates the number of client authentications performed through the Front-end SSLv2 transactions on this ADC device during the last measurement period.

Number

Front-End SSLv3 client authentications

Indicates the number of client authentications performed through the Front-end SSLv3 transactions on this ADC device during the last measurement period.

Number

Front-End TLSv1 client authentications

Indicates the number of client authentications performed through the Front-end TLSv1 transactions on this ADC device during the last measurement period.

Number

Back-End SSL sessions

Indicates the number of Back-end SSL sessions through which transactions were performed on the virtual server by this ADC device during the last measurement period.

Number

In certain deployments, you might be concerned about network vulnerabilities between the ADC appliance and the backend servers, or you might need complete end-to-end security and interaction with certain devices that can communicate only in clear text (for example, caching devices). In such cases, you can set up an HTTP virtual server that receives data from clients that connect to it at the front end and hands the data off to a secure service, which securely transfers the data to the web server. To implement this type of configuration, you configure an HTTP virtual server on the ADC and bind SSL-based services to the virtual server. The ADC receives HTTP requests from the client on the configured HTTP virtual server, encrypts the data, and sends the encrypted data to the web servers in a secure SSL session.

This measure reports the count of those SSL sessions between the front-end HTTP virtual server and the backend web servers.

Back-End SSLv3 sessions

Indicates the number of Back-end SSLv3 sessions through which transactions were performed on the virtual server by this ADC device during the last measurement period.

Number

Back-End TLSv1 sessions

Indicates the number of Back-end TLSv1 sessions through which transactions were performed on the virtual server by this ADC device during the last measurement period.

Number

Back-End SSL sessions multiplex attempts

Indicates the number of Back-end SSL session multiplexing attempts made by this ADC device to access the virtual servers during the last measurement period.

Number

You can configure the back-end SSL transactions so that the ADC appliance uses SSL session multiplexing to reuse existing SSL sessions with the back-end web servers, thus avoiding CPU-intensive key exchange (full handshake) operations. This reduces the overall number of SSL sessions on the server, and therefore accelerates the SSL transaction while maintaining end-to-end security.

This is why a large number of Backend SSL sessions multiplex attempts successes is desired. On the other hand, too many Backend SSL sessions multiplex attempts failures could imply that SSL sessions could not be reused. This in turn can result in increased full handshakes, probable session overloads on the backend web servers, and consequently, slower SSL transaction processing.
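The SSL parameter above explains that the agent reads these statistics over NITRO in HTTPS or HTTP mode, and the session reuse and multiplexing interpretations describe how the per-period hit/miss and success/failure counts should be read. The following Python script is an added example, not eG Innovations or Citrix code, showing how a monitoring poller of this kind could be put together: it builds the NITRO statistics URL according to the SSL flag, converts the appliance's cumulative totals into "last measurement period" values (handling a counter reset after a reboot), derives the reuse hit ratio and multiplex success ratio, and raises alerts when SSL cards are Down, the engine is Down, or either ratio falls below a threshold. The resource path /nitro/v1/stat/ssl, the X-NITRO-USER/X-NITRO-PASS headers and every counter name (ssltottransactions, sslfetotsessionhits, and so on) are assumptions standing in for whatever a given ADC release actually returns; the two samples are constructed, so the script runs offline without an appliance.

```python
"""Added example: derive SSL-test style indicators from two NITRO stat polls.

Assumed (not from the page): the stats resource path, the NITRO auth
headers and the counter/gauge field names below. Samples are constructed.
"""
import json
import urllib.request

NITRO_SSL_STAT_PATH = "/nitro/v1/stat/ssl"      # assumed resource path
GAUGE_FIELDS = ("sslcards", "sslnumcardsup", "sslenginestatus", "sslcursessions")
COUNTER_FIELDS = (                               # cumulative totals on the appliance
    "ssltottransactions",
    "sslfetotsessionhits", "sslfetotsessionmiss",
    "sslbetotsessionmultiplexattempts",
    "sslbetotsessionmultiplexattemptsuccess",
    "sslbetotsessionmultiplexattemptfails",
)
ENGINE_STATUS = {0: "Down", 1: "Up"}             # numeric equivalents from the page


def nitro_ssl_stats_url(host, ssl=True):
    """Mirror the test's SSL flag: Yes -> HTTPS mode, No -> HTTP mode."""
    return f"{'https' if ssl else 'http'}://{host}{NITRO_SSL_STAT_PATH}"


def fetch_ssl_stats(host, username, password, ssl=True, timeout=10):
    """Poll the appliance with a read-only user's credentials (assumed headers)."""
    req = urllib.request.Request(
        nitro_ssl_stats_url(host, ssl),
        headers={"X-NITRO-USER": username, "X-NITRO-PASS": password,
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["ssl"]


def period_delta(prev, curr):
    """Cumulative totals -> 'during the last measurement period' values.
    A current value lower than the previous one means the counters were
    reset (e.g. reboot); count from zero rather than reporting a negative."""
    out = {}
    for name in COUNTER_FIELDS:
        p, c = int(prev.get(name, 0)), int(curr.get(name, 0))
        out[name] = c - p if c >= p else c
    return out


def ratio(num, den):
    return num / den if den else None        # None when nothing happened this period


def derive(prev, curr):
    """Build the measures this test reports from two consecutive polls."""
    d = period_delta(prev, curr)
    hits, misses = d["sslfetotsessionhits"], d["sslfetotsessionmiss"]
    attempts = d["sslbetotsessionmultiplexattempts"]
    ok, failed = (d["sslbetotsessionmultiplexattemptsuccess"],
                  d["sslbetotsessionmultiplexattemptfails"])
    cards, cards_up = int(curr.get("sslcards", 0)), int(curr.get("sslnumcardsup", 0))
    return {
        "ssl_transactions": d["ssltottransactions"],
        "ssl_sessions": int(curr.get("sslcursessions", 0)),     # gauge, not a delta
        "engine_status": ENGINE_STATUS.get(int(curr.get("sslenginestatus", 0)), "Unknown"),
        "cards_present": cards, "cards_up": cards_up, "cards_down": cards - cards_up,
        "reuse_hits": hits, "reuse_misses": misses,
        "reuse_hit_ratio": ratio(hits, hits + misses),
        "multiplex_attempts": attempts, "multiplex_successes": ok,
        "multiplex_failures": failed,
        "multiplex_success_ratio": ratio(ok, attempts),
    }


def evaluate(m, min_reuse_hit_ratio=0.8, min_multiplex_success_ratio=0.9):
    """Apply the interpretations: Down cards/engine, low reuse, failed multiplexing."""
    alerts = []
    if m["engine_status"] != "Up":
        alerts.append("SSL engine is " + m["engine_status"])
    if m["cards_down"] > 0:
        alerts.append(f"{m['cards_down']} of {m['cards_present']} SSL cards are Down")
    r = m["reuse_hit_ratio"]
    if r is not None and r < min_reuse_hit_ratio:
        alerts.append(f"front-end session reuse hit ratio {r:.2f} below {min_reuse_hit_ratio}")
    r = m["multiplex_success_ratio"]
    if r is not None and r < min_multiplex_success_ratio:
        alerts.append(f"back-end multiplex success ratio {r:.2f} below {min_multiplex_success_ratio}")
    return alerts


# Constructed samples standing in for two consecutive polls of one appliance.
SAMPLE_PREV = {"sslcards": 2, "sslnumcardsup": 2, "sslenginestatus": 1, "sslcursessions": 1200,
               "ssltottransactions": 50000, "sslfetotsessionhits": 9000, "sslfetotsessionmiss": 1000,
               "sslbetotsessionmultiplexattempts": 5000,
               "sslbetotsessionmultiplexattemptsuccess": 4500,
               "sslbetotsessionmultiplexattemptfails": 500}
SAMPLE_CURR = {"sslcards": 2, "sslnumcardsup": 1, "sslenginestatus": 1, "sslcursessions": 1350,
               "ssltottransactions": 53000, "sslfetotsessionhits": 9900, "sslfetotsessionmiss": 1200,
               "sslbetotsessionmultiplexattempts": 5300,
               "sslbetotsessionmultiplexattemptsuccess": 4750,
               "sslbetotsessionmultiplexattemptfails": 550}

if __name__ == "__main__":
    metrics = derive(SAMPLE_PREV, SAMPLE_CURR)
    for key, value in metrics.items():
        print(f"{key:26} {value}")
    for alert in evaluate(metrics):
        print("ALERT:", alert)
```

With the constructed samples the period shows 900 reuse hits against 200 misses (hit ratio about 0.82, above the threshold) but only 250 of 300 multiplex attempts succeeding and one of two SSL cards Down, so two alerts are raised. The thresholds are starting points to tune per deployment; the ratios are more useful than raw counts because the counts scale with traffic volume.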

Back-End SSL sessions multiplex attempts successes

Indicates the number of Back-end SSL session multiplexing attempts that were successfully made by this ADC device during the last measurement period.

Number

Back-End SSL sessions multiplex attempts failures

Indicates the number of failed Back-end SSL session multiplexing attempts made by this ADC device during the last measurement period.

Number

Back-End SSLv3 client authentications

Indicates the number of client authentications performed by the virtual server through SSLv3 sessions during the last measurement period.

Number

Back-End TLSv1 client authentications

Indicates the number of client authentications performed by the virtual server through TLSv1 sessions during the last measurement period.

Number

Data decrypted

Indicates the amount of data decrypted on this ADC device during the last measurement period.

MB

Data encrypted

Indicates the amount of data encrypted on this ADC device during the last measurement period.

MB

TLSv1.1 transactions

Indicates the number of TLSv1.1 transactions on this ADC device during the last measurement period.

Number

TLSv1.2 transactions

Indicates the number of TLSv1.2 transactions on this ADC device during the last measurement period.

Number

Front-End TLSv1.1 sessions

Indicates the number of front-end TLSv1.1 transactions on this ADC device during the last measurement period.

Number

Front-End TLSv1.2 sessions

Indicates the number of front-end TLSv1.2 transactions on this ADC device during the last measurement period.

Number

Front-End TLSv1.1 client authentications

Indicates the number of client authentications performed through the Front-end TLSv1.1 transactions on this ADC device during the last measurement period.

Number

Front-End TLSv1.2 client authentications

Indicates the number of client authentications performed through the Front-end TLSv1.2 transactions on this ADC device during the last measurement period.

Number