SSL Test
A Citrix ADC appliance configured for SSL acceleration transparently accelerates SSL transactions by offloading SSL processing from the server. To configure SSL offloading, you configure a virtual server to intercept and process SSL transactions, and send the decrypted traffic to the server (unless you configure end-to-end encryption, in which case the traffic is re-encrypted). Upon receiving the response from the server, the appliance completes the secure transaction with the client. From the client's perspective, the transaction seems to be directly with the server. An ADC configured for SSL acceleration also performs other configured functions, such as load balancing.
The SSL test reveals how efficiently the ADC performs SSL acceleration. The metrics reported by this test give administrators in-depth insight into the SSL session load on the appliance and the nature of the SSL transactions (e.g., SSLv1, SSLv2, TLSv1, etc.) performed during these sessions, and promptly alert them to issues affecting SSL acceleration, such as a high number of session reuse misses or failures in multiplexing.
Target of the test: An ADC VPX/MPX
Agent deploying the test: A remote agent
Outputs of the test: One set of results for each authentication virtual server configured on the ADC appliance being monitored.
Parameter | Description |
---|---|
Test Period | How often should the test be executed |
Host | The IP address of the host for which the test is being configured. |
NetScaler Username and NetScaler Password | To monitor an ADC device, the eG agent should be configured with the credentials of a user with read-only privileges on the target ADC device. Specify the credentials of such a user in the NetScaler Username and NetScaler Password text boxes. |
Confirm Password | Confirm the ADC Password by retyping it here. |
SSL | The eG agent collects performance metrics by invoking NITRO (ADC Interface Through Restful interfaces and Objects) APIs on the target ADC device. Typically, the NITRO APIs can be invoked through the HTTP or the HTTPS mode. By default, the eG agent invokes the NITRO APIs using the HTTPS mode. This is why the SSL flag is set to Yes by default. If the target ADC device is not SSL-enabled, then the NITRO APIs can be accessed through the HTTP mode only. In this case, set the SSL flag to No. |
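The SSL parameter above decides whether the NITRO call goes over HTTPS or HTTP. The following Python client, added here as an illustration and not taken from the eG agent or from Citrix, shows what that choice means in practice: the same request is built either way, but with SSL set to No the NITRO credentials cross the network in clear text, and with SSL set to Yes the appliance's management certificate is verified instead of being ignored. It assumes the NITRO stat resource path `/nitro/v1/stat/ssl`, the `X-NITRO-USER`/`X-NITRO-PASS` header authentication, and the `errorcode`/`message` envelope of NITRO responses; the host, user name and password in the `__main__` block are placeholders.

```python
"""Build and send a NITRO stat request for the ADC SSL statistics.

Added example, not eG Enterprise agent code. Assumes the NITRO resource path
/nitro/v1/stat/ssl, X-NITRO-USER / X-NITRO-PASS header authentication and
the {"errorcode": ..., "message": ..., "<resource>": {...}} response envelope.
"""
import json
import ssl
import urllib.request
from typing import Dict, Optional


def nitro_url(host: str, use_ssl: bool, resource: str = "stat/ssl") -> str:
    """SSL flag = Yes selects HTTPS, SSL flag = No selects HTTP."""
    scheme = "https" if use_ssl else "http"
    return f"{scheme}://{host}/nitro/v1/{resource}"


def nitro_headers(username: str, password: str) -> Dict[str, str]:
    """NITRO reads the credentials from these two headers. Over HTTP (SSL = No)
    they travel in clear text, so the read-only monitoring account is exposed
    to anyone able to observe the management network."""
    return {
        "X-NITRO-USER": username,
        "X-NITRO-PASS": password,
        "Accept": "application/json",
    }


def tls_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """A verifying TLS context. When the appliance's management certificate is
    issued by an internal CA, supply that CA bundle rather than turning
    verification off."""
    return ssl.create_default_context(cafile=ca_file)


def parse_nitro_response(body: bytes, resource_key: str = "ssl") -> dict:
    """Unwrap the NITRO envelope; a non-zero errorcode (for example a rejected
    login) is raised instead of silently yielding empty statistics."""
    doc = json.loads(body)
    if int(doc.get("errorcode", 0)) != 0:
        raise RuntimeError(f"NITRO error {doc.get('errorcode')}: {doc.get('message')}")
    return doc[resource_key]


def fetch_ssl_stats(host: str, username: str, password: str, use_ssl: bool = True,
                    ca_file: Optional[str] = None, timeout: float = 10.0) -> dict:
    """Perform one poll of the SSL statistics (network access; not run at import)."""
    req = urllib.request.Request(nitro_url(host, use_ssl),
                                 headers=nitro_headers(username, password))
    ctx = tls_context(ca_file) if use_ssl else None
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return parse_nitro_response(resp.read())


if __name__ == "__main__":
    # Placeholder values: replace with the monitored appliance and a read-only user.
    stats = fetch_ssl_stats("adc.example.internal", "monitor-readonly", "REPLACE_ME")
    # "sslsessions" is the assumed counter behind the page's "SSL sessions" measure.
    print("current SSL sessions:", stats.get("sslsessions"))
```

Run it with the placeholders replaced; the `ca_file` argument is the usual fix when the appliance presents a certificate from an internal CA, and `use_ssl=False` should only ever be used on an appliance that genuinely has no HTTPS management interface.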
Measurement | Description | Measurement Unit | Interpretation |
---|---|---|---|
SSL cards present | Indicates the number of SSL crypto cards currently present in this ADC device. | Number | A server accelerator card (also known as an SSL card) is a Peripheral Component Interconnect (PCI) card used to generate encryption keys for secure transactions on e-commerce Web sites. When a secure transaction is initiated, the Web site's server sends its certificate, which has been provided by a certifying authority, to the client machine to verify the Web site's authenticity. After this exchange, a secret key is used to encrypt all data transferred between sender and receiver so that all personal and credit card information is protected. This process can severely overload a server, resulting in fewer transactions processed per second, which means fewer sales. The server accelerator card takes over this process, thus reducing the load on the server. Server accelerator cards support a number of security protocols, including Secure Sockets Layer (SSL) and Secure Electronic Transaction (SET). |
SSL cards up | Indicates the number of SSL cards that are currently UP in this ADC device. | Number | A low value for this measure indicates that many SSL cards are currently Down. |
SSL engine status | Indicates the current status of the SSL engine. | | The values reported by this measure and their numeric equivalents are as shown in the table: Note: By default, this measure reports the above-mentioned Measure Values while indicating the status of the SSL engine. However, in the graph of this measure, the states will be represented using the corresponding numeric equivalents, i.e., 0 or 1. |
SSL sessions | Indicates the number of current SSL sessions on this ADC device. | Number | This measure is a good indicator of the current SSL session load on the appliance. |
SSL transactions | Indicates the number of SSL transactions performed on this ADC device during the last measurement period. | Number | For an SSL transaction to be initiated, and for successful completion of the SSL handshake, the server and the client should agree on an SSL protocol that both of them support. If the SSL protocol version supported by the client is not acceptable to the server, the server does not go ahead with the transaction, and an error message is displayed. |
SSLv2 transactions | Indicates the number of SSLv2 transactions performed on this ADC device during the last measurement period. | Number | |
SSLv3 transactions | Indicates the number of SSLv3 transactions performed on this ADC device during the last measurement period. | Number | |
TLSv1 transactions | Indicates the number of TLSv1 transactions on this ADC device during the last measurement period. | Number | |
Front-End SSL sessions | Indicates the number of Front-end SSL sessions on this ADC device during the last measurement period. | Number | In certain deployments, you might be concerned about network vulnerabilities between the ADC appliance and the backend servers, or you might need complete end-to-end security and interaction with certain devices that can communicate only in clear text (for example, caching devices). In such cases, you can set up an HTTP virtual server that receives data from clients that connect to it at the front end and hands the data off to a secure service, which securely transfers the data to the web server. To implement this type of configuration, you configure an HTTP virtual server on the ADC and bind SSL-based services to the virtual server. The ADC receives HTTP requests from the client on the configured HTTP virtual server, encrypts the data, and sends the encrypted data to the web servers in a secure SSL session. This measure reports the count of those SSL sessions that are front-ended by such virtual servers. |
Front-End SSLv2 sessions | Indicates the number of Front-end SSLv2 sessions on this ADC device during the last measurement period. | Number | |
Front-End SSLv3 sessions | Indicates the number of Front-end SSLv3 sessions on this ADC device during the last measurement period. | Number | |
Front-End TLSv1 sessions | Indicates the number of TLSv1 sessions on this ADC device during the last measurement period. | Number | |
Front-End new sessions | Indicates the number of new Front-end SSL sessions on this ADC device during the last measurement period. | Number | |
Front-End SSL session reuse misses | Indicates the number of SSL session reuse misses on the ADC appliance since the last measurement period. | Number | For SSL transactions, establishing the initial SSL handshake requires CPU-intensive public key encryption operations. Most handshake operations are associated with the exchange of the SSL session key (client key exchange message). When a client session is idle for some time and is then resumed, the SSL handshake is typically conducted all over again. With session reuse enabled, session key exchange is avoided for session resumption requests received from the client. Session reuse is enabled on the ADC appliance by default. Enabling this feature reduces server load, improves response time, and increases the number of SSL transactions per second (TPS) that can be supported by the server. A server, therefore, is said to be performing at peak capacity if the value of the Front-End SSL session reuse misses measure is low and the value of the Front-End SSL session reuse hits measure is high. |
Front-End SSL session reuse hits | Indicates the number of SSL session reuse hits on the ADC appliance since the last measurement period. | Number | |
Front-End SSLv1 client authentications | Indicates the number of client authentications performed through the Front-end SSLv2 transactions on this ADC device during the last measurement period. | Number | |
Front-End SSLv3 client authentications | Indicates the number of client authentications performed through the Front-end SSLv3 transactions on this ADC device during the last measurement period. | Number | |
Front-End TLSv1 client authentications | Indicates the number of client authentications performed through the Front-end TLSv1 transactions on this ADC device during the last measurement period. | Number | |
Back-End SSL sessions | Indicates the number of Back-end SSL sessions through which transactions were performed on the virtual server by this ADC device during the last measurement period. | Number | In certain deployments, you might be concerned about network vulnerabilities between the ADC appliance and the backend servers, or you might need complete end-to-end security and interaction with certain devices that can communicate only in clear text (for example, caching devices). In such cases, you can set up an HTTP virtual server that receives data from clients that connect to it at the front end and hands the data off to a secure service, which securely transfers the data to the web server. To implement this type of configuration, you configure an HTTP virtual server on the ADC and bind SSL-based services to the virtual server. The ADC receives HTTP requests from the client on the configured HTTP virtual server, encrypts the data, and sends the encrypted data to the web servers in a secure SSL session. This measure reports the count of those SSL sessions between the front-end HTTP virtual server and the backend web servers. |
Back-End SSLv3 sessions | Indicates the number of Back-end SSLv3 sessions through which transactions were performed on the virtual server by this ADC device during the last measurement period. | Number | |
Back-End TLSv1 sessions | Indicates the number of Back-end TLSv1 sessions through which transactions were performed on the virtual server by this ADC device during the last measurement period. | Number | |
Back-End SSL sessions multiplex attempts | Indicates the number of Back-end SSL session multiplexing attempts made by this ADC device to access the virtual servers during the last measurement period. | Number | You can configure the back-end SSL transactions so that the ADC appliance uses SSL session multiplexing to reuse existing SSL sessions with the back-end web servers, thus avoiding CPU-intensive key exchange (full handshake) operations. This reduces the overall number of SSL sessions on the server, and therefore accelerates the SSL transaction while maintaining end-to-end security. This is why a large number of Back-End SSL sessions multiplex attempts successes is desired. On the other hand, too many Back-End SSL sessions multiplex attempts failures could imply that SSL sessions could not be reused. This in turn can result in increased full handshakes, probable session overloads on the backend web servers, and consequently, slower SSL transaction processing. |
Back-End SSL sessions multiplex attempts successes | Indicates the number of Back-end SSL session multiplexing attempts that were successfully made by this ADC device during the last measurement period. | Number | |
Back-End SSL sessions multiplex attempts failures | Indicates the number of failed Back-end SSL session multiplexing attempts made by this ADC device during the last measurement period. | Number | |
Back-End SSLv3 client authentications | Indicates the number of client authentications performed by the virtual server through SSLv3 sessions during the last measurement period. | Number | |
Back-End TLSv1 client authentications | Indicates the number of client authentications performed by the virtual server through TLSv1 sessions during the last measurement period. | Number | |
Data decrypted | Indicates the amount of data decrypted on this ADC device during the last measurement period. | MB | |
Data encrypted | Indicates the amount of data encrypted on this ADC device during the last measurement period. | MB | |
TLSv1.1 transactions | Indicates the number of TLSv1.1 transactions on this ADC device during the last measurement period. | Number | |
TLSv1.2 transactions | Indicates the number of TLSv1.2 transactions on this ADC device during the last measurement period. | Number | |
Front-End TLSv1.1 sessions | Indicates the number of front-end TLSv1.1 transactions on this ADC device during the last measurement period. | Number | |
Front-End TLSv1.2 sessions | Indicates the number of front-end TLSv1.2 transactions on this ADC device during the last measurement period. | Number | |
Front-End TLSv1.1 client authentications | Indicates the number of client authentications performed through the Front-end TLSv1.1 transactions on this ADC device during the last measurement period. | Number | |
Front-End TLSv1.2 client authentications | Indicates the number of client authentications performed through the Front-end TLSv1.2 transactions on this ADC device during the last measurement period. | Number | |
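Most of the measures above are "during the last measurement period" values, and the interpretation text for session reuse misses and for back-end multiplexing attempts describes what a healthy ratio looks like. The Python below, added as an illustration and not eG Enterprise or Citrix code, turns two consecutive polls of the NITRO SSL statistics into per-interval values and applies those interpretations: it flags SSL cards that are Down, an SSL engine that is not UP, a high front-end session reuse miss rate, a high back-end multiplexing failure rate, and any SSLv2/SSLv3 transactions (protocol versions that are deprecated and should no longer be negotiated). It assumes that the NITRO counters carry the names used in `COUNTERS` (for example `ssltotsessionhits`) and that the numeric equivalent of the SSL engine's UP state is 1; the page does not say how the eG agent produces per-period values, so differencing two cumulative snapshots is this example's own approach. Both snapshots are constructed sample data.

```python
"""Derive per-interval SSL measures from two NITRO stat/ssl snapshots and apply
the health interpretations from the SSL test documentation.

Added example, not eG Enterprise or Citrix code. Counter names are assumed to
match the NITRO stat/ssl object; the two snapshots are constructed sample data.
"""
from typing import Dict, List, Tuple

MB = 1024 * 1024
ENGINE_UP = 1  # assumed numeric equivalent of the SSL engine's UP state

# Constructed sample snapshots of the cumulative counters, one poll apart.
PREV_SNAPSHOT = {
    "sslenginestatus": 1, "sslcards": 2, "sslnumcardsup": 2,
    "ssltottransactions": 10000, "ssltotsslv2transactions": 0,
    "ssltotsslv3transactions": 5, "ssltottlsv1transactions": 2000,
    "ssltotsessionnew": 3000, "ssltotsessionhits": 6000, "ssltotsessionmiss": 1000,
    "sslbetotsessionmultiplexattempts": 4000,
    "sslbetotsessionmultiplexattemptsuccess": 3800,
    "sslbetotsessionmultiplexattemptfails": 200,
    "ssltotdecbytes": 50 * MB, "ssltotencbytes": 40 * MB,
}
CURR_SNAPSHOT = {
    "sslenginestatus": 1, "sslcards": 2, "sslnumcardsup": 1,  # one card went Down
    "ssltottransactions": 12500, "ssltotsslv2transactions": 0,
    "ssltotsslv3transactions": 8, "ssltottlsv1transactions": 2300,
    "ssltotsessionnew": 3500, "ssltotsessionhits": 7500, "ssltotsessionmiss": 1600,
    "sslbetotsessionmultiplexattempts": 5000,
    "sslbetotsessionmultiplexattemptsuccess": 4600,
    "sslbetotsessionmultiplexattemptfails": 400,
    "ssltotdecbytes": 62 * MB, "ssltotencbytes": 49 * MB,
}

# Page measure -> assumed cumulative NITRO counter name.
COUNTERS = {
    "SSL transactions": "ssltottransactions",
    "SSLv2 transactions": "ssltotsslv2transactions",
    "SSLv3 transactions": "ssltotsslv3transactions",
    "TLSv1 transactions": "ssltottlsv1transactions",
    "Front-End new sessions": "ssltotsessionnew",
    "Front-End SSL session reuse hits": "ssltotsessionhits",
    "Front-End SSL session reuse misses": "ssltotsessionmiss",
    "Back-End SSL sessions multiplex attempts": "sslbetotsessionmultiplexattempts",
    "Back-End SSL sessions multiplex attempts successes": "sslbetotsessionmultiplexattemptsuccess",
    "Back-End SSL sessions multiplex attempts failures": "sslbetotsessionmultiplexattemptfails",
    "Data decrypted": "ssltotdecbytes",
    "Data encrypted": "ssltotencbytes",
}


def interval_delta(prev: dict, curr: dict) -> Dict[str, float]:
    """Per-interval values from two cumulative snapshots. A counter that went
    backwards (appliance restart or counter reset) is reported as its current
    value instead of a negative delta. Byte counters are converted to MB to
    match the page's unit."""
    out: Dict[str, float] = {}
    for measure, key in COUNTERS.items():
        p, c = int(prev.get(key, 0)), int(curr.get(key, 0))
        out[measure] = c - p if c >= p else c
    for measure in ("Data decrypted", "Data encrypted"):
        out[measure] = out[measure] / MB
    return out


def ratio(num: float, den: float) -> float:
    return num / den if den else 0.0


def evaluate(delta: Dict[str, float], curr: dict,
             reuse_miss_max: float = 0.2, mux_fail_max: float = 0.1) -> List[Tuple[str, str]]:
    """Apply the page's interpretations; returns (code, message) findings.
    The two rate thresholds are illustrative defaults, not values from the page."""
    findings: List[Tuple[str, str]] = []
    if int(curr.get("sslenginestatus", 0)) != ENGINE_UP:
        findings.append(("ssl_engine_down", "SSL engine is not UP; SSL acceleration is not taking place"))
    cards, up = int(curr.get("sslcards", 0)), int(curr.get("sslnumcardsup", 0))
    if up < cards:
        findings.append(("ssl_cards_down", f"{cards - up} of {cards} SSL cards are Down"))
    hits = delta["Front-End SSL session reuse hits"]
    misses = delta["Front-End SSL session reuse misses"]
    miss_rate = ratio(misses, hits + misses)
    if miss_rate > reuse_miss_max:
        findings.append(("session_reuse_misses",
                         f"front-end session reuse miss rate {miss_rate:.0%}: resumptions are falling back to full handshakes"))
    attempts = delta["Back-End SSL sessions multiplex attempts"]
    fails = delta["Back-End SSL sessions multiplex attempts failures"]
    fail_rate = ratio(fails, attempts)
    if fail_rate > mux_fail_max:
        findings.append(("multiplex_failures",
                         f"back-end multiplex failure rate {fail_rate:.0%}: sessions with the web servers are not being reused"))
    legacy = delta["SSLv2 transactions"] + delta["SSLv3 transactions"]
    if legacy:
        findings.append(("legacy_ssl_in_use",
                         f"{legacy:.0f} SSLv2/SSLv3 transactions: deprecated protocol versions are still being negotiated"))
    return findings


if __name__ == "__main__":
    delta = interval_delta(PREV_SNAPSHOT, CURR_SNAPSHOT)
    for measure, value in delta.items():
        print(f"{measure}: {value}")
    for code, message in evaluate(delta, CURR_SNAPSHOT):
        print(f"[{code}] {message}")
```

The reset handling in `interval_delta` matters in practice: after an appliance restart the cumulative counters start again from zero, and a naive subtraction would report a large negative transaction count for one interval and suppress real alerts until the next poll.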