Posted to commits@trafficserver.apache.org by di...@apache.org on 2010/02/02 23:17:16 UTC

svn commit: r905817 [1/2] - in /incubator/trafficserver/site/trunk/docs/admin: secure.htm trouble.htm

Author: dianes
Date: Tue Feb  2 22:17:15 2010
New Revision: 905817

URL: http://svn.apache.org/viewvc?rev=905817&view=rev
Log:
corrections to doc errata that were previously overlooked

Modified:
    incubator/trafficserver/site/trunk/docs/admin/secure.htm
    incubator/trafficserver/site/trunk/docs/admin/trouble.htm

Modified: incubator/trafficserver/site/trunk/docs/admin/secure.htm
URL: http://svn.apache.org/viewvc/incubator/trafficserver/site/trunk/docs/admin/secure.htm?rev=905817&r1=905816&r2=905817&view=diff
==============================================================================
--- incubator/trafficserver/site/trunk/docs/admin/secure.htm (original)
+++ incubator/trafficserver/site/trunk/docs/admin/secure.htm Tue Feb  2 22:17:15 2010
@@ -10,18 +10,18 @@
 <p>Traffic Server provides a number of security features.</p>
 <p>This chapter discusses the following topics: </p>
 <ul>
-<li><a href="#ControllingClientAccessProxyCache"><em>Controlling Client Access to the Proxy Cache</em></a></li> 
-<li><a href="#ControllingAccessTrafficManager"><em>Controlling Access: SSL</em></a></li> 
-<li><a href="#ConfiguringDNSServerSelectionSplit"><em>Configuring DNS Server Selection (Split DNS)</em></a></li> 
-<li><a href="#ConfiguringProxyAuthentication"><em>Configuring Proxy Authentication</em></a></li> 
-<li><a href="#UsingSSLTermination"><em>Using SSL Termination</em></a></li> 
+<li><a href="#ControllingClientAccessProxyCache">Controlling Client Access to the Proxy Cache</a></li> 
+<li><a href="#ControllingAccessTrafficManager">Controlling Access: SSL</a></li> 
+<li><a href="#ConfiguringDNSServerSelectionSplit">Configuring DNS Server Selection (Split DNS)</a></li> 
+<li><a href="#ConfiguringProxyAuthentication">Configuring Proxy Authentication</a></li> 
+<li><a href="#UsingSSLTermination">Using SSL Termination</a></li> 
 </ul>
 <h2 id="ControllingClientAccessProxyCache">Controlling Client Access to the Proxy Cache</h2>
 <p>You can configure Traffic Server to allow only certain clients to use the proxy cache by  editing a configuration file.</p>
 <h5>To specify the clients allowed to use the proxy cache: </h5>
 <ol>
   <li>In a text editor, open the <code>ip_allow.config</code> file located in the Traffic Server <code>config</code> directory. </li>
-  <li>Add a line in the file for each IP address or range of IP addresses allowed to access Traffic Server (refer to <a href="files.htm#53256"><em>ip_allow.config</em></a>). </li>
+  <li>Add a line in the file for each IP address or range of IP addresses allowed to access Traffic Server (refer to <a href="files.htm#53256">ip_allow.config</a>). </li>
   <li>Save and close the <code>ip_allow.config</code> file. </li>
   <li>Navigate to the Traffic Server <code>bin</code> directory.</li>
   <li>Run the command <code>traffic_line -x</code> to apply the configuration changes.</li>
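
Review bot: The added table-of-contents entry "Controlling Access: SSL" does not match the heading it links to, which reads "Controlling Access via SSL" in the next hunk. Since this pass is already touching every entry in the list, make the link text match the heading. The list also mixes link targets that are defined with id= on the heading and with <a name=...> inside the heading further down; picking one form would keep the anchors consistent.
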
@@ -29,42 +29,40 @@
 <h2 id="ControllingAccessTrafficManager">Controlling Access via SSL</h2>
 <p>By restricting access to Traffic Server, you ensure that only authenticated users can change configuration options and view network traffic statistics. </p>
 <h3 id="UsingSSLSecureAdministration">Using SSL for Secure Administration</h3>
-<p>Traffic Server supports the Secure Sockets Layer protocol (SSL) to provide protection for remote administrative monitoring and configuration. SSL security provides authentication for both ends of a network connection via certificates, and provides privacy via encryption. </p>
-<p>To use SSL, you must perform the following procedures:  </p>
+<p>Traffic Server supports the Secure Sockets Layer  (<b>SSL</b>) protocol to provide protection for remote administrative monitoring and configuration. SSL security provides authentication for both ends of a network connection via certificates and provides privacy via encryption. </p>
+<p>To use SSL, you must do the following:  </p>
 <ul>
   <li>Obtain an SSL certificate  </li>
   <li>Enable SSL   </li>
 </ul>
 <h4>Obtain an SSL Certificate </h4>
-<p>The SSL certificate is a text file  you must install in the Traffic Server <code>config</code> directory. You must either rename the certificate to the default filename <code>private_key.pem</code>, or specify the name of the certificate in the configuration file (follow the procedure in <a href="#EnablingSSL"><em>Enabling SSL</em></a>). </p>
+<p>The SSL certificate is a text file  you must install in the Traffic Server <code>config</code> directory. Either rename the certificate to the default filename <code>private_key.pem</code>, or specify the name of the certificate in the configuration file (follow the procedure in <a href="#EnablingSSL">Enabling SSL</a>). </p>
 <h4 id="EnablingSSL">Enable SSL</h4>
-<p>After you have obtained an SSL certificate, enable SSL  by manually editing a configuration file. Follow the steps below:</p>
+<p>After you've obtained an SSL certificate, enable SSL  by manually editing a configuration file. Follow the steps below:</p>
 <ol>
   <li>In a text editor, open the <code>records.config</code> file located in the Traffic Server <code>config</code> directory.  </li>
   <li>Edit the following variables:</li>
-<br />
-<table width="1232" border="1">
+  <table width="1232" border="1">
     <tr>
       <th width="322" scope="col">Variable</th>
       <th width="894" scope="col">Description</th>
     </tr>
     <tr>
       <td><code><i>proxy.config.admin.use_ssl</i></code></td>
-      <td>Set this variable to 1 to enable SSL.</td>
+      <td>Set this variable to <code>1</code> to enable SSL.</td>
   </tr>
       <tr>
       <td><code><i>proxy.config.admin.ssl_cert_file</i></code></td>
       <td>Set this variable to specify the filename of the SSL certificate. You have to change the filename only if the certificate file does not use the default name <code>private_key.pem</code>.</td>
   </tr>
 </table>
-<br />
   <li>Save and close the <code>records.config</code> file. </li>
   <li>Navigate to the Traffic Server <code>bin</code> directory.</li>
   <li>Run the command <code>traffic_line -x</code> to apply the configuration changes.</li>
 </ol>
 <h2><a name="ConfiguringDNSServerSelectionSplit"></a>Configuring DNS Server Selection (Split DNS)</h2>
-<p>The Split DNS option enables you to configure Traffic Server to use multiple DNS servers, as dictated by your security requirements. For example, you might configure Traffic Server to use one set of DNS servers to resolve hostnames on your internal network, while allowing DNS servers outside the firewall to resolve hosts on the Internet. This maintains the security of your intranet, while continuing to provide direct access to sites outside your organization. </p>
-<p>To configure Split DNS, you must perform the following tasks: </p>
+<p>The <b>Split DNS </b>option enables you to configure Traffic Server to use multiple DNS servers, as dictated by your security requirements. For example, you might configure Traffic Server to use one set of DNS servers to resolve hostnames on your internal network, while allowing DNS servers outside the firewall to resolve hosts on the Internet. This maintains the security of your intranet, while continuing to provide direct access to sites outside your organization. </p>
+<p>To configure Split DNS, you must do the following: </p>
 <ul>
   <li>Specify the rules for performing DNS server selection based on the destination domain, the destination host, or a URL regular expression. </li>
   <li>Enable the <b>Split DNS</b> option.</li>
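
Review bot: In the "Obtain an SSL Certificate" paragraph the reworded sentence still tells the reader to give the certificate the default filename private_key.pem, and the proxy.config.admin.ssl_cert_file row repeats that default, but nothing says whether this file is expected to hold the private key as well as the certificate. Suggest stating what the file must contain, and if it does hold the key, saying that it has to be readable only by the Traffic Server user. Separately, the re-indented <table> is still a direct child of <ol>, between two <li> elements; moving it inside the "Edit the following variables" item would make the list valid HTML and make the removed <br /> spacers unnecessary for good.
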
@@ -72,26 +70,24 @@
 <h5>To configure Split DNS: </h5>
 <ol>
   <li>In a text editor, open the <code>splitdns.config</code> file located in the Traffic Server <code>config</code> directory. </li>
-  <li>Add rules to the <code>splitdns.config</code> file. For information about the format of the <code>splitdns.config</code> file, <a href="files.htm#132448"><em>click here</em></a>. </li>
+  <li>Add rules to the <code>splitdns.config</code> file. For information about the format of the <code>splitdns.config</code> file, <a href="files.htm#132448">click here</a>. </li>
   <li>Save and close the <code>splitdns.config</code> file.</li>
   <li>In a text editor, open the <code>records.config</code> file located in the Traffic Server <code>config</code> directory. </li>
   <li>Edit the following variables:</li>
-  <br />
-<table width="1232" border="1">
+  <table width="1232" border="1">
     <tr>
       <th width="322" scope="col">Variable</th>
       <th width="894" scope="col">Description</th>
     </tr>
     <tr>
       <td><code><i>proxy.process.dns.splitDNS.enabled</i></code></td>
-      <td>Set this variable to 1 to enable split DNS.</td>
+      <td>Set this variable to <code>1</code> to enable split DNS.</td>
   </tr>
    <tr>
       <td><code><i>proxy.config.dns.splitdns.def_domain</i></code></td>
       <td>Set this variable to specify the default domain for split DNS requests. Traffic Server appends this value automatically to a hostname that does not include a domain before determining which DNS server to use.</td>
   </tr>
 </table>
-<br />
   <li>Save and close the <code>records.config</code> file. </li>
   <li>Navigate to the Traffic Server <code>bin</code> directory. </li>
   <li>Run the command <code>traffic_line -x</code> to apply the configuration changes. </li>
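
Review bot: The first table row names the variable proxy.process.dns.splitDNS.enabled, while the row below it and every other setting in this file use the proxy.config. prefix. The hunk edits the description cell of that row but leaves the name alone, so please confirm the name against records.config and correct it here if it is a typo, because a reader who copies it verbatim may end up with split DNS silently not enabled. The link text "click here" on the added line could also name its target, for example "splitdns.config".
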
@@ -99,46 +95,45 @@
 
 
 <h2><a name="UsingSSLTermination"></a>Using SSL Termination</h2>
-<p>The Traffic Server SSL termination option enables you to secure connections in reverse proxy mode between a client and a Traffic Server and/or Traffic Server and an origin server.  </p>
+<p>The Traffic Server <b>SSL termination</b> option enables you to secure connections in reverse proxy mode between a client and a Traffic Server and/or Traffic Server and an origin server. </p>
 <p>The following sections describe how to enable and configure the SSL termination option.  </p>
 <ul>
-  <li>To enable and configure SSL termination for client/Traffic Server connections: <a href="#ClientTrafficEdgeConnections"><em>Client and Traffic Server Connections</em></a>. </li>
-  <li>To enable and configure SSL termination for Traffic Server/origin server connections:  <a href="#TrafficEdgeOriginServerConnections"><em>Traffic Server and Origin Server Connections</em></a>. </li>
-  <li>To enable and configure SSL termination for both client/Traffic Server and Traffic Server/origin server connections: <a href="#ClientTrafficEdgeConnections"><em>Client and Traffic Server Connections</em></a> and <a href="#TrafficEdgeOriginServerConnections"><em>Traffic Server and Origin Server Connections</em></a>. </li>
+  <li>Enable and configure SSL termination for client/Traffic Server connections: <a href="#ClientTrafficEdgeConnections">Client and Traffic Server Connections</a>. </li>
+  <li>Enable and configure SSL termination for Traffic Server/origin server connections:  <a href="#TrafficEdgeOriginServerConnections">Traffic Server and Origin Server Connections</a>. </li>
+  <li>Enable and configure SSL termination for both client/Traffic Server and Traffic Server/origin server connections: <a href="#ClientTrafficEdgeConnections">Client and Traffic Server Connections</a> and <a href="#TrafficEdgeOriginServerConnections">Traffic Server and Origin Server Connections</a>, respectively.</li>
 </ul>
-<p>If you install an SSL accelerator card on your Traffic Server system, then you must perform additional configuration steps - refer to <a href="#ConfiguringTrafficEdgeSSLAcceleratorCard"><em>Configuring Traffic Server to Use an SSL Accelerator Card</em></a>. </p>
+<p>If you install an SSL accelerator card on your Traffic Server system, then you must perform additional configuration steps - refer to <a href="#ConfiguringTrafficEdgeSSLAcceleratorCard">Configuring Traffic Server to Use an SSL Accelerator Card</a>. </p>
 <h3 id="ClientTrafficEdgeConnections">Client and Traffic Server Connections </h3>
-<p>The figure below illustrates communication between a client and Traffic Server and between Traffic Server and an origin server, when the SSL termination option is enabled &amp; configured <i>for client/Traffic Server connections only.</i></p>
+<p>The figure below illustrates communication between a client and Traffic Server (and between Traffic Server and an origin server) when the SSL termination option is enabled &amp; configured for<b> client/Traffic Server connections only</b>.</p>
 <p><img src="images/ssl_c.jpg" width="1017" height="388" /></p>
 <blockquote>
   <p><em><b>Client and Traffic Server communication using SSL termination</b></em></p>
 </blockquote>
-<p>The figure above demonstrates the following: </p>
-<p><strong>Step 1:</strong> The client sends an HTTPS request for content. Traffic Server receives the request and performs the SSL 'handshake' to authenticate the client (depending on the authentication options configured) and  determine the encryption method to be used. If the client is allowed access, then Traffic Server checks its cache for the requested content. </p>
+<p>The figure above depicts the following: </p>
+<p><strong>Step 1:</strong> The client sends an HTTPS request for content. Traffic Server receives the request and performs the SSL 'handshake' to authenticate the client (depending on the authentication options configured) and  determine the encryption method that will be used. If the client is allowed access, then Traffic Server checks its cache for the requested content. </p>
 <p><strong>Step 2:</strong> If the request is a cache hit and the content is fresh, thenTraffic Server encrypts the content and sends it to the client. The client decrypts the content (using the method determined during the handshake) and displays it. </p>
-<p><strong>Step 3:</strong> If the request is a cache miss or is stale, then Traffic Server communicates with the origin server via HTTP and obtains a plain text version of the content. Traffic Server saves the plain text version of the content in its cache, encrypts the content, and sends it to the client. The client decrypts and displays the content. </p>
-<p>To configure Traffic Server to use the SSL termination option for client/Traffic Server connections, you must perform the following procedures: </p>
+<p><strong>Step 3:</strong> If the request is a cache miss or cached content is stale, then Traffic Server communicates with the origin server via HTTP and obtains a plain text version of the content. Traffic Server saves the plain text version of the content in its cache, encrypts the content, and sends it to the client. The client decrypts and displays the content. </p>
+<p>To configure Traffic Server to use the SSL termination option for client/Traffic Server connections, you must do the following: </p>
 <ul>
   <li>Obtain and install an SSL server certificate from a recognized certificate authority (such as VeriSign). The SSL server certificate contains information that enables the client to authenticate Traffic Server and exchange  encryption keys. </li>
   <li>Configure SSL termination options: </li>
 <ul> 
-<li>Enable the SSL termination option. </li>
+<li>Enable the <b>SSL termination</b> option. </li>
   <li>Set the port number used for SSL communication. </li>
   <li>Specify the filename and location of the server certificate. </li>
-  <li><em>(Optional)</em> Configure the use of client certificates. <br />
-    Client certificates are located on the client. If you configure Traffic Server to require client certificates, then Traffic Server verifies the client certificate during the SSL handshake to authenticate the client. If you configure Traffic Server to <em>not</em> require client certificates, then access to Traffic Server is managed through other Traffic Server options that have been set (such as rules in the <code>ip_allow.config</code> file). </li>
-  <li>Specify the filename and location of the Traffic Server private key (if the private key is not located in the server certificate file) <br />
+  <li>(Optional) Configure the use of client certificates. <br />
+    Client certificates are located on the client. If you configure Traffic Server to require client certificates, then Traffic Server verifies the client certificate during the SSL handshake that authenticates the client. If you configure Traffic Server to <em>not</em> require client certificates, then access to Traffic Server is managed through other Traffic Server options that have been set (such as rules in the <code>ip_allow.config</code> file). </li>
+  <li>Specify the filename and location of the Traffic Server private key (if the private key is not located in the server certificate file). <br />
     Traffic Server uses its private key during the SSL handshake to decrypt the session encryption keys. The private key must be stored and protected against theft. </li>
-  <li><i>(Optional)</i> Configure the use of certification authorities (CAs). <br />
-    CAs provide added security by verifying the identity of the person requesting a certificate.</li>
+  <li>(Optional) Configure the use of Certification Authorities (CAs). <br />
+    CAs  add security by verifying the identity of the person requesting a certificate.</li>
 </ul>
 </ul>
 <h5>To configure SSL termination for client/Traffic Server connections: </h5>
 <ol>
   <li>In a text editor, open the <code>records.config</code> file located in the Traffic Server <code>config</code> directory.  </li>
   <li>Edit the following variables in the <code>SSL Termination</code> section of the file: </li>
-  <br />
-<table width="1232" border="1">
+  <table width="1232" border="1">
     <tr>
       <th width="322" scope="col">Variable</th>
       <th width="894" scope="col">Description</th>
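
Review bot: Step 2 still reads "thenTraffic Server encrypts the content" with the space missing; the lines on either side of it are corrected in this hunk, so this one looks overlooked. In the client-certificate bullet, the change from "during the SSL handshake to authenticate the client" to "during the SSL handshake that authenticates the client" now reads as if the handshake always authenticates the client, which contradicts Step 1 ("depending on the authentication options configured"); the original wording was the accurate one. The inner <ul> under "Configure SSL termination options:" is also a direct child of the outer <ul> rather than of that <li>.
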
@@ -153,11 +148,16 @@
   </tr>
    <tr>
       <td><code><i>proxy.config.ssl.client.certification_level</i></code></td>
-      <td>Set this variable to one of the following values:<br />0 specifies that no client certificates are required. Traffic Server does not verify client certificates during the SSL handshake. Access to Traffic Server depends on Traffic Server configuration options (such as access control lists).<br />1 specifies that client certificates are optional. If a client has a certificate, the certificate is validated. If the client does not have a certificate, the client is still allowed access to Traffic Server unless access is denied through other Traffic Server configuration options.<br />2 specifies that client certificates are required. The client must be authenticated during the SSL handshake. Clients without a certificate are not allowed to access Traffic Server.</td>
+      <td>Set this variable to one of the following values:<br />
+        <code>0</code> - no client certificates are required. Traffic Server does not verify client certificates during the SSL handshake. Access to Traffic Server depends on Traffic Server configuration options (such as access control lists).<br />
+        <code>1</code> - client certificates are optional. If a client has a certificate, then the certificate is validated. If the client does not have a certificate, then the client is still allowed access to Traffic Server unless access is denied through other Traffic Server configuration options.<br />
+        <code>2</code> - client certificates are required. The client must be authenticated during the SSL handshake; Clients without a certificate are not allowed to access Traffic Server.</td>
   </tr>
    <tr>
       <td><code><i>proxy.config.ssl.server.cert.filename</i></code></td>
-      <td>Set this variable to specify the filename of the Traffic Server SSL server certificate.<br />Traffic Server provides a demo server certificate called <code>server.pem</code>. You can use this certificate to verify that the SSL feature is working.<br />If you are using multiple server certificates, set this variable to specify the default filename.</td>
+      <td>Set this variable to specify the filename of the Traffic Server SSL server certificate.<br />
+        Traffic Server provides a demo server certificate called <code>server.pem</code> - use this certificate to verify that the SSL feature is working.<br />
+        If you are using multiple server certificates, then set this variable to specify the default filename.</td>
   </tr>
    <tr>
       <td><code><i>proxy.config.ssl.server.cert.path</i></code></td>
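
Review bot: In the added line for value 2, "during the SSL handshake; Clients without a certificate" has a capital after the semicolon; either lower-case "clients" or keep the two sentences of the original. In the proxy.config.ssl.server.cert.filename row, the text recommends the bundled demo certificate server.pem for checking that SSL works but never says to replace it; a sentence stating that the demo certificate is for testing only and must be replaced with your own certificate before serving real traffic would close that gap. The descriptions for values 0 and 1 would also be clearer if they said explicitly that the client is not authenticated by certificate in those modes.
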
@@ -180,25 +180,23 @@
       <td>Specify the location of the certificate authority file that client certificates will be verified against. The default value is <code>NULL</code>.</td>
   </tr>
 </table>
-<br />
   <li>Save and close the <code>records.config</code> file. </li>
   <li>Navigate to the Traffic Server <code>bin</code> directory.  </li>
   <li>Run the command <code>traffic_line -L</code> to restart Traffic Server on the local node or <code>traffic_line -M</code> to restart Traffic Server on all the nodes in a cluster. </li>
 </ol>
 <h3 id="TrafficEdgeOriginServerConnections">Traffic Server and Origin Server Connections</h3>
-<p>The figure below illustrates communication between Traffic Server and an origin server when the SSL termination option is enabled for<i> Traffic Server/origin server connections</i>.</p>
+<p>The figure below illustrates communication between Traffic Server and an origin server when the SSL termination option is enabled for <b>Traffic Server/origin server connections</b>.</p>
 <p><img src="images/ssl_os.jpg" width="1039" height="313" /></p>
 <blockquote>
   <p><em><b>Traffic Server and origin server communication using SSL termination</b></em></p>
 </blockquote>
-<p>The figure above demonstrates the following: </p>
-<p><strong>Step 1:</strong> If a client request is a cache miss or is stale, then Traffic Server sends an HTTPS request for the content to the origin server. The origin server receives the request and performs the SSL handshake to authenticate Traffic Server and to determine the encryption method to be used. </p>
-<p><strong>Step 2:</strong> If Traffic Server is allowed access, then the origin server encrypts the content and sends it to Traffic Server, where it is decrypted (using the method determined during the handshake) and the plain text version of the content saved in the cache. </p>
-<p><strong>Step 3:</strong> If SSL termination is enabled for client /Traffic Server connections, then Traffic Server re-encrypts the content and sends it to the client via HTTPS, where it is decrypted and displayed. If SSL termination is not enabled for client/Traffic Server connections, Traffic Server sends the plain text version of the content to the client via HTTP. </p>
-<p>To configure Traffic Server to use the SSL termination option for Traffic Server and origin server connections, you must perform the following steps: </p>
+<p>The figure above depicts the following: </p>
+<p><strong>Step 1:</strong> If a client request is a cache miss or is stale, then Traffic Server sends an HTTPS request for the content to the origin server. The origin server receives the request and performs the SSL handshake to authenticate Traffic Server and determine the encryption method to be used. </p>
+<p><strong>Step 2:</strong> If Traffic Server is allowed access, then the origin server encrypts the content and sends it to Traffic Server, where it is decrypted (using the method determined during the handshake).  A plain text version of the content is saved in the cache. </p>
+<p><strong>Step 3:</strong> If SSL termination is enabled for client /Traffic Server connections, then Traffic Server re-encrypts the content and sends it to the client via HTTPS, where it is decrypted and displayed. If SSL termination is not enabled for client/Traffic Server connections, then Traffic Server sends the plain text version of the content to the client via HTTP. </p>
+<p>To configure Traffic Server to use the SSL termination option for Traffic Server and origin server connections, you must do the following: </p>
 <ul>
-  <li>Obtain and install an SSL <em>client</em> certificate from a recognized certificate authority (such as VeriSign). The SSL client certificate contains information that allows the origin server to authenticate Traffic Server. <br />
-  The client certificate is optional.  </li>
+  <li>Obtain and install an SSL client certificate from a recognized certificate authority (such as VeriSign). The SSL client certificate contains information that allows the origin server to authenticate Traffic Server (the client certificate is optional).  </li>
   <li>Configure SSL termination options: </li>
  <ul> <li>Enable the SSL termination option. </li>
    <li>Set the port number used for SSL communication. </li>
@@ -206,38 +204,37 @@
    <li>Specify the filename and location of the Traffic Server private key (if the private key is not located in the client certificate file). <br />
     Traffic Server uses its private key during the SSL handshake to decrypt the session encryption keys. The private key must be stored and protected against theft. </li>
    <li>Configure the use of CAs. <br />
-    CAs allow the Traffic Server that's acting as a client to verify the identity of the server with which it is communicating; this enables exchange  of encryption keys.</li>
+    CAs allow the Traffic Server that's acting as a client to verify the identity of the server with which it is communicating, thereby enabling  exchange  of encryption keys.</li>
  </ul>
 </ul>
 <h5>To configure SSL termination for Traffic Server/origin server connections: </h5>
 <ol>
   <li>In a text editor, open the <code>records.config</code> file located in the Traffic Server <code>config</code> directory.  </li>
-  <li>Edit the following variables in the SSL Termination section of the file: </li>
-  <br />
-<table width="1232" border="1">
+  <li>Edit the following variables in the <code>SSL Termination </code>section of the file: </li>
+  <table width="1232" border="1">
     <tr>
       <th width="322" scope="col">Variable</th>
       <th width="894" scope="col">Description</th>
     </tr>
     <tr>
       <td><code><i>proxy.config.ssl.auth.enabled</i></code></td>
-      <td>Set this variable to 1 to enable the SSL termination option.</td>
+      <td>Set this variable to <code>1</code> to enable the SSL termination option.</td>
   </tr>
    <tr>
       <td><code><i>proxy.config.ssl.server_port</i></code></td>
-      <td>Set this variable to specify the port used for SSL communication. The default port is 443.</td>
+      <td>Set this variable to specify the port used for SSL communication. The default port is <code>443</code>.</td>
   </tr>
    <tr>
       <td><code><i>proxy.config.ssl.client.verify.server</i></code></td>
-      <td>Set this option to 1 to require Traffic Server to verify the origin server certificate with the CA.</td>
+      <td>Set this option to <code>1</code> to require Traffic Server to verify the origin server certificate with the Certificate Authority.</td>
   </tr>
    <tr>
       <td><code><i>proxy.config.ssl.client.cert.filename</i></code></td>
-      <td>If you have installed an SSL client certificate on Traffic Server, set this variable to specify the filename of client certificate.</td>
+      <td>If you have installed an SSL client certificate on Traffic Server, then set this variable to specify the   client certificate filename.</td>
   </tr>
    <tr>
       <td><code><i>proxy.config.ssl.client.cert.path</i></code></td>
-      <td>If you have installed an SSL client certificate on Traffic Server, set this variable to specify the location of the client certificate. The default directory is the Traffic Server <code>config</code> directory.</td>
+      <td>If you have installed an SSL client certificate on Traffic Server, then set this variable to the location of the client certificate. The default location is the Traffic Server <code>config</code> directory.</td>
   </tr>
    <tr>
       <td><code><i>proxy.config.ssl.client.private_key.filename</i></code></td>
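
Review bot: The added line "<code>SSL Termination </code>section" puts the separating space inside the code element; the other two occurrences in this file use "<code>SSL Termination</code> section". The proxy.config.ssl.client.verify.server row now spells out "Certificate Authority", but the client-side section in this same commit introduces the term as "Certification Authorities (CAs)"; pick one expansion and use it throughout. The proxy.config.ssl.client.cert.filename line also gained a run of extra spaces before "client certificate filename". It would help readers if the verify.server row stated what happens when the value is left at 0, namely that the origin server certificate is not checked.
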
@@ -249,26 +246,24 @@
   </tr>
    <tr>
       <td><code><i>proxy.config.ssl.client.CA.cert.filename</i></code></td>
-      <td>Specify the filename of the certificate authority against which the origin server will be verified.The default value is <code>NULL</code>.</td>
+      <td>Specify the filename of the Certificate Authority against which the origin server will be verified. The default value is <code>NULL</code>.</td>
   </tr>
    <tr>
       <td><code><i>proxy.config.ssl.client.CA.cert.path</i></code></td>
-      <td>Specify the location of the certificate authority file against which the origin server will be verified.The default value is <code>NULL</code>.</td>
+      <td>Specify the location of the Certificate Authority file against which the origin server will be verified. The default value is <code>NULL</code>.</td>
   </tr>
 </table>
-<br />
   <li>Save and close the <code>records.config</code> file. </li>
   <li>Navigate to the Traffic Server <code>bin</code> directory. </li>
   <li>Run the command <code>traffic_line -L</code> to restart Traffic Server on the local node or <code>traffic_line -M</code> to restart Traffic Server on all the nodes in a cluster. </li>
 </ol>
 <h3 id="ConfiguringTrafficEdgeSSLAcceleratorCard">Configuring Traffic Server to Use an SSL Accelerator Card </h3>
-<p>You can install an SSL accelerator card on your Traffic Server machine to accelerate the number of requests Traffic Server can process. Traffic Server supports the Cavium accelerator card. If you opt not to use an SSL accelerator card, then you'll use your normal SSL library; if you install the Cavium card, then you'll use the library supported &amp; provided by the  manufacturer.</p>
+<p>You can install an SSL accelerator card on your Traffic Server machine to accelerate the number of requests Traffic Server can process. Traffic Server supports the Cavium accelerator card. If you opt not to use an SSL accelerator card, then you'll use your normal SSL library; if you install the Cavium card, then you'll use the library supported &amp; provided by the  card manufacturer.</p>
 <h5>Configure Traffic Server to use an SSL accelerator card: </h5>
 <ol>
   <li>In a text editor, open the <code>records.config</code> file located in the Traffic Server <code>config</code> directory.  </li>
   <li>Edit the following variables in the <code>SSL Termination</code> section of the file: </li>
-<br />
-<table width="1232" border="1">
+  <table width="1232" border="1">
     <tr>
       <th width="322" scope="col">Variable</th>
       <th width="894" scope="col">Description</th>
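
Review bot: The two proxy.config.ssl.client.CA.cert.* rows state that the default is NULL but not what Traffic Server verifies against when they are left at NULL, even though proxy.config.ssl.client.verify.server = 1 in the previous hunk depends on a CA being available. Suggest adding a sentence to these rows saying that the CA filename and path must be set when origin verification is turned on. In the accelerator paragraph, "accelerate the number of requests Traffic Server can process" is carried over unchanged; "increase the number of requests" is what is meant.
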
@@ -278,19 +273,18 @@
       <td>Set this specify  if an accelerator card is required for operation.
           
         <p>You may specify:<br />
-          0 - not required<br />
-          1 - accelerator card is required and Traffic Server will not enable SSL unless an accelerator card is present.<br />
-          2 - accelerator card is required and Traffic Server will not start unless an accelerator card is present.</p>
+          <code>0</code> - not required<br />
+          <code>1</code> - accelerator card is required and Traffic Server will not enable SSL unless an accelerator card is present.<br />
+          <code>2</code> - accelerator card is required and Traffic Server will not start unless an accelerator card is present.</p>
       <p>You can verify operation by running<code> /home/y/bin/openssl_accelerated</code> (this comes as part of <code>openssl_engines_init</code>).</p></td>
   </tr>
     <tr>
       <td><p><code><i>proxy.confg.ssl.accelerator.type</i></code></p></td>
       <td><p>Specifies if the Cavium SSL accelerator card is installed on (and required by) your Traffic Server machine:</p>
-        <p>0 = none (no SSL accelerator card is installed on the Traffic Server machine. The CPU on the Traffic Server machine determines the number of requests served per second).</p>
-      <p>1 =  accelerator card is present and required by Traffic Server.</p></td>
+        <p><code>0</code> = none. No SSL accelerator card is installed on the Traffic Server machine, so the CPU on the Traffic Server machine determines the number of requests served per second.</p>
+      <p><code>1</code> =  an accelerator card is present and required by Traffic Server.</p></td>
   </tr>
 </table>
-<br />
   <li>Save and close the <code>records.config</code> file. </li>
   <li>Navigate to the Traffic Server <code>bin</code> directory.  </li>
   <li>Run the command <code>traffic_line -L</code> to restart Traffic Server on the local node or <code>traffic_line -M</code> to restart Traffic Server on all the nodes in a cluster. </li>
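
Review bot: The second row's variable name is spelled "proxy.confg.ssl.accelerator.type" (missing "i" in "config"); this hunk edits the description next to it but leaves the name, and a reader copying it into records.config would set a variable that does not exist. The first row's description still opens with "Set this specify  if an accelerator card is required", which is missing words. The verification hint points at /home/y/bin/openssl_accelerated, which looks like a site-specific install path; say where the tool lives relative to the Traffic Server installation, or drop the absolute path.
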