Nortel Networks Web OS 10.0 Application Guide, 212777-A, February 2002

Chapter 16: Persistence (page 437)

SSL Session ID-Based Persistence

SSL is a set of protocols layered on top of TCP/IP that allows an application server and a client to
communicate over an encrypted session (HTTPS, when the application protocol is HTTP), providing
server authentication and both confidentiality and integrity for the application data. The SSL
handshake is performed in clear (unencrypted) text; the application data is then encrypted, using the
cipher suite negotiated and the keys established during the handshake, before it is transmitted.

Using the SSL session ID, the switch forwards a client's requests to the same real server to
which the client was bound during the last session. Because the SSL protocol allows many TCP
connections from the same client to resume the same session ID with a server, the full key
exchange needs to be done only when the session ID expires. This reduces server overhead and
provides a mechanism for sending all of a client's sessions to the same real server even when the
client IP address changes, which source-IP-based persistence cannot do.

NOTE: The destination port number the switch monitors for SSL traffic is user-configurable.

How SSL Session ID-Based Persistence Works

- All SSL sessions that present the same session ID (up to 32 bytes, chosen by the SSL
server) will be directed to the same real server.

NOTE: The SSL session ID can only be read by the switch after the TCP three-way handshake.
In order to make a forwarding decision, the switch must terminate the client's TCP connection
itself (delayed binding) and examine the first handshake record before it opens a connection
to a real server.

- New sessions are sent to the real server based on the metric selected (hash, roundrobin,
leastconns, minmisses, response, and bandwidth).

- If no session ID is presented by the client, the switch picks a real server based on the
metric for the real server group and waits until a connection is established with the real
server and a session ID is received from it.

- The session ID is stored in a session hash table. Subsequent connections that present the
same session ID are sent to the same real server. This binding is preserved even if the
server changes the session ID mid-stream: the new ID is bound to the same real server. A
change of session ID means the SSL session cannot be resumed, so a full SSL handshake with a
new key exchange occurs.

- Session IDs are kept on the switch until an idle time equal to the configured server
timeout (a default of 10 minutes) for the selected real server has expired.
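The procedure above, and the note that the session ID is readable only once the TCP handshake has completed, as an added example in Python (illustrative code, not Web OS source). It parses the session ID out of the clear-text ClientHello or ServerHello, binds IDs to real servers in a hash table with the 10-minute idle timeout, falls back to the roundrobin metric when the client presents no ID, and learns the ID the real server hands out. The Hello records are constructed by hand in the SSLv3/TLS 1.x layout rather than captured from a switch; the `SessionIdPersistence` class, its method names, and the choice to treat an unknown or expired ID like a missing one are assumptions.

```python
"""Session-ID persistence as a layer-7 load balancer would implement it.

Added illustrative code, not Web OS source. Hello records are constructed
by hand in the SSLv3/TLS 1.x layout; they are not captures from a switch.
"""
import itertools
import struct

HANDSHAKE = 0x16                 # TLS record content type for handshake messages
CLIENT_HELLO, SERVER_HELLO = 1, 2


def parse_hello_session_id(record: bytes) -> bytes:
    """Extract the session ID from a ClientHello or ServerHello record.

    Both messages begin with the same clear-text fields:
      record header (5) | handshake header (4) | version (2) | random (32)
      | session_id_len (1) | session_id (0..32)
    so the switch can read the ID from the first record that arrives after
    the TCP three-way handshake. Returns b'' when no session ID is present.
    """
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not an SSL/TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a Hello message")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 35:
        raise ValueError("truncated Hello")
    sid_len = hello[34]                      # byte after version(2) + random(32)
    if sid_len > 32 or len(hello) < 35 + sid_len:
        raise ValueError("bad session ID length")
    return hello[35:35 + sid_len]


def build_hello(msg_type: int, session_id: bytes) -> bytes:
    """Build a minimal Hello record (constructed sample data for the demo)."""
    rnd = bytes(32)                          # fixed placeholder for the 32-byte random
    if msg_type == CLIENT_HELLO:
        tail = b"\x00\x02\x00\x2f" + b"\x01\x00"   # one cipher suite, null compression
    else:
        tail = b"\x00\x2f" + b"\x00"               # chosen suite, null compression
    body = b"\x03\x01" + rnd + bytes([len(session_id)]) + session_id + tail
    handshake = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


class SessionIdPersistence:
    """Binds SSL session IDs to real servers, with an idle timeout.

    `now` is passed in by the caller so behaviour is deterministic; the 600 s
    default mirrors the guide's 10-minute server timeout. Only the roundrobin
    metric is modelled for the no-session-ID case (an assumption).
    """

    def __init__(self, real_servers, idle_timeout: float = 600.0):
        self.idle_timeout = idle_timeout
        self._roundrobin = itertools.cycle(list(real_servers))
        self.table = {}                      # session_id -> (real server, last seen)

    def choose_server(self, client_hello: bytes, now: float):
        """Return (server, reason) for a new client connection."""
        sid = parse_hello_session_id(client_hello)
        if sid:
            entry = self.table.get(sid)
            if entry is not None and now - entry[1] <= self.idle_timeout:
                self.table[sid] = (entry[0], now)      # refresh the idle timer
                return entry[0], "persisted"
            self.table.pop(sid, None)        # expired or never seen: fall through
        return next(self._roundrobin), "metric"

    def learn(self, server, server_hello: bytes, now: float) -> bytes:
        """Record the ID the real server handed out in its ServerHello.

        A new ID issued mid-stream is bound to the same server, so the
        binding survives the change.
        """
        sid = parse_hello_session_id(server_hello)
        if sid:
            self.table[sid] = (server, now)
        return sid

    def expire(self, now: float) -> int:
        """Drop bindings idle longer than the timeout; return how many."""
        stale = [s for s, (_, seen) in self.table.items() if now - seen > self.idle_timeout]
        for s in stale:
            del self.table[s]
        return len(stale)


if __name__ == "__main__":
    lb = SessionIdPersistence(["rs1", "rs2"])
    server, why = lb.choose_server(build_hello(CLIENT_HELLO, b""), now=0.0)
    sid = lb.learn(server, build_hello(SERVER_HELLO, bytes(range(16))), now=0.0)
    print(server, why, sid.hex())
    print(lb.choose_server(build_hello(CLIENT_HELLO, sid), now=100.0))
```

Note that the binding is only as good as the switch's view of the handshake: if the client's first record is not a Hello on the monitored port, the parser rejects it rather than guessing, which is the behaviour a practitioner wants from anything that makes forwarding decisions on partially parsed traffic.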
